Creating a security culture in FinTech

Date: August 30, 2018

Many financial institutions are now working with FinTech providers in partnerships that are helping transform the industry. Instead of seeing this wave of new start-ups and technological innovation as a threat, institutions are recognizing the opportunity, and young FinTech businesses are discovering potential buyers for their business. As this mashup continues, how can smaller FinTech businesses bring the required level of information security to partnerships or contracts with financial services Goliaths?


Creative freedom

Something FinTech providers are good at is the level of innovation and creative freedom they encourage their staff to adopt. Rapid cycles of product development and change help improve solutions and bring them to a level where they can be taken seriously by larger firms. This is great for functional development, but in cultures of high innovation and change, how can you ensure there is room for security best practice when it can often be seen as bureaucratic red tape?

Adoption is key

People and culture are central to information security. You can have all the best technology and policies in place, but if your people are not highly aware of information security and don’t adopt that awareness as part of their work culture, then security incidents and breaches are more likely to occur. Many smaller FinTech businesses don’t have the budgets for layer upon layer of sophisticated security solutions, and certainly don’t have the budget for teams of InfoSec professionals. The beauty, however, is that adopting a high-awareness people approach is cheap.

What do you need to create a security culture in your organization?

  1. Top level management buy-in
    • One of the most important foundations of a security culture. If management don’t want it or believe in it, neither will anyone else.
  2. The right policies to fit the business and the purpose
    • Ensure that security policies are the right fit for the size of your operations and business. Make sure they cover what is needed by your client base.
  3. Security awareness training
    • This goes without saying, but you need the right person to evangelise the security culture, so it spreads to everyone. This means creating the right levels of training that can be delivered to different stakeholders. Developers will need a different approach to finance staff for example.
  4. Encourage open dialogue on security issues or incidents
    • Make sure everyone knows that raising issues and reporting incidents are healthy practices and not something to fear. Peer group reviews of code or IT architectures help foster discussions on how to improve security.
  5. Put information security front and center as part of your new staff induction
    • The way to build in culture is to promote what’s important to your business as people join your team. This is when people form their views on your culture and what kind of team they are joining. Habits form early, so make sure they are good ones.


People are also increasingly the number one target in InfoSec-related attacks. Phishing is getting more and more sophisticated, and with so much personal information available online, attackers can build a picture of targets before starting an attack. If small amounts of confidential data can be stolen over a period of time, attackers have a better chance of a full breach into confidential systems. Awareness training is critical in preventing this. Technology is simply another layer in the defence and cannot work on its own.


For FinTech’s success to continue and to move higher up in the value chain of services being provided to larger financial institutions, information security maturity needs to increase. Audits, certification, policies, pen-tests, firewalls, IDS, IPS, encryption key management, etc., are all important components of information security, but without a high level of awareness and a culture of best practice amongst people, smaller FinTech solutions will fail at the cyber security hurdle.
