Cybersecurity is paramount in the world of digital payments. As senior vice president and CISO at Visa, Subra Kumaraswamy leads cybersecurity efforts at the payment card services giant with a philosophy that he and his team could always be doing more.
“Every day I wake up and say, ‘What I should do better?’” he tells InformationWeek. “Being pessimistic and being paranoid, P&P, meaning constantly look at this as ‘glass half empty.’ What else we should be doing to ensure we have a strong security posture?”
Before he stepped into the lead cyber job at Visa, Kumaraswamy built his career through many different roles at many different companies. He looks back at those experiences and forward to the ever-present need to manage and strengthen cybersecurity in his current position.
A Diverse Set of Roles
Kumaraswamy considers himself an engineer and a problem solver at heart. His first job was as a software engineer at the University of Notre Dame; he was figuring out how to offer internet services across the campus before the dot-com boom began.
Since that first job, he has built experience at companies like Netscape, Sun Microsystems, eBay, and Intuit. He also spent time as an entrepreneur.
“In my journey, what defined me was the diversity … of roles,” says Kumaraswamy. “I was able to be a developer. I was able to be a data center architect. I was able to run services in the cloud, and I was able to be an entrepreneur. And all of this helped me to create much more of a holistic view.”
When he was at Netscape, the company was hit with a DDoS attack, the initial spark that got Kumaraswamy interested in cybersecurity. Throughout his career, he has focused on securing enterprises as they ride the waves of new transformative technology, whether that be the internet, the cloud, or now, AI.

He was working as head of digital security at Apigee, a company that is now part of Google Cloud, focusing on API security. Then came a call from a recruiter.
“Visa was going through the whole transformation around creating open systems, opening up the platform to millions of developers using APIs,” Kumaraswamy recalls. “The hook was, ‘Hey, you can do this at scale.’ You can bring the same mindset, your passion, and all the experience … to one of the largest payment security payment companies in the world.”
He accepted the role in security engineering and security architecture in 2015. A decade later, he is leading cyber strategy as the company’s CISO.
Cyber Leadership at Visa
More than 1,000 people work in cyber at Visa, according to Kumaraswamy. “I’m really proud of the fact [that] the bench is very strong. We have top talent across multiple locations, not just in the US — across the globe,” he says.
That bench of talent works in six vertical functions within cybersecurity: governance, risk and compliance; access control and management; cyber engineering; cyber defense; cloud security; and security architecture and engineering.
Kumaraswamy works closely with Rajat Taneja, Visa’s president of technology. “I’m very fortunate to have a CTO who thinks cyber first,” says Kumaraswamy. “That sets the tone at the top. Saying that, ‘Hey, we do have to innovate in technology and payments. But if you don’t do cyber, well, nothing matters.’ It’s an existential threat for Visa.”
Avoiding Complacency
Gartner rates Visa’s cybersecurity maturity. “When I started my career path here at Visa in 2015, it was about 3.2 out of 5,” Kumaraswamy shares. “For the last two years, we’ve been given a score of 4.9 out of 5.”
While those numbers are a testament to Visa’s investments in cybersecurity, Kumaraswamy hardly sees them as a given. Cyber threats are constant and ever-changing.
Looking back at his years with Visa, Kumaraswamy recalls working through the aftermath of the Log4J zero-day vulnerability in 2021. He and his team spent four weeks sweeping hundreds of applications using Log4J and potentially open to attack.
“It was around the clock effort and literally hundreds of people, maybe thousands of people, in the company, were involved in the technology to make sure we mitigated this in a very short order,” he says. “I think that also gave us a lot of exposure to how we should think about the next Log4J.”
There will be, inevitably, more zero days and more cyberattacks. “When you wake up in the morning, [the] first thing you think about is, ‘Am I paranoid enough?’ Complacency is the enemy of security,” says Kumaraswamy.
Pushing Cybersecurity Forward
Kumaraswamy is always thinking about talent and technology in cybersecurity. Talent is a perennial concern in the industry, and Visa is looking to grow its own.
The Visa Payments Learning Program, launched in 2023, aims to help close the skills gap in cyber through training and certification. “We are offering this to all of the employees. We’re offering it to our partners, like the banks, our customers,” says Kumaraswamy.
Right now, Visa leverages approximately 115 different technologies in cyber, and Kumaraswamy is constantly evaluating where to go next. “How do I [get to] the 116th, 117th, 181th?” he asks. “That needs to be added because every layer counts.”
Of course, GenAI is a part of that equation. Thus far, Kumaraswamy and his team are exploring more than 80 different GenAI initiatives within cyber.
“We’ve already taken about three to four of those initiatives … to the entire company. That includes the what we call a ‘shift left’ process within Visa. It is now enabled with agentic AI. It’s reducing the time to find bugs in the code. It is also helping reduce the time to investigate incidents,” he shares.
Visa is also taking its best practices in cybersecurity and sharing them with its customers. “We can think of this as value-added services to the mid-size banks, the credit unions, who don’t have the scale of Visa,” says Kumaraswamy. “I’m really excited to see how that can take shape and make not just Visa be the strongest link, but the entire payment ecosystem can be as strong as Visa.”