a16z Podcast - a16z Podcast: Making Security More Useable
Episode Date: May 8, 2015
The days of cramming security down employees’ throats or sending out best-practices advice emails are over. “You have to make security more useable,” says Pindrop CEO and co-founder Vijay Balasubramaniyan. Especially in a world of ubiquitous connected devices, from smartphones to smart thermostats. Security also has to be attractive, argues Okta CEO and co-founder Todd McKinnon. For example, if an employee uses a more sophisticated form of authentication from the road, then they should get access to a deeper, fuller set of data or applications than if they hadn’t gone through that extra layer of security. In this segment of the a16z Podcast, Balasubramaniyan and McKinnon discuss how they approach the problem of making security something that is both powerful and easy to use. From more sophisticated voice analysis to shifting from two-factor to three-factor and beyond authentication, where can technology push security next?
Transcript
The content here is for informational purposes only, should not be taken as legal, business, tax
or investment advice or be used to evaluate any investment or security and is not directed
at any investors or potential investors in any a16z fund. For more details, please see a16z.com
slash disclosures. Welcome to the a16z podcast. I'm Michael Copeland. And we are here at the
Okta world headquarters in San Francisco with Okta CEO Todd McKinnon. And also joining us from
Atlanta is Vijay Balasubramaniyan, CEO of Pindrop.
Welcome, both of you.
Thank you.
Great to be here.
You guys might not be familiar, and hopefully you are, with both Pindrop and Okta,
but you guys are security-minded companies, and you approach things in different ways, honestly.
And so this conversation, we want to focus on the trends you're seeing in security
and how you guys are addressing them differently for your customers.
And a lot of the focus is on the enterprise, so let's begin there.
But I, so I want to ask you guys, security seems to be on everyone's mind these days, but is it?
And have people really found sort of God in the wake of some really horrible breaches?
Vijay, what do you think about that?
Right.
So, you know, with a lot of these breaches, I think fundamentally what comes to the forefront is the fact that security is a constantly evolving thing, right?
The perimeter is constantly changing.
You had just your data center, now you have the entire cloud to worry about.
You had individual devices that were purely used for personal reasons.
Now they're used for everything other than personal as well.
And so the perimeter is constantly changing.
What is defensible is constantly changing.
The attackers themselves are constantly changing.
So the fact is that each of these attackers has such a large area to attack you
on, and they've increased the sophistication of their tools.
And what's more is they're collaborating and they're trying to get through to you
through a variety of channels, be it the network, be it the call center.
They're trying so many different things because they're motivated, they're well-funded,
and they clearly have a target to go after.
So it's a really hard battle and this is the reason you find a lot of these breaches happening,
a lot of new technologies when they get introduced without security
paradigms in place, they immediately break at the basic onslaught of a fraudster.
One of the things that we've seen, it's the people that are chief security officers or
security professionals or even CIOs, their level of vigilance and their level of concern
about this over the last 18 months is pretty consistent. What's clearly changed is the people
above them. The CEOs, the board, they are all about security now. And I think a lot of it is
just some of these high profile vulnerabilities and attacks in the mainstream media.
Right.
You get the CEO of Sony's email on the public internet, and all of a sudden, every CEO in the world is going, how is my security?
Right.
You get the CIO at Target that loses his job.
All of a sudden, every CIO is like, what's going on in my security?
So the level of heightened awareness at the highest levels in the organization is different in the last year.
How do you move the dials or twist the dials between kind of like that heightened sense and an
urgency for security and then running a business? And so Todd, I know, you know, Okta, you guys go in
and, you know, your hope is that you make it easy for people to be secure. But there's always this
kind of tension between, look, we got operations here and, you know, what security can do.
Yeah. How has that conversation changed if it has and how do you guys approach that?
I think so the, along with the CEOs and board members and other people, higher people in the
organization wanting to have the security conversation, it's changed for us that we are talking
to people higher in the organization.
So business leaders,
CIOs,
CEOs, board members are bringing us
into conversations and deals
more than has happened in the past.
Our product has really two different
value props. One is we make it easy for end users,
and the other is we make it more secure.
So maybe two years ago is more
we were being brought in because it made it easier.
And now more often we're being brought in
because it makes it more secure often
from higher people in the organization.
Right.
Yeah. What we're also seeing
is a globalization of the fraud function.
As these organizations are growing bigger and bigger,
you have multiple lines of business,
multiple folks who weigh in on the security state of the company,
and now we're starting to see the emergence of pretty solid global organizations
that have pretty significant paths on deciding
what are the tools they use across these different lines of business.
And that's an important thing,
because if you don't have that,
you can be completely secure on one side of things,
and then the fraudsters will find that
weakest link, right? And so the fundamental thing is, since these guys are expanding their scope,
what we're finding is once we convince one line of business to use the solution, often within
the next six months, we're finding that the entire enterprise buys an enterprise-wide license,
which all goes well for security companies as well as the security posture for these
companies. Let's talk about that then how you convince lines of business or an entire company
to take on this, you know, what some people will view as an extra kind of step or hurdle or burden.
I mean, how do you, or maybe that's not the right way, you don't have to convince them at all anymore.
But once you do convince them, how do you make that behavior change or that shift so, you know, people do what
they're supposed to do?
And that at the end of the day, the security works how it's supposed to work.
I think it's an uphill battle to try to get, especially in the modern era of IT, to try to get users
to do something that is inconvenient or out
of band. I think that, and what we see in our customer base and the prospect base that
companies in IT departments that try to do that are not very successful. So the key is to find
solutions that make it easier and make it more secure. And it's not always, it's not,
you have to look for the right solution and you have to put some good design thinking into
it a lot of times. But I think it's just with all the options people have and all the devices
they can use outside of their corporate endorsed framework and all the applications, I think trying
to put a step in there and just send a nice well-written email out to say use it because
it's better for you. It's just a losing battle. So you have to figure out a way to make it
easier. Like a simple example is, a simple example is maybe you have a, it's more secure
and maybe require stronger authentication, but the information resource you get to when you go
into an application is better. So it's somehow better than the alternative you would have if you
did your own consumer application off to the side. So good IT departments and good companies,
I think are figuring out how to make the services attractive and more secure.
So if you follow this hygiene, if you follow these protocols, you get access to the full
burrito, enchilada, however you want to say it.
Yeah, and it's a good enchilada.
It's going to taste good.
It's not going to be some crappy Mexican food that you're going to feel bad after you eat it.
Right.
It's your metaphor, not mine.
It's a good point, right?
Making security, oftentimes before, if you had something secure,
that was more secure, it was a pain to get in, right?
Like that, so making security more usable is really, really important.
And we see this too, right?
In our case, what we do is we protect call centers and the voice channel from fraud.
The current state of the art is asking you a whole bunch of questions.
So you call into a bank and they ask you what's your mother's maiden name, what's your date of birth.
That takes a long while.
If you have a technology that can substitute for that and very quickly identify that it's really you on the other end,
you've just saved the customer a whole bunch of time, you've saved the organization a whole bunch of time,
and you've made the entire experience wonderful.
So there's that one part, right, security paradigms that are more usable.
The second part of it is actually training and doing this at a grassroots level, right?
Like when you get an engineer to code something, right?
Right now, one of the key criteria is how big of a scale of a system have you coded up, right?
How performant is it?
How scalable?
Most people, when they talk about, okay, when we put the solution, it shouldn't break as soon as we have 100,000 users hitting the site, right?
It's ingrained in everybody's mind that you need performant, scalable code.
What we need to do is add to that you need performant, scalable and secure code, right?
And that needs to happen at a grassroots level, either through training or through, you know, getting individuals who are more security-minded.
Well, let's get into your sort of philosophies about usability and ease of use, and because you guys, you know, you go after
different markets, but you approach things in different ways.
Vijay, Pindrop is, like you say, voice recognition,
and I want you to describe kind of where that goes more broadly.
And then, Okta, you know, you guys have a sort of two-factor,
single-sign-on view of the world.
But so, Todd, talk to me about how you guys approach design and usability
and kind of where you would like to see it go as things progress.
The best example, so another, Vijay, your example of the call center
and not being asked for your mother's maiden name,
times is great. Another good example that's right in front of all of us is the fingerprint
reader on the iPhone. I mean, they've turned on pass codes and more people have their phones
locked now than ever before because they made it easier. You didn't have to type in that code
and now they have a fingerprint reader. I think that's a good inspiration and we take inspiration
from things like that where it's like, hey, how can we make this easier for the end user while
at the same time making it more secure? The other, the other, when you think about that tradeoff or
that the design challenge that goes behind making something more secure and more usable.
A lot of times it comes down to alternatives or competition.
And what's happening in the marketplace, Apple being a good example with the fingerprint reader,
is that there's inspiration and competition where there never was before.
It used to be that you would have a crappy Windows application running on the client,
and that was what you used, come hell or high water.
Now you have alternatives for other kind of applications,
the applications your company is provided
have to up their game, make them more usable.
Same thing for security.
Every website that does security well,
every website that has a good design,
your company systems have to match that
because those are alternatives and there's inspiration.
And we try to take inspiration from all the companies
that are setting these examples.
Vijay, you guys use voice
and like you said, you secure call centers.
What are you able to do with voice
that perhaps we weren't even thinking about
years ago. Right. So, you know, even before, you know, talking a little bit about what we do,
it's just, you know, what's happening in the world, right? Like, as the world is moving forward,
the kinds of interfaces people are using is changing pretty rapidly. So, you know, traditionally,
I mean, you can, you can see this at a place like CES where, you know, you have the smart watch,
smart belt, smart ring, smart everything, right? And the reason that they're smart is that
they're able to understand what you're saying. They don't depend on existing interfaces like the keyboard,
right? Imagine a Google Glass device outfitted with a keyboard that you had to type into.
That would be a horrible future to be a part of, right? Instead, you speak to the device
and it immediately determines what you want to do, right? So as these interfaces change,
there is the opportunity to define that security from the ground up. And this is a little
bit of what we're spending our time on, right? Which is we're trying to make sure that when
we see these voice interactions or these voice devices, we can add a layer of security, trust,
and identity to that in order to make sure that that transaction is indeed coming from who
it's, you know, who it's coming from. And so we look at a variety of things, right? We look at
your voice. We look at the device that you're coming from and, you know, the fingerprint that's
inbuilt into it through a variety of ways. We look at things that your voice is doing, emotion,
duress, urgency. There's a whole bunch of these things. But ultimately, all of that goes towards
the fact that we can do all of this in the background and ultimately leave the customer a
experience. You bark into your smart TV, say, I want to pay my AT&T bill. There's a bunch of
companies that are going to figure out, you know, what you said and what to interpret it. Our
role in that is to decide that it is indeed coming from you. Because it might not be an
AT&T bill that you're paying. It might be you're trying to turn off your burglar alarm.
Right. Right. You want to know, is that, is that Michael saying, turn that burglar alarm
off? Or is it, you know, the fraudster who's just broken through your window, right? Right. Right.
Or even, it sounds to me like you're heading in the direction, or I'm at home and there's some
bad person standing next to me saying, tell the burglar alarm to turn off.
Yep.
And you might be able to sense that.
I mean, that is way out in the future, right?
I mean, ultimately, our goal is to provide that layer of security, trust, and identity.
We want to be that platform that does that.
So as these new exciting interfaces come out, right, Amazon rolled out Echo, Facebook bought Wit.ai
to integrate all its messaging with voice.
Google has Google Now on its Nest thermostats.
As these interfaces emerge,
we think there's a great opportunity
to essentially change the security battlefield
by setting the right paradigms in place.
Todd, how do you guys think about that expanding
kind of world of things and data to secure?
Should it all, again, kind of fall under one single sign-on
kind of paradigm or how do you guys think about it?
Okta is about building a system of record or a graph that connects together, a logical
connection of people, applications, devices, and organizations. And the idea is that once
you have that system of record, then you can put the right policy on top of that group of
connections based on the right context. So, for example, if you are logging into one application
that's just an application that doesn't have very much sensitive information.
You can do it from the road, from a public Wi-Fi,
but if you're logging into a financial application,
a more sensitive application for work,
you must have strong authentication.
You can only do it from certain networks.
That's an example of context and policy.
But you can only do that in a centralized, feasible manner
if you have this system that Okta is
that actually has all those connections and knows which applications are sensitive,
which users can get to which applications,
which devices.
So that's what it's about.
So if you expand that out
to not just phones
and tablets and computers,
but if you expand that out
to the Nest thermostats
or any kind of device
that might exist
on the internet of things,
our point of view on that
is that those are all important,
but they all relate back
to a user some way.
It could be, for example,
in the enterprise,
it could be assets.
It could be, you know,
these 10 steam shovels
which don't exist anymore,
but you get my point.
Maybe it's a museum
of steam shovels
and that's what they display.
Yeah, yeah.
But for us, it's all about, it's getting back to the person.
And ultimately, it's going to go back to a person.
The person's going to want to consume the data or understand where that asset is.
And that's why we think that having that logical map all the way back to the person is very valuable.
Speaking of people, it seems that most of the sort of high profile hacks that we've been reading about and talking about of late, at the end of the day, there was a person who or people who didn't do what they were supposed to do.
There were all these warning signals and they were ignored.
How do you help make people better at security and, you know,
and, you know, maybe it's removed them from the equation,
which seems like a tough thing, but how do you approach that?
Right.
So I think, you know, given the massiveness of organizations and the scale at which these
organizations are growing, right?
I mean, we see Slack, which has so many millions of users now and, you know, has done
that in the last 24 months. So as these organizations are growing, you know, distributed
geographically, have a variety of networks. I think you're always going to have people
slipping up. You're always going to have networks breached. So I think that's a given, right?
The one thing that CSOs as well as security folks within that organization have to figure out
is what is it of importance that they're defending and make sure that, you know, once someone
gets on a network, they don't have access to the keys to the
kingdom, right? So, I mean, it's, I mean, if you look at Okta, right, Okta does network
authentication to a certain level and we do authentication on the call center. If you change,
I mean, like we keep getting worried about, okay, breaches into the network, right? Someone got
access to our network, but look at the call center, right? In order to get access to the
call center, all a fraudster needs to do is pick up the phone and speak to a call center
agent. Right. That tells you how easy it is. You should look at the network exactly like that.
It's that simple.
Getting access to the network or getting access to a person within an organization is really, really simple for a motivated fraudster.
Once you make that assumption, you then start deciding within the system, how do you protect the keys to the kingdom, right?
Yeah, I think similarly to what Vijay was saying, I think that you have to be able to define the parlance in the security industry as least privilege, right?
So you make sure you give every person least privilege
possible so no one has a bunch of privileges they don't need, so if they get
compromised they can't be used to take advantage of. The problem with least
privilege is it's hard to do. It's much simpler to say, you know what, we have this
firewall we have this perimeter and anything inside that's copacetic we can
bless it anything out that it's bad but when you start breaking it apart and say
well all the services are in my data center people roaming around then it gets
harder and trickier so just the basics making sure people only have access to
what they should have access to making sure that when people change functions
that gets updated, it's not a simple problem, but that's some of the basics of the access.
If you look at a lot of these cases, these breaches, it was very basic things that were used
or problems that were used to take advantage of these networks or these systems, and it was
just simple stuff that wasn't cleaned up. It was the administrative access on a hardware
monitoring system that had public internet access. It was, you know, the employee that
hadn't used their account and was used to log into when it should have been shut
down a long time ago. So just it's almost like the housekeeping of it all and making sure the
least privilege access is the first step because I agree you're not you're never going to have
perfect human compliance. It's just impossible. So if you just define really what is important
you have you have a way to put least privilege access and then you have a way to actually this is an
important one. You have to put in systems to monitor and understand so you know when you've been
breached. Just knowing we've been breached will allow you to, will allow you to
react much quicker and minimize
the damage. Some of these attacks, they've
been breached for months and months and months.
They didn't know. Really found out because some contractor
came in to do some work and said, hey, what's this massive
log file that shows everything being
exfiltrated off the network?
So it's like,
it should have been caught sooner than that.
Right. And something done about it, in which case,
you know, and in many cases nothing has been done
until the worst happens.
Do you feel like
customers and
just, you know, the enterprise at large,
has a sense that, look, the bad folks are already inside, or are they not there yet,
or should they be there for that matter?
Yeah, I think, you know, whoever we talk to makes the assumption that they've been breached.
They've been breached.
They have to have great monitoring systems to understand the extent of the breach, you know,
what's going out, right?
And then the second part of it is, you know, deciding, you know, what is important to defend, right?
If you have a database of emails, I mean, of usernames and passwords, that's important.
That's everything that you have about all your customers.
And so you need to protect that very, very carefully.
The only problem is, you know, companies are growing this rapidly that they forget to stop
and think about this.
And I can talk about it from just personal experience, right?
We're growing massively.
How often do I get into a meeting where my engineers are saying, you know what,
we need to be careful about the security of these boxes.
When we roll out a VM with our software and with calls, sensitive calls,
we need to be careful about that.
We do that very, very aggressively, but, you know, I would want more of that to be done, right?
When you're growing at the rate at which we're growing,
it's always a question of functionality versus security.
And you need to figure out a balance between making sure things are as secure as you add functionality.
What we see is that, like earlier I was talking about the,
CEO, board level, and then CIOs, chief security officers, we see that the CIOs and the chief
security officers, they understand that they've likely been breached and they're very into monitoring
and so forth. Senior level people, more senior than that, CEOs, boards, their mindset is we've never
been breached. Well, we're not one of these four companies you've heard in the news in the last six
months. We've never been breached. How do we never be breached? So a little bit is, you know,
the communication starts because those
CEOs and boards are so interested
and now it's up to the CIOs and the
chief security officers to have that conversation where they
explain, hey, you know, we're spending
a couple million dollars on this monitoring
service because
we may have been breached, but
we're not sure anything's been done. So it starts
that conversation. I think it's healthy for the whole industry.
Well, and how do you shift that mindset from
like we've never been breached to those
people on the inside understanding that you probably have
to then setting policies
and procedures that can kind of keep
up. I mean, Vijay, you talk about how you're a fast-growing company, and there's new kind of
scenarios every day. So, Todd, if you're setting policy, how are those policies, and I'm just
thinking about an approach that companies can use to be flexible enough and kind of reactive
or foreseeing enough to build something or build a mindset that can account for what's going to
come next? I think the key is kind of like the government has, you know,
different levels of classified. They have super classified and like double super classified and only the
president can see it and then they have things that are unclassified. I think companies need to
have that kind of framework, maybe not that formal, but they have to define what's super sensitive,
lock that down in a way that's commensurate with the sensitivity of the information, and then
think of it like concentric rings outside of that. The things that aren't as sensitive or classified,
be more flexible, be faster. But at the end, if they get that risk reward,
they can, I think, take the appropriate amount of focus and care for the super important things,
the secret sauce, and things that aren't as sensitive can be faster and more flexible and maybe
take more risk.
Right, right.
Yeah, I mean, I think the important thing is to not be reactive, but to be proactive about a lot of this.
And to be, you know, really clear about what you're defending.
Like, I remember this incident, we were going on to do a POC with this particular client.
And just after the, I mean, we were well on our way to get the POC signed.
And just after the Target breach happened, that POC just got completely locked down.
They said, we're not doing a POC because we don't know, we don't want to give any data.
And it was completely not sensitive data that they were working with, right?
That's a knee-jerk reaction.
So they swung too far.
They swung too far, right?
So it's like this wildly swinging pendulum that goes one way here.
And when you're trying to do everything, what ends up happening is it seems so onerous that you, you know, you're like, okay, we're not going to win this.
We're not going to take care of it.
And then you go all the way to the other extreme saying,
oh, we've spent so much time and we've got so little to show for
that we're now going to change back to being an agile, functional company.
And so you keep moving between these things
and the idea is to always find the right balance.
Are we going to win this, or is that even the right question to ask?
I think, so the way I think about it is,
do companies and organizations take advantage of technology
to make them more effective?
So that's winning.
I think that if you think about winning is not zero breaches.
I think winning is moving your organization forward.
And that means taking some risks in some areas, guarding things and being very slow in other
areas and figuring out the right way to do it.
Another thing we haven't talked about, which is interesting, might be a whole other podcast,
but it's the role regulation has in all this.
We're talking about security and fraud, but there's another big question mark companies have,
especially internationally, which is what are the regs, what are the regulations, and what
do they mean? And are they even applicable? And that's a whole other variable when you think
about what to lock down and what not to lock down. Well, we are going to do another series
of podcasts on regulation. I can tell you that. But yeah, like you say, disclosure, like who gets
to know what and when and what are the sort of liabilities and what are the requirements?
Because by the way, that drives as much board concern and CEO concern as security does.
Interesting. We'll definitely revisit that as another topic. Vijay, what's winning?
Yeah. I mean, I think, you know, the one thing is that the fraudsters are constantly changing.
But the nice thing about what we have here is the platforms are constantly changing.
So the battlefield is constantly changing, right?
You have newer interfaces.
So there is really a chance to build security up from the ground up, right?
We keep forgetting to do this.
And we keep calling it a cat and mouse game.
It's really not a cat and mouse game, right?
It's a, I mean, the fraudster is not a mouse, right?
Like the cat and mouse game is traditionally that the mouse is so weak that, you know,
the cat chases him, catches him, and then lets him go.
That's really not the story, right?
It's a cat and dog game.
You're trying to catch the dog when you're a cat, right?
And so it's a particularly hard thing.
And by virtue of what we're seeing is more and more organizations are becoming more holistic
in the way they look at things.
Not only look at just the network, but look at call centers, look at it across, because
the fraudsters are not saying, I'm only going to attack you on the network side.
And then they're also doing collaboration, right?
That's also really important.
Once you collaborate with other organizations, what happens in one organization definitely affects you.
We saw this in the entire Dropbox leak, right?
Like everyone said Dropbox had been compromised, but what these fraudsters had done was figure out usernames and passwords at all these other breaches that actually worked on Dropbox.
So you're no longer just one entity.
So when I talked about line of business and being able to be cross-channel across these different lines of business, I believe that organizations should look across themselves and collaborate
and contribute. And that's the only way you can get, you know, you can win. And, you know,
winning is a relative term. It's, you know, how do you manage to do all the things that you need
to achieve in the next year or so without having, you know, without giving away the keys to the
kingdom? You guys are building the future of security. And I just want to get a sense from
you. And maybe it will be invisible, right? Things will be secure. Internet of things,
all these devices we have will be secure without us knowing it. But what does that future
start to look like from a user standpoint and from a CISO sitting in a large enterprise?
I was just thinking, you know, just because there's been bank robberies forever, we never got
rid of money, right? I think it's, I think it just is part of the environment. I think the more
we embrace technology, the more people, organizations get value from it, the more they'll invest
in it, there'll be some malicious attacks and we'll have to deal with those. And it's, it'll
be kind of a constant thing. I mean, bank robberies never go away. They get, they change and we
get better at them. That's kind of, that it'll be with us, I think, for a long time. I think that
the, I mean, I think that the security technology will get better. I think the fact that,
in a somewhat of an ironic way, I think that the world is becoming, the fact that the world
is becoming more mobile and more cloud, you know, you used the term earlier, Vijay, about
attack surface, an increased attack surface. That is true. But I also think we have a ton more tools
that we can use to secure the surface.
I mean, the fact that we all have computers in our pocket now
in terms of authentication, a simple example,
or a fingerprint reader in our pocket gives us a tremendous tool
to make things more secure.
While at the same time, giving a bigger attack surface
because we have mobile apps that are running on all these devices
with tons of data.
So I think it's kind of an evolutionary thing.
And I think that, again, you know, I just,
when I talk to people a lot, I just say, listen,
you know, just don't lose the opportunity
to embrace some of this new technology
and move your organization forward
because you were so scared and so risk-averse
for everything that you had to lock it down.
I think that's, you know,
and that is a real risk.
I'm sure there are companies out there right now
losing opportunities because they're locking things down.
Yeah, yeah.
And they wish for the old days
where it was all literally like, you know,
in servers locked into a room someplace.
Yeah, yeah.
We're not getting rid of money.
We're not getting rid of credit cards.
There's going to be fraud, but, you know,
we've got to move forward.
Yeah, I think, you know,
we have to just change the mindset
that this is something that we
need to do, right? There's no way we cannot do it and somehow stay secure, right? So it's almost
like breathing, right? The question is, can you stop breathing and still function well? You can't,
right? You have to have security built in. And we have to start realizing that what we're
considering breaches is also going to constantly change, right? With the millennials, the amount
of stuff they post on Facebook and Twitter, that would have been considered a breach, right? Like,
they voluntarily give all that information. My parents
would consider that a breach of privacy, right?
A cartoon.
Hi, you've been breached.
No, no, I wasn't breached.
It's giving that.
So then the question is, once you have all this information out there,
is that what an identity really is?
If I compile all those pieces of information, does that make Michael Copeland?
No.
That's where the security companies decide, you know,
through authentication, more clever authentication,
how do you determine that this is really Michael Copeland, right?
It just can't be because of the fact that I know,
your mother's maiden name, or I know when you were born, right?
That clearly is not you.
I'm wondering why you know my mother's maiden name because we met just today.
Ancestry.com is a great site.
Well, Vijay, Todd, thank you guys so much.
That's great.
We're definitely going to follow up and talk more about this, but, you know,
we'll use your security tools too and hopefully be more secure.
Yeah, absolutely.
Really appreciate the questions.
They were very insightful.
Thanks.
Thanks, guys.
Thank you.