Q&A: Translating Traditional Crisis Management Practices to Fintech

Financial technology (fintech) services like digital banking, NFTs, blockchain, and cryptocurrency are pushing banking to the next level. But many classic crisis management strategies work here, even without significant physical assets to safeguard.

David Fortino is the director of strategic response for Circle, a fintech and cryptocurrency company aiming to make banking more accessible worldwide through technology. Fortino’s background is in the public sector, specifically as a firefighter, and he says spending time as one of the boots on the ground taught him a lot about “stress management, incident management, and the need for coordination and collaboration under unified command.”

This career choice 15 years ago ignited Fortino’s passion to help and protect people during emergencies. He climbed the ranks from firefighter to supervisor to chief of service before landing a consultant role at the U.S. Federal Emergency Management Agency (FEMA) in New York City. “This transitioned my career from lights and sirens to a more strategic career in emergency management,” he says. After 10 years at FEMA, Fortino branched out into the private sector, building a global crisis management program at a large aerospace/defense company before transitioning into his newly created position at Circle.

All of this experience taught Fortino the fundamentals of crisis management and preparedness, which he then molds to fit the needs of each organization and function. Learn more about his process in this interview with Security Management. It has been lightly edited for clarity.

What is your current role, and what responsibilities does that entail?

Fortino. My current position at Circle Internet Financial is the Director of Strategic Response. I am responsible for identifying, escalating, and coordinating any threats, any unanticipated events, or any negative disruptions that reach a crisis level. This can come from many origins, i.e. natural disasters, active shooter scenarios, terrorist events, mass violence occurrences, or even global pandemics.

Strategic Response is looking broadly across the enterprise, beyond just any immediate threat to people, property, and processes, but also any unpredictable or cascading effects on employee morale, brand reputation, or customer impacts.

What crisis management/business continuity skills did you accrue along your career path so far?

Fortino. At the time, I didn’t think of it this way, but when I was pulling up to a car accident or house fire, I was utilizing the incident management structure. I established a command, I assessed the situation, I determined what the greatest priorities were, I managed resources, and eventually stabilized the situation.

I applied those street-tactical skills into my daily career many years later. Whether it is a security incident, a federal response to a large-scale disaster, or an evacuation of a building, they all use a similar incident management process.

I am simplifying the process a bit, but the more crises, escalations, incidents, and disasters you experience, the better you just get at it. I am fortunate (or unfortunate) to have experienced my forms of response to situations in the public and private sector. The common theme, people’s safety and health are always #1.

What were some of the main challenges when you transitioned to a fintech company?

Fortino. Hmmm, where do I begin? Make no mistake about it, not only did I have to learn about the new position, but I also had to learn about crypto, NFTs, Web3, blockchains, etc. I found this all very exciting because I never want to stop learning. I know the fundamentals of resilience and protection and jumped headfirst into a new industry.

The first challenge is just the change of communication style. In all my previous roles, email was the main source of communication. In most fintech companies, Slack is the main form of communication. In Slack, there are so many different channels and 1:1 messages going off at the same time; you have to be a multitasking person.

Second, like I said, I had to understand the business. How do I protect it? What are our greatest threats? How do we assess risk? What keeps my leadership up at night? I always ask myself the question: “how am I adding value and influence across the business?”

How did the opportunity to create something from the ground up change your approach to building a crisis management program?

Fortino. I love to be creative. When it comes to security and resilience, there isn't one size fits all. I have lots of ideas and thoughts, but I like to start with an assessment to see what is already in place. I like to ask around (talent, information security, legal, tech-ops, IT, etc) how are we doing XYZ today? Are you happy with it? What would you like to see changed? Then I develop a strategy program after my evaluation.

I am very aware not to bring my previous program into a new company. I bring the knowledge and experience, but I remain open-minded to create something that’s right for this new company, the size, the risk tolerance, the expectations.

Should security be a main driver of crisis management programs? How do you decide whether security needs to be deeply involved or not?

Fortino. I think it depends on a lot of circumstances. I agree, it should be about outcomes over organization charts. Is the role at the right level with the right latitude to be able to see across all pillars of the organization? Are your cybersecurity and physical security programs separate? How do you handle crisis communication or reputational concerns?

Each company's structure is unique—what is important is how much support and visibility the crisis role gets.

How have you developed partnerships with other departments and business functions to better enable business continuity at Circle?

Fortino. Circle is a remote-first company. Remote work adds a layer of complexity when we have to respond to or manage a crisis. Gone are the days of calling an impromptu meeting and gathering in a conference room to handle the crisis. You need to develop relationships with people. I try to “get out there” on Slack or Google Chat and meet as many people as possible. Taking time to talk about the value of your program and how each line of business helps support you is important. Reach out, get four minutes on their calendar, make yourself known across the organization. It is not always easy, but putting yourself out there is how those relationships get created.

Cryptocurrency and fintech can be a volatile industry—how do outside incidents, such as the FTX crash, affect your crisis management and business continuity cycle?

Fortino. I do not get distracted by others. Yes, we have tools in place to monitor risks. However, I am 100 percent focused on Circle and building out global resilience and a strategic response program that the company deserves. Circle is a very transparent, open company, where they encourage walls to be broken down to get the job done. They don’t tolerate “stay in your lane” or “that’s not my job” behavior. We have the opportunity to fundamentally change how we move money around the world and serve those communities who do not have access to a local bank or checking account.

Claire Meyer is managing editor for Security Management. Connect with her on LinkedIn or email her directly at [email protected].