Having spent 20+ years developing, enhancing, and defending the GRC and information security posture of one of the world’s largest financial services organizations, I found myself helping FinTech startups to do the same. I find this work highly rewarding for a number of reasons. First, I get a chance to work with and learn from brilliant and highly ambitious entrepreneurs, who relentlessly push the boundaries of what is imaginable and what is readily available—uprooting long-held conventions by never ceasing to ask gutsy “Why not?” questions. Second, although my first financial startup experience goes back almost 20 years, the exhilaration of being an active contributor to another industry or service Big Bang in the making has yet to wear off on me. Third, as a creator and co-founder of a startup (a successful international professional association), I have a first-hand appreciation for just how difficult it is to navigate the many pressing strategic imperatives to successfully push a nimble startup forward.

There is, however, yet another unique reason why I enjoy my present consulting work so much. What I do today is like looking into a magical professional journey mirror. Today, on my side of the glass is usually a small team of super-talented, enormously dedicated people making a new financial service or revolutionary, industry-shattering product happen. On the other side is a “reflection” of my former self—an information security or GRC manager or auditor from a major bank with which my client startup has partnered. The auditor has reached out to my client to perform a routine partner audit, a process that commonly begins with a questionnaire covering the full spectrum of the startup’s systems architecture, its data protection practices, and a wide range of information security processes and controls. The light version of the questionnaire contains 300+ loaded questions (e.g. each question may call for a separate document or some sort of evidence to be submitted), while the full or core version of the same survey might contain as many as 900 questions. I guess this is how it must be in a world ruled by ISO 27000, ISO 31000, COSO, SOC 2, and the like. On the other hand, imagine what this means, in terms of time and effort, for a nimble startup, which invests every penny it has at its disposal to shorten the time to market for its product or service. I am not advocating cutting corners irresponsibly, but it is crucial to remember that enterprise risk management is as much about opportunities as it is about managing the negative side of risk. The 2017 revision of the COSO guidance, for example, is very particular about the positive, opportunistic side of risk. It is also the side of strategic risk-taking, which is deeply ingrained in the startup culture. On the other hand, it is also the sort of risk that is often all but lost to the usually risk-averse worldview of an information security auditor from a major bank.
It takes a fascinating fusion of art and highly pragmatic practical experience to make yet another bank auditor happy while shielding the startup’s precious resources from what might easily become a slow and devastatingly disruptive journey of little or no return.