Scaling Security in Fintech: Building Secure Products at Startup Speed
In the high-velocity world of fintech, the mantra "move fast and break things" is obsolete. When you are dealing with people's money and identity, the mandate shifts to "move fast and secure everything."
At VULNCON 2025, security leaders from India's top fintech unicorns (PhonePe, Razorpay, Groww, and PB Fintech) convened to discuss the unique challenges of hyper-growth. The panel explored how to balance agility with the stringent demands of "Big Daddy" regulators, the shift toward design partnerships with Indian security startups, and the concept of Minimum Viable Security (MVS).
Ankur Bhargava (Moderator) - Head of Product Security @PhonePe
Ashwath Kumar - Head of Security @Razorpay
Prajal Kulkarni - CISO @Groww
Naseem Halder - CISO @Navi Group
The Fintech Differentiator: Speed vs. The "Big Boss"
Moving from traditional banking or e-commerce to fintech requires a fundamental mindset shift. While banks may have vast resources, fintech startups often operate with perhaps 15% of the labour and tool costs, yet they must maintain the same rigour.
The primary difference lies in the regulatory landscape. As Mr Prajal Kulkarni, CISO at Groww, noted, unlike e-commerce, fintech operates under the watchful eye of a "Big Boss" - the regulators. This environment creates a necessary paranoia; companies do not have the luxury of agility without compliance. The challenge and the motivation are to manage the "three pillars" of scale, speed, and depth simultaneously.
Shifting Left: Minimum Viable Security (MVS)
Security can no longer be a Series B problem or a Q4 concern; it must be a day-one feature. Naseem Halder introduced the concept of Minimum Viable Security (MVS). Just as product managers define an MVP, security teams must define an MVS. If a product does not meet these baseline security standards, it does not ship.
To achieve this, security leaders must influence the psychology of product managers. By framing security hurdles as product failures rather than compliance blockers, security becomes an intrinsic part of the feature set rather than an external imposition.
Automation: The Force Multiplier
For security teams to keep pace with rapid development cycles, manual checks are insufficient. Ashwath Kumar emphasised the necessity of automation across the entire Application Security (AppSec) lifecycle:
- Design Phase: Using GenAI-based tools for threat modelling during the conceptualisation phase helps tackle issues before code is even written.
- Development: Integrating feedback loops directly into the pipeline ensures developers receive live feedback.
- Enforcement: Automation allows security teams to "block the pipeline" when critical issues are not fixed, ensuring that code cannot be checked in until it is secure.
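The enforcement step above, as an added illustration (not code from any panellist's company): a merge gate that blocks when critical or high findings are still open, and only honours a risk-acceptance exception that is actually on the approved list. The finding schema, severity policy and sample scan output are all constructed for this example.

```python
"""Pipeline gate: block the merge while unresolved critical/high findings exist.

Constructed example; the finding schema and the blocking policy are assumptions,
not any real scanner's export format or any company's policy.
"""
from dataclasses import dataclass

BLOCKING_SEVERITIES = {"critical", "high"}  # assumed policy: these block


@dataclass
class Finding:
    finding_id: str
    severity: str
    status: str             # "open" or "fixed"
    exception_id: str = ""  # non-empty when a risk-acceptance ticket exists


def blocking_findings(findings, accepted_exceptions):
    """Return the findings that must block the pipeline.

    A finding blocks when its severity is in the blocking set, it is still open,
    and it has no exception id on the approved list. An exception id that is
    not on the list does NOT unblock: unknown tickets are treated as absent.
    """
    blockers = []
    for f in findings:
        if f.severity.lower() not in BLOCKING_SEVERITIES:
            continue
        if f.status == "fixed":
            continue
        if f.exception_id and f.exception_id in accepted_exceptions:
            continue
        blockers.append(f)
    return blockers


def gate(findings, accepted_exceptions=frozenset()):
    """Return (allowed, reasons); allowed=False means block the merge."""
    blockers = blocking_findings(findings, accepted_exceptions)
    reasons = [f"{f.finding_id}: {f.severity} still open" for f in blockers]
    return (len(blockers) == 0, reasons)


# Constructed sample scan output
SAMPLE = [
    Finding("F-1", "critical", "open"),
    Finding("F-2", "high", "fixed"),
    Finding("F-3", "high", "open", exception_id="RISK-42"),   # approved below
    Finding("F-4", "low", "open"),
    Finding("F-5", "critical", "open", exception_id="RISK-99"),  # not approved
]

if __name__ == "__main__":
    allowed, why = gate(SAMPLE, accepted_exceptions={"RISK-42"})
    print("ALLOW" if allowed else "BLOCK", why)
```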
The Rise of "Design Partnerships" with Indian Startups
The panel highlighted a significant trend: the shift from off-the-shelf Western tools to design partnerships with Indian security startups.
Historically, Indian CISOs relied on Western tooling, which often lacked support for local regulatory nuances and suffered from slow implementation cycles. Today, the Indian infrastructure and regulatory stack are unique. Domestic startups now offer the agility to act as an "extended security arm", building bespoke solutions that solve specific problems faster and with better ROI than generic global tools.
Regulators as Collaborators
Contrary to the view of regulators as mere enforcers, the panel praised Indian bodies like SEBI and RBI for raising the bar. Indian regulatory guidelines are now described as "gold standards", often more detailed and robust than international frameworks like NIST.
The audit process has also evolved from checklist-based inspections to deep-dive technical assessments. Regulators now demand direct access to consoles (like SIEM tools) to verify configurations and operational realities rather than relying on documentation alone.
Going Global: The Data Localisation Challenge
Scaling a fintech product outside India introduces complex architectural challenges, particularly regarding data localisation. Ashwath Kumar shared Razorpay's strategy of using "Cells" - independent infrastructure units deployed in specific regions (e.g., Singapore) to meet local hosting requirements. The complexity arises in routing logic: determining where to store and process data when a citizen of one country travels to another. Success requires building routing logic that respects the data sovereignty laws of each jurisdiction while maintaining a seamless user experience.
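The routing problem described above, as an added example that is not Razorpay's implementation: a small cell router in which storage always follows the customer's home jurisdiction, processing may move to the cell of the country the request comes from unless the home jurisdiction demands strict residency, and a jurisdiction with no cell raises rather than silently falling back to some default region. The cell catalogue, jurisdiction codes and residency policy are constructed assumptions.

```python
"""Cell routing for data localisation (constructed example, not production code).

Assumptions: each customer has a home jurisdiction fixed at onboarding, each
jurisdiction maps to exactly one cell, and some jurisdictions require data to
be both stored and processed inside their own cell.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cell:
    name: str
    region: str


# Constructed cell catalogue: jurisdiction code -> cell
CELLS = {
    "IN": Cell("cell-in-1", "ap-south"),
    "SG": Cell("cell-sg-1", "ap-southeast"),
}

# Constructed policy: jurisdictions whose data may not be processed elsewhere
STRICT_RESIDENCY = {"IN"}


class NoCellForJurisdiction(Exception):
    """Raised when no cell exists for a jurisdiction; never guess a region."""


def route(home_jurisdiction: str, request_country: str):
    """Return (storage_cell, processing_cell) for one request.

    Storage follows the home jurisdiction: an IN customer travelling to SG still
    has records stored in the IN cell. Processing may run in the request
    country's cell only when the home jurisdiction is not strict-residency and
    that country actually has a cell; otherwise it stays in the home cell.
    """
    try:
        storage = CELLS[home_jurisdiction]
    except KeyError:
        raise NoCellForJurisdiction(home_jurisdiction) from None
    if home_jurisdiction in STRICT_RESIDENCY or request_country not in CELLS:
        return storage, storage
    return storage, CELLS[request_country]


if __name__ == "__main__":
    print(route("IN", "SG"))  # Indian customer in Singapore: everything stays in IN
    print(route("SG", "IN"))  # SG customer in India: stored in SG, processed in IN
```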
Building Trust and Board Buy-In
Ultimately, security in fintech is a branding exercise in trust. One incident can destroy user confidence. Therefore, security teams must work to make the "invisible visible", educating users on their shared responsibility while showcasing the platform's security measures.
Regarding governance, the panel noted a positive shift in board attitudes. Investors and independent directors now conduct rigorous due diligence. Security is no longer just a cost center; it is recognised as a critical asset for protecting valuation and ensuring scalability.
Conclusion
The consensus from the panel was clear: in fintech, security is not an afterthought; it is a feature.
- Adopt MVS: Define your Minimum Viable Security and enforce it from the design phase.
- Automate Ruthlessly: You cannot scale manual checks. Use automation to block insecure code and streamline threat modelling.
- Know Your Circulars: Deeply understand the specific regulations applicable to your business to avoid costly re-architecture later.
- Empower Developers: Instil a problem-solving mindset in developers so they view security as part of their code quality.