When a UK fintech startup needed to win enterprise contracts, they faced a common challenge: prospective customers demanded evidence of robust identity security—but they had no way to demonstrate it. Here's how they transformed their identity posture in 14 days.
The challenge
FintechCo (name changed) had grown rapidly to 85 employees. Their product served 12 enterprise customers, but they were pursuing several Fortune 500 prospects who required rigorous security due diligence.
The problem: Their identity infrastructure had grown organically:
- Multiple cloud platforms with inconsistent controls
- No unified view of who had access to what
- Manual onboarding and offboarding processes
- No way to demonstrate security to prospects
The pressure: A major enterprise deal was at stake. The prospect's security questionnaire included detailed questions about identity security—questions FintechCo couldn't answer confidently.
The situation before
FintechCo's identity landscape looked like many growing startups:
Systems in use:
- Google Workspace for productivity
- AWS for infrastructure
- 15+ SaaS tools (CRM, HR, finance, development)
- Custom applications with various auth methods
Security gaps:
- No MFA on several internal tools
- No visibility into contractor access
- Inconsistent access reviews
- No documentation of identity policies
Business impact:
- Enterprise deals stalling due to security concerns
- No way to respond to security questionnaires
- Growing anxiety about identity risks
- Board demanding answers
The 14-day transformation
FintechCo implemented a structured approach to identity security in just two weeks.
Days 1-3: Discovery and assessment
The first phase focused on understanding what existed:
Identity discovery:
- Connected to Google Workspace, AWS, and key SaaS tools
- Discovered 127 user accounts across all systems
- Found 23 contractor accounts with varying access levels
- Identified 8 admin roles across different platforms
Risk identification:
- 12 dormant accounts from former employees
- 3 contractor accounts with excessive permissions
- 5 systems without MFA enforced
- No documentation of access policies
Prioritisation:
- Critical: Dormant accounts, excessive contractor access
- High: MFA gaps, admin role clarity
- Medium: Documentation, policy formalisation
Days 4-7: Quick wins
The second phase addressed the highest risks immediately:
Dormant account remediation:
- Reviewed all 12 dormant accounts
- Disabled 9 accounts from departed employees
- Flagged 3 accounts for manager verification
Contractor access review:
- Reduced contractor access to minimum necessary
- Removed admin permissions from contractors
- Implemented 90-day access expiration
MFA rollout:
- Enforced MFA on all critical systems
- Implemented authenticator app requirement
- Created MFA exceptions process
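The discovery checks of days 1-3 and the quick wins of days 4-7, as an added example that is not FintechCo's tooling or code from this page: a Python script that runs the dormant-account, contractor-access and MFA checks over a constructed account export and turns the findings into an action list. The account records, the 90-day dormancy threshold and the action names are assumptions; only the 90-day contractor expiration comes from the page.

```python
from collections import namedtuple
from datetime import date

Account = namedtuple("Account", "user system kind admin mfa last_login departed granted")
ACCOUNTS = [  # constructed sample export, not FintechCo's data: one row per account per system
    Account("alice", "google", "employee", True, True, "2024-03-08", False, "2022-01-10"),
    Account("bob", "aws", "employee", False, True, "2023-10-02", True, "2022-05-01"),
    Account("carol", "crm", "employee", False, False, "2023-11-20", False, "2023-02-01"),
    Account("dave", "aws", "contractor", True, True, "2024-03-05", False, "2023-09-15"),
    Account("erin", "github", "contractor", False, False, "2024-03-09", False, "2024-02-01"),
]
TODAY = date(2024, 3, 10)  # fixed so the run is reproducible
DORMANT_DAYS = 90          # assumed dormancy threshold (the page gives none)
CONTRACTOR_MAX_DAYS = 90   # the page's 90-day contractor access expiration

def days_since(iso, today=TODAY):
    return (today - date.fromisoformat(iso)).days

def assess(accounts, today=TODAY):
    """Days 1-3: bucket each account into the page's risk categories."""
    f = {"dormant": [], "contractor_admin": [], "contractor_expired": [], "no_mfa": set()}
    for a in accounts:
        ident = f"{a.user}@{a.system}"
        if a.departed or days_since(a.last_login, today) > DORMANT_DAYS:
            f["dormant"].append(ident)
        if a.kind == "contractor" and a.admin:
            f["contractor_admin"].append(ident)
        if a.kind == "contractor" and days_since(a.granted, today) > CONTRACTOR_MAX_DAYS:
            f["contractor_expired"].append(ident)
        if not a.mfa:
            f["no_mfa"].add(a.system)  # MFA enforcement is a per-system gap
    f["no_mfa"] = sorted(f["no_mfa"])
    return f

def remediate(accounts, today=TODAY):
    """Days 4-7: the quick-win action list; nothing here changes a real system."""
    actions = set()
    for a in accounts:
        ident = f"{a.user}@{a.system}"
        if a.departed:                                        # departed: disable outright
            actions.add(("disable", ident))
        elif days_since(a.last_login, today) > DORMANT_DAYS:  # dormant but employed: verify
            actions.add(("verify_with_manager", ident))
        if a.kind == "contractor" and a.admin:
            actions.add(("remove_admin", ident))
        if a.kind == "contractor" and days_since(a.granted, today) > CONTRACTOR_MAX_DAYS:
            actions.add(("expire_access", ident))
        if not a.mfa:
            actions.add(("enforce_mfa", a.system))
    return sorted(actions)
```

Run `assess(ACCOUNTS)` first to get the day 1-3 findings, then `remediate(ACCOUNTS)` for the ordered action list; departed employees are disabled outright while still-employed dormant accounts are only flagged, matching the 9/3 split on the page.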
Days 8-11: Foundation building
The third phase built sustainable processes:
Access review process:
- Implemented quarterly access reviews
- Created access request workflow
- Documented role-based access
Policy documentation:
- Created identity security policy
- Documented exception process
- Established ownership and accountability
Visibility dashboard:
- Deployed identity security dashboard
- Set up alerts for anomalous activity
- Created reporting for board updates
Days 12-14: Validation and demonstration
The final phase proved the security posture:
Security questionnaire response:
- Documented all identity controls
- Created evidence package for auditors
- Mapped controls to common frameworks
Board presentation:
- Presented identity security roadmap
- Demonstrated visibility improvements
- Showed risk reduction metrics
Enterprise sales enablement:
- Created security whitepaper
- Developed customer-facing documentation
- Trained sales team on security messaging
The results
After 14 days, FintechCo had transformed their identity security:
Security improvements
- Zero dormant accounts from former employees
- 100% MFA coverage on critical systems
- Documented policies for access management
- Continuous visibility into identity landscape
Business outcomes
- Won the enterprise deal worth £500K ARR
- Secured Series A funding with improved security posture
- Responded to 12 security questionnaires in first quarter
- Improved board confidence in security programme
Metrics achieved
- Identity coverage: 0% → 98%
- MFA enforcement: 67% → 100%
- Access review completion: 0% → 100%
- Time to respond to security questionnaires: 2 weeks → 2 days
What made it work
FintechCo's rapid transformation succeeded because of several factors:
Executive sponsorship
The CTO prioritised identity security and allocated resources. The board received regular updates. Security wasn't competing for attention.
Focused approach
Rather than trying to do everything at once, they prioritised high-impact actions. They built foundations progressively.
Automation
They implemented tools that automated discovery and monitoring. Manual processes would have taken months.
Documentation
They created evidence from day one. Every action was documented for future reference.
Key takeaways
For other organisations facing similar challenges:
Start with visibility
You can't secure what you can't see. Understanding your identity landscape is the essential first step.
Prioritise ruthlessly
Not all risks are equal. Focus on the highest-impact issues first—dormant accounts, excessive access, MFA gaps.
Build incrementally
Don't try to do everything at once. Build foundations progressively and mature over time.
Document everything
Create evidence from the start. Every control, every review, every decision should be documented.
Make it sustainable
The goal isn't a one-time project—it's sustainable ongoing security. Build processes that can continue.
The path forward
FintechCo continued to mature their identity security programme:
- Month 3: Implemented automated access certification
- Month 6: Achieved Cyber Essentials certification
- Month 12: Began SOC 2 preparation
Two years later, they have:
- 50+ enterprise customers
- SOC 2 Type II certification
- Zero identity-related security incidents
Their identity security journey started with a single two-week sprint. The key was starting.