Positioning a security-first culture to win over customers in FinTech: Wisdom from Upvest CSO Sebastien Jeanquier

This episode features an interview with Sebastien Jeanquier, Chief Security Officer at Upvest, a fintech startup that empowers other fintechs to provide their customers with seamless, reliable and secure access to the full range of investment opportunities. Sebastien has over 15 years of experience including security advisory consulting, penetration testing and incident management. On this episode, Sebastien and host Tim Chase discuss how to strike the perfect balance of functionality, process and education to build a security-first fintech ecosystem, what it means to take a bottom-up approach, and how to treat security as a first-class citizen.Key Quotes*”Security as a domain is now as wide as it is deep, and it's a very delicate balance; to have the sufficient depth but also breadth of knowledge to be able to go and have a conversation with the most technical person in your team and be a meaningful sparring partner for them, even if you're not going to be involved in this sort the details of how that thing gets implemented. “*”Management has to make it clear that the expectation is for security to be taken as a top consideration, whether it's part of developing a product or as part of your back office operations and processes. It also means making someone responsible for that, not as a side job…putting someone, with the relevant skillset and experience in a position with their peers, with some of the other business leaders. For very small companies, this can be tricky because they may mean committing early on to hiring a senior security leader, which is not something that a lot of startups can feel like they can afford to do. But at the same time, that security leader can help lay the foundations for robust security culture and controls, whilst also helping to enable other teams.” *”You can do a great deal of work very early on, with very little team and budget. But the earlier you can set the foundations, the more dividends they will pay off over time. Because, the rework of trying to implement security later on, both from a cultural perspective, but also from a technological and control perspective, it just gets exponentially harder…If you're at a stage where you do have a CISO, then effectively they should report to the CEO or a managing director, or in a larger organization directly to the board. That person needs to have the ability to disagree with their counterparts, and not just be overlooked and say, ‘No, the priority is to ship the product. But the priority is not compliance right now.’ You need to be able to have that constructive criticism between each other without fearing that you're stepping on your manager's toes.”*”The traditional CISO of traditional or legacy organizations and a lot of top down or risk-focused security, they expect to put good sounding policies and standards in place, and expect those to get implemented as strong technical or procedural controls at the bottom. And I think that's overly optimistic. A modern CISO in the kind of space that we're in now has to have a strong grasp of the layers in between their strategy and the policies, all the way down to the kinds of threats that their kind of organization faces. And what does an effective control look like to counter those?”*”Security is especially an enabler in regulated environments where a certain number of controls will be imposed on you regardless of what you're doing. And any number of controls poorly implemented will result in a drain on your company's resources over time.”Time Stamps[0:27] Introducing Sebastien Jeanquier, Chief Security Officer at Upvest[1:41] What does it mean to treat security as a first class citizen?[5:51] What advice would he give other companies to take security as a top consideration?[9:09] How do you approach security from the bottom-up?[12:30] How is security a business enabler?[15: