Profile: John Nai, CISO, PayPal
Published On: December 6, 2016
“Our brand is built on the trust and security we deliver for our customers and merchants,” said John Nai, the CISO of PayPal. “That means security is not as much a competitive advantage as it is a table stake. It is an absolutely crucial part of our service offering.” Unlike many CISOs, Nai did not spend extra effort convincing his Board and executives about the value of security. He said, “When I sit on committees about building new products or applications, security is a consideration from the onset. I have an equal voice at the table with business unit and profit owners.”
SECURITY-FOCUSED CULTURE
PayPal’s security-focused culture lands Nai in front of the Board on a regular basis. During these meetings, he helps them understand many aspects of security, including the key measures his team takes to protect the brand. He commented, “I don’t need to convince the Board to make security a priority. They get it. At the executive and board level, we work to ensure they fully understand our security risk profile. Transparency with the board and the executive team is critical. The more information we share with our teams about our risk profile, our defenses, and how we are being attacked, the better we are all aligned and the better we can maintain brand trust.”
Innovation flows into PayPal’s products and services, with a key goal of delivering it in the most frictionless and enabling way possible. Nai and his information security team work hard to ensure this frictionless experience has a secure foundation. Nai said, “We are always walking the balance to make frictionless experiences that are highly secure. It is an ongoing dialogue within the company. Even though security and trust are in the DNA of PayPal, challenges still exist. We need to be an enabler and not a progress inhibitor. Too many security organizations think their role is to say ‘no’. We say ‘no’ when we have to, but we know our prime role is to enable the business.”
SECURITY IMPLICATIONS FOR CUSTOMERS AND MERCHANTS
“With respect to threats, PayPal is similar to most companies in payments and financial services; we are under constant attack from bad actors, so we need to make sure the Board knows what controls and risk mitigation we have or need. The Board’s understanding opens the doors for communication to all of our other communities. We start at the top level to get the support we need.”
With more of people’s personal information and financial lives moving online, many security implications arise for PayPal’s merchants. With regard to his relationship and approach with merchants, Nai commented, “I engage with some of our largest merchants. They want to know what we are doing to protect ourselves and their business.” He continued, “One of PayPal’s value propositions is that we provide secure transactions. Clearly secure processing is core for our largest partners as well, so they want to know what we do, how we do it and how we ensure our brand promise of trust and security.”
Merchants and customers have come to expect innovation from PayPal, and that expectation extends to the information security team. Nai said, “We have the benefit of having massive scale in payment volume. We have 188 million active customers. From a security perspective we are in over 200 global markets. The scale at which we can do things is significant.”
SECURITY OF THE INTERNET
“We look at security internally and externally. We build security into our own platform and we also help with security of the technology ecosystem. For example, PayPal was one of the founding companies behind DMARC email protection and FIDO for authentication. We were among the first companies to offer a bounty for uncovering bugs. So of course we look at security internally, securing our own infrastructure and apps, but we also take a leadership role securing the technology ecosystem in general for our customers and merchants.”
Like other internet companies, PayPal invests heavily in security infrastructure and acquires security firms to build out strong teams. In 2015, PayPal purchased the Israeli predictive malware detection firm CyActive. “That acquisition gave us their product, but also their talent. Now we have a large presence of highly technical security professionals in Israel,” said Nai.
Nai’s team of hundreds of security professionals, backed by the 16,800 PayPal employees who make security a priority, is set up to enable innovation. “Our team is spread out across three geographies. We have a core team in our San Jose headquarters and many security engineers in our Security Operations Center in Arizona. We also have a second Security Operations Center in Israel, so we have 7x24 coverage,” Nai remarked.
HIRING EXCEPTIONAL TALENT
Even in an industry where security talent is heavily recruited, Nai acknowledged a clear advantage at PayPal. He commented, “The security industry knows that PayPal prioritizes security, and that is a great enabler for us when hiring exceptional talent.”
The Silicon Valley culture is an important factor that contributes to his team’s success and their ability to innovate. “One big thing for us is we participate in information shares, peer-to-peer working sessions in Silicon Valley. People think the region is competitive, but there is a lot of cooperation here, too. At my level, I speak with my peers about things like how to talk to the Board.”
What is next for the future of PayPal’s innovative ecosystem? Nai said, “It is hard to predict the future and how commerce will evolve over time, but we are looking at partnerships with commerce in new contexts and how to protect that at the scale we need to do business. That is a phenomenal opportunity and there will be more innovation in the FinTech industry in general.”