The Challenge

As a Fintech company, there are many challenges around cybersecurity - such as the evolving regulations, data security as well as the increasingly sophisticated cyber threats. CardUp shares more about the key challenges facing fintechs in their blog post here.

Specifically, CardUp is looking for:

1. A cybersecurity strategy that combines up-to-date knowhow, understanding of the latest tools and trends, and an experienced cybersecurity team to handle it. 
2. Accurate understanding of data governance and integrity tools as the part of nimble and easily adaptive framework for the development and operations life cycle and policies. 
3. Cost-effective ways to manage tools and access to a team of cybersecurity experts.

Why Horangi

The team at CardUp first knew about Horangi in 2018, due to the buzzing startup scene in Singapore. During the 2018 Singapore Fintech Festival, CardUp’s team noticed Horangi's logo standing out from the competition, which prompted them to  speak with Paul Hadjy and the Horangi team. CardUp had been looking to engage with a cybersecurity vendor and decided to speak to Horangi to see if they could provide the solution to their cybersecurity challenges.

The Results 

CardUp has since been engaging Horangi for two cybersecurity services, (1) vCISO, Horangi’s CISO-as-a-service offering and (2) Penetration Testing.

vCISO (CISO-as-a-service cybersecurity consulting)

As a relatively-young startup, CardUp’s lean team wears multiple hats to meet the platform’s security needs. They understand the benefit of having  dedicated security experts in the field who understand the breadth of the security landscape, with more years on the ground, and in tune with the ever-evolving threat landscape. CardUp was looking for experts who would provide advice on emerging cybersecurity threats and the know-how to execute in cost-effective ways, all while maintaining the same level of controls and protection.

The team at CardUp realised that the wide availability of different products and services posed  challenging to parse through to truly understand which are the best cybersecurity products and services for the company. This is when CardUp looked at Horangi’s vCISO (CISO-as-a-service cybersecurity consulting) as a possible solution. 

CardUp engaged Horangi to develop their cybersecurity strategy by the means of carrying out a series of collaborative consulting sessions that discusses a set of problems and business objectives of CardUp – ranging from cost effective security infrastructure, to data security, to delve deeper into the realm of automated threat management

CardUp noted three reasons why they have engaged Horangi’s vCISO service and how it has helped the team.

1. Accessing a team of cybersecurity experts - By leveraging the Horangi team, CardUp noted that “Horangi has provided us access to a whole team of cybersecurity experts with different specializations as per our needs, and it always feels like you are engaging a hive mind.” This meant that CardUp always has a broad range of cybersecurity experiences to draw on instead of searching for experts in various domains and skills.
2. Leveraging Horangi’s tested methodology - CardUp set up strategic goals and the Horangi vCISO on the project proactively monitors the progress of the strategic goals, supervises the overall development, and provides consultation aligning with the business goals. The Horangi vCISO helps supervise the development and implementation of a security program based on industry frameworks (ie PCI-DSS, MAS-TRM, MAS Cyber Hygiene) that is “right-sized” and tailored. 

Since the Horangi vCISO has helped build the infosec function many times before, they have a clear strategy and idea on how to approach it based on the size of the company. “They have brought tested methodology for gap analysis, data classification, risk assessment, and developing a fit-to-business and manageable control set that can be turned into routine procedures and standards that appropriately manage risk at CardUp.” said Anand Nirgudkar, CTO at CardUp.

1. Cost effective - By engaging Horangi’s vCISO, CardUp manages to keep its costs low while still getting access to a range of experience and skills of cybersecurity professionals. CardUp noted that, instead of relying on one in-house person, the team is able to learn from experiences the Horangi has gathered by dealing with numerous types of problems across different industries and companies which can be applied to protect CardUp’s business while enhancing CardUp’s overall cybersecurity profile in the most cost effective manner.
   

Penetration Testing (Pentest)

There were two reasons why CardUp needed a pentest. Firstly, there was a regulatory need for fintechs to comply with standards and frameworks such as PCI-DSS, MAS-TRM, and others. However, secondly and more importantly, CardUp wanted to ensure security is embedded and part of the software development cycle to ensure that their products and applications adhere to security best practices. 

Horangi did a series of interviews to understand CardUp’s systems, which provide the basis for the threat modelling of CardUp to help formulate the strategy for the different pentests to best meet CardUp’s threat modelling and goals.

Based on the interviews, Horangi and CardUp conducted a Web Application Pentest which was a combination black and grey box pentest. Given the diverse nature of the cybersecurity attacks, CardUp worked with Horangi to scope out a pentest that addressed the reasons why they needed a pentest initially and a test that suited CardUp in terms of the likely attack vectors and based on the threat model Horangi and CardUp devised together.

After the pentest, CardUp was confident that based on the scope that was agreed with Horangi, their web application has been tested against the likely attack vectors and steps have been taken to harden its security. 

The Horangi Experience

Anand Nirgudkar, CTO at CardUp, noted that he has worked with a number of cybersecurity vendors throughout his career in the payments industry, and typically there is an engagement cycle when working with third party vendors. Horangi went above and beyond just providing reports, and were playing more of a trusted advisor role: “Horangi would exchange ideas, how certain issues can be addressed, and the kinds of architecture tweaks  be implemented to factor the edge cases in the future.” 

He noted that there are a lot of automated tools and tests out there for companies just looking to improve their cybersecurity, but for a more holistic service, Anand saw the importance of having people who had acquired knowledge in the cybersecurity industry. “It is important to consider the vendor’s familiarity with the latest attack methodologies, understanding of social engineering vectors and thorough threat modeling which would help us to implement preventive measures in the earliest stages of  our product development phase. I saw this level of expertise from Horangi throughout the engagement and is a testament to Horangi’s methodology.” 

Closing Thoughts

“You’re always catching up against new threats that are coming up every day, and you can never say you are 100% secure,” Anand notes. CardUp ensures that there are proper security controls and robust practices and policies by working with Horangi and vCISO services.

As a lot of CTOs would point out, Anand said that ultimately, “security is everybody’s responsibility, it is important to remind everyone in the company so people are consciously applying the security principles in their day-to-day work.”

If you need help in building your security programs or to access a team of cybersecurity experts to provide you with consulting advice, contact the Horangi team about their vCISO service here.