Back to resources

Making Information Security a Company-Wide Priority


15 July, 2021

Ishan Agrawal
Ishan Agrawal

CTO at Funding Societies

Ishan Agrawal, CTO at Funding Societies, seeks to protect his company from security threats from all angles.


Information security is only becoming more and more relevant for every type of company. Let’s say that my Netflix account gets compromised. Sure, I’ll be pissed, but what would make me even more pissed would be if my bank account has been compromised, as well.

You need to be aware of the different levels of data sensitivity in a Fin-Tech business. What pieces of information do consumers care most about? That’s one of the basics in data security and privacy.

From another angle, Fin-Tech in the healthcare industry will most likely be regulated by a third party. You’re dealing directly with regulators in whatever market you happen to be in, not the consumers alone. You’re liable to legal penalties and so on, including fines. As a CTO, that’s one aspect that cannot be ignored. It will end up falling on you if you do so.

Actions taken

I went through this journey myself; I didn’t have a lot of experience in the area before. I had to do a lot of self-learning about technology risk and compliance. These things are nothing that you will learn at any engineering school. What you’re used to is all very technical. This involves regulations processes. It can seem very dry and a little bit annoying as well, but it’s actually quite interesting. First, you have to build that appreciation by spending time self-learning. It’s different for different people.

Within your own company, you need to build a strong culture of information security. This involves bringing in the right people who can help you build that culture. If a new developer is writing code, they have to be aware of what’s going on with it, because, at the end of the day, somebody is going to be using it. There may be a time where the product is usable but still vulnerable and rife with security issues. That brings in an educational dimension to the equation as you teach your team why these things are important. Once you start building that culture and introducing that aspect into your processes, your developers will also start picking it up and start to learn the same lessons.

There are plenty of ways to make these things accessible. You can share articles and technology talks. You can expose your developers to courses that they can take, as well. If I spend a lot of time on that, it helps everybody to prepare for regulatory issues before they come up. I don’t think that enough companies do this. That’s why you see all of these security stories in the news every other day.

The other thing involves metrics. Knowing what is going on is an advantage. As you start to build your team, they will produce these metrics for you. You want to be able to catch issues as early on in the life cycle as possible. The later that you catch it, the more costly it becomes. You will need to pay to fix it and you will inevitably end up losing business. You need to start keeping track of where you find issues consistently. This will help you spot them earlier and earlier.

Lessons learned

  • You need to understand the business that you’re in. Over time, it’s going to become more and more important. Build this culture early on. The later you wait, the more exponentially difficult it becomes to solve the problem.
  • When you hire engineers, you need to make sure that you’re asking security-focused questions.
  • Make sure that you build general awareness of security outside of your engineering team, as well. Attackers can target any part of the company, including your most vulnerable departments.
  • This is always an ongoing process as you hire new people. You will be able to see the culture change slowly all of the time. When people are aware, they will ask the right questions. It just starts cascading down. Things will only improve as you continue to invest.

Discover Plato

Scale your coaching effort for your engineering and product teams
Develop yourself to become a stronger engineering / product leader

Related stories

Myth Busting

10 December

Supporting principles on why being data led (not driven) helps with the story telling.

Managing Expectations
Building A Team
Psychological Safety
Vikash Chhaganlal

Vikash Chhaganlal

Head of Engineering at Xero

The Not-So-Easy Guide on How to grow and develop an Amazing A-Team

5 December

Your Org Team may as well be a Sports team. Let's explore how this cohesive, multi-skilled team can be optimized for Great Group Playoff.

Building A Team
Company Culture
Sharing The Vision
Embracing Failures
Team Processes
Jaroslav Pantsjoha

Jaroslav Pantsjoha

Google Cloud Practice lead at Contino

(Re)Organizing Your Teams Using Domain-Driven Design

12 July

A proposal for how to create an org structure that will deliver software systems that you want, not ones you get stuck with.

Scaling Team
Building A Team
Internal Communication
Ram Singh

Ram Singh

Principal / Founder at id8 inc

Managing Through a Team Reorganization

15 June

Mugdha Myers, former Engineering Manager at Google, discusses the challenges of leading a team through the ambiguity and anxiety caused by a large-scale team restructuring.

Changing A Company
Changing Company
Mugdha Myers

Mugdha Myers

Engineering Manager at N/A

How to Empower Teams to Build Out a Product Portfolio During Company Growth

6 June

Ivo Minjauw, Global Product Director at OTA Insight, discusses the importance of structuring your teams when undergoing company growth.

Goal Setting
Ivo Minjauw

Ivo Minjauw

Global Product Director at OTA Insight