For this month’s 'meet the team' interview, we spoke with Sheetal Joseph, who is the Chief Information Security Officer (CISO) of Finoa and one of the key leaders in the team. Her work impacts departments across the organization and is crucial to ensuring that security is built into our products from the outset.

Read on to learn about Sheetal’s career journey and hear her thoughts about the specifics of security for crypto companies, and why she chose to take the leap into this industry.

Introduction

Hi and welcome. Please take a moment to introduce yourself, the work you do at Finoa, and the team you are building.

Hello, I am Sheetal. I started my career as a Linux system administrator, and that’s when I began my tryst with security. It’s been a long journey of almost 20 years, and I have worked in various roles both in security engineering and in compliance.

I currently take the role of Chief Information Security Officer at Finoa, working in the risk and compliance department. The CISO team acts as the second line of defense and works with all departments, from Tech to Customer Support, to ensure security compliance with the requirements of the Federal Financial Supervisory Authority (BaFin), MaRisk, KWG, and EU-GDPR.

We also work with corporate stakeholders, like the legal, risk, and compliance teams, to understand the applicability of all of these federal and state laws and BaFin regulations and create the right framework to be able to abide by all of what the authorities are requesting from us.

Why information security?

What initially attracted you to security as a domain of information science?

As part of my first job as a Linux system administrator, I was facing numerous attacks from hackers on my web servers, and I really had a tough time trying to figure out how to secure my systems. And that is what attracted me to this domain. I really wanted to make sure I didn’t have to stay up all night or work overnight because some attack had happened on my server.

Then, I started to work and learned a lot about how to secure servers. And the more I read, the more I got interested in it. As I was working in consulting firms, I got to learn almost every aspect of what you need to do if you want to survive in security consultancy, from penetration testing to ISO 27001 compliance, and everything in between.

The security challenges of crypto-native products

Before joining Finoa, you spent many years at various tech companies in digital identity and business banking. Can you tell us about some of the specific challenges that crypto companies have in building their security infrastructure as opposed to most tech companies?

Honestly, the fundamentals of Information Security remain the same. There are many important factors to be mindful of when working towards security. For example, creating products with built-in security, securing your technology infrastructure and supply chain, and raising awareness about security and grafting it into the company culture, to name just a few.

The difference for crypto companies is that the amount of financial value locked in crypto makes it a lucrative target for hackers, hence the associated risk with crypto companies is extremely high. That’s why the security strategy, measures, and controls need to be very well thought-out and a lot stricter than in other industries.

Security is like a risk assessment. We have to understand the risk that we can take, and we apply measures commensurate with that risk. In crypto companies, we don’t take as many risks as you would take in other companies. Here, you have very tight controls, and shipping a new product would take way longer compared to a typical tech company, because there will be a lot of security checks from the ideation phase to the architecture phase, to ensure security requirements are built into the product. We basically build security into our product, we do not allow for even a small margin of risk. And the benefit, from a security perspective, is that I get to work in a company that takes security very seriously — which makes me enjoy doing it.

Why crypto?

What made you take the leap into the crypto industry?

Security is one of the central tenets of crypto, as the name even suggests (crypto is an abbreviation for cryptography), and security is the license to operate in this industry.

The advent of the web3 crypto industry has taken the next leap and is becoming very user-focused, operating in a hybrid world of centralized and decentralized systems. This means that the classical security and compliance system of the centralized world either needs to be grafted on or adapted to web3 ecosystems.

Finoa gave me the unique opportunity to understand and become deeply immersed in the crypto world, as well as the possibility to apply my skillsets to the web3 domain. Working as a CISO at a crypto company is a very special position for me.

Then, I spent a lot of time in the security industry, almost two decades, and I faced all kinds of challenges, securing all sorts of companies and platforms, but crypto was something that I had not been into. And it looks like the future really belongs to web3 and crypto, so I really wanted to be in this space, and I’m very happy that Finoa has given me the unique opportunity to get into this world and to use my skills to ensure security all-round.

Sheetal's security tip

What’s the most useful security tip you ever got from someone?

Security is basically the business of understanding risks and acting against them. The most useful security tip I’ve ever gotten from someone is to write down the security risks and get a sign-off from a managing director before the risk is accepted by people who do not understand its impact on the company.

This ensures there is a discussion about the severity of the risk at hand and how we must act to mitigate the risk. It also helps with creating a record of accepted actions against each risk, which the management board is accountable for. And the reason is that security risks and the decisions to take those risks come from the managing board, and not from anyone lower down. So it has to be passed by the management board, and it needs a sign-off by a managing director. Ever since I followed that advice, I do see that people take the security risks we see more seriously, rather than just passing them off.