July 15th, 2023.
Fellow Mobbster, Ante Gulam, is the CISO at SumUp, a global financial technology company that supports over 3.5 million micro and nano merchants in more than 30 markets worldwide.
Our Co-Founder & CEO, Eitan Worcel, recently sat down with Ante to discuss the challenges that companies like SumUp are facing in the financial technology space and the role Mobb can play in addressing these concerns. You can read their conversation below.
Hi Ante! To start, can you tell me a little bit about SumUp and what made you take on this exciting opportunity at the company?
That's a good question. Well, to start, SumUp is basically a global payments company that currently operates in 30-plus markets globally and basically provides payment services to those small merchants that are usually underserved in the existing markets. Over the last couple of years we have seen tremendous growth and have expanded our presence to other cities like São Paulo, Brazil, London, Barcelona, Paris, and Boulder, Colorado in the US. So pretty much all over the globe.
At SumUp my role is basically like being the CISO of 20 plus different organizations rather than being a CISO of one large organization. And I enjoyed the challenge of building and scaling an effective security program in such a fast-paced environment for the last three years.
That sounds very challenging! Can you tell me more about why security is more important in the financial sector?
In the financial sector, the importance of security cannot be overstated, and here's why:
Firstly, the realm of regulation. We operate across a myriad of markets, from the Central Bank of Ireland to the FCA in the UK, and even as far as the central banks in Lithuania and Brazil. Each of these markets brings its own set of rules, and staying compliant with all of them is a massive task.
Then there's the overwhelming responsibility tied to data. Imagine the trust placed in us; we're holding vast amounts of data from merchants and customers, processing billions of transactions through our terminals. The challenge of safeguarding this data is enormous. And if you consider the sheer volume, the weight of the responsibility becomes even more palpable. Every piece of data, whether it's moving or stored, needs top-tier protection.
Taking all these factors into account, it becomes clear: In our industry, security is not just a priority; it's absolutely non-negotiable.
I can’t imagine the amount of diverse challenges you face on a daily basis, especially from a security perspective. Can you highlight the top challenge you've encountered?
There are many, but the biggest challenge for anyone in security, especially in the product security space, is prioritizing the security measures themselves. Ideally, there would be a seamless integration of these security fixes into the fabric of operational excellence. In practical terms, this means engineering health should be a key component of every development sprint. Additionally, a designated portion of the backlog should be allocated specifically for addressing security issues.
The real hurdle here is the significant amount of time required from product security engineers. They often find themselves dedicating several hours to collaborate with various cross-functional teams, or 'tribes,' so to speak. And having been a CISO for the past decade, the recurrent complaints I hear can usually be summed up as: 'Team X is reluctant to address issue Y,' or 'Person A simply doesn't have the bandwidth to tackle issue B.' These are not just complaints; they illustrate the systemic challenge of aligning security priorities across different operational units.
In organizations like yours, with so many departments, M&As, and developers racing to stay ahead, there's immense pressure. How do you juggle security with these pressing business demands?
That's a good observation. The key is embedding security seamlessly into processes. We're aiming for security to be organically integrated into engineering, rather than seeming like an additional chore. We're acting as a central team, working to embed security measures directly into the development pipeline. This way, developers don't have to constantly weigh security against speed, because we're setting up the safeguards for them.
Some argue that as their DevSecOps matures, the multitude of security tools slows down their processes. It's like they're penalized for trying to be more secure. Have you encountered such sentiments?
Absolutely. As organizations like this scale, one inevitable byproduct is the accumulation of multiple tools and methods, each generating its own set of data. The sheer volume can be overwhelming, making it necessary to streamline and unify these solutions. Thankfully, new vendors are emerging with better ways to aggregate and contextualize this barrage of security data for better, more efficient decision-making.
Looking forward, the next big step would be automation in the actual implementation of fixes. Imagine not having to even think about prioritizing the vulnerabilities, because a system is already doing it for you, or even implementing fixes automatically. Effectively closing the loop!
Clearly, you recognize the value that a tool like Mobb offers. When I introduce Mobb to prospective clients, I always emphasize its dual benefits. Beyond its obvious contributions to enhancing security measures, Mobb's automation capabilities also significantly free up developer time. However, I've encountered a recurring viewpoint among some security professionals, who argue: 'I'm focused on security, so developers' time isn't my resource, and it is not a priority of mine.'
From the perspective of a CISO, what do you believe is the most valuable asset that a tool like Mobb brings to the table?
Luckily, I don't know anyone in the industry who would say, 'I don't care about that.'
Going back to that biggest challenge I mentioned earlier, that is exactly where most of the value is coming from with a tool like that. Because it doesn't require developers' time, you don't need to have those discussions with developers who don't want to do the right thing, and you get to use your time better.
It changes the whole narrative around it, and it also has a longer-term impact: it's not only fixing things but also educating engineers, showing them how the code gets fixed and the right way it should be done.
So, shifting from merely reporting on vulnerabilities to demonstrating risk reduction is a valuable change for someone in your role?
Precisely. With tools like Mobb, we can re-focus on things that matter, adapting to the ever-evolving landscape of security. The industry is moving beyond mere detection, and into automated remediation, which is the right direction, especially for rapidly scaling organizations.
And the real risk here is stagnation. If teams are always patching holes, they're not pushing the business forward.
Exactly! That's the sentiment we often face when urging teams to prioritize security.
Thank you for your insights, Ante. Always a pleasure talking to you.
Likewise, Eitan!
Interested in seeing it for yourself? Schedule your demo here. See how the magic happens.