Exactly three years ago I left my Senior Security Advisor role at Microsoft to establish a security engineering and penetration testing consultancy, working primarily with fintechs at Level 39 and elsewhere. Three years is a long time in this business, and it seems a good time to reflect on what has and hasn’t changed since.
First, what has changed: fintechs of all stripes have dramatically proliferated, partly thanks to various accelerators and incubators, but what is more important, both fintechs and regulators appreciate the need for cybersecurity more than before.
Fintechs are now more security-aware and realise that a single security compromise may seriously undermine customer trust and endanger their chances of success. Awareness then has certainly increased. So what hasn’t changed?
Despite being more aware of cybersecurity risks and failures, most businesses, new and old, fintech or not, are still far away from being able to honestly say that they have engineered a secure product and operate a secure service — or that they have independent assurance to prove it.
Some only act when clients, investors or regulators ask for penetration test results or security policies.
For others, the security (or otherwise) of their product too often depends on the efforts of a single member of the team instead of being embedded in development and operations, leading to inconsistent or ineffective controls.
With fintechs increasingly attracting the attention of cybercriminals and others interested in the data they hold and process, we had better get better at securing it – or else.
Edgar ter Danielyan