Fintech Fridays EP52: Technology Due Diligence Process and Cyber Security Risks

NCFA Canada | May 21, 2021

EP52: Technology Due Diligence Process and Cyber Security Risks

Featured Guests:

1. FARSHAD ABASI, Founder and CSO, Forward Security Inc.

2. DANIEL LEE, Managing Director, Technology & Innovation, Mid-market Investment Banking, CIBC

3. MICHAEL CASTRO, Founder and Risk Executive, RiskAware Group

About Forward Security Inc.

“At FWDSEC (Forward Security) we are all about doing application, cloud, and information security better. Our team tackles security using a systematic approach, leveraging standards-based and repeatable processes. We are incredibly passionate about delivering the best security solutions, and are driven to help our clients achieve the highest level of security to enable business growth."

For more information, please visit our website:  https://forwardsecurity.com/

About this Episode:

On this episode of the Fintech Fridays Podcast our host, Manseeb Khan, is joined by Daniel Lee, Managing Director, Technology & Innovation, Mid-market at CIBC; Farshad Abasi, the Founder and CSO of Forward Security Inc.; and Michael Castro, the CEO of RiskAware Group. They chat about why you should make sure your company is secure from Day 1 and how you go from secure to sale. Enjoy!

Fintech Friday Transcript of Episode 52

Technology Due Diligence Process and Cyber Security Risks

Intro: Welcome to Fintech Fridays, a weekly podcast brought to you by the National Crowdfunding and Fintech Association of Canada and partners, covering all things fintech, blockchain, AI and alternative finance.

Manseeb Khan: [00:00:00] Hey everybody, Manseeb Khan here. Thank you for tuning in to another fantastical episode of the Fintech Friday podcast. Hopefully you're having a phenomenal Friday. So today is probably a bit of a bucket list episode, meaning that I have three guests at the same time. I was going to let everybody introduce themselves and give us a little bit of what you guys do.

Daniel Lee: [00:00:27] It sounds good.
Farshad Abasi: [00:00:28] I'll go first. Farshad Abasi, I'm the founder and chief security officer at Forward Security. I've been in the IT industry, you could say, for over twenty-five years. Half of that time has been spent in the world of software development and building systems, and the other half has been in securing those systems. And that's what it is for me. There's a lot more to say, but we'll get to that later.

Daniel Lee: [00:00:49] I am Daniel Lee. I am a managing director at CIBC, where I advise technology companies, mostly software companies, on things like mergers and acquisitions, stage capital raises and recapitalizations.

Michael Castro: [00:01:04]  Michael Castro, founder and CEO of Risk Aware, which is a cybersecurity firm. Twenty-three years in cybersecurity, most of those in the enterprise space, and loving every minute of my cybersecurity life.
Manseeb Khan: [00:01:20] Give us a little rundown of how you got started initially in security and what pulls you to security. Why is it so interesting to you guys?

Farshad Abasi: [00:01:28] I'll go first again.

Manseeb Khan: [00:01:29]  It's a free for all. And anybody want everybody?
Farshad Abasi: [00:01:37] Yeah. For me, it was sort of a natural thing that happened as I was working and building systems, and software that I built was hacked. One of my first experiences was as a fairly new software developer. Back in the late 90s, I was responsible for building an e-commerce platform for a fairly large e-commerce retailer in western Canada. And it was all my code and my team's code. And we got hacked and, you know, tens of thousands of credit cards were exposed, and it was just not a good situation. So that was an eye-opener for me to learn more about security as a developer. And then as my career progressed through other companies that I worked at, Intel, Motorola, and other large organizations, for some reason it said "security" on my forehead. So as a developer, they kept assigning me to development projects that had a security angle. So I found over my development career that I kept gravitating towards the security problem. And I learned a lot, because the systems that I built had security flaws. And so by gaining that first-hand experience, I accumulated a lot of knowledge in that domain. And then an opportunity came up in security at a local institution in British Columbia called the British Columbia Institute of Technology, or BCIT. That was around 2002. So, you know, I started just teaching the stuff that I knew. And by 2008, I was just really enjoying that. So I pivoted into a full-time security role at HSBC Global, and they were putting together a security team that focused on the software problem rather than the general security teams that the bank already had, which dealt with infrastructure and policy and other domains. And it was a great opportunity for me to get involved with that. And we built a global team that focused on application security across their different lines of business and delivering consistent services. And so I ended up in that world and never looked back. And from there, I know it's been security full time all day long.

Manseeb Khan: [00:03:32] That's incredible. I mean, no better motivation than getting burned.

Farshad Abasi: [00:03:39] Not an experience I would want to repeat, but I learnt a lot from it.

Manseeb Khan: [00:03:44] Painful lessons are definitely the ones you learn from the most. God, I hate them, but I love them at the same time.

Michael Castro: [00:03:52] So my start wasn't as exciting. I learned about cybersecurity when I was a teenager and had been introduced to it, and I thought that's a pretty cool gig, but hadn't gotten into it. And I was working in IT for a finance company, a traditional finance company, and was having a great conversation with our database administrators, who were showing me this wonderful database holding all the information about all the clients of this organization and their assets, and how easy it was to manipulate the data in this database that reflected upon their customers. And I kind of brought it to my boss and said, you know, you really need some security in this organization, because it's not that we don't trust people, but it seems really easy that your information could be manipulated and changed. And they kind of nodded their heads and said, hey, maybe that's a job you want to do. And a star was born. So it kind of went from that. I've, you know, gone through many different iterations and different roles. And I've been in cybersecurity for well over twenty years full time, just like Farshad, and while I didn't have the breach up front, I, like many people, have survived and kind of have the scars to show for many of the attacks and the breaches that have happened over that time. But as I mentioned already, no regrets, but an exciting journey nevertheless.

Manseeb Khan: [00:05:12] Still, I mean, probably not as intense as Farshad's, but nonetheless, you've still battled. I mean, you survived. You have the scars to prove it, so that in itself is incredible.

Daniel Lee: [00:05:24] Sure. So I don't have nearly as extensive a background in cybersecurity as either Farshad or Michael. Quite honestly, I know very little about cybersecurity. However, I do have an interest in it because, as part of my role, which is advising companies on selling their businesses or raising growth equity from private equity firms or equity investors, cybersecurity and technical diligence is always an aspect of the process. And if you don't have a decent familiarisation around it, then you could run the risk of a failed transaction.

Manseeb Khan: [00:06:02] That's actually a great way to segue into this next question. Could you just tell us a little bit more about the due diligence process and, I guess, the related risks?

Daniel Lee: [00:06:12] Sure. Absolutely. So there are a couple of phases of due diligence, and I'll just use an M&A process. So you're a VC, or you're the CEO of a technology business. Say it's a software business. For the purposes of this example, you're looking to sell the company. Well, there are a few phases. You'd hire somebody like me, an investment banker, and I'd help you. You can almost think of me as a real estate agent and a stager at the same time. Right. So I put your business up for sale. I reach out to the buyers and I help you stage your home, and in the process of doing so I'll bring in other experts to assist with certain areas. So, you know, the first level of due diligence any buyer's going to do is very high level. Right. It's, you know, I like the business, I like the financials, I like the management team. Does it fit within my strategy? So let's tick box number one. And once they tick that box, after the first bid, you get a bunch of first-round bids, a handful of them. The second-round bids get a deeper dive. They get a deeper look at the business. They spend more time with the key personnel. And then ultimately what you're doing is you're driving to the LOI (letter of intent). Once you get to the LOI stage, there's really only a handful of things that could go wrong between LOI and closing, and these are confirmatory. So you can think of this as almost like a house inspection, in the parlance of real estate. So what is confirmatory? Well, there's legal diligence. You know, are there any big outstanding lawsuits that a buyer should be aware of? Accounting diligence. Right. So, you know, are the books being cooked? Customer diligence. Right. So just getting a feel for your customers. And then the last piece, really, is last but not least, the technology and cybersecurity. Right. So these are the four things that could go wrong in confirmatory, post-LOI. Right. And so you want to make sure that you've addressed each of these things before you enter that sort of process.

Manseeb Khan: [00:08:19] You want to make sure, in baseball terms, you want to have all your bases covered before getting into anything. Right. So that's great. What makes a company attractive? I guess to open that up to Farshad and Michael: what makes a company attractive from a security point of view? Both of you guys have tons of security experience. You guys can definitely see holes in companies that we might not see.

Farshad Abasi: [00:08:39] What makes a company attractive from a security perspective, from an, I guess, if you want to position your company so that it is attractive to the buyers. They're going to be looking to make sure that you're not going to have problems like technical debt. They don't want that. They don't want any ticking time bombs that they buy. There was the Vancouver company, networks, that, you know, got purchased by PayPal, I believe, and they bought that. They bought the technical debt. They bought the vulnerability that they didn't know about. That's something that the buyers have become really conscious of and they're paying extra attention to. So if you're a seller, you want to make sure that you position yourself in such a way that you can provide the right documentation, because in due diligence, you know, there's often a short period of time where they're going through that exercise with a team. So the more prepared you are, the better you'll position yourself for being sold, by having all your security controls documented and everything prepared beforehand that would facilitate and ease that process.

Michael Castro: [00:09:32] You know, I'd add to that, you know, the part about having all that in advance is what the buyer really, I think, wants to see. If you're a seller and you're fussing and you don't have it readily available, you know, I'm sure that's an indication that you probably haven't really looked at where security is in the organization and are really not prepared. And, you know, as Daniel said, I can imagine there are a lot of buyers that are wary of an organization. And we've seen some really big cases. You know, I always use the example of Marriott Hotels when they acquired SPG and didn't realize that there was a huge breach behind the scenes. And when the deal closed, only then was it disclosed that there was a big security breach, that Marriott then kind of took ownership of. So being prepared is definitely a bonus.

Farshad Abasi: [00:10:30] And these days, a lot of the clients we work with, particularly some of the startups, are putting a lot of emphasis on that. Right. We've worked with them particularly to build security in from the beginning, because they know that they're building the startup to sell it. Right now, of course, I'm building this fintech and my goal is to do that. So by engaging security right from the beginning, we lay out the right foundations, both through governance and policy as well as what's required in terms of the foundations in the application. And then when it comes time to promote that, it's easy. They've got everything documented. They can show that to the particular buyers, and it makes quite a bit of difference.

Manseeb Khan: [00:11:02] Yeah. And it makes the runway a lot easier, because typically, in startups, especially in the fintech space, especially the tech space that we're in, the technology that you kind of walk in with is not the technology that you live with when you sell it. There's a lot of iterations, a lot of adaptations, especially moving into cloud computing. And you need a lot of data. You need a lot of documentation. And having documentation from the start makes your job so much easier. Right. For both of you guys, what would be the main security concerns? And what are some top concerns from, I guess, the perspectives of customers and clients?

Farshad Abasi: [00:11:35] The main concern these days, you know, has been the supply chain and third parties, and the vulnerabilities that you inherit through that. Right. That would be one of the biggest concerns. And for that, I would recommend that they have some sort of a vulnerability management program, or are aware of what they're inheriting by using the third party. That can come in different shapes and forms. A lot of applications these days either include components that are built by another party, or they ingest data that's coming from a third party. Both can be attack vectors. So organizations should pay careful attention in terms of where that stuff is coming from. Have they assessed that third party that they're working with? Has that third party assessed their own security? And what are the risks from that type of engagement?

Michael Castro: [00:12:18] Yeah, I would add to that, we're seeing so many attacks now that are not the traditional attacks we used to see through the front door. Right. So much now, along with the third-party and vendor risk, is on the email front. And I don't think we go through a day now without hearing about another ransomware attack, and another case of this. You know, last week it was the pipelines. I think this week we're hearing more stories in various places. And, you know, it's all about grabbing something of value. And one of the sayings now is, you know, the hackers aren't breaking in, they're logging in, and that's how they're really kind of attacking organizations and stealing. And, you know, that is the big threat for a lot of the customers and clients that I'm seeing. And I think Farshad sees that as well, where they're really not realizing where their gaps are and they're really not prepared in terms of what to expect when these threat actors come upon them.

Manseeb Khan: [00:13:16] You want to be protecting the information that you currently have. You want to make sure that, since everything is getting shared, right, we're moving into an age of digital identity where sooner or later all your information is going to be on your phone, we want to be able to protect that, especially being the companies behind building this kind of technology. Right. If we want people to kind of move into more digital, to have more of a digital identity, if you can't protect that identity, then what the heck are we doing, right?

Michael Castro: [00:13:40] Oh, for sure. I think a lot of organizations just don't think it's fair. They don't think it's going to fall on them. They don't think that they're big enough or savvy enough or interesting enough. And you know, that's not the case. The attackers are going after everybody. And, you know, a lot of times they're not picky, and the times they are picky, you know, finance and fintech is something that's very alluring.

Manseeb Khan: [00:14:04] No, it makes it makes total sense. I mean, the Internet doesn't discriminate. It's like
Daniel Lee: [00:14:10]  And Crypto exchanges.
Daniel Lee: [00:14:25] And I don't know, maybe if you don't mind, I'll start with what a buyer is looking for. Sure. And then that might help sort of shape how a seller can.
Manseeb Khan: [00:14:37] Perfect. Let's do that.
Daniel Lee: [00:14:38] So, you know, what's a buyer looking for in technology? Well, effectively, they're looking to solve for sustainability and scalability. And how do they do that? It comes down to three things, and that's people, process and technology. So from a people perspective, the question they're going to be asking themselves is, how distributed is the knowledge? Is it all coming from a rock star developer? Because if it is, then the development just may not be sustainable. Right. So, is it distributed? Process: what's the development methodology? You know, will it scale? Right. Again, trying to solve for sustainability and scalability. And then technology, and sort of within that technology category, things that a buyer is going to double-click on are items like open source: do you have open source code? Do you have other security issues related to it? And, you know, are you potentially improperly using some of these open-source licenses? And then the last bit in technology would be, what is the tech stack? Right. And what is the tech stack you're using, and why did you make those decisions? These are things you want to be able to have prepped ahead of a process like this, because the last thing you want to do is provide poor quality answers that just sort of take everybody down a rabbit hole and don't get you to the result that you're supposed to be shooting for. And little, if anything,

Farshad Abasi: [00:16:15] Nothing to add, that was pretty much the same sentiment that I mentioned earlier. But, yeah, I agree with that totally.

Daniel Lee: [00:16:22] So there's also the bias factor. So, you know, if that's what the buyer is looking for, as a seller, how should you think about preparing ahead of a process? If you've got six months, you know, you think you're going to be in a process in the next six to 12 months, the first thing you really need to do is document everything. That's a mistake that I see with a lot of companies, no matter how mature they are: improper documentation. You know, always make sure you've got some sort of solutions document or topology document, and make sure you've got an open-source library, because all these things help you tell your story more effectively so that you're not put on the defensive as you go through the technical diligence process. Related to that, in terms of telling your story, you're going to want to find somebody on your team who can tell the technology story in a fairly compelling way. Right. You want a person who can address sort of the feature, function, architecture, and maybe have a really technical engineer sort of supplement that as questions arise. Yeah. You're going to want to know where your issues are before you've been asked about it. Right. So have somebody like Farshad do an independent review ahead of time. It could be, I mean, Farshad, I'm not sure what your rates are, but, you know, we're talking in the thousands here, I'm sure, which could save you billions in transaction value.

Farshad Abasi: [00:17:43] Exactly. I was just going to say, you know, it's peanuts compared to the millions. Yeah, exactly.

Daniel Lee: [00:17:48] Exactly. Because you've got millions on the line here. So have somebody take a look at your code and your development methodology. And, you know, it's similar to the way that we would have third-party accountants do a quality of earnings when we take a company out to market. And then, to the extent that a third party finds some issues, either fix them, and if you don't have enough time to fix them, at least show progress or have a plan on how you're going to fix things like shoddy code quality or technical debt.

Manseeb Khan: [00:18:18] You've got to make sure you have all bases covered. Make sure that there's a plan to make sure these things are going to get fixed. The first thing you want to have is, I did not know that was an issue.

Farshad Abasi: [00:18:28] Exactly.

Manseeb Khan: [00:18:29] No, I didn't surprise and see that. Oh, that hole there. Oh, you noticed that? You didn't notice the whole wall?

Farshad Abasi: [00:18:41] We were talking about real estate, I think, earlier in the conversation, right? Yeah. I remember when, like, the last house my parents sold, you get the inspector, but the people buying bring their own inspector, because you don't want that gas tank to be in the backyard that you inherited because you bought that place. Right. So that could also mess up the deal. As a seller, you've got to make sure that you know about that gas tank, because if they put a condition in, the buyer comes and gets the inspector, and then they find that, your deal is out; you've wasted everybody's time and all that type of stuff. So make sure you know it. And what's happening is I've noticed that the buyers in the past may not have had a focus on security as much. They might have been like, let's just do a quick scan of your application and call it a day. Now they're actually bringing in an expert team like us. They're asking us to dig really deep. So because that's changed, the seller should expect that. If the seller is thinking that it's like the old days where they're just going to get a scan and the buyer's going to proceed, that's not what's happening. They're going under a lot more scrutiny. So any preparation would be quite valuable in that direction.

Manseeb Khan: [00:19:37] Having a security check, making sure, like, hey, you know, the data that we currently have, is it reasonable? Are there any holes? That's far from the first thing people think of when ramping up to sell a company. But now I'm glad that people are having this kind of a conversation, having you guys on board, making sure that people are doing the due diligence to make sure that they know there's a hole in the wall and have a plan to fix that hole. Right, exactly. Michael, do you want to add anything to that?

Michael Castro: [00:20:03] No, I like the House analogies, but I got to switch it to a car analogy.
Manseeb Khan: [00:20:07] Perfect. Let's go, of course, to
Michael Castro: [00:20:09] Buying the used car. Right. Buyer beware. And that mechanic needs to really check it out. Right. And so you're doing, you know, the mechanics, or looking at the technology piece, but you're also having to do the governance piece. Right, in terms of, you know, making sure that there are no liens on the car and making sure that there are no outstanding debts. And, you know, how many accidents has the car been in? Right. There's always the other side of it, too. And I think the same goes with deals, too, right. It's looking at the tech stack, but it's also looking at the other aspects of what the company is doing in cyber too, right. Because they could have a great tech stack but have really poor controls around users logging into their network or remote access. That's just opening themselves up for a back door entry. You know, when the company is pretty stoked that they've covered off, you know, the application, but they kind of left the back door open at the same time.

Manseeb Khan: [00:21:02] You don't want to get caught with your pants down, although that's not a fun feeling. So I guess sticking with the same thing that we currently have, what are some things that make or break an investment? And I guess how important is security in ensuring a high-quality investment?

Daniel Lee: [00:21:16] I would say it's more and more critical, right. Farshad's point earlier with the CEO and PayPal example. By the way, if that deal had been done today, people would have found that vulnerability and that deal would have been dead, right. Increasingly, expensive things like penetration tests, like making sure there hasn't been a data breach, or even on the privacy side, making sure of compliance. You know, there are some things that can be fixed post-close, and then there are some things that are just total deal-breakers. And you want to make sure that if there are any deal-breakers, you know ahead of time.

Farshad Abasi: [00:21:56] Yeah, identifying those high-risk issues only comes with a proper assessment. And again, going back to what I said earlier, doing a basic scan of your system is not going to give you that. It's where you actually go and do a risk assessment and dig deep into it, determine: is this high risk? Is this low risk? If you've done that as a seller, then you're going to be looking really good, because you can go to the buyer and say, hey, I've done this risk assessment here. There's only a bunch of low risks, and those are things that you can fix, right? They're not major high-risk items that are going to break the system. And I emphasize risk, as Michael can back me up: risk is quite different than just saying, you know, you have a dozen problems. Right. In order to determine risk, you actually have to assess what the business impact is and how likely something is to come true. And that's way more valuable than the traditional way that people assess the system, which is purely based on security gaps, or vulnerabilities if you will.

Michael Castro: [00:22:49] It's more than just a paper exercise or a checklist, right? I think that's where, you know, that good quality investment will understand that, and understand the interpretation of what risk really is, how to define it, and what is unique about that organization that can elevate or decrease that risk. And that's where part of it is having the third party and the experts helping to determine that and lay that story out, either from the buyer's perspective or the seller's perspective. Because, you know, understanding that, I think, is key to really maximizing and, you know, getting the best value in an investment and making sure that there are no pitfalls along the way.

Manseeb Khan: [00:23:37] Yeah, you want to make sure that on security you don't have to go trial by fire. You want to avoid the state for growth as much as you can, right?

Farshad Abasi: [00:23:48] Exactly. Exactly.

Manseeb Khan: [00:23:50] Sticking with security breaches, should companies be especially cautious of security breaches? I mean, we touched a little bit of risk companies that are trying to ramp up for acquisition or just companies in general. Why should they be extremely cautious of security breaches?
Farshad Abasi: [00:24:02] The one thing, you know, when we talk to clients, particularly startups: their reputation. That reputation is everything. For a large company, let's take Equifax, right. Everyone's data got breached. Everyone found out about it. Did much happen to them? Not a lot. They're so big that they're almost untouchable. When you're now talking about a small startup who's just starting in this industry, their name, their reputation, is everything. So if you get a breach and you're that small, you're not even going to make it past that. So, directly, because typically a security compromise or breach can impact the confidentiality, integrity or availability of the data. And depending on what the breach ends up doing, if data is exposed, then it'll have a reputational impact. But further to that, if you're also in the finance sector, you might have regulatory repercussions. Right. So both of those things need to be considered, and all of those would be way higher, and will have a way higher impact, for smaller organizations that are new.

Michael Castro: [00:24:57] Yeah, I've got startup clients and they understand, you know, despite the product that they have or the service, that if they have a security breach, they know they're done. And, you know, it doesn't matter that they have a rock star product to deliver; their age and the maturity of the organization just means that the buyers will not want to touch that. They won't want a piece of that, because there's too much at stake. And, you know, we talk about security breaches. But, you know, as a seller, I think you also have to be understanding of the security breaches that are happening around them while they're in this phase of talking to the buyers, because the buyers now, and Daniel can jump in here, are getting savvier and savvier and really will hone in on what's happening out in the world. And if there's a breach and it's happened because of a certain vulnerability, and it happened the week before, I bet you they're going to be asking this client, if it's that bad, if that breach pertains to them, and if it does, what they've done about it and how they're prepared for it. And, you know, these organizations, these sellers, need to be ready. They need to have those stories and be able to ensure confidentiality, that these types of breaches aren't impacting them, or they're very confident that they have it under control.

Daniel Lee: [00:26:18] 100 percent. Historically, with the technical diligence, a buyer would hire one group and they'd really just focus on code reviews and open source. Now, increasingly, they're hiring that group, but then they're also layering on a cyber specialist, who may or may not be the same firm as the one conducting the technical assessment. And I mean, from a buyer's perspective, one of the things you're trying to solve is post-deal litigation, right. Like, in a health care-related or financial-related business, what a lot of buyers don't want to do is inherit these sorts of liabilities going forward.

Manseeb Khan: [00:26:56] Because it's not a fun thing to eat. So I guess looking forward, looking ahead with all this risk and everything, I guess what would be the next steps that you'd recommend for companies who are building modern applications in the cloud? Right. We hear about the cloud, how wonderful it is, cloud banking, everything. What is some of your guys' advice when it comes to companies that are building towards the cloud?

Farshad Abasi: [00:27:22] There are some basics that they can pay attention to, and there are frameworks for building secure applications and building secure cloud infrastructure. I'd say a good place to look is the Cloud Security Alliance, CSA. They have the Cloud Controls Matrix. There are quite a few controls in that, and they don't need to implement everything. But what they do need to remember is that when you put something in the cloud, security in the cloud is a shared responsibility. I use the analogy of Lego building blocks. A company like Amazon or Microsoft Azure gives you a secure building block. But how you assemble those building blocks to build your house, Lego house or whatever it is that you're building, that's up to you. So if you don't stack those building blocks in a secure manner, you'll have pretty shaky ground. So that's why it's a shared responsibility, where the cloud provider gives you a secure building block. You're going to be putting those together to create a solution. It's your responsibility to do that in a secure manner, and a framework like the Cloud Security Alliance's will tell you a number of things that you can do to achieve that. In addition to that, applying a secure application security framework such as the OWASP Application Security Verification Standard. So just paying attention to those types of things, or at least looking at the Top 10 commonly occurring vulnerabilities that are reported by OWASP, and making sure that your application at least addresses them, would be quite important.

Michael Castro: [00:28:41] Yeah, I'd say I totally agree. And so I'll keep on the banter of analogies and I'm going to go to that famous Scandinavian furniture maker. You buy one of these kits and you want to put it together and you think you can do it without the instructions. And you really don't need to take full control from the start. And sure, you can put together that bed frame and maybe it feels solid, but did you really build it properly when you have six pieces left over at the end of all this? Really, security has got to be a part of this. All right. From the beginning. Right. And as Farshad said, following one of these frameworks and really understanding it and building security in by design is going to make a better cloud-based app. Try not to cut corners, and really ensure that you're putting in the security, taking it in as you're building the application in the cloud and following the right rules and making sure that you're doing it right. Well, it could and should make all the difference in the end, in terms of really having something that is going to be more secure versus something you think is secure, or you hope is secure and you definitely keep your fingers crossed every day.

 

Manseeb Khan: [00:29:53] It's a great analogy. You want to make sure that it is secure and that it is sound from day one, because it definitely is. The worst thing you want to have in the world is that the bed creaks and you're like, OK, well, yeah. And then you can have that and then that's it. And then it's like, well, OK, I could have just done it right the first time. Right. So if there's one or two takeaways that you want everybody to kind of go home with, or that you guys want to drive home, what would it be?

 

Daniel Lee: [00:30:23] I'd say put the effort into documentation, and before heading into a process, make sure you've got all your bases covered, so to speak. And, you know, spend the money on a third-party assessment, because, you know, the thousands of dollars you're spending now could save you millions and millions of dollars in transaction value.

 

Farshad Abasi: [00:30:46] Yeah, makes sense. Makes sense. But you don't know. And what I'd like to add is documenting it. And that goes with the saying: what you don't know, you don't know. Right. So make sure that you do know your system as an executive or someone who's responsible for that software. Ultimately, you should know what that looks like; don't just trust that this has been built securely. It's more common than not that developers make mistakes. That's why things like the OWASP Top 10 exist, because the same kind of security issues keep happening over and over again. I've been looking at the OWASP Top 10 for over a decade and developers make the same mistakes, and even some of the basic security challenges that have been around for decades keep getting repeated. So I'm not having anything. Is there is the unknown, right? So you want to make sure that you have some knowledge of the posture of your system, but also that you don't get that false sense of security. So I've had organisations that came to me and said, hey, I got this company to do a pen test. They did a pen test, said, you know, everything is great. Right? And I'm like, well, let me see. Because when someone says pen test, they don't all mean the same thing. My definition of pen test is different than someone else's definition of pen test. In that particular example, when I did look at the result, it was actually not a pen test, it was a scan. And that scan had shown a few issues that were scaring the customer but not showing the real problem. So I looked at the results and I said, hey, look, the issues that you're jumping up and down about, these aren't actually issues. These are false positives and stuff you don't have to worry about. But what this guy hasn't told you is all the real problems that you have. And I was able to do that by just quickly looking at the system. So that false sense of security, or thinking you know what you don't, or even worse yet, not knowing at all, is not a position you want to be in.

 

Michael Castro: [00:32:20] Yeah, I'd say the same thing, you know. Spend the money and spend it wisely, and spend it in the right way. Don't cut corners, and really look to get a good person to support you, a good organisation that really knows what they're doing. And, you know, spend money to make money and be prepared. And where you don't think that it's a good return on investment, we can always tell you it will be in the end. It really will be, you know, the right way to spend money: spend money now to avoid spending a lot more money later.

 

Manseeb Khan: [00:32:59] What would be the best way to reach any of you guys, if any of our audience members have any questions?

 

Daniel Lee: [00:33:04] LinkedIn would be the best for me. I mean, I've got a TikTok account, but I don't do a lot of contact there. LinkedIn would be the best for me.

 

Farshad Abasi: [00:33:12] Yeah, LinkedIn, LinkedIn or Twitter. Absolutely. Twitter is a great place to connect as well for me.

 

Michael Castro: [00:33:18] Yeah, me too. Same for me on Twitter. We're both there.

 

Farshad Abasi: [00:33:25] You know, when you get into this world of security, oftentimes security folk, I'm on pretty much every social media, because as a technologist, whenever they launch a platform, I save my spot. I get my account, right. But do you actually use them, and are they all effective, right? I mean, when it comes to security, you're not going to have any interesting conversations with folks on Facebook or Snapchat. Those are just not the right platforms. The security conversations usually happen on LinkedIn or Twitter.

 

Manseeb Khan: [00:33:50] I mean, you get some footage of the conversations on TikTok. I mean, depending on who's talking.

 

Daniel Lee: [00:33:55] I totally get all my investment advice there.

 

Manseeb Khan: [00:34:00] Hey, yeah, that's. Yeah, exactly. That's how I learned about selling houses. So, you know, it's also. So, guys, thank you so much for jumping on the show again, and as well for everybody out there, next Friday, if you guys want to hear more about what we're currently talking about, we're having a technology due diligence fireside chat with all three amazing guests. If you guys have any more questions, you can definitely follow up with these guys. You can reach out and talk, like you said, on Twitter. But, yeah, feel free, you can reach out to them with any questions or anything. Again, guys, I'm excited to see you guys at the fireside chat. Thank you so much for jumping on the show and making this bucket list episode a dream come true for both me and Daniel.

 

Farshad Abasi: [00:34:45] And best of luck to all the audience listening who are preparing their companies to be sold.

 

Michael Castro: [00:34:49] Thanks.

 

Farshad Abasi: [00:34:50] Thanks for having us here.

Outro: You've been listening to Fintech Fridays, brought to you by NCFA and partners. Tune in weekly for the latest Fintech Fridays podcast by subscribing to this channel. The National Crowdfunding and Fintech Association of Canada is a non-profit actively engaged with social and investment fintech sectors around the globe and provides education, research, industry stewardship services and networking opportunities to thousands of members and subscribers. For more information, please visit ncfacanada.org.

 

End of Podcast

 

Subscribe and Listen to more Fintech Fridays podcasts here

Join NCFA's weekly podcast series 'FINTECH FRIDAYS', where we sit down with the incredible people in the fintech community and talk about leading fintech products, innovations, developments and challenges!

Interested in getting involved as a partner or participant? info@ncfacanada.org

 


The National Crowdfunding & Fintech Association (NCFA Canada) is a financial innovation ecosystem that provides education, market intelligence, industry stewardship, networking and funding opportunities and services to thousands of community members and works closely with industry, government, partners and affiliates to create a vibrant and innovative fintech and funding industry in Canada. Decentralized and distributed, NCFA is engaged with global stakeholders and helps incubate projects and investment in fintech, alternative finance, crowdfunding, peer-to-peer finance, payments, digital assets and tokens, blockchain, cryptocurrency, regtech, and insurtech sectors. Join Canada's Fintech & Funding Community today FREE! Or become a contributing member and get perks. For more information, please visit: www.ncfacanada.org








For more information about FFCON21: BREAKING BARRIERS, on-demand videos and ways to participate