Blockchain technology is being implemented and explored for a variety of applications, and that means CISOs need to take a good, hard look to understand the technology and how to secure it.
Cryptocurrencies are the most prominent use of this digitally distributed, decentralized, public ledger. That’s something I’m very familiar with as global chief information security officer at gsr.io, a global crypto market maker, and as a former regulator for the Federal Reserve Bank of New York.
Crypto has been in the news lately because of the big plunge in its value. As with any other asset class, volatility should not be a surprise. All other asset classes have seen bear markets. If anything, this will allow crypto companies and platforms with solid value propositions to emerge stronger.
It will also strengthen the case for regulation to ensure the proper investor protections are in place. Digital assets offer great promise; however, there are still many scams. Most regulators have acknowledged that digital assets are here to stay, making them relevant for CISOs.
Maybe you do not work directly in the crypto industry. However, if you’re part of an organization that accepts cryptocurrency, you will have to learn some new skills, including how crypto wallets work. Is it a custodial grade wallet? How do you secure it? How do you evaluate wallet security? This is just scratching the surface; there’s more.
Blockchain technology has also been integrated into cloud computing, where it’s used, among other things, for smart contracts, digital ledgers, supply chains and records management.
These and other applications make blockchain interesting for business. CISOs operating in organizations that are adopting the technology need to figure out what problems they want to solve through its use because it will not solve everything. And then they have to secure it.
One consideration is whether it will be a private, permissioned network, or a public one.
A public network’s large number of nodes makes it almost impossible for a hacker to tamper with. However, public networks bring other considerations, such as how they are governed and how you choose the right platform. Data encryption will also be important to protect the information you are putting on a public network.
But remember, the information stored there can’t ever be deleted – something that may run afoul of privacy regulations globally, as well as privacy laws in some US states. You need a plan for which information will go on a blockchain. You’re not going to want to put personally identifiable information there, for example. You also need to plan how to protect the information and what to do if states adopt a GDPR-like principle such as the right to be forgotten, meaning you must delete those records.
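One way to act on that plan, as an added illustration that is not from the original article: keep the PII off-chain with a random salt, publish only a salted commitment to it on the ledger, and treat deletion of the off-chain record (including the salt) as the erasure path. The field list, record layout and function names are constructed for this example.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Constructed policy list: fields that must never reach the immutable ledger.
PII_FIELDS = {"name", "email", "national_id"}


@dataclass
class Split:
    on_chain: dict   # no PII; only a salted commitment to it
    off_chain: dict  # PII plus the salt, kept in a store that can be erased


def commit(payload: dict, salt: bytes) -> str:
    # Canonical serialization so the same payload always yields the same digest.
    canonical = "|".join(f"{k}={payload[k]}" for k in sorted(payload))
    return hashlib.sha256(salt + canonical.encode()).hexdigest()


def split_record(record: dict) -> Split:
    # Separate PII from the fields that are safe to publish, then bind the
    # on-chain record to the off-chain PII with a salted hash. A 32-byte random
    # salt prevents reversing the digest by guessing names or e-mail addresses.
    pii = {k: v for k, v in record.items() if k in PII_FIELDS}
    public = {k: v for k, v in record.items() if k not in PII_FIELDS}
    salt = secrets.token_bytes(32)
    public["pii_commitment"] = commit(pii, salt)
    return Split(on_chain=public, off_chain={**pii, "salt": salt})


def verify(on_chain: dict, off_chain: dict) -> bool:
    # Linking the ledger entry back to a person requires the off-chain record
    # and its salt; once they are gone, the commitment proves nothing.
    if "salt" not in off_chain:
        return False
    pii = {k: v for k, v in off_chain.items() if k != "salt"}
    return commit(pii, off_chain["salt"]) == on_chain["pii_commitment"]


def erase(off_chain: dict) -> dict:
    # Right-to-be-forgotten: delete the off-chain record and salt. The
    # immutable on-chain commitment stays but can no longer be linked.
    return {}


if __name__ == "__main__":
    rec = {"order_id": "A-1001", "amount": "250.00",
           "name": "Jane Doe", "email": "jane@example.com"}  # constructed
    s = split_record(rec)
    print(s.on_chain, verify(s.on_chain, s.off_chain), verify(s.on_chain, erase(s.off_chain)))
```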
If you have a private, permissioned network, you control security and governance, which you relinquish when using a public network. But you may also have a relatively small number of nodes, making it easier for hackers to attack.
Another area CISOs must consider is the construct of smart contracts, computerized transaction protocols that live on a blockchain-type platform. Smart contracts are gaining traction because they reduce the need for intermediaries and speed up transactions. But they’re replete with possible pitfalls.
CISOs of organizations getting into smart contracts need to know how to secure and scan the code. Some big hacks have involved bugs in smart contract code that have allowed bad actors to drain hundreds of millions of dollars. What’s more, your legal team must be aware of how to evaluate that code to ensure it matches the language of what they expect to see in a legal contract.
There’s also a third issue to consider regarding the concept of finality: Crypto payments are made immediately after the client receives a product, whether or not the contract’s provisions are fulfilled entirely. Most smart contracts do not include arbitration clauses, as can usually be found in written contracts. Once the payment changes hands, there may be no recourse.
Laws in this space are also nascent. Contracts are typically governed and enforced at a state level. Only a few states have taken steps to formally recognize smart contracts or related concepts in their law.
These topics merit the appropriate level of due diligence to foster safe adoption.
The blockchain isn’t necessarily the solution for everything. CISOs should be there to ask the right questions as organizations adopt new technologies, and they should be aware of security and potential regulatory issues.
The technologists don’t necessarily think of that when adopting a shiny new technology. The CISOs have to be there and have that in mind.