Although fintech is a relatively new industry, it is also a sector that is transforming established companies globally. Naranja X is one of the latest ‘fintech transformations’ to emerge from South America’s financial sector.
From humble beginnings as a sports shop store card launched in 1985, Naranja X has now become one of the most dynamic fintechs in Argentina. Headquartered in Buenos Aires and Córdoba, the distinctive orange card, which gained its name Naranja X because it translates as ‘orange’ in Spanish, is already a household name.
The company re-modelled itself and relaunched as a fintech in 2019, just prior to the start of the pandemic. Since then, Naranja X has moved from strength to strength and provides its customers with a range of services and products that assist them with daily financial management.
Santiago Fernández, Chief Information Security Officer at Naranja X, explains, “It’s a 35-year-old company that has developed into a fintech company in order to support customers in their daily money management.”
So far, Naranja X has established two corporate buildings in the cities of Córdoba and Buenos Aires, and there are 180 branches throughout the country that operate with a workforce of more than 3,000 employees.
As an established and trusted brand, Naranja X boasts a user base of more than five million customers, who, according to Fernández, “access their pesos accounts, transfer money, pay bills, use their credit cards, obtain loans, take out insurance, deal with e-commerce, buy trips, enjoy promotions and more.”
Bringing a multitude of skills to the role of CISO, Fernández is also a Professor of Cybersecurity at the University of Palermo. The position, he says, gives him valuable insights into the space, which is becoming increasingly important in fintech, where protection of data and financial information is paramount.
“The university environment gives me the opportunity to share a space of constant challenge, not only with my colleagues but also with the students. Many of my colleagues work for the most important Argentine companies and, in many cases, International companies. They tell me their strategies, how they plan to approach them, what objective they pursue. That is nourishing for both parties, particularly for me.”
Fernández says the opportunity to view new perspectives and become familiar with the latest technologies being used in the market benefits the Naranja X Information Security team.
Indeed, the company’s security strategy is multi-pronged and relies on the latest technologies to secure data and customer information against cyber attacks.
“Our mission in the area of Information Security is to protect user and company data, ensuring data availability, confidentiality and integrity,” he says.
“We work proactively and synergistically with all the areas so that we can have a comprehensive vision of all the processes, thus reducing exposure levels, mitigating vulnerabilities and improving data protection. To achieve these objectives, we have designed a strategy built on three main pillars:
the first involves security awareness campaigns for employees, users and the general public. We know security education is essential.
The second pillar implies reducing threat exposure levels by using a proactive approach. Process automation and attack area reduction are key.
The third and last is about the adequate protection of sensitive corporate data by adding further protective layers around our most critical asset: information.”
Secure and agile teams
Naranga X also employs specific tactics in terms of its business modelling. Currently, the fintech utilises an element called ‘Security Champions’ and a work style it describes as ‘Tribal Squad’. These systems are employed to improve efficiency as well as security within the company.
In May 2020, Naranja X announced its evolution into a fintech company. Interdisciplinary work has been crucial to this success, as has the creation of “Squads” or teams, with different specialists from areas such as IT, analytics, customer experience, business.
Fernández explains, “At Naranja X, products and business opportunities are created and developed with different technologies by interdisciplinary teams called Squads or Tribes. We believe in empowering teams to achieve the aims we have set. Creating an agile mindset erases physical barriers and allows us to work virtually, building true teams and focusing on results.”
“To accompany the time to market each product, it is necessary to perform a ”Shift to the left” in terms of security. That is, Information Security must work from the very beginning at each of the stages in the product life cycle. So, we are part of each of our pipelines (CI/CD) of development and infrastructure (IaaC) as their security support”, explains.
He says that as resources are finite, to achieve scalability, the role of Security Champion was created in each Squad. The Security Champion is a member of the interdisciplinary team (Product Squad) who is in charge of overseeing security stories in the team’s backlog. The Security Champion is also well trained in cyber security and liaises with Cyber Security CoE.
“Our aim is to ensure that Security tasks advance at the same pace as the Product or Business tasks. In the past, it was common to hear comments such as “ this risk is not relevant”, “we do not want so much formal work” “it is only an MVP, a pilot”. The Security Champion role helps us to participate from the beginning of the product life cycle thus enhancing efficiency.”
A Cybersecurity Centre of Excellence
“The Information Security CoE counts on specialists in different fields to deliver services to the whole company,” Fernández tells us. “There are three main teams within the CoE at present: Information Security, Cyber Security and Digital Information Security. The first is the most traditional one where we deal with GRC, IAM and Brand Protection.”
He points out that Naranja X’s cyber security focuses on monitoring, end-point and I&R as well as Digital Information Security (DIS). “In this team, we have DevSecOps and NetSecOps specialists, Cloud Security Engineers and red and blue Team members. In the near future, we are going to create a Product Security team to support and further reach customers with the solutions we develop.”
A customer-centric approach
But perhaps one of the most defining features about Naranja X is its customer-centric approach. The company places customers - and its people, squarely at the centre of its philosophy - both in terms of management and service experience.
It was this aspect that drew Fernández to the role - and stokes his enthusiasm for the job. He explains, “What attracted me to Naranja X? Many things! First and foremost, the focus we have: "People are key", not only the customers but also the employees.”
Technological innovation is a driving force behind this, and he describes the working environment as one of ‘learning and satisfaction. “Naranja X provides an environment that has a multi-cloud and on-premise infrastructure, where you can find an offline business and an online business, cutting-edge technologies that we use and a focus on employee development.”
Market differentiators
But in a sector as competitive as the fintech market, staying competitive is key to survival. Latin America is one of the globe’s fastest emerging markets when it comes to technology and finance - so how difficult is it to maintain an edge over other growing services? Fernández says it comes down, once again, to looking after people.
“For us, people come first, and they are at the centre of our decisions. We strive to offer them products, benefits and services that make their daily life easier. To achieve that, we implement technologies that make their interaction with our app or in-person service in any of our 180 branches a fully efficient, personalised and positive experience.”
In-house DevSecOps
In a world where connectivity and being part of an ecosystem is often central to scalability, Naranja X is playing things slightly differently by using an in-house DevSecOps. But is this something that works better specifically in the Argentine market?
Fernández believes so. He says, “To have a good product and a good business case is as important as outsmarting our competitors. However, Security has often been perceived as a hand brake that slows down the product development process. Instead, we aim to become a safety belt, an airbag cushion that can safeguard the business health, not hinder its development and pace.”
Fernández explains that the DevSecOps specialist enables the pace by automating security in each of the pipelines Naranja X uses to make its products available. The developer, then, is well aware that the product has complied with the security steps before its deployment.
He says, “Launching a product before the competition is not the only factor that gives us a market advantage. We need to provide reliable default security characteristics because customers and users have become more demanding.
“To pick up from the analogy we used earlier, in the 80’s nobody paid attention to safety belts and other security features when buying a car. Today, it would be inconceivable. The same is happening in the world of technology. That is why we have stopped being security auditors to become product co-creators.”
Strategic partnerships
Although developing in-house systems has its advantages, forming connections that can drive innovation forward is also critical to Naranja X. Currently, IntSights is one of the company’s key partners that played an essential role in managing the digital processes required to service customers during covid-related restrictions.
Fernández explains, “During the lockdown, digitalisation of processes and tasks increased considerably – not only in the case of our company but in the business world in general. This increase attracted cybercriminals. Therefore, we decided to monitor Naranja X brand health in the Dark Web or Deep Web, and we chose IntSights as our strategic partner in Brand Protection.”
He continues, “Our indicators show an 800% increase in scams, phishing and vishing – a trend also seen in many other financial companies in Argentina. IntSights offers visibility of BIN data, email addresses or domains, user lists and passwords in a proactive way so that we can detect and remedy wrongful activities by site takedowns and other contention and preparation actions.”
Naranja X also partners with IntSights to manage their external threat intelligence, which has resulted in the fintech company having a 360° view that exceeds its current, in-house possibilities. Fernández says, “The platform operates on different webs and can identify potential threats, collect and analyse content from different open sources such as social networks, blogs, chat boards, etc… IntSights early threat detection makes it possible for us to answer effectively.”
IntSights also carries out early identification of potential phishing activity and classifies these threats, which in turn leads to screening any “false positive” cases. The platform’s open integration API, with its easy access and sound documentation, assists Naranja X to mitigate damaging events early and assist in automation.
“IntSights is used not only by Information Security but also by Fraud Prevention. This type of tool has become a commodity for other teams in the company as well,” says Fernández.
A people-centric future
In an industry that increasingly places technology and customers at the heart of its operations, Naranja X is ahead of the game and emphasises its employees’ welfare and development.
Fernández surmises, “On the other hand, we are committed to our staff’s constant development. In 2020, over 13,300 training hours were delivered by our Data and Analytics Academy to focus our employees’ attention on Data-Driven culture. We also have a framework and collaborative tools for data search which democratises practices.”
In terms of the next 18 months, money management as well as technology-based products, services and functionality will be a main focus for the company, as well as a number of new product launches.
“Soon, the Naranja X account will render interest on funds deposited, a new dollar account will be offered to our customers, and the prepaid card will become a debit card. These new products will provide solutions to our customers’ personal and business financial needs.”
He adds, “To meet these challenges and the planned business growth, we will continue recruiting talented professionals in the field of technology for our engineering, architecture and data and analytics teams.”