In a recent interview with Help Net Security, Norah Beers, the Chief Information Security Officer (CISO) at Grayscale, shared insights into the key security challenges of managing crypto assets: adversary tactics, private key management, and securing both hot and cold wallets.
When asked about unique adversary tactics in the crypto space, Beers highlighted that while the adversaries themselves may not be fundamentally different between traditional finance and the crypto industry, the tactics employed by attackers in the crypto space are notably more sophisticated. She emphasized the importance of meticulous diligence when considering custodial and exchange solutions, especially since Grayscale does not custody assets and relies on third-party qualified custodian partners.
In terms of best practices for securing private keys and seed phrases, Beers stressed the need for depth of controls and contingency plans in case of potential failures. She recommended implementing multiple layers of control, data integrity controls, and limiting the use of third-party software in the transaction mechanism. Beers also highlighted the importance of having a complete understanding of custodial solutions and ensuring some controls remain independent of custodians.
When it comes to securing hot vs. cold wallets, Beers suggested tailoring the approach to the specific needs of the business. Hot wallets, being online, are riskier but offer greater speed and efficiency in processing transactions, so they require compensating controls and heightened vigilance. Cold storage, being offline, is ideal for holding assets securely for extended periods. The operational agility the business needs should dictate the balance between hot and cold wallets.
Building a strong security culture among developers and operations teams, according to Beers, involves educating team members about specific threats and the rationale behind security protocols. She noted that the crypto asset class tends to attract participants who value security, making it easier to align everyone towards a common goal of mitigating risks and fostering a proactive security mindset within the organization.
Regarding global regulatory expectations, Beers acknowledged the rapidly evolving nature of the crypto industry in comparison to the regulatory environment. She emphasized that meeting regulations should never be the sole basis for security and that security practitioners must remain vigilant in adapting their control posture to the ever-changing threat landscape. Beers mentioned leveraging established security frameworks while also innovating and refining processes specific to the unique challenges of the crypto space.
In conclusion, Beers highlighted the opportunities for innovation in the dynamic crypto industry, emphasizing the need for continuous improvement and adaptation in security strategies to stay ahead of evolving threats and regulatory expectations.
