Translating the Value of InfoSec with Masha Demidova

Published in InsideN26, Apr 29, 2020

Our customers trust us with their money and data, making every employee at N26 responsible for security. An informed and vigilant user is a key defense.

But even internally, different functions define “security” as it is most relevant to them. In short, security is a mechanism that protects something from a threat and exploit. The level of protection would depend on the perceived value of said thing, differing from company to company and even from team to team.

In this employee profile, we chat with Sr. Information Risk Manager in New York, Masha Demidova. Right now Masha, like many of us, is learning the ups and downs of working from home. Outside of work, she is using her free time to make candles and take part in online yoga sessions with her girlfriends. Masha shares her tech journey to N26 and the importance of creating a shared value of information security across numerous cross-functional teams.

What has been your journey in tech so far?

I started my career in Data Privacy and Information Security while still in college, working as an Information Security Analyst for the Mayor’s Office of Vladivostok in Russia, where I am from originally. From FinTech to FoodTech with a quick stint in AI and now back to FinTech, I’ve always had operational exposure to InfoSec. Since 4 years ago, I’ve come full circle and have been fully dedicating my professional time to information security and data privacy.

What are some of the challenges you faced in your role?

Creating a shared definition of the work that needs to be done is a big one. For example, from an engineering perspective, an unlocked screen of the company’s accountant with the P&L balance on public display might not pose an economic exposure threat via social engineering. From the accountant’s perspective, the lack of a consent box on the company’s website is not a big compliance issue that may result in a substantial profit loss. #facebookbipalawsuit. From Legal’s perspective, allowing clients to pen test internal systems on a whim is acceptable. Driven by internal sales KPIs, the Legal team might not even realise that the way the Product team operates from here on just changed, which, subsequently, will change the end product of the company itself.

It is on the Information Security and Risk function to put in place relevant protective mechanisms to ensure confidentiality, integrity, and availability of services, and help internal organisations to understand the impact of their actions or inactions on the rest of the organisation.

The most difficult part of my job is not analysing the organisation from a security perspective (ex: BIA), identifying opportunities for improvement (Gap Analysis), or even communicating the diagnosis and starting the treatment (IT controls). The difficult part is translating the value of InfoSec.

Security is not static and is not cheap but it is an enabler for a business, not a blocker. So, in my experience, it is often with the example by the Senior Leadership that the rest of the company views the security function as necessary.

N26 has a strong security organisation led by experienced global leadership. Travis Carelock, Global CISO at N26, for example, brings experience from places like Black Hat, and the State of Louisiana Department of Justice. Flamur Abdyli, the Global Information Risk Management Lead, comes with 10+ years of experience in the banking sector. Nic Kopp, the CEO of N26 Inc., was the first person to ask me: “How can I help to enable your function further?” when I joined the company.

N26 runs a Bug Bounty program offering rewards to security researchers able to identify and notify us about bugs and vulnerabilities. These are the examples of organizational and leadership maturity rooted in a genuine desire to succeed as a product while showing utter dedication to our customers — ensuring our customers’ data is secure and remains protected.

What’s the last thing you really geeked out about?

Siamese connection standpipes. They each have a personality and look a bit different in each city/country. You can read more about them in this article by the New York Times.

Follow us on LinkedIn, Instagram and Twitter to keep in touch with us and learn more about Life at N26!
