Since the annual RSA conference was in San Francisco last week, the topic of this week’s edition of The FinTech Blog is cybersecurity.
I was at RSA last year with Morgan Stanley, and just read that the key takeaways for 2015, according to Network World, are: 1) visibility (i.e. seeing how you’re doing); 2) data center security; 3) two-factor authentication; and 4) services.
I’m emphatically not a security expert, but can speak to certain aspects of security – from a business perspective – which can be of value to early-stage FinTech startups and industry enthusiasts less familiar with security.
I recently sat down with Barry Schneider, CEO of LOYAL3, perhaps one of the most interesting of the FinTech firms based in San Francisco. While a later edition will include the full interview, I was struck by his comment that doing things right on security, regulation and privacy isn’t just ‘important’ – “it’s everything.”
Security Is Everyone’s Business
From my own experience in financial services and at FinTech startups, the role of security is more than technology. At Morgan Stanley, for instance, everyone takes an annual training class on the importance of protecting private information, knowing your customers (KYC) and enforcing Anti-Money Laundering (AML) rules.
There’s a lexicon of terms, beyond KYC/AML, such as PII (Personally Identifiable Information) and Material Non-Public Information (MNPI) to learn. It’s a lot to learn, but I’ve found Intuit Developer maintains a great security blog.
Having briefly played the role of a risk officer – which convinced me of the need to return to a role in product management and/or digital strategy – I can tell you that the people in this area play critical roles. I’ve learned a lot from some great managers working in risk, such as Morgan Stanley’s Lynn Riehl.
If you’re at a FinTech startup in engineering or operations, you should be aware of the requirements that apply to those who are regulated. The rules are complex, but a good start is familiarity with the PCI rules for cards and the FFIEC guidelines for some banks.
Although such help is too costly for a seed-round firm, mid-stage startups would be smart to seek out experts such as Adam Shapiro at Promontory Group, who can help them navigate regulatory issues, and to get legal advice as they build their products.
Role of the CISO
Over the last few years, some of the larger financial services firms, along with some other industries, created a new role, the Chief Information Security Officer (CISO). Morgan Stanley has one of the best in Gerard (Jerry) Brady, who taught me a lot about information security.
Beyond knowing the difference between IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems), I later learned that you should assume you’ve already been breached, i.e. never think you are secure, and that the old paradigm of securing a perimeter is no longer sufficient (which speaks to the key takeaway from RSA on visibility).
Startups probably think less about some issues, like data centers, since many use AWS instead of running their own data centers, but it’s never too early to have a CISO, even if you are only a partner to a bank or other financial services company.
Jerry also had an almost encyclopedic knowledge of companies in the security space, being able to explain and cite the pros and cons of working with innovators such as CloudFlare, Passages Security, vArmour and Prevoty.
The old paradigm of securing the perimeter is no longer sufficient…
The CISO can play various roles, but should lead thinking on new threat vectors, stay on top of what’s new, and manage the vulnerability assessment and Information Security (InfoSec) teams that look at third-party providers.
Data Center Security
In terms of data center security, another key theme at RSA, I won’t speak to this as much, but I advise mid-stage FinTech startups to follow the industry leaders in this space, such as Palo Alto Networks, and newer entrants such as Illumio (backed by Joe Lonsdale’s Formation 8; Joe co-founded Palantir, a key player in security at banks).
While it’s less relevant to a FinTech startup, I was intrigued to read that two-factor authentication (2FA) was a key theme at RSA last week. At many banks, employees use RSA token generators, but banks seldom issue them to clients out of concern over cost. For clients, the second factor in 2FA is often the mobile phone. Many have asked whether banks are doing enough.
Although I didn’t get as much opportunity to work with Dave Chen – the leader of Morgan Stanley’s banking team focused on cybersecurity – as I’d have liked when on Sand Hill Road, it was clear Dave is the go-to banker for security technology.
The final key theme at RSA was services – so it’s telling that Dave was ahead of the curve, putting together the deal to merge Mandiant, the services team called in to address crises such as the breach at Sony Pictures, with FireEye.
Although excited to be back on the business side, I wanted to give a shout out to one of the truly great service providers that I had the chance to work with recently:
Bracket Computing. I’m a big fan of this company and its CEO, Tom Gillis, along with his stellar team, including CTO Jason Lango; VP of Sales, Chris Pappas; and VP of Product & Marketing, Ambika Gadre.
I’d also like to congratulate Bracket on their selection last week into Wells Fargo’s exciting new Accelerator program.
Hopefully this week’s post will shed some light on the criticality of security and the complexity of the regulatory issues for some of the FinTech startups, or others, who haven’t worked in strictly regulated industries.
And if you want to gain deeper insights into security from actual security experts, check out these videos of keynotes from last week’s RSA event!