UAE Exchange CISO Venu Sriraj discusses how the firm is protecting two of the most valuable assets of its customers – money and data.
With a global network of 800 branches across 28 countries in five continents and serving millions of customers every year, UAE Exchange is well aware of the importance of customer and transaction data. This is why it is imperative for the company to deploy the technologies and processes necessary to protect these assets.
Led by Venu Sriraj, who has 15+ years of experience, the Information Security function at UAE Exchange is where the data is curated under strict processes with the help of advanced security technologies. “Our strategy is to ensure that the sanctity of data security is maintained, particularly at a time when privacy has become vulnerable in today’s technology-driven world. For us, what matters more is to safeguard the company’s interest from any known and unforeseen threats, protect customer data, ensure market compliance, and enable business continuity.”
With a 25-member team, the Infosec division of UAE Exchange focuses on the twin goals of the Information Security function – Information Security Programme Management and Cybersecurity Operations.
“The Information Security Programme Management division largely focuses on governance, risk and compliance. We ensure that processes and procedures outlined by the company are carried out in compliance with both internal and external security policies, standards and regulatory diktats,” he explains.
The team also focuses on augmenting business continuity by collaborating with cross-functional teams. This is central for the division as UAE Exchange caters to expatriate workers, who account for 75 percent of the country’s 9.5 million population, and processes billions of dirhams in salaries and remittances while also handling an immense amount of customer data.
Having a global presence means the organisation handles large volumes of information such as customer, card and transaction data. The team must therefore ensure that its processes comply with various security standards, including the Payment Card Industry Data Security Standard (PCI DSS) and ISO 27000, and with global data protection frameworks such as the EU’s GDPR, Malaysia’s Data Protection Act and Hong Kong’s Personal Data (Privacy) Ordinance, among others.
“In the case of Cybersecurity Operations, the predominant task is ensuring that we have the right processes and technologies in place to deal with potential cyber threats and vulnerabilities,” says Sriraj. “We have to be prepared to quickly respond to cyber threats and mitigate their impact on the business. Therefore, a key responsibility of the Cybersecurity Operations team is making sure that we are equipped with all the tools necessary in responding to cyber-attacks.”
As part of this process, the Infosec team has identified key core security processes and integrated them into the company’s security operations. These processes and solutions focus on incident detection and response, application security, threat intelligence and vulnerability management, as well as user identity and access management. These are critical core security processes which have been implemented and see continuous investment.
“Today, cyber threats are evolving at a rapid pace and hence, we believe that it is vital that we constantly develop processes to ensure that our defences are strong enough to address potential vulnerabilities,” explains Sriraj. “Creating security awareness among people is a vital aspect of our strategic agenda as users are typically regarded as the weakest link in the cybersecurity chain. You can have all the best technologies available but with just one click on a malicious link everything can go wrong. That’s why security awareness is an important part of our strategy. We view it as a key principle rather than process.”
The Infosec team at UAE Exchange has curated a comprehensive security awareness programme, which comprises a wide range of activities, from learning campaigns and security training to phishing assessments. The training sessions are conducted monthly and the phishing assessments every quarter.
“At UAE Exchange, the workforce is educated on the emphasis of security as an enabler for business growth instead of treating it as a hindrance. We want cyber vigilance to be a norm within the company so that each member of our workforce is equipped with the knowledge needed for when an actual security incident occurs.”
Sriraj’s foresight has also helped in reconstituting and streamlining the security processes, resulting in an enhanced user experience. “The Management has always been supportive when it comes to technology and security innovation. Over the years, I have seen a dramatic rise in their collective interest in increasing the protection of our day-to-day business operations and more importantly our customers’ privacy.”
Looking ahead, Sriraj believes that in the coming years, machine learning will be among the key technologies that will enable cybersecurity for financial organisations such as UAE Exchange. “We handle huge volumes of data and run multiple processes on a regular basis and machine learning can help us sift through hundreds of thousands of security events per day much faster and improve the detection and response to these incidents. This is something that we have started investing in and we plan to continuously develop.”