Hello there, I’m Maxime and I’m the Chief Information Security Officer (CISO) here at Personal Capital, responsible for everything cybersecurity at our company. Security is serious business to Personal Capital. More than two million people use our financial tools for free to help transform their financial lives. We also manage more than $9.5 billion in assets for over 20,000 wealth management clients.
Partnering with the crowd
Being a CISO is not an easy job. Much like other executive roles, you often find yourself balancing competing priorities and doing so with fewer financial resources than you’d like. But for a CISO, you’re not just thinking about risks a couple times a day, your job is all about risk — specifically, mitigating it.
One of the first things I did when I joined Personal Capital was to build our expertise, not only with our internal team, but also our security partner ecosystem so that we could tap into external resources for extra bandwidth and creativity.
Given the enthusiasm around, and maturity of, crowdsourcing platforms now available in the market, it was a natural step for us to begin engaging with Bugcrowd to create our private bounty program. This has allowed us to give great security researchers an opportunity to poke at our platform and suggest areas for improvement. Over the years, we’ve been the beneficiary of useful insight from the security researcher community that has helped us continuously improve our security. As we continue to receive feedback from this active community of researchers, they are helping us solve for all the basics, as well as some pretty intricate, outlier cases that would never have been found by any scanning tool out there. Because we’re a cloud-first company, providing a clone environment (minus any sensitive data, like customer information) has been fairly easy for us, and it allows the most liberty to researchers as there isn’t anything bad to break.
One of our core values here at Personal Capital is: We get behind being upfront. This resonates with us really crisply when it comes to security. The way we see it, there is no value in security through obscurity. If there is anything that can be improved, we want to hear about it so we can fix it.
Providing a path for the new generation
Nowadays, the only “next-gen” thing that I’m interested in is the next group of young security enthusiasts working to grow their security skills and careers so they can take our place as the next leaders. In the early days, learning security in an ethical and safe way was quite complicated. There was no available academic curriculum and you were left searching online for text files published by odd groups worshiping deceased mammals. It was also quite hazardous to report a security issue to companies, where you probably faced a 50/50 chance of being thanked or sued.
By making our platform available to the bug bounty ecosystem and encouraging ethical enthusiasts to try to hack it, we believe that we’re helping create that safe path for the next generation to build their skills and further their careers without legal threats hanging over their heads. That’s why we’ve also adhered to the Bugcrowd safe harbor initiative. If you are conducting good-faith security research and work with us to responsibly disclose issues, we are not going to threaten or sue.
Helping us transform financial lives
With the core Personal Capital experience being free, we’re having a real impact transforming people’s financial lives. Together with the help of the community, we can work to make our platform, which protects everyone’s financial data, as hardened as can be. Are you ready to join in and help us? Head over to our Bugcrowd program page here.