Compliance Uncomplicated Episode 11: Securing the Future of Financial Innovation With Pinwheel’s CISO
In the latest episode of Drata's Compliance Uncomplicated podcast series, Pinwheel's CISO, Jeff Hudesman, joined Drata's VP of Security and CISO, Matt Hillary, and SDR Manager, Kayla Cytron-Thaler, for a value-packed conversation.
Join us in this episode where we talk about the significance of early-stage security hires and valuable advice for security leaders.
Meet Pinwheel: Unlocking Financial Innovation With Real-Time Income Data
In a world increasingly dependent on real-time data, Pinwheel is making waves in the financial landscape with its innovative payroll data integration solutions. By providing a secure platform that allows individuals to share their payroll information with trusted applications, Pinwheel empowers consumers and businesses by streamlining financial transactions.
Pinwheel’s seamless functionality improves the overall user experience for use cases like direct deposit switching, income and employment verification, and earned wage access.
First-Time Security Hires: The Value of Baking Security In
Recognizing the criticality of security in their operations, Pinwheel made a strategic decision to hire a CISO early on. Jeff plays a pivotal role in ensuring the security of Pinwheel's systems and protecting the sensitive data they handle.
Jeff advises companies to "bake security in from the beginning." He underscores the value in taking small steps such as setting up email protection and security awareness training. “Baking in usable security” from the start enables companies to build products and become industry leaders without compromising security.
At an early-stage startup, a CISO should be versatile, able to educate themselves quickly, and have soft skills such as effective communication in order to work well with other departments.
“They need to really be a jack of all trades. Someone who’s willing to learn it all, learn it all fast, and then execute.”
Advice for Security Leaders
Taking versatility a step further, Jeff believes a successful security leader must ensure accountability throughout all departments to prevent any potential threats that could harm the company.
“As the security leader, it really comes down to making sure you meet with all of the executives and department leads, ensure that security trickles down and that these department leads hold their staff accountable.”
Scaling Your Security Team and Processes Today
When it comes to scaling your security team and processes, there are several impactful factors to consider. Jeff shared some insights that can help organizations navigate this important phase of growth.
1. Maturity Assessments
Despite their potential difficulties, performing maturity assessments is crucial. As Jeff said, “The onus is on the security leader to come in and do a maturity assessment… there’s a lot of value there to just vet what’s currently happening and what we aspire to move to.”
2. Executive Buy-In
Getting buy-in from your executive team helps bring everyone on board with the security measures being implemented. This only increases in importance as the company grows and more people want to weigh in with their thoughts.
3. Legal Collaboration
Collaborating with the legal department, especially when it comes to privacy issues, is another critical aspect. This collaboration helps in negotiations, contracts, and risk mitigation with third-party suppliers.
In Pinwheel's case, Jeff has found considerable value in the company's relatively large legal team, which has deep privacy expertise.
“It's great I get to work very closely with our general counsel—I feel like that's very important, especially for negotiating contracts. We can't eliminate all risk with our third-party suppliers, so we have to codify things into contracts.”
4. Bird’s-Eye View
In Jeff’s opinion, “The best security leaders are the ones that are not going to be too engineering-centric, but they kind of go everywhere, see where risk might be, and try to minimize it as best as possible.” Effective security leaders need to be versatile, keeping a bird’s-eye view of all operations and potential associated risks.
Protecting Your Company From Future Risks
CISOs play a critical role in ensuring the security of a company. During the episode, Jeff and Matt dove deeper into potential areas that could affect CISOs and the running of a successful security program.
1. AI Risks
Artificial intelligence (AI) is shaping the future of many industries, including cybersecurity. While it brings numerous benefits, it also poses significant challenges and sophisticated threats.
AI tools can offer security leaders enhanced security features, but it's crucial to scrutinize those tools' privacy practices before adopting them. Jeff explains the approach they take at Pinwheel, saying, “The first iteration was more just vetting the solutions, seeing what kind of privacy features they offer, and what is our input that’s going to go into their models.”
If you’re going to use AI solutions, there are steps you can take to minimize risk, such as working with your general counsel, obscuring code, and using approved solutions.
2. Privacy Laws
Next to AI, Jeff identifies privacy laws as a significant challenge, particularly with the emergence of new state-level regulations in the U.S.
“I share privacy responsibility with our general counsel, but keeping tabs on that… the ways we have to treat data and what we can share, that’s definitely a high priority to keep an eye on.”
3. Cloud Complexity
The adoption of cloud services has become increasingly prevalent, with industry giants like AWS, Google Cloud, and Azure leading the way. While these cloud platforms offer numerous benefits such as scalability, cost efficiency, and flexibility, they have also introduced a new layer of complexity when it comes to managing cybersecurity.
4. Operational Costs and Choices
Operating a security program can be an expensive and burdensome endeavor. Matt reflected, “I think there's a big potential consolidation of a lot of tools vs. people going after best of breed.”
In addition to cost, risk management is another major challenge. “Generally, I think of risk management as strategically letting certain fires burn while you attack bigger fires,” Matt shared. “And with that, trying to figure out what the most brightly burning fires are out there that we need to go and attack as a team to most use our time effectively.”