
Disclosure: The views and opinions expressed here are solely those of the author and do not reflect the views of crypto.news’ editorial.
As the digital asset sector evolves, security remains a paramount concern. High-profile breaches, changing attack methods, and growing regulatory scrutiny emphasize the necessity of not just technical safeguards but also a supportive organizational culture.
Summary
- Technology alone falls short. Most crypto security breaches originate from traditional web2 vulnerabilities, underscoring the need for a security-first culture alongside blockchain protections.
- Culture begins with individuals. Strong leadership, incident response teams, adaptive phishing training, and peer accountability convert security from a mere compliance requirement into a shared philosophy.
- Security should encompass personal lives. Investing in employees’ digital safety fosters trust, awareness, and long-lasting resilience, illustrating that genuine security stems from people as much as from technology.
According to the IBM Cost of a Data Breach 2024 report, the average global breach cost has risen to $4.88 million, with breaches in the financial sector averaging $6.08 million. Establishing a security-first culture, embedding awareness, responsibility, and vigilance into a company's core, can significantly reduce such risks.
Security within the digital asset space is often viewed through the lens of blockchain technology: multi-signature wallets, air-gapped storage, and advanced encryption. While these measures are crucial for safeguarding the operational security and integrity of digital assets, they are not foolproof and should be treated as one layer of a broader defense strategy. Most major security breaches in the crypto industry primarily arise from traditional web2 vulnerabilities rather than blockchain weaknesses. The Bybit hack earlier this year is a case in point: the losses were traced to a compromised developer machine and tampered front-end code that altered what signers approved, not to a flaw in the blockchain or the multisig contract itself.
This matters because the controls that prevent such breaches are the "traditional" ones: Endpoint Detection and Response (EDR), web proxy tools that scan and block harmful URLs, sandbox technologies that analyze attachments and downloads, and email security controls that stop the payloads that so often start a breach. Last, and perhaps most crucially, a strong security culture is what prevents compromises before they happen.
A security-centric organizational culture ensures that human factors are proactively addressed. In a landscape where one mistake can lead to significant financial and reputational harm, nurturing a security-focused culture is essential—no longer optional. Employees are both the weakest link and the first line of defense; therefore, emphasizing their role in security while minimizing vulnerabilities is critical.
Fostering a security-first culture
Establishing and maintaining a robust security culture is challenging, particularly in fast-growing or resource-limited organizations. Cultural transformation requires buy-in from leadership, consistent reinforcement, and a willingness to learn from both internal and external incidents. It also necessitates a balance between operational efficiency and stringent controls, often a source of tension in dynamic environments. Organizations aiming to cultivate a security-first culture should concentrate on the following key areas:
- Formalized incident response through planning, preparation, and shared responsibility
A Computer Security Incident Response Team (CSIRT) exemplifies organizational maturity with its cross-departmental structure and thorough workflows. This team must hold standing authority to respond, restore, and allocate resources during a crisis without waiting for ad hoc approval, supported by clearly assigned duties across the organization. From the Incident Commander overseeing the entire response to specialized roles handling regulatory liaison, production response, and operations coordination, the CSIRT delegates responsibilities while maintaining centralized command. When an incident arises, the organization mobilizes this established framework, so that everyone understands their role and has the authority to act. This is not hypothetical; it demonstrates leadership's commitment to security as a collective duty.
- Intelligence-driven phishing resilience
Phishing remains a significant attack vector in the sector. Effective strategies extend beyond generic training: campaigns should be modeled on adversarial trends observed across the ecosystem. As phishing tactics evolve from basic credential theft to fake "security verification" prompts that trick users into pasting and running malicious commands on their own machines, training programs must adapt in step. Some campaigns should mirror active attack trends to bolster awareness; others should deliberately diverge from them to keep staff vigilant. This flexible approach sustains high resilience and strong engagement, turning phishing defense into an organizational asset rather than a weakness.
- Security drop-in sessions
Hosting monthly open sessions on security operations, attended by a substantial portion of the organization, can be incredibly effective. These sessions should address evolving technologies, AI developments, new platforms, and how these shifts relate to security in both professional and personal contexts. By initiating discussions with accessible, straightforward explanations of global incidents and innovations, the sessions engage participants before delving into organizational impacts, equipping staff to safeguard themselves. This commitment to both organizational and personal security can transform the security function from a burden into a topic employees actively pursue, encouraging teams to identify potential risks proactively.
- Positive accountability through peer reinforcement and gamification
Security awareness transcends formal training. For instance, our "donuts" protocol turns device security from policy into practice: leaving an unlocked device unattended in the office prompts a colleague to post "I love donuts" in the team chat, and the owner then brings donuts for the team. This playful approach has proven remarkably effective, creating an immediate, visible consequence while building camaraderie around security practices rather than fear. The outcome? Clean desk policies and screen locking become ingrained habits across the organization.
- Investing in personal security beyond work
Progressive organizations extend their security commitment beyond working hours by providing comprehensive personal protection for staff. Where applicable, organizations can offer enterprise-quality security tools for personal use, such as premium privacy suites, VPN services, encrypted storage, data removal platforms, and necessary anti-fraud measures. Moreover, offering physical security training enhances staff’s personal safety and situational awareness.
This investment in individual security, while a direct cost to the company, yields dividends through heightened security awareness and signals that the protection of individuals extends beyond workplace obligations. When employees feel that their employer genuinely cares about their personal digital and physical safety, they are more likely to engage with organizational security.
A long-term imperative
These initiatives can deliver measurable outcomes; security reports and alerts raised by non-security personnel often increase significantly after implementation. Beyond metrics, they cultivate a more valuable asset: an environment where vigilance becomes second nature rather than a chore, and where incident response is a shared capability rather than an isolated function.
In custody, trust is paramount. However, trust cannot be achieved through technology alone; it must be reinforced daily by individuals who perceive security as part of their role instead of a hindrance. As digital asset custodians become increasingly integral to the financial system, those with a robust security culture will be best positioned to navigate volatility, maintain regulatory trust, and cultivate enduring confidence from clients and partners.
Organizations that succeed won’t solely be those with superior technology; they’ll be those where every employee recognizes that security is a collective responsibility, embraced rather than endured, and where the entire organization can effectively mobilize in the face of threats.
