In my latest interview, we take a change of direction, talking to one of the leading service providers for the FinTech industry - Entersoft Security. I spent an hour with the CEO, Mohan Gandhi, last week to discuss cyber security, white-hat hacking and how to hire in one of the most technical areas of development.
Matthew Parker (MP): So why did you start Entersoft, why did you feel it was necessary and what is your differentiator?
Mohan Gandhi (MG): We started with a simple objective to be a cyber security company, providing security for anything digital that needs protection. But more than that, we wanted to build a cyber security company where hackers can come and do actual hacking for the greater good. We had observed that, when working in security for corporates and governments, hackers can sometimes get stuck not using their skills and end up fading away. So we created an environment where they can really reach their full potential and keep hacking! But we have moved so far beyond that, so now we work as white-hat hackers - you tell us about the most important parts of your business, the core competencies, and then we hack into those to test their strengths. You pay us only when we are able to break through and hack into your application. This formed the base for Entersoft.
While we were doing this, we saw that the applications and the websites were generally the core competencies, and their business would go down if the website went down. The data is also one of the things they want to protect, and often it is stored in the apps. Naturally, app security became a big focus for us. Typically people use a lot of audit tools and scanners, but the biggest problem is that most businesses don’t have the capabilities to fix the bugs, or it takes a long time. Ultimately, it comes down to the DevOps competency of the businesses. So, we started to help people fix those bugs and fix them fast. We don’t just stop at audits and scans; we go end-to-end with app security.
Ultimately we want to make clients self-sufficient when it comes to dev-ops and security. Over the past 3 or 4 years we have served over 300 customers, and we are currently working with 87 businesses. Around 60% of them are start-ups, and the other 40% would be enterprises and banks.
MP: Why did you pick FinTech and Internet of Things (IoT) as target verticals?
MG: For us it was pretty clear: the growth of these sectors combined with the complexity of the security and the impact when it goes wrong. FinTech has been targeted for a long time as companies are holding money and there could be a valuable reward for hackers. FinTechs represent a really big challenge for hackers as they are built on things like blockchain and are very secure, and the returns are very high, but also the impact on the ecosystem is very high. Businesses can close down if there is a security breach, which could have a big snowball effect. We also love working with businesses that are forward thinking and innovative and are open to our approach and ideas. We can work really closely with them to embed security into their business, which is more interesting than hacking and auditing security for a bank.
IoT has been targeted a lot by hackers, and security is a massive component as one part that is down can affect everything. You are thinking on a gateway and cloud level and everything is connected. You have to consider IoT security from many different angles. These are two of the most challenging verticals and have both been big targets for hackers for a very long time.
MP: What do you think are some of the biggest challenges for FinTech businesses with regard to security?
MG: We have worked with more than 40 FinTechs now, and the biggest challenge most of them face is scaling up. Typically there are only a handful of developers or product people in the business, and they are thinking of the cost of security whilst trying to drive down spending. But the biggest gap is that it’s difficult to scale up engineering. You don’t have a proper dev-ops process or security when you set up the company, which has a big negative impact on their growth as there is no security process. We recently audited an AI chatbot that responds like a virtual assistant. They’re a brilliant and smart team with some good developers, and they’ve signed up a few banks and need to scale up. But they had to scale up their security, support and engineering team all at the same time. They also didn’t have a proper dev-ops process, and they had to rethink what they were doing, which took a long time to deliver to customers. FinTechs should be thinking about the backend earlier.
The other challenge is compliance when they need to integrate with Financial Services businesses. Most FinTech businesses that need to work with banks are given a huge security checklist. But they don’t necessarily have the capability to do this internally, so we are brought in. It takes a fairly long time to get to this level of security and the banks are asking for quite a lot, most of which is around the security of the data. Most FinTechs find this quite a challenging and drawn-out process to get to the right level of security compliance.
MP: How do clients assess whether they need Entersoft’s help?
MG: It’s difficult for businesses to assess whether they need our help... From my perspective they need it all the time, right from the start. The trend we’re seeing is that when they have small breaches or they have had someone hack them, we get brought in. But the best time to think about security is at the beginning when you’re building the application. Being proactive will reduce the cost massively and create a great process around dev-ops and security. If you’ve already developed the product you can still implement some great dev-ops, but it’s slightly more difficult.
MP: What are some of the biggest challenges in growing a cyber security business?
MG: The biggest challenge has always been talent, and the talent that fits in our culture. We are people who have very organised but very unbalanced lifestyles. We’re a team of hackers! It’s quite demanding when we have clients on. There’s a lot of pressure on us if we don’t do our job right, as this has a big impact on businesses and could result in real loss. We don’t want to grow for the sake of it and affect this culture, but we also have to hire and grow. That being said, no hacker has left us in the last 2 years. You get a lot of exposure to lots of different businesses to hack and it’s a very diverse role. There’s also a big education piece which we’ve been trying to do, moving businesses from thinking that security is a cost or afterthought or luxury. Alongside this is making sure that once we’ve done the education, they understand the long-term view of security that is across the entire business, versus just one advocate that could leave.
MP: How do you hire for a cyber security business? What’s the biggest thing you look for when hiring?
MG: So firstly, they need to be good hackers, but typically this is quite hard to find. Most applications we get are not from start-ups; they’re from people who worked in enterprise. These people are normally good at scanning and auditing etc., but they don’t fit our culture. If you interview maybe 100, you will find one person who fits in.
One thing we do is hire young talent with a lot of curiosity who think everything is insecure. We call them noobs! They need to have the core characteristics and want to learn, but they don’t need to have all the skills. We then shape this talent over the next 2 or 3 years to make them into really good hackers. We’ve been training hackers for years and have become really good at it. We train at least 20 people in a month and then take in about 2 or 3 people. The rest always have a core understanding of the code and all of this. Unfortunately this is a really time-intensive way to hire and people take a long time to grow, so it’s difficult to balance between training and putting hackers on active projects.
Our interview process is quite intense too. We typically have a phone interview to assess the technical expertise, then set people a 4-12 hour project. This will be something like giving them an application from our business or from one of our team members and making them hack us. Some people are successful and they are hired immediately. This helps us to hire talent that thinks differently from people who are already in the business. It takes time to hack a business that has already been secured by hackers.
MP: How do you find operating your business out of Brisbane and India? Are you able to attract the right talent?
MG: Currently we have a team of 3 in Brisbane plus our MD, but our biggest team sits in India with myself and 11 hackers. We also have a sales office in Singapore. We have tried setting up a training division in Australia; the communication skills are great, but the technical skills are not as strong in comparison to some of the people we have in India, whose comms skills aren’t as good. It’s always a balancing act. Creating a global culture is a big challenge. We have been slow in the way we grow our team, but we have grown aggressively in the way we grow our customers, and so use our time more effectively.
As a final word - the community has to know that security is an investment. You can’t look at it as a cost later on, because it will cost you more, but if you invest in it early you will save heaps of money.