Making Information Security a Company-Wide Priority
15 July, 2021
Information security is only becoming more and more relevant for every type of company. Let’s say that my Netflix account gets compromised. Sure, I’ll be pissed, but what would make me even more pissed would be if my bank account has been compromised, as well.
You need to be aware of the different levels of data sensitivity in a Fin-Tech business. What pieces of information do consumers care most about? That’s one of the basics in data security and privacy.
From another angle, Fin-Tech in the healthcare industry will most likely be regulated by a third party. You’re dealing directly with regulators in whatever market you happen to be in, not the consumers alone. You’re liable to legal penalties and so on, including fines. As a CTO, that’s one aspect that cannot be ignored. It will end up falling on you if you do so.
I went through this journey myself; I didn’t have a lot of experience in the area before. I had to do a lot of self-learning about technology risk and compliance. These things are nothing that you will learn at any engineering school. What you’re used to is all very technical. This involves regulations processes. It can seem very dry and a little bit annoying as well, but it’s actually quite interesting. First, you have to build that appreciation by spending time self-learning. It’s different for different people.
Within your own company, you need to build a strong culture of information security. This involves bringing in the right people who can help you build that culture. If a new developer is writing code, they have to be aware of what’s going on with it, because, at the end of the day, somebody is going to be using it. There may be a time where the product is usable but still vulnerable and rife with security issues. That brings in an educational dimension to the equation as you teach your team why these things are important. Once you start building that culture and introducing that aspect into your processes, your developers will also start picking it up and start to learn the same lessons.
There are plenty of ways to make these things accessible. You can share articles and technology talks. You can expose your developers to courses that they can take, as well. If I spend a lot of time on that, it helps everybody to prepare for regulatory issues before they come up. I don’t think that enough companies do this. That’s why you see all of these security stories in the news every other day.
The other thing involves metrics. Knowing what is going on is an advantage. As you start to build your team, they will produce these metrics for you. You want to be able to catch issues as early on in the life cycle as possible. The later that you catch it, the more costly it becomes. You will need to pay to fix it and you will inevitably end up losing business. You need to start keeping track of where you find issues consistently. This will help you spot them earlier and earlier.
- You need to understand the business that you’re in. Over time, it’s going to become more and more important. Build this culture early on. The later you wait, the more exponentially difficult it becomes to solve the problem.
- When you hire engineers, you need to make sure that you’re asking security-focused questions.
- Make sure that you build general awareness of security outside of your engineering team, as well. Attackers can target any part of the company, including your most vulnerable departments.
- This is always an ongoing process as you hire new people. You will be able to see the culture change slowly all of the time. When people are aware, they will ask the right questions. It just starts cascading down. Things will only improve as you continue to invest.
Scale your coaching effort for your engineering and product teams
Develop yourself to become a stronger engineering / product leader
A proposal for how to create an org structure that will deliver software systems that you want, not ones you get stuck with.
CTO at REAL Engagement & Loyalty
Mugdha Myers, former Engineering Manager at Google, discusses the challenges of leading a team through the ambiguity and anxiety caused by a large-scale team restructuring.
Engineering Manager at N/A
Ivo Minjauw, Global Product Director at OTA Insight, discusses the importance of structuring your teams when undergoing company growth.
Global Product Director at OTA Insight
Tommy Morgan, VP Engineering at Crystal Knows, recalls a time in his career when his values didn’t align with his superiors and shares his insights on preventing this outcome when taking on a new role.
VP Engineering at Crystal Knows
Dursun Mert Akkaya, Software Development Manager at Product Madness, encourages a change in mindset for heavily technical individuals as he explains the importance of communication skills.
Software Development Manager at Product Madness