Nashville News Post


Coinflow CISO on crypto payments security under AI pressure

May 29, 2026  Twila Rosenbaum

Crypto payment firms sit near the top of the target list for advanced persistent threat groups, and the workload on their security leaders keeps growing. Malcolm Portelli, CISO at Coinflow, runs the company’s security program from Malta. Coinflow is headquartered in the United States and operates across multiple jurisdictions. Portelli sat down for this interview at the Span Cyber Security Arena conference.

Portelli says the sector drives his threat model more than the location. “It’s more the industry which we operate in. So, financial services, Web3, and crypto and all that comes with that. Crypto is a big target, especially for the big APTs. They’re always looking at how they can get into crypto firms because that’s their chosen money.”

Malta has become an active fintech and blockchain hub, supported by government incentives aimed at attracting company headquarters to the island. Portelli credits that policy with helping the local economy and the wider tech scene.

The Threat Landscape for Crypto Payment Firms

Crypto payment companies are uniquely exposed. Unlike traditional financial institutions with decades of security infrastructure, these firms often operate with lean teams and fast release cycles. Advanced persistent threat groups (APTs) target them not only for direct theft of cryptocurrency but also for access to payment rails that can be abused for money laundering. The combination of high-value assets and sometimes immature security controls makes crypto firms lucrative targets. Portelli explains that the threat model is driven more by the industry than by geography. Even though Coinflow is headquartered in the US with operations in multiple countries, the nature of handling crypto transactions means that the organization is constantly under scrutiny from sophisticated adversaries.

The rise of artificial intelligence has added a new dimension. AI tools can automate reconnaissance, generate convincing phishing messages, and even discover vulnerabilities at scale. Portelli notes that defensive AI has kept pace with some of these advancements, but the asymmetry remains: attackers only need one successful breach, while defenders must protect every entry point.

Rethinking Security Awareness Training

Portelli dropped monthly security awareness videos from his program after concluding they had become a compliance exercise. “Something that I’ve stopped doing is the regular monthly videos. You know, you go out and get snippets that people watch. It’s a checkbox.” He now prefers training quarterly, capped at 30 minutes of content per quarter, and supplements it with formats designed to hold attention. He also rejects the yearly-only approach as too thin and aims for a middle frequency.

This shift reflects a broader industry debate. Many CISOs question the effectiveness of traditional awareness programs that rely on passive consumption of videos. Interactive simulations, gamification, and role-specific training are gaining traction. Portelli believes that quality over quantity is key: shorter, more engaging sessions that actually change behavior, rather than simply satisfying audit requirements. He also emphasizes the importance of measuring outcomes—like reduction in phishing click rates—rather than completion rates.

Communicating Cyber Risk to the Board

Boards have grown more interested in cyber risk over the past decade, and some members may arrive at meetings believing they understand these risks better than they do. Portelli handles disagreements by citing published data. He points to the Verizon Data Breach Investigations Report and the IBM Cost of a Data Breach Report, the second of which prices losses in dollars that board members recognize. He also cites GDPR penalties of up to 4 percent of global revenue when European personal data is involved.

“Numbers are a universal language,” Portelli says. “If you are an accountant, if you are in technology, if you are in operations, you understand numbers.” He says board members who grasp the financial exposure tend to defer to the CISO on execution: “When they understand it, they leave it to you. I hired you. They trust you.”

Coverage of large breaches in mainstream business outlets has helped that conversation. Portelli cites the recent disruption at Marks & Spencer and Co-op, along with the attack on Jaguar Land Rover that drew UK government support, as examples that have moved cybersecurity onto the front pages read by non-technical executives.

Effective board communication is not just about presenting risks; it’s about framing them in terms of business impact. Portelli advises CISOs to align cyber metrics with key performance indicators that executives already track, such as revenue, customer churn, and operational downtime. By translating technical vulnerabilities into potential financial loss, the CISO becomes a strategic partner rather than a mere gatekeeper.

Outdated Security Practices That Should Be Retired

Asked which conventional security guidance has outlived its usefulness, Portelli names forced password rotation. The UK’s National Cyber Security Centre and Microsoft moved away from that practice around 2016 to 2018. Some standards and frameworks continue to require it, which Portelli describes as a contradiction of long-settled guidance. The rationale is clear: frequent password changes often lead to weak, predictable passwords, and users are more likely to reuse them across accounts. Instead, modern guidance recommends enabling multi-factor authentication, using password managers, and focusing on anomaly detection rather than arbitrary rotation intervals.

He also voices frustration with the volume of AI-generated content flooding LinkedIn and security blogs. Original posts get rewritten by language models within days and republished across hundreds of sites, diluting attribution and weakening the signal in threat intelligence channels. He runs a personal site dedicated to breaking down security concepts into accessible snippets and prefers to write the posts himself. The challenge is not just about credit—it’s about accuracy. AI models can introduce subtle errors that propagate quickly, making it harder for practitioners to trust online information.

API Security and Fraud Prevention

Coinflow operates primarily through APIs, which Portelli says simplifies certain controls. The company adds a second authentication factor to its API keys, using data the client already has in hand to validate and authenticate the caller with minimal impact on operational efficiency. He describes the setup as straightforward for developers to implement, yet highly effective.

Fraud has shifted toward scams that convince customers and staff to authorize payments themselves. Portelli is investing in AI-based anomaly detection and pattern recognition to flag suspicious transactions, paired with continued education for employees and end users. Banks and governments, he says, are now running awareness campaigns at a global scale. The human element remains the weakest link, but technology can help by alerting users in real time when a transaction looks out of pattern.

API security is particularly critical for crypto payment firms because APIs are the primary interface between the company and external partners, exchanges, and customers. Portelli advocates for a defense-in-depth approach: rate limiting, input validation, encryption in transit and at rest, and continuous monitoring for unusual API call patterns. He also stresses the importance of secure key management—storing API keys in hardware security modules (HSMs) or using key rotation policies that are automated rather than manual.
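The layered API-key checks described in the two passages above (a second factor for API keys, rate limiting, and automated key rotation), as an added example that is not Coinflow's code. The credential store, secrets and limits are constructed placeholders, and treating an HMAC request signature as the second factor is an assumption about what "data the client already has in hand" means.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed sample credential store: one client holds two valid keys at once so
# an automated rotation can overlap (old key expires while the new one is live).
# Secrets are hypothetical placeholders, not real values from any provider.
KEYS = {
    "key_old": {"client": "merchant-42", "secret": b"old-secret", "not_after": 2_000_000_000},
    "key_new": {"client": "merchant-42", "secret": b"new-secret", "not_after": 2_000_000_000},
    "key_expired": {"client": "merchant-42", "secret": b"dead-secret", "not_after": 1_000},
}
WINDOW_SECS = 300        # accept request timestamps within +/- 5 minutes (bounds replay)
RATE_LIMIT = 5           # max requests per key per 60-second sliding window
_recent = defaultdict(deque)   # key_id -> timestamps of recently accepted requests


def sign(secret: bytes, ts: int, method: str, path: str, body: bytes) -> str:
    """Client side: the second factor is an HMAC over timestamp + method + path + body,
    so a leaked key id alone is useless and a captured signature cannot be moved to a
    different request or reused outside the timestamp window."""
    msg = f"{ts}\n{method}\n{path}\n".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def authenticate(key_id, ts, sig, method, path, body, now=None) -> str:
    """Server side: return 'ok' or a reason code. Checks run cheapest-first and the
    signature comparison is constant-time."""
    now = int(time.time()) if now is None else now
    rec = KEYS.get(key_id)
    if rec is None or now > rec["not_after"]:      # unknown key or rotated-out key
        return "unknown_or_expired_key"
    if abs(now - ts) > WINDOW_SECS:                 # stale or far-future timestamp
        return "stale_timestamp"
    expected = sign(rec["secret"], ts, method, path, body)
    if not hmac.compare_digest(expected, sig):     # second factor failed
        return "bad_signature"
    q = _recent[key_id]                             # per-key sliding-window rate limit
    while q and q[0] <= now - 60:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return "rate_limited"
    q.append(now)
    return "ok"
```

Rotation works by issuing a new key while the old one still has time left on `not_after`, so clients can switch over without an outage; the expired-key branch is what finally retires the old one.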

The Challenge of AI-Powered Attacks and Patching

Portelli expects attack volume to keep climbing for the next three years, driven by AI tools that find vulnerabilities at very low cost. He points to Mythos, an AI vulnerability discovery system that he says surfaced numerous issues in Firefox, and to recent research from TrendAI that identified around 300 vulnerabilities in widely used WordPress plugins at a cost of roughly $20 per zero-day. Defensive AI has kept up with discovery, he says, but automated patching that preserves application functionality remains an open problem. Enterprise CISOs already sitting on large vulnerability backlogs, he argues, see little benefit from a discovery tool that adds hundreds of items when remediation tooling lags behind.

The patching gap is one of the most pressing issues in cybersecurity today. While AI can find vulnerabilities faster than any human, the process of testing and deploying patches without breaking production systems is slow and risky. Portelli suggests that the industry needs better runtime protection and virtual patching capabilities that can mitigate vulnerabilities until a permanent fix is available. He also calls for more collaboration between vendors and researchers to streamline the disclosure and patching pipeline.

Coinflow has adopted a layered approach: continuous vulnerability scanning, prioritized risk scoring based on exploitability and business criticality, and automated rollback mechanisms to quickly revert changes that cause issues. Portelli believes that until automated patching matures, organizations must invest in detection and response capabilities that can catch attacks early, even if the underlying vulnerability hasn’t been patched.

The interview at the Span Cyber Security Arena conference highlighted that while the crypto payment sector faces unique pressures, many of the challenges—such as board communication, training efficacy, and vulnerability management—are universal. Portelli’s approach combines pragmatic risk management with a willingness to challenge outdated practices, all while navigating a rapidly evolving threat landscape shaped by artificial intelligence.


Source: Help Net Security News

