The Next Step on Our Security Journey

Over the past 15 years, I’ve had numerous opportunities to travel the world. Nearly all of that travel was for work and each journey started with a clear goal in mind. The security journey at BlockFi will center on protecting data, people, and systems. Since arriving here, I’ve been focused on the details of my plan for reaching that goal and carefully crafting processes and programs to support it.

There’s an art to building a security program, and it requires careful balance. Aim for something too stringent and the workforce finds ways around it, implement something too flexible and attackers will exploit it.

In the last two months, my team has taken a number of thoughtful steps toward hardening our systems and processes while maintaining that balance. I’ve also spent a great deal of time on understanding the current state of our products and roadmap and building a plan to advance our overall security posture as quickly as possible.

Certainly, this approach includes technology, but it also relies on an aggressive hiring plan. Several names will be added to the team in the coming weeks and months that many in the industry will be happy to see. In fact, if you’re interested in joining the security team, take a look at our current openings: https://boards.greenhouse.io/blockfi.

In my last post, I voiced my commitment to publicly communicating the progress we’re making. I continue to be excited to hear from our community and appreciate those who have reached out already. Now, let’s take a look at the next major step forward.

BlockFi’s security journey started well before I arrived, and I’m fortunate to be leading this team. Prior to operationalizing new tools and establishing new processes, it’s important to start with a high-level goal and reduce that into actionable categories of work. We’ve done that, and are building project plans, implementing hiring strategies, and establishing partnerships to enable execution.

In an effort to be as transparent as possible, I’ve outlined those categories, which we’re calling our Major Security Initiatives. These initiatives include Endpoint, Cloud, Identity, Core Security Services, Custody Operations, Employee Training and Awareness, and Data Governance.

That’s not to say that any of these areas were previously unaddressed, but nearly all organizations can identify opportunities for improvement, especially when it comes to security. Additionally, we’ve mapped these initiatives to an organizational structure that will be responsible for their architecture, engineering, implementation, and support now and in the future. We’ll also continue to evolve our thinking and our plan as the threat landscape changes and our innovation around products and services continues to lead the market.

Within each of these Major Security Initiatives there are several projects–some small, two-day efforts, and some larger, multi-month efforts. We are taking a risk-based approach reinforced by proactive red-teaming and threat objective modeling. We triage each project and prioritize based on risk. This process will continue for the foreseeable future and enable us to not only align with numerous standards but apply proactive, risk-based security design across our systems and processes. This security design will provide layered defenses as we continue to serve our clients.

I’ll continue to provide updates and encourage our clients, partners, and vendors to contact us with any concerns or questions at security@blockfi.com. This email address is a direct line to me and my team.

It’s an exciting time in the crypto industry, and I’m dedicated to helping BlockFi continue to create a safe, steady, and thriving community.