Razorpay is actively expanding in global markets and has made an acquisition in Malaysia (Curlec). As we are exploring opportunities for international expansion, navigating the diverse regulatory and cybersecurity landscapes of different countries is a key focus, shared Hilal Ahmad Lone, Chief Information Security Officer, Razorpay in an exclusive interaction with Kaanchi Chawla of Elets News Network (ENN). Edited excerpts:

With zero trust security becoming increasingly significant, how is Razorpay adapting its cybersecurity framework to incorporate zero trust principles? Can you share insights into the challenges and benefits experienced during this transition, especially in the context of cloud transition and hybrid work models?

The adoption of zero-trust security principles to fortify our defenses against evolving threats is one of the cornerstones of the security program at Razorpay. This involves implementing strict access controls, requiring multi-factor authentication for all users, and continuously monitoring network activity to detect anomalies. We work with our partners to build a comprehensive strategy around it that includes implementing state-of-the-art network and data protection tools. The transition presents challenges, such as integrating zero trust principles into our existing cloud-based infrastructure and ensuring all employees understand and adhere to new security protocols. However, the benefits, including a significant enhancement in our security posture and improved regulatory compliance, make this transition a strategic priority.

Data protection is not solely a cybersecurity concern but spans various departments. How does your organisation facilitate cross-functional collaboration between IT, legal, operations, and other departments to ensure a holistic approach to data protection and compliance with the DPDP Act?

At Razorpay, we’ve recognized that effective data protection transcends individual departments and requires a cohesive effort across the organization.

One of our key strategies has been the establishment of regular inter-departmental meetings and joint Objectives and Key Results (OKR). These sessions serve as a vital forum for representatives from IT, Engineering, legal, operations, and other relevant departments to come together, share insights, and discuss strategies for data protection. It’s in these meetings that we tackle the complexities of regulatory changes, address challenges in implementing data protection measures, and brainstorm proactive solutions.

To ensure that every team member is equipped with the necessary knowledge, we’ve rolled out joint training sessions. These sessions are meticulously tailored to the specific roles and functions of different departments, covering a wide range of topics from data privacy laws to best practices for data handling. The goal is to empower each employee with a clear understanding of their role in safeguarding data and the consequences of non-compliance.

We’ve also established integrated Unified compliance frameworks that provide a clear blueprint for each department’s responsibilities in protecting data and ensuring compliance with the DPDP Act and other relevant regulations. These frameworks outline guidelines for data processing activities, data retention policies, and incident response protocols, ensuring that every department is aligned with our data protection objectives.

Communication is the linchpin of our collaborative efforts. We’ve established dedicated communication channels, such as internal messaging platforms and email groups, to facilitate seamless information sharing and coordination among departments. This ensures that everyone is on the same page and can respond promptly to any data protection issues that may arise.

As global security and risk management spending, particularly on cloud security, is projected to grow significantly, how do you prioritize its investment in cloud security tools, and what impact do you foresee this trend having on the company’s overall security strategy?

In response to the projected growth in cloud security spending, we at Razorpay are strategically prioritizing our investments in cloud security tools. This prioritization is based on a comprehensive risk assessment process that takes into account the evolving threat landscape and the specific needs of our cloud-based infrastructure.

One of the key areas of focus is the adoption of cloud access security brokers (CASBs). These tools play a crucial role in monitoring and securing data in the cloud, providing visibility into cloud application usage, and enforcing security policies. By integrating CASBs into our security framework, we are able to better control access to cloud services and protect sensitive information from potential threats.

Another important aspect of our cloud security strategy is the adoption of threat intelligence platforms. These platforms provide us with real-time insights into emerging threats, enabling us to proactively identify and mitigate potential risks. By staying ahead of the threat curve, we can ensure that our cloud-based assets are protected against the latest security vulnerabilities.

As we continue to prioritize cloud security, we are not only safeguarding our assets but also building a more resilient and secure cloud infrastructure that can withstand the challenges of the evolving cybersecurity landscape.

Considering the increasing emphasis on data privacy and the impending enforcement of data protection laws globally, how is Razorpay aligning its cybersecurity and data protection practices with the requirements of the Data Protection Act to ensure compliance and protect customer data?

To ensure compliance with the Data Protection Act and safeguard our customers’ data, we are aligning our cybersecurity and data protection practices with the stringent requirements of the legislation. This involves implementing comprehensive data governance frameworks, minimizing data collection and retention to what is strictly necessary, and maintaining transparency in our data processing activities. By adhering to these principles, we aim to not only protect customer data but also build trust and demonstrate our commitment to privacy and security.

Razorpay has significantly impacted the Indian market. Are there any plans for international expansion, and if so, how does Razorpay plan to navigate the diverse regulatory and cybersecurity landscapes across different countries?

Razorpay is actively expanding in global markets and has made an acquisition in Malaysia (Curlec). As we are exploring opportunities for international expansion, navigating the diverse regulatory and cybersecurity landscapes of different countries is a key focus. We are conducting in-depth market research to understand the specific requirements of each target market, ensuring compliance with local data protection laws, and adapting our cybersecurity frameworks to meet these varying needs. Collaborating with local partners and recruiting regional cybersecurity experts are critical components of our strategy to address the challenges of international expansion effectively.

In the ever-changing fintech environment, managing risk and ensuring compliance is paramount. How is Razorpay enhancing its risk management frameworks to address the complexities of the digital payments ecosystem?

In the dynamic fintech environment, managing risk and ensuring compliance are paramount. We are enhancing our risk management frameworks by leveraging advanced analytics to gain insights into emerging threats, integrating real-time monitoring systems to detect and respond to potential risks promptly, and conducting regular risk assessments to evaluate the impact of these threats on our digital payments ecosystem. These proactive measures enable us to implement targeted mitigation strategies, ensuring robust compliance and effective risk management in the face of evolving challenges.

Moreover, we conduct collaborative risk assessments involving input from various departments. This approach allows us to gain a holistic understanding of potential data protection risks and their impact on the organization. By pooling our collective insights, we can develop more effective mitigation strategies, ensuring that we stay ahead of any potential threats.