A technology startup is the brainchild of one or more highly capable, visionary, business-savvy technologists. Each member of the core startup team is usually more productive than several average workers and has the skills of the top 5% in their respective field. The founding members of a startup team commonly take on numerous responsibilities and are very comfortable with, and very capable of, bridging multiple disciplines. During the first years of its existence, a technology startup CIO may routinely perform the roles of systems architect and lead software developer while also assuming operations and information security responsibilities. For someone who has spent their career working for a large corporation, it is difficult to appreciate the complexity, the many skills required, and the challenges associated with being a successful lead technologist of a technology startup—no matter how small and deceptively simple the young organization's structure appears.
Imagine Joe and Brad, two expert technologists who co-founded Finnovations, a revolutionary fintech services company. Although both men are equally capable software and systems engineers, Joe, who also has special business talents, became the startup’s CEO, while Brad went on to lead Finnovations’s technology functions. Nobody knows the ins and outs of the IT systems at Finnovations better than Brad does. Therefore, when a large bank approached Finnovations with a partnership proposal and recommended that the startup establish a separate IT risk management function, it felt almost like an insult to Brad’s abilities. There are two reasons for the bank’s recommendation, and neither of them is meant to challenge Brad’s superior technical skills. First, it’s time for Finnovations to establish a more robust IT governance structure that separates the governors (the board) from the governed (the IT function). Second, it is impossible for the person responsible for system and/or software design to remain impartial enough to fully identify, accurately measure and prioritize, and effectively manage the risks associated with using their own creation—an independent IT risk management role is required for that. With all the rapidly shifting priorities that a startup CIO must deal with daily, it is virtually impossible to move beyond firefighting and become proactive in managing IT security risks without additional independent assistance.
To better understand the partner bank’s perspective, I encourage startup CEOs and chief technologists to learn about the Three Lines of Defense model. There are three steps that a fintech startup should take to reach the next level of IT governance and IT risk management maturity:
1. Establish and/or enhance IT governance structures. It is not uncommon for a fintech startup’s board of directors, at least initially, to be made up of members of its core founding team. It is time to revisit and, if necessary, revitalize and formalize the engagement of the other board members, who might have held purely voluntary independent advisory roles until now. If the board is still made up only of the core executive team, the startup should seek to expand its ranks to include carefully selected and well-qualified individuals. Governance structures must already be in place for the following steps to work.
2. Establish the Chief Information Security Officer (CISO) role. Resist the temptation to assign the CISO responsibilities to the chief technologist; seek instead the help of a capable IT risk and information security management professional. The good news is that you may not need to hire such an individual full-time, but can instead bring them in as a part-time vCISO (virtual CISO). A good vCISO will have experience in the financial services industry, but a great one will also possess first-hand startup experience and so be able to fully comprehend and easily bridge the many cultural and business process differences between an established financial services organization and a startup. A capable vCISO will be able to walk you through a set of clearly defined deliverables and offer a roadmap for the maturity journey of your IT risk management function—one that is well aligned with your business priorities and strategic milestones. The candidate for your vCISO role should also convey a clear sense of how their relationship with your organization is likely to develop and what options there might be for smooth service continuity and handover. Take the time and spend the effort required to find the right fit for this key role. According to the latest Gartner research, “by 2022, 20% of small and midsize or non-regulated enterprises will increase usage of a vCISO, up from 1%.” On the other hand, “by 2020, 30% of organizations that procure a vCISO will be unsatisfied due to a lack of appropriate due diligence.”
3. Establish an effective reporting structure for the CISO role. For the vCISO/CISO to be successful in fulfilling their responsibilities, the person assuming this role must have a direct link to the CEO and/or the board. Historically, many CISOs have reported to the CIO, but such an arrangement creates a conflict of interest: the CIO’s priority of rolling out new software and tools will clash with the need to keep information and cybersecurity risks at acceptable levels. Assuming that your organization’s CxO team is fairly small, the CISO should report to the CEO—an emerging preferred choice. Reporting to the CEO maintains the CISO’s independence and ensures that candid discussions about your organization’s information and cyber security posture occur, and are acted upon, at the right level. For a great overview of the reporting options you might wish to consider for the incoming CISO, see “What’s The Best Reporting Structure for the CISO?”
About ZHUK, INC.
We help fintech organizations establish stellar IT governance, risk, and information security programs. Our mission is to SECURE YOUR GROWTH™.