CIAM

Rela8 Roundtable: What Brands Get Wrong About Customer Authentication

Published On
Jul 14, 2022

Transcription

Francesca

So I'm delighted to introduce your moderator for today's session, Richard Malach. Richard will be here to make sure the conversation stays on track, make sure that you all get the chance to speak. And of course, we could not have these sessions without our sponsors. So I'm delighted to introduce Justin Mingo from Beyond Identity. We've also got Chris Shipton here from Live Illustration. So he'll be picking out the key points of your discussion and live illustrating them on the screen. 

I'll spotlight that too at the end of the session and I'll also share it to you via email. I'll be here for the next 90 minutes with my camera off, but if you need anything at all, please don't hesitate just drop me a message in the chatbox. So without further ado, Richard, I'll hand over to you and I hope you enjoy the session. 

Richard

Hi, everybody. My name is Richard Malach and I'll be your moderator for today. So let me tell you a little bit about myself. I've been a freelance consultant in cybersecurity, we never used to call it cyber security, for the last 25 years, traditionally in infrastructure. I've been working very closely with identity, both employee identity and customer identity, for my blue-chip customers for a few years now, and certainly, it's a subject I'm really passionate about. 

We are really, really fortunate today to be joined by Justin from Beyond Identity. So Justin, why don't you tell us a little bit about yourself? 

Justin

Hello, everybody. My name is Justin Mingo. I am a marketing manager here at Beyond Identity. I've been working with our marketing team to sort of spread the good word about what we do here at Beyond Identity in regards to both workforce and customer authentication. 

Richard

Thanks, Justin. Right. So this is going to be...this is quite a nice number, six of us, we're going to pretend we are sitting around the same table. So if I could ask Jacob and Matt, if you could turn your cameras on so it'd be like we're having a nice intimate chat. 

While we're talking, if there's anything anybody wants to chime in either use your raise hand, or raise your hand on the camera, or drop something in the chat, or just start talking. I'm here to moderate and hopefully, we'll be able to get everybody's ideas across and everybody gets a lot of good stuff out of this. So what I'm going to do is just going to go around the table, if you can all maybe introduce yourselves, say who you are, what you do. 

And really, what's top of your mind, what are you bringing to the table today? So let's start with Ido. 

Ido

So I'm Ido Dubrawsky. I'm the CISO for the Emmes company which is a CRO, a contract research organization in the Maryland area. But actually, we are a global company. We have acquired multiple smaller biopharmas. So we have both a public and a private biopharma organization. We do a lot of work with the U.S. government on health studies, vaccine trials, you know, study development, but we also work with private biopharmaceuticals. More or less, you know, some of our challenges are that we need to be both FedRAMP moderate and FISMA moderate compliant. So we're trying to find, you know, we're always on the lookout for better ways of doing it because we are currently using a multi-factor authentication solution as part of our overall authentication package. 

But we're trying to find ways of improving that so that it's less onerous on our endpoint users, as well as be able...something that can be scaled up to deal with a lot of our study clients and our study participants. 

Richard

Okay. Thanks Ido. Steve, why don't you tell us a bit about yourself and what's top of your mind? 

Steve

Yeah. Hi, Steve Giovanni. I'm the chief technology officer for Ventra Health. We're a revenue cycle management company. So, you know, authentication and identification are core to a lot of our processes in healthcare and making sure that those are secured properly. So like Ido shared, we have a multi-factor solution in place. 

But, you know, what he said that really resonated with me, which is the main reason I'm here today, is I want to... I always keep my eyes and ears open. Are we doing what's best, or has somebody else figured out something better than us? We want to always be learning and sort of improving. 

And the biggest thing I'm looking for is kind of a solution to the problem of, with multi-factor authentication...okay, I think we all agree in the industry MFA is not just needed, it's kind of mandatory, it's kind of a must in 2022, right, like, we're all there. But the problem that it puts out that I don't hear talked about enough is that there are situations where you need to have shared log-ons, right? 

So, like, you need to have a team because, like, you know, maybe we have a vendor that will only give us let's just say one account for our organization, okay? And now we have a two or three, or five-person team, and it's assigned to one person on that team, and maybe it's tied to their cell phone, for example. 

And then they're out on...maybe they're sick. How do I, you know, effectively leverage that? There are some interesting things we can do with technology to get around that. But that's kind of a question I'm always sort of percolating on. 

Richard

Steve, that's a great...sorry, Justin, I didn't mean to... 

Jacob

No, no, no worries. I actually have a quick thought on that too to chime in, Steve. It's one thing that we actually encounter in our team as well, especially in our IT help desk where we have one login to, like, an O365 instance, but you've got six people working. And so, one of the things that we looked at was we use essentially an SMS-capable platform that pipes right into Microsoft Teams. 

And so, it comes into a Teams channel in that group so no matter who it is, they're able to get that authentication message right there. So yeah, definitely hear you on that problem, and that's definitely, I think, a common trend across teams that are having to work like that. 

Richard

I think slightly maybe coming from a different perspective. Part of it, yes, it's protecting the account, protecting the credential. But part of it as well, if you've got the same accounts, then how can you track that you haven't got any sort of insider threats? 

We've actually got in the airline...so my customer is a major airline group at the moment. And we're doing...I know we're talking about customer but actually, this is actually the employee identity side of the platform. We're adding a lot of security controls or [inaudible] security license to Office 365. We've got a big problem with what we call generic accounts and shared mailboxes and we're looking at having to look at ways so we can pick that up. 

Because it's one thing saying yes, it's easier for teams, and one of our international airlines is actually using this. For teams to share an account, share a mailbox, and share [inaudible]. But if somebody decides to do something we don't like, then there's no way of tracking who that person is. So we're now looking at different ways and actually making sure that our first thing is to give everybody a credential, and then see what technologies we can actually use to share that as long as they log in with their own credentials. 

Jose

You lose auditability, you lose, you know, if it's something critical and a regulator comes along, and decides like, hey, you know, prove to us that you don't have anything malicious or unauthorized people are not accessing this resource or this account. And when you have a shared account like that, you can...you'll get torn apart in the audit real fast. 

Richard

Yeah, that's it, Jose. Jose, do you want to tell us a bit about yourself, who you are, what you do? And by the way, you've just given away the magic. 

Jose

Hey. Yeah, my name is Jose Pasillas. Infosec for 12 years. Been in various functions within infosec from engineer to leader to, you know, be so doing a fraction of the CISO job. And, you know, what I'm focusing on now is the SOC and event detection and stuff like that. 

And being that we are the SOC, very interested in identity and auditing, and, you know, ensuring that authorized people are the only ones accessing things, and their IAM solution is working. And we can verifiably tie people back to who they say they are. And so, I'm here primarily to just listen. 

And it was mentioned earlier, I think Jacob said just that...or not Jacob I think it was Steve that might have said that if anyone is doing anything better, you know, want to be part of listening to that and re-evaluating the tactics and the operation model, whatever, just to inform my own operations and the team. 

Richard

Thanks, Jose. Bill, why don't you introduce yourself and what's top of your mind? 

Bill

Hey, nice to meet everybody. My name is Bill, chief information security officer for Emburse. We do expense management, invoice management, and card issuance. So we're in the FinTech space, so if you do your expenses through Concur, or [inaudible], one of those, we are up against these guys in that space. And let's see, we've been growing through mergers and acquisitions, so a lot of M&A activity. 

Thirteen different SaaS products that we have right now have various types of authentication. We are considered a data processor for the data controllers across the globe, so the companies are data controllers. We utilize a ton of single sign-on, but we are right now getting into a whole bunch of FIDO authentication that we're looking at both through Google and also through OAuth, Auth0, excuse me, Auth0. We're trying to figure out what our customers are driving us towards, we want to make sure that we can be at the tip of the spear for them. So there's a myriad of other things. You know, I love the fact that you said FedRAMP moderate, we are starting our entire process in that space. 

We do 25 different audits a year between the 9 SOC 1s, 9 PCIs, 4 SOC 2s, and then we do 3 ISO 27001s and we're about to kick off our ISO 27701 next week. So we are in the auditor's chair every other week of a calendar year. 

Richard

Bill. Jacob, why don't you tell us a bit about yourself and what do you bring to the table today? 

Jacob

Yeah. So, hi, everybody. I'm Jake Shields. I'm the director of customer experience and technology at Guide Star. It's a division of CCI Systems, so we are primarily a managed services help desk along with a 24/7 contact center and network operation center. 

Eventually, we'll become a SOC as well as part of our transition. But from my side, it's always...it's more about the customer and really explaining to the customer why identity management and the authentication, multi-factor, and all these security measures are really put into place. And it's not so much that it's always just about protecting us, it's about protecting them and their information because, at the end of the day, they're the one who pays our bills. 

So really explaining to them why we're enhancing security, why we're putting all these different tools in place while it might seem cumbersome, it's more about the protection around it. 

Richard

Absolutely right. And Matt, why don't you introduce yourself and what's top of your mind? 

Matt

Sure. So I'm Matt Moore and with IHG InterContinental Hotels Group. So I have been at IHG for about three years. And when I joined, we were embarking on probably what is our first really major foray into the customer space. 

Before that, you know, if you used our loyalty program, for instance, you would have been able to log in and you might still be able to log in with a nice handy four-digit PIN. So we are, I would say, on the initial part of our maturity continuum when it comes to this space. So really just...you know, I come from financial services background, consulting background so know what good or better looks like but would love to hear kind of what the latest and greatest is and what folks are going after at this point. 

And that's about it. 

Richard

Brilliant. Okay, thanks, Matt. So we have a good chat today. The topic of today's conversation is What Brands Get Wrong About Customer Authentication. So I'm just going to ask our thought leader, Justin, just to set the scene for today's conversation. 

Justin

Okay, sure. So what we found...excuse me getting a little bit of a cold. But one of the things is that people always, at least historically, have seemed to think that user experience and security are somehow incompatible. 

And that's generally across whether the consumer space or the workforce space. But that's basically one of the things we're trying to change now, especially given the importance of MFA coming along; the Office of Management and Budget at the White House is requiring this. And everybody is seeming to jump on the MFA bandwagon, but not all MFA is equal and that's especially true in the customer space. 

And the user experience aspect of it is even more important in the cyberspace because customers don't tolerate a bad user experience, even if it's "for their own good" in terms of logging in. So we need to have something that doesn't get between you and your customers yet gives the necessary level of security that protects both you and your customers from the dangers of ransomware or some other credential-based attack. 

And so, I don't want to say MFA 2.0 because that sounds like some sort of craziness. But there's, for lack of a better term, a better way to MFA to put it simply at least. 

Richard

Other way to MFA, we're not talking passwordless authentication, are we? 

Justin

Well, indeed we are. There is passwordless authentication, but there's passwordless authentication that's within your wheelhouse. You shouldn't have to trust Google or Apple, or whatnot, because they can deliver the UX aspects of it, but they don't deliver the security aspect of it that would again protect you and your customer. 

Richard

Okay. I mean, I'm actually interested. I mean, how would you look to do that? 

Justin

So the way that we do it is that...a lot of other people, you might have seen Apple in the news where they're talking about their Keychains or whatnot, that's effectively a password manager. And yes, it may remove the experience of the password from the customer's eyes, but it doesn't remove it from their accounts. 

So if you're using Keychain, that customer can still get hacked. And if it's on somebody's server, then it could still be stolen. If that password still exists, it can be phished, it can be stolen, it can be done with whatever an evil person wants to do with it. A solution that I'm looking at basically binds immutably the person to the device. 

So it's using MFA in terms of what you have and what you are, rather than what you know. That shared secret, that password, is what gets you in trouble, what leaves you vulnerable, and then that can really tear you apart. 

Richard

Yeah. Certainly, knowing the customer, it's all these...one thing is employee passwords, but on so many websites, I just get so fed up with different POP passwords, different formats. And most of the time, it's not really that necessary that I keep a lot of these; shops or accounts I buy things from once. I have to keep on top of all these passwords, it sort of drives me a bit insane. 

Justin

Yeah, it's a major problem, I mean, 60% of online consumers reuse passwords or use simple passwords because they don't have the bandwidth to remember a different account for 137 different vendors. But here's the newsflash: even if you could, it still doesn't make you safe because no matter how crazy or strong, or convoluted your password is, if it exists on multiple servers, it can still be stolen. 

Or if some ransomware agent can put up a site that makes you think that you're at such and such.com instead of the real thing, they can still be phished, you can still convince a customer to do something so. 

Richard

You know what? It's actually great, you know, on the introductions that everybody is here to find out a new and better way of doing things, so it's a great way to start. But we're all from reasonably different industries. So I think actually if we can dive into our discussion points, it'd be really interesting to know round the table from your own perspectives what really frustrates your customers about their authentication journey. 

I saw Jose was sort of nodding along to some of this stuff you were saying, Justin. So Jose, can I get your viewpoints maybe start with you? 

Jose

Yeah. Justin talking about...yeah, it's funny that Apple's like, "Oh, we're different." But no, you're not. You're just...yeah, it's not. Having a lot of experience in nefarious thinking in activities legally...I'll say legally, let me make that disclaimer. 

I can tell you that it's a lot easier than people think to steal passwords, steal, you know, other things that you can use to authenticate as that person. I will say one of the most frustrating aspects and you pointed it out, Richard, is that, you know...I think it was sorry, Justin. If you're across 137 sites or 137 tools having to go across and remember all of that and somehow keep those credentials in mind, unless you have a photographic memory and you scan the sheets of all your accounts and passwords, I doubt you'll be able to keep up with it in any other way. 

But yeah, it's really that jumping between. And when you're doing, for instance, a lot of M&A activities, it's hard because...at a previous company I worked at, they did a lot of M&A and that's how they grew. And going across the disparate platforms and having to get service accounts or a different type of account for each organization that's brought into the fold, especially if they're...and they're not unified ever when they first get acquired, of course, we all know that. 

But really managing that is frustrating to the engineers, it's frustrating to the customers. "Well, what do you mean this is my bank over here?" "Well, you just got acquired now you have to go do over here," but you're still authenticating back to your old portal for other functions. And it's really the frustration piece...and I'm in FinTech as well. That frustration piece is managing and making it seamless between both of those platforms. 

That right there, I've seen the most feedback both from an engineering perspective and customer perspective. 

Richard

Let's get a slightly different viewpoint. So Steve, from a health perspective, is this how you see things? I mean, what about your industry? What are your challenges? 

Steve

Yeah, you know, our biggest challenge in the healthcare space is...I alluded to it earlier, but to unpack it a little bit more. You know, so we are almost a middleman between...you know, we're in revenue cycle management, which means, like, we handle the billing end-to-end, the full revenue cycle for, like, hospitals or different medical health groups. 

And so, we will have to, for example, deal with an insurance carrier. And the insurance carrier will, let's just say, only give us one log-on. And that log-on will be tied to, you know, a...you know, depending on their system. Somebody else brought up the point that not all MFA is equal. 

And I concur with that wholeheartedly. And the challenge I have is, I feel like our solution is great, but the challenge I have is managing and interfacing with the rest of the world. There are some great open standards, you know, like TOTP that I absolutely love because...you know, for example, we use an enterprise password manager called Bitwarden. 

You know, you guys talked a lot about managing all these different passwords. We can do that and we can audit all that access so it meets the auditor's requirements for like a SOC 2, right? Because I can show you exactly who accessed what password. And Bitwarden even supports TOTP codes so I can even take it one step further. The problem I have is, not every system outside of our control plays by the best standard. 

Sometimes they'll lock it down, you know, to just a, like, text number which I can get around with, I can have a RingCentral distribution group that shoots out to multiple people. Although then I do lose the auditability. 

But there's even worse than that sometimes, like, people will implement Duo, for example, very, you know, widespread industry-standard in MFA terms. But a Duo account will very often be restricted to a single mobile device. So my struggle really is, you know, how do we balance? We all agree, we want MFA. 

I agree completely with, you know, Justin's comments around passwords and how vulnerable they are and how I think passwordless is the future. In fact, I don't understand why we as an industry haven't moved further towards passwordless by now, quite frankly. But in the meantime, especially in the healthcare space, I mean, you guys...I'm sure I don't have to tell you guys that oftentimes, like hospitals, sadly, are way behind the curve from a technology perspective, way behind. 

So, you know, trying to balance, Richard, the, you know, best practice security with, at the end of the day, a lot of times my business is telling me, that's all fascinating, Steve, but we still have to operate the business, we still have to get stuff done, figure out a way. 

And so that's tough. 

Richard

Steve, how do your customers feel about this? Do they get frustrated? 

Steve

So it's interesting, yeah. The customers from their perspective... because, like, we'll say something to the effect of, well, you know, XYZ party, XYZ vendor, that's really the customer's vendor, but we're having to interface with because it's their partner, their customer, or their vendor of choice. You know, we'll go to our customer and say, "Oh, well, they're not wanting to play nice, they're not wanting to give us multiple accounts." 

Because we would be fine saying, okay, everybody, you know, gets their own account, gets their own MFA codes or whatever. But a lot of times these vendors will just quite frankly, say no. And so, the customer almost doesn't care. Like they're looking to us to just solve the problem, right? They're looking to us to just provide the service and go figure it out. Like, they're not really willing to sort of get in between or get involved so it really falls on us to figure out things. 

And again, sometimes we can in terms of coming up with creative technical solutions, but it's also tricky to balance that from a reasonable, you know, auditability standpoint. 

Richard

It's funny actually you say that, Steve. I'm just going to go on to Ido in a moment. But it's just funny you say that because customers are just generally found. Just don't want to do any sort of due diligence, they want to know I'm buying stuff off you. 

Ido, what about your customers? 

Ido

So the problem that we have is that our customers...the vast majority of our clients are endpoints sites that are run by individuals who have...well, to be honest with you I'm just saying bluntly, they're extraordinarily technically, I wouldn't use the word inept, but certainly would use the word innocent, okay? 

They want the minimum amount of effort, they are accustomed to pass...you know, the question of why haven't we gotten rid of passwords? That's a question I've been wondering for years now. You know, everybody says, you know, we've got to move away from passwords, move away from passwords, seems like nobody wants to make the move. But part of it is also because there are these people who are holding you back. 

You know, it's also that like, from my experience, in some of our studies, we're dealing with people who are very marginal. I'll give you an example. We have one particular study that is done through the National Institute for Drug Abuse. You're dealing with people who are either recovering from drug abuse or are still drug addicts, okay? 

It's one thing to get them to, you know, be able to handle just being able to log in, you know, as part of the study to say, hey, I'm checking in, or whatever. It's another thing to say, okay, now, you got to do this complex multi-factor, you know, you need to have a multi-factor authentication, maybe...do we send you an SMS code back, what do we do? 

And to be honest with you, I'll tell you, SMS codes are not multi-factor authentication, okay? That's just not it, okay? And on top of that, we're also global in that we are dealing...we have connections coming in from multiple locations all over the world. These are sites in Africa, sites in Southeast Asia, where you don't know, you can't really know who is on the other side. 

But these are people who are enrolled in these studies by the site, and we have to be able to allow them to do what's called patient-reported outcomes, PROs are what we call them. But they need to be able to connect in and do that. And we have to have some level of certainty that they are who they are. So in essence, you know, we are kind of held back by the lowest common denominator that we're dealing with, okay? 

I look at it from the perspective of I'd love to go to something that is much more sophisticated maybe even passwordless for my folks. I mean, one of the things that I prefer, particularly myself personally use is with Microsoft, you know, I go into my personal Office 365 environment, I don't put in a password. It actually pushes back to my authenticator saying what number showed up on your screen, you know. 

And I'm like, "Great, I don't have to remember." Because to be honest with you, I could not remember my Microsoft password. But what I'm saying is, I'd love to have that, but that's just too sophisticated from our perspective. So really, what I feel is pulling everybody back and making it harder for this transition to a much better situation, is the fact that we are always dealing with the lowest common denominator. 

And I don't think that it's ever going to go away, I think we are always going to have to live with this burden, you know, it's like an albatross around our necks. 

Richard

It sounds like that, somewhere in the future, please. 

Ido

Well, in the future, you know, when I'm going to say beam me up, Scotty, there's no intelligent life here, then, yeah, I mean, it'll be all gone, you know, there'll be voice authentication, who knows what else. But for right now, this is where we are and this is the struggle that we have. I can deal with it from my employees' perspective, but from the fact that I have to provide a service, and I have to provide this access to our system, to our EDC, to our electronic data center, health center system to people that I have no clue who they are, and that they have to have the simplest access that we can possibly give. 

I have to live with this as like this constant oh, my god, do they have a real password? We tried to put in...you know, we tried to follow the NIST digital identity rules, but even then, it's still too difficult to...and we have to revert and allow for passwords that are much simpler. 

The best solution...one point that I kind of relented on was where they said, "Well, can we send them a survey where it's an SMS text message, they can go to the survey and they can input their information," and I'm like, "You know, is it authenticating, is it encrypted, you know, what's going on? You know, tell me?" And the developer is like, "Well, we're trying to get this as easy as possible for them." And I'm saying, "But easiest possible for them makes it as hard as possible for me." 

Sorry. I'll get off my soapbox. 

Richard

That's fine. That's fine. I want to go briefly to Justin just so you can have a chance to address some of the good points. I'm going to go over to Bill straight after. 

Justin

Okay, excellent. Thank you. So honestly, I'm loving what I'm hearing so far. And Ido, you have made my favorite comment so far today. SMS codes are not MFA. And I really want to impress upon that because there are so many people who still don't get that. I mean, obviously, the people in this room get it because you are all CISOs and equivalent, whatnot. 

But that's something that the general public hasn't really grasped yet. That stuff really can be phished, and so SMS codes can be broken. I actually did a webinar...because I'm the marketing goon. I actually did a webinar a couple months ago, where our CTO actually got on live, and hacked through an MFA and just showed people how it's done, and just how simple it is. 

So that's really impressive. But another aspect of what you're dealing with is that...so you sort of have a captive audience here. I mean, a lot of what I've been dealing with and a lot of our customers are more e-commerce-focused. And so, I can sit there and rattle off things about how, say, 76% of customers will abandon the cart just because they don't want to go through the difficulty of having to set up an account and do passwords and whatnot. 

But you're dealing with a captive audience who has to do something. But at the same time, I respect that you need to find an easier way to help get them authenticated. So I mean, for example, well, I mean, the solution that we present will have you use the biometric on your device in order to help log in and, as I've been saying before, bind that person, the identity, to that device. 

Ido

I was going to point out one thing that I wanted to mention. Obviously not in my current employer, but my previous employer, one of the things that we did was...to get around that, to kind of make it a little bit easier, was we used what was called risk-based authentication. It was a tool called ThreatMetrix. 

I mean, I think they got purchased by LexisNexis. But ThreatMetrix allowed you to evaluate a person's behavior, the connections behavior, did it match previous connection behavior, did it seem to make sense, you know. You know, was it way, like...you know, earlier today, he logged in from Los Angeles, and then suddenly, he's logging in from Moscow, okay, three hours later. 

Not really possible unless, you know, obviously, using Tor. But nevertheless, and it would then say, okay, you know what, something is fishy about that. And then it would say, okay, now you have to do multi-factor authentication. Whereas had it just been one....let's say earlier in the day, Los Angeles, in the middle of the day Los Angeles from a nearby location, it would say, okay, you know, he just moved a couple of blocks over and, you know, was logging in from his cell phone, who knows. 

And they track what is the agent on the other side as well to say, is it the same agent? Is it a different agent? So we use that as a way to simplify so that we can say yes, you can do password as long as you don't do something that is funky. 

The minute you do something out of your behavior model, then you pop up the multi-factor and you say, you got to really prove who you are. 

Richard

I can see Bill's got his...Bill, you've been really patient. So over to you, Billy. 

Bill

Thank you. I've got five kids so that teaches me how to be patient. You know, you mentioned that comment on the NIST 800-63. So when we take a look at identity and access management, we actually started there at the enterprise level. So we want to make sure that we can go through that exercise at the enterprise level. I mentioned all the different audits that we go through, making sure that we could arm wrestle all of the auditors to make sure that they were able to accept the fact that we have longer passwords that expire less frequently, was one of the areas that we were focused on at the enterprise. 

So now that we've been able to get through the enterprise aspect of identity and access management, now we're taking a look at that customer face. You mentioned another key piece earlier as well, which was we're always going to be brought down by the lowest common denominator. We see it all the time with some of the legacy systems. We're seeing it right now with head-on battles with TLS 1.2 versus 1.3, and some of the connections that we have through, we've been told that we have to maintain it. 

We said, "Well, that's going to be a challenge for us." We have companies as some of the largest companies you could imagine down to some really small law firms that don't have anybody able to go in and actually update or patch vulnerability issues inside of their own environments. So with that said, it really does speak directly to, let's rethink how we handle identity access management. My whole focus is I've been...the eliminate-the-password guy since I've been in senior security roles and really, that's an area that I'm very focused on. 

I mentioned in my open, just trying to figure out how we can start getting to FIDO authentication, figuring out how we can get into some of these passwordless solutions. How can we get into the passwordless, how can we do a better job with the technology. Technology is doing great; people are going to be the ones that are always slowing us down inside of this area. 

So I think it's incumbent on us to make sure that we understand what standards are. We can agree to the standards, and then we just run with those standards. Otherwise, we're going to be mired in the least able to go forward. I think we have an obligation as security leaders to bring them up, opposed to having them bring us down. 

Richard

Okay. Jacob, is that how you guys see things? Jacob then Matt if I may. 

Jacob

Yeah, and I think the passwordless is huge. And really, Ido, kind of going back to what you were talking about, the biometrics even. One thing that we're starting to see even in the call center industry overall, is the evolution of voice biometrics. So when you make a phone call, and you're going through a phone system, and you're getting ready to authenticate because you need to make a change on your account, you need to update your services, you want to cancel. 

It's doing a voice biometric authentication as part of that process. And so, now you're taking away where you maybe had like a CPNI requirement of cool, give me a passcode, tell me what it is to log in, or even going to a website and getting that text message or the MFA pop up. You know, now we're starting to get into more of that biometric aspect. 

So we're starting to get away from the manual aspect. And that takes away the phishing aspect as well because you can't call in and start probing call center agents or agents that are going to be, you know, asking you the questions. You can't get around that biometric aspect when you start to do a voice match. I mean, it's just the technology is starting to evolve. 

And you're right Bill, the technology is there, it's the people implementing and the people using it that are really going to be the challenge to really adapt to it. 

Richard

You know, when we talk about biometrics, I'll tell you what sort of scares me. We only have one set of biometrics so if my biometric data is compromised, I can't exactly change my fingerprints, or my voice pattern, or my retina, you know. 

Jacob

When that comes about, you know, we've gotten way too far into the future. 

Richard

I have to say we're getting to deep fakes, you know, it's all very worrying this sort of thing. It's... 

Jacob

It is but I think one of the challenges even with like a voice biometric is trying to really get past the system. I mean, the technology is getting more and more advanced where it's able to really determine. And if it cannot effectively determine that you're right or that person calling in, you're essentially going back to another method, there's follow-up methods. 

So I mean, you can try to get around it, but I haven't seen anybody really do it too effectively at this point. 

Richard

So Matt, one of your say no to privacy team. So what are your views? What really frustrates your customers? 

Matt

I would say biometric has become a little bit challenging for privacy, right? So being a global company, we have not only one, you know, privacy or a bunch of state privacy expectations, but we also have privacy expectations from just about every country in the world at this point, right? So as soon as we start talking about things like passwordless, biometric, anything like that, even if you could convince somebody up one side and down the other, that you're not going to "store that data anywhere" like we totally promise, good luck convincing a privacy team with that. 

So that's one challenge we've kind of had going down that route. It doesn't mean we can't do risk-based authentication or something along the lines of multi-factor to get to something that resembles passwordless. But I think totally going away from giving folks the choice of having, you know, just a basic MFA, you have something you know, I feel like we're probably not going to get away from that. 

But I would be curious to know, you know, when it comes to something more like risk-based and speaking of kind of weighing the risks. Has anybody had experience or kind of gone down the route where they...you know, I think we've all kind of talked around the concept of convincing the business, right, convincing the revenue-generating side of things that we need to do the best practice security. 

You know, to what extent if you've looked at how to balance that, right? You know, so showing what the risk is of not doing it, whether it's from fraud or account takeover, or anything on our side that we can see, balanced with, you know, what we think talked about right, which is that loss, you know, whether it's perceived or real, loss of revenue or abandon on the customer side. 

Just curious if anybody has kind of gone down that route to kind of explain why the juice is worth the squeeze on the security side. 

Richard

So maybe that's a question for the table. So why do we go round if you guys want to sort of offer some opinions? So we'll go back to Justin at the end of it and see what his experience is with his customers are. So, Bill, I can see that you wanted to say something. 

Bill

Yeah. Thanks. We have set up a...we have some progressive clients who very much enjoy having very specific conversations around everything from encryption to how we handle data governance. And we have four of these clients who we would consider more advanced. 

We want to work with them to develop some of the passkey-type solutions that are out there right now. So we feel like we have an opportunity to help and lead inside of this area. We're always looking for differentiation between us and our competitors. We actually see this could be one of those areas as we take the mantle of privacy, we take also that focus around identity, and we're able to work with them to create that solution. 

I've had courses, I guess you could call them 30-minute sessions with senior leaders in the organization everywhere from implementation to sales leaders to help educate them as to why it's a problem and what we want to do to address it. And we start to be able to show what this vision and strategy looks like opposed to being reactionary in that area. 

So I'll let you know how it goes in about three to six months. 

Richard

Thanks, Bill. Anybody else got any words of advice they can offer on this? Ido. 

Ido

We're talking about the risk-based authentication

Richard

Yeah, so to Matt's earlier question. 

Ido

Right about whether it's...how do you sell it to the higher executives, the greater powers that be? So right now for where I am, it's a non-starter at the moment because of costs. I know that every...my experience with...well when we used ThreatMetrix in the previous employer, there was, you know, every single record, every single, you know, user ID was a specific cost, where we had to build that into our overall charge. 

So we had to somehow show that it's not going to be a sink for the business. I mean, I hate to say it, I mean, you know, you're dealing with people who they just look at it from a numbers perspective. But the flip side of it was, we had a really good argument because in those cases, just as Matt was talking about, it helped us, especially from a fraud perspective, tracking down fraud, tracking down account takeovers, preventing account takeovers. 

There was at the very end, before I left, we had a rather large customer who was kind of...you know, we were tracking fraud from one of their own employees who was, you know, basically almost...you know, we had this...the deal where she was logging in creating fake accounts, taking over accounts from people within her own company, because she worked within the HR and so she had access to this. 

But we figured out that she was doing this and we were able to say that she was basically...the employer was one of these wellness organizations. So what would happen was that you would earn points, you get an Amazon gift card. It was hilarious because, you know, we managed to figure out that she was doing, like, somewhere around $100,000 within about a two-month period of gift card fraud, okay? 

It was not trivial. Hilariously enough, the people who really cared the least about it, you know, I mean, the client itself was caring about it, and we were able to get it stopped. The people who cared about the least was Amazon because they were like, "That's just like $100,000" that's like, you know, noise for them, you know, that's just nothing. 

But the thing was the cost every single time, you know, there are costs associated with some of these risk-based systems that you got to build into it into your price structure that you charge your clients. But you also need to then turn around and show the executives that it's going to save you on the other side, oh, look, we're having fewer fraud, I'm having to spend less time, I don't need to hire...I have more fraud examiners. 

I don't have to hire, you know, more forensics or consultants in order to dig into this stuff. You know, it really benefits you but you got to sell it from that perspective, that it's the fraud that you're saving is going to outweigh the cost that you're going to spend on that risk-based authentication. 

That's where it's really going to come in because it's going to help you with saving on the cost of the investigation, cost of what you have to reimburse people for. And the potential liability of lawsuits from the end-users who...doesn't matter, you can have some of the best security you want. They'll still turn around and tell you, you should have protected my account even further. 

You should have had, I don't know, you know, retinal scans for all I know, you know, some other strange thing they come up with. People these days, they'll sue at a minute's notice. So yeah, I'll stop there. 

Richard

Go on Jose, I can see you're about to say something. 

Jose

Oh, yeah. I'm right there with you. You know, it's something that...also what needs to happen is that...and how I've proposed investment strategies, you know, to higher executives, if you will, is that essentially, it's evolving. This is always evolving, attacks are always evolving, fraud is always evolving. 

So it's no longer...you know, I used an illustration earlier, it's, you know, this type of stuff is not like maintaining a diesel engine that only needs to be rebuilt 300,000, 400,000 miles later, it's not like that at all. And that's the traditional operating model a lot of executives, they don't want to make the spend. 

Oftentimes, dollars are already allocated and it's hard to pry them away to higher priority items that perhaps aren't higher priority in their minds. What I would say definitely is reputational damage these days is something that's hard to quantify, but has a very large financial impact. 

Above and beyond like Ido was saying just the operational aspects or the end-user lawsuits, or anything like that it's that reputation. If you get the reputation for not being able to secure your clients, your competitor is going to eat that up all day. 

And how many of us have gotten those emails from unscrupulous vendors who utilize the latest news item to say why they're better. And, you know, none of us want our company to be, "Well, x is why we're better," you know, we don't want to be in that slot. So it's not necessarily fear-based more so than data-driven many times with those higher executives in that the so what to the business is oftentimes what we're called on to translate from the technical controls or technical failings, whatever, to the so what does it mean. 

And really focusing in on the aspect of you're investing now to be ready and not be caught flat-footed in the future that's coming very quickly. 

Richard

I'm going to get a view from Jacob. I can see Jacob. Jacob and Steve, then what we'll do, we'll go to Justin and get his industry view. 

Jacob

So I think a challenge a little bit on Jose's point of view of not always a scare tactic. I think one thing that we've seen actually work pretty well on our side at least with the executive buy-in is that scare tactic. And as a CX leader and professional and thought leader there, like, one thing that drives me nuts is, like, that challenge and that risk to a brand identity. 

Look at SolarWinds, look at Kayako, some of these companies that have had major breaches recently, they were headlined all over. And do you really want to be that company? Do you want to be that one that's out there going yep, we got breached and oh, we affected, you know, thousands of customers on top of it. Your brand impact is tarnished for years to come. 

And that's one thing that would absolutely drive me nuts. And that's one of my biggest arguments that I would bring to the table is, how bad is it going to hurt us the second that we have that breach? And one of our VPs as well who's in IT and cybersecurity, one of the scare tactics as well that he uses plainly talking with executive leadership is, what's the cost? 

Your cost is going to be far greater than the investment. You're going to spend tons of money in the investigation, in the follow-up, in repairing brand identity, in winning back the trust from your customers. All it takes is that one time to break that trust, and you're done. 

Customers are going to turn, they're going to go elsewhere, and they're going to move on, and they're going to find somebody who does it better. And that's really the biggest thing right there is your revenue is going to be shot. 

Richard

That's a good point. Steve. 

Steve

Yeah, you know, I echo a lot of what Jacob said. You know, when it comes to any of these solutions, like, so we talked about risk-based authentication, that's an example of one where you do the cost-benefit analysis, and then it's up to us to make the business case to our leaders. 

And definitely what you guys have been saying is spot on. Like, it's up to us to lay out not just what the investment and the solution is, but what the potential, you know, cost savings is if we were to have our names, God forbid, be the next SolarWinds in the news. I mean, I get questions...I've never seen this before in my career, but I literally get questions from our clients now like, "Do you guys even have SolarWinds in your environment?" 

Like, that kind of question. That's not the kind of question I want to be highlighted on, right? So, you know, the thing is, like, it's up to us, you know, to balance all these different solutions because if we had an infinite budget, sure, yeah, we could have Okta, we could have, you know, whatever, it doesn't matter. 

We could have all these different tools and just overspend on security. The real challenge and what makes us, what I think separates us from, you know, if we're effective or not, is being able to proactively look at what is the best bang for our buck. And so, I'll give you guys an...just in full transparency. You know, we looked at risk-based authentication versus, you know, our implementation of MFA, and we ended up basically choosing after our cost-benefit analysis to really go to the well of the company budget, and have an investment on an upgraded SIEM. 

So we went with a Gartner Magic Quadrant, you know, SIEM, we just felt like that was the best fit for our budgetary dollars. Because, again, at the end of the day, it's all about...none of us have infinite budgets. And so, it's all about really, you know, trying to figure out what's the best bang for our buck. 

Richard

Justin. 

Justin

Yeah, I had a couple thoughts here. All of these are some great points being brought up. Just personally, when I think about risk-based authentication, my mind automatically just jumps to the idea of bringing MFA only to certain people, which I mean, to me sounds nuts. I mean, I understand why people do it because, you know, it's a user experience thing. You don't want to make people suffer through MFA yet, at the same time, that MFA is there to make sure that everybody is safe. 

It is there to protect your customers and it's especially there to protect you. So the way I think of it is, is sort of like in an airport. I mean, if you go to the airport to catch a flight, like, everybody is going through that security. And if you go through the security and then go back because you forgot something or want to buy a bag of chips, and then...they're going to make you go through security again. And so they don't pick and choose. 

They don't look at oh, well, that person over there has a goatee or a handlebar mustache or something who looks like a cartoon villain we're going to make him go through, but this sweet old lady she doesn't have to go through the security that's fine. No, everybody needs to be authenticated. So that's one thing. And if we're dealing with a type of MFA that is onerous or difficult, or obstructive, or friction full against your users, then that's the part that needs to change. 

So I mean, not having people go through the MFA, you're wasting your MFA. And if say, for example, if you're making people do MFA, for example, on workforce, we see this all the time. If you're making people authenticate with MFA once per two weeks, then that means that you have MFA once every two weeks, the rest of the time people get off scot-free. 

Another thing I just want to mention very quickly before I get off my soapbox because I want to spare all of you from having to listen to me for three hours. But another thing I want to mention is that device posture is important. So I mean having a solution...there are solutions out there that can look at device postures that will say, okay, well, as part of the MFA experience, that is something that the customer doesn't see but behind the scenes. 

Part of that experience can be, okay, well, we're going to look at your device and see how safe your device is, is that firewall turned on? Do you have antivirus installed, so on so forth? So you have things like that that can be part of your MFA process. Is this phone jailbroken, so on so forth? Just like I believe it was Bill who was talking about, oh, well, this phone is logged in from LA, but three hours later is in Moscow, that's a red flag. 

So you can have things like that too a solution that'll look and make sure that this device is relatively safe and has all the requirements that you need, in order to approve authentication, even if that person is known to be the proper user of that device. So there are lots of things you could add onto there, in addition to a frictionless MFA experience. 

Richard

Thanks, Justin. I'm just looking at the time, we're sort of top of the hour. I think this sort of segues nicely into a whole building that long-term relationship, customer retention side of things. You know, in my recent customer identity program, we've got a big challenge. 

I'm going to just kind of lay something out there just to get people's thoughts. We've got many operational companies, all of which have this great customer data where they can use for marketing purposes. They're all running their own customer identity systems, we're trying to convince them all to have a single golden record for the customer. 

But at the same time trying to keep as little of the customer data as possible so we're not looking at being responsible for this stuff. So we're looking at things like Self-Sovereign Identity solutions, where the customer owns their data. So what are you guys doing in this sort of respect? Is this something that you're thinking about when you're thinking about customer data? 

Well, could the customer authentication, having everything in one place be able to target the customer to obviously sell more products and services as well as giving that great experience? Ido, thanks for joining us, I know you've got to drop. Jose, what are your thoughts? 

Jose

Being in financial services, it's hard to minimize the amount of customer data we own. And that's something that we're actively working on, of course. Furthermore, it's complicated by stuff like CCPA and GDPR that say you have to use the data in a manner that's consistent with which it was collected. 

So I would say that definitely something to keep in mind, you know, would it be possible? Would I actually trust my customers with that sensitive data? As weird as that sounds because so many people are not technical. This was mentioned earlier there's the expectation that a service that you provide also includes safeguarding of their own data, protecting them from themselves many times. 

Don't click that link, like we tell a lot of our users in security. Don't click that link, don't open that email, don't open that document. So speaking...and other people, your mileage may vary on my comments, I'll qualify that way. It's not really that possible for us to minimize the amount of customer data that we own in financial services other than don't over-collect, you know, obviously, don't over-collect. Oh, trust me, as security I am the Boogeyman when it comes to don't over-collect. I'll come after you if you're ever over-collecting because again, that's risk, that's that liability you're bringing in. And if someone in marketing says hey, great, I'm going to take that data. And then you know, here comes California saying, "Hey, take the data. Go ahead do it, we dare you." 

So, you know, it's something that I would say that I struggle with personally, trying to figure out. And really, how would I say? Really cascade the knowledge to other people that perhaps aren't having the same considerations or the same exposure. But I'm interested to see what Bill has to say because of his FinTech experience. 

Richard

Bill, why not? 

Bill

Yeah. I've got a lot to say inside of this space. Number one, my best relationships inside are with the legal team making sure that we understand exactly what's going on. I mentioned in my very opening that we are very focused on European data privacy, China data privacy, and of course, everything here in the United States. Through that lens, understanding what data you're holding. 

So we've gone through an entire Data Privacy Impact Assessment, thank you GDPR. I do think this is the greatest export from Europe outside of the wine was GDPR. So GDPR has matured us with our DPIA, Data Protection Impact Assessment, figuring out what data is where, how we tag it. And then Schrems II came along, they've now helped us with understanding what is a transfer, how do the transfer agreements work inside of our organization. 

So tagging data, understanding what data goes where, making sure that...going back to your previous point, you're taking the most limited amount of data as humanly possible that's what we're able to validate through that process. Then it comes to the legalese, making sure that our standard contractual clauses are set up appropriately, making sure that our DPAs are all set up, our data privacy agreements with our customers. 

Because we do have an obligation to make sure that we are holding the least amount of data as possible and we know exactly where that is, and who has access to it. So that's the final piece, which is around our sub-processors. Making sure that we list all of our sub-processors and we produce evidence or artifact, if you will, to all of our customers updated quarterly. And we also give them the right to object to our use of a data processor if it's going to be inside of their space. 

So our relationships internally are crucial. Making sure we understand the international landscape that relates to their data is critical. And then also then educating the rest of our organization. My marketing and sales team would love to be able to take more data, they love to be able to bring Salesforce data and some of our application data and bring it together. My data analytics team wants to be able to take all this data. 

So we talk about anonymization, we talk about pseudo-anonymization, we talk about what type of data can be focused in different areas, whether it's CHD, cardholder data, or any other type of data, making sure that we tag it appropriately. And we make sure we segment out all those different areas that relate to some of the more privileged type of data inside of our organization. 

I said that all without taking a breath. Was that where you were hoping to go with that particular topic tagging data, understanding data, and where it's going? 

Richard

Perfect, perfect. I saw Matt wanted say something. We can go to Matt and then Justin if I may. 

Matt

Yeah, I think all of that. You mentioned the Self-Sovereign identities. I will not claim to be an expert in that so I won't speak on that part. But yeah, I think, you know, we're embarking on something very similar, as far as trying to make sure that we know completely what data we have and where it goes within our environment as a separate or kind of a follow on to what we're doing here. 

You know, like you said, thank you GDPR, we did a little bit of that, of what I would call what we declared we have across our environment. But our environment is so extremely complex that I, especially as a security professional, don't trust that. So we're going to do more of a full-blown discovery effort to go identify where everything is and classify and tag. 

So that's another big kind of call out. But no, I don't think there's anything else. I was trying to think of what else as far as where the conversation was going on that one. But I only just agree and kind of agree with what you were saying there. 

Richard

Yeah. Great. Thanks, Matt. Justin, you wanted to comment. 

Justin

Yeah, yeah, totally. Well, firstly, I want to say that as a consumer, I love GDPR and I wish we did do more of it over here in the U.S. But that's a different conversation. But one of the things I wanted to note is that...actually, I had a story about this. We have one of our customers a company we work with Snowflake. And one of their issues was...as you can imagine, Snowflake also has a lot of customer data on hand. 

And one of their issues was making sure that they can control internally who has access to that data. And so, for example, I mean, if we were Snowflake, we're not. But if we were Snowflake, me as, like, the random marketing goon, I have no need to access any of this data. And so having our MFA solution, for example, can help determine who should and should not have access to any individual given system or any given SaaS app. 

So who deserves to have access to Salesforce, who deserves to have access to your Datadog, or your Snowflake, or your customer data, so on so forth. So that's another way of controlling who does and does not get access to data. But similarly...so I was at a doctor's appointment a few weeks ago. I mean, this made me think of HIPAA. 

So I mean, HIPAA requirements are similar type of thing where you have to watch out over who has access to data. And I noticed that if you're in a doctor's office, a lot of the computers in there, for example, have a login for whoever's on shift at that moment, or whoever's on staff at that moment. But once you log in, then it tends to stay open, many people don't log back out. 

And so, while I was at the doctor's office I'm sitting there in the examination room, the doctor had left to do something, or whoever it was, the nurse technician, had left. And I like walked over to the computer and I was able to look into the computer and I was trying to dig through my own files. But I could have been a jerk to try to look over somebody else's files and copy things and do all sorts of stuff. 

And so, that's another issue and that's hitting back on the point that I wanted to make earlier about MFA, which is you need to have something that's always available that's dealing with continuous authentication. So, if anything, I just wanted to hit back on the note that looking over, controlling who has access to what at all times is something that you can't or at least shouldn't turn off. 

Richard

Justin, I had a similar situation with my doctor. I went in and I saw the billing information. I then set it all to zero. And I just said, "He's excused from having any invoices." So it was cool. I want to go to Steve next if I may, and then Jacob. 

Steve

Yeah, some great thoughts. You know, Jose, before he left, I was going to tell him...I know he had to deal with an escalation issue. But yeah, a lot of what he said really resonated with me. So he's speaking from a FinTech perspective, but I'm in the same boat in the healthcare industry like, unfortunately. 

So you raised a very well-pointed and provocative question, Richard, in regards to ownership of the data and sovereignty. As it stands today, while that's kind of great to think about from a philosophical perspective, and even, like, sort of some proactive planning. Today, as it stands, you know, the truth is we are just responsible for the data, we're the safeguards or the custodians of our customers' data. 

And so it really is up to us to ensure that data is safeguarded. But also, the other thing that I haven't heard mentioned that I just want to bring up is it behooves us to have a really solid retention policy, right? And to partner...something Bill said that also was great was partnering with legal. That's been my strategy, Bill, is just, you know, making sure legal literally...our general counsel told me that, like, I'm her favorite...or that we're her favorite department. 

Because we bend over backwards to work with them, to over-communicate, to really involve them in the process and talk to them about retention, and talk to them about liability, and get their buy-in and their input. And I think if you do that early and often, it pays dividends. So just, you know, wanted to just throw out there the importance of having a good and solid retention policy. 

Richard

Yeah. Jacob. 

Jacob

Yeah, I'll second the retention policy there. That is one thing about three years ago that we really changed. Prior to that, we used to just keep data. Worst move ever is to just keep data sitting around. And the one thing that we really changed and we partnered with legal and like what you said, Steve, and Bill, really legal teams, they love us now because we talk to them so much. 

But we evolved that when customers leave, their data is gone within up to one year. But typically that data is gone like, a week after they're gone. We put it in right away, we don't sit on it, we don't want to wait. But anonymizing that data too is also...we look at ways to kind of anonymize certain data or certain pieces of what we want to capture to use for different analytical purposes. 

Like what type of devices are we seeing, you know, commonly entering networks. Okay, it might be an iPhone, it might be, you know, Windows laptops, whatever. But we segment that out very separately and keep it very disjointed. And we also focus very, very heavily on privacy and CPNI-type training to make sure that the team not only annually but is always kept up to date on what are our privacy policies, what's the CPNI guidelines. 

What are, you know, specific things for PCI compliance, etc. And, like, we focus very heavily on that training and reiterating it out to the team. And if for some reason they need to get retrained sooner rather than later, it gets pushed out more commonly than once a year. But that's definitely a huge thing is that training and making sure the employees understand it. 

Richard

Thanks, Jacob. Bill, Matt, do you have any sort of anything to add to that? So I just noticed the time, we're nearly a quarter past the hour. And I just thought, you know, maybe in the final few minutes, we just go around and if I can really get any sort of key takeaways, or final words of advice to the rest of the table. 

Then we'll go back to Justin for his final thoughts, and then we'll go to our illustration. So Matt, can I start with you, what are your sort of key takeaways, any final thoughts for the group? 

Matt

I guess one takeaway is, you know, there is no one way to solve this. I think we all recognize that and that we all kind of have the challenge ahead of us, or behind us, hopefully behind us, for those that have already solved for this a lot. But I think, you know, for me, it's again, I mentioned trying to get business buy-in business backing, you know, just trying to make sure that again, from a risk perspective that, you know, we're solving the challenges that need to be solved, and going and spending...you know, being basically good stewards with the finances side. 

But yeah, I'll be definitely looking up some of the partner integration side of things, and the standard side, that's a big piece for us right now is, you know, we like to not hand out our authentication, you know, as much as we can prevent that. But a lot of times, especially in the business we're in, we have to. 

And trying to do that in a standardized, methodical way, as opposed to I will say, transparently how we've done it in the past, which is about 15 different ways of integrating authentication with partners, with third parties in either direction. Whether it's I think what...I can't remember who mentioned before around, you know, logging into an insurance provider, that kind of thing, or the other direction of doling out your token as somebody else. 

Trying to do that and, again, in a methodical, secure way is difficult on a good day, but especially once you start layering in other aspects whether it's MFA or RBA. So, yeah, definitely appreciate it. 

Richard

Thanks, Matt. I'm going to get to Bill next, if I may. Bill, what are your key takeaways, final thoughts, or any other bits of advice to the group? 

Bill

Excellent. I'll find you on LinkedIn. With that said, I'm very curious to find out, is anyone looking at doing any type of FIDO authentication with utilizing passkeys? Are we seeing it out there at all? Are people, like, ready to move into that space? I'm just curious. 

Maybe. 

Justin

I mean, we definitely work with FIDO except we don't need passkeys. 

Bill

Okay. Yeah, I'm... We're looking at moving forward, we always want to be innovative, we always want to make sure that we can meet our customers at their point of need. We want to make sure that we can reduce burden, reduce friction, and introduce any type of innovative thought. 

Again, in our space when it comes to invoice management, expense management, or card issuance, inside of this area fraud is one of the biggest areas. And the teams that I'm responsible for, one of which is the fraud ops team, we're always looking at ways that we can be more innovative, know our customers. And I can tell you if any of our customers want to participate in a more graduated level of authentication, they immediately go up in the KYC high score list, if you will. 

So as I start looking at fraud, as I start looking at trusted relationships, this is an area that I think we all have to be practitioners of. I think these innovative CISOs need to be the tip of the spear as it relates to this relationship between our products, our customers in that technology space. 

So with that, before I give up the microphone, a shout out to Chris. I have actually pinned you on our little list here today because I have truly appreciated all of the skills that you have in there. So thank you so much for sharing your talents with us today. That's it for me. 

Richard

Thanks, Bill. Steve, what are your key takeaways or any final thoughts to the group? 

Steve

Yeah. Well, just before I forget, I wanted to mention Bill. You know, my opinion on FIDO, I love it. I think it's fantastic. We use YubiKeys internally for my team. For anyone with privileged access, we use YubiKeys, that's our standard. I don't believe that the industry is going to move to it in terms of mass adoption. 

That's my opinion. I think that like, somebody brought up I can't remember who, you know, the general masses are going to stick with the, you know...oh, I think it's Ido. Logging in, I do the same thing as him. Like I log into Azure...well, I actually choose to log in to Azure with my YubiKey because you can set it up to do that. 

But I think for most people having your smartphone with your Microsoft authenticator app, for example, be your passwordless login, fits the bill. I think it really checks the box. And so, that's my opinion, as far as the masses, and that FIDO is a great sort of a niche case for things like privileged access. Key takeaways for me, you know, I really loved what Justin shared as far as, you know, thinking of...I'm going to steal that line, Justin, as far as authentication, being like an airport security. 

That's fantastic, great analogy. And I completely agree. I think that, you know, we are kind of TSA. I never thought I'd want to compare myself to the TSA. But we're kind of TSA in that regard. And that's why...you know, like we, for example, years ago, now, I made MFA for Office 365 mandatory, like, there's no exceptions. 

Like, we have security defaults in place and MFA is enforced for 100% of our users. And, you know, I got buy-in again, went to the legal and the business leaders, and everybody was on board and we pushed that out, and I believe saved us countless headaches. So, you know, just really thinking ahead and trying to stay abreast of the emerging threats and how we can best mitigate those. 

But I want to thank everybody before I give up the mic, as far as your input today has been very insightful, great group of smart leaders. I appreciate it. 

Richard

Thanks, Steve. Thank you. Jacob, over to you. What are your final thoughts or key takeaways? 

Jacob

I think hearing everybody's different input and the way different things are being accomplished is quite interesting and really valid. There's always 35 different ways to slice a pie. And I think everybody's input is very valuable in that regard of how everybody is kind of accomplishing it. But it's also critical to remember I think with all the privacy regulations that continue to come out, it's really challenged us to be better in guarding our data, and really looking at what are we capturing. 

And I think that's something that we need to keep top of mind is we're the data stewards for customer data, and we need to really focus on making sure we protect it and get rid of it when we don't need it so. 

Richard

Brilliant. Thanks, Jacob. I'm going to go to Justin. Justin, what are your final thoughts? You've heard what the group has to say, their key takeaways, any final thoughts, words of wisdom? 

Justin

Yeah, well, firstly, I didn't get a chance to say it before. But somebody mentioned about the value to your brand of preventing data breaches, preventing fraud. And that's an important point that I was really excited about but I didn't have a chance to mention anything because I didn't want to interrupt the flow of knowledge. 

So kudos to that. But yeah, at the end of the day, I noticed I believe Steve, who was wearing the...you're using a YubiKey that's a wonderful thing. I believe somebody else mentioned Duo. So yeah, these are great ways of taking authentication seriously. I mean, obviously, because I'm the marketing guy at Beyond Identity I'd like to mention that we can do that without using the second device. 

I mean I should have on three times now. Every time I get in a call where somebody has left their second device upstairs or whatnot, actually me and my sales guys get a drink. But it's important to recognize the value of authentication. And if you can do that on a single device platform, such as Beyond Identity, then even better. I mean, you all recognize the value and I think we've been discussing between risk-based authentication versus continuous authentication. 

I think we're getting that point across that if you can leverage continuous authentication without causing a user experience nightmare, then that's what would be optimal to again, protect both yourselves and your customers, your clients. 


And I don't think that it's ever going to go away, I think we are always going to have to live with this burden, you know, it's like an albatross around our necks. 

Richard

It sounds like that, somewhere in the future, please. 

Ido

Well, in the future, you know, when I'm going to say beam me up, Scotty, there's no intelligent life here, then, yeah, I mean, it'll be all gone, you know, there'll be voice authentication, who knows what else. But for right now, this is where we are and this is the struggle that we have. I can deal with it from my employees' perspective, but from the fact that I have to provide a service, and I have to provide this access to our system, to our EDC, to our electronic data center, health center system to people that I have no clue who they are, and that they have to have the simplest access that we can possibly give. 

I have to live with this as like this constant oh, my god, do they have a real password? We tried to put in...you know, we tried to follow the NIST digital identity rules, but even then, it's still too difficult to...and we have to revert and allow for passwords that are much simpler. 

The best solution...one point that I kind of relented on was where they said, "Well, can we send them a survey where it's an SMS text message, they can go to the survey and they can input their information," and I'm like, "You know, is it authenticating, is it encrypted, you know, what's going on? You know, tell me?" And the developer is like, "Well, we're trying to get this as easy as possible for them." And I'm saying, "But easiest possible for them makes it as hard as possible for me." 

Sorry. I'll get off my soapbox. 

Richard

That's fine. That's fine. I want to go briefly to Justin just so you can have a chance to address some of the good points. I'm going to go over to Bill straight after. 

Justin

Okay, excellent. Thank you. So honestly, I'm loving what I'm hearing so far. And Ido, you have made my favorite comment so far today. SMS codes are not MFA. And I really want to impress upon that because there are so many people who still don't get that. I mean, obviously, the people in this room get it because you are all CISOs and equivalent, whatnot. 

But that's something that the general public hasn't really grasped yet. That stuff really can be phished, and so SMS codes can be broken. I actually did a webinar...because I'm the marketing goon. I actually did a webinar a couple months ago, where our CTO actually got on live, and hacked through an MFA and just showed people how it's done, and just how simple it is. 

So that's really impressive. But another aspect of what you're dealing with is that...so you sort of have a captive audience here. I mean, a lot of what I've been dealing with and a lot of our customers are more e-commerce-focused. And so, I can sit there and rattle off things about how say 76% of customers will abandon the cart just because they don't want to go through the difficulty of having to set up an account and do passwords and whatnot. 

But you're dealing with a captive audience who has to do something. But at the same time, I respect that you need to find an easier way to help get them authenticated. So I mean, for example, well, I mean, the solution that we present will have you use the biometric on your device in order to help login and as I've been saying before bind that person, the identity to that device. 

Richard

I was going to point out one thing that I wanted to mention. Obviously not in my current employer, but my previous employer, one of the things that we did was...to get around that, to kind of make it a little bit easier, was we used what was called risk-based authentication. It was a tool called ThreatMetrix. 

I mean, I think they got purchased by LexisNexis. But ThreatMetrix allowed you to evaluate a person's behavior, the connection's behavior, did it match previous connection behavior, did it seem to make sense, you know. You know, was it way, like...you know, earlier today, he logged in from Los Angeles, and then suddenly, he's logging in from Moscow, okay, three hours later. 

Not really possible unless, you know, obviously, using Tor. But nevertheless, and it would then say, okay, you know what, something is fishy about that. And then it would say, okay, now you have to do multi-factor authentication. Whereas had it just been one...let's say earlier in the day, Los Angeles, in the middle of the day Los Angeles from a nearby location, it would say, okay, you know, he just moved a couple of blocks over and, you know, was logging in from his cell phone, who knows. 

And they track what is the agent on the other side as well to say, is it the same agent? Is it a different agent? So we use that as a way to simplify so that we can say yes, you can do password as long as you don't do something that is funky. 

The minute you do something out of your behavior model, then you pop up the multi-factor and you say, you got to really prove who you are. I can see Bill's got his...Bill, you've been really patient. So over to you Billy. 

Bill

Thank you. I've got five kids so that teaches me how to be patient. You know, you mentioned that comment on the NIST 863. So when we take a look at identity and access management, we actually started there at the enterprise level. So we want to make sure that we can go through that exercise at the enterprise level. I mentioned all the different audits that we go through making sure that we could arm wrestle all of the auditors to make sure that they were able to accept the fact that we have longer passwords that expire less frequently, was one of the areas that we were focused on at the enterprise. 

So now that we've been able to get through the enterprise aspect of identity and access management, now we're taking a look at that customer face. You mentioned another key piece earlier as well, which was we're always going to be brought down by the lowest common denominator. We see it all the time with some of the legacy systems. We're seeing it right now with head-on battles with TLS 1.2 versus 1.3, and some of the connections that we have through, we've been told that we have to maintain it. 

We said, "Well, that's going to be a challenge for us." We have companies as some of the largest companies you could imagine down to some really small law firms that don't have anybody able to go in and actually update or patch vulnerability issues inside of their own environments. So with that said, it really does speak directly to, let's rethink how we handle identity access management. My whole focus is I've been...eliminated the password guy since I've been in senior security roles and really, that's an area that I'm very focused on. 

I mentioned in my open, just trying to figure out how we can start getting to FIDO authentication, figuring out how we can get into some of these passwordless solutions. How can we get into the passwordless, how can we do a better job with the technology. Technology is doing great; people are going to be the ones that are always slowing us down inside of this area. 

So I think it's incumbent on us to make sure that we understand what standards are. We can agree to the standards, and then we just run with those standards. Otherwise, we're going to be mired in the least able to go forward. I think we have an obligation as security leaders to bring them up, opposed to having them bring us down. 

Richard

Okay. Jacob, is that how you guys see things? Jacob then Matt if I may. 

Jacob

Yeah, and I think the passwordless is huge. And really, Ido kind of going back to what you were talking about the biometrics even. One thing that we're starting to see even in the call center industry overall, is the evolution of voice biometrics. So when you make a phone call, and you're going through a phone system, and you're getting ready to authenticate because you need to make a change on your account, you need to update your services you want to cancel. 

It's doing a voice biometric authentication as part of that process. And so, now you're taking away where you maybe had like a CPNI requirement of cool, give me a passcode, tell me what it is to log in or even going to a website and getting that text message or the MFA pop up. You know, now we're starting to get into more of that biometric aspects. 

So we're starting to get away from the manual aspect. And that takes away the phishing aspect as well because you can't call in and start probing call center agents or agents that are going to be, you know, asking you the questions. You can't get around that biometric aspect when you start to do a voice match. I mean, it's just the technology is starting to evolve. 

And you're right Bill, the technology is there, it's the people implementing and the people using it that are really going to be the challenge to really adapt to it. 

Richard

You know, when we talk about biometrics, I'll tell you what sort of scares me. We only have one set of biometrics so if my biometric data is compromised, I can't exactly change my fingerprints, or my voice pattern, or my retina, you know. 

Jacob

When that comes about, you know, we've gotten way too far into the future. 

Richard

I have to say we're getting to deep fakes, you know, it's all very worrying this sort of thing. It's... 

Jacob

It is but I think one of the challenges even with like a voice biometric is trying to really get past the system. I mean, the technology is getting more and more advanced where it's able to really determine. And if it cannot effectively determine that you're right or that person calling in, you're essentially going back to another method, there's follow-up methods. 

So I mean, you can try to get around it, but I haven't seen anybody really do it too effectively at this point. 

Richard

So Matt, one of your say no to privacy team. So what are your views? What really frustrates your customers? 

Matt

I would say biometric has become a little bit challenging for privacy, right? So being a global company, we have not only one, you know, privacy or a bunch of state privacy expectations, but we also have privacy expectations from just about every country in the world at this point, right? So as soon as we start talking about things like passwordless, biometric, anything like that, even if you could convince somebody up one side and down the other, that you're not going to "store that data anywhere" like we totally promise, good luck convincing a privacy team with that. 

So that's one challenge we've kind of had going down that route. It doesn't mean we can't do risk-based authentication or something along the lines of multi-factor to get to something that resembles passwordless. But I think totally going away from giving folks the choice of having, you know, just a basic MFA you have something you know, I feel like we're probably not going to get away from that. 

But I would be curious to know, you know, when it comes to something more like risk-based and speaking of kind of weighing the risks. Has anybody had experience or kind of gone down the route where they...you know, I think we've all kind of talked around the concept of convincing the business, right, convincing the revenue-generating side of things that we need to do the best practice security. 

You know, to what extent if you've looked at how to balance that, right? You know, so showing what the risk is of not doing it, whether it's from fraud or account takeover, or anything on our side that we can see, balanced with, you know, what we think talked about right, which is that loss, you know, whether it's perceived or real, loss of revenue or abandon on the customer side. 

Just curious if anybody has kind of gone down that route to kind of explain why the juice is worth the squeeze on the security side. 

Richard

So maybe that's a question for the table. So why do we go round if you guys want to sort of offer some opinions? So we'll go back to Justin at the end of it and see what his experience is with his customers are. So, Bill, I can see that you wanted to say something. 

Bill

Yeah. Thanks. We have set up a...we have some progressive clients who very much enjoy having very specific conversations around everything from encryption to how we handle data governance. And we have four of these clients who we would consider more advanced. 

We want to work with them to develop some of the passkey type of solutions that are out there right now. So we feel like we have an opportunity to help and lead inside of this area. We're always looking for differentiation between us and our competitors. We actually see this could be one of those areas as we take the mantle of privacy, we take also that focus around identity, and we're able to work with them to create that solution. 

I've had courses, I guess you could call them 30-minute sessions with senior leaders in the organization everywhere from implementation to sales leaders to help educate them as to why it's a problem and what we want to do to address it. And we start to be able to show what this vision and strategy looks like opposed to being reactionary in that area. 

So I'll let you know how it goes in about three to six months. 

Richard

Thanks, Bill. Anybody else got any words of advice they can offer on this? Ido. 

Ido

We're talking about the risk-based authentication? 

Richard

Yeah, so to Matt's earlier question. 

Ido

Right, about whether it's...how do you sell it to the higher executives, the greater powers that be? So right now for where I am, it's a non-starter at the moment because of costs. I know that every...my experience with...well when we used ThreatMetrix in the previous employer, there was, you know, every single record, every single, you know, user ID was a specific cost, where we had to build that into our overall charge. 

So we had to somehow show that it's not going to be a sink for the business. I mean, I hate to say it, I mean, you know, you're dealing with people who they just look at it from a numbers perspective. But the flip side of it was, we had a really good argument because in those cases, just as Matt was talking about, it helped us, especially from a fraud perspective, tracking down fraud, tracking down account takeovers, preventing account takeovers. 

There was at the very end, before I left, we had a rather large customer who was kind of...you know, we were tracking fraud from one of their own employees who was, you know, basically almost...you know, we had this...the deal where she was logging in creating fake accounts, taking over accounts from people within her own company, because she worked within the HR and so she had access to this. 

But we figured out that she was doing this and we were able to say that she was basically...the employer was one of these wellness organizations. So what would happen was that you would earn points, you get an Amazon gift card. It was hilarious because, you know, we managed to figure out that she was doing, like, somewhere around $100,000 within about a two-month period of gift card fraud, okay? 

It was not trivial. Hilariously enough, the people who really cared the least about it, you know, I mean, the client itself was caring about it, and we were able to get it stopped. The people who cared about the least was Amazon because they were like, "That's just like $100,000" that's like, you know, noise for them, you know, that's just nothing. 

But the thing was the cost every single time, you know, there are costs associated with some of these risk-based systems that you got to build into it into your price structure that you charge your clients. But you also need to then turn around and show the executives that it's going to save you on the other side, oh, look, we're having fewer fraud, I'm having to spend less time, I don't need to hire...I have more fraud examiners. 

I don't have to hire, you know, more forensics or consultants in order to dig into this stuff. You know, it really benefits you but you got to sell it from that perspective, that it's the fraud that you're saving is going to outweigh the cost that you're going to spend on that risk-based authentication. 

That's where it's really going to come in because it's going to help you with saving on the cost of the investigation, cost of what you have to reimburse people for. And the potential liability of lawsuits from the end-users who...doesn't matter, you can have some of the best security you want. They'll still turn around and tell you, you should have protected my account even further. 

You should have had, I don't know, you know, retinal scans for all I know, you know, some other strange thing they come up with. People these days, they'll sue at a minute's notice. So yeah, I'll stop there. 

Richard

Go on Jose, I can see you're about to say something. 

Jose

Oh, yeah. I'm right there with you. You know, it's something that...also what needs to happen is that...and how I've proposed investment strategies, you know, to hire executives, if you will, is that essentially, it's evolving. This is always evolving, attacks are always evolving, fraud is always evolving. 

So it's no longer...you know, I used an illustration earlier, it's, you know, this type of stuff is not like maintaining a diesel engine that only needs to be rebuilt 300,000, 400,000 miles later, it's not like that at all. And that's the traditional operating model a lot of executives, they don't want to make the spend. 

Oftentimes, dollars are already allocated and it's hard to pry them away to higher priority items that perhaps aren't higher priority in their minds. What I would say definitely is reputational damage these days is something that's hard to quantify, but has a very large financial impact. 

Above and beyond like Ido was saying just the operational aspects or the end-user lawsuits, or anything like that it's that reputation. If you get the reputation for not being able to secure your clients, your competitor is going to eat that up all day. 

And how many of us have gotten those emails from unscrupulous vendors who utilize the latest news item to say why they're better. And, you know, none of us want our company to be, "Well, x is why we're better," you know, we don't want to be in that slot. So it's not necessarily fear-based more so than data-driven many times with those higher executives in that the so what to the business is oftentimes what we're called on to translate from the technical controls or technical failings, whatever, to the so what does it mean. 

And really focusing in on the aspect of you're investing now to be ready and not be caught flat-footed in the future that's coming very quickly. 

Richard

I'm going to get a view from Jacob. I can see Jacob. Jacob and Steve, then what we'll do, we'll go to Justin and get his industry view. 

Jacob

So I think a challenge a little bit on Jose's point of view of not always a scare tactic. I think one thing that we've seen actually work pretty well on our side at least with the executive buy-in is that scare tactic. And as a CX leader and professional and thought leader there, like, one thing that drives me nuts is, like, that challenge and that risk to a brand identity. 

Look at SolarWinds, look at Kayako, some of these companies that have had major breaches recently, they were headlined all over. And do you really want to be that company? Do you want to be that one that's out there going yep, we got breached and oh, we affected, you know, thousands of customers on top of it. Your brand impact is tarnished for years to come. 

And that's one thing that would absolutely drive me nuts. And that's one of my biggest arguments that I would bring to the table is, how bad is it going to hurt us the second that we have that breach? And one of our VPs as well who's in IT and cybersecurity, one of the scare tactics as well that he uses plainly talking with executive leadership is, what's the cost? 

Your cost is going to be far greater than the investment. You're going to spend tons of money in the investigation, in the follow-up, in repairing brand identity, in winning back the trust from your customers. All it takes is that one time to break that trust, and you're done. 

Customers are going to turn, they're going to go elsewhere, and they're going to move on, and they're going to find somebody who does it better. And that's really the biggest thing right there is your revenue is going to be shot. 

Richard

That's a good point. Steve. 

Steve

Yeah, you know, I echo a lot of what Jacob said. You know, when it comes to any of these solutions, like, so we talked about risk-based authentication, that's an example of one where you do the cost-benefit analysis, and then it's up to us to make the business case to our leaders. 

And definitely what you guys have been saying is spot on. Like, it's up to us to lay out not just what the investment and the solution is, but what the potential, you know, cost savings is if we were to have our names, God forbid, be the next SolarWinds in the news. I mean, I get questions...I've never seen this before in my career, but I literally get questions from our clients now like, "Do you guys even have SolarWinds in your environment?" 

Like, that kind of question. That's not the kind of question I want to be highlighted on, right? So, you know, the thing is, like, it's up to us, you know, to balance all these different solutions because if we had an infinite budget, sure, yeah, we could have Okta, we could have, you know, whatever, it doesn't matter. 

We could have all these different tools and just overspend on security. The real challenge and what makes us, what I think separates us from, you know, if we're effective or not, is being able to proactively look at what is the best bang for our buck. And so, I'll give you guys an...just in full transparency. You know, we looked at risk-based authentication versus, you know, our implementation of MFA, and we ended up basically choosing after our cost-benefit analysis to really go to the well of the company budget, and have an investment on an upgraded SIEM. 

So we went with a Gartner Magic Quadrant, you know, SIEM, we just felt like that was the best fit for our budgetary dollars. Because, again, at the end of the day, it's all about...none of us have infinite budgets. And so, it's all about really, you know, trying to figure out what's the best bang for our buck. 

Richard

Justin. 

Justin

Yeah, I had a couple thoughts here. All of these are some great points being brought up. Just personally, when I think about risk-based authentication, my mind automatically just jumps to the idea of bringing MFA only to certain people, which I mean, to me sounds nuts. I mean, I understand why people do it because, you know, it's a user experience thing. You don't want to make people suffer through MFA yet, at the same time, that MFA is there to make sure that everybody is safe. 

It is there to protect your customers and it's especially there to protect you. So the way I think of it is sort of like in an airport. I mean, if you go to the airport to catch a flight, like, everybody is going through that security. And if you go through the security and then go back because you forgot something or want to buy a bag of chips, and then...they're going to make you go through security again. And so they don't pick and choose. 

They don't look at oh, well, that person over there has a goatee or a handlebar mustache or something who looks like a cartoon villain, we're going to make him go through, but this sweet old lady, she doesn't have to go through the security, that's fine. No, everybody needs to be authenticated. So that's one thing. And if we're dealing with a type of MFA that is onerous or difficult, or obstructive, or full of friction against your users, then that's the part that needs to change. 

So I mean, not having people go through the MFA, you're wasting your MFA. And if say, for example, if you're making people do MFA, for example, on workforce, we see this all the time. If you're making people authenticate with MFA once per two weeks, then that means that you have MFA once every two weeks, the rest of the time people get off scot-free. 

Another thing I just want to mention very quickly before I get off my soapbox because I want to spare all of you from having to listen to me for three hours. But another thing I want to mention is that device posture is important. So I mean having a solution...there are solutions out there that can look at device postures that will say, okay, well, as part of the MFA experience, that is something that the customer doesn't see but behind the scenes. 

Part of that experience can be, okay, well, we're going to look at your device and see how safe your device is, is that firewall turned on? Do you have antivirus installed, so on so forth? So you have things like that that can be part of your MFA process. Is this phone jailbroken, so on so forth? Just like I believe it was Bill who was talking about, oh, well, this phone is logged in LA, but three hours later is in Moscow, that's a red flag. 

So you can have things like that too a solution that'll look and make sure that this device is relatively safe and has all the requirements that you need, in order to approve authentication, even if that person is known to be the proper user of that device. So there are lots of things you could add onto there, in addition to a frictionless MFA experience. 

Richard

Thanks, Justin. I'm just looking at the time, we're sort of top of the hour. I think this sort of segues nicely into a whole building that long-term relationship, customer retention side of things. You know, in my recent customer identity program, we've got a big challenge. 

I'm going to just kind of lay something out there just to get people's thoughts. We've got many operational companies, all of which have this great customer data where they can use for marketing purposes. They're all running their own customer identity systems, we're trying to convince them all to have a single golden record for the customer. 

But at the same time trying to keep as little of the customer data as possible so we're not looking at being responsible for this stuff. So we're looking at things like Self-Sovereign Identity solutions, where the customer owns their data. So what are you guys doing in this sort of respect? Is this something that you're thinking about when you're thinking about customer data? 

Well, could the customer authentication, having everything in one place be able to target the customer to obviously sell more products and services as well as giving that great experience? Ido, thanks for joining us, I know you've got to drop. Jose, what are your thoughts? 

Jose

Being in financial services, it's hard to minimize the amount of customer data we own. And that's something that we're actively working on, of course. Furthermore, it's complicated by stuff like CCPA and GDPR that says you have to use the data in a manner that's consistent with which was collected. 

So I would say that definitely something to keep in mind, you know, would it be possible? Would I actually trust my customers with that sensitive data? As weird as that sounds because so many people are not technical. This was mentioned earlier there's the expectation that a service that you provide also includes safeguarding of their own data, protecting them from themselves many times. 

Don't click that link, like we tell a lot of our users in security. Don't click that link, don't open that email, don't open that document. So speaking...and other people your mileage may vary my comments, I'll qualify that way. It's not really that possible for us to minimize the amount of customer data that we own in financial services other than don't over-collect, you know, obviously, don't over-collect. Oh, trust me as security I am Boogeyman when it comes to don't over-collect. I'll come after you if you're ever collecting because again, that's risk, that's that liability you're bringing those in. And if someone in marketing says hey, great, I'm going to take that data. And then you know, here comes California saying, "Hey, take the data. Go ahead do it, we dare you." 

So, you know, it's something that I would say that I struggle with personally try to figure out. And really, how would I say? Really cascade the knowledge to other people that perhaps aren't having the same considerations or the same exposure. But I'm interested to see what Bill has to say because his FinTech experience. 

Richard

Bill, why not? 

Bill

Yeah. I've got a lot to say inside of this space. Number one, my best relationships inside are with the legal team making sure that we understand exactly what's going on. I mentioned in my very opening that we are very focused on European data privacy, China data privacy, and of course, everything here in the United States. Through that lens, understanding what data you're holding. 

So we've gone through an entire Data Privacy Impact Assessment, thank you GDPR. I do think this is the greatest export from Europe outside of the wine was GDPR. So GDPR has matured us with our DPIA, Data Protection Impact Assessment, figuring out what data is where, how we tag it. And then Schrems II came along, they've now helped us with understanding what is a transfer, how do the transfer agreements work inside of our organization. 

So tagging data, understanding what data goes where, making sure that...going back to your previous point, you're taking the most limited amount of data as humanly possible that's what we're able to validate through that process. Then it comes to the legalese, making sure that our standard contractual clauses are set up appropriately, making sure that our DPAs are all set up, our data privacy agreements with our customers. 

Because we do have an obligation to make sure that we are holding the least amount of data as possible and we know exactly where that is, and who has access to it. So that's the final piece, which is around our sub-processors. Making sure that we list all of our sub-processors and we produce evidence or artifact, if you will, to all of our customers updated quarterly. And we also give them the right to object to our use of a data processor if it's going to be inside of their space. 

So our relationships internally are crucial. Making sure we understand the international landscape that relates to their data is critical. And then also then educating the rest of our organization. My marketing and sales team would love to be able to take more data, they love to be able to bring Salesforce data and some of our application data and bring it together. My data analytics team wants to be able to take all this data. 

So we talk about anonymization, we talk about pseudonymization, we talk about what type of data can be focused in different areas, whether it's CHD, cardholder data, or any other type of data, making sure that we tag it appropriately. And we make sure we segment out all those different areas that relate to some of the more privileged type of data inside of our organization. 

I said that all without taking a breath. Was that where you were hoping to go with that particular topic: tagging data, understanding data, and where it's going? 

Richard

Perfect, perfect. I saw Matt wanted to say something. We can go to Matt and then Justin, if I may. 

Matt

Yeah, I think all of that. You mentioned the self-sovereign identities. I will not claim to be an expert in that so I won't speak on that part. But yeah, I think, you know, we're embarking on something very similar, as far as trying to make sure that we know completely what data we have and where it goes within our environment, as a separate or kind of a follow-on to what we're doing here. 

You know, like you said, thank you GDPR, we did a little bit of that, of what I would call what we declared we have across our environment. But our environment is so extremely complex that I, especially as a security professional, don't trust that. So we're going to do more of a full-blown discovery effort to go identify where everything is and classify and tag. 

So that's another big kind of call out. But no, I don't think there's anything else. I was trying to think of what else as far as where the conversation was going on that one. But I only just agree and kind of agree with what you were saying there. 

Richard

Yeah. Great. Thanks, Matt. Justin, you wanted to comment. 

Justin

Yeah, yeah, totally. Well, firstly, I want to say that as a consumer, I love GDPR and I wish we did do more of it over here in the U.S. But that's a different conversation. But one of the things I wanted to note is that...actually, I had a story about this. We have one of our customers, a company we work with, Snowflake. And one of their issues was...as you can imagine, Snowflake also has a lot of customer data on hand. 

And one of their issues was making sure that they can control internally who has access to that data. And so, for example, I mean, if we were Snowflake, we're not. But if we were Snowflake, me as, like, the random marketing goon, I have no need to access any of this data. And so having our MFA solution, for example, can help determine who should and shouldn't have access to any individual given system or any given SaaS app. 

So who deserves to have access to Salesforce, who deserves to have access to your Datadog, or your Snowflake, or your customer data, so on and so forth. So that's another way of controlling who does and does not get access to data. But similarly...so I was at a doctor's appointment a few weeks ago. I mean, this made me think of HIPAA. 

So I mean, HIPAA requirements are a similar type of thing where you have to watch out over who has access to data. And I noticed that if you're in a doctor's office, a lot of the computers in there, for example, have a login for whoever's on shift at that moment, or whoever's on staff at that moment. But once you log in, then it tends to stay open, many people don't log back out. 

And so, while I was at the doctor's office I'm sitting there in the examination room, the doctor had left to do something or whoever it was, the nurse technician, had left. And I, like, walked over to the computer and I was able to look into the computer and I was trying to dig through my own files. But I could have been a jerk and tried to look over somebody else's files and copy things and do all sorts of stuff. 

And so, that's another issue and that's hitting back on the point that I wanted to make earlier about MFA, which is you need to have something that's always available that's dealing with continuous authentication. So, if anything, I just wanted to hit back on the note that looking over, controlling who has access to what at all times is something that you can't or at least shouldn't turn off. 

Richard

Justin, I had a similar situation with my doctor. I went in and I saw the billing information. I then set it all to zero. And I just said, "He's excused from any invoices." So it was cool. I want to go to Steve next, if I may, and then Jacob. 

Steve

Yeah, some great thoughts. You know, Jose, before he left, I was going to tell him...I know he had to deal with an escalation issue. But yeah, a lot of what he said really resonated with me. So he's speaking from a FinTech perspective, but I'm in the same boat in the healthcare industry like, unfortunately. 

So you raised a very well-pointed and provocative question, Richard, in regards to ownership of the data and sovereignty. As it stands today, while that's kind of great to think about from a philosophical perspective, and even, like, sort of some proactive planning. Today, as it stands, you know, the truth is we are just responsible for the data, we're the safeguards or the custodians of our customers' data. 

And so it really is up to us to ensure that data is safeguarded. But also, the other thing that I haven't heard mentioned that I just want to bring up is it behooves us to have a really solid retention policy, right? And to partner...something Bill said that also was great was partnering with legal, that's been my strategy, Bill, is just, you know, making sure legal literally...our general counsel told me that, like, I'm her favorite...or that we're her favorite department. 

Because we bend over backwards to work with them, to over-communicate, to really involve them in the process and talk to them about retention, and talk to them about liability, and get their buy-in and their input. And I think if you do that early and often, it pays dividends. So just, you know, wanted to just throw out there the importance of having a good and solid retention policy. 

Richard

Yeah. Jacob. 

Jacob

Yeah, I'll second the retention policy there. That is one thing about three years ago that we really changed. Prior to that, we used to just keep data. Worst move ever is to just keep data sitting around. And the one thing that we really changed, and we partnered with legal, and like what you said, Steve and Bill, really, legal teams love us now because we talk to them so much. 

But we evolved that, when customers leave, their data is gone within up to one year. But typically that data is gone, like, a week after they're gone. We put it in right away, we don't sit on it, we don't want to wait. But anonymizing that data too is also...we look at ways to kind of anonymize certain data or certain pieces of what we want to capture to use for different analytical purposes. 

Like what type of devices are we seeing, you know, commonly entering networks. Okay, it might be an iPhone, it might be, you know, Windows laptops, whatever. But we segment that out very separately and keep it very disjointed. And we also focus very, very heavily on privacy and CPNI-type training to make sure that the team not only annually but is always kept up to date on what are our privacy policies, what's the CPNI guidelines. 

What are, you know, specific things for PCI compliance, etc. And, like, we focus very heavily on that training and reiterating it out to the team. And if for some reason they need to get retrained sooner rather than later, it gets pushed out more commonly than once a year. But that's definitely a huge thing is that training and making sure the employees understand it. 

Richard

Thanks, Jacob. Bill, Matt, do you have anything to add to that? So I just noticed the time, we're nearly a quarter past the hour. And I just thought, you know, maybe in the final few minutes, we just go around and if I can really get any sort of key takeaways, or final words of advice to the rest of the table. 

Then we'll go back to Justin for his final thoughts, and then we'll go to our illustration. So Matt, can I start with you, what are your sort of key takeaways, any final thoughts for the group? 

Matt

I guess one takeaway is, you know, there is no one way to solve this. I think we all recognize that and that we all kind of have the challenge ahead of us, or behind us, hopefully behind us, for those that have already solved for this a lot. But I think, you know, for me, it's again, I mentioned trying to get business buy-in business backing, you know, just trying to make sure that again, from a risk perspective that, you know, we're solving the challenges that need to be solved, and going and spending...you know, being basically good stewards with the finances side. 

But yeah, I'll be definitely looking up some of the partner integration side of things, and the standard side, that's a big piece for us right now is, you know, we like to not hand out our authentication, you know, as much as we can prevent that. But a lot of times, especially in the business we're in, we have to. 

And trying to do that in a standardized, methodical way, as opposed to I will say, transparently how we've done it in the past, which is about 15 different ways of integrating authentication with partners, with third parties in either direction. Whether it's I think what...I can't remember who mentioned before around, you know, logging into an insurance provider, that kind of thing, or the other direction of doling out your token as somebody else. 

Trying to do that and, again, in a methodical, secure way is difficult on a good day, but especially once you start layering in other aspects, whether it's MFA or RBA. So, yeah, definitely appreciate it. 

Richard

Thanks, Matt. I'm going to get to Bill next, if I may. Bill, what are your key takeaways, final thoughts, or any other bits of advice to the group? 

Bill

Excellent. I'll find you on LinkedIn. With that said, I'm very curious to find out, is anyone looking at doing any type of FIDO authentication utilizing passkeys? Are we seeing it out there at all? Are people, like, ready to move into that space? I'm just curious. 

Maybe. 

Justin

I mean, we definitely work with FIDO except we don't need passkeys. 

Bill

Okay. Yeah, I'm... We're looking at moving forward, we always want to be innovative, we always want to make sure that we can meet our customers at their point of need. We want to make sure that we can reduce burden, reduce friction, and introduce any type of innovative thought. 

Again, in our space when it comes to invoice management, expense management, or card issuance, inside of this area fraud is one of the biggest areas. And the teams that I'm responsible for, one of which is the fraud ops team, we're always looking at ways that we can be more innovative, know our customers. And I can tell you if any of our customers want to participate in a more graduated level of authentication, they immediately go up in the KYC high score list, if you will. 

So as I start looking at fraud, as I start looking at trusted relationships, this is an area that I think we all have to be practitioners of. I think these innovative CISOs need to be the tip of the spear as it relates to this relationship between our products, our customers in that technology space. 

So with that, before I give up the microphone, a shout out to Chris. I have actually pinned you on our little list here today because I have truly appreciated all of the skills that you have in there. So thank you so much for sharing your talents with us today. That's it for me. 

Richard

Thanks, Bill. Steve, what are your key takeaways or any final thoughts to the group? 

Steve

Yeah. Well, just before I forget, I wanted to mention, Bill. You know, my opinion on FIDO, I love it. I think it's fantastic. We use YubiKeys internally for my team. For anyone with privileged access, we use YubiKeys; that's our standard. I don't believe that the industry is going to move to it in terms of mass adoption. 

That's my opinion. I think that like, somebody brought up I can't remember who, you know, the general masses are going to stick with the, you know...oh, I think it's Ido. Logging in, I do the same thing as him. Like I log into Azure...well, I actually choose to log in to Azure with my YubiKey because you can set it up to do that. 

But I think for most people having your smartphone with your Microsoft Authenticator app, for example, be your passwordless login, fits the bill. I think it really checks the box. And so, that's my opinion, as far as the masses, and that FIDO is a great sort of a niche case for things like privileged access. Key takeaways for me, you know, I really loved what Justin shared as far as, you know, thinking of...I'm going to steal that line, Justin, as far as authentication being like airport security. 

That's fantastic, great analogy. And I completely agree. I think that, you know, we are kind of TSA. I never thought I'd want to compare myself to the TSA. But we're kind of TSA in that regard. And that's why...you know, like we, for example, years ago, now, I made MFA for Office 365 mandatory, like, there's no exceptions. 

Like, we have security defaults in place and MFA is enforced for 100% of our users. And, you know, I got buy-in again, went to the legal and the business leaders, and everybody was on board and we pushed that out, and I believe saved us countless headaches. So, you know, just really thinking ahead and trying to stay abreast of the emerging threats and how we can best mitigate those. 

But I want to thank everybody before I give up the mic, as far as your input today has been very insightful, great group of smart leaders. I appreciate it. 

Richard

Thanks, Steve. Thank you. Jacob, over to you. What are your final thoughts or key takeaways? 

Jacob

I think hearing everybody's different input and the way different things are being accomplished is quite interesting and really valid. There's always 35 different ways to slice a pie. And I think everybody's input is very valuable in that regard of how everybody is kind of accomplishing it. But it's also critical to remember I think with all the privacy regulations that continue to come out, it's really challenged us to be better in guarding our data, and really looking at what are we capturing. 

And I think that's something that we need to keep top of mind is we're the data stewards for customer data, and we need to really focus on making sure we protect it and get rid of it when we don't need it so. 

Richard

Brilliant. Thanks, Jacob. I'm going to go to Justin. Justin, what are your final thoughts? You've heard what the group has to say, their key takeaways, any final thoughts, words of wisdom? 

Justin

Yeah, well, firstly, I didn't get a chance to say it before. But somebody mentioned about the value to your brand of preventing data breaches, preventing fraud. And that's an important point that I was really excited about but I didn't have a chance to mention anything because I didn't want to interrupt the flow of knowledge. 

So kudos to that. But yeah, at the end of the day, I noticed, I believe Steve, who was wearing the...you're using a YubiKey, that's a wonderful thing. I believe somebody else mentioned Duo. So yeah, these are great ways of taking authentication seriously. I mean, obviously, because I'm the marketing guy at Beyond Identity I'd like to mention that we can do that without using the second device. 

I mean I should have on three times now. Every time I get in a call where somebody has left their second device upstairs or whatnot, actually me and my sales guys get a drink. But it's important to recognize the value of authentication. And if you can do that on a single device platform, such as Beyond Identity, then even better. I mean, you all recognize the value and I think we've been discussing between risk-based authentication versus continuous authentication. 

I think we're getting that point across that if you can leverage continuous authentication without causing a user experience nightmare, then that's what would be optimal to again, protect both yourselves and your customers, your clients. 

Rela8 Roundtable: What Brands Get Wrong About Customer Authentication

Phishing resistance in security solutions has become a necessity. Learn the differences between the solutions and what you need to be phishing resistant.

Transcription

Francesca

So I'm delighted to introduce your moderator for today's session, Richard Malach. Richard will be here to make sure the conversation stays on track, make sure that you all get the chance to speak. And of course, we could not have these sessions without our sponsors. So I'm delighted to introduce Justin Mingo from Beyond Identity. We've also got Chris Shipton here from Live Illustration. So he'll be picking out the key points of your discussion and live illustrating them on the screen. 

I'll spotlight that too at the end of the session and I'll also share it to you via email. I'll be here for the next 90 minutes with my camera off, but if you need anything at all, please don't hesitate just drop me a message in the chatbox. So without further ado, Richard, I'll hand over to you and I hope you enjoy the session. 

Richard

Hi, everybody. My name is Richard Malach and I'll be your moderator for today. So let me tell you a little bit about myself. I've been a freelance consultant in cybersecurity, we never used to call it cyber security, for the last 25 years traditionally in infrastructure. I've been working very closely with identity both employee identity and customer identity for my blue chip customers for a few years now, and certainly, it's a subject I'm really passionate about. 

We are really, really fortunate today to be joined by Justin from Beyond Identity. So Justin, why don't you tell us a little bit about yourself? 

Justin

Hello, everybody. My name is Justin Mingo. I am a marketing manager here at Beyond Identity. I've been working with our marketing team to sort of spread the good word about what we do here at Beyond Identity in regards to both workforce and customer authentication. 

Richard

Thanks, Justin. Right. So this is going to be...this is quite a nice number, six of us, we're going to pretend we are sitting around the same table. So if I could ask Jacob and Matt, if you could turn your cameras on so it'd be like we're having a nice intimate chat. 

While we're talking, if there's anything anybody wants to chime in either use your raise hand, or raise your hand on the camera, or drop something in the chat, or just start talking. I'm here to moderate and hopefully, we'll be able to get everybody's ideas across and everybody gets a lot of good stuff out of this. So what I'm going to do is just going to go around the table, if you can all maybe introduce yourselves, say who you are, what you do. 

And really, what's top of your mind, what are you bringing to the table today? So let's start with Ido. 

Ido

So I'm Ido Dubrawsky. I'm the CISO for the Emmes company which is a CRO, a contract research organization in the Maryland area. But actually, we are a global company. We have acquired multiple smaller biopharmas. So we have both a public and a private biopharma organization. We do a lot of work with the U.S. government on health studies, vaccine trials, you know, study development, but we also work with private biopharmaceuticals. More or less, you know, some of our challenges are that we need to be both FedRAMP moderate and FISMA moderate compliant. So we're trying to find, you know, we're always on the lookout for better ways of doing it because we are currently using a multi-factor authentication solution as part of our overall authentication package. 

But we're trying to find ways of improving that so that it's less onerous on our endpoint users, as well as be able...something that can be scaled up to deal with a lot of our study clients and our study participants. 

Richard

Okay. Thanks Ido. Steve, why don't you tell us a bit about yourself and what's top of your mind? 

Steve

Yeah. Hi, Steve Giovanni. I'm the chief technology officer for Ventra Health. We're a revenue cycle management company. So, you know, authentication and identification are core to a lot of our processes in healthcare and making sure that those are secured properly. So like Ido shared, we have a multi-factor solution in place. 

But, you know, what he said that really resonated with me, which is main reason I'm here today is I want to... I always keep my eyes and ears open. Are we doing what's best or somebody else figured out something better than us? We want to always be learning and sort of improving. 

And the biggest thing I'm looking for is kind of a solution to the problem of with multi-factor authentication...okay, I think we all agree in the industry MFA is not just needed, it's kind of a mandatory, is kind of a must in 2022, right, like, we're all there. But the problem that it puts out that I don't hear talked about enough, is that there are situations where you need to have shared log-ons, right? 

So, like, you need to have a team because, like, you know, maybe we have a vendor that will only give us let's just say one account for our organization, okay? And now we have a two or three, or five-person team, and it's assigned to one person on that team, and maybe it's tied to their cell phone, for example. 

And then they're out on...maybe they're sick. How do I, you know, effectively leverage that? There are some interesting things we can do with technology to get around that. But that's kind of a question I'm always sort of percolating on. 

Richard

Steve, that's a great...sorry, Justin, I didn't mean to... 

Jacob

No, no, no worries. I actually have a quick thought on that too to chime in, Steve. It's one thing that we actually encounter in our team as well, especially in our IT help desk where we have one login too like O 365 instance, but you've got six people working. And so, one of the things that we looked at was we use essentially SMS capable platform, that pipes right into Microsoft Teams. 

And so, it comes into a team's channel in that group so no matter who it is, they're able to get that authentication message right there. So yeah, definitely hear you on that problem, and that's definitely, I think a common trend across teams that are having to work like that. 

Richard

I think slightly maybe coming from a different perspective. Part of it yes, it's protecting the account, protecting the credential. But part of it as well, if you've got the same accounts, then how can you track that you haven't got any sort of insider threats

We've actually got in the airline...so my customer is a major airline group at the moment. And we're doing...I know we're talking about customer but actually, this is actually the employee identity side of the platform. We're adding a lot of security controls or inaudible] security license to Office 365. We've got a big problem with what we call generic accounts and shared mailboxes and we're looking at having to look at ways so we can pick that that. 

Because it's one thing saying yes, it's easier for teams, and one of our international airlines is actually using this. For teams to share an account, share a mailbox, and share inaudible]. But if somebody decides to do something we don't like, then there's no way of tracking who that person is. So we're now looking at different ways and actually making sure that our first thing is to give everybody a credential, and then see what technologies we can actually use to share that as long as they log in with their own credentials. 

Jose

You lose auditability, you lose, you know, if it's something critical and a regulator comes along, and decides like, hey, you know, prove to us that you don't have anything malicious or unauthorized people are not accessing this resource or this account. And when you have a shared account like that, you can...you'll get torn apart in the audit real fast. 

Richard

Yeah, that's it, Jose. Jose, do you want to tell us a bit about yourself, who you are, what you do? And by the way, you've just given away the magic. 

Jose

Hey. Yeah, my name is Jose Pasillas. Infosec for 12 years. Been in various functions with infoSec from engineer to leader to, you know, be so doing a fraction of the CISO job. And, you know, what I'm focusing on now is the SOC and event detection and stuff like that. 

And being that we are the SOC, very interested in identity and auditing, and, you know, ensuring that authorized people are the only ones accessing things, and their IAM solution is working. And we can verifiably tie people back to who they say they are. And so, I'm here primarily to just listen. 

And it was mentioned earlier, I think Jacob said just that...or not Jacob I think it was Steve that might have said that if anyone is doing anything better, you know, want to be part of listening to that and re-evaluating the tactics and the operation model, whatever, just to inform my own operations and the team. 

Richard

Thanks, Jose. Bill, why don't you introduce yourself and what's top of your mind? 

Bill

Hey, nice to meet everybody. My name is Bill, chief information security officer for Emburse. We do expense management, invoice management, and card issuance. So we're in the FinTech space so ifi you do your expenses through Concur, or inaudible] one of those we are up against these guys in that space. And let's see, we've been growing through mergers and acquisitions so a lot of M&A activity . 

Thirteen different SaaS products that we have right now, have various types of authentication. We are considered data processor for the data controllers across the globe so the companies of data controllers. We utilize a ton of single sign-on, but we are right now getting into a whole bunch of FIDO authentication that we're looking at both through Google and also through OAuth, Auth0, excuse me, AuthO. We're trying to figure out what our customers are driving us towards, we want to make sure that we can be at the tip of the spear for them. So there's a myriad of other things. You know, I love the fact that you said FedRAMP moderate, we are starting our entire process in that space. 

We do 25 different audits a year between the 9 SOC 1s, 9 PCIs, 4 SOC 2s, and then we do 3 ISO 27000 ones and we're about to kick off our ISO 27701 next week. So we are in the auditor's chair every other week of a calendar year. 

Richard

Bill. Jacob, why don't you tell us a bit about yourself and what do you bring to the table today? 

Jacob

Yeah. So, hi, everybody. I'm Jake shields. I'm the director of customer experience and technology at Guide Star. It's a division of CCI systems so we are primarily a managed services help desk along with 24/7 contact center, network operation center. 

Eventually, we'll become a SOC as well as part of our transition. But from my side, it's always...it's more about the customer and really explaining to the customer why identity management and the authentication, multi-factor, and all these security measures are really put into place. And it's not so much that it's always just about protecting us, it's about protecting them and their information because, at the end of the day, they're the one who pays our bills. 

So really explaining to them why we're enhancing security, why we're putting all these different tools in place while it might seem cumbersome, it's more about the protection around it. 

Richard

Absolutely right. And Matt, why don't you introduce yourself and what's top of your mind? 

Matt

Sure. So I'm Matt Moore and with IHG InterContinental Hotels Group. So I have been at IHG for about three years. And when I joined, we were embarking on probably what is our first really major foray into the customer space. 

Before that, you know, if you used our loyalty program, for instance, you would have been able to log in and you might still be able to log in with a nice handy four-digit PIN. So we are, I would say, on the initial part of our maturity continuum when it comes to this space. So really just...you know, I come from financial services background, consulting background so know what good or better looks like but would love to hear kind of what the latest and greatest is and what folks are going after at this point. 

And that's about it. 

Richard

Brilliant. Okay, thanks, Matt. So we have a good chat today. The topic of today's conversation is What Brands Get Wrong About Customer Authentication. So I'm just going to ask our thought leader, Justin, just to set the scene for today's conversation. 

Justin

Okay, sure. So what we found...excuse me getting a little bit of a cold. But one of the things is that people always, at least historically, have seemed to think that user experience and security are somehow incompatible. 

And that's generally across whether the consumer space or the workforce space. But that's basically one of the things we're trying to change now, especially given the importance of MFA coming along on the Office of Management and Budget at the White House, are requiring this. And everybody is seeming to jump on the MFA bandwagon, but not all MFA is equal and that's especially true in the customer space. 

And the user experience aspect of it is even more important in the cyberspace because customers don't tolerate a bad user experience, even if it's "for their own good" in terms of logging in. So we need to have something that doesn't get between you and your customers yet gives the necessary level of security that protects both you and your customers from the dangers of ransomware or some other credential-based attack. 

And so, I don't want to say MFA 2.0 because that sounds like some sort of craziness. But there's, for lack of a better term, a better way to MFA to put it simply at least. 

Richard

Other way to MFA, we're not talking passwordless authentication, are we? 

Justin

Well, indeed we are. There is passwordless authentication, but there's passwordless authentication that's within your wheelhouse. You shouldn't have to trust Google or Apple, or Whatnot because they can deliver the UX aspects of it, but they don't deliver the security aspect of it, that would again protect you and your customer. 

Okay. I mean, I'm actually interested. I mean, how would you look to do that? 

So the way that we do it is that...a lot of other people you might have seen Apple in the news where they're talking about their Keychains or Whatnot, that's effectively a password manager. And yes, it may remove the experience of the password from the customer's eyes, but it doesn't remove it from their accounts. 

So if you're using Keychain, that customer can still get hacked. And if it's on somebody's server, then it could still be stolen. If that password still exist, it can be phished, it can be stolen, it can be done with whatever an evil person wants to do with it. A solution that I'm looking at basically binds immutably the person to the device. 

So it's using MFA in terms of what you have and what you are, rather than what you know. That shared secret, that password is what gets you in trouble, what leaves you vulnerable, and then that can really tear you apart. 

Richard

Yeah. Certainly knows the customer, it's all these...one thing employee passwords, but on so many websites, I just get so fed up with different POP passwords, different formats. And most of the time, it's not really that necessary that I keep a lot of these shops or accounts, I buy things from once. I have to keep on top of all these passwords, it sort of drives me a bit insane. 

Justin

Yeah, it's a major problem, I mean, 60% of online consumers reuse passwords or use simple passwords because they don't have the bandwidth to remember a different account for 137 different vendors. But here's the newsflash: even if you could, it still doesn't make you safe because no matter how crazy or strong, or convoluted your password is, if it exists on multiple servers, it can still be stolen. 

Or if some ransomware agent can put up a site that makes you think that you're at such and such.com instead of the real thing, they can still be phished, you can still convince a customer to do something so. 

Richard

You know what? It's actually great, you know, on the introductions that everybody is here to find out a new and better way of doing things, so it's a great way to start. But we're all from reasonably different industries. So I think actually if we can dive into our discussion points, it'd be really interesting to know round the table from your own perspectives what really frustrates your customers about their authentication journey. 

I saw Jose was sort of nodding along to some of this stuff you were saying, Justin. So Jose, can I get your viewpoints maybe start with you? 

Jose

Yeah. Justin talking about...yeah, it's funny that Apple's like, "Oh, we're different." But no, you're not. You're just...yeah, it's not. Having a lot of experience in nefarious thinking in activities legally...I'll say legally, let me make that disclaimer. 

I can tell you that it's a lot easier than people think to steal passwords, steal, you know, other things that you can use to authenticate as that person. I will say one of the most frustrating aspects and you pointed it out, Richard, is that, you know...I think it was sorry, Justin. If you're across 137 sites or 137 tools having to go across and remember all of that and somehow keep those credentials in mind, unless you have a photographic memory and you scan the sheets of all your accounts and passwords, I doubt you'll be able to keep up with it in any other way. 

But yeah, it's really that jumping between. And when you're doing, for instance, a lot of M&A activities, it's hard because...at a previous company I worked at, they did a lot of M&A and that's how they grew. And going across the disparate platforms and having to get service accounts or a different type of account for each organization that's brought into the fold, especially if they're...and they're not unified ever when they first get acquired, of course, we all know that. 

But really managing that is frustrating to the engineers, it's frustrating to the customers. "Well, what do you mean this is my bank over here?" "Well, you just got acquired now you have to go do over here," but you're still authenticating back to your old portal for other functions. And it's really the frustration piece...and I'm in FinTech as well. That frustration piece is managing and making it seamless between both of those platforms. 

That right there, I've seen the most feedback both from an engineering perspective and customer perspective. 

Richard

Let's get a slightly different viewpoint. So Steve, from a health perspective, is this how you see things? I mean, what about your industry? What are your challenges? 

Steve

Yeah, you know, our biggest challenge in the healthcare space is...I alluded to it earlier, but to unpack it a little bit more. You know, so we are almost a middleman between...you know, we're in revenue cycle management, which means, like, we handle the billing end-to-end, the full revenue cycle for, like, hospitals or different medical health groups. 

And so, we will have to, for example, deal with an insurance carrier. And the insurance carrier will, let's just say, only give us one log-on. And that log-on will be tied to, you know, a...you know, depending on their system. Somebody else brought up the point that not all MFA is equal. 

And I concur with that wholeheartedly. And the challenge I have is, I feel like our solution is great, but the challenge I have is managing and interfacing with the rest of the world. There are some great open standards, you know, like TOTP that I absolutely love because...you know, for example, we use an enterprise password manager called Bitwarden. 

You know, you guys talked a lot about managing all these different passwords. We can do that and we can audit all that access so it meets the auditor's requirements for like a SOC 2, right? Because I can show you exactly who accessed what password. And Bitwarden even supports TOTP codes so I can even take it one step further. The problem I have is, not every system outside of our control plays by the best standard. 

Sometimes they'll lock it down, you know, to just a, like, text number which I can get around with, I can have a RingCentral distribution group that shoots out to multiple people. Although then I do lose the auditability. 

But there's even worse than that sometimes, like, people will implement Duo, for example, very, you know, widespread industry-standard in MFA terms. But a Duo account will very often be restricted to a single mobile device. So my struggle really is, you know, how do we balance? We all agree, we want MFA. 

I agree completely with, you know, Justin's comments around passwords and how vulnerable they are and how I think passwordless is the future. In fact, I don't understand why we as an industry haven't moved further towards passwordless by now, quite frankly. But in the meantime, especially in the healthcare space, I mean, you guys...I'm sure I don't have to tell you guys that oftentimes, like hospitals, sadly, are way behind the curve from a technology perspective, way behind. 

So, you know, trying to balance, Richard, the, you know, best practice security with, at the end of the day, a lot of times my business is telling me, that's all fascinating, Steve, but we still have to operate the business, we still have to get stuff done, figure out a way. 

And so that's tough. 

Richard

Steve, how do your customers feel about this? Do they get frustrated? 

Steve

So it's interesting, yeah. The customers from their perspective...because, like, we'll say something to the effect of, well, you know, XYZ party, XYZ vendor, that's really the customers' vendor, but we're having to interface with because it's their partner, their customer, or their vendor of choice. You know, we'll go to our customer and say, "Oh, well, they're not wanting to play nice, they're not wanting to give us multiple accounts." 

Because we would be fine saying, okay, everybody, you know, gets their own account, gets their own MFA codes or whatever. But a lot of times these vendors will just quite frankly, say no. And so, the customer almost doesn't care. Like they're looking to us to just solve the problem, right? They're looking to us to just provide the service and go figure it out. Like, they're not really willing to sort of get in between or get involved so it really falls on us to figure out things. 

And again, sometimes we can in terms of coming up with creative technical solutions, but it's also tricky to balance that from a reasonable, you know, auditability standpoint. 

Richard

It's funny actually you say that, Steve. I'm just going to go on to Ido in a moment. But it's just funny you say that because customers are just generally found. Just don't want to do any sort of due diligence, they want to know I'm buying stuff off you. 

Ido, what about your customers? 

Ido

So the problem that we have is that our customers...the vast majority of our clients are endpoint sites that are run by individuals who have...well, to be honest with you, I'm just saying bluntly, they're extraordinarily technically, I wouldn't use the word inept, but certainly would use the word innocent, okay? 

They want the minimum amount of effort, they are accustomed to pass...you know, the question of why haven't we gotten rid of passwords? That's a question I've been wondering for years now. You know, everybody says, you know, we've got to move away from passwords, move away from passwords, seems like nobody wants to make the move. But part of it is also because there are these people who are holding you back. 

You know, it's also that like, from my experience, in some of our studies, we're dealing with people who are very marginal. I'll give you an example. We have one particular study that is done through the National Institute for Drug Abuse. You're dealing with people who are either recovering from drug abuse or are still drug addicts, okay? 

It's one thing to get them to, you know, be able to handle just being able to log in, you know, as part of the study to say, hey, I'm checking in, or whatever. It's another thing to say, okay, now, you got to do this complex multi-factor, you know, you need to have a multi-factor authentication, maybe...do we send you an SMS code back, what do we do? 

And to be honest with you, I'll tell you, SMS codes are not multi-factor authentication, okay? That's just not it, okay? And on top of that, we're also global in that we are dealing...we have connections coming in from multiple locations all over the world. These are sites in Africa, sites in Southeast Asia, where you don't know, you can't really know who is on the other side. 

But these are people who are enrolled in these studies by the site, and we have to be able to allow them to do what's called patient-reported outcomes, PROs are what we call them. But they need to be able to connect in and do that. And we have to have some level of certainty that they are who they are. So in essence, you know, we are kind of held back by the lowest common denominator that we're dealing with, okay? 

I look at it from the perspective of I'd love to go to something that is much more sophisticated maybe even passwordless for my folks. I mean, one of the things that I prefer, particularly myself personally use is with Microsoft, you know, I go into my personal Office 365 environment, I don't put in a password. It actually pushes back to my authenticator saying what number showed up on your screen, you know. 

And I'm like, "Great, I don't have to remember." Because to be honest with you, I could not remember my Microsoft password. But what I'm saying is, I'd love to have that, but that's just too sophisticated from our perspective. So really, what I feel is pulling everybody back and making it harder for this transition to a much better situation, is the fact that we are always dealing with the lowest common denominator. 

And I don't think that it's ever going to go away, I think we are always going to have to live with this burden, you know, it's like an albatross around our necks. 

Richard

It sounds like that, somewhere in the future, please. 

Ido

Well, in the future, you know, when I'm going to say beam me up, Scotty, there's no intelligent life here, then, yeah, I mean, it'll be all gone, you know, there'll be voice authentication, who knows what else. But for right now, this is where we are and this is the struggle that we have. I can deal with it from my employees' perspective, but from the fact that I have to provide a service, and I have to provide this access to our system, to our EDC, to our electronic data center, health center system to people that I have no clue who they are, and that they have to have the simplest access that we can possibly give. 

I have to live with this as like this constant oh, my god, do they have a real password? We tried to put in...you know, we tried to follow the NIST digital identity rules, but even then, it's still too difficult to...and we have to revert and allow for passwords that are much simpler. 

The best solution...one point that I kind of relented on was where they said, "Well, can we send them a survey where it's an SMS text message, they can go to the survey and they can input their information," and I'm like, "You know, is it authenticating, is it encrypted, you know, what's going on, you know, tell me?" And the developer is like, "Well, we're trying to get this as easy as possible for them." And I'm saying, "But easiest possible for them makes it as hard as possible for me." 

Sorry. I'll get off my soapbox. 

Richard

That's fine. That's fine. I want to go briefly to Justin just so you can have a chance to address some of the good points. I'm going to go over to Bill straight after. 

Justin

Okay, excellent. Thank you. So honestly, I'm loving what I'm hearing so far. And Ido, you have made my favorite comment so far today. SMS codes are not MFA. And I really want to impress upon that because there are so many people who still don't get that. I mean, obviously, the people in this room get it because you are all CISOs and equivalent, whatnot. 

But that's something that the general public hasn't really grasped yet. That stuff really can be phished, and so SMS codes can be broken. I actually did a webinar...because I'm the marketing goon. I actually did a webinar a couple months ago, where our CTO actually got on live, and hacked through an MFA and just showed people how it's done, and just how simple it is. 

So that's really impressive. But another aspect of what you're dealing with is that...so you sort of have a captive audience here. I mean, a lot of what I've been dealing with and a lot of our customers are more e-commerce-focused. And so, I can sit there and rattle off things about how say 76% of customers will abandon the cart just because they don't want to go through the difficulty of having to set up an account and do passwords and whatnot. 

But you're dealing with a captive audience who has to do something. But at the same time, I respect that you need to find an easier way to help get them authenticated. So I mean, for example, well, I mean, the solution that we present will have you use the biometric on your device in order to help log in and, as I've been saying before, bind that person, the identity, to that device. 

Ido

I was going to point out one thing that I wanted to mention. Obviously not in my current employer, but my previous employer, one of the things that we did was...to get around that, to kind of make it a little bit easier, was we used what was called risk-based authentication. It was a tool called ThreatMetrix. 

I mean, I think they got purchased by LexisNexis. But ThreatMetrix allowed you to evaluate a person's behavior, the connections behavior, did it match previous connection behavior, did it seem to make sense, you know. You know, was it way, like...you know, earlier today, he logged in from Los Angeles, and then suddenly, he's logging in from Moscow, okay, three hours later. 

Not really possible unless, you know, obviously, using Tor. But nevertheless, and it would then say, okay, you know what, something is fishy about that. And then it would say, okay, now you have to do multi-factor authentication. Whereas had it just been one....let's say earlier in the day, Los Angeles, in the middle of the day Los Angeles from a nearby location, it would say, okay, you know, he just moved a couple of blocks over and, you know, was logging in from his cell phone, who knows. 

And they track what is the agent on the other side as well to say, is it the same agent? Is it a different agent? So we use that as a way to simplify so that we can say yes, you can do password as long as you don't do something that is funky. 

The minute you do something out of your behavior model, then you pop up the multi-factor and you say, you got to really prove who you are. 

Richard

I can see Bill's got his...Bill, you've been really patient. So over to you, Billy. 

Bill

Thank you. I've got five kids so that teaches me how to be patient. You know, you mentioned that comment on the NIST 863. So when we take a look at identity and access management, we actually started there at the enterprise level. So we want to make sure that we can go through that exercise at the enterprise level. I mentioned all the different audits that we go through making sure that we could arm wrestle all of the auditors to make sure that they were able to accept the fact that we have longer passwords that expire less frequently, was one of the areas that we were focused on at the enterprise. 

So now that we've been able to get through the enterprise aspect of identity and access management, now we're taking a look at that customer face. You mentioned another key piece earlier as well, which was we're always going to be brought down by the lowest common denominator. We see it all the time with some of the legacy systems. We're seeing it right now with head-on battles with TLS 1.2 versus 1.3, and some of the connections that we have through, we've been told that we have to maintain it. 

We said, "Well, that's going to be a challenge for us." We have companies as some of the largest companies you could imagine down to some really small law firms that don't have anybody able to go in and actually update or patch vulnerability issues inside of their own environments. So with that said, it really does speak directly to, let's rethink how we handle identity access management. My whole focus is I've been...eliminated the password guy since I've been in senior security roles and really, that's an area that I'm very focused on. 

I mentioned in my open, just trying to figure out how we can start getting to FIDO authentication, figuring out how we can get into some of these passwordless solutions. How can we get into the passwordless, how can we do a better job with the technology. Technology is doing great; people are going to be the ones that are always slowing us down inside of this area. 

So I think it's incumbent on us to make sure that we understand what standards are. We can agree to the standards, and then we just run with those standards. Otherwise, we're going to be mired in the least able to go forward. I think we have an obligation as security leaders to bring them up, opposed to having them bring us down. 

Richard

Okay. Jacob, is that how you guys see things? Jacob then Matt if I may. 

Jacob

Yeah, and I think the passwordless is huge. And really, Ido, kind of going back to what you were talking about, the biometrics even. One thing that we're starting to see even in the call center industry overall is the evolution of voice biometrics. So when you make a phone call, and you're going through a phone system, and you're getting ready to authenticate because you need to make a change on your account, you need to update your services, you want to cancel. 

It's doing a voice biometric authentication as part of that process. And so, now you're taking away where you maybe had like a CPNI requirement of cool, give me a passcode, tell me what it is to log in or even going to a website and getting that text message or the MFA pop up. You know, now we're starting to get into more of that biometric aspects. 

So we're starting to get away from the manual aspect. And that takes away the phishing aspect as well because you can't call in and start probing call center agents or agents that are going to be, you know, asking you the questions. You can't get around that biometric aspect when you start to do a voice match. I mean, it's just the technology is starting to evolve. 

And you're right Bill, the technology is there, it's the people implementing and the people using it that are really going to be the challenge to really adapt to it. 

Richard

You know, when we talk about biometrics, I'll tell you what sort of scares me. We only have one set of biometrics so if my biometric data is compromised, I can't exactly change my fingerprints, or my voice pattern, or my retina, you know. 

Jacob

When that comes about, you know, we've gotten way too far into the future. 

Richard

I have to say we're getting to deep fakes, you know, it's all very worrying this sort of thing. It's... 

Jacob

It is but I think one of the challenges even with like a voice biometric is trying to really get past the system. I mean, the technology is getting more and more advanced where it's able to really determine. And if it cannot effectively determine that you're right or that person calling in, you're essentially going back to another method, there's follow-up methods. 

So I mean, you can try to get around it, but I haven't seen anybody really do it too effectively at this point. 

Richard

So Matt, one of your say no to privacy team. So what are your views? What really frustrates your customers? 

Matt

I would say biometric has become a little bit challenging for privacy, right? So being a global company, we have not only one, you know, privacy or a bunch of state privacy expectations, but we also have privacy expectations from just about every country in the world at this point, right? So as soon as we start talking about things like passwordless, biometric, anything like that, even if you could convince somebody up one side and down the other, that you're not going to "store that data anywhere" like we totally promise, good luck convincing a privacy team with that. 

So that's one challenge we've kind of had going down that route. It doesn't mean we can't do risk-based authentication or something along the lines of multi-factor to get to something that resembles passwordless. But I think totally going away from giving folks the choice of having, you know, just a basic MFA you have something you know, I feel like we're probably not going to get away from that. 

But I would be curious to know, you know, when it comes to something more like risk-based and speaking of kind of weighing the risks. Has anybody had experience or kind of gone down the route where they...you know, I think we've all kind of talked around the concept of convincing the business, right, convincing the revenue-generating side of things that we need to do the best practice security. 

You know, to what extent if you've looked at how to balance that, right? You know, so showing what the risk is of not doing it, whether it's from fraud or account takeover, or anything on our side that we can see, balanced with, you know, what we think talked about right, which is that loss, you know, whether it's perceived or real, loss of revenue or abandon on the customer side. 

Just curious if anybody has kind of gone down that route to kind of explain why the juice is worth the squeeze on the security side. 

Richard

So maybe that's a question for the table. So why do we go round if you guys want to sort of offer some opinions? So we'll go back to Justin at the end of it and see what his experience is with his customers are. So, Bill, I can see that you wanted to say something. 

Bill

Yeah. Thanks. We have set up a...we have some progressive clients who very much enjoy having very specific conversations around everything from encryption to how we handle data governance. And we have four of these clients who we would consider more advanced. 

We want to work with them to develop some of the passkey type of solutions that are out there right now. So we feel like we have an opportunity to help and lead inside of this area. We're always looking for differentiation between us and our competitors. We actually see this could be one of those areas as we take the mantle of privacy, we take also that focus around identity, and we're able to work with them to create that solution. 

I've had courses, I guess you could call them 30-minute sessions with senior leaders in the organization everywhere from implementation to sales leaders to help educate them as to why it's a problem and what we want to do to address it. And we start to be able to show what this vision and strategy looks like opposed to being reactionary in that area. 

So I'll let you know how it goes in about three to six months. 

Richard

Thanks, Bill. Anybody else got any words of advice they can offer on this? Ido. 

Ido

We're talking about the risk-based authentication. 

Richard

Yeah, so to Matt's earlier question. 

Ido

Right, about whether it's...how do you sell it to the higher executives, the greater powers that be? So right now for where I am, it's a non-starter at the moment because of costs. I know that every...my experience with...well, when we used ThreatMetrix in the previous employer, there was, you know, every single record, every single, you know, user ID was a specific cost, where we had to build that into our overall charge. 

So we had to somehow show that it's not going to be a sink for the business. I mean, I hate to say it, I mean, you know, you're dealing with people who just look at it from a numbers perspective. But the flip side of it was, we had a really good argument because in those cases, just as Matt was talking about, it helped us, especially from a fraud perspective, tracking down fraud, tracking down account takeovers, preventing account takeovers. 

There was at the very end, before I left, we had a rather large customer who was kind of...you know, we were tracking fraud from one of their own employees who was, you know, basically almost...you know, we had this...the deal where she was logging in creating fake accounts, taking over accounts from people within her own company, because she worked within the HR and so she had access to this. 

But we figured out that she was doing this and we were able to say that she was basically...the employer was one of these wellness organizations. So what would happen was that you would earn points, you get an Amazon gift card. It was hilarious because, you know, we managed to figure out that she was doing, like, somewhere around $100,000 within about a two-month period of gift card fraud, okay? 

It was not trivial. Hilariously enough, the people who really cared the least about it, you know, I mean, the client itself was caring about it, and we were able to get it stopped. The people who cared about the least was Amazon because they were like, "That's just like $100,000" that's like, you know, noise for them, you know, that's just nothing. 

But the thing was the cost every single time, you know, there are costs associated with some of these risk-based systems that you got to build into your price structure that you charge your clients. But you also need to then turn around and show the executives that it's going to save you on the other side, oh, look, we're having less fraud, I'm having to spend less time, I don't need to hire...I have more fraud examiners. 

I don't have to hire, you know, more forensics or consultants in order to dig into this stuff. You know, it really benefits you but you got to sell it from that perspective, that it's the fraud that you're saving is going to outweigh the cost that you're going to spend on that risk-based authentication. 

That's where it's really going to come in because it's going to help you with saving on the cost of the investigation, cost of what you have to reimburse people for. And the potential liability of lawsuits from the end-users who...doesn't matter, you can have some of the best security you want. They'll still turn around and tell you, you should have protected my account even further. 

You should have had, I don't know, you know, retinal scans for all I know, you know, some other strange thing they come up with. People these days, they'll sue at a minute's notice. So yeah, I'll stop there. 

Richard

Go on Jose, I can see you're about to say something. 

Jose

Oh, yeah. I'm right there with you. You know, it's something that...also what needs to happen is that...and how I've proposed investment strategies, you know, to hire executives, if you will, is that essentially, it's evolving. This is always evolving, attacks are always evolving, fraud is always evolving. 

So it's no longer...you know, I used an illustration earlier, it's, you know, this type of stuff is not like maintaining a diesel engine that only needs to be rebuilt 300,000, 400,000 miles later, it's not like that at all. And that's the traditional operating model a lot of executives, they don't want to make the spend. 

Oftentimes, dollars are already allocated and it's hard to pry them away to higher priority items that perhaps aren't higher priority in their minds. What I would say definitely is reputational damage these days is something that's hard to quantify, but has a very large financial impact. 

Above and beyond like Ido was saying just the operational aspects or the end-user lawsuits, or anything like that it's that reputation. If you get the reputation for not being able to secure your clients, your competitor is going to eat that up all day. 

And how many of us have gotten those emails from unscrupulous vendors who utilize the latest news item to say why they're better. And, you know, none of us want our company to be, "Well, x is why we're better," you know, we don't want to be in that slot. So it's not necessarily fear-based more so than data-driven many times with those higher executives in that the so what to the business is oftentimes what we're called on to translate from the technical controls or technical failings, whatever, to the so what does it mean. 

And really focusing in on the aspect of you're investing now to be ready and not be caught flat-footed in the future that's coming very quickly. 

Richard

I'm going to get a view from Jacob. I can see Jacob. Jacob and Steve, then what we'll do, we'll go to Justin and get his industry view. 

Jacob

So I think a challenge a little bit on Jose's point of view of not always a scare tactic. I think one thing that we've seen actually work pretty well on our side at least with the executive buy-in is that scare tactic. And as a CX leader and professional and thought leader there, like, one thing that drives me nuts is, like, that challenge and that risk to a brand identity. 

Look at SolarWinds, look at Kayako, some of these companies that have had major breaches recently, they were headlined all over. And do you really want to be that company? Do you want to be that one that's out there going yep, we got breached and oh, we affected, you know, thousands of customers on top of it. Your brand impact is tarnished for years to come. 

And that's one thing that would absolutely drive me nuts. And that's one of my biggest arguments that I would bring to the table is, how bad is it going to hurt us the second that we have that breach? And one of our VPs as well who's in IT and cybersecurity, one of the scare tactics as well that he uses plainly talking with executive leadership is, what's the cost? 

Your cost is going to be far greater than the investment. You're going to spend tons of money in the investigation, in the follow-up, in repairing brand identity, in winning back the trust from your customers. All it takes is that one time to break that trust, and you're done. 

Customers are going to turn, they're going to go elsewhere, and they're going to move on, and they're going to find somebody who does it better. And that's really the biggest thing right there is your revenue is going to be shot. 

Richard

That's a good point. Steve. 

Steve

Yeah, you know, I echo a lot of what Jacob said. You know, when it comes to any of these solutions, like, so we talked about risk-based authentication, that's an example of one where you do the cost-benefit analysis, and then it's up to us to make the business case to our leaders. 

And definitely what you guys have been saying is spot on. Like, it's up to us to lay out not just what the investment and the solution is, but what the potential, you know, cost savings is if we were to have our names, God forbid, be the next SolarWinds in the news. I mean, I get questions...I've never seen this before in my career, but I literally get questions from our clients now like, "Do you guys even have SolarWinds in your environment?" 

Like, that kind of question. That's not the kind of question I want to be highlighted on, right? So, you know, the thing is, like, it's up to us, you know, to balance all these different solutions because if we had an infinite budget, sure, yeah, we could have Okta, we could have, you know, whatever, it doesn't matter. 

We could have all these different tools and just overspend on security. The real challenge and what makes us, what I think separates us from, you know, if we're effective or not, is being able to proactively look at what is the best bang for our buck. And so, I'll give you guys an...just in full transparency. You know, we looked at risk-based authentication versus, you know, our implementation of MFA, and we ended up basically choosing after our cost-benefit analysis to really go to the well of the company budget, and have an investment on an upgraded SIEM. 

So we went with a Gartner Magic Quadrant, you know, SIEM, we just felt like that was the best fit for our budgetary dollars. Because, again, at the end of the day, it's all about...none of us have infinite budgets. And so, it's all about really, you know, trying to figure out what's the best bang for our buck. 

Richard

Justin. 

Justin

Yeah, I had a couple thoughts here. All of these are some great points being brought up. Just personally, when I think about risk-based authentication, my mind automatically just jumps to the idea of bringing MFA only to certain people, which I mean, to me sounds nuts. I mean, I understand why people do it because, you know, it's a user experience thing. You don't want to make people suffer through MFA yet, at the same time, that MFA is there to make sure that everybody is safe. 

It is there to protect your customers and it's especially there to protect you. So the way I think of it is, is sort of like in an airport. I mean, if you go to the airport to catch a flight, like, everybody is going through that security. And if you go through the security and then go back because you forgot something or want to buy a bag of chips, and then...they're going to make you go through security again. And so they don't pick and choose. 

They don't look at oh, well, that person over there has a goatee or a handlebar mustache or something who looks like a cartoon villain we're going to make him go through, but this sweet old lady she doesn't have to go through the security that's fine. No, everybody needs to be authenticated. So that's one thing. And if we're dealing with a type of MFA that is onerous or difficult, or obstructive, or friction full against your users, then that's the part that needs to change. 

So I mean, not having people go through the MFA, you're wasting your MFA. And if say, for example, if you're making people do MFA, for example, on workforce, we see this all the time. If you're making people authenticate with MFA once per two weeks, then that means that you have MFA once every two weeks, the rest of the time people get off scot-free. 

Another thing I just want to mention very quickly before I get off my soapbox because I want to spare all of you from having to listen to me for three hours. But another thing I want to mention is that device posture is important. So I mean having a solution...there are solutions out there that can look at device postures that will say, okay, well, as part of the MFA experience, that is something that the customer doesn't see but behind the scenes. 

Part of that experience can be, okay, well, we're going to look at your device and see how safe your device is, is that firewall turned on? Do you have antivirus installed, so on so forth? So you have things like that that can be part of your MFA process. Is this phone jailbroken, so on so forth? Just like I believe it was Bill who was talking about, oh, well, this phone is logged in from LA, but three hours later is in Moscow, that's a red flag. 

So you can have things like that too, a solution that'll look and make sure that this device is relatively safe and has all the requirements that you need, in order to approve authentication, even if that person is known to be the proper user of that device. So there are lots of things you could add onto there, in addition to a frictionless MFA experience. 

Richard

Thanks, Justin. I'm just looking at the time, we're sort of top of the hour. I think this sort of segues nicely into a whole building that long-term relationship, customer retention side of things. You know, in my recent customer identity program, we've got a big challenge. 

I'm going to just kind of lay something out there just to get people's thoughts. We've got many operational companies, all of which have this great customer data where they can use for marketing purposes. They're all running their own customer identity systems, we're trying to convince them all to have a single golden record for the customer. 

But at the same time trying to keep as little of the customer data as possible so we're not looking at being responsible for this stuff. So we're looking at things like Self-Sovereign Identity solutions, where the customer owns their data. So what are you guys doing in this sort of respect? Is this something that you're thinking about when you're thinking about customer data? 

Well, could the customer authentication, having everything in one place be able to target the customer to obviously sell more products and services as well as giving that great experience? Ido, thanks for joining us, I know you've got to drop. Jose, what are your thoughts? 

Jose

Being in financial services, it's hard to minimize the amount of customer data we own. And that's something that we're actively working on, of course. Furthermore, it's complicated by stuff like CCPA and GDPR that says you have to use the data in a manner that's consistent with which was collected. 

So I would say that definitely something to keep in mind, you know, would it be possible? Would I actually trust my customers with that sensitive data? As weird as that sounds because so many people are not technical. This was mentioned earlier there's the expectation that a service that you provide also includes safeguarding of their own data, protecting them from themselves many times. 

Don't click that link, like we tell a lot of our users in security. Don't click that link, don't open that email, don't open that document. So speaking...and other people your mileage may vary my comments, I'll qualify that way. It's not really that possible for us to minimize the amount of customer data that we own in financial services other than don't over-collect, you know, obviously, don't over-collect. Oh, trust me as security I am the Boogeyman when it comes to don't over-collect. I'll come after you if you're ever collecting because again, that's risk, that's that liability you're bringing those in. And if someone in marketing says hey, great, I'm going to take that data. And then you know, here comes California saying, "Hey, take the data. Go ahead do it, we dare you." 

So, you know, it's something that I would say that I struggle with personally trying to figure out. And really, how would I say? Really cascade the knowledge to other people that perhaps aren't having the same considerations or the same exposure. But I'm interested to see what Bill has to say because of his FinTech experience. 

Richard

Bill, why not? 

Bill

Yeah. I've got a lot to say inside of this space. Number one, my best relationships inside are with the legal team making sure that we understand exactly what's going on. I mentioned in my very opening that we are very focused on European data privacy, China data privacy, and of course, everything here in the United States. Through that lens, understanding what data you're holding. 

So we've gone through an entire Data Privacy Impact Assessment, thank you GDPR. I do think this is the greatest export from Europe outside of the wine was GDPR. So GDPR has matured us with our DPIA, Data Protection Impact Assessment, figuring out what data is where, how we tag it. And then Schrems II came along, they've now helped us with understanding what is a transfer, how do the transfer agreements work inside of our organization. 

So tagging data, understanding what data goes where, making sure that...going back to your previous point, you're taking the most limited amount of data as humanly possible that's what we're able to validate through that process. Then it comes to the legalese, making sure that our standard contractual clauses are set up appropriately, making sure that our DPAs are all set up, our data privacy agreements with our customers. 

Because we do have an obligation to make sure that we are holding the least amount of data as possible and we know exactly where that is, and who has access to it. So that's the final piece, which is around our sub-processors. Making sure that we list all of our sub-processors and we produce evidence or artifact, if you will, to all of our customers updated quarterly. And we also give them the right to object to our use of a data processor if it's going to be inside of their space. 

So our relationships internally are crucial. Making sure we understand the international landscape that relates to their data is critical. And then also then educating the rest of our organization. My marketing and sales team would love to be able to take more data, they love to be able to bring Salesforce data and some of our application data and bring it together. My data analytics team wants to be able to take all this data. 

So we talk about anonymization, we talk about pseudo-anonymization, we talk about what type of data can be focused in different areas, whether it's CHD cardholder data, or any other type of data, making sure that we tag it appropriately. And we make sure we segment out all those different areas that relate to some of the more privileged type of data inside of our organization. 

I said that all without taking a breath. Was that where you were hoping to go with that particular topic, tagging data, understanding data, and where it's going? 

Richard

Perfect, perfect. I saw Matt wanted to say something. We can go to Matt and then Justin if I may. 

Matt

Yeah, I think all of that. You mentioned the Self-Sovereign identities. I will not claim to be an expert in that so I won't speak on that part. But yeah, I think, you know, we're embarking on something very similar, as far as trying to make sure that we know completely what data we have and where it goes within our environment as a separate or kind of a follow on to what we're doing here. 

You know, like you said thank you GDPR, we did a little bit of that of what I would call what we declared we have across our environment. But our environment is so extremely complex that I, especially as a security professional, don't trust that. So we're going to do more of a full-blown discovery effort to go identify where everything is and classify and tag. 

So that's another big kind of call out. But no, I don't think there's anything else. I was trying to think of what else as far as where the conversation was going on that one. But I only just agree and kind of agree with what you were saying there. 

Richard

Yeah. Great. Thanks, Matt. Justin, you wanted to comment. 

Justin

Yeah, yeah, totally. Well, firstly, I want to say that as a consumer, I love GDPR and I wish we did do more of it over here in the U.S. But that's a different conversation. But one of the things I wanted to note is that...actually, I had a story about this. We have one of our customers, a company we work with, Snowflake. And one of their issues was...as you can imagine, Snowflake also has a lot of customer data on hand. 

And one of their issues was making sure that they can control internally who has access to that data. And so, for example, I mean, if we were Snowflake, we're not. But if we were Snowflake, me as, like, the random marketing goon, I have no need to access any of this data. And so having our MFA solution, for example, can help determine who should and shouldn't have access to any individual given system or any given SaaS app. 

So who deserves to have access to Salesforce, who deserves to have access to your Datadog, or your Snowflake, or your customer data, so on so forth. So that's another way of controlling who does and does not get access to data. But similarly...so I was at a doctor's appointment a few weeks ago. I mean, this made me think of HIPAA. 

So I mean, HIPAA requirements are similar type of thing where you have to watch out over who has access to data. And I noticed that if you're in a doctor's office, a lot of the computers in there, for example, have a login for whoever's on shift at that moment, or whoever's on staff at that moment. But once you log in, then it tends to stay open, many people don't log back out. 

And so, while I was at the doctor's office I'm sitting there in the examination room, the doctor had left to do something or whoever was the nurse technician had left. And I, like, walked over to the computer and I was able to look into the computer and I was trying to dig through my own files. But I could have been a jerk to try to look over somebody else's files and copy things and do all sorts of stuff. 

And so, that's another issue and that's hitting back on the point that I wanted to make earlier about MFA, which is you need to have something that's always available that's dealing with continuous authentication. So, if anything, I just wanted to hit back on the note that looking over, controlling who has access to what at all times is something that you can't or at least shouldn't turn off. 

Richard

Justin, I had a similar situation with my doctor. I went in and I saw the billing information. I then set it all to zero. And I just said, "He's excused from having any invoices." So it was cool. I want to go to Steve next if I may, and then Jacob. 

Steve

Yeah, some great thoughts. You know, Jose, before he left, I was going to tell him...I know he had to deal with an escalation issue. But yeah, a lot of what he said really resonated with me. So he's speaking from a FinTech perspective, but I'm in the same boat in the healthcare industry like, unfortunately. 

So you raised a very well-pointed and provocative question, Richard, in regards to ownership of the data and sovereignty. As it stands today, while that's kind of great to think about from a philosophical perspective, and even, like, sort of some proactive planning. Today, as it stands, you know, the truth is we are just responsible for the data, we're the safeguards or the custodians of our customers' data. 

And so it really is up to us to ensure that data is safeguarded. But also, the other thing that I haven't heard mentioned that I just want to bring up is it behooves us to have a really solid retention policy, right? And to partner... something Bill said that also was great was partnering with legal, that's been my strategy, Bill, is just, you know, making sure legal literally...our general counsel told me that, like, I'm her favorite...or that we're her favorite department. 

Because we bend over backwards to work with them, to over-communicate, to really involve them in the process and talk to them about retention, and talk to them about liability, and get their buy-in and their input. And I think if you do that early and often, it pays dividends. So just, you know, wanted to just throw out there the importance of having a good and solid retention policy. 

Richard

Yeah. Jacob. 

Jacob

Yeah, I'll second the retention policy there. That is one thing about three years ago that we really changed. Prior to that, we used to just keep data. Worst move ever is to just keep data sitting around. And the one thing that we really changed and we partnered with legal and like what you said, Steve, and Bill, really legal teams, they love us now because we talk to them so much. 

But we evolved that when customers leave, their data is gone within up to one year. But typically that data is gone like, a week after they're gone. We put it in right away, we don't sit on it, we don't want to wait. But anonymizing that data too is also...we look at ways to kind of anonymize certain data or certain pieces of what we want to capture to use for different analytical purposes. 

Like what type of devices are we seeing, you know, commonly entering networks. Okay, it might be an iPhone, it might be, you know, Windows laptops, whatever. But we segment that out very separately and keep it very disjointed. And we also focus very, very heavily on privacy and CPNI-type training to make sure that the team not only annually but is always kept up to date on what are our privacy policies, what's the CPNI guidelines. 

What are, you know, specific things for PCI compliance, etc. And, like, we focus very heavily on that training and reiterating it out to the team. And if for some reason they need to get retrained sooner rather than later, it gets pushed out more commonly than once a year. But that's definitely a huge thing is that training and making sure the employees understand it. 

Richard

Thanks, Jacob. Bill, Matt, do you have any sort of anything to add to that? So I just noticed the time, we're nearly a quarter past the hour. And I just thought, you know, maybe in the final few minutes, we just go around and if I can really get any sort of key takeaways, or final words of advice to the rest of the table. 

Then we'll go back to Justin for his final thoughts, and then we'll go to our illustration. So Matt, can I start with you, what are your sort of key takeaways, any final thoughts for the group? 

Matt

I guess one takeaway is, you know, there is no one way to solve this. I think we all recognize that and that we all kind of have the challenge ahead of us, or behind us, hopefully behind us, for those that have already solved for this a lot. But I think, you know, for me, it's again, I mentioned trying to get business buy-in business backing, you know, just trying to make sure that again, from a risk perspective that, you know, we're solving the challenges that need to be solved, and going and spending...you know, being basically good stewards with the finances side. 

But yeah, I'll be definitely looking up some of the partner integration side of things, and the standard side, that's a big piece for us right now is, you know, we like to not hand out our authentication, you know, as much as we can prevent that. But a lot of times, especially in the business we're in, we have to. 

And trying to do that in a standardized, methodical way, as opposed to I will say, transparently how we've done it in the past, which is about 15 different ways of integrating authentication with partners, with third parties in either direction. Whether it's I think what...I can't remember who mentioned before around, you know, logging into an insurance provider, that kind of thing, or the other direction of doling out your token as somebody else. 

Trying to do that and, again, in a methodical, secure way is difficult on a good day, but especially once you start layering in other aspects whether it's MFA or RBA. So, yeah, definitely appreciate it. 

Richard

Thanks, Matt. I'm going to get to Bill next, if I may. Bill, what are your key takeaways, final thoughts, or any other bits of advice to the group? 

Bill

Excellent. I'll find you on LinkedIn. With that said, I'm very curious to find out, is anyone looking at doing any type of FIDO authentication with utilizing passkeys? Are we seeing it out there at all? Are people, like, ready to move into that space? I'm just curious. 

Maybe. 

Justin

I mean, we definitely work with FIDO except we don't need passkeys. 

Bill

Okay. Yeah, I'm... We're looking at moving forward, we always want to be innovative, we always want to make sure that we can meet our customers at their point of need. We want to make sure that we can reduce burden, reduce friction, and introduce any type of innovative thought. 

Again, in our space when it comes to invoice management, expense management, or card issuance, inside of this area fraud is one of the biggest areas. And the teams that I'm responsible for, one of which is the fraud ops team, we're always looking at ways that we can be more innovative, know our customers. And I can tell you if any of our customers want to participate in a more graduated level of authentication, they immediately go up in the KYC high score list, if you will. 

So as I start looking at fraud, as I start looking at trusted relationships, this is an area that I think we all have to be practitioners of. I think these innovative CISOs need to be the tip of the spear as it relates to this relationship between our products, our customers in that technology space. 

So with that, before I give up the microphone, a shout out to Chris. I have actually pinned you on our little list here today because I have truly appreciated all of the skills that you have in there. So thank you so much for sharing your talents with us today. That's it for me. 

Richard

Thanks, Bill. Steve, what are your key takeaways or any final thoughts to the group? 

Steve

Yeah. Well, just before I forget, I wanted to mention Bill. You know, my opinion on FIDO, I love it. I think it's fantastic. We use YubiKeys internally for my team. For anyone with privileged access, we use YubiKeys; that's our standard. I don't believe that the industry is going to move to it in terms of mass adoption. 

That's my opinion. I think that like, somebody brought up I can't remember who, you know, the general masses are going to stick with the, you know...oh, I think it's Ido. Logging in, I do the same thing as him. Like I log into Azure...well, I actually choose to log in to Azure with my YubiKey because you can set it up to do that. 

But I think for most people having your smartphone with your Microsoft authenticator app, for example, be your passwordless login, fits the bill. I think it really checks the box. And so, that's my opinion, as far as the masses, and that FIDO is a great sort of a niche case for things like privileged access. Key takeaways for me, you know, I really loved what Justin shared as far as, you know, thinking of...I'm going to steal that line, Justin, as far as authentication, being like an airport security. 

That's fantastic, great analogy. And I completely agree. I think that, you know, we are kind of TSA. I never thought I'd want to compare myself to the TSA. But we're kind of TSA in that regard. And that's why...you know, like we, for example, years ago, now, I made MFA for Office 365 mandatory, like, there's no exceptions. 

Like, we have security defaults in place and MFA is enforced for 100% of our users. And, you know, I got buy-in again, went to the legal and the business leaders, and everybody was on board and we pushed that out, and I believe saved us countless headaches. So, you know, just really thinking ahead and trying to stay abreast of the emerging threats and how we can best mitigate those. 

But I want to thank everybody before I give up the mic, as far as your input today has been very insightful, great group of smart leaders. I appreciate it. 

Richard

Thanks, Steve. Thank you. Jacob, over to you. What are your final thoughts or key takeaways? 

Jacob

I think hearing everybody's different input and the way different things are being accomplished is quite interesting and really valid. There's always 35 different ways to slice a pie. And I think everybody's input is very valuable in that regard of how everybody is kind of accomplishing it. But it's also critical to remember I think with all the privacy regulations that continue to come out, it's really challenged us to be better in guarding our data, and really looking at what are we capturing. 

And I think that's something that we need to keep top of mind is we're the data stewards for customer data, and we need to really focus on making sure we protect it and get rid of it when we don't need it so. 

Richard

Brilliant. Thanks, Jacob. I'm going to go to Justin. Justin, what are your final thoughts? You've heard what the group has to say, their key takeaways, any final thoughts, words of wisdom? 

Justin

Yeah, well, firstly, I didn't get a chance to say it before. But somebody mentioned about the value to your brand of preventing data breaches, preventing fraud. And that's an important point that I was really excited about but I didn't have a chance to mention anything because I didn't want to interrupt the flow of knowledge. 

So kudos to that. But yeah, at the end of the day, I noticed I believe Steve, who was wearing the...you're using a YubiKey, that's a wonderful thing. I believe somebody else mentioned Duo. So yeah, these are great ways of taking authentication seriously. I mean, obviously, because I'm the marketing guy at Beyond Identity I'd like to mention that we can do that without using the second device. 

I mean I should have on three times now. Every time I get in a call where somebody has left their second device upstairs or whatnot, actually me and my sales guys get a drink. But it's important to recognize the value of authentication. And if you can do that on a single device platform, such as Beyond Identity, then even better. I mean, you all recognize the value and I think we've been discussing between risk-based authentication versus continuous authentication. 

I think we're getting that point across that if you can leverage continuous authentication without causing a user experience nightmare, then that's what would be optimal to again, protect both yourselves and your customers, your clients. 

Rela8 Roundtable: What Brands Get Wrong About Customer Authentication

Phishing resistance in security solutions has become a necessity. Learn the differences between the solutions and what you need to be phishing resistant.

Transcription

Francesca

So I'm delighted to introduce your moderator for today's session, Richard Malach. Richard will be here to make sure the conversation stays on track, make sure that you all get the chance to speak. And of course, we could not have these sessions without our sponsors. So I'm delighted to introduce Justin Mingo from Beyond Identity. We've also got Chris Shipton here from Live Illustration. So he'll be picking out the key points of your discussion and live illustrating them on the screen. 

I'll spotlight that too at the end of the session and I'll also share it to you via email. I'll be here for the next 90 minutes with my camera off, but if you need anything at all, please don't hesitate just drop me a message in the chatbox. So without further ado, Richard, I'll hand over to you and I hope you enjoy the session. 

Richard

Hi, everybody. My name is Richard Malach and I'll be your moderator for today. So let me tell you a little bit about myself. I've been a freelance consultant in cybersecurity, we never used to call it cyber security, for the last 25 years traditionally in infrastructure. I've been working very closely with identity both employee identity and customer identity for my blue chip customers for a few years now, and certainly, it's a subject I'm really passionate about. 

We are really, really fortunate today to be joined by Justin from Beyond Identity. So Justin, why don't you tell us a little bit about yourself? 

Justin

Hello, everybody. My name is Justin Mingo. I am a marketing manager here at Beyond Identity. I've been working with our marketing team to sort of spread the good word about what we do here at Beyond Identity in regards to both workforce and customer authentication. 

Richard

Thanks, Justin. Right. So this is going to be...this is quite a nice number, six of us, we're going to pretend we are sitting around the same table. So if I could ask Jacob and Matt, if you could turn your cameras on so it'd be like we're having a nice intimate chat. 

While we're talking, if there's anything anybody wants to chime in either use your raise hand, or raise your hand on the camera, or drop something in the chat, or just start talking. I'm here to moderate and hopefully, we'll be able to get everybody's ideas across and everybody gets a lot of good stuff out of this. So what I'm going to do is just going to go around the table, if you can all maybe introduce yourselves, say who you are, what you do. 

And really, what's top of your mind, what are you bringing to the table today? So let's start with Ido. 

Ido

So I'm Ido Dubrawsky. I'm the CISO for the Emmes company which is a CRO, a contract research organization in the Maryland area. But actually, we are a global company. We have acquired multiple smaller biopharmas. So we have both a public and a private biopharma organization. We do a lot of work with the U.S. government on health studies, vaccine trials, you know, study development, but we also work with private biopharmaceuticals. More or less, you know, some of our challenges are that we need to be both FedRAMP moderate and FISMA moderate compliant. So we're trying to find, you know, we're always on the lookout for better ways of doing it because we are currently using a multi-factor authentication solution as part of our overall authentication package. 

But we're trying to find ways of improving that so that it's less onerous on our endpoint users, as well as be able...something that can be scaled up to deal with a lot of our study clients and our study participants. 

Richard

Okay. Thanks Ido. Steve, why don't you tell us a bit about yourself and what's top of your mind? 

Steve

Yeah. Hi, Steve Giovanni. I'm the chief technology officer for Ventra Health. We're a revenue cycle management company. So, you know, authentication and identification are core to a lot of our processes in healthcare and making sure that those are secured properly. So like Ido shared, we have a multi-factor solution in place. 

But, you know, what he said that really resonated with me, which is main reason I'm here today is I want to... I always keep my eyes and ears open. Are we doing what's best or somebody else figured out something better than us? We want to always be learning and sort of improving. 

And the biggest thing I'm looking for is kind of a solution to the problem of with multi-factor authentication...okay, I think we all agree in the industry MFA is not just needed, it's kind of a mandatory, is kind of a must in 2022, right, like, we're all there. But the problem that it puts out that I don't hear talked about enough, is that there are situations where you need to have shared log-ons, right? 

So, like, you need to have a team because, like, you know, maybe we have a vendor that will only give us let's just say one account for our organization, okay? And now we have a two or three, or five-person team, and it's assigned to one person on that team, and maybe it's tied to their cell phone, for example. 

And then they're out on...maybe they're sick. How do I, you know, effectively leverage that? There are some interesting things we can do with technology to get around that. But that's kind of a question I'm always sort of percolating on. 

Richard

Steve, that's a great...sorry, Justin, I didn't mean to... 

Jacob

No, no, no worries. I actually have a quick thought on that too to chime in, Steve. It's one thing that we actually encounter in our team as well, especially in our IT help desk where we have one login too like O 365 instance, but you've got six people working. And so, one of the things that we looked at was we use essentially SMS capable platform, that pipes right into Microsoft Teams. 

And so, it comes into a Teams channel in that group so no matter who it is, they're able to get that authentication message right there. So yeah, definitely hear you on that problem, and that's definitely, I think, a common trend across teams that are having to work like that. 

Richard

I think slightly maybe coming from a different perspective. Part of it, yes, it's protecting the account, protecting the credential. But part of it as well, if you've got the same accounts, then how can you track that you haven't got any sort of insider threats? 

We've actually got in the airline...so my customer is a major airline group at the moment. And we're doing...I know we're talking about customer but actually, this is actually the employee identity side of the platform. We're adding a lot of security controls or [inaudible] security license to Office 365. We've got a big problem with what we call generic accounts and shared mailboxes and we're looking at having to look at ways so we can pick that up. 

Because it's one thing saying yes, it's easier for teams, and one of our international airlines is actually using this. For teams to share an account, share a mailbox, and share [inaudible]. But if somebody decides to do something we don't like, then there's no way of tracking who that person is. So we're now looking at different ways and actually making sure that our first thing is to give everybody a credential, and then see what technologies we can actually use to share that as long as they log in with their own credentials. 

Jose

You lose auditability, you lose, you know, if it's something critical and a regulator comes along, and decides like, hey, you know, prove to us that you don't have anything malicious or unauthorized people are not accessing this resource or this account. And when you have a shared account like that, you can...you'll get torn apart in the audit real fast. 

Richard

Yeah, that's it, Jose. Jose, do you want to tell us a bit about yourself, who you are, what you do? And by the way, you've just given away the magic. 

Jose

Hey. Yeah, my name is Jose Pasillas. InfoSec for 12 years. Been in various functions within InfoSec from engineer to leader to, you know, be so doing a fraction of the CISO job. And, you know, what I'm focusing on now is the SOC and event detection and stuff like that. 

And being that we are the SOC, very interested in identity and auditing, and, you know, ensuring that authorized people are the only ones accessing things, and their IAM solution is working. And we can verifiably tie people back to who they say they are. And so, I'm here primarily to just listen. 

And it was mentioned earlier, I think Jacob said just that...or not Jacob I think it was Steve that might have said that if anyone is doing anything better, you know, want to be part of listening to that and re-evaluating the tactics and the operation model, whatever, just to inform my own operations and the team. 

Richard

Thanks, Jose. Bill, why don't you introduce yourself and what's top of your mind? 

Bill

Hey, nice to meet everybody. My name is Bill, chief information security officer for Emburse. We do expense management, invoice management, and card issuance. So we're in the FinTech space, so if you do your expenses through Concur, or [inaudible], one of those, we are up against these guys in that space. And let's see, we've been growing through mergers and acquisitions so a lot of M&A activity. 

Thirteen different SaaS products that we have right now have various types of authentication. We are considered a data processor for the data controllers across the globe, so the companies of data controllers. We utilize a ton of single sign-on, but we are right now getting into a whole bunch of FIDO authentication that we're looking at both through Google and also through OAuth, Auth0, excuse me, Auth0. We're trying to figure out what our customers are driving us towards, we want to make sure that we can be at the tip of the spear for them. So there's a myriad of other things. You know, I love the fact that you said FedRAMP moderate, we are starting our entire process in that space. 

We do 25 different audits a year between the 9 SOC 1s, 9 PCIs, 4 SOC 2s, and then we do 3 ISO 27001s and we're about to kick off our ISO 27701 next week. So we are in the auditor's chair every other week of a calendar year. 

Richard

Bill. Jacob, why don't you tell us a bit about yourself and what do you bring to the table today? 

Jacob

Yeah. So, hi, everybody. I'm Jake Shields. I'm the director of customer experience and technology at Guide Star. It's a division of CCI Systems, so we are primarily a managed services help desk along with a 24/7 contact center and network operation center. 

Eventually, we'll become a SOC as well as part of our transition. But from my side, it's always...it's more about the customer and really explaining to the customer why identity management and the authentication, multi-factor, and all these security measures are really put into place. And it's not so much that it's always just about protecting us, it's about protecting them and their information because, at the end of the day, they're the one who pays our bills. 

So really explaining to them why we're enhancing security, why we're putting all these different tools in place while it might seem cumbersome, it's more about the protection around it. 

Richard

Absolutely right. And Matt, why don't you introduce yourself and what's top of your mind? 

Matt

Sure. So I'm Matt Moore and with IHG InterContinental Hotels Group. So I have been at IHG for about three years. And when I joined, we were embarking on probably what is our first really major foray into the customer space. 

Before that, you know, if you used our loyalty program, for instance, you would have been able to log in, and you might still be able to log in, with a nice handy four-digit PIN. So we are, I would say, on the initial part of our maturity continuum when it comes to this space. So really just...you know, I come from a financial services background, consulting background, so I know what good or better looks like, but would love to hear kind of what the latest and greatest is and what folks are going after at this point. 

And that's about it. 

Richard

Brilliant. Okay, thanks, Matt. So we'll have a good chat today. The topic of today's conversation is What Brands Get Wrong About Customer Authentication. So I'm just going to ask our thought leader, Justin, just to set the scene for today's conversation. 

Justin

Okay, sure. So what we found...excuse me getting a little bit of a cold. But one of the things is that people always, at least historically, have seemed to think that user experience and security are somehow incompatible. 

And that's generally across whether the consumer space or the workforce space. But that's basically one of the things we're trying to change now, especially given the importance of MFA coming along on the Office of Management and Budget at the White House, are requiring this. And everybody is seeming to jump on the MFA bandwagon, but not all MFA is equal and that's especially true in the customer space. 

And the user experience aspect of it is even more important in the cyberspace because customers don't tolerate a bad user experience, even if it's "for their own good" in terms of logging in. So we need to have something that doesn't get between you and your customers yet gives the necessary level of security that protects both you and your customers from the dangers of ransomware or some other credential-based attack. 

And so, I don't want to say MFA 2.0 because that sounds like some sort of craziness. But there's, for lack of a better term, a better way to MFA to put it simply at least. 

Richard

Other way to MFA, we're not talking passwordless authentication, are we? 

Justin

Well, indeed we are. There is passwordless authentication, but there's passwordless authentication that's within your wheelhouse. You shouldn't have to trust Google or Apple, or Whatnot because they can deliver the UX aspects of it, but they don't deliver the security aspect of it, that would again protect you and your customer. 

Richard

Okay. I mean, I'm actually interested. I mean, how would you look to do that? 

Justin

So the way that we do it is that...a lot of other people, you might have seen Apple in the news where they're talking about their Keychains or whatnot, that's effectively a password manager. And yes, it may remove the experience of the password from the customer's eyes, but it doesn't remove it from their accounts. 

So if you're using Keychain, that customer can still get hacked. And if it's on somebody's server, then it could still be stolen. If that password still exists, it can be phished, it can be stolen, it can be done with whatever an evil person wants to do with it. A solution that I'm looking at basically binds immutably the person to the device. 

So it's using MFA in terms of what you have and what you are, rather than what you know. That shared secret, that password, is what gets you in trouble, what leaves you vulnerable, and then that can really tear you apart. 

Richard

Yeah. Certainly knows the customer, it's all these...one thing employee passwords, but on so many websites, I just get so fed up with different passwords, different formats. And most of the time, it's not really that necessary that I keep a lot of these; shops or accounts I buy things from once. I have to keep on top of all these passwords, it sort of drives me a bit insane. 

Justin

Yeah, it's a major problem, I mean, 60% of online consumers reuse passwords or use simple passwords because they don't have the bandwidth to remember a different account for 137 different vendors. But here's the newsflash is that even if you could, it still doesn't make you safe because no matter how crazy or strong, or convoluted your password is, if it exists on multiple servers, it can still be stolen. 

Or if some ransomware agent can put up a site that makes you think that you're at such and such.com instead of the real thing, they can still be phished, you can still convince a customer to do something so. 

Richard

You know what? It's actually great, you know, on the introductions that everybody is here to find out a new and better way of doing things, so it's a great way to start. But we're all from reasonably different industries. So I think actually if we can dive into our discussion points, it'd be really interesting to know round the table from your own perspectives what really frustrates your customers about their authentication journey. 

I saw Jose was sort of nodding along to some of this stuff you were saying, Justin. So Jose, can I get your viewpoints maybe start with you? 

Jose

Yeah. Justin talking about...yeah, it's funny that Apple's like, "Oh, we're different." But no, you're not. You're just...yeah, it's not. Having a lot of experience in nefarious thinking in activities legally...I'll say legally, let me make that disclaimer. 

I can tell you that it's a lot easier than people think to steal passwords, steal, you know, other things that you can use to authenticate as that person. I will say one of the most frustrating aspects and you pointed it out, Richard, is that, you know...I think it was sorry, Justin. If you're across 137 sites or 137 tools having to go across and remember all of that and somehow keep those credentials in mind, unless you have a photographic memory and you scan the sheets of all your accounts and passwords, I doubt you'll be able to keep up with it in any other way. 

But yeah, it's really that jumping between. And when you're doing, for instance, a lot of M&A activities, it's hard because...at a previous company I worked at, they did a lot of M&A and that's how they grew. And going across the disparate platforms and having to get service accounts or a different type of account for each organization that's brought into the fold, especially if they're...and they're not unified ever when they first get acquired, of course, we all know that. 

But really managing that is frustrating to the engineers, it's frustrating to the customers. "Well, what do you mean this is my bank over here?" "Well, you just got acquired now you have to go do over here," but you're still authenticating back to your old portal for other functions. And it's really the frustration piece...and I'm in FinTech as well. That frustration piece is managing and making it seamless between both of those platforms. 

That right there, I've seen the most feedback both from an engineering perspective and customer perspective. 

Richard

Let's get a slightly different viewpoint. So Steve, from a health perspective, is this how you see things? I mean, what about your industry? What are your challenges? 

Steve

Yeah, you know, our biggest challenge in the healthcare space is...I alluded to it earlier, but to unpack it a little bit more. You know, so we are almost a middleman between...you know, we're in revenue cycle management, which means, like, we handle the billing end-to-end, the full revenue cycle for, like, hospitals or different medical health groups. 

And so, we will have to, for example, deal with an insurance carrier. And the insurance carrier will, let's just say, only give us one log-on. And that log-on will be tied to, you know, a...you know, depending on their system. Somebody else brought up the point that not all MFA is equal. 

And I concur with that wholeheartedly. And the challenge I have is, I feel like our solution is great, but the challenge I have is managing and interfacing with the rest of the world. There are some great open standards, you know, like TOTP that I absolutely love because...you know, for example, we use an enterprise password manager called Bitwarden. 

You know, you guys talked a lot about managing all these different passwords. We can do that and we can audit all that access so it meets the auditor's requirements for like a SOC 2, right? Because I can show you exactly who accessed what password. And Bitwarden even supports TOTP codes so I can even take it one step further. The problem I have is, not every system outside of our control plays by the best standard. 

Sometimes they'll lock it down, you know, to just a, like, text number which I can get around with, I can have a RingCentral distribution group that shoots out to multiple people. Although then I do lose the auditability. 

But there's even worse than that sometimes, like, people will implement Duo, for example, very, you know, widespread industry-standard in MFA terms. But a Duo account will very often be restricted to a single mobile device. So my struggle really is, you know, how do we balance? We all agree, we want MFA. 

I agree completely with, you know, Justin's comments around passwords and how vulnerable they are and how I think passwordless is the future. In fact, I don't understand why we as an industry haven't moved further towards passwordless by now, quite frankly. But in the meantime, especially in the healthcare space, I mean, you guys...I'm sure I don't have to tell you guys that oftentimes, like hospitals, sadly, are way behind the curve from a technology perspective, way behind. 

So, you know, trying to balance, Richard, the, you know, best practice security with, at the end of the day, a lot of times my business is telling me, that's all fascinating, Steve, but we still have to just operate the business, we still have to get stuff done, figure out a way. 

And so that's tough. 

Richard

Steve, how do your customers feel about this? Do they get frustrated? 

Steve

So it's interesting, yeah. The customers from their perspective... because, like, we'll say something to the effect of, well, you know, XYZ party, XYZ vendor, that's really the customers' vendor, but we're having to interface with because it's their partner their customer or their vendor of choice. You know, we'll go to our customer and say, "Oh, well, they're not wanting to play nice, they're not wanting to give us multiple accounts." 

Because we would be fine saying, okay, everybody, you know, gets their own account, gets their own MFA codes or whatever. But a lot of times these vendors will just quite frankly, say no. And so, the customer almost doesn't care. Like they're looking to us to just solve the problem, right? They're looking to us to just provide the service and go figure it out. Like, they're not really willing to sort of get in between or get involved so it really falls on us to figure out things. 

And again, sometimes we can in terms of coming up with creative technical solutions, but it's also tricky to balance that from a reasonable, you know, auditability standpoint.

Richard

It's funny actually you say that, Steve. I'm just going to go on to Ido in a moment. But it's just funny you say that because customers are just generally found. Just don't want to do any sort of due diligence, they want to know I'm buying stuff off you.

Ido, what about your customers? 

Ido

So the problem that we have is that our customers...the vast majority of our clients are endpoint sites that are run by individuals who have...well, to be honest with you, I'm just saying bluntly, they're extraordinarily technically, I wouldn't use the word inept, but certainly would use the word innocent, okay? 

They want the minimum amount of effort, they are accustomed to pass...you know, the question of why haven't we gotten rid of passwords? That's a question I've been wondering for years now. You know, everybody says, you know, we've got to move away from passwords, move away from passwords, seems like nobody wants to make the move. But part of it is also because there are these people who are holding you back. 

You know, it's also that like, from my experience, in some of our studies, we're dealing with people who are very marginal. I'll give you an example. We have one particular study that is done through the National Institute for Drug Abuse. You're dealing with people who are either recovering from drug abuse or are still drug addicts, okay? 

It's one thing to get them to, you know, be able to handle just being able to log in, you know, as part of the study to say, hey, I'm checking in, or whatever. It's another thing to say, okay, now, you got to do this complex multi-factor, you know, you need to have a multi-factor authentication, maybe...do we send you an SMS code back, what do we do? 

And to be honest with you, I'll tell you, SMS codes are not multi-factor authentication, okay? That's just not it, okay? And on top of that, we're also global in that we are dealing...we have connections coming in from multiple locations all over the world. These are sites in Africa, sites in Southeast Asia, where you don't know, you can't really know who is on the other side. 

But these are people who are enrolled in these studies by the site, and we have to be able to allow them to do what's called patient-reported outcomes, PROs are what we call them. But they need to be able to connect in and do that. And we have to have some level of certainty that they are who they are. So in essence, you know, we are kind of held back by the lowest common denominator that we're dealing with, okay? 

I look at it from the perspective of I'd love to go to something that is much more sophisticated maybe even passwordless for my folks. I mean, one of the things that I prefer, particularly myself personally use is with Microsoft, you know, I go into my personal Office 365 environment, I don't put in a password. It actually pushes back to my authenticator saying what number showed up on your screen, you know. 

And I'm like, "Great, I don't have to remember." Because to be honest with you, I could not remember my Microsoft password. But what I'm saying is, I'd love to have that, but that's just too sophisticated from our perspective. So really, what I feel is pulling everybody back and making it harder for this transition to a much better situation, is the fact that we are always dealing with the lowest common denominator. 

And I don't think that it's ever going to go away, I think we are always going to have to live with this burden, you know, it's like an albatross around our necks. 

Richard

It sounds like that, somewhere in the future, please. 

Ido

Well, in the future, you know, when I'm going to say beam me up, Scotty, there's no intelligent life here, then, yeah, I mean, it'll be all gone, you know, there'll be voice authentication, who knows what else. But for right now, this is where we are and this is the struggle that we have. I can deal with it from my employees' perspective, but from the fact that I have to provide a service, and I have to provide this access to our system, to our EDC, to our electronic data center, health center system to people that I have no clue who they are, and that they have to have the simplest access that we can possibly give. 

I have to live with this as like this constant oh, my god, do they have a real password? We tried to put in...you know, we tried to follow the NIST digital identity rules, but even then, it's still too difficult to...and we have to revert and allow for passwords that are much simpler. 

The best solution...one point that I kind of relented on was where they said, "Well, can we send them a survey where it's an SMS text message, they can go to the survey and they can input their information," and I'm like, "You know, is it authenticating, is it encrypted, you know, what's going on? You know, tell me?" And the developer is like, "Well, we're trying to get this as easy as possible for them." And I'm saying, "But easiest possible for them makes it as hard as possible for me." 

Sorry. I'll get off my soapbox. 

Richard

That's fine. That's fine. I want to go briefly to Justin just so you can have a chance to address some of the good points. I'm going to go over to Bill straight after. 

Justin

Okay, excellent. Thank you. So honestly, I'm loving what I'm hearing so far. And Ido, you have made my favorite comment so far today. SMS codes are not MFA. And I really want to impress upon that because there are so many people who still don't get that. I mean, obviously, the people in this room get it because you are all CISOs and equivalent, Whatnot. 

But that's something that the general public hasn't really grasped yet. That stuff really can be phished, and so SMS codes can be broken. I actually did a webinar...because I'm the marketing goon. I actually did a webinar a couple months ago, where our CTO actually got on live, and hacked through an MFA and just showed people how it's done, and just how simple it is. 

So that's really impressive. But another aspect of what you're dealing with is that...so you sort of have a captive audience here. I mean, a lot of what I've been dealing with and a lot of our customers are more e-commerce-focused. And so, I can sit there and rattle off things about how say 76% of customers will abandon the cart just because they don't want to go through the difficulty of having to set up an account and do passwords on Whatnot. 

But you're dealing with a captive audience who has to do something. But at the same time, I respect that you need to find an easier way to help get them authenticated. So I mean, for example, well, I mean, the solution that we present will have you use the biometric on your device in order to help log in and, as I've been saying before, bind that person, the identity, to that device. 

Ido

I was going to point out one thing that I wanted to mention. Obviously not in my current employer, but my previous employer, one of the things that we did was...to get around that, to kind of make it a little bit easier, was we used what was called risk-based authentication. It was a tool called ThreatMetrix. 

I mean, I think they got purchased by LexisNexis. But ThreatMetrix allowed you to evaluate a person's behavior, the connection's behavior, did it match previous connection behavior, did it seem to make sense, you know. You know, was it way, like...you know, earlier today, he logged in from Los Angeles, and then suddenly, he's logging in from Moscow, okay, three hours later. 

Not really possible unless, you know, obviously, using Tor. But nevertheless, it would then say, okay, you know what, something is fishy about that. And then it would say, okay, now you have to do multi-factor authentication. Whereas had it just been one...let's say earlier in the day, Los Angeles, in the middle of the day Los Angeles from a nearby location, it would say, okay, you know, he just moved a couple of blocks over and, you know, was logging in from his cell phone, who knows. 

And they track what is the agent on the other side as well to say, is it the same agent? Is it a different agent? So we use that as a way to simplify so that we can say yes, you can do password as long as you don't do something that is funky. 

The minute you do something out of your behavior model, then you pop up the multi-factor and you say, you got to really prove who you are. 

Richard

I can see Bill's got his...Bill, you've been really patient. So over to you, Billy. 

Bill

Thank you. I've got five kids so that teaches me how to be patient. You know, you mentioned that comment on the NIST 800-63. So when we take a look at identity and access management, we actually started there at the enterprise level. So we want to make sure that we can go through that exercise at the enterprise level. I mentioned all the different audits that we go through, making sure that we could arm wrestle all of the auditors to make sure that they were able to accept the fact that we have longer passwords that expire less frequently; that was one of the areas that we were focused on at the enterprise. 

So now that we've been able to get through the enterprise aspect of identity and access management, now we're taking a look at that customer face. You mentioned another key piece earlier as well, which was we're always going to be brought down by the lowest common denominator. We see it all the time with some of the legacy systems. We're seeing it right now with head-on battles with TLS 1.2 versus 1.3, and some of the connections that we have through, we've been told that we have to maintain it. 

We said, "Well, that's going to be a challenge for us." We have companies as some of the largest companies you could imagine down to some really small law firms that don't have anybody able to go in and actually update or patch vulnerability issues inside of their own environments. So with that said, it really does speak directly to, let's rethink how we handle identity access management. My whole focus is I've been...eliminated the password guy since I've been in senior security roles and really, that's an area that I'm very focused on. 

I mentioned in my open, just trying to figure out how we can start getting to FIDO authentication, figuring out how we can get into some of these passwordless solutions. How can we get into the passwordless, how can we do a better job with the technology. Technology is doing great people are going to be the ones that are always slowing us down inside of this area. 

So I think it's incumbent on us to make sure that we understand what standards are. We can agree to the standards, and then we just run with those standards. Otherwise, we're going to be mired in the least able to go forward. I think we have an obligation as security leaders to bring them up, opposed to having them bring us down. 

Richard

Okay. Jacob, is that how you guys see things? Jacob then Matt if I may. 

Jacob

Yeah, and I think the passwordless is huge. And really, Ido kind of going back to what you were talking about the biometrics even. One thing that we're starting to see even in the call center industry overall, is the evolution of voice biometrics. So when you make a phone call, and you're going through a phone system, and you're getting ready to authenticate because you need to make a change on your account, you need to update your services you want to cancel. 

It's doing a voice biometric authentication as part of that process. And so, now you're taking away where you maybe had like a CPNI requirement of cool, give me a passcode, tell me what it is to log in or even going to a website and getting that text message or the MFA pop up. You know, now we're starting to get into more of that biometric aspects. 

So we're starting to get away from the manual aspect. And that takes away the phishing aspect as well because you can't call in and start probing call center agents or agents that are going to be, you know, asking you the questions. You can't get around that biometric aspect when you start to do a voice match. I mean, it's just the technology is starting to evolve. 

And you're right Bill, the technology is there, it's the people implementing and the people using it that are really going to be the challenge to really adapt to it. 

Richard

You know, when we talk about biometrics, I'll tell you what sort of scares me. We only have one set of biometrics so if my biometric data is compromised, I can't exactly change my fingerprints, or my voice pattern, or my retina, you know. 

Jacob

When that comes about, you know, we've gotten way too far into the future. 

Richard

I have to say we're getting to deep fakes, you know, it's all very worrying this sort of thing. It's... 

Jacob

It is but I think one of the challenges even with like a voice biometric is trying to really get past the system. I mean, the technology is getting more and more advanced where it's able to really determine. And if it cannot effectively determine that you're right or that person calling in, you're essentially going back to another method, there's follow-up methods. 

So I mean, you can try to get around it, but I haven't seen anybody really do it too effectively at this point. 

Richard

So Matt, one of your say no to privacy team. So what are your views? What really frustrates your customers? 

Matt

I would say biometric has become a little bit challenging for privacy, right? So being a global company, we have not only one, you know, privacy or a bunch of state privacy expectations, but we also have privacy expectations from just about every country in the world at this point, right? So as soon as we start talking about things like passwordless, biometric, anything like that, even if you could convince somebody up one side and down the other, that you're not going to "store that data anywhere" like we totally promise, good luck convincing a privacy team with that. 

So that's one challenge we've kind of had going down that route. It doesn't mean we can't do risk-based authentication or something along the lines of multi-factor to get to something that resembles passwordless. But I think totally going away from giving folks the choice of having, you know, just a basic MFA you have something you know, I feel like we're probably not going to get away from that. 

But I would be curious to know, you know, when it comes to something more like risk-based and speaking of kind of weighing the risks. Has anybody had experience or kind of gone down the route where they...you know, I think we've all kind of talked around the concept of convincing the business, right, convincing the revenue-generating side of things that we need to do the best practice security. 

You know, to what extent if you've looked at how to balance that, right? You know, so showing what the risk is of not doing it, whether it's from fraud or account takeover, or anything on our side that we can see, balanced with, you know, what we think talked about right, which is that loss, you know, whether it's perceived or real, loss of revenue or abandon on the customer side. 

Just curious if anybody has kind of gone down that route to kind of explain why the juice is worth the squeeze on the security side. 

Richard

So maybe that's a question for the table. So why do we go round if you guys want to sort of offer some opinions? So we'll go back to Justin at the end of it and see what his experience is with his customers are. So, Bill, I can see that you wanted to say something. 

Bill

Yeah. Thanks. We have set up a....we have some progressive clients who very much enjoy having very specific conversations around everything from encryption to how we handle data governance. And we have four of these clients who we would consider more advanced. 

We want to work with them to develop some of the past key type of solutions that are out there right now. So we feel like we have an opportunity to help and lead inside of this area. We're always looking for differentiation between us and our competitors. We actually see this could be one of those areas as we take the mantle of privacy, we take also that focus around identity, and we're able to work with them to create that solution. 

I've had courses, I guess you could call them 30-minute sessions with senior leaders in the organization everywhere from implementation to sales leaders to help educate them as to why it's a problem and what we want to do to address it. And we start to be able to show what this vision and strategy looks like opposed to being reactionary in that area. 

So I'll let you know how it goes in about three to six months. 

Richard

Thanks, Bill. Anybody else got any words of advice they can offer on this? Ido. 

Ido

We're talking about the risk-based authentication

Richard

Yeah, so to Matt's earlier question. 

Ido

Right about whether it's...how do you sell it to the higher executives, the greater powers that be? So right now for where I am, it's a non-starter at the moment because of costs. I know that every...my experience with...well when we used ThreatMetrix in the previous employer, there was, you know, every single record, every single, you know, user ID was a specific cost, where we had to build that into our overall charge. 

So we had to somehow show that it's not going to be a sink for the business. I mean, I hate to say it, I mean, you know, you're dealing with people who they just look at it from a numbers perspective. But the flip side of it was, we had a really good argument because in those cases, just as Matt was talking about, it helped us, especially from a fraud perspective, tracking down fraud, tracking down account takeovers, preventing account takeovers. 

There was at the very end, before I left, we had a rather large customer who was kind of...you know, we were tracking fraud from one of their own employees who was, you know, basically almost...you know, we had this...the deal where she was logging in creating fake accounts, taking over accounts from people within her own company, because she worked within the HR and so she had access to this. 

But we figured out that she was doing this and we were able to say that she was basically...the employer was one of these wellness organizations. So what would happen was that you would earn points, you get an Amazon gift card. It was hilarious because, you know, we managed to figure out that she was doing, like, somewhere around $100,000 within about a two-month period of gift card fraud, okay? 

It was not trivial. Hilariously enough, the people who really cared the least about it, you know, I mean, the client itself was caring about it, and we were able to get it stopped. The people who cared about it the least was Amazon because they were like, "That's just like $100,000," that's like, you know, noise for them, you know, that's just nothing. 

But the thing was the cost every single time, you know, there are costs associated with some of these risk-based systems that you got to build into it into your price structure that you charge your clients. But you also need to then turn around and show the executives that it's going to save you on the other side, oh, look, we're having fewer fraud, I'm having to spend less time, I don't need to hire...I have more fraud examiners. 

I don't have to hire, you know, more forensics or consultants in order to dig into this stuff. You know, it really benefits you but you got to sell it from that perspective, that it's the fraud that you're saving is going to outweigh the cost that you're going to spend on that risk-based authentication. 

That's where it's really going to come in because it's going to help you with saving on the cost of the investigation, cost of what you have to reimburse people for. And the potential liability of lawsuits from the end-users who...doesn't matter, you can have some of the best security you want. They'll still turn around and tell you, you should have protected my account even further. 

You should have had, I don't know, you know, retinal scans for all I know, you know, some other strange thing they come up with. People these days, they'll sue at a minute's notice. So yeah, I'll stop there. 

Richard

Go on Jose, I can see you're about to say something. 

Jose

Oh, yeah. I'm right there with you. You know, it's something that...also what needs to happen is that...and how I've proposed investment strategies, you know, to hire executives, if you will, is that essentially, it's evolving. This is always evolving, attacks are always evolving, fraud is always evolving. 

So it's no longer...you know, I used an illustration earlier, it's, you know, this type of stuff is not like maintaining a diesel engine that only needs to be rebuilt 300,000, 400,000 miles later, it's not like that at all. And that's the traditional operating model a lot of executives, they don't want to make the spend. 

Oftentimes, dollars are already allocated and it's hard to pry them away to higher priority items that perhaps aren't higher priority in their minds. What I would say definitely is reputational damage these days is something that's hard to quantify, but has a very large financial impact. 

Above and beyond like Ido was saying just the operational aspects or the end-user lawsuits, or anything like that it's that reputation. If you get the reputation for not being able to secure your clients, your competitor is going to eat that up all day. 

And how many of us have gotten those emails from unscrupulous vendors who utilize the latest news item to say why they're better. And, you know, none of us want our company to be, "Well, x is why we're better," you know, we don't want to be in that slot. So it's not necessarily fear-based more so than data-driven many times with those higher executives in that the so what to the business is oftentimes what we're called on to translate from the technical controls or technical failings, whatever, to the so what does it mean. 

And really focusing in on the aspect of you're investing now to be ready and not be caught flat-footed in the future that's coming very quickly. 

Richard

I'm going to get a view from Jacob. I can see Jacob. Jacob and Steve, then what we'll do, we'll go to Justin and get his industry view. 

Jacob

So I think a challenge a little bit on Jose's point of view of not always a scare tactic. I think one thing that we've seen actually work pretty well on our side at least with the executive buy-in is that scare tactic. And as a CX leader and professional and thought leader there, like, one thing that drives me nuts is, like, that challenge and that risk to a brand identity. 

Look at SolarWinds, look at Kayako, some of these companies that have had major breaches recently, they were headlined all over. And do you really want to be that company? Do you want to be that one that's out there going yep, we got breached and oh, we affected, you know, thousands of customers on top of it. Your brand impact is tarnished for years to come. 

And that's one thing that would absolutely drive me nuts. And that's one of my biggest arguments that I would bring to the table is, how bad is it going to hurt us the second that we have that breach? And one of our VPs as well who's in IT and cybersecurity, one of the scare tactics as well that he uses plainly talking with executive leadership is, what's the cost? 

Your cost is going to be far greater than the investment. You're going to spend tons of money in the investigation, in the follow-up, in repairing brand identity, in winning back the trust from your customers. All it takes is that one time to break that trust, and you're done. 

Customers are going to turn, they're going to go elsewhere, and they're going to move on, and they're going to find somebody who does it better. And that's really the biggest thing right there is your revenue is going to be shot. 

Richard

That's a good point. Steve. 

Steve

Yeah, you know, I echo a lot of what Jacob said. You know, when it comes to any of these solutions, like, so we talked about risk-based authentication, that's an example of one where you do the cost-benefit analysis, and then it's up to us to make the business case to our leaders. 

And definitely what you guys have been saying is spot on. Like, it's up to us to lay out not just what the investment and the solution is, but what the potential, you know, cost savings is if we were to have our names, God forbid, be the next SolarWinds in the news. I mean, I get questions...I've never seen this before in my career, but I literally get questions from our clients now like, "Do you guys even have SolarWinds in your environment?" 

Like, that kind of question. That's not the kind of question I want to be highlighted on, right? So, you know, the thing is, like, it's up to us, you know, to balance all these different solutions because if we had an infinite budget, sure, yeah, we could have Okta, we could have, you know, whatever, it doesn't matter. 

We could have all these different tools and just overspend on security. The real challenge and what makes us, what I think separates us from, you know, if we're effective or not, is being able to proactively look at what is the best bang for our buck. And so, I'll give you guys an...just in full transparency. You know, we looked at risk-based authentication versus, you know, our implementation of MFA, and we ended up basically choosing after our cost-benefit analysis to really go to the well of the company budget, and have an investment on an upgraded SIEM. 

So we went with a Gartner Magic Quadrant, you know, SIEM, we just felt like that was the best fit for our budgetary dollars. Because, again, at the end of the day, it's all about...none of us have infinite budgets. And so, it's all about really, you know, trying to figure out what's the best bang for our buck. 

Richard

Justin. 

Justin

Yeah, I had a couple thoughts here. All of these are some great points being brought up. Just personally, when I think about risk-based authentication, my mind automatically just jumps to the idea of bringing MFA only to certain people, which I mean, to me sounds nuts. I mean, I understand why people do it because, you know, it's a user experience thing. You don't want to make people suffer through MFA yet, at the same time, that MFA is there to make sure that everybody is safe. 

It is there to protect your customers and it's especially there to protect you. So the way I think of it is, is sort of like in an airport. I mean, if you go to the airport to catch a flight, like, everybody is going through that security. And if you go through the security and then go back because you forgot something or want to buy a bag of chips, and then...they're going to make you go through security again. And so they don't pick and choose. 

They don't look at oh, well, that person over there has a goatee or a handlebar mustache or something who looks like a cartoon villain we're going to make him go through, but this sweet old lady she doesn't have to go through the security that's fine. No, everybody needs to be authenticated. So that's one thing. And if we're dealing with a type of MFA that is onerous or difficult, or obstructive, or friction full against your users, then that's the part that needs to change. 

So I mean, not having people go through the MFA, you're wasting your MFA. And if say, for example, if you're making people do MFA, for example, on workforce, we see this all the time. If you're making people authenticate with MFA once per two weeks, then that means that you have MFA once every two weeks, the rest of the time people get off scot-free. 

Another thing I just want to mention very quickly before I get off my soapbox because I want to spare all of you from having to listen to me for three hours. But another thing I want to mention is that device posture is important. So I mean having a solution...there are solutions out there that can look at device postures that will say, okay, well, as part of the MFA experience, that is something that the customer doesn't see but behind the scenes. 

Part of that experience can be, okay, well, we're going to look at your device and see how safe your device is, is that firewall turned on? Do you have antivirus installed, so on so forth? So you have things like that that can be part of your MFA process. Is this phone jailbroken, so on so forth? Just like I believe it was Bill who was talking about, oh, well, this phone is logged in LA, but three hours later is in Moscow, that's a red flag. 

So you can have things like that too a solution that'll look and make sure that this device is relatively safe and has all the requirements that you need, in order to approve authentication, even if that person is known to be the proper user of that device. So there are lots of things you could add onto there, in addition to a frictionless MFA experience. 

Richard

Thanks, Justin. I'm just looking at the time, we're sort of top of the hour. I think this sort of segues nicely into a whole building that long-term relationship, customer retention side of things. You know, in my recent customer identity program, we've got a big challenge. 

I'm going to just kind of lay something out there just to get people's thoughts. We've got many operational companies, all of which have this great customer data where they can use for marketing purposes. They're all running their own customer identity systems, we're trying to convince them all to have a single golden record for the customer. 

But at the same time trying to keep as little of the customer data as possible so we're not looking at being responsible for this stuff. So we're looking at things like Self-Sovereign Identity solutions, where the customer owns their data. So what are you guys doing in this sort of respect? Is this something that you're thinking about when you're thinking about customer data? 

Well, could the customer authentication, having everything in one place be able to target the customer to obviously sell more products and services as well as giving that great experience? Ido, thanks for joining us, I know you've got to drop. Jose, what are your thoughts? 

Jose

Being in financial services, it's hard to minimize the amount of customer data we own. And that's something that we're actively working on, of course. Furthermore, it's complicated by stuff like CCPA and GDPR that says you have to use the data in a manner that's consistent with which was collected. 

So I would say that definitely something to keep in mind, you know, would it be possible? Would I actually trust my customers with that sensitive data? As weird as that sounds because so many people are not technical. This was mentioned earlier there's the expectation that a service that you provide also includes safeguarding of their own data, protecting them from themselves many times. 

Don't click that link, like we tell a lot of our users in security. Don't click that link, don't open that email, don't open that document. So speaking...and other people your mileage may vary on my comments, I'll qualify it that way. It's not really that possible for us to minimize the amount of customer data that we own in financial services other than don't over-collect, you know, obviously, don't over-collect. Oh, trust me, as security I am the Boogeyman when it comes to don't over-collect. I'll come after you if you're ever over-collecting because again, that's risk, that's that liability you're bringing in. And if someone in marketing says hey, great, I'm going to take that data. And then you know, here comes California saying, "Hey, take the data. Go ahead do it, we dare you." 

So, you know, it's something that I would say that I struggle with personally trying to figure out. And really, how would I say? Really cascade the knowledge to other people that perhaps aren't having the same considerations or the same exposure. But I'm interested to see what Bill has to say because of his FinTech experience. 

Richard

Bill, why not? 

Bill

Yeah. I've got a lot to say inside of this space. Number one, my best relationships inside are with the legal team making sure that we understand exactly what's going on. I mentioned in my very opening that we are very focused on European data privacy, China data privacy, and of course, everything here in the United States. Through that lens, understanding what data you're holding. 

So we've gone through an entire Data Privacy Impact Assessment, thank you GDPR. I do think the greatest export from Europe outside of the wine was GDPR. So GDPR has matured us with our DPIA, Data Protection Impact Assessment, figuring out what data is where, how we tag it. And then Schrems II came along, they've now helped us with understanding what is a transfer, how do the transfer agreements work inside of our organization. 

So tagging data, understanding what data goes where, making sure that...going back to your previous point, you're taking the most limited amount of data as humanly possible that's what we're able to validate through that process. Then it comes to the legalese, making sure that our standard contractual clauses are set up appropriately, making sure that our DPAs are all set up, our data privacy agreements with our customers. 

Because we do have an obligation to make sure that we are holding the least amount of data as possible and we know exactly where that is, and who has access to it. So that's the final piece, which is around our sub-processors. Making sure that we list all of our sub-processors and we produce evidence or artifact, if you will, to all of our customers updated quarterly. And we also give them the right to object to our use of a data processor if it's going to be inside of their space. 

So our relationships internally are crucial. Making sure we understand the international landscape that relates to their data is critical. And then also then educating the rest of our organization. My marketing and sales team would love to be able to take more data, they love to be able to bring Salesforce data and some of our application data and bring it together. My data analytics team wants to be able to take all this data. 

So we talk about anonymization, we talk about pseudonymization, we talk about what type of data can be focused in different areas, whether it's CHD, cardholder data, or any other type of data, making sure that we tag it appropriately. And we make sure we segment out all those different areas that relate to some of the more privileged type of data inside of our organization. 

I said that all without taking a breath. Was that where you were hoping to go with that particular topic tagging data, understanding data, and where it's going? 

Richard

Perfect, perfect. I saw Matt wanted to say something. We can go to Matt and then Justin if I may. 

Matt

Yeah, I think all of that. You mentioned the Self-Sovereign identities. I will not claim to be an expert in that so I won't speak on that part. But yeah, I think, you know, we're embarking on something very similar, as far as trying to make sure that we know completely what data we have and where it goes within our environment as a separate or kind of a follow on to what we're doing here. 

You know, like you said thank you GDPR, we did a little bit of that, of what I would call what we declared we have across our environment. But our environment is so extremely complex that I, especially as a security professional, don't trust that. So we're going to do more of a full-blown discovery effort to go identify where everything is and classify and tag. 

So that's another big kind of call out. But no, I don't think there's anything else. I was trying to think of what else as far as where the conversation was going on that one. But I only just agree and kind of agree with what you were saying there. 

Richard

Yeah. Great. Thanks, Matt. Justin, you wanted to comment. 

Justin

Yeah, yeah, totally. Well, firstly, I want to say that as a consumer, I love GDPR and I wish we did do more of it over here in the U.S. But that's a different conversation. But one of the things I wanted to note is that...actually, I had a story about this. We have one of our customers, a company we work with, Snowflake. And one of their issues was...as you can imagine, Snowflake also has a lot of customer data on hand. 

And one of their issues was making sure that they can control internally who has access to that data. And so, for example, I mean, if we were Snowflake, we're not. But if we were Snowflake, me as, like, the random marketing goon, I have no need to access any of this data. And so having our MFA solution, for example, can help determine who should and shouldn't have access to any individual given system or any given SaaS app. 

So who deserves to have access to Salesforce, who deserves to have access to your Datadog, or your Snowflake, or your customer data, so on so forth. So that's another way of controlling who does and does not get access to data. But similarly...so I was at a doctor's appointment a few weeks ago. I mean, this made me think of HIPAA. 

So I mean, HIPAA requirements are similar type of thing where you have to watch out over who has access to data. And I noticed that if you're in a doctor's office, a lot of the computers in there, for example, have a login for whoever's on shift at that moment, or whoever's on staff at that moment. But once you log in, then it tends to stay open, many people don't log back out. 

And so, while I was at the doctor's office I'm sitting there in the examination room, the doctor had left to do something, or whoever it was, the nurse technician, had left. And I, like, walked over to the computer and I was able to look into the computer and I was trying to dig through my own files. But I could have been a jerk to try to look over somebody else's files and copy things and do all sorts of stuff. 

And so, that's another issue and that's hitting back on the point that I wanted to make earlier about MFA, which is you need to have something that's always available that's dealing with continuous authentication. So, if anything, I just wanted to hit back on the note that looking over, controlling who has access to what at all times is something that you can't or at least shouldn't turn off. 

Richard

Justin, I had a similar situation with my doctor. I went in and I saw the billing information. I then set it all to zero. And I just said, "He's excused have any invoices." So it was cool. I want to go to Steve next if I may, and then Jacob. 

Steve

Yeah, some great thoughts. You know, Jose, before he left, I was going to tell him...I know he had to deal with an escalation issue. But yeah, a lot of what he said really resonated with me. So he's speaking from a FinTech perspective, but I'm in the same boat in the healthcare industry like, unfortunately. 

So you raised a very well-pointed and provocative question, Richard, in regards to ownership of the data and sovereignty. As it stands today, while that's kind of great to think about from a philosophical perspective, and even, like, sort of some proactive planning. Today, as it stands, you know, the truth is we are just responsible for the data, we're the safeguards or the custodians of our customers' data. 

And so it really is up to us to ensure that data is safeguarded. But also, the other thing that I haven't heard mentioned that I just want to bring up is it behooves us to have a really solid retention policy, right? And to partner... something Bill said that also was great was partnering with legal that's been my strategy Bill is just, you know, making sure legal literally...our general counsel told me that, like, I'm her favorite...or that we're her favorite department. 

Because we bend over backwards to work with them, to over-communicate, to really involve them in the process and talk to them about retention, and talk to them about liability, and get their buy-in and their input. And I think if you do that early and often, it pays dividends. So just, you know, wanted to just throw out there the importance of having a good and solid retention policy. 

Richard

Yeah. Jacob. 

Jacob

Yeah, I'll second the retention policy there. That is one thing about three years ago that we really changed. Prior to that, we used to just keep data. Worst move ever is to just keep data sitting around. And the one thing that we really changed and we partnered with legal and like what you said, Steve, and Bill, really legal teams, they love us now because we talk to them so much. 

But we evolved that when customers leave, their data is gone within up to one year. But typically that data is gone like, a week after they're gone. We put it in right away, we don't sit on it, we don't want to wait. But anonymizing that data too is also...we look at ways to kind of anonymize certain data or certain pieces of what we want to capture to use for different analytical purposes. 

Like what type of devices are we seeing, you know, commonly entering networks. Okay, it might be an iPhone, it might be, you know, Windows laptops, whatever. But we segment that out very separately and keep it very disjointed. And we also focus very, very heavily on privacy and CPNI-type training to make sure that the team not only annually but is always kept up to date on what are our privacy policies, what's the CPNI guidelines. 

What are, you know, specific things for PCI compliance, etc. And, like, we focus very heavily on that training and reiterating it out to the team. And if for some reason they need to get retrained sooner rather than later, it gets pushed out more commonly than once a year. But that's definitely a huge thing is that training and making sure the employees understand it. 

Richard

Thanks, Jacob. Bill, Matt, do you have any sort of anything to add to that? So I just noticed the time, we're nearly a quarter past the hour. And I just thought, you know, maybe in the final few minutes, we just go around and if I can really get any sort of key takeaways, or final words of advice to the rest of the table. 

Then we'll go back to Justin for his final thoughts, and then we'll go to our illustration. So Matt, can I start with you, what are your sort of key takeaways, any final thoughts for the group? 

Matt

I guess one takeaway is, you know, there is no one way to solve this. I think we all recognize that and that we all kind of have the challenge ahead of us, or behind us, hopefully behind us, for those that have already solved for this a lot. But I think, you know, for me, it's again, I mentioned trying to get business buy-in business backing, you know, just trying to make sure that again, from a risk perspective that, you know, we're solving the challenges that need to be solved, and going and spending...you know, being basically good stewards with the finances side. 

But yeah, I'll be definitely looking up some of the partner integration side of things, and the standard side, that's a big piece for us right now is, you know, we like to not hand out our authentication, you know, as much as we can prevent that. But a lot of times, especially in the business we're in, we have to. 

And trying to do that in a standardized, methodical way, as opposed to I will say, transparently how we've done it in the past, which is about 15 different ways of integrating authentication with partners, with third parties in either direction. Whether it's I think what...I can't remember who mentioned before around, you know, logging into an insurance provider, that kind of thing, or the other direction of doling out your token as somebody else. 

Trying to do that and, again, in a methodical, secure way is difficult on a good day, but especially once you start layering in other aspects whether it's MFA or RBA. So, yeah, definitely appreciate it. 

Richard

Thanks, Matt. I'm going to get to Bill next, if I may. Bill, what are your key takeaways, final thoughts, or any other bits of advice to the group? 

Bill

Excellent. I'll find you on LinkedIn. With that said, I'm very curious to find out, is anyone looking at doing any type of FIDO authentication utilizing passkeys? Are we seeing it out there at all? Are people, like, ready to move into that space? I'm just curious. 

Maybe. 

Justin

I mean, we definitely work with FIDO except we don't need passkeys. 

Bill

Okay. Yeah, I'm... We're looking at moving forward, we always want to be innovative, we always want to make sure that we can meet our customers at their point of need. We want to make sure that we can reduce burden, reduce friction, and introduce any type of innovative thought. 

Again, in our space when it comes to invoice management, expense management, or card issuance, inside of this area fraud is one of the biggest areas. And the teams that I'm responsible for, one of which is the fraud ops team, we're always looking at ways that we can be more innovative, know our customers. And I can tell you if any of our customers want to participate in a more graduated level of authentication, they immediately go up in the KYC high score list, if you will. 

So as I start looking at fraud, as I start looking at trusted relationships, this is an area that I think we all have to be practitioners of. I think these innovative CISOs need to be the tip of the spear as it relates to this relationship between our products, our customers in that technology space. 

So with that, before I give up the microphone, a shout out to Chris. I have actually pinned you on our little list here today because I have truly appreciated all of the skills that you have in there. So thank you so much for sharing your talents with us today. That's it for me. 

Richard

Thanks, Bill. Steve, what are your key takeaways or any final thoughts to the group? 

Steve

Yeah. Well, just before I forget, I wanted to mention, Bill. You know, my opinion on FIDO, I love it. I think it's fantastic. We use YubiKeys internally for my team. For anyone with privileged access, we use YubiKeys; that's our standard. I don't believe that the industry is going to move to it in terms of mass adoption. 

That's my opinion. I think that like, somebody brought up I can't remember who, you know, the general masses are going to stick with the, you know...oh, I think it's Ido. Logging in, I do the same thing as him. Like I log into Azure...well, I actually choose to log in to Azure with my YubiKey because you can set it up to do that. 

But I think for most people having your smartphone with your Microsoft authenticator app, for example, be your passwordless login, fits the bill. I think it really checks the box. And so, that's my opinion, as far as the masses, and that FIDO is a great sort of a niche case for things like privileged access. Key takeaways for me, you know, I really loved what Justin shared as far as, you know, thinking of...I'm going to steal that line, Justin, as far as authentication, being like an airport security. 

That's fantastic, great analogy. And I completely agree. I think that, you know, we are kind of TSA. I never thought I'd want to compare myself to the TSA. But we're kind of TSA in that regard. And that's why...you know, like we, for example, years ago, now, I made MFA for Office 365 mandatory, like, there's no exceptions. 

Like, we have security defaults in place and MFA is enforced for 100% of our users. And, you know, I got buy-in again, went to the legal and the business leaders, and everybody was on board and we pushed that out, and I believe saved us countless headaches. So, you know, just really thinking ahead and trying to stay abreast of the emerging threats and how we can best mitigate those. 

But I want to thank everybody before I give up the mic, as far as your input today has been very insightful, great group of smart leaders. I appreciate it. 

Richard

Thanks, Steve. Thank you. Jacob, over to you. What are your final thoughts or key takeaways? 

Jacob

I think hearing everybody's different input and the way different things are being accomplished is quite interesting and really valid. There are always 35 different ways to slice a pie. And I think everybody's input is very valuable in that regard of how everybody is kind of accomplishing it. But it's also critical to remember, I think, with all the privacy regulations that continue to come out, it's really challenged us to be better in guarding our data, and really looking at what we are capturing. 

And I think that's something that we need to keep top of mind is that we're the data stewards for customer data, and we need to really focus on making sure we protect it and get rid of it when we don't need it, so. 

Richard

Brilliant. Thanks, Jacob. I'm going to go to Justin. Justin, what are your final thoughts? You've heard what the group has to say, their key takeaways, any final thoughts, words of wisdom? 

Justin

Yeah, well, firstly, I didn't get a chance to say it before. But somebody mentioned about the value to your brand of preventing data breaches, preventing fraud. And that's an important point that I was really excited about but I didn't have a chance to mention anything because I didn't want to interrupt the flow of knowledge. 

So kudos to that. But yeah, at the end of the day, I noticed, I believe Steve, who was wearing the...you're using a YubiKey; that's a wonderful thing. I believe somebody else mentioned Duo. So yeah, these are great ways of taking authentication seriously. I mean, obviously, because I'm the marketing guy at Beyond Identity, I'd like to mention that we can do that without using the second device. 

I mean I should have on three times now. Every time I get in a call where somebody has left their second device upstairs or whatnot, actually me and my sales guys get a drink. But it's important to recognize the value of authentication. And if you can do that on a single device platform, such as Beyond Identity, then even better. I mean, you all recognize the value, and I think we've been discussing between risk-based authentication versus continuous authentication. 

I think we're getting that point across that if you can leverage continuous authentication without causing a user experience nightmare, then that's what would be optimal to again, protect both yourselves and your customers, your clients. 
