CISO Diaries: Jonathan Signorino on Security as the Foundation of Trust in FinTech


In FinTech, security rarely sits quietly in the background; it defines whether the business is trusted at all. Jonathan Signorino, Chief Information Security Officer at Powens Group, operates at the center of that reality, leading security for a regulated Open Finance platform spanning Europe and Latin America. His role sits at the intersection of governance, risk, architecture, and product delivery, where every decision ultimately connects back to one thing: protecting the trust between financial institutions and their customers while still enabling the business to move at speed.

This edition of CISO Diaries explores how that balance is maintained in practice. Signorino shares how he filters signal from noise in a fast-moving regulatory and threat environment, why staying technically grounded remains essential even at the executive level, and how AI is reshaping both attack surfaces and security strategy. His perspective highlights a shift that is becoming central across modern security leadership: success is no longer defined by how much you block, but by how effectively you align security, business strategy, and customer trust in one coherent system.

How do you usually explain what you do to someone outside of cybersecurity?

I usually explain it as the person responsible for protecting something most people do not think about until it breaks: the trust customers and partners place in the company. In FinTech, that trust is the product, so security is not a support function; it is part of what the business sells.

In practical terms, my role is to translate business strategy into a security program that protects the company, supports the regulators we answer to, and enables the teams that move the business forward. When all three are aligned, the role becomes a lot more interesting than just “the person who blocks things.”

What does a “routine” workday look like for you, if such a thing exists?

Routine is probably the wrong word in FinTech, but structure is not. My week follows a clear program with defined priorities, recurring reviews, and well-known interfaces with engineering, compliance, and the business. That structure is what allows the team to absorb the unexpected without losing direction.

Day to day, my time goes into analyzing risk, making and documenting decisions, and translating technical exposure into business terms. The real skill is knowing when something genuinely changes the priorities and when it is just noise dressed up as urgency. Good security leadership, in my view, is mostly about that distinction.

What part of your role takes the most mental energy right now?

Staying ahead of the AI wave, both as a defender and as a target. The pace at which AI-driven threats are evolving makes it genuinely challenging to evaluate whether the program, the strategy, and the daily execution are still pointing at the right problems. That continuous re-evaluation is exhausting in the best possible way.

The other heavy lift is strategic discipline: making sure we are investing resources where they actually reduce risk, not where they feel productive. In a landscape this volatile, saying no to the wrong initiative is as important as saying yes to the right one.

What’s one security habit or routine you personally never skip?

Reading security news every single day, but with intent. Not skimming headlines, but actually understanding what happened, why it worked, and what it would have looked like in our environment. Most of the best decisions I have made in this role started as a story I read in the morning and could not stop thinking about.

A close second is staying technical. The more executive the role becomes, the easier it is to drift into pure strategy and lose touch with how things actually work. I make a deliberate effort to keep that connection alive, because a CISO who cannot challenge their own team on technical detail is a CISO who is easy to mislead, including by themselves.

What does your own personal security setup look like?

Deliberately unremarkable. A password manager for every credential, MFA on everything with hardware-backed factors where it matters, full disk encryption, automated updates, encrypted backups with versioning, and a strict separation between work and personal devices.

If anything stands out, it is the mindset, not the tools. I treat my personal security the same way I treat the company’s: assume something will eventually go wrong, and make sure that when it does, the blast radius is small. The hardest part of personal security is not choosing the right tools; it is being consistent with the boring ones.

What book, podcast, or resource has influenced how you think about leadership or security?

Honestly, the biggest influences in my career have been the managers I have worked with. I have been lucky to work with people who trusted me, gave me opportunities, and shared how they thought about leadership and risk. I kept the best of each of them and built my own perspective from there.

More recently, preparing for the CISSP certification has been surprisingly formative. The “think like a manager” mindset that the exam forces on you is, in itself, a great exercise in shifting from technical execution to security leadership. I also follow a curated group of security leaders on LinkedIn and a few industry news outlets to keep my perspective broad and current.

What’s a lesson you learned the hard way in your career?

In security, nothing happens until it does, and the day it happens is one of the worst days of your career. That single sentence shaped how I prioritize risk, how I invest in detection, and how I communicate urgency to the business.

The lesson behind it is that prevention is invisible until it fails. Building the muscle to detect, contain, and respond at the right moment is what ultimately defines whether your program is mature or just well-documented.

What keeps you up at night right now, from a security perspective?

The pace and creativity of the threat landscape, especially how AI is compressing the time between a new technique appearing and it being used against real targets. The honest version of the question is whether the strategy I am executing today will still be the right one six months from now.

That uncertainty is part of the role, but it is also the reason why staying adaptable and humble about what you do not know matters more than ever.

How do you measure whether your security program is actually working?

The clearest signal for me is whether the security program is actively supporting what the business is trying to achieve. I do not believe in security as an isolated function that inventories assets and applies generic controls. Especially in FinTech, security has to protect, enable, and accelerate the business at the same time.

In practice, that means every security objective is mapped to a business objective, aligned with the short-, medium-, and long-term strategy of the ExCom, and translated into language that the rest of the leadership team can act on. When the board, the product teams, and the security team are looking at the same risks with a shared vocabulary, the program is working.

What advice would you give to someone stepping into their first CISO role today?

Make sure you have real executive sponsorship and visibility from day one. The CISO role today, especially in regulated industries, cannot be executed from a corner of the IT organization. You need a seat at the table, a clear reporting line, and active backing from the ExCom; otherwise you will be solving symptoms instead of root causes.

Beyond that, invest as much energy in understanding the business as you do in understanding the threats. Technical depth is still essential to challenge your team, ask the right questions, and validate decisions, but the modern CISO succeeds or fails based on how well they connect security to strategy, to customers, and to the way the business actually makes money.

What do you think will matter less in security five to ten years from now?

I think the deep, hands-on technical execution that defines a lot of security work today will matter less because AI will absorb a meaningful share of it. Ten years ago, the universal advice was to learn how to code. Coding is still critical, but it is no longer the differentiator it used to be.

What will not be replaced is judgment: the ability to interpret context, challenge assumptions, decide what risks the business should accept, and communicate that clearly to non-technical stakeholders. Security needs stronger leaders and fewer narrow specialists, and AI is going to make that shift even more visible.

Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?

Governing AI and non-human identities. Today, security teams still spend most of their time around human users, endpoints, and traditional infrastructure. In ten years, I expect a large share of the work will be focused on AI agents, machine identities, APIs, and automated decision-making systems that operate faster than any human reviewer can supervise.

That shift will require new disciplines: continuous AI risk assessment, identity governance for non-human actors, real-time third-party and supply-chain risk management, and security programs that can prove resilience on demand rather than once a year. The CISO of 2035 will look much closer to a Chief Trust and Resilience Officer than to a traditional security operator.


John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.