Careem’s CISO explains strategy for the company’s big bet: Super App

As a vice president and CISO of Careem, the UAE-based ride hailing service acquired by Uber last year for US$3.1 billion, Christian Papathanasiou knows first-hand how a large enterprise needs to negotiate the fundamental economic shifts that a crisis may bring, and what technology leaders need to do to support a changing business model.

Papathanasiou joined Careem’s security workforce as its newest CISO just a couple of months before the coronavirus caused businesses to lock down across the world, devastating the transportation industry. In early May Careem slashed its workforce by 31 percent, laying off more than 500 employees. Mudassir Sheikha, the company’s co-founder and CEO, wrote in a blog that since the coronavirus hit, Careem had seen business decline by 80 percent.

Company officials recently have said that they expect the ride-hailing business to  bounce back faster than expected but that they do not expect full recovery until the end of next year. Meanwhile, the company, which continues to operate separately from Uber, is pivoting to leverage the various assets it holds to make the most of the new reality.

Careem Super App signals shift in strategy

Careem

The single biggest move it has made along these lines in the wake of the pandemic is the launch of its Super App, which allows users to access various services — which previously had been offered on different apps — via one unified app.

“When the pandemic started, the Super App was already in the making, but we accelerated our efforts in order to make sure we could provide for people in a time they needed it most,” Papathanasiou says.

Careem was founded in 2012 as a web platform to book cars for corporate use, but has steadily expanded, moving into businesses such as restaurant listings and food ordering; bike-sharing; payment facilitating; taxi and bus services; and pharmaceuticals and other essential products. Access to these services were offered via different apps until the company launched Super App.

“Careem’s vision to create impact turned out to be even more meaningful, especially during the lockdown,” Papathanasiou says. E-commerce and online delivery in Gulf countries, particularly the UAE and Saudi Arabia, are undergoing massive changes as the coronavirus crisis, followed by the move to remote work, sends people flocking to websites for essential goods and other products. Governments in the region have enacted rules — such as requiring sites to accept digital payments instead of cash on delivery — to encourage remote shopping.

Careem

Meanwhile, the Super App not only makes it easier for consumers to order services through Careem, but the resulting e-commerce aids the company’s delivery business.

Careem operates in more than 100 cities in 14 countries throughout the Middle East, Africa and South Asia, and different services are offered in the different locations. To make management of the Super App even more complex, Careem has decided to work with third-parties, providing APIs to allow them to offer their own services through the Super App, Papathanasiou confirms.

Super App now integrates third-party services

“We launched our Super App across all markets we operate in and we are now doubling down on making the Super App a platform on top of which other providers can integrate their own services”, explains Papathanasiou.

Careem has announced a variety of integrations with third-party services in the last few months. Under the Super App umbrella, it has for example integrated Visa services into its Careem Pay Wallet app, allowed various taxi services to connect to its platform, and enabled customers in certain locations to use WhatsApp to book Careem rides.  

Once the company started integrating third parties into its app, the security team needed to ensure adherence to baseline security policies. Key security issues include possible exposure of customers to risk as well as  platform and code vulnerabilities.

To deal with the changes to its IT infrastructure and business model, Careem made several changes and investments in its staffing structure. When Papathanasiou started work at Careem early in the year his team numbered seven, but now is three times that size, growing in part by bringing together formerly separate security and specialized fraud groups. The company has made other changes as well.

“IT now reports to Security,” says Papathanasiou. “Having IT report to security allows us to ensure that many of the endpoint controls and infrastructure controls are further secured. I also need to wear a dual hat and ensure that I don’t over-secure IT and make sure the core mission is respected: providing our employees with a great employee corporate IT experience.”

The complexity of  opening up its platform also makes Careem a bigger target for cyberattacks, requiring the company to bolster its tech teams. “We see similar attacks than any other organisation in the region,” says Papathanasiou. “What is unique about Careem is that we also see attacks on our platform. To this regard, we have built an industry-leading fraud team. We have one of the leading fraud and data science teams in the region.”

Cloud presents security challenges, benefits

As the number and frequency of multiple threats continue to grow, the complexity that organizations face in order to manage the data stored both in-house and in the cloud further complicates protection against these attacks, Papathanaisou says.

One lesson that Papathanaisou says he has learned is that CISO’s need to take a  multivariate approach — finding patterns and relationships among several variables and systems simultaneously — to formulate a risk-based security strategy. Though cloud and hybrid cloud IT setups may add complexity to the CISO’s role, the public cloud also provides tools to help, Papathanaisou says.

“We are a very heavy user of AWS. My previous role was in public sector consulting in the UAE and everything had to be on-prem,” Papathanaisou says. “However, I was pleasantly surprised that Amazon now has a solution for every on-prem security device you could think of and in many cases, it’s superior and pay-as-you-go rather than requiring very large up-front investments.”

AWS in 2018 launched two Amazon CloudFront Edge and two AWS Direct Connect locations in the UAE Arab Emirates. The former is designed to help enterprises improve the user experience through faster content delivery and cybersecurity protection, while the latter is meant to make it easier for businesses to establish a dedicated private network connection between AWS and their data centre, office, or colocation environment.

In 2019, AWS launched three cloud availability zones in Bahrain, bringing hyperscale cloud infrastructure closer to the UAE where Careem is headquartered.

“Once AWS opens up in the UAE, I can see it being further adopted by local governments especially as data sovereignty is a key concern. It makes sense and from a security perspective, it can be engineered just as securely on the cloud as it can be on-prem,” Papathanaisou says.

Big new security challenges are not far off on the horizon, says Papathanaisou, noting notes that Tesla has shown that autonomous vehicles are here to stay and in some cases have proven to be safer and can react quicker to hazardous situations than humans can. Ride-hailing services need to take notice, in large part to prepare for the security issues that autonomous vehicles are expected to create.

“Securing this is multifaceted,” Papathanaisou notes. “A great deal of intellectual property is being developed in this space which is extremely valuable and the right controls need to be put in place to ensure that access to this intellectual property is well-governed and managed. “