
PayPal enterprise security chief on why the user experience should be critical to CISOs

A sign is posted outside of the PayPal headquarters on April 9, 2018, in San Jose, Calif. (Photo by Justin Sullivan/Getty Images)

Can security ever trump innovation for one of the most successful tech companies on the globe? It shouldn't, said PayPal Vice President of Enterprise Cyber Security Assaf Keren, during a keynote discussion at the SC Media Finance eConference.

Keren spoke at length about user experience as the top priority, and about how security must work in tandem with product development to enhance the services offered to consumers.

"I have a calling now in talking to security people: user experience and product management practices have got to be part of our security processes, understanding how the users operate," he said.

First, your thoughts on the Log4j vulnerability: how has PayPal responded?

Keren: I’d like to say first, I think that the way our ecosystem and the broader security community has reacted to this is awe-inspiring. We've seen vendors come and offer their services for free for organizations that were targeted. We've seen security researchers and bug bounty researchers step in and try to identify where there are vulnerable services. We've seen cloud vendors go in and help teams that are in their environment, and outside of their environments. We've seen people like PayPal and others in financial services that have been sharing information, IoCs, and ways to mitigate between different players in their fields. The vulnerability will come and go, there will be impact across the board. We'll probably deal with it for months to come as stragglers will patch or not patch. But really that strength of the community and the ecosystem is something that I'm very proud and humbled to be a part of – this larger community of people that are basically trying to protect our joint customers and the internet, and the trust that we have in the internet.

So I’m not happy to see the vulnerability, not happy that it was exploited in the wild before we knew about it, and not happy that we had to deal with it as we did. But I’m really happy to see what we're getting from a security community perspective.

Yes – it felt like more of a coordinated, unified response than SolarWinds a year ago. So, moving on to the topic of financial services. If you were to talk to the leadership team at PayPal, would they describe themselves as a tech company or as a financial services company?

Keren: I think we are in an interesting place where depending on the day, you'll get a different answer. I think we're both a technology company and a financial services company and at the heart of fintech. We pride ourselves on the technology talent that we have, and the innovation that's happening across the board and on a daily basis to get us to better places. But we also have the needs and the structure of a financial services organization. We have all the structures in place to manage compliance and manage the different certifications that we need and we do that in a way that is thoughtful and is protecting our business and our customers.

So it's an interesting question in the sense that I don't have an answer for you. I think we look at things differently and different teams look at things differently. And that's part of the joy of working for the company. You get to play different roles in a day. I get to have a financial conversation about how we manage funds and what are the risks to that. And then I get to have a technology conversation about how we are accelerating one of our new initiatives.

There’s that dichotomy of innovation versus security. The most innovative companies are really pushing the envelope in terms of tech development and I have to imagine that the critical role for you as a CISO is to ensure the organization does not introduce too much user friction along the way. So how do you ensure that security doesn't get lost amid the vision?

Keren: So look, I'm fortunate. And I say this really because I have had a good chance to talk to a lot of different security leaders within my industry and outside of my industry in the last few years. And the initial conversation is always about how you educate the board, or how you educate leadership that security is important. I'm fortunate enough to sit in a place where security is generally the top priority for the company. We have a brand promise of trust and security, and we've had that since the inception of the company. Security really has a major role to play in fulfilling that for the 416 million customers that we have and counting.

And if you look at some of the history that this company has, we were one of the first companies to ever have a professional or commercial CAPTCHA solution. And we were one of the first companies that did mutual TLS authentication in our production environments. I didn't have anything to do with it. This is PayPal pre-eBay days. This was a big priority. And I think that we are all standing on the shoulders of some of the principles that were laid down by our founders back then. And it has only grown since. So it's easy for me to talk about security and the importance of security because everybody in the company really gets it.

I had the good fortune of being a product manager for a bit in my career. And I think that brought in a new view into how I think about the world. Security cannot be 'one divided by productivity' [as some say]. It actually impacts the efficacy of our controls if that's the case, because if we impact productivity, people will find a way to go around security with controls. And actually it makes it risky here for us. So I have a calling now in talking to security people, and this is a good place to say that user experience and product management practices have got to be part of our security processes, understanding how the users operate.

So then does security stifle innovation? Or is that a fallacy?

Keren: When we don't think about user experience, that's when we do stifle innovation. But I also think security has a role to play with accelerating innovation. There are a lot of things that we, as security people, know more about than other people. We are very good data analysts, and with some of the thought leadership that has started from security and then moved into other areas – such as behavioral analytics – I'm really a big believer in how these things work together and not against each other. Are we successful on a day-by-day basis in doing that? Probably; there's still a lot of room to be better. But I do believe that's the future for security.

You talk about the user experience. Certainly PayPal is among those apps where the consumer expects flexibility and convenience and speed. But consumers also certainly expect you to protect their information. So it's these dual demands. How does that dynamic work internally?

Keren: I think we have to move along at the same time. And there are two things here that are interesting, and I think I'll touch on both of them. As we develop, making sure that what we develop is secure and that the experiences that the customers have in the end are secure, and they're able to enjoy them without fearing that their data will be stolen or their activity will be tracked, or that we become a supply chain attack on them, which are all things that interest us. Or even that we are available. One of the basic things in the infrastructure of trust is being there for our customers when they need us.

I think all of those are important. And that's part of accelerating our ability to allow our developers to innovate.

But there is also the security experience that the user gets when they log into PayPal and how much friction they actually want to see. We're aiming at as close to zero friction as possible – allowing users to flow through a very easy process and an easy experience as much as we can. But in places where people are doing risky things, a lot of work is being done by our risk and fraud teams in modeling bad behavior [to flag those situations]. And I think our users see that, and sometimes they don't like it, but a lot of times they appreciate the fact that we ask them for additional authentication. We ask them some questions about what's happening, because it is unique and different than what we're seeing. So we’re following that path of making it as easy as possible for our users to do what they want to do, but where we give them that friction when they get to a risky place.

I know for myself as a user of some of these apps, if I breeze on through, if I’m not necessarily asked certain questions or there aren't walls that I hit along the way, I begin to question the security. Regarding that friction you mention, are there cases where you say, "We probably could get rid of this process, but we need just a little bit in there to ensure the user feels confident that we are properly protecting their experience"?

Keren: That’s a great question and I'm not sure I have a straight answer for that, because human psychology is also very different in different people, and different people expect different things. I can tell you as a security person, I expect friction. I like to see friction when it's presented to me, but I hear a lot of the people that don't like that as well. If we do the right thing in helping our users go through the processes easily, but still raising those gates where needed, I think we build trust with our consumer base.

PayPal as a company is among the brands most imitated in phishing scams – always among the top 10. That factors into the trust issue for a brand, I imagine.

Keren: I think that there are a few views in the ecosystem on that, but I'll give you mine. It is our role to identify when people are using our brand for phishing emails or for phishing attacks against our customers, because in the end, they are attacks against our customers. They're trying to get to their PayPal account. And as such, when we identify that we do all that we can in order to either take down that phishing site or work with our partners, with the browser makers, to make sure that these sites go into the browser block lists. And when we identify something that did happen that led to an account takeover, we do our best to both inform the users and recover that account.

Some people I've talked to say that it's not the role of the company to protect users against phishing, but I disagree. I think that's part of what we need to do to build that trust that we have with our customer. And it's kind of that moral obligation that we have for the industry and the ecosystem.

SC Media Editor in Chief Jill Aitoro has 20 years of experience editing and reporting on technology, business and policy. She also serves as editorial director at SC Media’s parent company, CyberRisk Alliance. Prior to joining CRA, she worked at Sightline Media as editor of Defense News and executive editor of the Business-to-Government Group. She previously worked at Washington Business Journal and Nextgov, covering federal technology, contracting and policy, as well as CMP Media’s VARBusiness and CRN and Penton Media’s iSeries News.
