
Pritam Mukherjee is Lead Specialist for IT (SAP) Application and Data Security, Governance, Technology Risk and Compliance at the New York Power Authority (NYPA), America’s largest state public power organization. As the senior leader for technology Governance, Risk, and Compliance (GRC), he is responsible for implementing the utility company’s 10-year vision for leveraging advanced technologies and ensuring data security across multiple business processes. In this critical initiative, he has led and continues to oversee the design and management of SAP security and GRC solutions across the utility’s digital transformation, including role design, user provisioning, and access controls.
Pritam has worked at the cutting-edge of IT for nearly 20 years, and is widely regarded as a subject matter expert in IT Application Security, GRC, AI, ML, and Financial Data Analytics (Fintech). While integrating SAP Analytics Cloud (SAC), Artificial Intelligence (AI) and Machine Learning (ML) tools to enhance enterprise data protection and improve operational efficiency, he designed and developed the SAC Security system architecture and policies governing the organization’s multiple business processes, and the AI Governance and Risk Framework, including AI ethics and ML technology models and platforms for his organization’s vision and mission. Pritam additionally conducted risk and vulnerability assessments to identify and mitigate potential security risks in IT and business systems, and ensure compliance with industry regulations, collaborating with stakeholders in cross-functional teams across 14 departments to implement secure SAC modules for Financial Planning & Analysis, Budgets Digitization, and others, that in aggregate involved nearly 65 data feeds and more than 40 profit centers across a decade-spanning planning horizon.
Among his many career accomplishments, Pritam presented a case study about this complex digital transformation project at the 2023 Americas’ SAP Users’ Group (ASUG) New York City conference, the premier event in North America for organizations currently using or considering SAP systems, where he shared his professional expertise in eliminating manual data handling, introducing automation, improving data accuracy, and streamlining and centralizing forecasting and reporting data. Additionally, while overseeing digitization efforts, he was engaged in leveraging AI and ML technologies to facilitate the utility company’s commitment to sustainable product development towards green and clean energy.
Pritam received a Master’s degree in Financial Innovation and Technology (MFIT) from the prestigious Smith School of Business at Queen’s University in Ontario, Canada, which pioneered advanced education programs integrating finance and technology. He previously earned a Master of Technology degree in Computer Engineering from the University of Calcutta, India, and a Bachelor of Technology in Computer Engineering degree from India’s Jalpaiguri Government Engineering College. He is an alumnus of the McKinsey Asian Leadership Accelerator Program.
We spoke with Pritam about the implications of IT application security, the challenges involved in leading the Application Security & Control space in a massive digital transformation process, his experience in implementing a Technology Risk management framework for AI/ML tools, and navigating GRC in the era of emerging technologies.
Q: Pritam, from your first professional role at global leader Tata Consultancy Services (TCS) through positions at major manufacturing, pharmaceutical, and public utility companies, you have specialized in IT Application, Data Security, and GRC. What led you to this niche space, and what later attracted you to the public utility industry?
A: It was a remarkable journey of learning. Starting an early career with TCS always gives a tech professional an advantage. Interestingly, information security was not my first career choice when I started with TCS. They provided me with excellent mentors and educational opportunities, and as I gained global work experience, I found that I was very interested in directing my career towards information security and risk management. At that time, there were not many people working in this field and there were a lot of grey areas. So, developing my career in that environment enabled me to grow in the field.
The utility sector has been my principal area of domain expertise since the earliest days of my career. Although most of my work was focused on utilities, I also had opportunities to develop expertise in the manufacturing, automotive, retail, and pharmaceutical industries. But I always wanted to work in a large public utility organization, where I could utilize my skills and contribute directly to the public good, especially in the critical area of application security. The ever-increasing demand for cybersecurity in the current environment makes my work now particularly meaningful.
Q: You have held leadership positions in your specialized domain for nearly 20 years. As an expert in Enterprise Resource Planning (ERP) Application Security and SAP systems, you have lived and worked through the most cutting-edge and complex technology introductions, from SAP S/4HANA to AIML. Tell us about how you gained the exceptional experience required to lead these digital transformations, and how these IT evolutions have impacted your field of expertise.
A: Over the last decade I have had valuable opportunities to work with leaders across the globe, from India, Singapore, and Australia, to multiple states in the US. These engagements provided me with exposure to multiple functional domains and an understanding of the functional aspects of diverse businesses, as well as the opportunity to learn and develop innovative solutions and best practices related to Application Security and GRC, particularly in SAP technologies. These experiences have helped me to grow and contribute in this dynamic and challenging area, and have shaped my leadership skills along with my technical advancement. My certification journey in the McKinsey & Company Leadership Program also helped me to think out of the box and utilize an impactful strategic approach, as a technology leader in my field of expertise, to add value to my organization’s digital transformation.
Technology risk management is one of my favorite domains. I also had the opportunity to acquire valuable knowledge in the areas of AI and machine learning (ML) as part of my academic journey, and I wanted to create a bridge between my experience in Application Security and Risk Management and cutting-edge AI/ML technologies. This inspired me to lead an experiment and create a foundational AI/ML Technology Risk & Control framework related to the AI technology lifecycle for my organization, which was ahead of its time. It was audited, tested, and subsequently approved and ready for use as a reference for an AI technology audit for enterprise AI applications, both on-premise and cloud.
Change is the only constant for technology. The technological evolution is driving us towards digitization. The more technology advances, the more our challenges as IT Security professionals will also increase, due to unknown threats. Our field of practice is gradually becoming more adept at combating those challenges, as compared to 10-15 years ago. We are now utilizing innovative AI tools to mitigate the threats that are continually evolving with emerging technologies.
Q: As the Lead Specialist for IT Application and Data Security, your role must bear a tremendous responsibility for protecting your customers, both in terms of their data security and securing the technology operational systems that enable the company to function. What are the challenges you face daily, and how do you mitigate risk that could be highly crippling and damaging?
A: In any organization, whether utility, retail, manufacturing, or other sector, there are numerous challenges in our day-to-day activities. Some of these are technological, some are organizational, and some are related to my area of expertise: Application Security & Control. There are a huge number of unknown surprises and challenges in the security area.
First, it is very difficult to maintain a minimum level of security for legacy systems that are devoid of contemporary security features, while adhering to dynamic technology laws. Second, there is often a restricted capacity to upgrade because of vendor limitations, operational requirements, or financial limitations. It can be quite challenging to make sure that old IT infrastructure and new security solutions work together without interfering with services. Walking the tightrope between the adoption of the new mandates and strong opposition to change is very common for us. It is also very challenging to maintain the balance between security control and business needs, specifically for small and mid-sized organizations.
Risk mitigation is a combination of science and art. If the organization maintains a data-driven and risk-aware culture, then it becomes a little easier. But, sometimes normal challenges can be highly damaging. For example, not aligning with industry regulations can be detrimental for entire organizations. Periodic auditing and having up-to-date knowledge can mitigate this risk and help the organization stay compliant. Overall, proactive risk identification and assessment is necessary for appropriate responses and to avoid detrimental impacts. Taking a preventive control approach is more efficient to minimize risks, as opposed to the effort involved in discovering risks in a reactive approach, after the fact.
Q: Clean or green energy is a hot topic of discussion in the energy industry, as different global energy companies are leaning towards creating a more sustainable environment by adopting clean energy initiatives with environmental benefits. NYPA is no exception, and the organization has broad mandates for clean energy. More than 80% of the electricity it produces is clean, renewable hydropower, and its projects create 440,000 jobs. From an IT security and GRC perspective, how can you support your organization’s green commitment to create clean energy and sustainable product development?
A: I have strong support for my organization’s clean energy initiative, as it has a significantly positive impact on the environment. But we need to ensure that sustainability initiatives are secure, compliant, and resilient. We can achieve these goals by integrating appropriate IT Application Security, Governance, Risk and Compliance measures. We can ensure the alignment of regulatory compliance related to green tech, such as ISO 14001, ESG regulations, and the NIST framework specific to sustainability. We can think of implementing sustainable technology infrastructure and adopting green data centers in a cost-effective approach. Adopting secure IoT (Internet of Things) and industrial control systems, and AI/ML technology applications, including models with low carbon emissions, can be effective for our organization. Real-time threat monitoring and incident response can provide an effective path to successful, secure, and sustainable product development, to create clean or renewable energy.
Q: In your presentation for the ASUG conference, you discussed your organizational application security and governance journey. Can you share some of the key takeaways that will be helpful to other business and IT leaders managing similar transformations?
A: I think data protection and the application security mechanism is one of the most important aspects for consideration in any digitization journey. The selection of appropriate applications and tools based on the organization and its functional requirements is critical. For example, SAP Analytics Cloud can be an excellent tool for digitizing reporting aspects of various functional areas, like Budget, Financial Planning and Analysis (FP&A), Treasury, etc. Protecting data while we are presenting it through a reporting dashboard should be one of the key considerations. All principles and guidelines related to Application Security & Control should be implemented, following both industry best practices and organizational goals. In cases of technical limitations, specific processes need to be defined, aligning with industry best practices.
Continuous monitoring, periodic auditing, addressing the concerns of the process owner, and learning from any issue can be the key to success in the Application Security & Control area. This will further enhance the digital transformation for the entire organization.
Q: You are involved in multiple organizational initiatives including AI/ML and digital transformation. What unique and critical professional experience do you bring to technology innovation?
A: When we embark on multiple initiatives over time, gaining different experiences is inevitably valuable to designing technology solutions. For example, I can remember when we had to define processes and customized features for change management in a cloud application, following the segregation of duties concept, while it was technically challenging. We were required to separate Development from the Production environment for digitization initiatives of financial processes. This was extremely critical with respect to ITGC control, and unique because of the technical limitation within the specific tool that was already implemented.
I also led my team in building the risk and control management framework for AI technology risk related to the AI application technology lifecycle. We completed successful piloting for a similar framework for an Open AI application. Both were very unique, and in developing these frameworks we were ahead of the industry standard, including the regulatory authorities.
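The segregation-of-duties (SoD) principle that Pritam mentions, and the Development/Production separation he describes, are usually enforced as a rule set evaluated over each user's combined role assignments, both as a periodic audit and as a preventive check before a new role is granted. The following is an added example illustrating that check; it is not NYPA's or SAP's code, and the role names, actions, conflict rules and user assignments are all constructed for illustration.

```python
"""Segregation-of-duties check over role assignments (added example).

Not NYPA's or SAP's code. ROLE_ACTIONS, SOD_CONFLICTS and USER_ROLES are
constructed sample data; real systems derive them from the role catalogue
and the provisioning records.
"""

# Constructed: the business actions each role grants.
ROLE_ACTIONS = {
    "AP_CLERK":       {"create_vendor", "enter_invoice"},
    "AP_APPROVER":    {"approve_payment"},
    "GL_ACCOUNTANT":  {"post_journal"},
    "DEVELOPER_DEV":  {"change_code"},
    "TRANSPORT_PROD": {"deploy_to_prod"},
    "SECURITY_ADMIN": {"assign_roles"},
}

# Constructed conflict matrix: pairs of actions one person must never hold together.
SOD_CONFLICTS = [
    frozenset({"create_vendor", "approve_payment"}),   # classic vendor/payment fraud pair
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"change_code", "deploy_to_prod"}),      # Development vs. Production separation
    frozenset({"assign_roles", "approve_payment"}),    # admin must not self-grant finance rights
]


def effective_actions(roles, role_actions=ROLE_ACTIONS):
    """Union of all actions granted by a user's roles (unknown roles grant nothing)."""
    actions = set()
    for role in roles:
        actions |= role_actions.get(role, set())
    return actions


def find_sod_violations(user_roles, role_actions=ROLE_ACTIONS, conflicts=SOD_CONFLICTS):
    """Detective control: return {user: [sorted conflicting action pairs]} for every
    user whose combined roles satisfy at least one conflict rule."""
    violations = {}
    for user, roles in user_roles.items():
        actions = effective_actions(roles, role_actions)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= actions]
        if hits:
            violations[user] = sorted(hits)
    return violations


def simulate_assignment(user_roles, user, new_role, **kw):
    """Preventive control: list the conflicts that granting new_role to user
    would create, so provisioning can be blocked or routed for approval."""
    proposed = set(user_roles.get(user, set())) | {new_role}
    return find_sod_violations({user: proposed}, **kw).get(user, [])


# Constructed sample provisioning records.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob":   {"AP_CLERK", "AP_APPROVER"},
    "carol": {"DEVELOPER_DEV", "TRANSPORT_PROD"},
    "dave":  {"GL_ACCOUNTANT"},
}

if __name__ == "__main__":
    for user, hits in find_sod_violations(USER_ROLES).items():
        for left, right in hits:
            print(f"{user}: holds both '{left}' and '{right}'")
    print("alice + AP_APPROVER ->", simulate_assignment(USER_ROLES, "alice", "AP_APPROVER"))
    print("dave + AP_APPROVER  ->", simulate_assignment(USER_ROLES, "dave", "AP_APPROVER"))
```

The conflict rules are expressed over actions rather than role names so that a new role that bundles an existing action is caught without editing the rules; the same rule set serves both the periodic audit (`find_sod_violations`) and the provisioning-time gate (`simulate_assignment`).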
Q: In 2024, a leading GRC magazine published an article you wrote about navigating Governance, Risk, and Compliance in the era of AI and ML. What are your key messages for IT professionals working in the GRC domain? What do organizations need to know about new risks and regulations associated with new technologies, and how to operate in an ethical and compliant manner?
A: As IT professionals in the GRC domain, we need to stay current with new threats, emerging risks, cutting-edge technologies, and new industry regulations to combat the unknown and undesirable situations that are becoming more and more possible in this digital world. Risks specific to AI-driven systems can include data poisoning, adversarial attacks, and model drift. To proactively handle such dangers, IT professionals should incorporate AI risk assessments into conventional risk management frameworks.
AI has the potential to be a very useful tool for automating cybersecurity risk management, fraud detection, and compliance chores. To improve productivity and decision-making, IT workers should investigate AI-driven GRC solutions, but GRC teams must create governance policies tailored to AI, making sure that they are in line with the company’s risk appetite and legal requirements. This includes establishing precise accountability frameworks for AI decision-making.
As governments and regulatory agencies work to improve regulations to address algorithmic bias, data privacy, and ethical AI, AI/ML present new compliance difficulties. IT workers need to keep abreast of changing laws like the CCPA, GDPR, and new frameworks for AI governance.
It is essential to guarantee accountability, openness, and justice in AI models. To reduce ethical hazards, organizations must put in place explainability procedures, bias detection instruments, and strong data governance guidelines. This enables any ethical issues to be addressed in a compliant manner.
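Of the AI-specific risks listed in this answer, model drift is the one that most naturally turns into a monitoring control: the distribution of a model's inputs (or scores) in production is compared against the distribution it was validated on, and a divergence above a threshold raises a ticket. The following is an added example of one common drift metric, the Population Stability Index (PSI); it is not NYPA's framework or code. The bin edges, the sample distributions and the 0.10 / 0.25 thresholds are constructed here (those thresholds are a widely used rule of thumb, not a regulatory value).

```python
"""Model-drift monitoring with the Population Stability Index (added example).

Not NYPA's code. BIN_EDGES, the thresholds and the sample distributions are
constructed; in practice the baseline is the validation-time distribution and
the current window is the last N production predictions.
"""
import bisect
import math

# Constructed: bins over a feature (or score) that lives in [0, 1].
BIN_EDGES = [0.0, 0.2, 0.4, 0.6, 1.0]


def histogram(values, edges=BIN_EDGES):
    """Fraction of values falling in each bin. Out-of-range values are clamped
    into the first/last bin so they are not silently dropped from the check."""
    nbins = len(edges) - 1
    counts = [0] * nbins
    for v in values:
        idx = bisect.bisect_right(edges, v) - 1
        idx = min(max(idx, 0), nbins - 1)
        counts[idx] += 1
    return [c / len(values) for c in counts]


def psi(baseline, current, edges=BIN_EDGES, eps=1e-6):
    """PSI = sum((cur - base) * ln(cur / base)) over bins; 0 means identical
    distributions. eps keeps an empty bin from producing log(0)."""
    base_pct = histogram(baseline, edges)
    cur_pct = histogram(current, edges)
    total = 0.0
    for b, c in zip(base_pct, cur_pct):
        b, c = max(b, eps), max(c, eps)
        total += (c - b) * math.log(c / b)
    return total


def drift_status(psi_value, warn=0.10, alert=0.25):
    """Constructed rule-of-thumb thresholds: <0.10 stable, 0.10-0.25 warning, >0.25 drift."""
    if psi_value >= alert:
        return "drift"
    if psi_value >= warn:
        return "warning"
    return "stable"


def check_drift(baseline, current, edges=BIN_EDGES):
    """Return (psi, status) for one monitoring window."""
    value = psi(baseline, current, edges)
    return value, drift_status(value)


# Constructed samples: 100 scores each, built from four mass points so the
# bin percentages are exact and the PSI can be checked by hand.
BASELINE    = [0.1] * 20 + [0.3] * 30 + [0.5] * 30 + [0.7] * 20   # 20/30/30/20 %
MILD_SHIFT  = [0.1] * 10 + [0.3] * 25 + [0.5] * 35 + [0.7] * 30   # 10/25/35/30 %
LARGE_SHIFT = [0.1] * 5  + [0.3] * 15 + [0.5] * 40 + [0.7] * 40   #  5/15/40/40 %

if __name__ == "__main__":
    for name, window in [("same", BASELINE), ("mild", MILD_SHIFT), ("large", LARGE_SHIFT)]:
        value, status = check_drift(BASELINE, window)
        print(f"{name:6s} PSI={value:.4f} -> {status}")
```

For the large shift the hand calculation is (0.05-0.20)ln(0.25) + (0.15-0.30)ln(0.5) + (0.40-0.30)ln(4/3) + (0.40-0.20)ln(2), which comes to roughly 0.479, well past the alert threshold; a real deployment would run this per feature and per score band on a schedule and log the result alongside the model version so the drift event is traceable in an audit.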
Q: In addition to your many technical responsibilities, you are heavily involved in training and mentoring the workforce. This includes conducting security awareness training programs for employees enterprise-wide to promote an IT security-conscious culture, and working to instill this security mindset in the IT and business teams by managing internal and external resources, including hiring, project and operational engagement, employee training, and career development. In closing, tell us why is this a priority for you, and how others can create a security-focused culture.
A: A security and risk-conscious culture is an imperative for any organization. All staff members, from executives to frontline staff, actively participate in protecting the company when there is a robust security culture in place. A workforce that is concerned about security makes sure that new technologies are adopted with risk reduction in mind. Promoting security awareness guarantees that staff adhere to appropriate data protection protocols. Professionals who have received training on security best practices are able to identify questionable activity and promptly report such dangers.
Furthermore, a security culture guarantees quick reactions to threats and helps avoid expensive incidents. By encouraging a security attitude, employers may make sure that workers actively participate in compliance, rather than seeing it as a chore. It takes constant dedication, instruction, and reinforcement to create a culture that is security-focused. Businesses can lower risks and increase resilience against cyberattacks by establishing cybersecurity as a shared responsibility at all organizational levels.
Start by aligning your security approach with business objectives, clear policies and mandates, and promoting secure technical environments, including technology applications and equipment. Regular, engaging training, drills, and role-based security education are the principal components that promote a security-focused organizational culture. Above all, leadership commitment and support are a primary necessity. Achieving a security-focused culture demands a top-down approach, from the C-suite to employees at every level of the enterprise.