How KUBRA balances information security protocols with providing positive customer experience

KUBRA was originally founded in 1992 as a bill printing service provider. Clients looking to outsource printing, from statements to invoices, turned to KUBRA. As the company expanded, so did its interests. From printing, KUBRA moved into billing and payments, which itself moved from the analogue to the digital. Today, KUBRA provides digital and software services to over 365 clients and their customers.  

Tushar Chandgothia has been Vice President of Information Security and Risk Management at KUBRA for over three years. His background is primarily with other service providers. “I make sure, from an executive standpoint, that there is someone to be held accountable for data security,” he says. KUBRA processes 1.5bn transactions every year, ranging from printed invoices to bank statement, text messages. “We collect a lot of personally-identifiable information,” says Chandgothia. “We need to make sure that the systems that actually host that data on behalf of our clients are secure. At the end of the day what we want to do is maintain customer trust and reliability in our services.” 

A shift in mentality between generations has forced KUBRA to re-evaluate how it provides services. Gen X, Y, and Z are looking for easy frictionless interactions. “They ask a question and expect a reply within minutes.” In response, KUBRA developed artificial intelligence-based solutions to efficiently respond to client messages. With new technology comes both convenience and complication. KUBRA’s applications are made up of over 600 different components, flavours or sub-applications. To avoid vulnerabilities in new code, KUBRA engages in a shift-left mentality. KUBRA’s development and implementation team, made up of over 150 people, centres around creating and testing new code. Every piece of billing and payments code at KUBRA is passed through a security tool that highlights potential security vulnerabilities. “When the developer is tinkering with new functionalities, they find out about the vulnerability early and it’s fixed before it is released into the market,” he says. For additional security testing in its billing and payments applications, one of KUBRA’s partners, Cobalt Labs work as hired hackers, trying to break into applications and find vulnerabilities that KUBRA can then adjust for. 

When it comes to ensuring a balance between functionality and security, Chandgothia says it is important to always be on the lookout for the next great thing. “We want to be at the forefront of payments,” he says. “That’s the strategy that has driven us in the last few years.” Services such as Forrester and Gartner help him compare vendors, ensuring any technologies KUBRA replaces will only be made better. “We are continuously evaluating what makes the most sense from a business perspective, where we have the most flexibility, where we can allow the client to provide for themselves rather than having us be in the middle. How can we help them help themselves to meet their expectations?” 

To focus on process building, KUBRA co-sources its security technology from some of the best security vendors. “We focus on making solutions that are great when it comes to billing and payments,” he says. “When it comes to security, we’re looking for a relationship where the partner’s core business is to provide that. Rather than managing it all in house, we find someone for whom security tech is their bread and butter.” Finding the correct technology is about economising. “We try to solve five problems with one piece of technology,” he says. This mentality has led KUBRA into a partnership with FireMon. It had the most seamless integration when it came to its firewalls and the additional service of real-time review of security rules and the capability to automate certain processes. Another way KUBRA has opted for security in technology is through the tokenization of data, which allows the company to reduce the footprint of actual credit card numbers in its environment by registering these as different values. This reduces risk since if the card numbers are tokenized it means that no client card numbers would be exposed if the system were compromised.  When searching for partners to do this, stacked functionality was once again key. The provider KUBRA chose to work with offers stateless tokenization, which removes the usual database of tokens, making the data even more secure. It is also speedy, able to tokenize over a million credit card numbers an hour.

Internal methodology is as important to information security as having the right technology in place at KUBRA. Chandgothia has seen major changes in the security team since he joined in 2016. “We have proper pillars now. We centralized a lot of the preventative controls. We don’t want to be just in the detection game, we want to control the first line of defence, hands-on.” The change, from a client standpoint, has been seamless. “I think for the most part we use common sense. It’s what we call a Defence-in-Depth approach.” It allows adaptability. Clients who are switching to KUBRA from a less-secure position can ask to reduce security restrictions temporarily for an initial adjustment period. KUBRA’s security infrastructure is multi-layered, so the company has the flexibility to do this without compromising safety. Legal security restrictions, such as the California Consumer Privacy Act (CCPA) or General Data Regulation Protection (GDPR) have been helpful to KUBRA in maintaining its high standards. “This legislation has allowed us to promote a security culture. If someone wants to push back, we have a regulation behind us. We’ve never seen it as something that has stopped our business,” says Chandgothia. 

Looking forward, KUBRA is interested in becoming an omni-channel provider. “We want to be involved in every facet where client communication is involved.” Chandgothia says. Security-wise, KUBRA is looking to develop a zero-trust environment, in which neither external nor internal users have unlimited access to information. A ten-year exercise, it has been implemented in parts. So far, KUBRA has segmented its production environment, where all personally identifiable data is kept, from its user environment and also segmented its credit card data environment in production from other non-card services. Technologically, KUBRA is looking into adopting machine learning, artificial intelligence, and cloud computing, allowing clients to further self-serve. “While secure delivery of new products is something we will always do, there is no compromise on security.”