The Evolving Role of the Fintech CISO

Fintech CISOs are facing rapid change in their sector’s technological innovations and regulations. As a result, CISOs must be the visionary for their organizations by anticipating and planning for these changes well in advance.

CISOs have to be ahead of the game with any changes that could affect the security of the organization. This could be business developments, shifts in risk posture, or sector-wide innovations.

As the rate and complexity of change has increased, the CISO’s role has also become a much greater source of concern. Avoiding high-profile security breaches has never been an easy task, and recent developments in fintech have created more avenues for incidents to occur.

What’s more, the metrics are clear: regulators are increasingly holding CISOs accountable for actions that cause, contribute to, or worsen breaches. It’s unfortunate, but they’re the organization’s fall guy if it comes to that. 

Because of all this, being a fintech CISO is an almost impossible role. CISOs burn out at a very high rate because of the business, technology, security, legal, and regulatory concerns they have to continually manage.

In order to understand why the role of a fintech CISO is so challenging, we have to take a look at the elements driving such rapid change in their industry. Keep reading as we take a look at recent changes in fintech and how CISOs have responded to them.

5 Big Changes in Fintech

Here are some of the key innovations that CISOs are commonly encountering. There are many other changes occurring in fintech, but these five areas are currently among the most prominent and challenging for CISOs.

PCI-4

First off, I’d be remiss in not acknowledging the elephant in the room that is the new PCI-4 standard. There’s been a shift in the industry toward a much more prescriptive focus on controls, including adding requirements such as a software bill of materials (SBOM).

Prior to PCI-4, fintech regulations tended to be more broad-sweeping, leaving room for interpretation as to how to meet the regulatory or compliance objective. PCI-4 names specific technologies far more often, and teams are rethinking their technical staffing as a result.

PCI-4 doesn’t require you to use a specific vendor, but it does expect you to have some kind of technology to manage your SBOM. That way, you know what software is in play within your organization.

Artificial Intelligence

It may be more obvious to those outside of the sector, but artificial intelligence and generative AI are also key developments for fintech companies to watch.

Interestingly, the fintech industry has actually been somewhat averse to using machine learning algorithms. There’s been a lot of concern over how bias in these algorithms could impact lending and funds distribution decisions.

While some of this concern predates the rise of AI, hesitancy around using the technology has continued because of the strong regulatory nature of fintech. As a result, fintech will probably continue to adopt AI relatively slowly — at least in meaningful integration and support of business functions.

Multi-Purpose Security Tooling

Fintech has actually seen significant developments in multi-purpose security tooling. This is a win for the sector. When companies can rely on a single tool to perform multiple functions, it means they can condense their overall security portfolio and save money.

To illustrate, managing 10 different security functions with two tools is a lot less work than managing those same functions across five different tools. Having a smaller portfolio streamlines workforces, and employees can work on security functions beyond tool management.

Zero Trust Policy

Concepts such as zero trust are also quickly taking hold in fintech. Although tooling is still pretty immature in the zero trust space, there is a clear movement in fintech toward micro-segmented networks and taking a “deny all/allow only specific traffic” approach to corporate networks.

Cloud Infrastructure

The move to cloud is also proving fruitful for many fintech organizations. Organizations are closing their data centers and moving apps to the cloud in record numbers. But those that are savvy about the move process are the ones that are reaping the benefits.

Others, however, are discovering the hidden costs in the move to cloud, and it often ends up being more expensive than their on-prem virtualization solutions.

How Have These Innovations Changed the Way That Fintech Organizations Do Their Business?

We’ll know more as the audit cycles come and go, but I predict that PCI-4 may catch many fintech organizations by surprise.

There seems to be some uncertainty around concepts such as SBOM, and the intent behind these new regulatory standards is unclear. I predict it will take a cycle or two before companies begin to settle in.

With increases in multi-purpose tooling, I also expect to see portfolio consolidations. As a result, there should be significant reductions in overall costs for organizations. It should drive up efficiencies and allow for staff reductions, too — early trends are already showing this.

However, there is a catch with tooling. Many infosec vendors are targeting the IT operations space as their adjacency. Essentially, this means that security tools trying to become multi-purpose tools are targeting the run teams.

To be blunt, this strategy assumes that infosec and operations teams can play nicely together within a single tool. Historically, organizational politics have prevented this in many larger companies. There’s always a little bit of an adversarial relationship between the run teams and the security teams.

I think the vendors may be missing the mark and not fully understanding their target audience. Unless those politics play out differently or vendors reconsider their strategy, there may be some holdups in companies successfully managing multi-purpose tooling.

Things like zero-trust and limiting network access will certainly be a great help to CISOs. By their very nature, these policies protect companies from suffering devastating breaches.

Ransomware is a great example. Ransomware measures its effectiveness by how fast it can spread on the network, so if the network is segmented, it’s going to significantly limit ransomware’s ability to spread.
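As an added illustration of the point above (this is example code, not from the original post), the following script computes the blast radius of a single infected host under a flat network versus a default-deny, allow-list segmentation policy. The hosts, segments, allow-list and the ports a worm is assumed to need for each hop are all constructed for the example.

```python
# Added example (not from the original post): blast-radius check comparing a
# flat network with a "deny all / allow only specific traffic" segmentation
# policy. Hosts, segments, the allow-list and the spread ports are constructed.
from collections import deque

# Constructed inventory: host -> network segment
HOSTS = {
    "laptop-1": "user", "laptop-2": "user", "laptop-3": "user",
    "web-1": "dmz", "app-1": "app", "app-2": "app",
    "db-1": "data", "backup-1": "backup",
}

# Constructed allow-list: (source segment, destination segment, TCP port)
# tuples the business actually needs; everything else is denied.
ALLOW = {
    ("user", "dmz", 443),    # users reach the web tier over HTTPS only
    ("dmz", "app", 8443),    # web tier calls the app tier
    ("app", "data", 5432),   # app tier queries the database
    ("data", "backup", 22),  # database pushes backups over SSH
}

# Assumption: the worm needs one of these ports open to hop to a new host.
SPREAD_PORTS = {22, 445, 3389}

def hop_allowed(src, dst, policy, flat, intra_segment):
    """Can an infection on src reach dst on at least one spread port?"""
    if flat:
        return True
    s, d = HOSTS[src], HOSTS[dst]
    if s == d:
        return intra_segment  # east-west traffic inside one segment
    return any((s, d, p) in policy for p in SPREAD_PORTS)

def reachable(start, policy=ALLOW, flat=False, intra_segment=True):
    """Breadth-first walk over every host the infection could hop to."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in HOSTS:
            if nxt not in seen and hop_allowed(cur, nxt, policy, flat, intra_segment):
                seen.add(nxt)
                queue.append(nxt)
    return seen

def blast_radius(start, **kw):
    """Hosts, excluding patient zero, that an infection on start could reach."""
    return len(reachable(start, **kw)) - 1
```

Calling `blast_radius("laptop-1", flat=True)` returns 7, the segment allow-list alone brings that to 2 (the other workstations in the same segment), and denying east-west traffic inside the user segment brings it to 0; the allowed SSH path from the database to the backup host shows that any permitted admin protocol still chains.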

Lastly, moving to the cloud has become a popular trend in the fintech space. Cost savings from eliminating the on-prem and third-party hosted systems are scoring pretty highly with CFOs. But for those that push too quickly, the technical nuances tend to be tripping them up.

Oftentimes, those who try to run before they walk are finding a loss in functionality, as well as those hidden costs that I talked about earlier. Others are finding that equivalent functionality is priced pay-by-the-drink, and is therefore less cost-effective.

Which of These Changes Has the Greatest Cybersecurity Implications?

Of the five areas that we covered, AI is the one with the clearest implications for cybersecurity. With AI being all the rage right now, CISOs have to deal with employees and fellow leaders attempting to use this new technology in ways that may not be vetted.

They could inadvertently be exposing intellectual property, personally identifiable information, or other types of company data through the tools. If that results in a breach, those actions may need to be disclosed, even if the breach wasn’t externally caused.

AI is especially dangerous because the same technology is being adopted by threat actors. AI is already being used to generate malware, flawless phishing emails, and other tools that are being used against us in the fintech space.

How Can CISOs Prepare to Handle These Challenges?

CISOs need to be extremely engaged, both with the business and with technology. Those who collaborate with other CISOs tend to be more informed and in a better position to respond to a constantly changing threat landscape.

In addition, because cybersecurity changes so rapidly, CISOs need to be hungry to learn and be willing to apply that new tech to make small and constant adjustments to the security strategy.

Black Kilt Helps CISOs Navigate Fintech’s Shifting Landscape

As a boutique firm, Black Kilt really shines in that trusted advisor role for CISOs. All of our consultants are highly engaged in the fintech industry, and as such, we’re first to see a lot of these emerging trends.

Because we have a cross-client look at the industry, we’re also able to aggregate and anonymize that data to identify those trends well before many other firms.

Lastly, our nimble size and structure allow us to react more quickly to the trends we see. As a result, we bring recommendations and expertise to our clients much faster than their direct hiring or training processes would allow.

To find out how Black Kilt can help your company navigate the changing environment of fintech, contact us today for a free consultation.