My Crypto Security Talk at EthDenver’s DarkMode Conference
yer fergettin yer web2 sekyerrity risk, young whippersnapper
Last week I had the pleasure to deliver a curmudgeonly talk at DarkMode, SEAL’s security side event at EthDenver 2026.
Some big takeaways:
Sekyerrity, sekyerrity, sekyerrity (is a good spelling for the word)
Smart contract audits aren’t enough: web2 is your exposed underbelly
We are competing against each other to not get eaten by opportunistic attackers
Because saying the same obvious thing over and over again and seeing it fall on deaf ears invokes a tendency to curmudgeonliness.
Security is boring, and only works if you grind it out every single day. There are no magic silver bullets to make your security problems go away. That includes AI.
Smart web3 startups outsource most things if they can. But they cannot outsource security risk any more than they can outsource regulatory risk. You own the risk no matter what. (Risk transferral, i.e. insurance, offers little to no benefit at present.) That means you must manage your security risk; you can’t throw the ball to some random security startup and expect them to care about your business as much as you do.
You will always have limited resources of money and time. So how do you spend those resources for maximum risk mitigation while enabling business velocity? That is the core challenge of the business security manager (that is, the CISO or Head of Security).
You and a friend go camping in the woods. The bear attacks. Who do you need to run faster than? The bear? Or your friend? An old security parable very relevant for crypto / web3 companies. (Like everything in security, the answer is: “it depends”.)
If I put bars on my windows and that prompts a burglar to rob my neighbor, should I feel bad? No—because my primary job is my own house, my employer. Yes—because I don’t want my neighbor to get robbed. Takeaway—we are competing with each other to run faster so that the bear eats the other company. An unpleasant fact of life we often gloss over in security.
Happy times, you’ve gotten so big you’ve got a permanent target painted on your back. You’ve graduated to the symmetric hard yards. Big leagues got big problems. Up your game.
I can’t count and skipped slide 7. LOL
Management, yeah. We’re talking about whole-of-company security strategy against malicious adversaries who mean you harm, and who don’t care that you locked the web3 door if you left the web2 door open.
Security is not a technical discipline devoid of finance and business context. Quite the opposite—no one hires security guards to mind an empty safe. Your security spend is a pure function of the thing secured. Never lose sight of this fact. (Note how different the financial loss impacts are for crypto compared to compliance-driven regulated industries, where the financial loss comes from “slap on the wrist” government fines and ineffective consumer class action lawsuits.)
In an adversarial context against a sovereign nation-state that engages in coercive violence against your company as part of their geopolitical strategy (that is, “warfare”), no single formula exists for success. The CISO becomes a defense-only military general engaged in real-time strategic and tactical defense of their employer. That requires tactical science but also artistic strategy. Perspiration and inspiration both required.
I operate in the fog of war for a living, constantly checking my known unknowns and my unknown unknowns. So tell me I’m wrong! Maybe I am. I’d rather be wrong and be corrected than stubbornly insist I’m right and drive my employer off a cliff.
Because in warfare, pragma survives and dogma dies.