The Pre-Series B Security Checklist for Crypto Companies

The 5 areas that generate the most friction in Series B security diligence. What investors actually look for, and how to pass the test before they ask.

  • Compliance & audit readiness
  • Crypto-specific security controls
  • Incident response & operational resilience
  • Third-party & supply chain risk
  • Board reporting & governance

Based on 20+ investor diligence calls and the security program that took Bitcoin Depot public.

Latest perspectives

Deep dives on the topics that keep operators and investors up at night.

Why Your SOC 2 Auditor Might Be the Wrong One

Most crypto companies fail SOC 2 on key management and access control — not because they're sloppy, but because the standard was written for SaaS, not digital assets. Here's how to evaluate whether your auditor understands your business model before you waste $30K.

The Security Question That Killed a Term Sheet

A founder told me his Series B term sheet was delayed 6 weeks because of one security question. Not a breach. Not a failed audit. Just a question he couldn't answer well. Here's what it was, and how to make sure you're not the next story.

NYDFS Part 500: What Changed in 2025 and Who It Actually Applies To

NYDFS Part 500 was updated in 2023. Most companies I talk to are still operating under the 2017 version. The biggest change: the "covered entity" definition now captures companies that "control" or "maintain" nonpublic information of New York residents. If you have even ONE customer in New York, you need to read this.

How to Run a Security Tabletop Exercise That Actually Prepares You

Most tabletop exercises are theater. The team sits in a room for 3 hours, checks a box, and goes back to work. Here's the format I've used at the public company level — including the one scenario that reveals whether your incident response plan is real or fiction.

AI Governance: The Three Questions Your Board Will Ask

I reviewed the AI governance policies of 12 FinTech companies last quarter. 11 were copy-paste jobs from a law firm template. Only one was actually usable. The difference? It answered three specific questions that boards and investors are starting to ask.

From IT Function to Governance Function: What Going Public Taught Me About Security

Taking Bitcoin Depot public changed our security program in ways no one warned me about. Security went from reporting to the CTO to reporting to the Audit Committee. Every incident became a potential 8-K disclosure. Here's what I learned — and what every company should do now, even if an IPO is years away.

Want these delivered to your inbox?

I send one practical security briefing per month — no fluff, no product pitches, just what I'm seeing across diligences, audits, and boardrooms.
