 Good morning, everyone, and welcome to day two of the Tech and Innovation Summit 2021. We are going to start the stage four, wherein we will first have a fireside chat followed by a panel discussion. And it is my pleasure to welcome Naveen Gulati, CIO, Garbaco for a one-on-one discussion with Sumanth Narayan, Business Head Akamai India. And the topic of discussion is what it takes to build a security first customer acquisition mindset. I request the audience to keep posting their questions for the speakers and welcome Sumanth, welcome Naveen, over to you Sumanth. The stage is yours. Thanks Aurob. Good morning to everyone. So e-commerce has transformed the way we do business in India. Now the Indian e-commerce market is expected to capture over 11% of the total Indian retail market and is poised to reach almost 200 billion by 2026. The recent rise in digital literacy has also led to an influx of investments in e-commerce firms, thereby leveling the market for new players to set up their base and to help build innovative products slash platforms that disrupt the old guard. Overall, the Indian e-commerce industry has been on an upward growth trajectory and is expected to surpass the US to become the second largest e-commerce market in the world by 2034. Now at Akamai, whilst we continue to see growth and traffic on our platform, we also continue to see substantial increase both in the complexity and the volume of cyber attacks across various sectors. And especially across e-commerce and retail would seem to be the most targeted sectors. Interestingly, India was amongst the top three countries that were targeted by attackers in 2020. Now the good news is that most organizations have come a long way from looking at cyber security as a cost center to now an enabler or even a business differentiator, which helps build trust with end users and in turn drives business growth. However, when you're on an aggressive growth trajectory to acquire new customers, technology and cyber security leaders are usually left with a tough choice of having to prioritize their resources and investments, we're enrolling out new features and focusing on security. Now, with that context, I'd like to welcome the CIO of Garnersaw to Kar Dekho, Naveen Gulati to join us on the session and share his insights on what it takes to build a security first customer acquisition mindset. Naveen, great to have you. Hi everyone, thanks everyone, thanks for having me here. Okay. So let me let's dive straight into it right so let me first start with just a mindset piece. So we've got a long way from where security used to be a bit of an afterthought to know where security has shifted left and is essentially embedded in the early part of the app development phase. Could you talk a little bit about how you and your teams have embraced this mindset shift. All right, a very good question, Suman. So since we are purely a B2C platform and so security had always been a part of the culture. One motto that we list by at Garnersaw Kar Dekho is that we are a customer centric company so a customer comes first. And it's the experience that we deliver to the customer which really matters as the most. And really I had seen in the industry people look at experience in terms of better UI, better UX fast, fast time to deliver it so say super fast or super slow latency. But for us, that experience also has security deeply integrated in that. So essentially when we are handling a PII data, it becomes our responsibility to handle that to the very best. So coming back to your question, this has never been a challenge to us, but yes in the industry when I speak to other peers, I have seen this mindset now shifting in. And largely to some extent also thanks to COVID, the surface of attacks has increased like you rightly said India is now the third most attacked country across the globe. So I think that's where every organization today has sensitized that security is a front runner. And that's getting deeply ingrained in the systems and processes. Okay, so let me just double down on that. So especially when you're on a growth trajectory like the one that you've been on, you end up having to prioritize resources. Now, how do you strike a balance between scaling up or providing the right user experience or even rolling out new features versus focusing on security to keep the bad actors away? All right, so see it all starts with your processes. And once your processes are firm laid down, they are deeply disseminated across the organization, then comes the tech part and then come the people part. So we realized that this is very important and it's not that things have always been very rosy, very good. But that was close to what some a few years back we started migrating our journey to a pure CI CD pipeline driven release management process. And where we have source code security checks built into our pipeline. So if the pipeline fails, sorry, if the ranking fails, the code doesn't get deployed to production. It's as simple as that. So security is now a part of the entire gatekeeping thing. We work in line with the QA. So when the QA says, okay, the functionality is working well and then comes the security bit and only then the code gets deployed. And then we have other supplementary processes like regular VAPT checks. We do bug bounty, we encourage bug bounty hunters to work with us. We do periodic campaigns with them. So there are a lot of things that we do and which has really helped us improve our security portion across all platforms. Got it. Next one is, I'm sure it's a hot topic with a lot of folks, which is essentially budgeting for cyber security initiatives. Now, on one hand, you know, we hear a lot about how the average cost of a security breach has is increasing year over year. And I think it's about now 16 crores of error. Right. And on the other hand, we hear still about organizations struggling to prioritize budgets for security. Could you share a little bit about how you manage cyber security budgets in your organization. It's actually the most ridiculous part to answer. So this is a dilemma that every one of us faces. All the CIO seesaws because everything else is very easy to quantify. You need more compute. It's easy to quantify the productivity, right? So you need newer tools. You map it to the business value that it brings in more sales, faster sales, faster numbers coming out. But security is one thing where you can't really define how much is good enough, right? But the way that we have started shaping our budgets is it all starts actually a step before budgeting. It's about how the leader of security, Infosec, either the CIO or the CISO. He is driving Infosec across the organization, across the board. So how we have done it at Narsov Karveko. We have given dashboards which give us good insights on how our security initiatives are performing. So for example, we use WAF, which gives us a very clear metric between the traffic that we are handling, how much has been the malicious traffic and how much has been good traffic, which are bots that are attacking us and how our defense systems have been handling them very well. So when these insights go out to the CFO, to the CEO, to the board, right? Then the conversation around security investments become very easy to drive because you are showing good value insights coming in. So though I cannot quantify how much money we would have spent had we been hacked, right? But it generates that sensitization across the organization. And then that's something that helps us drive our budgets ahead. So again, a very small analogy, like how many door locks would you put at your home? Is too good enough? Is poor good enough? Is a CCTV good enough, right? So it's not until you have been breached, you realize what I was doing was good enough or not. There's no direct ROI, but it's a journey. So every day you need to drive that journey across the organization so that people are aware how important these initiatives are to the organization. And that's one way which has helped me drive the budget better. Got it. Okay. So let's just switch gears a little bit and talk about your end customers or your end users, right? And how they perceive all these investments. Now, obviously, a lot of most organizations have come a long way from perceiving cybersecurity, just as a cost center to now an enabler or even a business differentiator, right? And this actually helps build trust with your end users and which in turn drives business growth. Now, one, I'd like to get your thoughts on this and two, can you also talk a little bit about how if security investments have indeed had any positive impact on your business metrics? Yeah, so they definitely have a great impact on our investments. First, talking about how it impacts our customers. So the more better our security posture is, the more trust we gain from our customers. So today when our customers see us as an organization which is equally, which is equally proactive about securing their data, securing the customer's experience, securing the journey or handling data that we hold about our customers with us. So that gives us an edge and just for an example, so today between us and our nearest competitor, we have a 3x lead over the traffic that we handle, right? So between India's number one and number two, we are at 9 billion hits a month. So of course, that also reflects a customer's confidence on how they perceive us as an organization, how they perceive us as a brand. It's the various security measures that we take in place. It's the certifications that we hold and all of these are well promoted across our platform. So today you visit Cardico, you go to about a session, you can read a lot, including things that we do to protect your data to deliver a secure journey to you as a customer. And that has shaped well for us. These numbers speak for itself that how our customers see us as a more secure platform to transact. So I would say, of course, it has an indirect ROI, but it does really well. It makes a difference when you talk to customers, when you talk to investors. So that has had a very, very deep impact across all the platforms. Got it. Wonderful. Now obviously to implement all of this, that really comes down to just talent, right? Now, on our platform, obviously, we're seeing a substantial increase both in the volume and complexity of these cyber attacks. And as you can imagine, protecting against these, this is kind of like a rapidly evolving landscape, you need quality cybersecurity talent. Now, it usually comes down to either kind of building these capabilities in-house or leveraging, you know, trusted cybersecurity partners. Could you share just some broad guidelines and how to think about, you know, building these, building whether, you know, building these in-house capabilities, versus relying on cybersecurity partners? I think a good one again, Swamantha. Probably they're asking me to lay out all my strategies in one session altogether. But okay, so when it comes to talent on InfoSec, first thing that any organization need to really mark out well is, is this cold to me or not? If it's non-cold, it's always better to work with partners who have that process as their core business model. And the same principle applies to InfoSec as well. So we have a very lean and mean internal team, which does routine scans, which does licensing between stakeholders, which drives rather the entire education process across the organization. Because that's something that we saw is an ongoing exercise and where we could do with a fairly lean team there. But then when it comes to pure play, deep cybersecurity, that's something that we outsource. We rely on partners. We have a pretty solid due diligence process on how we shortlist and work with our partners. And then let them drive the InfoSec part for us because that's their core. It's not cold to me. My core is media. My core is automobiles. It's their core to do the InfoSec. And that's where, and it has really worked well for us. We have seen clear differences in reports on a scan done by us, visa visa scan done by a partner. And that's where we realize that having everything in house will not work. It's not scalable. And then of course, this attrition, you need to really harness your talent. And again, for any good ethical hacker who is looking to develop a career in InfoSec, I would not be able to give him the right playground. When you are working with a partner, when you are in a services firm, you have better talent because that talent also gets a hell lot of different customers to work with, different processes to look into. So their maturity curve versus your internal team would always have that gap. And that's the reason why we work with very closely with good partners who help us secure our overall environment. Okay. That's very important. I mean, I think we're almost at the top of the R for our session. I see a whole bunch of questions. I'll probably take one for now, given the positive of time. There's one question about when targeting a specific audience, how should brands ensure they are valid users rather than bots or other forms of invalid users? I think someone, you can answer this better because we have been using Akamai and just for the audience knowledge and the results have been pretty phenomenal. So now someone, you can probably share more on what you offer to target, to, you know, the disability between bots and traffic. Sure. Look, I think I'll just add that I think it really comes down to, you know, having specific capabilities to detect bots. And then what you do with that really depends on your business use case, right? Sometimes you just want to obviously slow them down. Sometimes you just want to deny them, or sometimes you want to give them a whole differentiated experience. But I think what it comes down to is that this is a big menace right now, especially for online firms, and really comes down to having specialized capabilities to detect bots, and then obviously figure out the right strategy in terms of mitigating them. I think I'll leave that for now, but if folks are interested, we can obviously take that offline and share more information. But I think with that, I think we come to the end of the session. And I mean, this is a very informative session. I think for me, like some of the key takeaways was, I think the big one really was about the culture that built within the organization and how you use data points to constantly sensitize not just your team, but even just a larger organization about the importance of security. And then obviously getting the right resources and investments to continue on that path. I think what is very reassuring for a lot of users, I'm sure, is that it has a business impact. I think those stats are very staggering, right, in terms of almost 3x compared to your closest competitor, that that validates the kind of investments that we need for security. So very, very, very useful information. Once again, I mean, thanks for taking the time out and sharing all of this with us.