Making Information Security a Company-Wide Priority

Problem

Information security is only becoming more and more relevant for every type of company. Let’s say that my Netflix account gets compromised. Sure, I’ll be pissed, but what would make me even more pissed would be if my bank account has been compromised, as well.

You need to be aware of the different levels of data sensitivity in a Fin-Tech business. What pieces of information do consumers care most about? That’s one of the basics in data security and privacy.

From another angle, Fin-Tech in the healthcare industry will most likely be regulated by a third party. You’re dealing directly with regulators in whatever market you happen to be in, not the consumers alone. You’re liable to legal penalties and so on, including fines. As a CTO, that’s one aspect that cannot be ignored. It will end up falling on you if you do so.

Actions taken

I went through this journey myself; I didn’t have a lot of experience in the area before. I had to do a lot of self-learning about technology risk and compliance. These things are nothing that you will learn at any engineering school. What you’re used to is all very technical. This involves regulations processes. It can seem very dry and a little bit annoying as well, but it’s actually quite interesting. First, you have to build that appreciation by spending time self-learning. It’s different for different people.

Within your own company, you need to build a strong culture of information security. This involves bringing in the right people who can help you build that culture. If a new developer is writing code, they have to be aware of what’s going on with it, because, at the end of the day, somebody is going to be using it. There may be a time where the product is usable but still vulnerable and rife with security issues. That brings in an educational dimension to the equation as you teach your team why these things are important. Once you start building that culture and introducing that aspect into your processes, your developers will also start picking it up and start to learn the same lessons.

There are plenty of ways to make these things accessible. You can share articles and technology talks. You can expose your developers to courses that they can take, as well. If I spend a lot of time on that, it helps everybody to prepare for regulatory issues before they come up. I don’t think that enough companies do this. That’s why you see all of these security stories in the news every other day.

The other thing involves metrics. Knowing what is going on is an advantage. As you start to build your team, they will produce these metrics for you. You want to be able to catch issues as early on in the life cycle as possible. The later that you catch it, the more costly it becomes. You will need to pay to fix it and you will inevitably end up losing business. You need to start keeping track of where you find issues consistently. This will help you spot them earlier and earlier.

Lessons learned

• You need to understand the business that you’re in. Over time, it’s going to become more and more important. Build this culture early on. The later you wait, the more exponentially difficult it becomes to solve the problem.
• When you hire engineers, you need to make sure that you’re asking security-focused questions.
• Make sure that you build general awareness of security outside of your engineering team, as well. Attackers can target any part of the company, including your most vulnerable departments.
• This is always an ongoing process as you hire new people. You will be able to see the culture change slowly all of the time. When people are aware, they will ask the right questions. It just starts cascading down. Things will only improve as you continue to invest.