2023 predictions: A level playing field to benefit everyone
As CTO of a financial technology company, it’s natural that security is one of my top priorities. But for other businesses, where the risks are not so visible, security can be an afterthought. That’s not surprising; a retailer’s expertise is in sourcing and merchandising great products. A hospitality business’ focus is on delivering amazing experiences. It’s easy to think of security as an expensive, time-consuming exercise, which adds little to a customer’s experience.
Until you’re breached. Then there are angry customers, expensive enquiries, and reputational damage to deal with. Security pays off and it doesn’t have to be arduous. In fact, approached in the right way, it can actually accelerate your growth. Ultimately, it’s about doing the right thing for your business and part of that is ensuring it’s built securely.
FF News kindly invited me to join their Virtual Arena to discuss security along with Mark Phillips, Information Security Consultant from Dionach. We explored how and why businesses should embed security into the core of their operations and why security is ultimately a human thing. You can read a write-up of the discussion here or listen to it in full here. Read on for a summary of our key themes:
In a world where things move faster all the time, it can be tempting to leave security out of your planning in order to speed things up. The problem is, you might want to roll out some really great initiatives only to find the security team stepping in to prevent your next data breach. As Mark explained: “The key is to empower employees to use security as a tool, rather than see it as a hindrance. You don't want to be halfway through a project only to find out that a piece of tech you wanted to use has horrific security vulnerabilities.”
"Security needs to be top-of-mind for everyone rather than being seen as ‘someone else's responsibility’."
Mark also makes the point that security has to come from the top-down “so you have a clear vision and strategy that leads to defined information security objectives.” And, while I do agree that security must be prioritised and promoted from the top, day-to-day decisions are typically made from within the organisation. Security needs to be top-of-mind for everyone rather than being seen as ‘someone else's responsibility’. For me, it’s all about the mindset that it’s part of your job, whether you’re an account manager, a sales rep, or an engineer.
Part of ensuring your employees are comfortable with security is to instill a positive culture around it, one that avoids blame. That way, if someone clicks on a link in a phishing email, they’re not tempted to keep quiet and hope for the best but, instead, feel safe to report it. Advancements in technology mean that people are often the weakest link in the chain. But they can also be your first line of defense. Make sure everyone is trained and feels confident to own the shared responsibility.
Nowadays, many businesses outsource data processing, storage, and related services to cloud services and other third parties. But Mark revealed an interesting trend: Some organisations are beginning to pull back from the cloud because, as he puts it: “When you hear the term ‘cloud’, you’ve just got to replace it with ‘someone else's server’.” This rings true at Adyen. To me, cloud services introduce a new set of risks, which differ depending on your provider, and you’ll never have complete control. So, while cloud services might seem more efficient at the beginning, it’s easy to underestimate the amount of time and specific skills required to ensure the set-up is secure and reliable. That’s why, for us, it makes sense to use datacenters, located around the world, in which we own the hardware and maintenance.
Of course, every business is different and cloud services might make a lot of sense to your organisation. With our experience in building a global financial technology platform, using third parties would have been more a hindrance than an advantage. But, for other companies, relying on trusted partners might be the best way to keep your data protected. What’s important is to ensure you fully understand the scope of the risks you’re exposed to. Maintain clear oversight of your technology partners and how they operate and protect their data - especially if they’re handling yours.
"We run as much risk of becoming legacy as any business."
In the world of fintech, we talk a lot about the legacy systems we’re helping to update. And, while we strive to be at the forefront of innovation, we run as much risk of becoming legacy as any business. I think it’s important to recognise that, without constantly renewing itself, any business can fall behind. And, while it’s easy to criticise the players that have been around for a long time, it’s also worth considering how they’ve managed to succeed for as long as they have. As we’ve seen again and again with our customers, even the most traditional businesses are capable of transformation. And they do it without compromising their original identity or values.
In the context of security, this means no business, no matter how new, can afford to be complacent. At the same time, it’s never too late to introduce security into the core of your business.
Ultimately, the security of your business is in the hands of your employees; they can be both your weakest link and your strongest defence. But there are also steps you can take from a strategic perspective to ensure you remain resilient. Understanding how and where your data is processed and stored is critical. But it’s also important to recognise where your expertise lies and know when to outsource responsibility to expert providers. Make the most of the technology ecosystem available to you, focus on what you are good at, and let trusted partners shoulder some of the burden. With security covered, you’ll realise your ambitions faster.