TL/DR: We created an open source security standard to help cloud native companies be “security fit” for Financial Services. Companies can use it to establish an information security baseline and work towards an industry certification as they grow.

Over the last couple of years, Tapico has been working closely with both startups and incumbent financial institutions to open and expand the financial services ecosystem. A consistent theme we’ve found is that startups aren’t clear on what the best approach to take is when implementing their information security capabilities. 

A big reason for this that the sheer volume of information in this space is overwhelming. There are plenty of industry frameworks to use and certifications to obtain (ISO 27001, Cloud Security Alliance CSM, SOC-II, NIST etc) but they are large, blunt instruments catered to the needs of large institutions with teams of people that manage compliance. 

Cloud native startups are smaller and more focussed operations that often don’t require the same style of governance that larger, more complex institutions do. They are able to achieve the same level of security using different methods, which is great from an operational perspective but this doesn’t synergise quickly with the existing industry frameworks and certifications. 

We believed that this was a solvable problem and given that we interact with reputable financial institutions, fintech startups and security companies on a regular basis, we were well placed to help. We put the word out to our network to find and collaborate with security professionals who were keen to help create a path forward. 

The result? A Tapico collaboration with FNZ, a global wealth management platform, and Occamsec, a highly respected global cybersecurity firm, to create an open source security standard that any cloud native company can use when creating their information security capability – The Information Security Guardrails.

The Guardrails are a guiding set of principles and associated requirements designed to help companies understand which controls are important to have, and why they are important. This will help companies focus resources on high impact tasks, to get the best value out of them.  

If you plan to either court business from larger, established institutions and/or obtain approvals from industry regulators, you’ll need to galvanise your information security capability as soon as possible. 

Use the Guardrails to implement high value controls and create a security framework you can evidence on a regular basis. When your company is ready, the Guardrails also form a core subset of what you’ll need in the future to meet/obtain those security industry frameworks/certifications we mentioned earlier. 

Think of them as your personal security sherpa, guiding you up the information security mountain. Download the PDF below.