Doug Innocenti: A Visionary Leader in Cybersecurity and FinTech Innovation


“In finance and technology, security forms the foundation of trust and drives innovation.” -Doug Innocenti.

Doug Innocenti is a distinguished cybersecurity, information technology, and financial technology leader. He brings decades of experience to his role as a strategist and innovator. With a sharp focus on bridging the gap between cutting-edge technology and secure, scalable solutions, Doug has been instrumental in shaping the cybersecurity industry within the crypto and fintech industries.

As a champion of proactive security measures, Doug has guided organizations toward building robust infrastructures that prioritize prevention, adaptability, and compliance. His leadership extends beyond technical expertise, developing cross-functional collaboration and cultivating a culture of transparency and trust within his teams. Doug’s commitment to advancing secure and user-friendly financial systems has positioned him as a decentralized finance, regulatory alignment, and enterprise security leader. His ability to blend visionary thinking with actionable strategies makes him a driving force behind MoonPay’s global success and continued innovation.

In this interview, Doug shares his thoughts on the evolution of cybersecurity in the crypto and fintech industries, strategies for balancing innovation with security, and the importance of nurturing cross-functional collaboration.

Let’s dive into Doug’s vision for a secure and innovative future at MoonPay and beyond:

With your extensive experience in IT and security, how has the cybersecurity sector evolved over the years, especially in the fintech and crypto space, and what do you believe are the biggest challenges companies like MoonPay face today?

Cybersecurity is a game of 3-D chess between threat actors, governments, individuals, and companies. It is a cat-and-mouse game—threat actors grow more sophisticated while organizations constantly adapt to new methods of attack. Crypto and fintech companies, specifically, are at the center of threat actors’ attention due to our sensitive financial and personal information.

At MoonPay, our cybersecurity strategy revolves around four key pillars: prevent, detect, respond and recover. Prevention is our top priority. By staying ahead of potential threats, we create robust defenses that protect our users and systems before incidents occur.

Further, it’s also critical that our users know how to stay safe online. We want to give them the knowledge they need to protect themselves, so we offer resources and tools to help them stay informed and ahead of potential threats. The security team’s ultimate job at MoonPay is to protect the organization and our customers while enabling them to protect themselves.

As MoonPay’s CISO, how do you balance the need for cutting-edge security with the innovative and fast-growing nature of the crypto and fintech industries? Can you share an example of where this balance was tested?

Our constant challenge is balancing the need to innovate quickly with the obligation to maintain robust security in our products. To support the product and engineering teams, our team focuses on enabling developers to move fast while embedding security into the software development lifecycle.

The key is to “shift security left”—bringing security considerations into the development process earlier. By integrating security into every phase of the software development lifecycle, from planning and design to coding, testing, and deployment, we create an environment where developers can innovate without being slowed down by security bottlenecks. For example, automated security checks, such as static application security testing (SAST) and dynamic application security testing (DAST), are built into CI/CD pipelines, enabling developers to identify and resolve vulnerabilities as quickly and efficiently as possible.

At the end of last year, we launched our latest product, MoonPay Balance, which enables users to hold cash balances in their non-custodial MoonPay account. Integrating security reviews into every phase of the development process was critical.

Our security team developed an internal methodology that automated defect and vulnerability management. This improved security engineering engagement and response times and ensured that security considerations didn’t impede developers. Ultimately, this type of approach cultivates a more collaborative relationship between engineering and security, reinforcing the value of security being at the core of the engineering lifecycle.

MoonPay operates in a highly regulated environment. How do you ensure compliance with global regulations while maintaining agility and innovation within the company’s security strategy?

The crypto industry has a very challenging regulatory environment, and the rules of the road constantly change as this relatively new industry becomes more established.

As a foundation, our team must have a deep understanding of global regulatory frameworks, such as GDPR, AML, and CCPA. We work closely with our compliance team to monitor for any updates or changes. We also leverage automation where we can. Automated tools help us monitor transactions for suspicious activity, ensure data encryption standards are met, and generate audit-ready reports.

Lastly, we constantly collaborate with compliance, legal, product and engineering to ensure we stay compliant while enabling innovation.

In overseeing IT strategy and security governance, how do you align the company’s broader business objectives with the technical and security goals? Could you share a specific instance where this alignment led to a successful outcome?

Maintaining a certified information security program at MoonPay, encompassing PCI, SOC2 Type II, and ISO 27001, means integrating security as a fundamental element of our culture. A security-first culture includes regular training, awareness programs, and a commitment to proactively identifying and mitigating potential risks. We also invest in advanced technologies to safeguard our systems, data, and customer assets, including multi-factor authentication, intrusion detection systems, and continuous real-time monitoring to respond to threats.

In 2024, as MoonPay expanded its products and licensing globally, the Global InfoSec program was tasked with adapting to support multiple regulatory regions, all applied to a common technology infrastructure. The IT and security teams not only added additional certifications with ISO but also met the challenge of maintaining the global program without compromising our security posture. This was a great example of our team’s ability to adapt and enhance security standards while supporting rapid business expansion.

Given your experience with deploying SaaS, contact centers, and infrastructure platforms, how do you assess and mitigate the unique security risks associated with these technologies in the fintech space?

I’ve worked with several different technologies, and I’ve realized something important: even though each one has its own uses, they all share the same basic building blocks: things like data structures, algorithms, how the system is put together, etc. But out of everything I’ve seen, contact center architecture and security are the toughest. Contact centers are the central hub for customer interactions—phone calls, emails, chats, social media—so they have to be super reliable and able to handle massive amounts of activity. And they deal with sensitive customer data.

In addition, customers’ expectations and technology are constantly changing, making things even more complicated. Contact centers must be flexible to keep up with new communication channels, technologies, and customers’ wants.

It takes a deep understanding of the technical side and how things work in the real world to ensure customers have a good experience and their data stays safe. As I’ve told people before, if you want to know about technology and security, go into contact center technologies. It’s a proving ground where you need to master all layers.

Collaboration with internal teams like product, engineering, legal, and regulatory groups is critical in your role. How do you ensure these cross-functional teams work effectively to achieve your IT and security goals?

Cross-functional collaboration is at the heart of successful organizations. At MoonPay, we cultivate this collaboration through shared OKRs (objectives and key results) and by tracking the OKRs of other teams.

Collaboration is most impactful during the planning cycle, where understanding each team’s roadmaps and key results is crucial. By aligning goals and priorities across teams, we ensure everyone has the right objectives, clear visibility into others’ goals, and opportunities to provide constructive feedback.

Ultimately, effective collaboration is about balancing priorities. If another team has items they want to include on my roadmap, it’s essential to work together to determine what needs to be prioritized. Senior leaders play a crucial role in this process by ensuring that the organization is aligned on the most critical objectives and that resources are allocated effectively.

Can you describe a major IT or security initiative you led at MoonPay? What were the key challenges, and how did you ensure its successful implementation and integration across platforms?

Over the past three years, MoonPay has undertaken a comprehensive initiative to overhaul and fortify its IT and security infrastructure. Achieving this required a complete dismantling and reconstruction of the entire infrastructure, encompassing everything from endpoints and security protocols to authentication mechanisms and cloud platforms. The overarching strategy and methodology also necessitated a thorough reevaluation and redesign.

The tangible outcomes of this extensive undertaking are reflected in the numerous certifications that MoonPay has successfully attained, including ISO 27001, ISO 27018, SOC2 Type 2, and PCI. These certifications underscore our commitment to upholding the highest information security and data privacy standards.

Our commitment to security strengthens the organization’s internal operations and positions MoonPay as a leader in the industry. As the crypto industry continues to evolve, our dedication to maintaining a secure and reliable infrastructure will be a cornerstone of our success in the years to come.

With the increasing focus on resilience in cybersecurity, what key strategies do you implement to ensure that MoonPay’s infrastructure remains resilient and operational even during high-stakes incidents or attacks?

There are two types of security controls: automated and manual. Relying on manual efforts to secure networks doesn’t scale. At MoonPay, we aim to implement automated security controls so that they are in practice 24/7. Automation is the only scalable solution for security in a company, which is why it’s an integral part of our security stack. For instance, by building and deploying secure application frameworks, we can prevent incidents before they occur – removing vulnerabilities at the root.

While prevention is the ideal focus, with robust frameworks and automated controls, we can also minimize the time spent in response and recovery. By ensuring developers use secure application frameworks, we create a system where specific security issues are eliminated, providing long-term confidence in our defenses.

As a leader with a deep technical background, how do you nurture a culture of cybersecurity awareness and continuous improvement within your team and across the organization?

Security and IT often operate as “black boxes,” where the inner workings remain hidden. To cultivate cybersecurity awareness and a culture of continuous improvement, it’s essential to establish a transparent framework where the rationale behind security measures is openly shared.

By demonstrating the reasoning behind policies, even the more stringent ones, employees gain a deeper understanding of their necessity and are more likely to embrace them. Of course, certain aspects of security cannot always be fully disclosed. However, establishing a trust and open communication baseline makes these decisions more likely to be understood and accepted.

Looking ahead, what trends in the intersection of fintech, crypto, and cybersecurity are you most excited about, and how is MoonPay preparing for these developments in IT and security infrastructure?

I’m particularly excited about the convergence of decentralized finance and traditional financial systems. Our latest product, MoonPay Balance, will completely transform the decentralized field by making it more approachable to new users—more like the “TradFi” experience.

As decentralized protocols mature and become more interoperable, we’ll also see increased institutional adoption and the emergence of hybrid financial products that blend the best of both worlds. This will require robust security measures to protect against hacks and exploits and regulatory compliance to ensure consumer protection and financial stability. I am proud that MoonPay is actively investing in advanced security infrastructure and compliance frameworks to support these future innovations.

MoonPay had an incredible year. We partnered with Venmo and PayPal, opened our new London office, and broke records for nearly every financial metric. What’s important is that we can maintain this growth level while protecting our customers and partners. That’s fundamentally what my team and I do on a day-to-day basis.