Alagappan Karuppiah (Alagu), Head of IT at Diners Club International, the global payments network, has over fifteen years of experience in software, retail banking, IT governance & security and is an expert in smart cards and advanced payment systems. Here we ask him to discuss issues surrounding IoT, security and governance, as well as advise on heading up an IT department.
How are you expecting IoT to affect the payments sector?
The Internet of Things (IoT), from remote control to automobiles and smartwatches, is spreading its wings as the technology behind it matures. Connecting various types of electronic devices together for improved experience of day-to-day activities is promoted as the ultimate objective of IoT.
Today there are smartwatches being used for payments and transactions, but it would be interesting to see other appliances with such features. One payment brand recently tested car payments for take-away pizza. The technology logs the car arriving at a drive-in, and the user is able to pick up the pizza immediately while the car processes the transaction.
I also foresee home appliances offering the ability to complete online grocery transactions, ordering required items when the inventory is low. In addition, if an appliance tracked foods consumed and calorie intake it would be able to recommend exercise programs to the user. This information could also be sent to health insurers, with users receiving loyalty points based on their food consumption. Fiction of the future maybe, but as Albert Einstein said “I never think of the future, it comes soon enough.”
How do you approach security and privacy, handling such large amounts of sensitive customer data?
In Singapore the TRM (Technology Risk Management) guidelines and the PDPA (Personal Data Protection Act) provide excellent guidelines and recommendations on security and privacy for financial firms, as well as for other industry institutions.
The challenge is multifold: firstly in understanding ‘sensitive data’, and secondly in knowing where data resides and where it is being used in the organization. Most organizations face the challenge of lack of awareness around collected data. For example, a security office in a building might be collecting data on its visitors, but whether it is sensitive information and if it is being used, stored or destroyed remain key questions.
One approach is to de-sensitize customer data in such a way that it doesn’t impact operations but is of no value if used outside of the organization.
The IT Governance Institute (ITGI) mentions five areas of focus for better IT governance; these sound complicated. How do you actually implement everything involved in IT governance?
Start with a framework; trying to reinvent the wheel requires lots of resources. There are many to choose from, but using at least one means it has been trialled and tested by industry experts worldwide. These frameworks even offer implementation guides. According to a survey by PricewaterhouseCoopers, in conjunction with the ITGI, 95% of companies use one of the major IT governance frameworks, while only a few create their own. The CoBIT framework is well-suited to organizations focused on risk management and mitigation, while ITIL is a good fit for those concerned about operations.
The more business-general framework COSO is less IT-specific than the others, while CMMI is particularly well-suited to companies looking for help with application development, lifecycle issues and improving the delivery of products throughout the life-cycle.
Most companies choose CoBIT or ITIL and many audit organizations use these as a standard.
What do you look for in a candidate when you recruit in the ever-changing IT security and risk space?
Passion and a positive attitude trump experience, but finding a passionate person with a positive attitude is an uphill task. We need to find candidates who are business enablers, not blockers. This is due to the changing role of IT, which today contributes and makes business decisions. Decades ago it was only the department that built the technology infrastructure for the organization who made and influenced decisions.
We look for winners who don’t give up. The sad truth about people who give up is that they are generally just as capable as those who don’t. The main difference is their attitude. Tom Northup, author of Five Hidden Mistakes CEOs Make, wrote: “Hire to attitude, promote to attitude and fire to attitude.”
How do you manage your work and team as Head of an IT department?
You need to both motivate and be motivated. It is also important to maintain a work-life balance for yourself and ensure this balance is echoed in the team and department.
I often refer to a blog post at Goinglobal, which has listed a number of qualities that managers should have to effectively head up a department. These include the ability to deal with ambiguity and constant change. Employers must also keep up-to-date about the industry, and take moderate risks even in unfamiliar situations.
The blog suggests that managers must act in a diplomatic way and build lasting relations – in the real and in the virtual world. They should create visions and strategies for the future, and put them into practical plans and actions.
Finally, it argues that department heads must execute leadership, regardless of position, and have respect for different nationalities, cultures and religions.
These answers are personal opinion and do not necessarily reflect the views of Diners Club International.