Illyas Kooliyankal is not a CIO, but he rarely strays far from the IT department. With around 20 years of experience in the Information Technology and Cyber Security arena, the Head of Information Security/Chief Information Security Officer at ADS Securities has built his career on an open platform. “It is important that I am not just implementing security measures,” he explains. “I need to keep in mind that security affects every part of the business, and that people still need to be able to perform their duties without running into security measures that prevent them from functioning.”
His current employer is an Abu Dhabi-based organisation that provides sophisticated forex, bullion and commodities trading solutions to institutional and private investors. The firm’s clients include banks, global and regional hedge funds, asset managers, investment banks and other financial institutions. These entities are not only based in the UAE, or even the Middle East, but are spread over Europe and Asia. The firm also provides wealth management solutions for private traders, business clients and more. In short, the company is the largest brokerage by volume in the Middle East and one of the fastest growing global investment banks in the region. The company specialises in forex, commodity and bullion as well as wealth management, asset management and global markets and has branches in London, Singapore and Hong Kong. Its global headquarters is in Abu Dhabi.
The reason behind the company’s commitment to security is clear – when it comes to working with the finances of others, there simply cannot be any missteps; ADS trades more than five billion dollars per day. Add to that the fact that the company is expanding into certain markets: without a tight handle on security, all could be lost.
When Kooliyankal came to ADS, he hit the ground running. “In 2013 alone we had ten different security projects underway.” This was partially because of the rapid growth of the company, and partially due to Kooliyankal’s innovative approach to security.
“When you look at our portfolio from a security perspective,” says Kooliyankal, “one of the main challenges is maintaining compliance between countries, industries and portfolios.” The inclination, he explains, is to enforce a tight blanket of security around the whole operation. However, as a business-savvy CISO, Kooliyankal is aware of the fine line between protecting information and making it unusable.
“Information security has to be more than checking items on a checklist,” says Kooliyankal. In fact, he goes on to explain, because the company is both young and growing quickly, it is essential that they perform above and beyond expectations in every aspect of business – particularly security.
“Each business vertical is unique,” he says. “This can be because it is in a different region, or because that department has a unique function, but we have to customise security solutions for each area.” There is simply, he says, no one-size-fits-all solution for the entire firm. Some areas require tighter security, whereas others need more leniency to excel.
To continuously meet the unique needs of his end-users, Kooliyankal has developed a philosophy – work with them, not against them. “I created a security committee within the company,” says Kooliyankal. “I want to create an environment where all employees are open to sharing their opinions.” The committee meets quarterly to discuss security issues. Each department is represented, and can express its needs openly.
Kooliyankal also personally trains all new hires. “I want to make sure that everyone is on the same page when it comes to securing their data,” he says, “and I want them to know why a policy is in place.” Regulations aren’t there, he says, only “because I said so.”
Though he runs a tight ship, Kooliyankal wants to ensure that the entire company is open to adapting to changing needs. “I tell my staff to never say no,” he says. “If someone requests a policy to be changed, I tell my staff to say that we will review the situation – and we will.” Sometimes, he says, he will make an exception if it is good for business.
The secret to his successful initiatives, he says, is to create an environment in which everyone “buys in.” “These projects need support from the top down,” he says. The management needs to back each project, and the employees need to believe in the policies, and not simply find ways around them. “Everyone needs to be on board. It is not just a technical issue. The technology needs to be there, the process and the education of all involved parties and users,” he says. Security cannot stand alone, he explains; it has to be supported by all IT governance.
Kooliyankal’s hard work and dedication to communication have paid off. In 2013 he won ISACA UAE’s CISO of the Year Award. He has also been the recipient of the Crystal Award from Emirates Airlines-ISACA, the KERA Outstanding Achiever award and the World Excellency Award in Information Security.
As for what he sees in the future – “As BYOD becomes more popular, we are going to need to address people’s needs in a security context,” he says. He also points out that information security really isn’t an issue of attack prevention anymore, but of attack management. “It is not whether or not you will be attacked,” he says, “but what you do when you are the victim of one.”