Special Report
Jason Lau — Top Cybersecurity Leaders 2025
Cybersecurity endgame: Staying ahead of the attack

Chief Information Security Officer at Crypto.com, Jason Lau, discusses his cybersecurity career and the role of strategy in the industry.
There are many lessons security leaders can glean from games of strategy. A passionate chess player who has been playing since the age of three, Jason Lau says the game has helped influence his style as a leader in the cybersecurity industry.
“Winning in chess isn’t just about the next move; it’s about controlling the board and adapting to every challenge. In cybersecurity, success isn’t just about defense — it’s about recognizing patterns, anticipating threats, and staying one step ahead.”
Many see chess as a simple win-or-lose game, a clear black-and-white contest. But in reality — just like in cybersecurity — the line between winning and losing isn’t always so clear. Every game, every move, whether it leads to victory or defeat, is an opportunity to learn. The more you play, the more you refine your strategy, anticipate threats, and prepare for the next attack, Lau says.
“Cybersecurity, like chess, requires a strong foundation — certifications, experience, and hands-on practice. Chess theory alone won’t win the game,” he continues. “You need to make your moves, test strategies, develop your own style, learn from mistakes, and adapt. The more you play, the sharper your skills become.”
Lau says that the lessons he has learned from chess have not only shaped his approach to cybersecurity but also influenced how he manages his teams.
“Building a strong team is much like positioning pieces on a chessboard — while some moves are obvious, supporting pieces can often be more strategically important than they first appear,” Lau says. “In the same way, a CISO must identify hidden skills and untapped potential within the team, ensuring the right people are in the right roles at the right time.”
Lau, an award-winning cybersecurity professional with 25 years of experience in the industry, is currently CISO at leading cryptocurrency trading platform Crypto.com. Previously he served as a Cybersecurity Advisor at Microsoft. He currently sits on the global Board of Directors for ISACA and the advisory board of BlackHat, is an adjunct professor of cybersecurity and data privacy, and contributes to various think tanks, including the World Economic Forum expert network, Forbes Technology Council, and Centre for Information Policy Leadership, to name a few.
Hacking, gaming, and the path to cybersecurity
Lau says he has always been fascinated with taking things apart and putting them back together, which is what drew him to study Mechatronics Engineering, a unique field combining robotics, computer science, mechanical engineering and electrical engineering.
“At university, we were encouraged to explore, take things apart, and understand how they worked. Following in my father’s footsteps, I was always looking for devices and gadgets to modify, enhance, and push beyond their intended limits,” he says.
At the time, PlayStation consoles and games were region-based, limiting access to the latest and most popular games in certain areas. Driven by a passion for ethical hacking and exploration, Lau took on the challenge of modifying his first-generation PlayStation, enabling it to bypass regional restrictions and play discs from around the world.
Modifying gaming consoles was just the beginning of Lau’s deep dive into technology. At the time, the concept of cybersecurity as we know it today didn’t really exist. As the Internet was emerging, he began working for a software company specializing in systems management and monitoring, gaining exposure to how major organizations operated.
“I had the opportunity to work closely with some of the world’s largest organizations — including global corporations and governments — seeing first-hand how they approached security in its early stages, long before cybersecurity became a defined field,”
In his current role as Chief Information Security Officer at Crypto.com, Lau describes the job in two parts: an internal role and an external one.
“Internally, consumer protection is my top priority. Securing our global customer base requires building and leading a team that oversees cybersecurity, data privacy, blockchain security, and — uniquely in our company — IT network management and operations as well,” Lau explains. “Externally, I work closely with regulators worldwide, from Europe to the Middle East, Singapore, the United States, and beyond, ensuring security compliance and shaping industry standards. Beyond regulatory engagement, I actively advocate for stronger security across the industry and work to bridge the gap between the cryptocurrency and Web3 ecosystem and the ethical hacker community. This commitment led to launching the largest-ever Bug Bounty Program with HackerOne, offering $2 million in rewards to strengthen our security posture.”
Being at Crypto.com has brought many career highlights and accomplishments, but for Lau, none surpass the opportunity to build a security team from the ground up. Unlike the typical CISO career path — where leaders often move up the ladder and inherit existing teams — Lau had the rare chance to assemble, develop, and scale a team from scratch, shaping its culture, strategy, and capabilities to meet the demands of a rapidly evolving industry.
“It’s rare to have the opportunity to build a security team from the ground up, especially at a large financial institution. Typically, that only happens in startups, and even then, scaling from a startup to a unicorn is far from common,” Lau reflects. “We’ve grown from a $0 business to a trillion-dollar enterprise with over 100 million customers — and we’re scaling even faster. Building a team that could grow alongside that trajectory has been one of my greatest accomplishments. At the end of the day, I am the sum of my team, and this success is not just mine — it’s a testament to the collective effort of an exceptional group of professionals.”
Lau recalls that when he joined in 2017, the crypto industry was like the Wild West — largely unregulated with no established playbooks or industry standards. Rather than waiting for guidelines to emerge, he took the initiative to apply the strictest banking security standards, including ISO 27001, ISO 27701, ISO 22301, SOC 1 Type 2, SOC 2 Type 2, and government-led frameworks like the NIST Cybersecurity and Privacy Frameworks. This proactive approach helped build Crypto.com's credibility, establish a strong security foundation, and position cybersecurity as a core pillar of the company’s strategy — a decision that, in hindsight, was instrumental in earning customer trust.
The CISO role
When it comes to success in cybersecurity, Lau cautions that the role of a Chief Information Security Officer (CISO) isn’t for everyone. It demands relentless passion, resilience under pressure, and the ability to navigate a constantly shifting battlefield.
“Being a CISO is not for the faint-hearted. The role is a delicate balance of governance, risk, and compliance, combined with deep technical and operational focus. You’re constantly adapting, always playing catch-up with evolving threats. The reality is, you’ll never be ahead of all of the attackers — you can only work to stay one step behind them while fortifying defenses and anticipating their next move, so that you can react faster with your incident response,” Lau explains.
Lau believes that true success extends beyond securing an organization — it’s about giving back to the industry and leaving a lasting impact. He says the modern CISO is not just a defender of networks; they are thought leaders, educators, and strategists who help shape the future of security. Serving on boards, advising emerging companies, mentoring the next generation, and contributing to industry standards are all ways experienced CISOs can drive long-term resilience beyond their own enterprises, he says.
Mentorship, in particular, is a responsibility Lau takes to heart. He often reflects on the profound influence of his late mentor, Professor Kenneth Morgan, whom Lau credits with shaping his approach to security and strategy.
“Prof. Morgan was by far the most influential person in my professional career. He was always discussing scenarios at the intersection of cybersecurity, economics, and politics — long before others were even thinking about it. He was a masterful strategist,” Lau recalls. “He emphasizes that true growth comes from learning from those with different backgrounds and experiences, reinforcing the idea that cybersecurity is as much about adaptability as it is about expertise.”