Visa CISO: Avoiding Cyber Complacency | Subra Kumaraswamy Interview

Visa’s CISO on Avoiding Complacency in Cybersecurity

Subra Kumaraswamy shares his journey from Netscape to leading cyber strategy at Visa, emphasizing the importance of continuous learning and proactive security measures.

By Jane Smith | SAN FRANCISCO – 2025/06/19 13:32:43


Subra Kumaraswamy, Visa’s Chief Information Security Officer (CISO), began his career before the dot-com boom, gaining experience at companies like Netscape, Sun Microsystems, eBay, and Intuit, and also venturing into entrepreneurship.

“In my journey, what defined me was the diversity … of roles,” says Kumaraswamy. “I was able to be a developer. I was able to be a data center architect. I was able to run services in the cloud, and I was able to be an entrepreneur. And all of this helped me to create much more of a holistic view.”

His interest in cybersecurity was sparked at Netscape during a DDoS attack. Throughout his career, Kumaraswamy has focused on securing enterprises amidst technological transformations like the internet, cloud, and now, AI.

He previously served as head of digital security at Apigee, now part of Google Cloud, specializing in API security. A recruiter’s call led him to Visa.

“Visa was going through the whole change around creating open systems, opening up the platform to millions of developers using APIs,” Kumaraswamy recalls. “The hook was, ‘Hey, you can do this at scale.’ You can bring the same mindset, your passion, and all the experience … to one of the largest payment security payment companies in the world.”

He joined Visa in 2015, focusing on security engineering and architecture, and now leads cyber strategy as CISO.

Cyber Leadership at Visa

“Complacency is the enemy of security.”

Kumaraswamy oversees a team of over 1,000 cybersecurity professionals at Visa. “I’m really proud of the fact [that] the bench is very strong. We have top talent across multiple locations, not just in the US — across the globe,” he says.

The cybersecurity team is structured into six vertical functions: governance, risk and compliance; access control and management; cyber engineering; cyber defense; cloud security; and security architecture and engineering.

Kumaraswamy collaborates closely with Rajat Taneja, Visa’s president of technology. “I’m very fortunate to have a CTO who thinks cyber first,” says Kumaraswamy. “That sets the tone at the top. Saying that, ‘Hey, we do have to innovate in technology and payments. But if you don’t do cyber, well, nothing matters.’ It’s an existential threat for Visa.”

Avoiding Complacency

Gartner assesses Visa’s cybersecurity maturity. “When I started my career path here at Visa in 2015, it was about 3.2 out of 5,” Kumaraswamy shares. “For the last two years, we’ve been given a score of 4.9 out of 5.”

Despite these high scores, Kumaraswamy emphasizes the constant evolution of cyber threats.

He recalls the Log4J zero-day vulnerability in 2021, which required a massive effort to sweep hundreds of applications. “It was around the clock effort and literally hundreds of people, maybe thousands of people, in the company, were involved in the technology to make sure we mitigated this in a very short order,” he says. “I think that also gave us a lot of exposure to how we should think about the next Log4J.”

Kumaraswamy stresses the inevitability of future zero days and cyberattacks. “When you wake up in the morning, [the] first thing you think about is, ‘Am I paranoid enough?’ Complacency is the enemy of security,” says Kumaraswamy.

Pushing Cybersecurity Forward

Kumaraswamy focuses on talent and technology in cybersecurity. Addressing the industry’s talent shortage, Visa is investing in training programs.

The Visa Payments Learning Program, launched in 2023, aims to bridge the cyber skills gap through training and certification. “We are offering this to all of the employees. We’re offering it to our partners, like the banks, our customers,” says Kumaraswamy.

Visa currently uses around 115 cybersecurity technologies and is always seeking new solutions. “How do I [get to] the 116th, 117th, 181th?” he asks. “That needs to be added because every layer counts.”

GenAI is also a key focus, with over 80 different GenAI initiatives being explored within cyber.

“We’ve already taken about three to four of those initiatives … to the entire company. That includes the what we call a ‘shift left’ process within Visa. It is now enabled with agentic AI. It’s reducing the time to find bugs in the code. It is indeed also helping reduce the time to investigate incidents,” he shares.

Visa is sharing its cybersecurity best practices with customers. “We can think of this as value-added services to the mid-size banks, the credit unions, who don’t have the scale of Visa,” says Kumaraswamy. “I’m really excited to see how that can take shape and make not just Visa be the strongest link, but the entire payment ecosystem can be as strong as Visa,” he says.

Frequently Asked Questions

What is a zero-day vulnerability?
A zero-day vulnerability is a software flaw that is unknown to the vendor and for which no patch is yet available, making it highly dangerous (Cloudflare, Rapid7).

What is a DDoS attack?
A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a server, service, or network by overwhelming it with a flood of internet traffic (Cloudflare, Imperva).

Why is cybersecurity significant for businesses?
Cybersecurity is crucial for protecting sensitive data, maintaining customer trust, and ensuring business continuity by preventing data breaches, ransomware attacks, and other cyber threats (Varonis, Forcepoint).

