‘The world of crypto has to be secure 100% of the time; otherwise, the trust we’re building may fall’ – Ever wondered what goes into keeping your assets and accounts secure at Uphold? Well, today’s your day; we’re back with another ‘Meet the Team’ interview with our Chief Information Security Officer – Paul.
What do you do at Uphold?
I’m the Chief Information Security Officer at Uphold. This basically means I’m responsible for all things cyber security, essentially covering everything from strategic thinking and protecting our keys down to making sure that people are accessing data on their devices in the right way. I also get involved with asset management, change management, people and physical security. The role of someone in information security is that of a ‘trusted advisor’: you make sure that the crown jewels are identified and risk assessed, and then inform the business about current status and potential courses of action. You’re not supposed to be a yes man. If someone in information security is a yes man, a company like ours will ultimately fail.
Diving into this a bit further, security can be split up into 3 parts: you’ve got confidentiality, availability and data integrity.
Firstly, addressing confidentiality: you’re figuring out whether the company is impacted if a piece of information is lost or stolen. If the information is public, then its being on a website and consumable is not a “loss” of data. If the information is private, then this is a loss, and circumstances leading to a possible publication need to be identified and the risk mitigated.
Secondly, availability. This area involves looking at the risks associated with keeping the lights on: ensuring we’re defining the situations which could threaten our delivering the service to our customers, informing the business of these threats and pushing for change where necessary. The threats to availability could be malicious actors, negligence, broken hardware; anything which threatens uptime.
The third one is data integrity, which is pivotal for our business because if a cryptographic key is wrong in any way, it simply won’t work. We need to make sure that sent pieces of data are private, confidential and highly available so people can use our systems to access the services we provide.
We have people, systems and partners in place to protect us, because there are people out there who will try to undermine each one of those three pillars of security. We require all areas of the firm to pull together to make security effective. You can’t do it on your own, everyone has to be onboard.
What does your day to day look like?
So, information security, and cybersecurity especially, is all about discovering and uncovering the risks to our assets. We need to check if we know about the risks, what controls we currently have in place to reduce them and analyse whether those controls are effective. There’s no point having a lock on the door that permanently has a clasp on. Part of my job is making sure that the assumptions we make about the firm’s doors (being closed) are in fact valid.
We have a mixture of automated and manual ways of checking this. An example of an automated check is constant Bug Bounty attention for vulnerabilities popping up in the application (a Bug Bounty is a program where we pay for bugs that people find in the application; a much better way to spot problems than a ‘traditional’ static test). If there’s a vulnerability, we follow a certain plan; if there aren’t any vulnerabilities, nice one, we move on.
The other side is manual controls; these are things that need to be manually checked by humans. One example of this is an all-access control check on employees that have recently left the company: a member of staff has to double check that their access to all facilities and programmes has been terminated.
Following that, there are high risks, medium risks and low risks when it comes to security. When our risk appetite gets down to the level of what you used to call a medium risk, because all of the high risks have been taken care of, those medium risks then become the new ‘high’ and we act accordingly. Closing the previous ‘easier’ avenues means an intelligent attacker will now direct their attention somewhere else. We have to make the team and management aware and then follow the correct processes to take care of the changing threat landscape.
Another part of my job at Uphold is education. My focus here is to educate both staff and users so that they’re aware of the risks and know how to take adequate precautions to protect themselves. Customers will receive educational emails and be prompted in the app to add extra and better layers of security (like TOTP 2FA). Your work devices are more than likely secure, but we need to keep people educated on their personal cyber security in order for them to keep things secure on their side as well. Social media and personal email profile security is an example of where people may not think they’re vulnerable, but there’s plenty of evidence that attackers don’t respect the work/personal life boundary.
What’s the single most valuable thing you learned at Uphold?
That even when you are dealing with cutting-edge technology, brand new concepts and the smartest people in the industry, common sense is still the most powerful tool to harden a company.
What inspired you to work in crypto?
Traditional security of banks always comes down to physical security, people trust that there are entities that are built of brick, with layers of process to protect their money. There are handoffs that, most of the time, need signatures. We extrapolate those principles of a bank and then essentially wrap semi-incalculable math problems around them to ensure that people are secure. The world of crypto has to be secure 100% of the time; otherwise, the trust we’re building may fall. The world revolves around data, public and private. Distributed ledgers are the biggest shakeup of the boundaries of those worlds, potentially ever.
Trust without opacity. I wanted to be a part of that.
What company values resonate with you the most?
Seamless movement of value between asset classes.
What’s the biggest challenge that you think Uphold is facing right now?
Cryptocurrencies have achieved mainstream awareness, so the expectations are aligning with traditional banking. No more are people happy with just rails into this new world, where they are expected to be tech savvy to get onboard; they want services which they can get from their high street bank with the ease of using Spotify.
What’s a fun fact about you that would surprise us?
I’m a massive Dwarf Fortress fan. All I’m going to say further is you have to read about the ill-fated fortress of Boatmurdered 😉