Rajendra Prasad Jakku is Vice President, Information Security Specialist at one of the world’s leading financial institutions, where he heads Identity and Access Management (IAM) Control Testing and is responsible for protecting data and enterprise information systems from unauthorized access, disclosure, alteration, or destruction. Raj brings nearly 25 years of global financial services leadership experience in information security governance, risk management, audit management, information security (IS) framework management, anti-money laundering compliance, and investment banking operations to his current role.
While identifying and remediating control gaps, and ensuring compliance with cybersecurity industry standards and regulatory requirements, his strategic initiatives have proved pivotal in fortifying blue-chip organizations against emerging threats. His achievements in IS have made Raj a trusted advisor to the management and stakeholders of Chief Security Office and Technology teams in India and the U.S.
Q: Raj, let’s start with your background. You launched your career with a degree in Commerce, unlike many who approach the field from the technology side, but you also earned Certifications in various software engineering systems. Tell us about how your business focus helped you advance in your career.
A: I began my career in a software company that develops products for stock exchanges. That is where I developed domain knowledge in financial products, along with a foundation in information security, and that initial experience helped me understand the intricacies of security requirements for robust IT systems. Seeking to broaden my horizons, I then moved into the banking industry. This transition allowed me to gain valuable insights into finance and the inner workings of the financial sector.
While working in the banking industry, I had the opportunity to collaborate with Risk and Compliance teams. This experience was pivotal, as it deepened my understanding of how to identify and mitigate risks, and underscored the critical importance of protecting organizational assets. I learned about the various compliance regulations and the necessity of adhering to them to maintain the integrity and reputation of the organization.
As I became more involved in Risk Management and Compliance, I recognized the growing importance of information security in safeguarding sensitive data and systems. This realization prompted me to transition into an information security role, where I could apply my technical skills and industry knowledge to a new and increasingly vital area.
I was fortunate to have exceptional managers who supported my career growth and provided me with numerous opportunities to work in different capacities within the information security field. Their mentorship and guidance were invaluable as I navigated this transition and developed a comprehensive understanding of information security principles and practices.
My career journey has been shaped by a continuous quest for learning and growth. Progressing through various roles in the banking industry, I have built a diverse skill set that has enabled me to successfully transition into the field of information security.
Q: In the early 2000s, you were installing IT systems and gathering business requirements at major international stock exchanges, managing back-office processes for Fixed Income and Equities investments and leading Anti-Money Laundering teams in European banks. When and why did you move into risk management, audit reporting, and compliance? Was that a reflection of changes in the financial and technology industries, or your personal expertise, or both?
A: I moved into risk management, audit reporting, and compliance as a natural progression of my career around the mid-2000s. This shift was influenced primarily by my experience, leveraging the domain knowledge I acquired in the financial industry, as well as changes happening in the financial and technology industries.
During that period, the financial industry was becoming increasingly aware of the importance of risk management and compliance due to growing regulatory demands and the rise of sophisticated cyber threats. The introduction of regulations such as Sarbanes-Oxley (SOX) and the European Union’s directives on market abuse and anti-money laundering highlighted the need for robust compliance and audit frameworks.
Concurrently, my extensive experience in managing IT systems, understanding business processes, and leading AML teams equipped me with the necessary skills to excel in risk management and compliance roles. I had developed a keen eye for identifying potential risks and inefficiencies, which naturally aligned with the responsibilities of these new roles.
Additionally, my background in IT and finance allowed me to understand the technical and operational aspects of risk management and compliance. This integration of skills made me well-suited for roles that required both technical knowledge and an understanding of financial regulations.
Moving into risk management, audit reporting, and compliance was a reflection of both industry changes and my personal expertise. The increasing importance of regulatory compliance and risk management in the financial industry, combined with my diverse experience, made this transition a natural and strategic step in my career.
Q: How did your professional experiences in the first decade of the millennium evolve into your current position as an Information Security Specialist? When did organizations start investing in Information Security technology and personnel? Were financial institutions early adopters in this area? What were some of the challenges you encountered in the industry during that period?
A: Organizations have been investing in security controls for several decades, with significant growth in investment driven by various factors over time. The dot-com boom and the rise of e-commerce sites like Amazon and eBay increased the volume of online transactions, necessitating stronger security controls. Regulations such as GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), and others, required organizations to implement stringent data protection measures.
Businesses and financial enterprises started to invest significantly in Information Security technology and personnel in the mid-2000s, driven by the rising number of cyber threats and regulatory requirements. Financial institutions were indeed early adopters in this area due to the sensitive nature of the data they handle and the high stakes involved in safeguarding it.
Some challenges I encountered during this period included staying updated with rapidly evolving security threats, budget constraints, skills shortage, legacy systems, integrating new security technologies with existing systems, and fostering a security-aware culture within the organization. Additionally, navigating the complex regulatory landscape and ensuring compliance with various standards and regulations posed significant challenges.
Q: While you have served with your current organization for 17 years in aggregate, you moved into your current leadership role in 2014. Over the last decade, threats from “bad actors” have escalated at a pace concurrent with the rapid introduction of new technologies. How has this impacted Information Security at your organization, and in the financial services industry overall? How do you stay ahead of hackers who want to harm your organization? Are you using Artificial Intelligence and Machine Learning tools?
A: Over the last decade, as new technologies have rapidly emerged, so have the threats from hackers. This has significantly impacted Information Security, both in my organization and in the financial services industry as a whole.
To stay ahead of these threats, we continuously update our security measures, invest in the latest technologies, and ensure our team is well-trained. We also use Artificial Intelligence (AI) and Machine Learning (ML) tools to detect and respond to threats more quickly and accurately.
AI can strengthen security decisions by training itself on historical data to recognize patterns and provide informed decisions. One of the areas where we use AI prediction models is in Confidentiality, Integrity and Availability (CIA) proposed impact ratings, which are based on multiple data sources and help information security officers to perform an appropriate risk assessment and implement robust controls. This is a proactive measure to tackle evolving threats. I play a critical role in this process by performing a quality analysis on the prediction of CIA risk ratings for all applications in the bank. This is tremendously important because an inaccurate risk rating may negatively impact multiple areas including financial, regulatory, client, market, and reputation.
Another important area where we are using AI is in threat reporting. In this case, AI is being used to calculate all types of threats and risks, and formulate that information into a threat dashboard that enables management to prioritize implementing remediation.
The fast pace of technological change and increasing hacker threats have made Information Security a top priority, requiring constant vigilance and innovation.
Q: Part of your job encompasses leading and mentoring an Information Security Control Testing team that designs critical processes to ensure sustainable information security control environments. The team also develops and implements audit strategies to test the design and operational effectiveness of information security controls and solutions, and evaluates audit test cases. This appears to involve process improvement and change management expertise, which many IT specialists don’t get in engineering school. Has your business background and leadership experience better equipped you for this role?
A: Leading and mentoring an Information Security Control Testing team involves ensuring robust security control environments and developing effective audit strategies. This requires not just technical expertise, but also a strong understanding of process improvement and change management.
While building this new team, there are many important key learnings which we need to consider to be effective and successful. I have arranged open, two-way discussions with the team to identify gaps in every phase and track them until they are fixed. Each gap must be prioritized according to its criticality and updated in the procedure documents. Another important factor is to continuously provide guidance and support the team by having engagement and deep discussions about the process and their tasks. I always ask team members if they are facing any challenges and escalate matters if necessary.
It is important to ensure that the team is equipped with the necessary certifications and domain knowledge required for the process. I have utilized my networking in the organization and arranged sessions on Cloud security and user access management to help the team to enrich their skills.
Identifying risks and protecting organizational assets provided a deep understanding of the importance of strong security controls. Working in various roles within information security also helped me appreciate the nuances of designing and testing these controls.
My business background and leadership experience have indeed better equipped me for this role. The knowledge I gained about financial operations and regulatory requirements helped me develop and implement effective audit strategies. Additionally, my leadership experience allowed me to guide my team effectively, ensuring we continuously improve our processes and adapt to changes in the security landscape.
Q: Approximately 100 U.S. universities and 50 U.K. universities now offer undergraduate and post-graduate degrees in Information Security or Cyber Security. As a Specialist and a mentor, what do you advise people who are pursuing IS careers? Besides IT, what skills and knowledge capital do you think will be critical over the next 10 years?
A: My advice to those pursuing careers in this field is to build a strong foundation in both technical and non-technical skills. First, it’s important to understand the fundamentals. Grasp the core principles of information security, including risk management, compliance, and security controls. This foundational knowledge is crucial for any role in this field. It’s also critical to stay updated with technology. Cyber threats and technologies evolve rapidly. Continuously update your technical skills, and stay informed about the latest trends, tools, and best practices in information security. Explore AI and Machine Learning, because as these tools become increasingly important in detecting and responding to security threats, gaining knowledge in these areas will be beneficial.
I believe that anyone wanting to succeed in an Information/Cyber Security role needs to develop analytical and problem-solving skills. The ability to analyze complex security issues and devise effective solutions is critical. Practice thinking critically and approaching problems methodically. Learning about risk and compliance is also fundamental.
Understanding how to identify and mitigate risks and ensuring compliance with regulatory standards is essential to protecting organizational assets. Often, the best way to build a knowledge base is to gain experience in different roles. Working in various roles within information security will give you a broad perspective and make you more adaptable. My journey through different roles provided valuable insights and prepared me for leadership positions.
Career advancement in most any field requires excellent communication and leadership skills, and Information Security is no exception. Security professionals must often explain complex issues to non-technical stakeholders. Strong communication and leadership skills will help you articulate security needs and lead teams effectively. Equally important is a focus on process improvement and change management. As I’ve experienced, understanding how to improve processes and manage change is crucial. These skills help in creating sustainable security environments and adapting to new challenges.
Business knowledge is also important. My degree in Commerce, followed by my professional experience, gave me the opportunity to understand business operations. Knowing how businesses operate and the financial implications of security decisions will make you a more effective security professional. Building a strong professional network is also valuable. Connect with other professionals in the field. Networking can provide support, knowledge sharing, and opportunities for career growth.
Combining strong technical skills with a deep understanding of risk management, compliance, business operations, and effective communication will be critical over the next 10 years. As new technologies accelerate, so will the constant threat of cyberattacks. Thus, the need for experienced Information Security leaders who have the expertise and vigilance to protect data and organizational assets will continue to increase. I foresee ongoing opportunities for job growth in the Information Security field in the near and far future.
