December 13, 2023

00:38:18

Episode 233 Deep Dive: Geoff Schomburgk | Securing Digital Identity: A Discussion on The Use of Passwords and Their Future

KBKAST

Show Notes

At Yubico, Geoff is responsible for driving the Yubico business across Australia and New Zealand, working with partners and enterprise customers to implement secure modern authentication, helping make the internet safer for all.

Geoff brings a strong customer focus and a proven ability to implement complex technology solutions across a range of industries, including telecommunications, utility and transport sectors across Australia, Asia and Europe.  Critical to the success of these projects is the definition and realisation of tangible business value, where the combination of Geoff’s business consulting approach and project delivery experience consistently deliver business value.

Geoff is an experienced senior executive with a background in engineering and strategy consulting and over 30 years’ experience in the global information and communications technology (ICT) industry.  Geoff has a Bachelor of Engineering and MBA and is also a Non-Executive Director and business mentor to several Not For Profit (NFP) organisations. He is a Fellow of the Australian Institute of Company Directors (GAICD), with B.E. (Hons) and M.B.A.

Episode Transcript

[00:00:00] Speaker A: Our digital identity is something of value and something that we need to protect. So if we're going to protect our digital identity, protect it with something that is phishing resistant and can stop people getting access to it. And that technology is available today, and it's going to be increasingly available more and more across all of those services that we use over the next, hopefully three to five years.

[00:00:24] Speaker B: You this is KBKast as a primary target for ransomware campaigns, security and testing and performance risk and compliance.

[00:00:37] Speaker A: We can actually automate that, take that.

[00:00:39] Speaker B: Data and use it. Joining me today is Geoff Schomburgk, regional vice president, Asia Pacific and Japan for Yubico. And today we're discussing why having zero trust in online relationships is a good thing. So, Geoff, thanks for joining and welcome. So Geoff, I want to begin with your statement about zero trust in online relationships is a good thing. So tell me more about this.

[00:01:05] Speaker A: Today covers such a big part of our lives, our work, obviously, but our social media connections and the whole myriad of online services that we access, banks, energy providers, telcos, online shopping, et cetera, et cetera, et cetera. And all of these require some information about us, that is our digital identity. And with such a large number of online relationships, the risk of a cyberattack therefore increases accordingly. So as users, we're expecting these providers, either our business or these other service providers, to take steps to protect that digital identity. And recent high profile attacks down in this part of the world have shown the value of our digital identity and how easily that can be stolen or compromised. So having something that protects that digital identity is really important.
And some research that we've done shows that even today, still 60% of businesses are using just a username and a password as that primary means of authentication to protect that identity. So we think we need to do something different. And moving to a mindset of zero trust, we think, is a good thing. That's because zero trust means don't trust no one. We shouldn't trust a service provider unless they can adequately be verified before we start sharing some of that information to do whatever it is we need to do. In the business world, zero trust is being adopted by large corporates to protect their company data. So we think as a consumer, the same sort of thing should apply. And the reason is to protect our security and our digital identity, which gives us peace of mind to be able to do these things far more comfortably. And we think that should start with authentication, verifying that the service provider is genuine and can be trusted before we get going. From a Yubico point of view, we think phishing resistant authentication with something, a security key like a YubiKey, is a really good start. So that's why I think we link zero trust in online relationships. It's all about protecting our digital identity.

[00:03:15] Speaker B: Okay, I want to get into digital identity a little bit more because especially here in Australia, we're obviously moving more towards that, especially with, like, a driver's license, for example, I remember I was in the US last year, and I showed my digital driver's license, like, no, that's not allowed. You have to have a physical card. So it's kind of weird. Like, sometimes the US is, like, ahead of us in certain things and other things, it seems a little bit backwards, but I know that people that I speak to, which is a lot in the industry, but also people more generally, and I'm a curious person, which is probably why I run this show, but people seem to be paranoid by the whole digital identity thing.
So do you have any sort of insights on that front around what you're hearing in the market?

[00:03:55] Speaker A: I think it comes down to trust that our digital identity is of value. We give away pieces of information about us, such as our driver's license, our passport numbers, our credit card details, et cetera. And I think we're paranoid because we're not confident that those providers that we give that information to can keep it secure. I think that's really the essence of why we're worried about this. So we need to be assured that that identity can be protected because it is so valuable.

[00:04:25] Speaker B: Okay, let's talk about assurance, because you're right. But anyone can sort of get up there and say, and people do. And to be honest, there absolutely are organizations, large and small that are probably virtue signaling saying, we really care about your identity. Now, I'm not saying that obviously breaches are going to occur, et cetera, but again, it goes back to, well, you're saying that you care, but then there's all these controls that actually weren't even implemented to start off with. So that's a great start to caring. So what are your sort of thoughts then on that? Because anyone can get up there, it's great PR, great media. We care about this, but then it's not followed up by the right actions.

[00:05:00] Speaker A: The rubber's got to hit the road somewhere, doesn't it, to validate and provide evidence behind those statements. And it's pretty easy to say, yeah, we care, and consumers and customers are number one, et cetera. So we've got to see evidence in the things that we do day to day that give us that confidence that it does match. And I think that comes down to the techniques that we use every day. Are we doing more than just a username and a password to authenticate us and protect us in login?

[00:05:33] Speaker B: Yeah, and you're absolutely right.
I'm a very big proponent of rubber hitting the road because I don't like people who virtue signal. It's followed up with action demonstrating what you're doing. So you mentioned before we want to see the evidence. So how can a company display evidence? Now, if we focus it maybe on the consumer lens, like people like you and I are in security, it's probably a little bit more apparent about what's happening of the average person. They don't really know, like, oh well, this company seems secure or appears secure. So how would you demonstrate that from your point of view?

[00:06:03] Speaker A: Look, I think you can all make the statements about we care but evidence, and it's hard because we're in the security game and we know what's good practice. So as a consumer, how do you get that confidence and putting something behind your username and a password is good? And there is a perception that the one time codes or the SMS links that are a second factor that's good. Well, the reality is it's not good enough. So there's still a lot of education that has to be done across the industry to make people aware of what is good practice, what is highly secure. And look, I think that's starting. We'll probably talk about passkeys in a little while. But the fact that Microsoft, Google and Apple are all putting their weight behind this and people are starting to get exposed to that terminology and those options, they'll go, well, okay, that's the sort of thing I should be looking for. So a lot of it's to do with awareness of what is best practice. And if we start to see that in our online transactions as consumers, then we'll start to get that confidence. And maybe it's about infusion as well. And if we're doing things in our business world and we see a lot of business, particularly government and large corporates, doing the right things when it comes to security hygiene, well then we'll expect that in our online world as consumers.
And if we don't see it, then we'll start to demand it. And I think we can start to feed off business versus consumer to lift the overall awareness and therefore lift the overall profile of security in everything we do.

[00:07:49] Speaker B: Yeah, great points. So from my understanding, I don't know what you're seeing, but I think people are starting to demand more from businesses. So I was talking to a guy the other day, actually, on the show, he's based in the US, but he was saying, like, I think it's getting harder for businesses. Like the sweeping statement, the virtue signaling isn't enough anymore. Maybe 30 years ago, not anymore. So I think it's going to be harder for businesses to demonstrate, show the evidence, rubber to the road. So are we going to start to see businesses, I don't want to use the word scrambling, but doing a little bit more than perhaps just the baseline of what some of them are currently doing?

[00:08:24] Speaker A: Yeah, well, it doesn't have to be hard. It's about change and doing something that's different. And I can see that just the groundswell moving along, that people will start to get exposed to this and expect these services to be provided and these better levels of protection being provided. So we're starting to see across industries this infusing into the marketplace and it's becoming available. I look at a lot of things through the lens of supply and demand. On the supply side, the technology is available. It is out there. So what's stopping it? What's stopping businesses from adopting this? And a lot of times it's simply about change. And some businesses, there's a lot of complex legacy tech debt that's out there. And implementing that change is not as simple as we might like to think it on the surface. So it's all about changing mindsets and changing perceptions, which takes time. Yeah.

[00:09:32] Speaker B: So yesterday I was in a face-to-face podcast, and then a group of guys next door working in the next office sort of rolled past. And then they were, hey, like, what are you guys doing? Et cetera? Guy I was with was like, hey, like, my friend KB, she runs a security podcast. He's like, oh, security. Yeah, I work in insurance. And he's like, you should see the amount of information we have. I'll be like, literally their whole life, financial, everything, right? And I was like, oh. I said, so tell me more about your security. He goes, I feel like I'm getting audited. Not that I was auditing, but it probably appeared that way. And then he's like, oh, yeah, we just kind of have stuff in a drive. And my face was like, what? What do you mean? I said the word drive. And that's, it really worries me. And obviously he's like, I'm not the security guy. I don't know what's going on, but what really limited me is a lot of these smaller, independent players out there that are holding serious PII. I don't think they really know how to find the right security player. Now, this podcast is more industry specific, as well as all executives and friends. But these guys that are out there holding this information, they were sort of saying to me like, well, we don't even know where to start. We don't know who to go to. How do we find these security companies out there? And it really shocked me to be like, we're not doing good enough, probably as an industry, because you've got people here that are asking these questions, and then they were saying that because of the Optus breach, et cetera, heightened their sort of alert on, well, we've got all this sensitive information, we need to be very focused on it. So I guess it comes back to that awareness piece, and I think people are trying, but it's more.
So how do we penetrate more on, yes, the consumer side, but then also these smaller independent businesses that they just don't know how to navigate the space because it is complex and it's overwhelming. And how do you know who's good and who's not good? There's a lot going on.

[00:11:28] Speaker A: That's true. Yeah, it's awareness. And I think organizations like the ACSC, the Australian Cyber Security Centre does a great job of getting information out there at all levels. So based down at the consumer level, we're aware of the significance of protecting our data as a result of the high profile breaches that we've all seen recently. But also up at the top end that the director and company boards. The risk of a cyber breach is getting to their level of attention, as it should. So we're kind of seeing a bit of a top down and a bottom up. So I think it'll happen, that awareness, but there's a lot of people to educate, and it takes its time, unfortunately. But I can see momentum really building. Yeah, absolutely.

[00:12:19] Speaker B: It does take time. I think it's the right type of education because it's how we're communicating to these different audiences. I think that's something people need to sharpen. It's probably why I got into what I'm doing. I saw a massive gap, people depends on which discourse you need to speak to them into. You need to fundamentally change, whether it's podcast video, how are the videos produced, how are they deployed, are they shorter videos? All these types of things. I don't think the industry has done it really well over time, and I think they should be paying more attention on that comms piece in order to close that gap. So I want to go back now on the consumer side of things. Now, I'm a practitioner, historically moved into this space in terms of this media space, but I'm going to put my consumer lens and glasses on because obviously I'm a consumer.
So I want to view this conversation through that lens because I think it's very easy for security practitioners to get bogged down into the nuts and bolts in the weeds and we're going to make something so secure that it's not user friendly. So would you say from your experience that business relationships via online accounts, people getting frustrated? Because again, I understand the security side of things, but then the usability just isn't there or there's so many things you've got to navigate through and then people get frustrated. What are you sort of seeing?

[00:13:44] Speaker A: Yeah, and the consumer lens is a really good lens because we're all consumers. And from personal experience, the conversations I have with friends and family, the conversations in the industry, industry research, I think it's fair to say that we're all pretty frustrated with the complexity of our online relationships. The fact that we've got so many different online accounts and each of those different service providers has got a different way to let us access those services. So there is really no standardized approach. And I think that leads to frustration. And the frustration in two parts, you say the convenience side of it, of having to access this information in such different ways and prove our identity and log into these services in a different way can be frustrating. And the old username and password thing, you go to log in and what's my username? Is it my email address? Is it a number? What is it? And then we'll get to the frustration around passwords and eight characters, six characters, capital letters, special characters, and just when you get it right, they ask you to change it again. It's like, I'm frustrated with that. So the convenience side of the complexity of those relationships is really frustrating. And then, as you said, we're in the security industry, we're security practitioners, and we know that username and password is not secure.
We know that some other second factor methods that we use today, such as emails and SMS and even one time passwords, they're not as secure as other methods that are phishing resistant. So we know there's a better way, we know that it should be there, but it's not. And I think that also brings a level of frustration. As we're talking before that, consumers, we're becoming more aware that we need to do something better. We're being told by the giants, the techs of Microsoft and Apple and Google that there are better solutions out there. And so it's pretty frustrating for us as consumers when we're not getting that we're not being given the best level of security that's available today. So, yeah, that frustration is definitely out there.

[00:15:55] Speaker B: Yeah, most definitely. And I think that you're so right. I think now he's got so many accounts of so many different things. Look, people can think what they want about password managers. Each their own opinion. I believe, though, that people are starting to ask more of those harder questions because of everything that's happening recently, especially in Australia. So I'm just curious then to know, and I mean, look, my mind's just going at a million miles an hour right now, so I'm just going to try to make sure I don't go on a random tangent, but let's go back to username and password. So obviously that frustrates people, consumers, people like ourselves even. But then there's people saying we're going passwordless, we don't believe in passwords, but then where is it? I've been having this conversation. I've done 200 plus episodes talking about passwordless for a while, but I can't think of any account at the moment that technically is passwordless other than maybe logging into my iPhone.

[00:16:52] Speaker A: Well, if you've got an Office 365 account, your Microsoft Office or your Gmail, those services have a passwordless experience available to them. You talk about your iPhone and biometrics.
That's a great way of getting you into the device, but you still need to authenticate into the services that you're using on those devices. So we're starting to see more services being exposed. And Apple really only in was it January or February this year announced their support for security keys, which is a passwordless experience to protect your Apple ID. It's the announcement last year in, was it October where the three tech giants, Microsoft, Apple and Google all announced their support for passkeys or passwordless. So that's relatively recent in the whole chronology of all of this. So it does take time, but we're starting to see expose that to us to make it a better way. And we're not going to get rid of the password overnight, but gradually exposing us to these alternatives. And if you're logging into your Microsoft account, for example, it'll still ask you to give me your username or your email address. But now they're putting below that sign in options or sign in with a security key. So they're exposing that to us rather than just taking it away completely. I think that'd freak a lot of people out. So gradually changing our mindset to there is a better way and making that available to us, I can see that we will get away from it, but as you say, we're still going to have passwords here and there and password managers required, but there is a better way and it's starting to seep into our everyday world.

[00:18:43] Speaker B: So I've spoken to people, I said, look, do you ever think that username and passwords will ever fully go away? And their answer was no, and it's going to depend, and I know every answer depends, but what are your thoughts then on that? Do you think we'll get to a stage in like 20 years, this is abolished?

[00:18:59] Speaker A: Hopefully it'll be sooner than that, but I mean, that's what we're aiming for, as I said, with the announcement that through the FIDO Alliance partners and Fast Identity Online, led by Google, Apple and Microsoft, and they control, what, 90% or more of the platforms and systems that we use today, operating systems and so on, so if they're behind it, there's a real momentum starting to build as users. Yeah, and Microsoft has done a great job of passwordless, a great term, and it captures the imagination because passwordless, no passwords. Yeah, I'd love that. So back to supply and demand. The supply side's kind of getting it better and as the demand side, as the users and consumers, we're craving for something like this. So I can see it happening. I think momentum is building and our job is to accelerate that as much as possible. And, yeah, there'll always be a long tail and we're still using FM radio and instead of downloading stuff over the Internet. So some of these technologies will hang around, but hoping that the old 80/20 rule that we get to the majority of these services being able to provide us with a passwordless and secure method of protecting our digital identity sooner rather than later.

[00:20:25] Speaker B: So how much sooner would you envision? Because I guess, okay, 20 years. I know it's a bit of a stretch, it's just sort of painting the picture, but five years, do you think?

[00:20:33] Speaker A: No, look, I'm an optimist and I'm in the industry and that's what I want to see, but change takes time. It's hard to put a time frame on it, but I would like to think, given what we've seen in the last twelve months that we've started that process, and hopefully we're well down that track within the next two to three years. And the businesses that we're dealing with in our day to day world at Yubico, they're all moving that way.
And I've seen the high profile breaches about twelve months ago, the level of inquiries have gone up, the realization that as businesses, they have to do something more and allocate some budget to do that, because the consequences are horrendous if they get it wrong. There's momentum in the business world to provide better, more secure, phishing resistant services. So yeah, I'm optimistic. And therefore, if I'm optimistic that something's going to happen in the next two to three years, then probably it's three to five years before we really see mainstream adoption.

[00:21:39] Speaker B: What frustrates you the most about a password, a username and a password from a consumer point of view, I think.

[00:21:46] Speaker A: I said it before, is that my username? And we've got all these services and whatever it is, 6100 services that we log into and they're all different. Well, what is my username? Have I created some special name for myself? Is it just my email? Have I got a number somewhere? I don't know. I don't have time to go back and think about that. And if I get that right, then the password conundrum is even worse. You get it right and we've all got different passwords, so we try and use the same one because it's easy and convenient, but we know that it's not secure, so we try and change it. And then once we get it right, you go to log in again to go and buy your movie tickets or go and whatever you do, online shopping, et cetera, and they've asked you to change it again. That's what's frustrating, that's what agitates us and drives us up the wall. So there has to be a better way. And we know that there is, but it's just about getting there.

[00:22:43] Speaker B: So people in the industry would say, password managers, what are your thoughts on that? Do you have any thoughts on that?

[00:22:49] Speaker A: Yeah, we do. Obviously, passwordless is the great way forward and that's what we're all striving for.
But as we said before, we're not going to get rid of passwords overnight. And our philosophy is very much password managers are a good thing. You should use them. And if you're going to use them, protect them with something super strong that's phishing resistant, like a YubiKey. So we support the idea of a password manager. We're not going to get rid of them overnight. So use them to protect your passwords where you have to use them, but protect them with something strong. That's phishing resistant.

[00:23:23] Speaker B: Yeah, there's a great point. What about. There are certain companies that are password management organizations that have been breached. What are your thoughts then on that? Because that rattled me a little bit. We're talking about having storing all these passwords and then they get breached. So I don't know. I mean, you're obviously more of the expert in this space than me, so I'm just curious to hear your thoughts.

[00:23:44] Speaker A: Oh, look, there's no such thing as completely risk free, so it just means that we've got to be hyper vigilant about protecting the services that we offer. And if we're offering a password manager, as I say, you make sure that it can be protected with the best and most secure services that are out there today. And that's the FIDO protocols that make phishing resistant, make it easy, harder for people to break in. So we're starting to see that with password manager companies implementing this FIDO protocol to protect the users from their password managers.

[00:24:23] Speaker B: So let's talk more about multi factor authentication, or MFA. We spoke before about people being frustrated even knowing your username, knowing what your password is, having to reset it. Maybe there's two factors, then you get multifactors. What are your thoughts on that? So people are already frustrated at what even is my username, and now we're adding more layers, more complexity, more time to log in, et cetera.
So obviously, again, going back to my earlier point on, I get the security side of it, but sometimes some of these things are just not practical for people and we want to be able to reduce the friction. But security people sometimes over engineer things. I'm just curious to hear your point of view on how do we get an equilibrium on making something secure, but also ensuring that we're maintaining usability and quick access. Because at the end of the day, people want things faster. If they can't log into your ecommerce platform quick enough, they're going to go elsewhere.

[00:25:21] Speaker A: Absolutely. And I think, as I said before, there's no consistent approach today. And so a standardized approach would be ideal. And I think that's what, again, drove the industry to come together and develop that standard, which is the FIDO standard, or Fast Identity Online, or passkeys, as we now refer to them. And that was designed by some of the smartest security guys in the world to be exactly that, an open standard, something that is highest level of security, easy to use, and something that can be deployed at scale. So that's what was designed from the outset. And all the technologies and techniques that we use today have not been designed from the ground up to be secure. We love using the mobile phone because it's convenient, but mobile phones were actually invented to make telephone calls, not as a security device. So the security industry has come together to try and solve this problem of taking away the complexity of passwords and managing our logins to make it easy and secure and deployable at scale. So I think if we can get that standard and the industry has done the work there, if we can get that out there so that that user experience is consistent, so that it can be, as you say, that can be done in the blink of an eye rather than minutes to log in, so easy to log in, but do it securely, then people start to feel a lot more at ease that that friction's gone away.

[00:27:02] Speaker B: Do you ever think as well, with people maybe customers are speaking to, let's use like an e-commerce company, for example. Just say there's no MFA. It's very easy to log in. It's a frictionless process. Wouldn't that e-commerce business drive more revenue? Because, again, people can log in really quickly. Because then I think, well, if it takes me five minutes to log in, couldn't be bothered, I'll come back to it. You know, I got distracted through Instagram or something like that, and then my mind's gone off it, or I'll just go to another competitor. So do you think businesses at the executive level, or CFOs, are thinking along those lines of, okay, yeah, we've got to allocate the budget, we got to make a bit of investment, it's going to be a bit of turmoil, but we may end up having better revenue in the end because there's not such a big rigmarole process to be logging on and authenticating through our platforms for actually people to spend money with us. Do you think people think along those lines?

[00:27:54] Speaker A: I think it's fair to say that attention span is important, and if it takes you too long to log in that impulse, as you say, we're easily distracted these days. So to be able, for the online retailer to be able to capitalize on that buying decision, they need to make it easy for you to get in and conduct that transaction. And the first hurdle is getting in, logging in. And you said, yeah, a username. And why would you use a username and a password, when you can use something like a security key that you just insert and enter your PIN, and then you're in. So research has shown that that's at least four times faster than the username password and something else. So I think, yes, I agree with you that businesses are thinking that of how can we reduce that friction? How can we get to our consumer and make it easy for them to do what they want to do, whether that's buy a new pair of shoes or whether it's to pay a bill.
So making it easy and starting with that front door, if you like, that first touch point, which is logging in, if we can make that super easy, then that's the sort of benefit that we'll derive from those businesses to be able to do more transactions with their customers, be it online retailing or whatever it is. So, yeah, start with that initial exposure, that first experience of logging in.

[00:29:18] Speaker B: Well, I asked that because, again, this podcast is not just about CISOs and security leaders. It's about all executives, CFOs and stuff like that. So sometimes, in my experience of writing reports and comms, security people, even if they're working for a vendor or whatever, they go down the wrong rabbit hole. And so the CFO is like, well, I don't really care about that. Oh, but if you can generate more top line revenue, I'm quite happy to hear your story a little bit more. So I'm trying to go down that route. And I think sometimes people may get lost on the right messaging that they need to convey in order to sell their product or their service. Look, I get that, but I think it's about, well, CFO is really going to care about generating more revenue. So if we can position it in a way where it's like, hey, by doing this, you get that. I mean, obviously there's a little bit more wording in it, but you know where I'm going with the story. I think that's what's also going to drive the needle forward more than. Because at the end of the day, a CFO, yes, okay, he cares about security, but he doesn't care about all the ones and the zeros and all the technicalities of things. And sometimes I think that's where things get lost. That's why things don't move forward at the rate we would like to see them.

[00:30:26] Speaker A: As business leaders, we've got to not just get excited about the technology, which is easy enough to do. We've got to think about the business value of what we're doing. And that's either to reduce cost or increase the revenue of the business.
And if we can do that, and if we can prove that the technology is actually helping us to do that, then I think we'll start to get the attention of, as you say, the CEOs and the CFOs of the world, that there's a business benefit behind doing this. Not just the security guy says it's a good idea because he says it's a good idea. So focusing on what is that business? How does this drive revenue? How does this increase productivity? How does this reduce cost? They're the sorts of areas that as a tech industry, we need to be focusing on more and more, not just, hey, it's really cool tech, because it does something or other.
[00:31:21] Speaker B: Would you say more people are definitely taking that narrative versus the former, like the latter approach, like, it's great tech. And the security guy said we should do it because we should do it, rather than, hey, you can generate more revenue. I'm not saying all people, I'm just trying to get a barometer.
[00:31:36] Speaker A: Yeah, look, I think more and more, we're not being technology for the sake of technology is not going to cut it for the majority of people. As I said before, at the executive level and at the board level, people are seeing cybersecurity as an important topic. So at that level, they're not going to be talking about ones and zeros. They're going to be talking about, why are we doing this? What's the risk that the business is exposed to if we don't do anything? How do we reduce that risk? What's the benefit that comes from that? Is it a financial benefit in terms of top line, such as the ECom example we talked about, is it increased productivity because people are spending less time? That friction has gone, so people inside the business are more productive, they're doing things better and faster. Have we been able to strip cost out of the business? All of this legacy and tech debt that we're dealing with, if we can strip that away, we can take cost out of the business.
So there's many ways that a business mind or an exec will look at the problem and the benefits can come in one or more of those different ways. And because those conversations are starting to happen now at the exec level, at the board level, I'm again optimistic that more and more we'll start to focus on those outcomes, rather than, hey, this is really cool tech.
[00:32:59] Speaker B: Yeah, absolutely, 100%. So I switch. We should have the answer to this. I'm just curious to know, do you have any sort of indicators or stats so you used before around the friction? Just so hypothetically, and I am not a maths person, so I'm never going to try to do the numbers, but just so hypothetically, 100 people in your company takes them approximately five minutes to log in through some system. Add that all up in terms of all the people, five minutes, and then salaries, how much money they're losing just on the five minutes of the friction, the frustration, resetting my password, calling up the help desk, I mean, that's just one element to it. Has anyone or do you know or do yourself with what you're doing within your company have any sort of stats on that? Because even that's interesting. Even that five minutes, that adds up.
[00:33:45] Speaker A: Certainly at Yubico we have done that and we've got some really good case studies around quantifying the business benefits and working with others in the industry, we're all trying to gather the information that we can to prove that point. And one of the examples that we have is that using this passwordless or passkey approach can reduce the number of support calls to the help desk by 92%. That's a massive reduction because you're not getting locked out of your accounts, you're not asking for your password to be reset. So there's an immediate productivity gain there. If you can do the maths on the number of people in your organization and your IT support area, if you can reduce that workload by 90%, you're going to sack those people.
No, but you're going to get them to do more important things which will drive a better outcome. So there's a productivity benefit there. There are other direct costs. If you take away some of this tech debt and simplify things, there's a cost benefit there. And we look at return on investment. And at Yubico, we did a study recently on the total economic impact of modern authentication or strong authentication, and it touches on all those things. As I said before, it's a cost saving, it's a productivity improvement, or it's a return to the bottom line in terms of profitability and wrap all that up as a return on investment. What is the return on investment from doing something here as simple as if you do the right thing and you need cyber insurance, and you can be proving to the cyber insurers that you're taking all the right steps to be secure. There's an immediate cost reduction in your cyber insurance premium as well. So return on investment is really the way we need to think about security, because otherwise it's just, again, you look to the CFO and go, oh, I have to spend more money on security. When does it stop? Well, if you can prove that there's a return to that investment, then that argument goes away. It's okay, I get the benefit here. I see the logic behind what you're doing. Let's do it.
[00:35:56] Speaker B: Just from your experience with obviously your role and everything, have you seen that conversation? Is what? Getting people to listen more? It's okay. Well, if it makes logical sense in a way in which a CFO who's a numbers person would look at things very analytically and very numbers driven, yeah.
[00:36:12] Speaker A: They're the conversations that we're having more and more. A lot of what we do in the Yubico world is dealing with the security teams.
But what I'm doing and the role I play is starting to build that business case, to build that return on investment, to have those discussions with the exec level, on the board level, to make it clear that this is a good business decision.
[00:36:36] Speaker B: So, Geoff, is there any sort of closing comments or final thoughts you'd like to leave our audience with today?
[00:36:42] Speaker A: It's been a great conversation, and we've explored a whole range of different areas, but probably the two things that stick out to me are that as business users and consumers, our digital identity is something of value and something that we need to protect. Second thing is the tech industry has developed something from the ground up that is highly secure and easy to use, and that's phishing resistant authentication. So if we're going to protect our digital identity, protect it with something that is phishing resistant and can stop people getting access to it. And that technology, passkeys or passwordless, is available today, and it's going to be increasingly available more and more across all of those services that we use over the next, hopefully three to five years.
[00:37:36] Speaker B: This is KBKast, the voice of cyber. Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today. This episode is brought to you by Mercsec, your smarter route for security talent. Mercksec's exactly search has helped enterprise organizations find the right people from around the world since 2012. Their on-demand talent acquisition team helps startups and midsize businesses scale faster and more efficiently. Find out [email protected] today.
