Startup Life: From DevOps to Filling Out Compliance Spreadsheets
This content originally appeared on DEV Community and was authored by César Sepúlveda Barra

This is not the YAML I was hoping for.

At the end of 2021, I joined a young fintech startup with a brilliant idea: build a lending-as-a-service platform. The concept was fresh, bold, and quite unique in Latin America. By integrating with payment providers, we could access anonymized transaction data from small businesses and assess their cash flow. Based on that, we offered them credit, something they couldn’t easily get from traditional banks. Repayments were automatically deducted as a percentage of their daily sales.

I absolutely loved the idea. It was one of those concepts that make you stop and think, “Why didn’t I come up with this myself?”

At the time, we were around fifteen people, with a single partner, and a huge list of things that still needed to be built. I came in to do what I enjoy most: build systems, automate everything, deploy scalable infrastructure, and spend time with AWS and Kubernetes without being questioned. Life was great.

As the company grew and more partners joined, new requirements started to appear. One of the biggest was the need to show we took information security seriously. After some evaluation, we decided to go after a strong and recognizable credential, one that would quickly communicate our commitment to data protection. Since we were operating mainly in Latin America, we chose ISO 27001.

At that point, the company had grown to about fifty people. The infrastructure team? Still just two. A CISO? Not even close to being on the hiring roadmap. So I volunteered, or maybe I just didn’t push back hard enough, and took the lead. I immersed myself in ISO 27001, SOC 2, GDPR, and talked to various auditors and compliance platforms like Vanta. Thanks to a well-structured company and a very capable team, we achieved certification without much pain.

That is when the real story began. Without noticing, I had become the visible face of security.

Fast forward to today, two years after getting our ISO 27001 certification, I am also leading our GDPR efforts. The company now has around seventy people, and more are joining soon. We still do not have a CISO, and the infrastructure team remains the same two people, plus a junior IT guy who is learning DevOps.

But the scope of my role has grown much further than infrastructure.

Now I am also responsible for our ISMS, our MDM systems, and the onboarding and offboarding processes for the company. I still manage infrastructure, but I also spend a good chunk of my day inside MDM tools, updating security documentation, and trying to figure out which version of macOS broke the latest MDM policy. I am the go-to person for every security questionnaire, every due diligence request, and every enormous spreadsheet that asks for proof we are not reckless with data.

I never planned for this to happen. I did not even realize it was happening until I noticed I had not opened a terminal in three days.

There is still no CISO in sight, and although I am proud of what we have built, I cannot deny how much I miss the work I came here to do. I miss writing code, improving automation, and building systems that quietly and reliably support the business. Instead, I now spend more time inside shared folders than inside Kubernetes clusters.

This is not a complaint. Well, maybe a little. But it is mostly a word of caution for others who tend to be helpful and say yes without thinking too much. Being good at something often leads people to ask for more. If you do not draw a line, you may one day find yourself running several departments you never intended to create.

Being capable is not enough. You also need to know when to say no. Otherwise, what you do well today might become what you do exclusively tomorrow.

And believe me, managing a production cluster might be challenging, but it’s nothing compared to how boring it is to fill out 150-question forms packed with evidence requests.
