BSidesLuxembourg 2026

Startup Security 2020: Aged Like Wine or Milk?
2026-05-08, Main Stage

What would you change if you could go back and rebuild your company’s security foundations from day one?

In 2020, I had the chance to build a security program from the ground up for a brand new company in the banking/fintech space.

Some of the decisions we made aged well, and would still be relevant in 2026.

Other decisions, or the absence of a decision, have not aged well, or simply could not have been made back then because the technological environment was different.

In this talk, we'll look at what worked great, what didn't, and what we'd have to do differently if we tried again today.


Building a new company in a highly regulated field facing <buzzword>sophisticated threat actors</buzzword> brings its share of challenges, but also allows you to build things without worrying about legacy environments and problems.

What you are building today will, however, become the legacy problem in the future.

Specifically, we will talk about the decisions that were made in 2020 to build a secure company at the time, and contrast them with the decisions I believe we would make in 2026.

Topics covered will include:

  • Core architectural decisions that are "one-way doors"
  • Programming languages and ecosystems
  • Threat modeling from the beginning
  • Immutable and ephemeral infrastructure
  • Everything as code
  • Identity
  • Supply chain security and its downstream impact on endpoint security

Guillaume is an experienced security nerd mostly operating on the blue team side, who is equally experienced in very large organizations and startups, typically in the cyber security or fintech spaces. He was head of security for companies such as JupiterOne, FleetDM and Finaptic.

The thing he dislikes the most about security is the use of old advice and "best practices" that do not reduce risk for real companies and people, and he much prefers to base his work on real data and threats.