CTO POV: The yin and yang of a CTO and CISO in harmony

David King
David King
is CTO at Flywire.

Editor’s note: Flywire is a whirlwind of innovation driven by software and global network expansion that pushes the boundaries of traditional finance. At the center of this Yin and Yang dance are two critical figures: the Chief Technology Officer (CTO) and the Chief Information Security Officer (CISO). In this post David King and Barbara Cousins break down the responsibilities of each role and talk about how their collaborative relationship is critical to delivering the best software that drives value in payments with the highest security standards.

How have they produced such perfect harmony in collaboration, innovation, speed, and security with others? Let’s listen.

The role of the CTO: Pioneering innovation

As the CTO, my job is to deliver value to the company and our customers through delivering deeply integrated software that leverages our global payment network. Speed is the name of the game in fintech. We need to constantly explore cutting-edge technologies such as artificial intelligence, and rapidly develop and launch new features to stay ahead of the curve. Every second counts, and it’s critical that security be incorporated into the process, without becoming a roadblock. This is where Flywire’s amazing CISO comes into play. Barb and her team deeply understand the threats. They’re also innovative thinkers who partner with product and engineering to ensure our solutions are secure without stifling our progress and innovation.

Flywire cto ciso image 1

Role of a CTO

Address complex topics such as:

  • Product management and development
  • Product implementation and delivery
  • Driving value and efficiencies for the organization
  • Code security

Development and deployment of technology to increase business

Say YES first

The Role of the CISO - Build a Security Fortress

As the CISO of Flywire, my role is to build a robust security posture, regulatory compliance framework, and business continuity practices that address everything from a server outage to a global pandemic. Data security is paramount for Flywire. Our customers entrust us with managing their customers' most important and complex payments. To protect Flywire, my team implements robust cybersecurity measures including encryption protocols, access controls, threat detection systems, regular security audits, and penetration tests. We stay constantly vigilant.

I partner with David to understand the business needs, and technology landscape needed to translate those into practical and highly secure measures. We ensure that security is integrated into every stage of the software development lifecycle. David and I partner to find the right balance of agility without compromising security.

Flywire cto ciso image 2

Role of a CISO

Address complex topics such as:

  • Regulatory complexity
  • Security architecture
  • Cyber threats
  • Compliance
  • Policies and procedures
  • Business Continuity (disasters, pandemics, civil unrest etc.)

Guardian of information in all forms (paper & electronic)

Try not to say “NO” first and assess the business benefit

The CTO-CISO dance in action: What are the elements that build harmony?

  • Foster the relationship: Be sure your CISO and CTO are treated as peers in the organization. We have weekly 1:1s to understand each other's challenges and address key topics for the organization.

  • Practice security-first development: The CISO isn’t just the post-development auditor. At Flywire, we collaborate in tandem to deliver highly secure software in a rapid fashion to our core verticals of B2B, education, healthcare, and travel.

  • Embed security into processes and operations: The CISO and CTO need to create a culture that prioritizes security as the responsibility of the whole organization, instead of considering it a function of the IT/Security department alone. This requires analyzing security risks at many different levels and engaging everyone in the organization about the necessity of following organization security practices. Together we are the champions of security.

  • Prioritize secure vendor management: All organizations today work with various vendors for their needs across business units and functions. Vendors can often be the greatest security threat to an organization if they are not vetted and managed correctly. The CISO is responsible for setting the security standards that dictate how we acquire and work with vendors and their tools.

  • Coordinate a collaborative threat response: If a security incident occurs, we have to act as a unified command center. The CTO needs to understand the impacted systems and quickly isolate the issue, while the CISO directs the remediation efforts, ensuring regulatory compliance and data protection.

Fostering a relationship


Treated as peers by the entire organization


Engage CISO early in planning process — they are usually left out until a decision is made


CTO needs to frame conversations around help with risk


CISO needs to frame conversations around help with driving value


CTO & CISO should have regular 1:1s

The CTO-CISO maturity model

At Flywire, we have a maturity model to measure our collaboration and ability to develop and deliver software that drives value for our customers and is highly secure. We share this with you so that you can measure your organization's maturity.

  • Unprepared: CISO is pursuing CTO and the business to find out what is going on.
  • Reactive: CTO engagement has improved, but CISO is still chasing business stakeholders making go/no-go decisions at the 11th hour.

  • Proactive: Both CTO and business bring CISO into the conversation, but after the initiative is already in progress.

  • Anticipatory: CISO is engaged by both CTO and business at the very beginning before any decisions are made. (We are here!)

CTO-CISO maturity model

UnpreparedCISO is pursuing CTO and the business to find out what is going on.
ReactiveCTO engagement has improved, but CISO is still chasing business stakeholders making go/no-go decisions at the 11th hr.
ProactiveBoth CTO and business bring CISO into the conversation, but after an initiative is already in progress.
AnticipatoryCISO is engaged by both CTO and business at the very beginning before any decisions are made.

Harmony achieved

When the CTO and CISO work in harmony, the results are amazing. Together they create a secure and agile environment that fosters innovation while protecting sensitive information. This empowers Flywire to move fast, stay ahead of the game, and build trust with its customers. It’s about collaboration, understanding, and a shared vision for a better payment experience for our customers.