In our industry, hackers’ methodologies evolve rapidly, and new kinds of threats appear all the time. What are some of the threats you’re keeping an eye on today as a CISO?
There is a new generation of attack threats that AI has made much more dangerous (e.g. phishing, deep-fake schemes, and other AI-based attacks). There are also new crypto-related threats to be aware of, including attacks based on smart contract vulnerabilities, threats against exchanges, logic flaws, and more.
In addition to phishing and threats related to the code of smart contracts, a CISO today should be on the lookout for insider threat scenarios, third-party risks, advanced persistent threats (APTs), data breaches, and threats related to misconfigurations or code that contains vulnerabilities.
Building off of the above question – what are some of the best ways of mitigating today’s constantly evolving threats? What technologies and tools are making an impact for your organization in terms of security?
Mitigating today’s threats requires a solid security strategy. This strategy should be holistic, and should rely on a multi-layered approach (A.K.A. defense-in-depth).
The guiding principle that a CISO should adopt in each layer of their security stack is that of an offensive approach, and reducing the attack surface as much as possible. Reducing attack surface can be achieved with zero-trust and least privileges principles.
The above should be implemented in the following 5 domains:
- Research & Development – research of blockchain vulnerabilities, smart contract validation, potential business flaws in contracts, master blockchain threats (e.g. 51% attacks, double spending, encryptions, etc.)
- Application Security – verify that the cloud infrastructure is resilient to cyber attacks and that code produced in the development life cycle does not contain vulnerabilities. Conduct code reviews and offensive validation of code and infrastructure that serve sensitive information
- Corporate security – sensitive data in corporate SaaS settings should be secured from data leaks; this also covers identity and access management, corporate networks, and endpoint security
- Security Operations – 24/7 monitoring of cyber alerts and incidents, utilizing updated cyber intelligence feeds and threats, detecting and responding to incidents, anomalies, and user behaviors, and preparing the organization for crisis management
- Governance, Risk, and Compliance Management – the crypto market is evolving and so are regulations in different geographies. It’s best to stand at the highest level of security maturity, with clear risk management procedures, comprehensive user awareness training, a robust insider threat mitigation program, internal & external audits, etc.
Promoting a culture of security awareness among employees is very important. How do you approach security education and training at your organization?
At Fireblocks, we have an awareness program that is built on 3 layers:
- Onboardings – each employee goes through an e-learning of basic security training. In addition, there is training designed according to the employees’ roles at Fireblocks (e.g., developers are trained in basic code security practices, finance is trained in security awareness when accessing financial information, etc.).
- Phishing drills – every few months, the security team generates customized phishing attacks based on real ones in the market. Both direct managers and the ELT analyze and track those attacks. In addition, employees who need reinforcement in information security are automatically identified and transferred to a personal e-training program. Positive incentives, such as company-wide games, Kudos, or swag, also create a buzz around detecting phishing attempts.
- Awareness sessions
  - Additional security awareness sessions are performed for specific departments based on security attacks and trends worldwide
  - Company-wide meetings are another platform for our CISO or CEO to reiterate the importance of security awareness in everything we do at Fireblocks. Updates on the latest attack trends (e.g. AI or deep-fake attacks) are given from time to time.
The regulatory landscape in blockchain is always evolving, and can be unclear/region-dependent. How do regulations and compliance play into your role as CISO?
From a CISO’s perspective, the governance and compliance team needs to be ahead of the curve. We look to provide our customers with security solutions that will enable them to remain compliant with regulations, regardless of where they may be located. This requires understanding the regulatory landscape in different regions, as well as how regulations may vary from industry to industry. For example, if a bank in Australia is legally required to announce a security incident within 48 hours, the security team needs to be able to address this requirement. This obviously poses great challenges, as different regulators have different requirements. A mature security program, where processes and compliance are in place, should be able to cope with such requirements, and allow the customers to function within these regulatory standards.
What do you look for when integrating a third-party solution or technology provider into your organization’s security stack? Are there certain qualifications (e.g. rigorous, independent audits) that you look for?
Third Party Risk Management (TPRM) is one of the most challenging risks any CISO has to manage. There are many pivot points with TPRM:
- TPRM within a company’s codebase or CI/CD process
- TPRM within your corporate/SaaS environment
- External suppliers providing services to a company
There are different solutions for each of the above, and generally speaking a CISO has to verify 2 things:
- The security posture of the external provider. For this, a company should verify the maturity of the supplier’s security program. This includes certifications such as SOC 2 / ISO, and conducting processes such as audits and penetration tests. Answering security questionnaires and checking the attack surface of the supplier on the web can also help. Conducting a security analysis review with the supplier to address gaps can be paramount. While those are basic steps a company should take when working with third parties, they’re not enough on their own.
- The implementation that is being done within your company. Here lies the real risk reduction. This means connecting the external party through least privilege principles, verifying minimum data is being exported, ensuring keys are being rotated, and checking for encryption in transfer and in storage. It’s also important to monitor for deviation and identify when the supplier has been breached. Putting security guardrails around your implementation is essential.
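The second bullet above names the guardrails that actually reduce risk on your side of a third-party integration: least-privilege access, minimal data export, key rotation, encryption in transit and at rest, and monitoring for deviation. The following is an added example (not Fireblocks code or any product of theirs) of how a security team might encode those guardrails as an automated audit over an inventory of vendor integrations. The inventory entries, the 90-day rotation limit, the 3x egress deviation factor and the integration names are all constructed for illustration.

```python
"""Guardrail audit for third-party integrations (added example, constructed data).

Each integration record describes what a vendor was granted versus what it
needs, what data flows out versus what was approved, the age of its access
key, whether transport and storage encryption are enforced, and observed
egress versus the agreed baseline. audit_integration() turns the gaps into
findings a TPRM owner can act on.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_KEY_AGE_DAYS = 90       # assumed rotation policy, not a vendor requirement
DEVIATION_FACTOR = 3.0      # egress above 3x baseline is treated as a deviation
TODAY = date(2024, 6, 1)    # constructed reference date so the example is deterministic


@dataclass
class Integration:
    name: str
    granted_scopes: set[str]
    required_scopes: set[str]
    exported_fields: set[str]
    approved_fields: set[str]
    key_created: date
    tls_required: bool
    encrypted_at_rest: bool
    baseline_daily_egress_mb: float
    observed_daily_egress_mb: float


def audit_integration(i: Integration, today: date) -> list[str]:
    """Return one finding per guardrail the integration violates."""
    findings: list[str] = []

    # Least privilege: anything granted beyond what the integration needs.
    excess = i.granted_scopes - i.required_scopes
    if excess:
        findings.append(f"least-privilege: excess scopes {sorted(excess)}")

    # Data minimization: fields leaving the company that were never approved.
    extra = i.exported_fields - i.approved_fields
    if extra:
        findings.append(f"data-minimization: unapproved fields exported {sorted(extra)}")

    # Key rotation: age of the credential the vendor holds.
    age = (today - i.key_created).days
    if age > MAX_KEY_AGE_DAYS:
        findings.append(f"key-rotation: key is {age} days old (max {MAX_KEY_AGE_DAYS})")

    # Encryption in transit and at rest.
    if not i.tls_required:
        findings.append("encryption-in-transit: TLS not enforced on the integration endpoint")
    if not i.encrypted_at_rest:
        findings.append("encryption-at-rest: data shared with the vendor is stored unencrypted")

    # Deviation monitoring: a jump in egress is a signal worth investigating,
    # including the case where the supplier itself has been compromised.
    if i.observed_daily_egress_mb > DEVIATION_FACTOR * i.baseline_daily_egress_mb:
        findings.append(
            f"deviation: egress {i.observed_daily_egress_mb:.0f} MB/day vs "
            f"baseline {i.baseline_daily_egress_mb:.0f} MB/day"
        )
    return findings


def audit_all(integrations: list[Integration], today: date) -> dict[str, list[str]]:
    """Map each integration name to its list of findings (empty list = clean)."""
    return {i.name: audit_integration(i, today) for i in integrations}


# Constructed inventory: one well-scoped integration and one that drifted.
SAMPLE_INTEGRATIONS = [
    Integration(
        name="payroll-saas",
        granted_scopes={"read:employees"},
        required_scopes={"read:employees"},
        exported_fields={"employee_id", "salary"},
        approved_fields={"employee_id", "salary"},
        key_created=TODAY - timedelta(days=30),
        tls_required=True,
        encrypted_at_rest=True,
        baseline_daily_egress_mb=10.0,
        observed_daily_egress_mb=12.0,
    ),
    Integration(
        name="analytics-vendor",
        granted_scopes={"read:transactions", "write:transactions", "admin"},
        required_scopes={"read:transactions"},
        exported_fields={"tx_id", "amount", "customer_email"},
        approved_fields={"tx_id", "amount"},
        key_created=TODAY - timedelta(days=200),
        tls_required=False,
        encrypted_at_rest=True,
        baseline_daily_egress_mb=50.0,
        observed_daily_egress_mb=400.0,
    ),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INTEGRATIONS, TODAY).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run as a scheduled job against a real inventory (pulled from your IdP, secrets manager and egress telemetry), the same checks give the "monitor for deviation" step a concrete trigger rather than relying on the vendor to report its own breach.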
As a CISO, it’s your responsibility to constantly be on the lookout for threats, and to ensure your employees are doing the same. How do you strike a balance between maintaining vigilance and fostering a sustainable working environment?
That is indeed a challenge. The answer lies in the right balance between managing security risks and allowing a company to reach its business objectives. Good communication between stakeholders is a must. As a CISO, you can’t “win them all,” and you need to take calculated risks in order to maintain growth, speed and efficiency of the company. In some cases preventive controls will be set, in other cases compensating controls will need to be in place. Risk management is an art, and good communication allows us to understand both sides’ concerns and find solutions. This is what makes a good CISO.
If you could give one piece of advice to fellow CISOs in the crypto and digital asset space, what would it be?
Manage your risks while prioritizing your mitigations. Continuously evolve your security measures to mitigate the ever-changing threat landscape in the crypto industry.