Why security culture is crypto’s strongest asset

In this Help Net Security interview, Norah Beers, CISO at Grayscale, discusses key security challenges in managing crypto assets, adversary tactics, private key management, and securing both hot and cold wallets.


From a threat modeling perspective, what unique adversary tactics do you see in the crypto space that don’t often appear in traditional finance?

The adversaries themselves aren’t fundamentally different between traditional finance and the crypto industry, but certain tactics they employ are distinct, and the sophistication of attackers in the crypto space is notably higher.

Holding and transacting in digital assets requires unique technologies and processes, which means a significant portion of my role involves meticulous diligence when considering custodial and exchange solutions. Since Grayscale does not custody assets, I have the benefit of leveraging the extensive security resources of our third-party qualified custodian partners.

What best practices should crypto asset managers follow when securing private keys and seed phrases?

It’s best practice to ensure depth of controls. It’s crucial to anticipate potential failures and have contingency plans in place. This involves implementing multiple layers of control, including a blend of preventive and detective measures, data integrity controls, and limiting the use of third-party software within the transaction mechanism. Additionally, it’s vital to ensure any approvals require multiple participants.

It’s equally important to have a complete understanding of custodial solutions rather than relying on third parties for this knowledge. Identifying which aspects can be safely delegated to third parties and which should be managed internally is essential. To ensure security integrity, some controls should remain independent of custodians.

How should teams approach securing hot vs. cold wallets, especially in the context of operational agility?

The approach to securing hot and cold wallets should be tailored to the specific needs of the business. Hot wallets, being online, are inherently riskier but also allow for greater speed and efficiency in processing transactions. As a result, they require compensating controls and heightened vigilance.

Conversely, cold storage, which is offline, is ideal for holding assets more securely when they don’t need to be accessed for extended periods of time. The operational agility of a business dictates the balance between the use of hot and cold wallets, ensuring that security measures align with the level of risk associated with each type of wallet.

How can crypto asset managers build a strong security culture among developers and operations teams?

Building a security culture requires employees and investors to understand the potential risks and the importance of their role in mitigating these risks. The crypto asset class tends to attract participants who value security, since the underlying technology is built on security protocols. In my experience, both investors and employees are motivated to see the industry thrive, making it easier to align everyone towards a common goal.

Educating team members about the specific threats and the rationale behind security protocols fosters a proactive security mindset. When employees are invested in the industry’s success, they are more likely to embrace and contribute to a strong security culture.

How do global regulatory expectations influence the security strategy of crypto asset managers?

The crypto industry is still relatively new and is evolving more quickly than the regulatory environment. Even in a regulatory environment, simply meeting regulations should never be considered sufficient security. As a result, security practitioners must continuously pay close attention to the threat landscape and ensure their control posture is appropriate for their risk tolerance.

We leverage established security frameworks to guide our decisions, but we also recognize that traditional frameworks may not always be applicable to the new and evolving technologies specific to crypto. For example, there is no consensus on best practices for custody solutions in the crypto space. Therefore, we continuously innovate and refine our processes, while still adhering to fundamental security principles such as threat modeling, penetration testing, and vulnerability assessments.

Although crypto security and traditional finance security share many commonalities, the dynamic nature of the crypto industry presents opportunities for innovation.
