Hi, everyone. I'm Mirela Ciobanu, lead editor with the papers, a global financial publication. And I'm excited to speak with Max Imbiel, CISO at BitPanda. We're live here at Cyberevolution, and we are going to discuss cyber security in the crypto space and beyond. So, Max, it's so great to meet you.
Great to meet you as well.
Yeah. I'm curious to know what attracted you to working as a CISO, especially now that you shifted your role to a crypto company, since this topic is so controversial.
So I think the controversy of that is still there, yes, to a certain degree. But we're getting into a much more mature situation right now in crypto, where it's actually being accepted as a proper financial asset. Right? We have new regulations coming up, MiCAR, for example, the Markets in Crypto-Assets Regulation, that will be the cornerstone of making it acceptable not just for individual people, but also for all kinds of companies and corporations to actually invest in. And so I joined BitPanda because their focus is pretty much on not just providing crypto for every single person out there, but also for businesses, to actually use crypto and to offer that to their customers as well. Right? We're partnering with other banks that we offer our white label solutions to, and then they can just have that included in their own products, basically, for their customers. It's a direct flow in their app and their services, so that their customers can now all of a sudden invest in crypto, and we're in the back end providing this service. And I'm really happy to just see that our field and our industry is getting more mature, because I personally have been invested in crypto for quite a while now. And I think it's the next step in the financial evolution.
Yeah. And for the other CISOs working in the crypto space, what are the main concerns that they are currently facing?
Main concerns, I think, always depend a little bit on where exactly you're working. So the main concerns for a company in the US might be different from ours here.
Let's take it geography by geography. Let's start with Europe, since you mentioned it. Okay.
Yeah. So, exactly. So in Europe right now, I think for a crypto company that wants to be sustainable and that wants to keep growing and wants to be more and more mature, the focus is, of course, a lot on compliance. Right? The new regulations coming out, DORA, the Digital Operational Resilience Act, are also applicable to all financial institutions, and we are one of those. So we also have to apply the same standards as Deutsche Bank has to, which, of course, for a smaller company like us compared to Deutsche Bank, makes it sometimes hard to really identify how we can keep up with these regulations. But luckily, we have had a very stable environment already set up in the past from a technology perspective. And so my concern in that area really is now enabling our business going forward. Right? Making it possible that we keep our licenses, that we're actually complying with these new regulations, so that we can also showcase this to our partners and to our customers. And all the while, of course, because it's never just a compliance tick box that we need to check, staying secure and staying safe.
Yeah. Before we go into staying secure and safe, because I'm curious to see what the main fraud types and fraud attacks are, let's also linger a bit on the US space, maybe regarding some of the challenges, probably related to compliance again, for crypto providers. Maybe you could share some...
I think in the US right now, especially in crypto, everybody's pretty much eager to see what is happening in the next legislature. Right? Once that is happening in January, how many of the promises that Donald Trump basically made during his campaign he will actually follow up on in terms of the crypto industry, because that will potentially offer a huge benefit for the crypto industry and also give it another push. I mean, we've just seen this morning bitcoin hit the $100,000 mark. So the market really is striving and eager to see what is happening there. But then on the other hand, especially the US crypto companies are pretty much targeted also by adversaries from North Korea and from Russia. And so that, of course, is then also a huge topic that they also need to have in their view, how to protect themselves against that.
Yeah. And now, since we mentioned protections, maybe you could share some of the new types of attacks or threats that are climbing in the crypto space.
So I think especially in crypto right now, what we can see is that overall, the fraud schemes that we have seen throughout the last couple of years in traditional banking are actually jumping over into crypto now. So these adversaries out there that have been targeting customers directly in terms of social engineering, via phone calls, via phishing emails, via smishing, so SMS text messages asking them to send their money somewhere or to just enter their account on a malicious link, right, so they could actually pull the account numbers and then the passwords and whatnot from those pages, that is more and more transitioning over also into the crypto space. And these kinds of attacks are getting more and more sophisticated as well. I think AI here is very much a driver for those adversaries, because they are much more efficient now in just basically tailoring their approaches to different companies and to different setups. It's not them just doing this all by hand anymore, but they have the AI support in the back end that is basically drafting up all of this for them. And it's just enabling them to make it faster and more widespread.
Yeah. And since you previously had a session on Security 3.0, I'm asking now how to prevent this type of attack, with some of the ideas that you shared earlier with the audience.
Yeah. Sure. So in Security 3.0, as I call it, prevention has a little bit of a higher priority than detection and response, because I'm of the opinion that if we tackle something before it has actually happened, we can more properly protect ourselves against it. So the parallel that I'm drawing here is to modern medicine, where the approach is to have a view of your own personal health before you actually get sick, so you can tackle something that could potentially make you really sick in the next couple of years. And so that is exactly where I have a focus for Security 3.0, saying, okay, what do we see in the next couple of months, and maybe even years down the road, in potential attacks that could hit us, or adversaries that are just targeting other crypto companies as well? So, enforcing and enabling more of a preventive approach. Right? That is just about building up the walls before something actually hits us.
Yeah. And did you notice, actually, that companies are adopting this preventive approach, or have more just started to?
I think the preventive approach is getting more traction, also, again, because of upcoming regulations like DORA, because they're really targeting resilience, and you have to do exercises. Right? So, I mean, in banking, especially in Germany, with the regulations that we've had in place so far, they were asking us or requiring us to do the same levels already for quite a while. And the good companies out there, that have existed for quite a while and that were successful, have also been doing this: stress testing themselves, right, having proper red teaming exercises on their security. But now, as these regulations are more widespread and global, or very much for the whole EU, right, which is DORA, I think this gets more traction in terms of really testing out what you are putting in place. So you know how an adversary could potentially hack you, right, could just find their way into your network. And this is, again, exactly the pinpoint and the priority for my Security 3.0 topic, where we have to repeatedly test ourselves against what is standard nowadays, but also against what could be a potential attack vector in the future. And then we're better prepared in the end.
Yeah. And regarding preparations, sometimes the C-suite only pays attention to CISOs when it's related to an incident or compliance. How can we make them see security and compliance as more than just a tick box, but as something like a business enabler? How do we put these aspects on their agenda?
So I think, I mean, one possibility that you could use is pretty much the Security 3.0 approach, right? Where I say at the very end, hey, if you're sitting with your board the next time, maybe ask them why they're doing sports, right, maybe they're playing tennis, or they're running, or they're golfing, or whatever. But basically ask them why they are doing this. Right? Because most certainly they will answer to be healthy, right? To keep looking good, to keep living as long as possible, and to sustain my own health. And say, hey, cool, then why don't we use the same approach for security as well, right? So we can actually stay healthy and secure as a company, because we're pretty much the doctors, right, for a company. We're there to make sure we're not getting sick, or when we're sick, then we are tackling what has attacked us, so to speak. And I think, I mean, especially in crypto, I know that security is and was always a very important cornerstone for every C-level or founder of companies, because it was always very much targeted and attacked, because of the very new environment that crypto still is. Right? And so to have that broader application of security in other fields as well is really all about this: we're here not just to put up road blockers, so to speak, in the way of the company and say this is compliance or this is just security stuff that we have to do, but security is really there to also enable the business from a long-term point of view, because only if we have the right security measures in place is the next attack that could potentially destroy the company actually not destroying the company. Right? And so that is what I'm always also trying to convey to everybody. Security is a business enabler. And we always have to remind people about this.
Yeah. And even nicer, I'm thinking that when you are prepared for an attack, even the teams feel more confident and more loyal to the company: yeah, I'm working in a sustainable and, yeah, meaningful company. And since I mentioned your presentation all the time, and we are here at Cyberevolution, I'm curious, what is your take on the event so far?
My take on the event so far is, it's great to see everybody again. It's my second time, I think, that I've been here, and the network of security professionals and experts participating here, and more actively and collaboratively sharing with each other, is really, really important in our field. Because just by sharing some of these stories, sharing some of the insights on what people are working on, what they have seen happening out there in the field, is hugely important for me to take away. And then also getting back to my teams and saying, hey, look, I've just heard that they're addressing this topic with that tool, maybe something that we could also look into. Or I could bring in, not possible, but good examples from our own environment, from our own company, where I say, hey, this worked really well for us, maybe this is something that you could also look into. So this sharing and collaborating is just very much important, and exactly what is happening here. So that is what I really like. And I mean, of course, the presentations that I've seen so far were all great. So that knowledge sharing from that perspective is tremendous as well.
Yeah. And it integrates perfectly with your method, Security 3.0, because part of the medicine was collaboration and sharing knowledge.
Yes.
Exactly right. Thank you, Max. And, yeah, we look forward to the next edition to continue our discussion.
Thank you very much.