13 апреля 2023
Vladislav Son

“Any Player That Seeks to Be a Market Leader Needs to Understand That There Is Always a Cyber-Risk”

Interview with Subra Kumaraswamy, Chief Information Security Officer (CISO) at Visa

“Any Player That Seeks to Be a Market Leader Needs to Understand That There Is Always a Cyber-Risk”

The rapid digitalization of businesses on the back of the COVID-19 pandemic, and new geopolitical crises have multiplied threats and risks in recent years, placing cybersecurity in the spotlight. Visa, a company that oversees the movement of $14 trillion each year globally, invested over $10 billion in technology and infrastructure, including fraud prevention and cyber security in the last five years. Vlast talked to its CISO Subra Kumaraswamy about current cyber issues, geopolitical instability risks, and what businesses should do to protect themselves.

By becoming increasingly reliant on digital technologies, businesses can access a wider range of opportunities. Yet, at the same time, companies can also become more vulnerable to threats and risks of cyber-attacks. How would you break down the landscape of cybersecurity today and explain why it is crucial for businesses to consider it as the main focus?

The big shift that happened from IBM’s huge Mainframe in the 1960s to Intel’s more flexible X86 platform allowed companies to run smaller servers at a scale. This, alongside open-source software has helped companies reduce barriers to adopt new technologies.

If you look at computing technology advances in waves, for the past decade we have lived in the cloud computing wave. This means more connected enterprises, better positioned to adapt to new technologies. Digital technologies develop at a faster pace compared to traditional industries: digital companies are constantly updating and releasing new features, making sure that customers are given the right user experience. So, if customers are demanding that from businesses, the latter cannot act like a car manufacturer. Constant accessibility requires businesses to be more agile. If we look at companies in the fintech space some of them are releasing features every day or sometimes every hour.

Developers, architects, product managers, and marketing professionals are coming together to dynamically configure their products because the user experience of their customers can differ due to various forms of technologies and devices they use – be it laptops, smartphones, Android or iOS – which are also evolving fast. So, the user experience has to be right with whichever technology a customer is comfortable with. And that creates a bigger challenge because all these technologies need to be secured, companies have to make sure that their products are not opening up any kind of back doors for unauthorized access to personal or sensitive data.

This is a process that cannot be reversed: once data is stolen, you cannot bring it back.

As we always say, “the good guys have to win all the time, but the bad guys need to win only once” to ruin a company’s reputation and send away customers.

So, businesses have to constantly improve their threat models to detect bad behavior. It takes a different approach and mindset: nowadays, delivering a delightful product with a great user experience and features is not enough. The products must be designed with pessimistic thinking and ‘secure-by-design’ principles.

What are the ways to ensure that products are secured?

This is where a company’s cyber security structure comes in. One of the principles we use is called “pessimistic design”: we think about what can go wrong. A good product design does not guarantee the absence of bugs and flaws that can result in hackers abusing it. So, we need a strong plan for prevention. The introduction of new features and updates at a high-speed means that there are always situations in which we may not be able to prevent everything. Therefore, we need in place a strong layer of monitoring for any kind of anomalies, we call this system “defense-in-depth”.

The system features multiple layers: prevention, detection, response, and recovery. We need to ensure that every product meets privacy, regulatory, and compliance requirements.

The cybersecurity structure works closely with developers, product managers, and architects. It works out scenarios by which the product can be abused so that they can then quickly ensure it is designed with in-built security. The cyber security organization helps businesses build all necessary protections into the product, makes the teams aware of the threats, and trains them to think like a hacker. Not every developer has a hacker’s mindset.

One of the most complex functions of cybersecurity is communication. We are required to interact with customers, raising awareness about threats, challenges and changes, and reassuring them that their data is secure. Beyond IT teams, it is also marketing, HR, finance, and other departments which need to be trained to think about cybersecurity.

Most companies are “connected enterprises” because they depend on external products and services, for example, security analytics software (SAS). Because their output depends on some other partners and suppliers, they have to make sure that third-party products are also secured. So, now the cyber security job is also to manage third-party risks.

What are the key challenges and risks that organizations managing large financial flows such as banks, fund corporations, or state organizations, face nowadays?

First of all, strong governance is needed. Products should not be released without proper verification. For example, a drug cannot be bought in the US until it is approved by the FDA. Similarly, with modern technologies, when a product or service is released to the customers, the governance of the company has to make sure that it has gone through sufficient testing to stand the pressure of hacking.

Any player that seeks to be a market leader needs to understand that there is always a cyber-risk, and without proper protection it can negatively affect the brand and reputation.

Second, it is key to have cybersecurity in the company’s DNA. For instance, at Visa we always say the cyber’s job is number one. Everything starts with it. When this tone is set at the top, from the board and to the executive team, it percolates all the way down the organizational structure. Product managers, developers, and architects think about mitigating cyber risks and protecting the company’s reputation which result in building strong products. They have a hacker mindset, use the “pessimistic design” principles, and have what we call a healthy paranoia. When the company has it all set, everything else just falls together.

The third challenge is talent. Companies must make sure they have excellent talents, who can think smartly because criminals and crooks are constantly reinventing their techniques. Therefore, companies have to look for strong talents, train the existing ones to think about different ways of protecting the organization from constantly evolving threats, and hire leaders who can always give feedback to their teams. Such a strategy allows them to stay ahead of the curve.

However, finding good talent is not easy because universities and companies are not able to produce as many as the market demands. There are about 8.1 million jobs in cybersecurity today, and we are 3.4 million short. An internal training program for developers within each company should be a part of risk management.

Staying on top of regulatory issues is another challenge. Thousands of changes can happen within a short amount of time. It is not easy to know and foresee them. Companies need to be constantly educated about regulatory requirements. And sometimes companies also have to educate the regulators so that they understand what is being done and how it is really minimizing the risk for businesses.

Managing fraud is another area of risk. Today, cybersecurity responsibilities and functions among departments are interconnected. At Visa, for instance, cyber, fraud and privacy staff are sitting next to each other. They always have to communicate with each other and work as one team for a common outcome.

Let’s talk about cybersecurity in a geopolitical context. The Russian invasion of Ukraine has caused more cybersecurity issues and increased the number of risks and threats that companies can face. Do you face similar concerns at Visa?

There will always be global events that are going to cause concern, so, the challenge is to identify the threat actors, because on the internet it is harder to understand who is behind the attack.

And yet you must know who the source of the harm may be. In the context of geopolitical instability, you must understand what part of your business is vulnerable. There could be potential threat actors from different countries, who want to get a head start with your intellectual property.

When the Russia-Ukraine war happened, obviously it took place in both the digital and real worlds. The adversary can now impact utilities such as power plants or water treatment plants. Protecting these critical infrastructures for the citizens is important. Ensuring that you understand, who may be the threat actors and what kind of assets they are going to come after, is going to be a part of the thinking all the time.

Because of this geopolitical instability, there could be a catastrophic cyber event in the next two years according to the Global Cybersecurity Outlook 2023 issued by the World Economic Forum. What measures can you take to weather such an event?

While it is hard to foresee the future, we need to prepare. Companies need to be aware of the worst-case scenario. If you look at what happened in the last two years, many companies, that thought they were secure, suffered ransomware attacks. I am sure that from the get-go they had not thought about what the worst-case scenario could be.

Planning for the worst case takes a sizable investment. But at least you know there are options to mitigate and recover quickly. A catastrophic event may take your business down. You can live with it being down for a day, but surely not for a week or a month. We also constantly think about potential cyber wars, because when it happens, it is going to be asymmetric: Who is going to have an upper arm? It all depends on which country has the weakest link and whether they are prepared for it.

But I cannot say for sure that there will be one big event. I am more worried about daily events. There are still a lot of companies not paying attention to the basics of cybersecurity. Unfortunately, today there is a little bit of asymmetry between companies that do well versus companies which cannot invest enough in cybersecurity.

Do you feel optimistic about cyber resilience in the future?

Yes, I am optimistic. We are living in a hyper-connected enterprise, and everything is digital. A lot more countries and companies recognize that this is a core asset for them. They know that the economic impact is higher. As a result, I see more attention toward education. We have to ensure that universities are teaching cybersecurity and that we start thinking about cyber much earlier in high schools. If there is a market opportunity, folks will gravitate towards it and make money out of it.

Just 20 years back, the cyber industry wasn't that big. As the economy grew more digital, companies popped up to fill a gap. That is because there was an opportunity to offer cybersecurity services to protect company investments, brand, and reputation. The market essentially created an opportunity to make money. So, if cybercrime is growing at 8 to 10% a year, the cyber impact will be more than $10 trillion dollars in the next three years. New entrepreneurs will emerge, governments will invest.

In the last six-seven years, cyber insurance has exploded for companies that cannot afford to take cyber risks but cannot invest into cybersecurity. This way, they at least can have an insurance model. This is one of the latest trends.

Also, innovations in AI represent a huge opportunity for companies and are out there for entrepreneurs to capitalize on them. AI can help companies to be much more efficient, agile, and better equipped to stay ahead of the threats.