What this bank CISO seeks from his IT suppliers

Kamran Meer, CISO, UBL, divulges his dos and don'ts for IT suppliers

What does your company do, and what is your role there?

United Bank Limited is one of the largest private banks in Pakistan with over 1400 branches, 13,000 employees and assets of $15bn. It is a subsidiary of UK conglomerate Bestway Group. I wear several hats including CISO, divisional head (reporting to the chief risk officer) and secretary of the information security steering committee chaired by the president/CEO of UBL.

What traits do you seek in your IT suppliers?

First and foremost our suppliers must demonstrate a high level of technical proficiency. This doesn't just go for the senior personnel but right across the whole team. I hold several positions at once and they keep me extremely busy. I have to trust those on duty to take good care of things, knowing they can be relied upon to follow correct policy and procedure when the chips are down and shield me from constant interruptions. For this reason, the best suppliers fit seamlessly into our corporate culture. Above all they must understand the business and its objectives inside out and possess excellent communications skills. One minute they may be discussing a technical issue with an IT administrator and the next minute explaining the implications in business terms to senior management.

How can IT suppliers best influence you early in the sales cycle?

It probably goes without saying that once a supplier has established a foothold in our organisation they become an invaluable extension of our in-house team. When an opportunity for a new supplier does come along, we will first speak to contacts within the CISO community to draw up a preferred supplier shortlist. In other words, the best way to influence us is to do a great job for someone else. As a next step we will probably decide it's worth meeting one or two of the candidates face to face. At every step we will be looking for the highest standards of technical competency and a proactive, can-do approach.

Can you give us an example of a project where an IT supplier has really impressed you? What did they get right?

The best projects are always the ones that are technically complex on paper but are executed so expertly there is minimal disruption. For example, late last year we decided to introduce more automation into our Security Operations Centre (SOC) to help better manage the rising tide of security alerts. Our long-term partners Rewterz recommended a Security Orchestration Automation Response (SOAR) platform from SIRP Labs. The platform gives our security analysts a clear view of the nature and severity of alerts while at the same time equipping them to make informed decisions about incident response priorities. From the way they tailored the project to suit our business to leading the implementation every step of the way, you could not ask for anything more.

How much of your time is spent helping business leaders drive business outcomes, versus running the IT department?

I spend most of my time on threat intelligence, managing our analyst teams involved in identifying and responding to security alerts - especially since the transition to remote working during the current pandemic. The rest is spent reporting to senior management, bringing them up to speed on the overall cybersecurity strategy of the bank.

Do the Board see you as part of their digital journey, or are you still just viewed as a massive cost that everyone wants to bring down?

At UBL we are fortunate that the board recognises robust cybersecurity is fundamental to business success. Of course, this is not to say that funds are unlimited but there is certainly respect for the professional opinions within the IT department. The Board is prepared to back our judgement and strategy with proportionate investment.

Kamran Meer is CISO at UBL