Information security has always been central to LAB Group’s mission to standardise customer engagement with financial services. Now, as part of our continued commitment to the protection of customer data, we are proud to announce that we have received the Information Security Management System Certification.
It is a significant milestone in our corporate growth journey, highlighting the robust framework we have created over our eight years in the SaaS FinTech market. As I look back over our experiences, I want to share some of my key learnings with you.
Maintaining your business model with feasible customer acquisition
The FinTech sector is, to some extent, in conflict. On the one hand financial institutions want to work with innovative startups and use their nimble, lean and disruptive approach. On the other hand, they must adhere to the increasingly rigorous procurement and due diligence processes of the information security reviews. These reviews rightly insist on high standards, raising the bar to entry and slowing the adoption of startup solutions by financial institutions.
The result is an increase in Customer Acquisition Cost (CAC) and, potentially, the risk mitigation required by the customer such as insisting on an internally hosted solution could blow the FinTech’s business model out of the water. One tempting option for the FinTech company is to sell a controlling stake in their business to a corporation so the technology can be owned, controlled and hosted within the corporation’s environment. Although this solution bypasses the difficulties posed by the information security reviews, it’s not necessarily a great outcome for innovation and competition.
A FinTech can have the most innovative technology solution in the world, but without the required security frameworks and associated softer skills, financial institutions simply can’t do business with them.
At LAB Group we use tools to make the information security review process efficient for all stakeholders. With minimal administrative effort, our documentation sits in a technology framework which is shared easily with reviewers. The result is that we keep the CAC as low as possible while giving prospects the assurances they need to work with us.
Taking responsibility for the framework
It’s essential for employees to understand the practicalities of the business and the scope of how technology and risk have an impact in the real world. Skills such as:
- Lateral thinking
- Asking the hard questions
- Pursuing a difficult point
- Attention to detail
- Producing accurate documentation
In essence, you need efficient project managers to oversee the process of implementing an information security framework.
Cultural change begins at the top
Information security should be ingrained in the culture of organisations; it needs to be at the centre of every technical, operational and other relevant business decision. Rather than reporting the issues to the board of your SaaS company, executive management needs to be the driving force behind the implementation and management of an information security framework. It should not be up to the individual to explain why a business storing sensitive information should make security a priority.
‘Passing’ vs improving and delivering efficiency gains
‘Passing’ an audit or certification is the result of a well-run organisation. But rather than a ‘tick the box’ exercise, the experience is an opportunity to take a step back and review each function of the business. The result is a robust process of consolidation and improved procedures.
Scalability is an important point to remember when deciding how to manage procedures. For example, Jira is seen predominantly as a developer’s tool; however, we have found its support applications for operational processes extremely powerful and scalable.
At LAB Group we came out of the ISO 27001 project more efficient, scalable and robust. As a FinTech company, we want to be a competitive and innovative place to work where our people can focus on technology, product, delivery and support. We don’t want to use our people for mitigating risk through a manual process, so we endeavour to automate where possible through alternative approaches and implementation of scale.
Top of mind for future growth
Expanding into overseas markets or changing the product scope means adding further layers of complexity to a business. By ingraining information security management into the organisation’s processes, your company will be ahead of the game when it comes to passing the next audit, leaving your people the space needed to concentrate on the future growth of your business.
Click here to download a copy of our certificate.