Leveraging over a decade of cybersecurity expertise, Ethan brings his passion for securing the digital asset space to Interlock, where he advises on enterprise product strategy. His experience spans from leading comprehensive security programs as a CISO (Chief Information Security Officer) to specializing in crypto architecture and control design, with prior roles at Citadel Securities, Galaxy Digital, and Bank of New York Mellon.
Can you tell us about your path and how you got into cybersecurity?
I started a couple of decades ago. I studied computer science, got a job at a tech company, and did a mix of software engineering and operations. A few years later I managed to get hired as a technologist at a prestigious hedge fund.
Financials tend to invest heavily in their information security, and it made it the perfect setting. It wasn't an instant match, but a couple of years in I had this big realization - I was grasping infosec concepts faster and better than a lot of folks around me. Something just clicked. Eventually, an opportunity opened up to move into their security department and I jumped in. I spent a few years learning, studying, rotating roles, making friends, finding mentors, and generally growing into it.
What's a day in the life of a typical CISO like?
The life of a CISO (Chief Information Security Officer) varies widely. Lots of aspects can influence it. For example an organization's assets and threats, size and maturity, infosec staffing, risk appetite, ability to reasonably plan and budget for handling evolving risks, and quality of engagement with other execs and the board.
At smaller companies, a hands-on CISO is common. They'll be in the weeds building solutions, reacting to incidents and company needs, trying to keep up with evolving threats and capabilities, and maybe leading a small team. On the other end of the spectrum CISOs at large organizations are highly seasoned executives. They deal with company-wide and department-specific strategy, budget, management, etc.
And there's also everything in between. The key part that's common across almost all CISOs though.. is the ongoing need to help companies understand their threats and how to efficiently deal with them.
What do you find today is the biggest threat vector for businesses?
Several threat vectors concern me, but three key areas stand out. First, the control and protection of cloud services pose significant challenges due to the shift from on-premises setups. It's not just one configuration or tool. Protecting cloud services requires a robust defense-in-depth strategy. Second, ransomware remains a persistent threat, particularly for organizations heavily reliant on older tech approaches like running flat networks and using Active Directory. Lastly, the human factor in security remains a fundamental and challenging aspect. From help desks being socially engineered, to business email compromise, to executive overconfidence.
Why is security so paramount in Web3, especially with self-custody?
Web3's unique characteristics, such as ownership of bearer assets via keys and digital signatures, emphasize the critical role of security. Unlike traditional setups with social security numbers or bank accounts, self-custody allows individuals to control their funds. It offers a different level of government and institutional bank censorship resistance and finality of transactions. This paradigm shift demands a different approach to security, recognizing the absence of traditional safeguards and the need for robust measures to protect against potential threats.
What types of attacks are prominent in the Web3 space?
The spectrum of Web3 attacks is vast, encompassing on-chain and smart contract vulnerabilities, node vulnerabilities, encryption vulnerabilities, and others. It also includes traditional threats like business email compromise, phishing, and stealing or manipulating small amounts of highly sensitive data. Existing attack patterns find new applications, and specific Web3 attack patterns, such as flash loans, add a layer of complexity. The evolution of Web3 ecosystems means adapting even more quickly to challenges and expecting the unexpected.
What excites you about Interlock, and why did you choose to join as an advisor?
Interlock addresses a significant gap in cybersecurity tools. The unique approach of combining AI and crowdsourcing threat intelligence, by incentivizing everyday Iinternet users through both passive browsing data sharing and active threat flagging, adds intriguing dimensions. Incorporating Web3 principles, such as decentralization and incentivization, aligns with the current trends and motivations in the technology landscape. Knowing that users not only contribute to societal cybersecurity but also receive something tangible in return creates a more transparent and engaging paradigm.
How does Interlock differentiate itself from traditional security tools?
Interlock stands out from traditional security tools in several key aspects. Unlike conventional solutions that rely solely on centralized threat databases, Interlock harnesses the collective knowledge of its user community to gather and share threat intelligence. This unique approach combines passive data sharing with active threat flagging, enabling the platform to identify and address emerging threats in real time. Furthermore, Interlock incentivizes user participation through a tokenized reward system, fostering a collaborative environment and promoting the platform's long-term viability. Also, Interlock prioritizes transparency and user control over data collection, providing individuals with clear insights into how their data is used and ensuring they retain full autonomy over their privacy.
Why do you believe incentivizing security participation is crucial for Web3?
Over the last couple of decades, we've seen big tech make enormous profits by bulk-leveraging data that most of us freely provide. We've got lots of free services in return, but it's not necessarily a fair deal. Many of those services can be basically canceled anytime, at the whims of a relatively small number of tech leaders and execs. This approach is very different, with web3 digital asset incentives. It's more equitable and puts users in more control.
