The a16z Show - a16z Podcast: Making Security More Useable
Episode Date: May 8, 2015
The days of cramming security down employees’ throats or sending out best-practices advice emails are over. “You have to make security more useable,” says Pindrop CEO and co-founder Vijay Balasubramaniyan. Especially in a world of ubiquitous connected devices, from smartphones to smart thermostats. Security also has to be attractive, argues Okta CEO and co-founder Todd McKinnon. For example, if an employee uses a more sophisticated form of authentication from the road, then they should get access to a deeper, fuller set of data or applications than if they hadn’t gone through that extra layer of security. In this segment of the a16z Podcast, Balasubramaniyan and McKinnon discuss how they approach the problem of making security something that is both powerful and easy to use. From more sophisticated voice analysis to shifting from two-factor to three-factor and beyond authentication, where can technology push security next?
Transcript
The content here is for informational purposes only, should not be taken as legal, business, tax,
or investment advice, or be used to evaluate any investment or security and is not directed at any
investors or potential investors in any a16z fund. For more details, please see a16z.com/disclosures.
Welcome to the a16z podcast. I'm Michael Copeland. And we are here at the Okta World
Headquarters in San Francisco with Okta CEO, Todd McKinnon. And also joining us from Atlanta is
Vijay Balasubramaniyan, CEO of Pindrop.
Welcome, both of you.
Thank you.
Great to be here.
You guys might not be familiar, and hopefully you are, with both Pindrop and Okta,
but you guys are security-minded companies, and you approach things in different ways, honestly.
And so this conversation, we want to focus on the trends you're seeing in security
and how you guys are addressing them differently for your customers.
And a lot of the focus is on the enterprise, so let's begin there.
But so I want to ask you guys, security seems to be on everyone's mind these days, but is it?
And have people really found sort of God in the wake of some really horrible breaches?
Vijay, what do you think about that?
Right.
So, you know, with a lot of these breaches, I think fundamentally what comes to the forefront is the fact that security is a constantly evolving thing, right?
The perimeter is constantly changing.
You had just your data center, now you have the entire cloud to worry about.
You had individual devices that were purely used for personal reasons.
Now they're used for everything other than personal as well.
And so the perimeter is constantly changing.
What is defensible is constantly changing.
The attackers themselves are constantly changing.
So the fact is that each of these attackers have such a large area to attack you
on and they've increased the sophistication of their tools.
And what's more is they're collaborating and they're trying to get through to you through a
variety of channels, be it the network, be it the call center.
They're trying so many different things because they're motivated, they're well-funded,
and they clearly have a target to go after.
So it's a really hard battle and this is the reason you find a lot of these breaches happening,
a lot of new technologies when they get introduced without security
paradigms in place, they immediately break at the basic onslaught of a fraudster.
One of the things that we've seen, it's the people that are chief security officers or
security professionals or even CIOs, their level of vigilance and their level of concern
about this over the last 18 months is pretty consistent. What's clearly changed is the people
above them. The CEOs, the board, they are all about security now. And I think a lot of it is
just some of these high profile vulnerabilities and attacks in the mainstream media.
Right.
You get the CEO of Sony's email on the public internet, and all of a sudden, every CEO in the world is going, how is my security?
Right.
You get the CIO at Target that loses his job.
All of a sudden, every CEO is like, what's going on in my security?
So the level of heightened awareness at the highest levels in the organization is different in the last year.
How do you move the dials in or twist the dials between kind of like that heightened sense and
urgency for security and then running a business? And so Todd, I know, you know, Okta, you guys go in
and, you know, your hope is that you make it easy for people to be secure. But there's always this
kind of tension between, look, we got operations here and, you know, what security can do.
Yeah. How has that conversation changed if it has and how do you guys approach that?
I think so the, along with the CEOs and board members and other people, higher people in the
organization wanting to have the security conversation, it's changed for us that we are talking
to people higher in the organization.
So business leaders, CIOs,
CEOs, board members are bringing us
into conversations and deals more
than's happened in the past. Our product has
really two different value props. One is we make it easy
for end users, and the other is we make it more secure.
So maybe two years ago was more
we were being brought in because it made it easier.
And now more often we're being brought in
because it makes it more secure often from
higher people in the organization.
Right. Yeah. What we're
also seeing is a global
of the fraud function, as these organizations are growing bigger and bigger, you have multiple
lines of business, multiple folks who have, you know, who weigh in on the security state of the
company.
And now we're starting to see the emergence of pretty solid global organizations that have pretty
significant paths on deciding what are the tools they use across these different lines
of business.
And that's an important thing because if you don't have that, you can be completely secure
on one side of things and then the fraudsters will find that weakest link, right?
And so the fundamental thing is, since these guys are expanding their scope, what we're finding
is once we convince one line of business to use the solution, often within the next six
months, we're finding that the entire enterprise buys an enterprise-wide license, which all
goes well for security companies as well as the security posture for these companies.
Let's talk about that then how you convince lines of business or an entire company to take on
this, you know, what some people will view as a business,
an extra kind of step or hurdle or burden.
I mean, how do you, or maybe that's not the right way, you don't have to convince them
at all anymore.
But once you do convince them, how do you make that behavior change or that shift so, you know,
people do what they're supposed to do?
And at the end of the day, the security works how it's supposed to work.
I think it's an uphill battle to try to get, especially in the modern era of IT, to try to get
users to do something that is inconvenient or out of band.
I think that, and what we see in our customer base and the prospect base that companies and
IT departments that try to do that are not very successful.
So the key is to find solutions that are, make it easier and make it more secure.
And it's not always, it's not, you have to look for the right solution and you have to
put some good design thinking into it a lot of times.
But I think it's just with all the options people have and all the devices they can
use outside of their corporate endorsed framework and all the applications, I think trying to
put a step in there and just send a nice well-written email out to say use it because it's better for you.
It's just a losing battle. So you have to figure out a way to make it easier. Like a simple example is,
a simple example is maybe you have a, it's more secure and maybe require stronger authentication,
but the information resource you get to and you go into an application is better. So it's somehow
better than the alternative you would have if you did your own consumer application off to the side.
So good IT departments and good companies, I think,
are figuring out how to make the services attractive and more secure.
So if you follow this hygiene, if you follow these protocols, you get access to the full
burrito, enchilada, however you want to say it.
Yeah, and it's a good enchilada.
It's going to taste good.
It's some crappy Mexican food that you're going to feel bad after you eat it.
Right.
It's your metaphor, not mine.
It's a good point, right?
Making security, oftentimes before, if you had something that was more secure, it was a pain to get in, right?
So making security more usable is really, really important.
And we see this too, right?
In our case, what we do is we protect call centers and the voice channel from fraud.
The current state of the art is asking you a whole bunch of questions.
So you call into a bank and they ask you what's your mother's maiden name, what's your date of birth.
That takes a long while.
If you have a technology that can substitute for that and very quickly identify that it's really you on the other end,
you've just saved the customer a whole bunch of time, you've saved the organization a whole bunch of time,
and you've made the entire experience wonderful.
So there's that one part, right, security paradigms that are more usable.
The second part of it is actually training and doing this at a grassroots level, right?
Like when you get an engineer to code something, right?
Right now, one of the key criteria is how big of a
scale of a system have you coded up, right? How performant is it? How scalable? Most people
when they talk about, okay, when we put the solution, it shouldn't break as soon as we have
100,000 users hitting the site, right? It's ingrained in everybody's mind that you need
performant, scalable code. What we need to do is add to that you need performant, scalable and
secure code, right? And that needs to happen at a grassroots level, either through training or through,
you know, getting individuals who are more security-minded. Well, let's get into your
sort of philosophies about usability and ease
of use, and because you guys, you know, you go after
different markets, and you approach things in different
ways. Vijay, Pindrop is, like
you say, voice recognition, and I want you to describe
kind of where that goes more broadly.
And then, Okta, you know, you guys
have a sort of two-factor, single-sign-on
view of the world.
But so, Todd, talk to me about
how you guys approach
design and usability and kind of where
you would like to see it go
as things progress.
The best example, so another,
Vijay, your example of the call center
and not being asked for your mother's maiden name 50 times
is great. Another good example that's right in front of all of us
is the fingerprint reader on the iPhone.
I mean, they've turned on pass codes
and more people have their phones locked now than ever before
because they made it easier.
You didn't have to type in that code
and now they have a fingerprint reader.
I think that's a good inspiration,
and we take inspiration from things like that
where it's like, hey, how can we make this easier
for the end user while at the same time making it more secure?
The other, when you think about that,
that trade-off or the design challenge that goes behind making something more secure and more usable,
a lot of times it comes down to alternatives or competition.
And what's happening in the marketplace, Apple being a good example with the fingerprint reader,
is that there's inspiration and competition where there never was before.
It used to be that you would have a crappy Windows application running on the client,
and that was what you used, and you come hell or high water.
Now that you have alternatives for other kind of applications,
the applications your company is provided have to up their game make it more usable.
Same thing for security.
Every website that does security well, every website that has a good design, your company systems have to match that.
Because those are alternative and there's inspiration.
And we try to take inspiration from all the companies that are setting these examples.
Vijay, you guys use voice and like you said, you secure call centers.
What are you able to do with voice that perhaps we weren't even thinking about five years
ago?
Right?
So even before, you know, talking a little bit about what we do, it's just, you know, what's
happening in the world, right?
Like as the world is moving forward, the kinds of interfaces people are using is changing pretty
rapidly.
So, you know, traditionally, I mean, you can see this at a place like CES where, you know,
you have the smart watch, smart belt, smart ring, smart everything, right?
And the reason they're smart is that they're able to understand what you're saying.
They don't depend on existing interfaces like the keyboard, right?
A Google Glass device outfitted with a keyboard that you had to type into.
That would be a horrible future to be a part of, right?
Instead you speak to the device and it immediately determines what you want to do, right?
So as these interfaces change, there is the opportunity to define that security from the ground
up.
And this is a little bit of what we're spending our time on, right?
Which is we're trying to make sure that when we see these voice interactions or these voice
devices, we can add a layer of security, trust and identity to
that in order to make sure that that transaction is indeed coming from who it's, you know,
who it's coming from.
And so we look at a variety of things, right?
We look at your voice.
We look at the device that you're coming from and, you know, the fingerprint that's inbuilt
into it through a variety of ways.
We look at things that your voice is doing, emotion, duress, urgency.
There's a whole bunch of these things.
But ultimately, all of that goes towards the fact that we can do all of this in the
background and ultimately leave the customer a great experience.
You bark into your smart TV, say, I want to pay my AT&T bill.
There's a bunch of companies that are going to figure out what you said and what to interpret it.
Our role in that is to decide that it is indeed coming from you.
Because it might not be an AT&T bill that you're paying.
It might be you're trying to turn off your burglar alarm.
Right.
You want to know, is that Michael saying turn that burglar alarm off?
Or is it, you know, the fraudster's just broken through your window, right?
Right, right.
Or even, it sounds to me like you're heading a number.
the direction or I'm at home and there's some bad person standing next to me saying
tell the burglar alarm to turn off.
Yep.
And you might be able to sense that.
I mean, that is way out in the future, right?
I mean, ultimately, our goal is to provide that layer of security, trust, and identity.
We want to be that platform that does that.
So as these new exciting interfaces come out, right, Amazon rolled out Echo, Facebook bought
wit.com to integrate all its messaging with voice, Google has Google
Now on its Nest thermostats, as these interfaces emerge, we think there's a great opportunity
to essentially change the security battlefield by setting the right paradigms in place.
Todd, how do you guys think about that expanding kind of world of things and data to secure?
Should it all, again, kind of fall under one single sign-on kind of paradigm?
Or how do you guys think about it?
Okta is about building a system of record or a graph that connects together,
a logical connection of people, applications, devices, and organizations.
And the idea is that once you have that system of record,
then you can put the right policy on top of that group of connections based on the right context.
So, for example, if you are logging into one application that's just an application
that doesn't have very much sensitive information.
You can do it from the road, from a public Wi-Fi.
But if you're logging into a financial application,
a more sensitive application for work,
you must have strong authentication.
You can only do it from certain networks.
That's an example of context and policy.
But you can only do that in a centralized, feasible manner
if you have this system that Okta is
that actually has all those connections and knows
which applications are sensitive,
which users can get to which applications, which devices.
So that's what it's about.
So if you expand that out to not just phones and tablets and computers,
but if you expand that out to the Nest thermostats or any kind of device that might exist on the Internet of Things,
our point of view on that is that those are all important,
but they all relate back to a user some way.
It could be, for example, in the enterprise, it could be assets.
It could be, you know, these 10 steam shovels, which don't exist anymore,
but you get my point.
Maybe it's a museum of steam shovels, and that's what they display.
But for us, it's all about, it's getting back to the
person. And ultimately, it's going to go back to a person. The person's going to want to
consume the data or understand where that asset is. And that's why we think that having that
logical map all the way back to the person is very valuable. Speaking of people, it seems that
most of the sort of high profile hacks that we've been reading about and talking about of late,
at the end of the day, there was a person who or people who didn't do what they were supposed
to do. There was all these warning signals and they were ignored. How do you,
help make people better at security and, you know, and, you know, maybe it's removed them from
the equation, which seems like a tough thing, but how do you approach that? Right. So I think,
you know, given the massiveness of organizations and the scale at which these organizations
are growing, right? I mean, we see Slack, which has so many millions of users now and, you know,
has done that in the last 24 months. So as these organizations are growing, you know, you know,
distributed geographically, have a variety of networks, I think you're always going to have
people slipping up, you're always going to have networks breached. So I think that's a given,
right? The one thing that CSOs as well as security folks within that organization have to figure
out is what is it of importance that they're defending and make sure that, you know, once someone
gets on a network, they don't have access to the entire kingdom, right? So, I mean, it's, I mean, if
you look at Okta, right, Okta does network authentication to a certain level and we do authentication
on the call center. If you change, I mean, like we keep getting worried about, okay, breaches into the
network, right? Someone got access to our network, but look at the call center, right? In order to get
access to the call center, all a fraudster needs to do is pick up the phone and speak to a call
center agent. Right. That tells you how easy it is. You should look at the network exactly like that.
It's that simple. Getting access to the network or getting access to a person within an organization
is really, really simple for a motivated fraudster.
Once you make that assumption,
you then start deciding within the system
how do you protect the keys to the kingdom, right?
Yeah, I think similarly to what Vijay was saying,
I think that you have to be able to define the parlance
in the security industry is least privilege, right?
So you make sure you give every person
least privilege possible.
So no one has a bunch of privileges they don't need,
so if they get compromised, they can't be used to take advantage of.
The problem with least privilege is it's hard to do.
It's much simpler to say, you know what, we have this firewall, we have this perimeter,
and anything inside that's copacetic, we can bless it, anything out that is bad.
But when you start breaking it apart and say, well, all the services are in my data center,
people are roaming around, then it gets harder and trickier.
So just the basics, making sure people only have access to what they should have access to,
making sure that when people change functions, that gets updated, it's not a simple problem,
but that's some of the basics of the access.
A lot of these cases, these breaches, it was very basic things that were used or problems
that were used to take advantage of these networks or these systems. And there was just simple
stuff that wasn't cleaned up. It was the administrative access on a hardware monitoring
system that had public internet access. It was, you know, the employee that hadn't used
their account and was used to log into when it should have been shut down a long time ago.
So just, it's almost like the housekeeping of it all and making sure the least privileged access
is the first step because I agree you're not you're never going to have
perfect perfect human compliance it's just impossible
so if you just define really what is important you have you have a way to put
least privilege access and then you have a way to actually this is an important one
you have to put in systems to to monitor and understand so you know when you've been
breached just knowing we've been breached will allow you to
react much quicker and minimize the damage some of these attacks they've been
breached for months and months.
They didn't know. Really found out because some contractor came in to do some work and said,
hey, what's this massive log file that shows everything being exfiltrated off the network?
So it's like, it should have been caught sooner than that. Right. And something done about it,
in which case, you know, and in many cases nothing has been done until the worst happens.
Do you feel like customers and just, you know, the enterprise at large has a sense that,
look, the bad folks are already inside? Or are they not there
yet, or should they be there for that matter?
Yeah, I think, you know, whoever we talk to makes the assumption that they've been breached.
They've been breached.
They have to have great monitoring systems to understand the extent of the breach, you know,
what's going out, right?
And then the second part of it is, you know, deciding, you know, what is important to defend,
right?
If you have a database of emails, I mean, of usernames and passwords, that's important.
That's everything that you have about all your customers.
And so you need to protect that very, very carefully.
The only problem is, you know, companies are growing this rapidly
that they forget to stop and think about this.
And I can talk about it from just personal experience, right?
We're growing massively.
How often do I get into a meeting where my engineers are saying,
you know what, we need to be careful about the security of these boxes.
When we roll out a VM with our software and, you know, with calls, sensitive calls,
we need to be careful about that.
We do that very, very aggressively,
but I would want more of that to be done, right?
When you're growing at the rate at which we're growing,
it's always a question of functionality versus security.
And you need to figure out a balance between making sure things are as secure
as you add functionality.
What we see is that, like earlier I was talking about the CEO, board level,
and then CIOs, chief security officers,
we see that the CIOs and the chief security officers,
they understand that they've likely been breached
and they're very into monitoring and so forth.
Senior level people, more senior than that,
CEOs, boards, their mindset is,
we've never been breached.
We're not one of these four companies
you've heard in the news in the last six months.
We've never been breached.
How do we never be breached?
So a little bit is, you know,
the communication starts because those CEOs
and boards are so interested.
And now it's up to the CIO
and the chief security officers
to have that conversation
where they explain, hey, you know,
we're spending a couple
million dollars on this monitoring service, because we may have been breached, but we're not sure
anything's been done. So it starts that conversation. I think it's healthy for the whole industry.
Well, and how do you shift that mindset from, like, we've never been breached to those people
on the inside, understanding that you probably have, to then setting policies and procedures that can
kind of keep up. I mean, Vijay, you talk about how you're a fast-growing company, and there's new
kind of scenarios every day. So, Todd, if you're setting policy, how do those policies and
I'm just thinking about an approach that companies can use to be flexible enough and kind of
reactive or foreseeing enough to build something or build a mindset that can account for what's
going to come next.
I think the key is kind of like the government has, you know, different levels of classified.
They have super classified and like double super classified and only the president can see it
and then they have things that are unclassified.
I think companies need to have that kind of
framework, maybe not that formal, but they have to define what's super sensitive, lock that down in a way that's commensurate with the sensitivity of the information, and then think of it like concentric rings outside of that. The things that aren't as sensitive or classified, be more flexible, be faster. But at the end, if they get that risk reward right, they can, I think, take the appropriate amount of focus and care for the super important things, the secret sauce. And for things that aren't as sensitive can be faster and more flexible and maybe take more risk.
Right. Yeah. I mean, I think the important thing is to not be reactive, but to be proactive about a lot of this.
And to be really clear about what you're defending. Like, I remember this incident, we were going on to do a POC with this particular client.
And just after the, I mean, we were well on our way to get the POC signed. And just after the Target breach happened, that POC just got completely locked down.
They said, we're not doing a POC because we don't know, we don't want to give any data. And it was completely not sensitive data that they were working with.
Right? That's a knee-jerk reaction. So they swung too far to some other
far, right? So it's like this wildly swinging pendulum that goes one way here. And when you're
doing, when you're trying to do everything, what ends up happening is it seems so onerous
that you, you know, you're like, okay, we're not going to win this, we're not going to take
care of it. And then you go all the way to the other extreme saying, oh, we've spent so much
time and we've got so little to show for it that we're now, you know, going to change back
to being an agile, functional company. And so you keep, you know, moving
between these things and the idea is to always find the right balance.
Are we going to win this or is that even the right question to ask?
I think, so the way I think about it is do companies and organizations take advantage of
technology to make them more effective?
So that's winning.
I think that if you think about winning is not zero breaches, I think winning is moving your
organization forward and that means taking some risks in some areas, guarding things
and being very slow in other areas
in figuring out the right way to do it.
Another thing we haven't talked about,
which is interesting,
maybe a whole other podcast,
but it's the role regulation has on all this.
We're talking about security and fraud,
but there's another big question mark companies
have, especially internationally,
which what are the regs?
What are the regulations?
And what do they mean?
And are they even applicable?
And that's a whole other variable
when you think about what to lock down
and what not to lock down.
Well, we are gonna do another series
of podcasts on regulation,
I can tell you that.
But yeah, like you say, disclosure,
like who gets to know what and when?
And what are the sort of liabilities
and what are the requirements?
Because by the way, that drives as much board concern and CEO concern as security does.
Interesting.
We'll definitely revisit that as another topic.
Vijay, what's winning?
Yeah, I mean, I think, you know, the one thing is that the fraudsters are constantly changing.
But the nice thing about what we have here is the platforms are constantly changing.
So the battlefield is constantly changing, right?
You have newer interfaces.
So there is really a chance to build security up front,
from the ground up, right?
We keep forgetting to do this and we keep calling it a cat and mouse game.
It's really not a cat and mouse game, right?
It's a, I mean, the fraudster is not a mouse, right?
Like the cat and mouse game is traditionally that the mouse is so weak that, you know,
the cat chases him, catches him and then lets him go.
That's really not the story, right?
It's a cat and dog game.
You're trying to catch the dog when you're a cat, right?
And so it's a particularly hard thing and by virtue of what we're seeing is more and more organizations
are becoming more holistic in the way they look at things.
Not only look at just the network, but look at call centers,
look at it across, because the fraudsters are not saying,
I'm only going to attack you on the network side.
And then they're also doing collaboration, right?
That's also really important, right?
Once you collaborate with other organizations,
what happens in one organization definitely affects you.
We saw this in the entire Dropbox leak, right?
Like everyone said Dropbox had been compromised,
but what these fraudsters had done
had figured out username, passwords,
at all these other breaches that actually worked on Dropbox.
So you're no longer just one entity.
So when I talked about line of business
and being able to be cross-channel
across these different lines of business,
I believe that organizations should look across themselves
and collaborate and contribute.
And that's the only way you can get, you know, you can win.
And, you know, winning is a relative term.
It's, you know, how do you manage to do all the things
that you need to achieve in the next year or so
without giving away the keys to the kingdom.
You guys are building the future of security,
and I just want to get a sense from you,
and maybe it will be invisible, right?
Things will be secure, Internet of Things,
all these devices we have will be secure without us knowing it.
But what does that future start to look like
from a user standpoint and from a CISO sitting in a large enterprise?
I was just thinking, you know, just because there's been bank robberies forever, we never got rid of money, right? I think it's, I think it just is part of the environment. I think the more we embrace technology, the more people, organizations have got value from it, the more they'll invest in it, there'll be some malicious attacks and we'll have to deal with those, and it'll be kind of a constant thing. I mean, bank robberies never go away. They get, they change and we get better at them. It's kind of that to be with us, I think, for a long time. I think that the, I mean, I think that the security technology will get better. I think the fact that in a somewhat of an ironic way I think that the world is becoming the fact that the world is becoming more mobile and more cloud, you know, some that, you used the term earlier, Vijay, about attack surface and increased attack surface, that is true, but I also think we have a ton of more tools that we can use to secure the surface. I mean, the fact that we all have computers in our pocket now, in terms of authentication, a simple example, or fingerprint reader in our pocket, gives us a tremendous tool to make things more secure while at the same time giving a bigger attack surface because we have mobile apps, you know, that are running on all these devices with tons of data. So I think it's kind of an evolutionary thing. And I think that, again, you know, I just, when I talk to people a lot, I just say, listen, you know, just don't lose the opportunity to embrace some of this new technology and move your organization forward because you were so scared and so risk-averse for everything that you had to lock it down. I think that's, you know, and that is a real risk. I'm sure there are companies out there right now losing opportunities because they're
locking things down.
Yeah, yeah, and they wish for the old days where it was all literally like, you know, in servers locked into a room someplace and...
Yeah, yeah, we're not getting rid of money, we're not getting rid of credit cards, there's going to be fraud, but, you know, we've got to move forward.
Yeah, yeah, I think, you know, we have to just change the mindset that this is something that we need to do, right? There's no way we cannot do it and somehow stay secure, right? So it's almost like breathing, right? Like, the question is, can you stop breathing and still function well, right? You can't, right? You have to have security built in. And, and, and, and,
we have to start realizing that what we're considering breaches
is also going to constantly change.
With the millennials, the amount of stuff they post
on Facebook and Twitter, that would have been considered a breach.
Like they voluntarily, voluntarily give all that information.
My parents would consider that a breach of privacy.
A cartoon.
Hi, you've been breached.
No, no, I wasn't breached.
It's giving that.
So then the question is, once you have all this information out there, is that what an identity really is? If I compile all those pieces of information, does that make Michael Copeland? No. That's where the security companies decide, you know, through authentication, more clever authentication. How do you determine that this is really Michael Copeland, right? It just can't be because of the fact that I know your mother's maiden name or I know when you were born, right? That clearly is not you.
I'm wondering why you know my mother's maiden name because we met just today.
Ancestry.com is a great site.
Well, Vijay, Todd, thank you guys so much.
That's great. Thanks a lot.
Yeah, we're definitely going to follow up and talk more about this, but, you know, we'll use your security tools too and hopefully be more secure.
Yeah, absolutely. Really appreciate the questions. They were very insightful. Thanks. Thanks, guys.
