Coinbase CISO strives to align crypto security with the pace of innovation

When your company is involved in the crypto market, it has a tendency to make you a target. Consider that just last week on February 21st, crypto exchange Bybit dealt with an historic $1.5 billion hack, followed by $4 billion in panic withdrawals. This is the kind of news that has to keep Coinbase CISO Jeff Lunglhofer up at night.
But it's not as simple as locking everything down and hoping this won't happen to us. Running too tight a ship could dampen innovation, which Lunglhofer points out, is the lifeblood of a crypto exchange. “If you don't innovate within 12 months, maybe 18 if you're lucky, you're dead. Your company is gone and the technology and the market have moved past you,” Lunglhofer told FastForward.
Ultimately, it boils down to assessing whether any new feature is worth the potential risk, and how much it will cost if the worst case happens. These are the kinds of decisions he has to make in conjunction with his colleagues across the company. It’s what makes running a crypto exchange so different from running a conventional bank.
Guarding the gates
Lunglhofer, who previously worked at BNY Mellon, a huge conventional bank with over $50 trillion under custody, understands the stark contrast in risk appetite between his previous employer and a crypto exchange. While both types of firms share security concerns when it comes to protecting their core assets, they diverge significantly in their pace of change.
From a security perspective, that creates some interesting challenges. “You've got lots of new products hooking into core systems and that can create risk, and that's something we have to be very cognizant of as we've designed and executed security programs,” he said. (It’s worth noting that the year before Lunglhofer joined the firm, Coinbase suffered a hack.)
Under his watch, they have put a lot of resources into protecting the company’s core custodial assets. “From the Coinbase perspective, that's our institutional deposits that we have in our Prime product, the large volumes of deposits that we hold for companies and individuals, and the amount of protections we put around those is very, very significant.”
He explains that crypto is stored in two ways: cold wallets and hot wallets. Hot wallets are connected to the internet and provide easy access to crypto assets for customers, while cold wallets are stored in cheaper cold storage where they are less accessible. He has to set up his security systems differently for each type, and protecting those cold wallets is one of his most important jobs.
Coinbase heavily protects its cold wallets, which hold the majority of its assets, through multi-party computation (MPC) key management to eliminate single points of failure. “The vast majority of our assets are in cold storage. No one owns them. No one has those keys. In some cases, they have never been assembled in one place, and they are based on our MPC protocols,” he said.
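An added illustration, not Coinbase's code or protocol, of the property Lunglhofer describes: the signing key is never assembled in one place. It is n-of-n Schnorr signing over additive key shares in a toy Schnorr group, where each party keeps its own share and only partial signatures are combined; the group parameters and message are constructed, and real custody MPC uses large elliptic-curve groups, t-of-n thresholds and commitment rounds that this sketch omits.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration only: P = 2Q + 1 is a safe prime
# and G generates the order-Q subgroup. Real custody MPC uses 256-bit curves.
P = 1019
Q = (P - 1) // 2
G = 4

def challenge(r, pub, msg):
    """Fiat-Shamir challenge e = H(r || pub || msg) reduced mod Q."""
    data = f"{r}|{pub}|{msg}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

class Party:
    """One share holder. Its key share x_i and nonce share k_i never leave it."""
    def __init__(self):
        self._x = secrets.randbelow(Q - 1) + 1   # private key share, kept local
        self.pub_share = pow(G, self._x, P)      # y_i = G^x_i, safe to publish

    def nonce_commit(self):
        self._k = secrets.randbelow(Q - 1) + 1   # fresh nonce share per signature
        return pow(G, self._k, P)                # r_i = G^k_i

    def partial_sign(self, e):
        return (self._k - e * self._x) % Q       # s_i = k_i - e * x_i

def joint_public_key(parties):
    """y = prod(y_i) = G^(sum x_i): aggregate key; sum x_i itself is never formed."""
    y = 1
    for p in parties:
        y = (y * p.pub_share) % P
    return y

def threshold_sign(parties, msg):
    """n-of-n signing: r = prod(r_i), e = H(r, y, msg), s = sum(s_i) mod Q."""
    y = joint_public_key(parties)
    r = 1
    for p in parties:
        r = (r * p.nonce_commit()) % P
    e = challenge(r, y, msg)
    s = sum(p.partial_sign(e) for p in parties) % Q
    return (r, s)

def verify(pub, msg, sig):
    """Ordinary Schnorr check G^s * y^e == r; a shared key is indistinguishable."""
    r, s = sig
    e = challenge(r, pub, msg)
    return (pow(G, s, P) * pow(pub, e, P)) % P == r
```

The verifier runs the standard single-key check, so a wallet built this way is externally indistinguishable from one with a single private key, while compromising any one share holder yields nothing usable on its own.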
If the call is coming from inside the house
But it’s not just about protecting the core assets from external threats. Part of protecting crypto assets involves limiting administrative access to core systems to those who absolutely need it. They are very strict when it comes to accessing and committing new code to these systems, requiring multiple checks.
“The highest level of control is reserved for the most sensitive aspects of our core business,” he said. “So if you want to go in and mess with that system or make any updates or changes to the system, which again, is actively handling the hot keys associated with the transactional business of Coinbase, buckle up. I mean, that's a major level of access and tons of approvals are required.”

Yet they can’t put those kinds of obstacles on something less critical like the latest wallet release, so in those cases they put a dollar amount on the estimated risk associated with the change, and they decide if it’s worth it should the worst case scenario play out.
“So for those [less critical] areas of the business, we create risk budgets where we just say, ‘hey, you know what? This is a $5 million potential loss product, or a $10 million loss product,’ and we're willing to take that kind of risk, and if there is an incident, we'll cover it,” he said.
While he didn’t explicitly state where the line was in terms of the cost of acceptable risk, he made clear it’s part of the cost of innovating. “It's really about taking strategic risks in areas of our business where we know we need to innovate in order to grow and satisfy customer demand, and being prepared for and funded to deal with any issues that may come up.”
Communication is critical
Figuring out whether something is critical involves maintaining close communication with his colleagues across the organization. To that end, he has open Slack communications with the head of platform, head of product, all product leads, business leads, head of consumer and all VPs in the organization. “We're having regular conversations around risk and new initiatives or new products that we're rolling out.”
To facilitate decision-making, especially when there's disagreement, Coinbase employs the RAPID (Recommend, Agree, Perform, Input, and Decide) methodology developed by Bain and Company.
“If there's a decision that needs to be made, we will spin up a RAPID which is a typical tech company documentation process where everybody will put in their input. You'll assign a directly responsible individual, a DRI, and that person will make a decision,” he said. Lunglhofer makes sure there is security representation as part of this process, giving the right recommendations so decision makers know exactly what they’re up against from a security perspective.
He acknowledges that even with these systems in place, bad things can and do happen at every company, no matter how careful you are, but he appreciates the culture of accountability they have at Coinbase.
“It's about being as transparent and straightforward about those risks as we can be, and then how you respond when something bad does happen. How quickly you manage it and deal with it really sets a good CISO apart from [the rest].” As we saw with the Bybit hack, you always have to be ready for the worst case scenario and protect against it as best you can.
Featured photo courtesy of Coinbase.