My talk at Google Singapore's APAC Security Summit
Web3 security requires strong Web2 security
Lose a billion lines of PII, get a slap on the wrist. Lose a billion dollars of crypto, and you go bankrupt.
That was my message at Google Singapore’s APAC Security Summit. (also on YouTube.)
Most companies are accustomed to compliance-driven security, where the regulator requires minimum standards of data privacy to protect users. And the consequence of non-compliance? A fine. A lawsuit. The cost of doing business. A rational profit-driven enterprise will only do the bare minimum. Security is expensive, and costs have to justify themselves to the bottom line.
But crypto is different. It’s not about data privacy. It’s about preventing immediate, irreversible financial loss.
When North Korea steals fungible, non-reversible digital cash, they don’t give it back. That’s an immediate loss on your balance sheet.
No, you can’t get insurance for that. Not enough, anyway. Risk transfer—and insurance is just transferring risk at a price, the premium—is not possible at scale in crypto.
That means risk mitigation is the only option left on the table. And the only way to mitigate that risk is in-house, with your own security team.
But you don’t have to take my word for it. Google agrees. In their blog post last December (2025), they highlight the same emerging issue.
Thinking like an attacker can help shift your organization from a compliance-focused defensive mindset to one that prioritizes intelligence-led defense.
This is a fundamentally different approach to security that many struggle to adapt to. For decades, the mantra has been “security = compliance”.
Now, in crypto, it’s more accurate to say “security = war”.
Because when a sovereign nation-state engages in coercive violence across international boundaries in pursuit of its existential geopolitical aims, that has a common-sense word in English: warfare.
North Korea wages de facto war on all crypto companies of any size worth robbing.
That’s why my ETHCC[7] talk in 2024 was called North Korea Wages De Facto War on Everyone Here.
That’s why since 2022 I’ve argued that in crypto, the CISO is a Defense-Only Military General.
Yes, a business in crypto must also satisfy the regulator. If you can’t get licensed, you can’t do business. That’s why I coined the term The North Korean Love Triangle. A CISO must manage risk against two adversaries at the same time—the regulator, and the nation-state adversary. Today, in 2026, in crypto, you must do both to survive.