Prototyping and aiding vendor selection for a fintech company’s data inventory solution
Snapshot
The fintech industry has seen tremendous growth in recent years, and safeguarding the privacy of customers is a major concern. While customer trust is paramount in a business model that hinges on managing personal and financial data with the utmost care, many companies still treat privacy as an afterthought.
A company specializing in online money transfer was falling behind in privacy needs after recent audit preparation findings. Seeking a data inventory solution that would pave the way for a comprehensive, engineering-centric approach to privacy, the company turned to Kalles Group for guidance. Despite challenges around project ownership and clarity, the KG team successfully delivered results far ahead of schedule.
Challenge
A need for data privacy compliance and better technical privacy resources post-IPO
Having been a startup not all that long ago, the fintech company had little in-house data privacy experience, no technical privacy resources, and a large amount of isolation between different parts of its business. Since its IPO, the company has been trying to formalize its structure and comply with regulations. This has been primarily driven by the internal governance, risk, and compliance (GRC) team.
The fintech company is complying with several regulations, including KYC (Know Your Customer), AML (Anti-Money Laundering), GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), and others. Kalles Group came in on the heels of an audit that surfaced issues requiring remediation, and the company’s leadership was not sure exactly what to do about them. Thus, a large component of this project involved getting a better understanding of the data the company had and what controls they had around it.
Determining data inventory project ownership and dealing with a vacuum of opinion
Like a lot of organizations that are working to formalize their structure, the fintech organization was having difficulty determining ownership of major projects like this one. The data inventory project rested on the shoulders of engineers directly under the CISO. Ideally, there would have been a well-defined structure and privacy expertise within the organization, but this was not the case.
This lack of clarity around who would own the project long-term and how many resources would be needed (from both Kalles Group and the company’s internal team) created a chaotic situation. Without clear executive input, Kalles Group needed to determine the nature of the project in order to provide recommendations for the best path forward. The KG consultants also needed to consider the company’s reduced aptitude for new spending and deal with a reallocation of internal resources.
Approach
Building trust by taking ownership, creating a plan, and pivoting when necessary
One of Kalles Group’s great strengths is the ability to walk into a chaotic situation and work closely with stakeholders to determine concrete goals and come up with a clear and customized plan. Remaining flexible to the client’s changing needs and identifying decision criteria for success are key ingredients in Kalles Group’s consulting process.
As the KG consultants learned more from the fintech company’s stakeholders about what they needed, they went through several pivot points within the first six months of the contract. This allowed Kalles Group to understand the bigger problem in context and take ownership of it. Throughout the process, the consultants prioritized the documentation of their findings, the decisions they made, and the expertise they were able to bring.
Seeing this level of commitment from the KG team, the fintech company trusted them to own the problem as if they were full-time engineers in-house. This meant that the consultants were often representing InfoSec and GRC as key privacy stakeholders to broader parts of the organization and to external vendors.
From data inventory prototyping to engaging with commercial vendors
After a month of meetings with stakeholders, Kalles Group showed what the data inventory was supposed to look like and how it would help the company. From there, the team worked on rapid prototyping. Within four months, they had a rough prototype and began exploring the question of whether the company should build and staff the solution internally or engage with a commercial vendor.
The timeline in this process can be summarized as follows:
- Month 1: Delivered comprehensive tooling requirements.
- Month 4: Built an engineering prototype of the data inventory.
- Month 6: Identified commercial vendors and trade-offs to continued internal development.
- Month 8: Aided vendor selection and onboarding to client engineering, security, and compliance needs.
- Month 10: Delivered the data inventory before year end in Q4.
Kalles Group narrowed down the list of vendors to just five and showed the fintech company the long-term cost savings. The consultants helped cut through the vendors’ sales talk and zero in on which products would serve the company’s needs. This turned a potentially predatory sales relationship into one where both sides could meet at the same level and talk in terms of concrete use cases.
Results
Building rapport and delivering value ahead of schedule — despite the initial lack of clarity
Kalles Group delivered the initial inventory ahead of the anticipated timeline, completing the process in less than 12 months—a significant acceleration compared to the typical two to three years. The consultants facilitated cross-team connections that smoothed things out between stakeholders outside of the project.
The KG team’s ability to determine what the job really was — and how the project would fit into the way the rest of the organization works — was key. According to the company’s Privacy Engineering Manager, “With something between zero and chaotic requirements, Kalles Group was able to deliver great iterative value quite independently.” The initial ambiguity provided an opportunity for Kalles Group to demonstrate its capabilities as both a strategic partner and tactical executor, culminating in the project’s successful completion.