Skip to content

Q&A with Jeff Hudesman, CISO at Pinwheel

Addressing software supply chain risks at the source, before an incident can occur.

Published on

Nov 03, 2022

Written by

Patrick Sheehan, CRO

Share

It’s been almost a year since Phylum customer Jeff Hudesman took on the role of Chief Information Security Officer at Pinwheel, a company on a mission to help create a fairer financial system. Security is paramount to the success of the company and its customers, and Jeff came in to uplevel the company’s security posture and enable the business to advance its important mission, quickly and securely.

Our Chief Strategy Officer Patrick Sheehan recently sat down with Jeff to discuss the software supply chain challenges that API-based companies like Pinwheel are facing and the role Phylum plays in addressing these concerns. Read the conversation below.



Patrick Sheehan:

Jeff, can you tell us a little bit about Pinwheel and what made you take the opportunity at the company?

Jeff Hudesman:

Yeah, absolutely. Pinwheel's on a mission to help create a fair financial system. We do this by providing income data that's engineered for fintech innovation. What that means, is our platform has persistent access to data and controls, and consumer income and employment accounts, and provides a way for our customer to make sense of this data.

Fintech's financial institutions trust us to access the data and controls with traditional and non-traditional payroll platforms, to update direct deposits, streamline income and employment verification, improve underwriting, power-earned wage access, and build innovative new products. Our API makes it easy for businesses to securely connect to payroll accounts, their applications with consumer permission, covering over 1,600 platforms, nearly 80% of anyone receiving a paycheck.

What drew me to Pinwheel was really how the CEO, Kurtis Lin, shared his vision for Pinwheel becoming the infrastructure that will power the financial system of the future. That really resonated with me. I mean, if we succeed, the next generation of innovative companies will rely on Pinwheel to power new financial products to ultimately help consumers live better financial lives.



Patrick Sheehan:

Awesome. I mean, I can't imagine losing funds and payroll, right? Not getting paid, going in there, thinking that you're getting paid and all of a sudden it's been wired somewhere else.

Not all emerging technology fintechs see security as a value proposition, and not many companies like Pinwheel even have a CISO. So why security is so important to your firm?

Jeff Hudesman:

That's something we've noticed as well. For API-based companies like us specifically, our technology has such a wide reach. The stakes are too high for fintech companies like Pinwheel not to take security seriously. With the weight of such critical outcomes top of mind, especially for 67% of Americans are considered financially unhealthy, Pinwheel wants to protect its customers much as possible.



Patrick Sheehan:

It’s a pretty daunting task. What's been the biggest challenge that you’ve faced so far?

Jeff Hudesman:

Joining a startup in security, I mean, there are tons of challenges. It's definitely not an easy feat, but specifically, I really wanted to make sure that we're doing everything possible to secure our software supply chain. So that was definitely a very high priority for us.



Patrick Sheehan:

Why?

Jeff Hudesman:

Mass migration to the cloud is driven the widespread adoption of APIs to connect applications. Initially, APIs were mostly used to feed and analyze data across applications, that have now become relied upon to facilitate more comprehensive operational functions like we do at Pinwheel. This enables critical application and business needs, but also increases the open-source software supply chain and check surface. For example, APIs have made applications more efficient and impactful by removing barriers and manual tasks associated with data management, but also allow customer data to flow more freely across multiple applications based on a single transaction.



Patrick Sheehan:

That makes total sense. I mean, everyone has a digital transformation strategy. And APIs have been a huge driver for a lot of those initiatives. Additionally, it’s the use of open-source software, right?

Jeff Hudesman:

Yeah, and securing the open-source ecosystem has long been a tremendous blind spot. So we needed to find the right vendor to do this properly and make us feel comfortable with all, as you mentioned, the 70%, 90% of modern software. And in my searches, I was really disappointed. I couldn't really find the solution that was aligned with our modern business model and high bar for security vendors. I found that most approaches were out of touch with the current threats, either addressing too little of the attack surface or only identifying issues post-compromised, and that was not good enough for us and our customers. I needed to know that it's open-source risk before the code ever makes it to the application.

I needed to understand the risk and the context of our specific business and threat model, and it was really Phylum's approach and framework that won me over. When I first met the Phylum team, I was really relieved to find a company that understood our needs and really understood the technology. I mean, they were super technical. Phylum truly allows my team to identify and address open-source software supply chain risk before a compromise occurs and enable us to make decisions quickly that advance our application innovation and support our important mission.



Patrick Sheehan:

We appreciate that. Operationalizing and realizing value from cyber investments is key, especially when it's part of your initial program investments. Those first things that you really think move the needle one way or the other. How long did it take you to start getting value out of Phylum?

Jeff Hudesman:

It was really critical for us to be able to really operationalize this quickly. So fortunately, Phylum was quick to deploy. It was a simple registration process, as I recall correctly. I was authorized via email and then use a quick-start guide to get the project started within like 15 minutes. So that was pretty quick. We had a shared Slack channel, so the support team was fantastic and really quick to respond and help with any new ways to get value from the product. It was really an easy experience and that's not super common for security products. So that was really great to see.



Patrick Sheehan:

It’s delighting to hear that you've seen the value. We're an early stage company, you one of our first and innovative clients. So making sure we're meeting the market and continue to evolve, is extremely important.

Jeff Hudesman:

Absolutely.



Patrick Sheehan:

We are lucky to have had some early success and Phylum has become the standard in software supply chain security due to working with clients like yourself. We really appreciate the early adopters and value constructive feedback. There's a long way for us to go. This is a big problem. But at the end of the day, the feedback that you've been giving us, and our other clients have been giving us, allow us to continue to optimize the platform. So I just want to thank you again for joining us and sharing your thoughts with us today.

Jeff Hudesman:

Absolutely. Thanks for having me.

Subscribe to Our Research

Subscribe to Our Research

Latest Articles

Pick a Python Lockfile and Improve Security
  |   Nov 23, 2022

Pick a Python Lockfile and Improve Security

Python dependency management is a nightmare because there are so man...

Phylum Research Roundtable 2022
  |   Nov 21, 2022

Phylum Research Roundtable 2022

Watch the Phylum Research Roundtable where we discussed Software Sup...

Q&A with Jeff Hudesman, CISO at Pinwheel
Industry Insights   |   Nov 03, 2022

Q&A with Jeff Hudesman, CISO at Pinwheel

Addressing software supply chain risks at the source, before an inci...