Scaling Security Engineering: A Pragmatic Approach
Introduction
People often ask about my previous role scaling Security Engineering at Coinbase, expecting stories about novel technologies, exotic attack vectors, and romantic notions of security. Yet in the high-stakes world of cryptocurrency, where a single vulnerability can lead to the loss of billions in customer assets, security demands a pragmatic, scalable approach.
The Stakes in Crypto Security
Working in crypto security differs fundamentally from traditional finance or tech. When you're protecting digital assets that exist purely as cryptographic keys, there's little room for rollbacks, insurance claims, or traditional fraud prevention. A compromised private key means immediate, irreversible loss of funds. This reality shaped every security decision.
The crypto industry faces unique challenges:
- Immutable transactions make security breaches irreversible
- Attack surfaces spanning both traditional web security and novel crypto protocols
- Sophisticated adversaries with significant financial motivation
- Regulatory requirements across multiple jurisdictions
- The need to balance security with user experience in a rapidly evolving market
- Transaction transparency on public blockchains makes security breaches immediately visible and traceable, unlike traditional sectors where breaches can remain hidden
Security Engineering: My Approach
While there are many perspectives on what constitutes Security Engineering, particularly in comparison to Product Security or Security Operations, I want to share how I structured and evolved this function. Security Engineering focused on building security-critical systems that solved or managed the classes of risk that came with enabling the business. More specifically, we were builders who created security-critical foundations that other teams could build upon.
The evolution of Security Engineering followed a maturity curve that mapped to the organization's risk appetite, security program maturity, and business needs: