Reflections on FinTech Security Leadership

rob bainbridge
9 min read · Oct 6, 2020


Photo by Steve Halama on Unsplash

CISO, Director of Information Security, VP of Security, Head of InfoSec — titles aside, taking up the mantle of the senior information security leader in a fintech company comes with challenges and rewards that are in some ways very different to more established larger companies. It is an exciting role to explore, with some pitfalls to be aware of. The following is a crude and incomplete consolidation of some thoughts, views and reflections.

Top Tips / Summary

  • Have short, medium and long term plans — know what fits into each and don't let curveballs and speedbumps derail the long term plan.
  • Take the time to regularly zoom out and review strategy, progress and approach — things change rapidly.
  • Be very clear about your company’s risk appetite and work within these boundaries — you might be surprised at some of the tolerance levels.
  • Get involved in Enterprise Risk Management — cyber security permeates through all risk types.
  • Take the lead for security and lead upwards — it is up to you to define the security stance and build security culture.
  • Don’t only focus on tech — the dynamic and social structure of a fintech is conducive to people-centric security. Context and tools empower staff to manage security themselves.
  • Finally, don’t take things personally and maintain focus and empathy when the going gets tough.

The Fintech operating environment

Fintech companies can be relatively young, dynamic, built around an inspirational/optimistic idea, founder-led and small in size. They chase aggressive growth and as a result take higher risks while operating in ecosystems with larger, more established players who are beholden to stringent regulatory and corporate governance requirements. This makes for a very interesting backdrop to building and maturing a security program — which needs a foundation and context to grow. While your company may not (yet) have the same governance, risk and compliance (GRC) requirements, it is wise to keep an eye on these — your partners or investors may still measure you using the same benchmarks. Get good at assurance — it can happen a lot and at the same time. Build a knowledgebase and make processes visible.

What the company strives to do is inevitably hard (if it was easy it would have already been done, right?). This could mean the company is used to dealing with challenges and facing setbacks — you’ll need to figure out how best to embed and build security culture within this. Early on, find the connection between security and the company’s mission and/or product, and establish guiding principles around this — it helps give security context and meaning.

All companies are subjected to the challenge of differing and shifting priorities. Smaller companies can rally and solve this quicker. The business will expect you to be able to adapt and pivot rapidly, getting involved in new top priority initiatives while continuing to build and maintain an effective security program (that involves keeping the lights on, maintaining a good security posture and responding to incidents). An initial 100-day plan will be helpful, but so will a 10-day and 1000-day plan. It’s important to find the right avenues to plug in and keep updated on company work, and over time to see how to influence these where relevant to embed security considerations at the right time (processes like Go To Market and prioritisation).

Your business may call on you to assist with business projects, and it is up to you to balance this with the other critical security processes that need care (as these are sometimes invisible to the broader company). At times things can feel a bit chaotic, so remember to measure your output not your input. It’s a good way of checking that you are not dwelling on something too long without addressing it. Extended planning without execution is wasteful. You’ll need to create plans, execute fast and plan again. If possible, solve manual problems first (that address the more mundane aspects to security) to free up limited capacity.

Your role

You are the go-to person for security. Therefore you have to lead the charge and shape the company view of security. Execs will have a view — make sure you check, challenge and educate where necessary so their view is informed and accurate. Remember that if they were able to identify and drive the InfoSec agenda themselves then your job is irrelevant. The fact that the job exists means the company has identified the need for a senior security person to a) define and drive the strategy and b) weigh in on the company’s perspective of security/risk.

Internal structure

Structurally, the distance between the top of the fintech company (Board & Exco) and the rest can be more compressed than in a larger company where many layers of hierarchy exist. Therefore, information will flow differently — i.e. it can be more frequent, ad-hoc or immediate. There is arguably less reliance on detailed metric/KPI driven reports, which means security needs to be articulated in conversations and not always in flashy risk reports (these are of course critical, but not always the primary method of communicating key facts in the moment). You will need to find the right method of communication that maintains engagement, which is also an advantage in that you can rely less on reports and have more direct conversations, resulting in quicker decisions.

Your team

Such an important place to start, especially if you have been parachuted into the leadership position of an existing team. You can learn a lot about culture, good practices and the general lay of the land from your team members. If you are new you start with practically no credibility and need to build this. Take the time to understand your team’s roles, expectations and strengths. You’ll inevitably be working with a small team which faces two challenges:

1. Capability — the ability to cover all key parts of a diverse security program with a small set of people, and

2. Capacity — the small team will also need to balance BAU, projects, incidents and ad-hoc work (of which there is often a lot in younger less-structured setups).

With the team, have open conversations and be authentic. Give feedback promptly.

A small team is not necessarily a bad thing — you work closer together. To bolster capability or capacity you can look at external services (e.g. that will provide 24/7 managed detection and response) as it’s unlikely you’ll have the budget or capacity to fill all requirements upfront. It’s great to look at these as partnerships and not outsourced arms-length relationships — you can’t outsource security. Those external connections must be an extension of your internal team, not a transfer of risk. The right partner will provide capability and/or capacity with open two-way engagement that allows you to influence and direct parts of the agreement (often to their advantage too).

Your approach

Establishing a clear plan is key to provide focus and collaboration. But see this as a guiding light rather than an absolute. Things will change that require adjustments. Acknowledging this upfront and building in the ability to deal with them turns them into exciting digressions rather than frustrating distractions. At times you may need to temporarily alter the structure/setup of the team to tackle a top priority issue. As long as you don’t drop the ball with fundamental work, these digressions can really bring the team together and produce speed, fresh ideas and opportunities for learning and growth.

Turbulence and change can help sharpen focus. In other words, you’ll need to know what is really important and top priority, because you can only focus on one thing at a time. While it can feel unsettling, it is really a great tool to validate what is important. For example, with data security: is it more important to start with securing customer records or internal office documents? Be comfortable that you can’t solve everything at once. Keep short term focus (priority) but always know what the longer term plan is.

The company may have an established process of defining and reviewing deliverables, e.g. using OKRs (Objectives & Key Results). Make use of these where relevant, but don’t expect to run the security program entirely through this cycle for two reasons:

1. OKRs are often outward/business goal focused and so in the early stages it may not be apparent where/how core security objectives tie in to the overall picture.

2. OKRs are stretch goals, and if misunderstood or misused could result in setting objectives that bypass core foundational steps (required when building a new security program).

Find a way to measure change and progress. And have fun doing it. You can even build your own security maturity tool (taking elements of leading practice and combining with your internal needs). It is extra work, but building your own tool/product/process increases the chance of people caring for it.

Culture

Don’t be afraid to change processes or structures. Abandon wasteful rituals and try new ways of prioritization/focus that are driven by the security compass (the guiding light referred to earlier). Learn and adapt. There is no better place than a growing startup to experiment with new things.

Work with the respective teams to define what security culture means. We know security culture is not just security awareness, which is not just quarterly phishing campaigns, which is not just the train-punish-repeat cycle. And information security is not only about technology. With context, awareness and tools, your people are a vital asset in defence. With the right approach you can empower the workforce to manage and secure their own devices/assets/areas — which also promotes the idea of shared responsibility and bolsters the capability of your small team, while enhancing security awareness for people in general (a vital life skill).

This doesn’t mean ditching all parts of the cyber security strategy other than the human firewall (that would be ineffective, as your defences must be able to protect against one or one hundred people clicking on the wrong link), but see the human element as a fundamental part of the cyber security program, and make this a reality by embedding it in the company culture. Allow the time to immerse in the culture. You know what needs to be done with regards to security. Take the time to figure out how best to be effective in guiding and influencing.

Starting

Start somewhere relatively quickly and then build on it. Evaluate the current state of security. Make a plan with a north star and work towards it. Don’t be scared to start with a cert like ISO 27001 — it’s a great way of embedding good security practices across a range of business areas and could also be beneficial in displaying security commitment to your ecosystem partners. But remember to see it for what it is — a foundation of the security program and not the ceiling. And also remember that compliance (to the cert) does not necessarily make you secure. Take the time to zoom out and review the short, medium and long term plans. Adjust accordingly given the inevitable changes to the company, direction or priorities. Remember it is up to you to steer the security ship, so keep cool, calm and collected, but act with urgency when needed.

Personal development

Grab all opportunities to learn and challenge yourself — do roadshows and standup talks, get involved in leadership discussions, volunteer for other pods. Security might not be top of mind for many people at your company, but thankfully what we have to talk about is very interesting. So exploit that fact (without succumbing to the FUD approach of course). Enjoy what you do! A litmus test — how do you feel when you wake up? If you are not motivated, figure out why. Create your own space and plan (e.g. when and how to work from home). Factor in your personal life and be ok with work and personal intermingling when they need to.

Things to watch out for

  • Be careful where and how decisions are made and by whom. Don’t let security decisions be made without you.
  • While you are expected to be agile, be careful not to be too ruthless or risky. We know the defender’s dilemma all too well, made more interesting in a growing environment. So always keep an eye on your top threats and manage these.
  • It can be tough to negotiate with vendors who price based on endpoint or headcount. There is no easy solution here so look for good vendors and partners.
  • Monolithic corporates can live their GRC expectations vicariously through you. Find a way to have a balanced conversation so as not to spend excess time responding to one-way due diligences that may not be necessary.
  • Startup risk appetite is very different to corporate risk appetite. Make inroads with senior management to make sure your view of risk is aligned so you are not chasing down ‘critical’ risks that are not important in the eyes of the Board. This is a two-way street and you are also expected to challenge the risk appetite and tolerance view if it is too liberal.

rob bainbridge

Confessions of a tech ciso. Previously in banking. Enjoying the ride and the many states of security — contextual, engaged, confused, anxious and sleepless