
Living in the Cyber Bullseye

June 13, 2022

After two years apart, we were grateful to reconnect in person at the RSA Conference in San Francisco. In partnership with ICON, Oren Yunger, an investor at GGV Capital, recently hosted a “Living in the Cyber Bullseye” panel with Chief Information Security Officers (CISOs) from some of the biggest fintech companies in the U.S. 

Featured speakers included:

  • Philip Martin, CISO, Coinbase
  • Caleb Sima, CISO, Robinhood
  • Hilik Kotler, CISO, SoFi
  • Shyama Rose, CISO, Affirm

CISOs have notoriously high-stress jobs: beyond being responsible for an organization’s data security and balancing the resources available to them, they also need to help internal stakeholders understand the potential impact of a breach. At fintech companies, a breach can add up to hundreds of millions of dollars in damages, along with severe reputational harm and loss of customers.

The CISO role is also challenging because customers and internal stakeholders often don’t realize a control is broken until something goes wrong. Given that fintech is an especially high-stakes industry for CISOs, we wanted to discuss some of the pressures and tough decisions they face every day.

From analyzing trends to communicating risk, here are some of their strategies for living and working in the “cyber bullseye”:

How do you prioritize security initiatives?

Philip Martin (Coinbase): Not all issues are equal. A deep understanding of actual risk is critical. A CISO needs an understanding of the business and what actually matters at the end of the day. Prioritization and an understanding of the tech stack are critical.

Caleb Sima (Robinhood): Every single company has different contexts, but there are different stages. When you look at an organization’s layout, you can figure out how you can prioritize things, which I like to do in “rings.” For example, the places where attackers will go are ring 1. Think about the landscape you’re in. There are lots of generic, practical things that you can start thinking about.

Hilik Kotler (SoFi): At the same time, recognize that the landscape is constantly changing. We’re always working to understand techniques that bad actors leverage, and it helps us prioritize. Another thing that is important is to know when to let go. When you feel that you have something that is good enough, sometimes that means it’s done. Not just around crown jewels and vulnerabilities. Let it go.

Shyama Rose (Affirm): It comes down to strategy, practice, and trends. CISOs intuitively know where we should be focusing, but it’s about how we communicate it with the organization. Take the trend part as the evidence of where we should be focusing. Gathering intel is vital; cross-functional is important. Roll it all into a trend to illustrate what the internal or external landscape is. I also try to make quarterly roadmaps.

How do you secure appropriate resources and allocations?

Philip Martin (Coinbase): You have to quantify the risk reduction and show how it will improve customer experience. In the physical world, we have a set of security reflexes that we use every day, but we lack them in the online world. For example, when you leave your house, you know to lock your door. Where I see this intersecting with Coinbase is I know I cannot go and blame the victim when something goes wrong. Instead, I have to take a step back and realize they maybe didn’t yet have that intuition to “lock their door.” My job becomes education and intervention instead, to warn our customers, “You’re about to walk away from your house without locking the door!”

Caleb Sima (Robinhood): Education only takes you so far. The issue is that it’s an immediate problem. We go into the mindset of preventing the immediate problem, which can lead to a rougher customer experience (for example, asking users for lots of passwords). This kind of thing can interfere with growth, so it becomes framed as a growth versus fraud issue. I think a lot about how we develop “safety hygiene”—when a user isn’t securing their data, do we “punish” them, or do we throw in higher friction? The realistic challenge is security versus high growth, and how you balance between the two. In an ideal world, security would be the enabler, but that’s not yet been achieved.

Hilik Kotler (SoFi): Friction comes in the form of cyber controls and fraud controls. We always need to be confident that we are putting in the right controls and protections. At SoFi, we see that clients are now understanding the high-security environment that we put in front of them. They don’t necessarily see it as friction, but as us keeping their information safe.

Shyama Rose (Affirm): At some point, it comes down to a business decision—how much loss is your wider team willing to tolerate? Friction gets in between conversion rates, customer retention, and drop-offs. There are always going to be risk-tolerance issues.

What are some qualities that CISOs need?

Caleb Sima (Robinhood): A perfect CISO might be technical and a people manager. Technical understanding is part of my role, but in my day-to-day job, 99.9% has nothing to do with the technical part of it. A lot of that has shifted to my leadership team. Fraud was actually new to me when I joined Robinhood; I just know how to ask the right questions: 

  • What are the top drivers?
  • How is that trending over time?
  • Is it seasonal?

Shyama Rose (Affirm): I come from an engineering background, and learning about IT security and network security has been paramount for me, even with the support of the leaders underneath me. In fintech, you have to be far more technical than an average CISO to survive.

Hilik Kotler (SoFi): The CISO role has gone through an evolution from more tech-oriented to business-oriented, and this is happening for a reason. From my point of view, a technical background is still extremely important because our companies are increasingly reliant on technology. It’s imperative that CISOs have strong leadership and business experience and operate at the C-level so that they can drive meaningful change within their organizations.

Philip Martin (Coinbase): The best CISOs today are certainly the technologists with the ability to leverage that knowledge and love for technology to be able to find the right questions to ask. My technical knowledge influenced me to ask the right questions.

ICON (Israel Collaboration Network) is a non-profit organization based in Silicon Valley and Israel. ICON is an entryway to Silicon Valley, a place where Israeli founders can get connected, get support from others, and find mentorship.