Capillary’s products help enterprises in customer retention, increased customer loyalty and repeat business, both offline and online. Capillary’s products include loyalty, rewards, campaign, and Ecommerce platform for retail, fashion and quick service restaurants, etc., Capillary products handle a huge number of consumer transaction and Personally Identifiable Info (PII) records. Capillary operates in a space highly regulated by privacy regulations worldwide. Capillary is growing rapidly, expanding to newer geographies and hence requires compliance and internal policy catchup too.
Talk: Organization, culture, security and compliance
At Capillary, Security is an equal peer to the rest of the functions and report to the CEO and periodically to the Board. Culture of transparency and collaboration are key to a results-driven security program. Priorities have to change back and forth often between business and security requirements. Both business and security have to rally behind the chosen priority. Excellence in security is not the end. Excellence in business through security is the journey. We will discuss how we do it in fast paced Capillary.
Compliance at Capillary:
At Capillary, we break up the InfoSec assessment plan usually across the year. The InfoSec team meets the different Tech teams and takes up for review. However, in 2020, as Capillary decided to go towards cloud native computing (which we call Capillary Cloud), there was no reason InfoSec had to wait for Tech to complete implementation and review for security controls. Capillary over a few years has been on to secure-by-design-&-default. Tech, Systems Engineering and InfoSec together worked out a plan to validate the relevance of the current security tools, logging, monitoring and alerting systems in the context of Capillary Cloud.
Tech, Systems Engineering and InfoSec met over three weeks to list out the security features we would want in the new platform and what were the issues we knew existed in our existing platform. Once we had the security feature requirements as a list, tool selection was not difficult.
The security tooling plan was part of the overall tooling and instrumentation of the Capillary Cloud. We had to change our tool preference to align with our feature requirements and also for ease of instrumentation and subsequent maintenance.
After the core implementation, Systems Engineering handed over the implementation to InfoSec for fine tuning security rules, alerts, etc.,
The InfoSec team manages and operates the tools on an ongoing basis.
A perfect case of working together through the planning and implementation phase, Tech and Systems Engineering playing to their strengths in implementing, InfoSec playing to their strengths in identifying the right rules.
The objectivity and independence (which InfoSec is required to operate with) is achieved through a set of automated scripts, logging, monitoring and alerting, allowing Tech, Sys Engg and InfoSec to operate seamlessly.
Collaboration allowed iterations and flexibility to change tools to achieve results, keeping timelines intact, while preserving and prioritizing the objectives of the Capillary Cloud itself.