The third of Clarke's three laws says “Any sufficiently advanced technology is indistinguishable from magic”. Security is one of those advanced technologies. When it works, it works, and to the beneficiary, it could feel a bit like magic. The invisibility of security obfuscates the sophistication and rigor that go on behind the scenes to make everything secure.
In this conversation, Jeff Hudesman, Pinwheel’s Chief Information Security Officer, goes behind the scenes of Pinwheel’s security posture, painting a very visible picture of how we prioritize security.
Q: Jeff, please walk us through your background and how you first got involved in information security?
A: Well, I’ve been in security for about 15 years now. I’ve always been the kind of person that needs to be constantly learning new things and security is an area where new things are developing all the time. There are new technologies, new vulnerabilities and new exploits. All new technologies and products have their own security risks and characteristics that make them unique. These characteristics first attracted me to information security and I’ve never left. Over the last 15 years I’ve held global leadership positions at companies such as DailyPay, Sony and PR Newswire. I also advise several startups and nonprofits.
Q: So you’ve been Pinwheel’s CISO for about a year and a half now. What are the benefits of Pinwheel hiring a CISO so early on?
A: At Pinwheel, we decided that hiring a CISO very early on would be in our and our customer’s best interest. There are many benefits to having a CISO, especially at a fintech company that wants to build long-lasting solutions that truly benefit customers. We wanted to ensure security and compliance are a top consideration every step of the way. A few of the most significant benefits include improved security, risk management, reputation as well as enhanced compliance and better decision making.
Q: Can you elaborate a bit on the benefits and how it relates to Pinwheel and its customers?
- Improved security: A CISO is responsible for implementing and overseeing the organization's security strategy, which can help to improve the overall security posture of the organization.
- Enhanced compliance: A CISO can help an organization to meet regulatory requirements and standards, such as PCI DSS, by implementing appropriate security controls.
- Improved risk management: A CISO can help an organization to identify, assess, and manage risks to its technology systems and data, which can help to prevent costly security incidents and data breaches.
- Better decision making: A CISO can provide valuable insights and guidance to the organization's leadership team, helping them to make informed decisions about technology and security.
- Improved reputation: Having a CISO can demonstrate to customers, partners, and other stakeholders that the organization takes security seriously and is committed to protecting its technology systems and data. This can help to improve the organization's reputation and build trust with its stakeholders.
Q: I know a big focus of Pinwheel is to always ensure our customers' data is protected. How do we do this?
Protecting customer data is important for several reasons. First, it is important to protect customer data because it is sensitive and personal. This information can be used to identify individuals and can be misused if it falls into the wrong hands. Second, protecting customer data is important because it is the law. There are strict laws in place that require companies to protect the personal information of their customers. Finally, protecting customer data is important for a company's reputation. If a company fails to protect its customers' data, it can damage its reputation and customers may lose trust in the company. There are several measures that we take to protect our customer’s data. Some of these include:
- 100% on-shore development: We reduce risk exposure by keeping sensitive user data only in the United States.
- Build using the latest cloud technologies: We use modern cloud technologies to host the Pinwheel API. By using cloud infrastructure, we’re able to leverage advanced security mechanisms to better protect data.
- Enforcing multi-factor authentication: This requires users to provide multiple forms of authentication to access their accounts.
- Securing the supply chain: We automatically analyze all open-source packages and their dependencies for supply chain risk. This enables our team to act and defend our software supply chain from malicious actors.
- Encrypting data: We help keep your data safe and private with bank-level encryption protocols like the Advanced Encryption Standard (AES 256) and Transport Layer Security (TLS).
- 24/7 monitoring: Our systems are monitored 24/7 to respond to and resolve any potential issues.
- Independent security testing: Pinwheel’s API and security controls are regularly audited by industry-leading security testers.
- Providing security training: Providing regular security training to employees helps raise awareness of security best practices and reduces the likelihood of security incidents.
- Conducting regular security assessments: Regular security assessments help an organization to identify and address potential security vulnerabilities.
- Check out our Information Security Overview here for more information on how Pinwheel addresses information security.
Q: What does the future hold for security and privacy?
A: There are several emerging trends that are likely to shape the field in the coming years. The first trend I’m seeing is increased use of artificial intelligence and machine learning. As these technologies become more advanced, they are likely to be used more widely to help detect and prevent security threats. The next is an even greater emphasis on privacy. As concerns about the collection and use of personal data continue to grow, there is likely to be an increased focus on privacy and the protection of personal information. More stringent regulations is another. Governments around the world are likely to continue to implement new regulations to protect the security and privacy of individuals and organizations. Supply chain risk will continue to soar. The continued surge in risk to the supply chain will force CISOs to reevaluate their vetting of partners and update risk management practices. Lastly, human error continues to be a top-tier threat. Social engineering and phishing continue to be top threat vectors for malicious actors. Accidental data leaks and misconfigurations will only grow as cloud complexity increases.
Q: Pinwheel has earned a number of certifications including its status as a CRA and the highest marks on the latest Security Scorecard. We’ve also earned SOC 2 Type 2 and ISO 27001 certifications. Why are these certifications so important?
First off, being a CRA allows Pinwheel to provide consumer-permissioned income and employment data to our clients while ensuring that consumers have protections available under the Fair Credit Reporting Act. We wanted to be a CRA because our clients are regulated lenders, and want to respect the laws of lending. We were the first provider in the industry to earn CRA status and have always acted in the best interest of our customers.
As for the next certifications, SOC 2 and ISO 27001 are both industry-recognized standards that provide organizations with a framework for implementing effective controls to protect their technology systems and data. SOC 2 certification is specifically focused on security, availability, processing integrity, confidentiality, and privacy, while ISO 27001 certification focuses on information security management.
Obtaining SOC 2 and ISO 27001 certification can be beneficial for organizations in several ways. These certifications can help to demonstrate to customers, partners, and other stakeholders that the organization takes security seriously and has implemented appropriate controls to protect its systems and data. This can help to build trust and improve the organization's reputation.
Additionally, SOC 2 and ISO 27001 certification can help organizations to comply with industry regulations and standards, such as PCI DSS, which require organizations to implement certain security controls. This can help to avoid costly fines and penalties.
Overall, obtaining SOC 2 and ISO 27001 certification can provide organizations with a number of benefits, including improved security, enhanced compliance, and improved reputation.
Get in touch with us to learn more about how Pinwheel is committed to information security and helps banks become their customers' primary financial institution.