
OCC People: Five Minutes with Devin Bhatt


Devin Bhatt is the Chief Information Security and Privacy Officer.

What does a CISO do?

Great question. The Chief Information Security Officer (CISO) role and responsibilities are continuously evolving as cybersecurity is a hot topic for the corporate board agenda, the regulators, and all organizations with sensitive data.

The CISO develops the vision and strategy for the agency-wide information security program and executes the strategy. The CISO informs senior executives and business units about cyber risks and recommends controls to mitigate the risks. Here at the OCC, I am also the Chief Privacy Officer, which means that I’m responsible for the agency’s privacy program. The program requires implementation of many security controls to protect confidential information.

Chief Information Security and Privacy Officer Devin Bhatt

I manage a team of dedicated security and privacy professionals who develop policies, perform security assessments, and test OCC systems. The team also implements a variety of information technology solutions to protect sensitive information.

What do you like most about the OCC?

The OCC’s mission and the Comptroller’s focus on cybersecurity make it very interesting and attractive. Mr. Curry has set an exemplary “tone at the top” about cyber security, and other senior executives, including Tom Bloom and Ed Dorris, have provided additional support and leadership for developing and maintaining a successful cyber security program.

The OCC mission is very appealing. It gives me a sense of personal pride to be part of such a historic organization that plays a significant and major role in keeping our national banks and federal savings associations safe and sound. When I took the oath as a federal employee on my first day at the OCC, it touched my heart. I truly consider this an honor and a privilege to serve in my role as a CISO.

How long have you been with the OCC?

I am the new kid on the block. I have been with the OCC since February of this year. I bring 24 years of security experience with the last 10 years dedicated to payments, banks, and financial services, which are directly applicable to the OCC. With the fast pace of work here, it feels like I have been here much longer.

There has been a lot of talk about cybersecurity in the media. What do you think is the OCC’s greatest challenge in this area?

The frequent headline news stories about security breaches at the well-known retailers, multi-million dollar fraudulent ATM heists, and denial of service attacks on the financial industry draw a lot of attention to cybersecurity.

Our adversaries include financially motivated criminals, hacktivists, and even nation-state sponsored units known as advanced persistent threats (APT) who may use sophisticated social engineering attacks on the employees and contractors of organizations like the OCC. As the sophistication of the cyber attacks increases, our information security department and the cybersecurity program, the technical defenses, and our culture must be enhanced quickly to defend against such asymmetric cyber threats.

The old security model focused on network perimeter security to keep the unauthorized people out, but the new model requires data-centric security to protect data wherever it may reside. We have a large number of bank examiners who are mobile, and we must balance the need for mobility, access, and security.

Like many organizations, the OCC faces the challenge of growing a culture of security, where security is built into everything we do. We must hold ourselves to the same high security standards we expect from the banks we regulate.

Many organizations that recently became victims of cyber crime were compliant with many industry security standards and other regulations, but compliance does not automatically equal security. Compliance is a snapshot in time, so ongoing assessments and continuous testing and monitoring are critical. Building a defense-in-depth strategy -- which means deploying multiple layers of controls covering technology, operations and people -- is a must.

What professional accomplishment are you most proud of?

One of my previous employers recruited me after a breach to develop a best-in-class security program to prevent any future breaches. That organization became the first in the world to encrypt one of the largest data warehouses and the first service provider in the travel industry to become compliant with the stringent Payment Card Industry Data Security Standards. We were able to make “Security” a competitive advantage and rebuild the customer trust and reputation. As a result, CSO Magazine presented me with an award in 2007, which put me in the company of an amazing group of elite security thought leaders. I was humbled to be recognized for going out of my way to be a funny Inspector Clouseau to increase security awareness in the organization. The higher level of security helped with the reputation as well as became a competitive advantage in earning new revenue generating business.

What do you do in your spare time?

I love to listen to a wide range of music, because I have two musically talented daughters. I am an avid reader and love researching cyber crime. I also volunteer for different causes ranging from helping charitable organizations, encouraging cybersecurity and STEM (Science, Technology, Engineering, and Mathematics) education at all levels, and promoting public-private sector partnerships for innovative security technology solutions.

Last Updated: 08/23/2016