Crypto payment firms sit near the top of the target list for advanced persistent threat groups, and the workload on their security leaders keeps growing. Malcolm Portelli, CISO at Coinflow, runs the company’s security program from Malta. Coinflow is headquartered in the United States and operates across multiple jurisdictions. Portelli sat down for this interview at the Span Cyber Security Arena conference.

Portelli says the sector drives his threat model more than the location. “It’s more the industry which we operate in. So, financial services, Web3, and crypto and all that comes with that. Crypto is a big target, especially for the big APTs. They’re always looking at how they can get into crypto firms because that’s their chosen money.”

Malta has become an active fintech and blockchain hub, supported by government incentives aimed at attracting company headquarters to the island. Portelli credits that policy with helping the local economy and the wider tech scene.

Awareness training that stopped working

Portelli dropped monthly security awareness videos from his program after concluding they had become a compliance exercise. “Something that I’ve stopped doing is the regular monthly videos. You know, you go out and get snippets that people watch. It’s a checkbox.” He now prefers training quarterly, capped at 30 minutes of content per quarter, and supplements it with formats designed to hold attention. He also rejects the yearly-only approach as too thin and aims for a middle frequency.

Speaking to the board in numbers

Boards have grown more interested in cyber risk over the past decade, and some members potentially arrive at meetings believing they understand these risks better than they do. Portelli handles disagreements by citing published data. He points to the Verizon Data Breach Investigations Report and the IBM Cost of a Data Breach Report, the second of which prices losses in dollars that board members recognize. He also cites GDPR penalties of up to 4 percent of global revenue when European personal data is involved.

“Numbers are a universal language,” Portelli says. “If you are an accountant, if you are in technology, if you are in operations, you understand numbers.” He says board members who grasp the financial exposure tend to defer to the CISO on execution: “When they understand it, they leave it to you. I hired you. They trust you.”

Coverage of large breaches in mainstream business outlets has helped that conversation. Portelli cites the recent disruption at Marks & Spencer and Co-op, along with the attack on Jaguar Land Rover that drew UK government support, as examples that have moved cybersecurity onto the front pages read by non-technical executives.

A piece of advice he wants retired

Asked which conventional security guidance has outlived its usefulness, Portelli names forced password rotation. The UK’s National Cyber Security Centre and Microsoft moved away from that practice around 2016 to 2018. Some standards and frameworks continue to require it, which Portelli describes as a contradiction of long-settled guidance.

He also voices frustration with the volume of AI-generated content flooding LinkedIn and security blogs. Original posts get rewritten by language models within days and republished across hundreds of sites, diluting attribution and weakening the signal in threat intelligence channels. He runs a personal site dedicated to breaking down security concepts into accessible snippets and prefers to write the posts himself.

API defenses and the fraud shift

Coinflow operates primarily through APIs, which Portelli says simplifies certain controls. The company implements multi-factor authentication mechanisms for API keys utilizing already available data to validate and authenticate the client with minimal adverse effects on operational efficiency. He describes the setup as straightforward for developers to implement, yet highly effective.

Fraud has shifted toward scams that convince customers and staff to authorize payments themselves. Portelli is investing in AI-based anomaly detection and pattern recognition to flag suspicious transactions, paired with continued education for employees and end users. Banks and governments, he says, are now running awareness campaigns at a global scale.

The patching gap

Portelli expects attack volume to keep climbing for the next three years, driven by AI tools that find vulnerabilities at very low cost.

He points to Mythos, an AI vulnerability discovery system that he says surfaced numerous issues in Firefox. Recent research from TrendAI identifying around 300 vulnerabilities in widely used WordPress plugins at roughly $20 per zero-day. Defensive AI has kept up with discovery, he says. Automated patching that preserves application functionality remains an open problem. Enterprise CISOs already sitting on large vulnerability backlogs, he argues, see little benefit from a discovery tool that adds hundreds of items when remediation tooling lags behind.