
As cyber threats grow more persistent and sophisticated, the responsibility placed on senior information security leaders has expanded well beyond tools and controls. Today's challenge lies in designing security environments that can withstand real-world pressure—where governance, technical rigor, and human judgment must operate together, consistently and at scale.
Rajendra Prasad Jakku serves as Vice President and Information Security Senior Specialist in the Chief Security Office unit at a leading global financial institution, where he leads Information Security Control Testing and Governance within the Identity and Access Management (IAM) domain. His work focuses on validating that security controls are designed correctly and assuring that controls will operate reliably across complex, highly regulated systems that support global financial activity.
Jakku is widely respected for his Enterprise Risk Management expertise and innovative approaches to information security, particularly in the financial sector, where his work addresses systemic risk at an enterprise scale. In addition to his institutional responsibilities, he contributes to the broader cybersecurity profession through peer review, mentorship, and workforce development initiatives with organizations such as National CyberWatch and ISACA®, helping strengthen how cybersecurity talent is developed and evaluated in the United States and internationally. We spoke with him about how his work has evolved, the problems he is focused on solving today, and what effective cybersecurity leadership looks like in practice.
PAULA FREUDENTHAL: Raj, in your role as Vice President and Information Security Specialist at one of the world's largest banks, you oversee Information Security Control Testing within Identity and Access Management. Can you tell us about what this entails and why this role has become so critical in today's threat environment?
RAJENDRA JAKKU: Information Security Control Testing within Identity and Access Management (IAM) is about making sure access controls are effective by design and operationally working as intended by organizational policies. It involves overseeing how user access is granted, changed, and removed; verifying that MFA and approval workflows are enforced; reviewing privileged access; and confirming that identity activity is logged and monitored. The intent is to ensure people and systems have only the access they need, for the right reasons, and that there is clear evidence to support this for security, audit, and compliance purposes.
This role has become critical because identity is now the main way attackers get into organizations. With cloud services, remote work, and automation, a single weak or misconfigured IAM control can expose a large part of the environment very quickly. Most breaches today involve stolen or misused credentials rather than technical exploits. IAM control testing helps catch these gaps early, prevent privilege abuse, and reduce the risk of widespread impact, making it an essential function for both security and business resilience.
PF: Much of your work centers on control testing and governance, rather than day-to-day operations. What gaps did you see in traditional approaches that led you to focus on strengthening this area, and what strategies did you develop or introduce to fill those gaps?
RJ: Traditionally, controls were implemented to meet policies and frameworks, but they were rarely tested to see whether the design was sound or whether they actually worked in day-to-day operations. Internal and external auditors did review controls, but the focus was mostly on meeting regulatory requirements rather than on how effective those controls were in stopping real threats.
Now, regulatory expectations are becoming more stringent, and organizations are being asked to test their controls on a regular basis to ensure they can actually protect against threat actors. This shift has made it clear that periodic control testing is no longer optional; it's something organizations must adopt to both meet regulatory demands and reduce real security risk.
We have implemented an annual scoping framework that focuses on the enterprise's most critical vulnerabilities. Before the start of each fiscal year, I oversee the execution of a formal scoping exercise to define an annual testing plan. This phase ensures that testing resources are allocated to the areas of highest potential impact. The plan includes:
- Threshold-based prioritization: we specifically target controls where the residual risk is nearing or has exceeded the Enterprise Risk Appetite.
- Cross-functional collaboration: we use three-lines-of-defense collaboration to ensure 360-degree visibility, and connect regularly with risk and compliance teams to map testing against the enterprise risk register.
- Regulatory and compliance mapping: we prioritize controls mandated by law or industry standards such as SOX (Sarbanes-Oxley Act) or ECB (European Central Bank).
PF: Identity and access environments are notoriously complex. From a technical standpoint, what makes IAM control testing particularly challenging at enterprise scale?
RJ: At enterprise scale, IAM control testing is challenging mainly because identity environments are rarely clean or centralized. Most organizations run a mix of on-prem systems, multiple cloud platforms, SaaS applications, legacy directories, custom apps, and third-party integrations. Each of these handles identity, roles, and permissions differently, which makes it difficult to get a single, accurate view of who has access to what and whether the controls are being enforced consistently.
IAM is highly dynamic. Users join, change roles, leave, and return; contractors and service accounts come and go; and automation can grant or remove access in seconds. Testing controls in this environment means validating not just configurations, but also timing, data feeds, workflows, and exceptions. A control may be correctly designed, but a broken HR feed, a manual override, or a poorly managed service account can silently bypass it. At scale, the challenge is proving that controls work continuously across thousands of identities and systems—not just at a single point in time.
PF: You have led efforts to design and refine testing methodologies rather than relying on static checklists. Can you share an example of how you approached a complex control problem and improved the outcome?
RJ: We use industry standards such as NIST as the baseline for drafting our test cases, along with control attributes that are defined and managed internally by the control owners. This gives us a structured and consistent way to assess both the design and the operational effectiveness of each control, without drifting from the intended scope. It helps ensure we are testing the right things in the right way.
That said, there are times when the wording of a control or its attributes is unclear or open to interpretation, which can lead to test cases that don't fully align with what the control is actually meant to achieve. When this happens, we work closely with the control owners to clarify the intent, understand the real control requirement, and, where needed, suggest updates to the control language itself. We have implemented a regular communication between our teams and the control owners to close these gaps and keep testing accurate and aligned with expectations.
PF: Your role requires regular interaction with technical teams, auditors, and senior leadership. How do you translate detailed security findings into action that resonates at the executive level?
RJ: Translating detailed security findings for senior leadership starts with understanding what each audience cares about. With technical teams and auditors, the conversation can stay detailed and control-focused. With executives, the focus shifts to impact. Instead of leading with control IDs, configurations, or test steps, we explain what the issue means in business terms—what could go wrong, how likely it is, and what the potential impact would be if it's not addressed.
We also keep the message clear and actionable. That means summarizing the issue, linking it to risk areas executives already track (regulatory exposure, operational disruption, reputational impact), and outlining practical next steps rather than technical fixes. Using simple language, clear priorities, and trends helps leadership see where focus or investment is needed, ensuring informed decisions without getting deep into technical details.
PF: Beyond your corporate role, you contribute your expertise to advancing the field as a volunteer peer reviewer and a panel member to develop Cybersecurity Curriculum standards through National CyberWatch initiatives. Why is this important to you, personally and professionally?
RJ: From my experience, one of the main reasons I volunteer is because I've seen firsthand the gap between academic learning and what cybersecurity roles actually demand in the real world. After spending years dealing with incidents, audits, and operational security challenges, it's clear that students and early-career professionals often aren't exposed to how security really works in practice. Volunteering gives me a chance to help shape curriculums that focus on practical skills, real scenarios, and critical thinking, so people entering the field are better prepared and more confident.
I also volunteer because I understand how mentorship and community support can shape a student's career. At this stage, giving back feels like a responsibility. For me, supporting workforce development is not just about teaching tools or frameworks; I do this to help young professionals understand the importance and pathways to building a strong foundation in technical skills, supplementing it with emotional intelligence (EQ) and real-life application, and leveraging mentorship to navigate their career journey, communicate effectively, and build ethical security practices. By contributing to these programs, I feel like I'm helping strengthen the future of the profession and setting up the next generation for long-term success.
PF: In your peer-review work, you have evaluated topics ranging from workforce readiness to post-quantum cryptography. What trends stand out to you as underappreciated risks?
RJ: I will start with workforce readiness: while new cybersecurity workforce members may have strong theoretical knowledge or certifications, they often lack real-world experience dealing with complex systems, unexpected incidents, and high-pressure situations. Overconfidence, reliance on automated tools, and limited exposure to organizational culture or regional compliance requirements can create blind spots, leaving both the individual and the organization vulnerable.
Soft skills are another underappreciated area. New professionals may struggle to communicate risks effectively to non-technical teams or leadership, which can delay critical decisions. Additionally, high-stress roles like SOC analyst or incident response can quickly lead to burnout if guidance and support aren't provided. Overall, bridging these gaps through mentorship, hands-on experience, and practical guidance is essential to help students launch and grow their careers successfully.
PF: Through ISACA, you've also contributed to advancing professional knowledge in information security. How does peer review influence the maturity of the field?
RJ: Many professionals in this field know that ISACA is a global professional association and learning organization with over 185,000 members working across digital trust areas such as information security, governance, risk, policy, and quality. ISACA Engage serves as a comprehensive online community and volunteer platform where members can connect, network, and grow their careers in IT audit, risk, security, and governance.
I have actively participated on the ISACA Engage platform by initiating discussions on topics such as information security, governance, and risk management. These discussions often spark ongoing conversations with other members, bringing in diverse perspectives and real-world experiences. The exchanges typically lead to meaningful conclusions that everyone can benefit from, helping members enhance their knowledge and apply it in their careers. It has also helped me in volunteering programs, such as peer review initiatives at National CyberWatch, by fostering a collaborative learning environment that strengthens professional development.
PF: Many cybersecurity professionals possess certifications and technical training, yet struggle to advance into leadership roles. Based on your experience, what differentiates those who make that transition?
RJ: In my experience, the professionals who successfully move from technical roles into leadership stand out not just because of their certifications or technical skills, but because of how they approach problem-solving, communication, and influence. They think beyond individual systems or incidents and start seeing the bigger picture—how security aligns with business goals, regulatory requirements, and organizational risk. They can explain complex technical issues in a way that leadership, auditors, or other non-technical stakeholders can understand and act on.
Some of the other key capabilities are relationship building, collaborating across teams, understanding the pressures other departments face, and the ability to make decisions under pressure, identify gaps, and propose solutions.
PF: Every year, it seems that financial institutions must face increasingly coordinated and global threat actors. What capabilities will define effective cybersecurity leadership over the next decade, particularly in organizations operating at a global scale?
RJ: Over the next decade, effective cybersecurity leadership in global financial institutions will be defined by the ability to combine deep technical understanding with strategic vision and operational agility. Leaders will need to anticipate and respond to highly coordinated, cross-border threats while aligning security initiatives with business objectives and regulatory requirements across multiple regions. This will require strong risk management skills, the ability to communicate complex security issues in clear business terms, and the capacity to build resilient teams that can act quickly under pressure. Leaders will also need to embrace emerging technologies, foster a culture of security awareness, and cultivate collaboration across internal teams, external partners, and regulators to stay ahead of evolving threats on a global scale.
© 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.