In India’s fast-evolving fintech landscape, innovation often races ahead of regulation — and security must sprint to keep up. For Ashwin Sekar, Chief Product & Technology Officer at InCred, the goal isn’t to slow that momentum but to build the right frameworks that make rapid, secure innovation sustainable.
“Secure innovation is not about restricting creativity,” Sekar explains. “It’s about designing strong frameworks and multiple protective layers. Once those guardrails are in place, people can innovate freely without breaking the system. If we rely only on people’s good intentions, we can’t scale. But with the right structure, we can grow fast and stay hungry for innovation — securely.”
From agility to assurance: A framework built on six golden signals
InCred’s approach to cybersecurity and product velocity rests on what Sekar calls six golden signals — the measurable, real-time indicators that govern its information security posture.
“We’ve evolved from an ad-hoc security model to a formal, data-driven posture,” he says. “Our framework is built around six golden signals that we track continuously.”
He breaks them down:
Security incidents – tracking frequency and nature of events;
Compliance status – measuring alignment with regulatory standards;
Risk management – maintaining a live risk register and mitigation matrix;
Control effectiveness – assessing how well security tools actually perform;
Employee awareness – testing and strengthening teams against phishing or social engineering threats; and
Incident response – evaluating detection, containment, and recovery readiness.
“This framework guides everything we do,” Sekar points out. “It allows us to balance agility with discipline.”
The philosophy translates directly into InCred’s software development lifecycle (SDLC). “Our SDLC pipeline includes automated checks for vulnerabilities — static and dynamic testing,” he adds. “Every deployment must pass multiple gates before entering production. Developers can move fast, but they can’t skip the guardrails.”
This model extends to infrastructure as code as well. “A lot of issues happen due to misconfigured infrastructure,” he notes. “By using Terraform and automation, we ensure consistency and repeatability. Mechanisms like this allow innovation to flourish without compromising resilience.”
At InCred, teams are organised into independent pods, supported by a domain-oriented microservices architecture. “This structure allows each pod to innovate independently without stepping on each other’s toes,” mentions Sekar. “We also nurture a culture that’s tolerant of taking smart risks — being okay to fail fast and learn — as long as those experiments happen within well-defined guardrails.”
Protecting the data that powers trust
For a fintech company handling sensitive financial data, data protection is paramount. InCred takes a multi-layered approach, applying security at every stage — from encryption and masking to fine-grained access control.
“All our data stores at rest are encrypted using AWS keys,” Sekar explains. “In transit, everything runs over TLS 1.2. Personally identifiable information (PII) is encrypted at the database level, and what’s displayed in applications is masked by default.”
Access control, he adds, follows the principle of least privilege. “Only those who absolutely need access are granted it, and even then, only to the specific fields required. It’s granular and role-based.”
These safeguards, he notes, aren’t static. “Data protection is a continuous improvement item. We’re constantly upgrading, monitoring, and evolving our practices.”
Generative AI: Potential meets prudence
As generative AI (GenAI) reshapes industries, fintechs are grappling with its dual nature — an enabler of efficiency and a potential new source of risk.
“GenAI introduces exciting opportunities, but also new attack surfaces,” Sekar cautions. “Prompt injection attacks, data leakage, and inadvertent exposure of sensitive data through public tools are emerging risks.”
To mitigate these, InCred has taken a multi-pronged approach. “We’ve standardised on a single enterprise-grade GenAI provider,” he says. “Our contract explicitly ensures that our data will not be used for model training. We’ve also blocked access to public GenAI tools that don’t offer enterprise-grade controls.”
Internally, every new GenAI initiative must pass through InCred’s architecture council and tech risk management review. “We rely on the same governance framework that defines our other systems,” he explains. “No AI integration bypasses those checks.”
Staying ahead: Threat intelligence and automated defence
As cyber threats become more sophisticated, InCred’s security architecture is built for layered defence and real-time detection.
“At all endpoints, we use CrowdStrike — which leverages AI-driven models to detect and stop malware or advanced threats,” Sekar says. “For traffic inspection, we rely on Netskope to monitor ingress and egress, blocking access to unapproved cloud applications.”
On the cloud side, AWS security services help monitor workloads for anomalous activity. “All these signals — from endpoints, servers, and firewalls — feed into our SIEM (Security Information and Event Management) tool,” he explains. “Our dedicated Security Operations Center (SOC) monitors these alerts around the clock, following playbooks to respond, contain, and learn from incidents.”
He likens cybersecurity to an arms race. “You can’t stand still,” he says. “You have to keep investing, automating, and evolving.”
Navigating regulation: The DPDP Act and beyond
The Digital Personal Data Protection (DPDP) Act is redefining accountability for fintechs. For InCred, compliance is a journey already underway.
“We’ve engaged external consultants to conduct a gap assessment between our current posture and the Act’s requirements,” Sekar shares. “The biggest focus is consent management — the foundational pillar of the law.”
InCred has prioritised enhancements to its data classification policies, data loss prevention (DLP) programs, and monitoring controls. “We’re ready to adapt once the Act is fully notified,” he says. “Because we already have a robust framework, we’ll extend it seamlessly to ensure compliance without compromising agility.”
Managing third-party risk: Security by association
Fintechs thrive on collaboration — APIs, platforms, and service providers. But every external integration brings new risks.
Sekar underscores the importance of formal third-party risk management.
“No vendor can be onboarded without a security due diligence review from our InfoSec team,” he explains. “Each vendor is categorised based on risk and materiality. High-risk partners undergo detailed annual assessments to ensure they continue meeting our standards.”
These findings feed directly into InCred’s security compliance dashboard, closing the loop with its six-signal framework. “It’s not rocket science,” he says. “But it requires discipline, consistency, and leadership commitment.”
Security as a culture: Leading by example
At InCred, security is a shared responsibility, not just a function. “If leaders don’t prioritise or invest in security initiatives, the organisation reads those signals quickly,” Sekar admits. “You can’t just talk about security — you have to demonstrate it.”
To nurture this mindset, InCred runs monthly phishing simulations, awareness programs, and gamified scorecards to track resilience. “We measure how teams respond to simulated attacks, and those who fall prey undergo reinforcement training,” he says. “It’s about creating awareness, not blame.”
For Sekar, leadership visibility matters as much as investment. “Consistent messaging and follow-through — that’s what creates a security-first culture,” he adds. “Culture doesn’t happen on demand; it’s built over time.”
Resilience over rhetoric
When asked about the technologies shaping the next phase of secure digital finance, Sekar is refreshingly pragmatic. “There’s no magic bullet or tool that guarantees security,” he says. “What matters is building a measurable and resilient governance program that continues to enable innovation.”
At InCred, the philosophy is simple: work backward from the customer. “The customer’s need for safety and trust drives everything — from functional design to architecture,” he explains. “Our responsibility is to ensure that the trust they place in us is repaid with diligence and care.”
In the race between innovation and risk, Sekar’s view stands out: speed is valuable — but only if it’s sustainable. And sustainability, in fintech, begins with trust.