Executive Director, CISO at Goldman Sachs (2024-12 – Present)
Oversee RBI regulatory requirements pertaining to IT and cyber security to meet compliance, and run the APAC Technology Risk program.
- Led and managed multiple concurrent engagements related to RBI regulations, providing guidance on regulatory requirements, and helping the local stakeholders achieve satisfactory outcomes in various audits (Reg/IA).
- Established a culture of continuous improvement by mitigating risk in the technology risk space.
- Establish strong connections with stakeholders across the region to drive projects seamlessly, and maintain continuous contact with peer banks, industry players, and regulators.
- Oversee the technology risk programs (application, infrastructure) covering various themes such as IAM, system accounts life cycle, pen-test life cycle, vulnerability management, disaster recovery, patch management, end of life, SDLC, and risk exceptions. Provide assurance to regional stakeholders to ensure zero surprises.
- Active member (as a KMP) of the board, RMC, Tech Risk Council, IT Strategy Committee, and the chair of the Information Security Committee.
Vice President, CISO at UBS (formerly known as Credit Suisse AG) (2019-12 – 2024-12)
Oversaw regulatory requirements pertaining to IT and cyber security to meet compliance for India-regulated entities (Bank, NBFC, Securities), and was part of the APAC Cyber function with a team of three members.
- Core responsibilities were to set up the CISO function of the front office and supervise regulatory requirements pertaining to IT and cybersecurity, including review of notifications, NSE/BSE ALGO, ITGC audit, RBI and SEBI inspections, NSDL inspection, CSITE inspection, statutory audits, SWIFT assessment, etc., and support the organization in respective quarterly regulatory submissions, as well as ad-hoc submissions.
- As the CISO, handled stakeholder expectations via periodic engagements and served as the sole bridge between the organization and regulators.
- Stayed well connected with peer banks, regulators, exchanges, and audit firms for recent developments, and reacted proactively within the organization to eliminate surprises.
- Oversaw technology risk assessments (application, infrastructure) covering various domains of IT, such as user access, change management, incident capacity management, disaster recovery, etc., and provided assurance to stakeholders.
- Rolled out IT and information risk awareness programs within the organization and participated in risk sessions, including the delivery of various awareness programs such as induction, refresher sessions, policy awareness, training on cybersecurity, and mock exercises on phishing and vishing.
- Represented cyber in risk committees such as board meetings, the technology committee, and the outsourcing governance committee, and provided risk and regulatory updates.
Vice President, CISO at J.P. Morgan (2014-07 – 2019-12)
Oversaw regulatory requirements pertaining to IT and cyber security to meet compliance for the India front office (Bank, NBFC, Securities), and ran technology risk for CIB - Markets with a team of two members.
- As a CISO, I supervised external and regulatory audits and engagements such as ISO 27001, NSE/BSE ALGO, ITGC audit, RBI and SEBI inspections, NSDL inspection, CSITE inspection, and supported the regulated entities in various periodic and ad-hoc submissions.
- Ensured periodic engagement with core stakeholders and was an active member of the IND-Technology Operating Committee, chaired by the Head of Technology, to provide tech, cyber risk, and regional updates.
- Faced thematic audits (change management, SDLC, IAM, etc.) supervised by internal audit, and supported the regulated entities to achieve satisfactory outcomes.
- Chaired monthly control meetings with India-regulated entities' technology functions to brief them on project progress, issues, policies, regulations, application control gaps, SDLC, and audits.
- Rolled out IT and information risk awareness programs within the organization, and participated in risk sessions, delivering various awareness programs such as inductions, boot camp sessions, policy awareness, training on cybersecurity controls, and risk expos.
AVP, Information Security & Risk at Royal Bank of Scotland (RBS) (2010-06 – 2014-07)
As part of the second line of defense, core responsibilities were to manage information security for the business services and support the stakeholders in various security drives with a team of four members.
- Led from the front and got the firm ISO 27001 certified, and ensured the same was seamlessly carried out for the subsequent cycles.
- Provided consultancy to business operations on security policies and requirements.
- Coordinated with India and regional functions on incident management, VA-PT, application risk, client audits, and thematic reviews, and ensured the same were addressed adequately.
- Designed comprehensive information security awareness programs for the India region and delivered the same with the team.
AGM, Information Security at Minacs Aditya Birla (2006-08 – 2010-06)
Provided leadership, designed policies, and implemented certifications (ISO 27001, PCI) across the APAC region with up to 10,500 staff members and four team members, and built a security-conscious culture within the organization.
- Developed a crisis management framework and BCP/DR for clients and the organization, and carried out investigations on security incidents.
- Deployed SOC, VA-PT infrastructure, endpoint, and DLP solutions.
- Deployed a third-party assessment module for evaluating third parties, governance on change, incident, and problem management.
- Provided oversight on compliance requirements within APAC, and managed client audits across APAC, collaborating with stakeholders for successful outcomes.
- Served as an advocate for the business development team in responding to RFIs and RFPs.
- Actively participated in management forums to highlight risks and noncompliance.
- Provided consultancy to business and operations on security policies and requirements.
- Identified, analysed, and developed mitigation strategies related to anti-terrorism, fire protection, access control, and CCTV to reduce risks and vulnerabilities pertaining to physical security.
- Governed HR background processes and compliance requirements.
Manager, Information Security at ICICI OneSource (2000-04 – 2006-07)
Core responsibilities were to manage the information security of the organization and support the business function in complying with the client's requirements. Led from the front and achieved the organization's ISO 27001 certification covering nine locations, serving 67 clients.
- Carried out internal audits, technology reviews such as the configuration of network devices, application risk assessment, server audit, desktop hardening audit, and conduit data assessment.
- Deployed security infrastructure such as NTP, email and internet gateways, SOC, VA and PT, patch management, configuration management, incident management, change management, and identity access management within India and for co-locations.
- Implemented service-based risk assessment for technology services as per the BS15000 framework.
Software Programmer at Zyfax System (1998-10 – 2000-04)
As the software programmer, I was responsible for handling the telecom client, supported its operations and applications, and was the single point of contact.
- Development of an eCRM application and database for clients, providing continuous support.
- Administration of servers, web servers, and databases.
- Managed SQL Server 6.5 and worked with various programming languages and technologies such as C, C++, ISAPI DLLs, ASP, HTML, Java, and VBScript.