Glovo: Tech unicorn multi-category app, dining at top table
Alexander Antukh is the Director of Security at Glovo, a Barcelona based start-up. Having grown incredibly fast and currently sitting at unicorn status (meaning a start-up with a valuation of at least +€1 billion), they are looking at a number of global new market entries.
As part of this rapid growth, there is a significant job to keep their ‘super app’ (similar to the likes of Gojek), secure and safe as the backbone of their organisation. Antukh had to establish a security infrastructure, working closely with Glovo’s technology partners to achieve this.
Antukh is a seasoned cybersecurity executive, who is passionate about strategy and enterprise security architecture. Knowledgeable on the principal security frameworks, he has a proven track record of building successful Information security programs from scratch.
“I joined Glovo a year ago and I think the most significant market changes were as a result of the pandemic. Our global, multi-category app was able to take the majority of our orders through food delivery. We saw record levels of growth throughout 2020, and we continue seeing the demand following ever-evolving consumer trends accelerated by the pandemic.”
In Antukh’s mind, the market is experiencing rapid change as more and more companies are racing to capture specific markets, meaning that “you can carve a niche for yourself. We were multi-category to the very big companies from day one. And I think that puts us in a very good position right now.”
Glovo’s security mission
The first task for Antukh’s team was to formulate a mission for the company to buy into.
We see ourselves as a business and executive function, rather than purely a technical one. So our mission, as we say, is to drive efficient cyber risk management. And we have that goal, that mission in our mind, in whatever we do.”
The starting point for Antukh is security governance, risk management, and compliance (GRC), which guides the other teams and helps define Glovo’s security objectives.
Next is product and platform security, which makes sure that whatever products and whatever code Glovo produces is secure by design. This is followed by corporate security, which is about protecting global work environments. Antukh adds that “that's about security awareness and phishing, secure configuration of our systems and generally everything around user devices.”
Cyber defence is next, which ensures Glovo is prepared for security incidents; including protective and detective measures and timely response.
Finally, there’s data security function - even though it's already integrated in other areas, we really wanted to be focused specifically on sensitive data identification and protection. “And that's not just about compliance and GDPR, but also our commitment to care about our stakeholders.” said Antukh.
Trust built over time
Glovo has come a long way as a company in the general understanding of the threats posed to the IT infrastructure. “When we started, we had to develop security training for our employees. People were quite open-minded and that also helped us, as that attitude is part of our global culture.”
The importance of explaining the need for security was very important in this process, according to Antukh; “Once we proceeded, it definitely helped not just to say, ‘hey, I'm an expert, just trust me’ .We were able to show why we believe so. We also needed others to believe in it to make it happen, so it was in our best interests to make them understand the importance of it, and as a result we were able to provide better and more effective training. This is something I'm really pleased about.”
Another key starting point was to open a security help desk, speeding up (and logging) requests and generating security awareness campaigns, onboarding and materials for all staff. Glovo opened the central service desk of JIRA, so that they were able to register and track requests from our employees. As Antukh remarks, “that allowed us to be constantly in touch with our employees and to start changing the mindset towards a more security-aware one.”
“We started the Security Champions programme in product security, so we are able to ensure the security by design of our code,” he continued. Firstly, Antukh established guidelines and policies such as passwords, but the second factor involved Bitwarden, a key partner for Glovo.
Bitwarden helping to keep Glovo secure
Bitwarden is an open source password manager, and is considered one of the most secure and privacy-first options on the market. As Antukh explains, “when we started, we were tackling the problem of weak passwords at Glovo. I'd personally been using Bitwarden for some time. We just decided to try it for corporate security purposes, and it was a big success. Our primary use case is to secure the shared set of credentials files, and other sensitive information, among the team members. So we specified a list of authorised users and ensured that no one from the list had access to sensitive information Bitwarden helped us to comply with PCI DSS. They also helped us to cover a few important controls of our cyber security framework. So overall, they have become an integral security tool for the whole company. We are pleased to see how they can contribute in future to the overall protection of Glovo.” he said.
Cyber concerns of now and the future
Like others in the tech space, one of Glovo’s common enemies in the cybersecurity realm is the increase in rates and sophistication of ransomware and potential cyber attacks in general. Glovo has a complex approach to how they protect against this and that concerns all teams. One of the key adoptions is that of zero trust, which aims to tackle the major problem of phishing attacks.
Antukh is aware that “there are many talks about zero trust, and I think that's a very good strategy overall, but then of course, we need to remember the foundations, such as asset inventory and visibility of what we have in our networks, and patch management. It is, however, keeping security by design in mind in how we build our products. I think it is really important that we tackle security as a whole company. So there is the risk ownership and there is awareness of what it means to own the assets. And always asking what risks are there”
Speaking on the impending explosion of quantum computing over the next decade, Antukh cites quantum computing and quantum cryptography as a major issue. He adds, “I think it's again more about the mindset. So whenever there is a new technology, whenever there is a new approach, there are inherent risks in that. So it's about how we are able to build that threat model, how we're able to identify those risks. And what are the controls there?”
One example Antukh evokes is that of the Metaverse from Facebook/Meta, which is moving to a new reality. “Hacking that reality might have some consequences, which we don't even think about right now, but might be quite serious. And there’s also deep fakes, for example, or imitating the voice of somebody to pass some of the traditional controls, for banking transfers, among many others threats.”
How Glovo stays ahead of the pack
The focus for Glovo is to keep growing and expanding into countries and continue to strengthen their footprint in existing markets in which they currently operate. “We are in 24 countries, in more than a thousand cities worldwide, and we have over 4 million users. So I believe that Africa is going to be a focus for us. And over the next 18 months, we’ll look forward to expanding further.”
When asked to describe Glovo’s competitive edge, Antukh says that it is two-fold to him personally, starting with an amazing culture that employees strongly believe in. “This is about how we work all together and we support each other. However, from the market perspective, I would say it's the fact that we are a multi-category app from day one. So again, many companies are now entering this field and are focusing on groceries. We've been there already, so it helps us to anticipate the next moves and be the market leader where we already are established.”
Another example of Glovo’s uniquely forward-thinking culture was embodied by the recent announcement that they’re becoming an official signatory of The Climate Pledge (TCP), alongside more than 200 other businesses, making a commitment to decarbonizing and reaching net-zero by 2040 or sooner. Glovo had already made a commitment to becoming carbon neutral across all its operations by December 2021, through a combination of emission reductions initiatives and investments in carbon offset from internationally certified nature-based and technological projects, in conjunction with partners Pachama and South Pole.