
Why DeFi Protocols Need In-House Security Teams

  • Posted: 20.04.26

If a risk firm gets paid $2.4 million a year and misses the thing that costs you $236 million, what exactly are you paying for?!

For the second week in a row, we’re talking about DeFi security exploits after the recent KelpDAO bridge hack 🫣

A big DeFi protocol often doesn’t do its own risk management in-house. It pays outside firms millions a year to assess security and be the adults in the room.

An external firm’s job is to deliver a report.

An in-house security lead’s job is to not get hacked.

On paper those two jobs look similar, but when something goes wrong, the external firm can move on to the next client, while an in-house person can’t, because they have skin in the game and they’re responsible for anything going wrong.

Every protocol is about to get reevaluated against a new definition of “good,” and good now means someone in-house with the authority to push back and say “No, we’re not shipping like that.”

We’ve been placing talent into roles in this corner of the market properly for a while. A Director of Security at one of DeFi’s leading risk firms, a Head of Security at a major Bitcoin-based shared security protocol and more.

We’re working a Security Engineer role at a major ecosystem infra team right now and the shortlist is pretty thin. People who can actually do this job and have the seniority to push back aren’t sitting on the bench!

So if you read the KelpDAO post-mortem and thought “glad that wasn’t us”, go and check who actually owns security at your protocol. If it’s an external firm plus a mid-level engineer picking it up on top of their other work, you might wanna reassess that.

We’re more than happy to give you a bird’s-eye view of what the security talent landscape looks like right now. Just leave a comment below or send us a DM and we can connect you for a chat this week.

Written by Henry Mohr, Consultant