The Resilience Mandate: Ratan Jyoti on Cyber Risk, AI Threats and the Future of Banking Security

As India’s banking ecosystem accelerates towards a deeply digital future, cybersecurity is rapidly evolving from a technology function into a boardroom-level resilience imperative.

In the first part of this exclusive CXO Dialogue interview with Risk Awareness, Ratan Jyoti, Chief Information Security Officer, Head of Technology Risk Management and Data Protection at Ujjivan Small Finance Bank, shares nuanced perspectives on cyber resilience, operational trust, AI-led threats and the growing importance of security culture in modern banking institutions.

Q: Cybersecurity in banking is increasingly becoming a boardroom conversation rather than just a technology function. From your perspective, how has the role of the modern CISO evolved over the last few years, especially within India’s rapidly digitising banking ecosystem?

The role of the CISO has changed dramatically over the last few years. Earlier, cybersecurity was largely viewed as a specialised technology function focused on infrastructure protection, patching, antivirus management and audit observations. Today, especially in banking, it has become a core business and resilience conversation.

India’s rapid adoption of UPI, mobile banking, fintech ecosystems, cloud adoption and digital onboarding has fundamentally transformed the banking landscape. While this has created significant opportunities, it has also expanded the cyber threat surface considerably.

Because of this shift, the CISO today cannot operate only as a technology custodian. The role now sits much closer to business continuity, operational resilience, customer trust and enterprise risk management.

Boardroom conversations themselves have evolved. Earlier, discussions were primarily around controls and compliance. Today, leadership teams are increasingly focused on resilience: how quickly critical services can recover, what happens if third-party ecosystems fail, how customer trust is protected during disruptions, and whether institutions are operationally prepared for large-scale incidents.

I remember a discussion following a major global ransomware incident where one CEO made a very practical observation. He said, “Customers may forgive a failed transaction once. They may not forgive loss of trust.” That observation stayed with me because it captures the real shift we are witnessing today. Cybersecurity is no longer only about securing systems. It is about preserving confidence in digital banking itself.

Another important evolution is that cybersecurity today cannot function in silos. Effective resilience requires collaboration across technology, operations, business teams, legal, compliance, risk management and leadership.

The modern CISO therefore has to balance multiple priorities simultaneously: enabling digital growth, managing evolving cyber threats, supporting regulatory expectations and ensuring operational resilience without unnecessarily slowing down the business.

Communication has also become significantly more important. Boards and leadership teams no longer want only technical metrics. They increasingly want clarity on operational impact, customer implications and resilience readiness.

Ultimately, the objective today is not to build an organisation that will never face attacks. That is unrealistic in the current environment. The real objective is to build institutions that can anticipate risks better, detect threats early, respond effectively and recover with minimal impact on customers and operations.

In many ways, cybersecurity has now become as much a trust and resilience function as a technology function.

Q: Having worked across multiple banking institutions over the decades, from public sector banks to a digitally focused small finance bank, what have been some of the most important lessons and shifts you have observed in the way organisations approach technology risk and cybersecurity?

One of the biggest lessons I have learned over the years is that cybersecurity maturity is rarely determined only by the amount of technology an organisation deploys. The real differentiator is culture, leadership commitment and operational discipline.

I have seen institutions with advanced security tools still struggle during incidents because security remained confined to one department instead of becoming part of organisational thinking. At the same time, I have seen organisations with comparatively modest setups respond very effectively because accountability and preparedness were deeply embedded across teams.

One thing has remained consistent across the industry: most successful attacks still exploit human behaviour more than technology weaknesses. Whether it is phishing, social engineering or operational oversight, the human element continues to be one of the biggest risk areas.

That is why I strongly believe cybersecurity culture matters far more than organisations sometimes realise. You cannot firewall your way out of a culture problem.

I remember interacting with a senior banker many years ago after a phishing-related incident. Technically, the institution had strong controls in place. But one delayed escalation and one assumption that “someone else must already be looking into it” allowed the situation to grow unnecessarily. That incident reinforced something very important for me: resilience is often determined by response culture, not just technology capability.

Another major shift I have observed is the movement from compliance-focused security to resilience-focused security.

Earlier, cybersecurity discussions in many organisations revolved heavily around audits, observations and regulatory compliance. While those remain important, the industry today is gradually becoming more outcome-focused.

The real question now is not whether controls are documented. The real question is whether the organisation can continue functioning effectively during a disruption and recover quickly when something goes wrong.

I have also seen a major evolution in the way digital-first institutions approach security. Agile organisations have the advantage of embedding security into transformation initiatives from the design stage itself rather than adding controls later as corrective measures. When security becomes part of the design philosophy, organisations are able to move faster and more safely at the same time.

Third-party and ecosystem risk is another area that has changed significantly. Banking today operates in a highly interconnected environment involving cloud providers, fintechs, service partners and external platforms. In many ways, the traditional perimeter has disappeared.

I remember during an industry cyber discussion, a participant made a very relevant comment: “Sometimes the biggest operational risk to a bank may not even sit inside the bank.” That observation is becoming increasingly true in today’s interconnected ecosystem.

Regulatory expectations have also matured significantly over the years. There is now much stronger focus on operational resilience, third-party governance, cyber preparedness and data protection. I see this as a positive development because it encourages institutions to think beyond minimum compliance and focus more on sustainable resilience.

One thing I have personally observed is that the organisations that manage cyber risk best are usually the ones where leadership treats cybersecurity as a business priority and not merely as a technology cost.

Q: Small finance banks today are balancing aggressive digital expansion with rising cyber threats and regulatory expectations. What do you believe are the most critical technology-risk priorities for banks operating in this segment?

Small finance banks operate in a very unique and demanding environment. They are growing rapidly, expanding digital services aggressively and serving customers at significant scale, often with leaner operating models compared to larger institutions.

In my view, one of the biggest priorities is ensuring that digital growth is supported by equally strong governance and resilience frameworks. Speed without governance eventually creates operational risk.

Cyber resilience has to remain a top priority. Institutions must prepare not only to prevent attacks but also to respond and recover effectively when disruptions happen.

Securing digital channels is another critical area. Mobile banking platforms, APIs, fintech integrations and cloud ecosystems are expanding rapidly and therefore require continuous monitoring and strong security architecture.

Third-party and supply-chain risk management has also become extremely important. Today, banks depend heavily on external service providers and technology ecosystems. A disruption outside the organisation can very quickly impact customer-facing services.

I remember a discussion during an industry resilience workshop where someone said, “In digital banking, customers rarely differentiate between a bank outage and a partner outage. For them, the bank experience is one integrated experience.” I think that captures the importance of ecosystem resilience very well.

Identity and access management is another major focus area because identity-based attacks and credential compromise are increasing significantly across the industry.

Operational resilience is equally important. Backup readiness, disaster recovery capability, cyber drills and crisis management coordination cannot remain only audit activities. They have to become part of operational discipline.

I also believe employee awareness and leadership involvement remain extremely important. Technology alone cannot solve cybersecurity challenges. Long-term resilience always depends on a combination of people, process, governance and technology working together.

For small finance banks, the challenge is not choosing between growth and security. The real objective is enabling sustainable digital growth with trust and resilience built into the foundation.