May 31, 2024

00:35:38

Episode 259 Deep Dive: Dima Postnikov | Why Digital ID is Changing How We Think About Fraud Prevention and Defence

Episode 259 Deep Dive: Dima Postnikov | Why Digital ID is Changing How We Think About Fraud Prevention and Defence
KBKAST
Episode 259 Deep Dive: Dima Postnikov | Why Digital ID is Changing How We Think About Fraud Prevention and Defence

May 31 2024 | 00:35:38

/

Show Notes

In this episode, we sat down with Dima Postnikov (Head of Identity Strategy and Architecture – ConnectID) as we explore the challenges and potential of digital identity technologies in Australia. From fraud prevention to data privacy, Dima discusses the complexities and opportunities in the evolving landscape of digital identities, shedding light on the importance of trust, security, and consumer education.

Dima is an identity industry leader 20+ years of experience who is influential in the advancement of digital identity ecosystems globally.

Dima has a passion for digital identity, open banking and trust ecosystem design, having spent the last 10+ years focused on architecture, design and implementation of the technology platforms that underpin online systems of Commonwealth Bank of Australia (CBA), Westpac and Australian Securities Exchange (ASX).

Dima has significant technical experience in developing customer identity solutions in the areas of identity proofing, authentication, authorisation, application and API security, Digital identity, Open Banking.

As an active member of standard and industry organisations globally, Dima has been heavily involved with OpenID Foundation, IDPro, Trust Over IP, FIDO, Kantara and Open Wallet Foundation and ISO.

View Full Transcript

Episode Transcript

[00:00:00] Speaker A: I think the biggest message to all information technology and cybersecurity professionals is really look at the data you deal with. Why do you need certain data? Why do you need to store? Try to minimize the data that you are storing within your systems, try to share that and try to understand how much you can put trust in the data. So if we can minimize the data flowing around the economy, and I think all of us can do our path, it will be significant improvement in everyone's cybersecurity position. [00:00:37] Speaker B: This is KBCs as a primary target for ransomware campaigns, security and testing and. [00:00:44] Speaker C: Performance risk and compliance. [00:00:46] Speaker A: We can actually automate that, take that data and use it. [00:00:53] Speaker C: Joining me today, this is Dima Posnikov, head of identity strategy and architecture from Connectid. And today we're discussing why digital id is changing and how we can think about fraud prevention and defence. So, Dima, thanks for joining and welcome. [00:01:06] Speaker A: Thanks for having me. [00:01:07] Speaker C: So, okay, let's start perhaps maybe with your view of digital id. So, just so that everyone is listening, we're on the same page. Tell me everything, what's in your mind, what comes up first? [00:01:17] Speaker A: Sure. Digital identity is a very large domain space. It's an umbrella term for technology domain that deals with many things like identification, authentication, authorization. This does include multiple types of identities as well. Citizen identity, customer identity, organizational identity, employee identity, and even machine identity. These type of identities, they look the same and they look different at the same time. Where we focus most of our time is, is within reusable digital identity space, mainly within the citizen and consumer domain. [00:01:54] Speaker C: So you said they look the same but are different. What do you mean by that? [00:01:58] Speaker A: There are different concerns that need to be taken care of. For example, if you're trying to employ a person, the organization typically owns that digital identity and can terminate it anytime with a citizen and consumer identity. It's are much more owned by the citizen and consumer themselves. One of the examples. So the different approaches. [00:02:18] Speaker C: Sure, thanks for clarifying that. Now, I have an interesting question, because, you know, if I read sort of content online or in the comments on social media, etcetera, people, and when I say people, I mean just, you know, the general population seem a bit rattled by digital ids. So where do you think this sort of stems from? [00:02:35] Speaker A: A lot of concerns with digital come from misunderstanding and the fact that it's relatively new technology. What's important for me to. I think it's important for us as cybersecurity and identity professionals to educate people around us to show the benefits of digital identity. But it's also very important to understand where we come from. If you look at some examples, how we deal with digital, with identity related things or identity related processes right now, it's very often it's a horrible, cumbersome, inconvenient process that has a lot of privacy issues. If you look side by side at two different processes, where you're trying to prove your identity with paper at the moment and you're trying to prove your identity using true digital identity ecosystem, the difference is amazing, and the difference will convince most of the people that it's the right way to go. People will have more transparency, will have more control or where their data is being shared, why and how. [00:03:37] Speaker C: So do you think when you said people don't really understand, is that the part that people don't understand? Do you think that people feel a bit vulnerable that you're saying that people do have more control? Walk me through how people have more control now with the digital identity versus historical identity. [00:03:53] Speaker A: Well, it's about transparency, right now. If you walk into, let's say you try to check in at the hotel, you need to present your paperwork, you produce your passport or digital driver's license. The photocopy of your driver's license will be taken, and then you lost that data forever. It's sitting somewhere, hopefully in a secure location, in a physical location, or in a digital secure storage, but you don't have any visibility where it is, how it's used and what's happening with it. With the digital identity, I can see from that being built right now, globally, you have much more control and much more transparency. You're able to see where you shared your data in the past. You're able to see why you shared it and what specific elements of data being shared apart from a general data minimization. Because in digital identity ecosystems, you don't have to share your documents, at least not as much. [00:04:46] Speaker C: And do you think it's going to now? Because, like you're sort of saying we're traversing a digital id, you can be able to tell where you've shared it, who, etcetera. What about for the, you know, the old school, you know, identity? If you look at it like that, for example, how's that sort of going to go? Are people going to know, like, where everything's been shared? Is it going to be hard now to sort of, you know, get that back in terms of having the control or what does that look like? [00:05:10] Speaker A: It's probably hard to take control over things that already happen outside of digital identity ecosystems. But what we can do is we can reduce, going forward, we can reduce the reliance on the document, for example. So there have been massive data breaches in Australia where all of your document data has been shared. And to date, a lot of companies are relying on determining that you are who you say you are based on the documents that you provide them. And if someone has your document, a lot of times they can impersonate you. So there is nothing we can do to deal with the documents that have been leaked and already out there. But what we can do is digital identifying systems are aimed to move a needle to reduce the reliance on those documents. So instead of relying on a document, you might be using bank grade authentication to authenticate that person on the way into your system. [00:06:06] Speaker C: And so just going back to the everyday australian or people in general, is it because this is just new and foreign to them? Perhaps. Obviously there needs to be that adoption there towards digital ids similar to the Internet when that came out in the nineties, for example. Is it just going to take a little bit of time? And then if so, like how much time do you think this will take before people feel a bit more comfortable with this new way of operating? [00:06:29] Speaker A: Like with any new technologies, there are people that came to jump on it immediately and there are people that will be sitting and waiting for wider adoption and majority of the people will be somewhere in the middle, in my view, the reality from a consumer perspective, where I see the biggest shift will happen where a large or a number of large reliant parties or the number of large organizations will start using digital identity in their processes and people will see the difference if I have to prove my identity. And it's actually quite interesting right now, when we work with some of our merchants, which we call the line party, we sometimes map out their existing journeys, identity proofing journeys, and we map out the new journey using, for example, connect ID, reusable identity, it's a massive difference in convenience, security and privacy. And if customers have experienced both, my assumption is that they will use simpler and more secure option, which is reusable digital identity where it's available. And they will be asking their merchants and the organizations that they work with whether reusable digital identity is available. Some of the basic concepts, not necessarily in a high assurance way, have been familiar to consumer market for a long time. You login to different sites, using your login with Google, using your Google account, using your Facebook account. These are the low assurance examples of digital identity. But consumers already used to that, and that gives them ability not to create an additional password and additional account with different ecosystems and with different organizations, people already use it. What we aim to provide here at Connect ID is to give a high assurance band grade authentication option for usable digital identity. [00:08:20] Speaker C: Okay, so you just made a comment there around high assurance. Talk to me a little bit more about that. What does high assurance look like? [00:08:25] Speaker A: Connectid is an ecosystem that brings trusted identity providers that people that already have relationship with. For example, it could be a government, it could be a bank. And we started off with large australian banks. Those banks have many other obligations in order to KYC their customers. So they need to implement certain processes to guarantee that you are who you say you are and you're entitled to do what you're planning to do through the particular financial institutions. So there are hundreds of people involved in large financial institutions trying to look at how, how it's best and the most secure way to. More secure and convenient way to authenticate the customer. [00:09:06] Speaker C: I want to press on that a little bit more, but before we do do that, perhaps now, from my understanding, there has been more of an increase towards adoption for digital ids. Now, I know if we talk, we spoke before around the consumer more broadly, that's a little bit different, but maybe it's more towards, to your point, financial institutions that are adopting this. Talk to me more, a little bit about that, why that's the case. Are we going to see more rapid adoption as we sort of traverse into 2025 and beyond? What are your thoughts then on that front? [00:09:36] Speaker A: We are doing more and more things online in general going forward as consumers and looking at the use cases that we have privileged to explore right now with connect id, they're not limited to financial institutions at all. In fact, the majority of the conversation that we're having right now, they are in travel space, employment space, rent and purchase of the property. And the interesting point there is, if you look at the processes that a consumer has to do right now, where are those the most paper intensive and what are the processes that you are supplying a lot of your personal documentation right now. So these are the processes where the biggest day you're using proper digital identity and this is where the concentration will probably happen. This is where the biggest benefit and the consumers will see it. Like I said earlier, as long as you have ability to experience the old way and the new way, I believe it will be a no brainer for a lot of consumers to adopt digital identity. [00:10:38] Speaker C: Okay, so let's talk more about the fraud side of things. You mentioned that before with financial institutions. I myself used to work in a big four bank here in Australia in cybersecurity. And I used to look at the numbers in terms of fraud, scams, etcetera, that was reported monthly by cyber criminals, et cetera, doing the wrong thing. Those numbers were pretty high. That was probably about a decade ago, and it's probably a lot higher since then. Maybe talk me through that a little bit more, how we're going to see a reduction then on, in on the fraud side of things. Just do you want to use financial institutions as an example to run with that? [00:11:11] Speaker A: Yeah, sure. If you look at the scams landscape or province scams landscape in general. A couple days ago, ACCC published a report that showed that Australians lose $500 million a year on average due to scam and fraud. And if you look at the types of scams that been quoted in that report, some of them are related directly to identity. So there is identity fraud category, which is quite large portion of the scams. But a lot of the other ones, whether it's investment scam, employment scam, fishing, false dealing, a lot of them are related to identity in one way or another. What I believe what we can do is, well, first of all, there is no silver bullet. There's no solution in the market that can help to solve the problem 100%. But there are certain things we can certainly prove. If you are dealing with a financial, for example, you get a call from a financial institution to authorize a certain transaction. If we can establish the authentic chain of trust where you know that the phone call that you got indeed came from your bank and the person that's calling you is authorized to do what they asking you to do. If the bank has the hundred percent assurance that you are who you say you are and what you're trying to do, you're authorized to do, we're improving significantly the whole landscape. That will definitely reduce some of those scams, because a lot of those scams link to someone impersonating either someone impersonating you or someone impersonating a product or someone impersonating a company. So what digital identity ecosystem tend to work on is trying to create the authentic relationships, ultimately achieving the high level of trust. Once again, there is no steal the bullet. And a lot of guests on your podcast, they provide a piece of a puzzle that helps organizations and consumers to solve some of those frauds. And I think the challenges, but it's just a piece of the puzzle. And we see ourselves connect IDC itself as a key piece of a puzzle to solve the identity related. [00:13:17] Speaker C: So Dima you've probably seen online, in the news, et cetera, about. Let's go with the. I think there was a couple in Melbourne, they, I don't know, got a message from big four bank, and so and so and so, they ended up transferring their entire life savings. I think it was, you know, just shy of. Then they sort of turned around, was like, it was the bank's fault. Now, look, I get it from a consumer perspective, they made a mistake. But then it's like, well, hang on a second, you will, as in you, the consumer, willingly transferred the money. Now, it's very different if, oh, I wake up one day and I've got $100,000 stolen in my account or something like that. But when you've willingly transferred it because they were tricked into thinking it was ex bank, how does that sort of sit in your mind? Because again, I go in both worlds. I look at every side, obviously, because I'm a journalist, but working in a bank myself, I'm looking at it going, well, you guys didn't actually do the appropriate steps. You just willingly transferred it. Now, it shouldn't really be on the bank to be like, okay, we're just going to refund you the money. If it was the other way around and someone had siphoned off all that money, I get it. When it's willingly transferred, that's where I think this space gets really interesting. What are your thoughts on that? [00:14:30] Speaker A: Fortunately, these stories are quite common. And part of the reason is that right now, these consumers, they don't have tools. It will allow them to understand that it's a bank calling them or it's a legitimate party. If someone impersonated an investment company and convinced them to send their money, there's very little we can do. But at the same time, there are no tools available. So I know telecommunications industry is working on improving the process of how we identify organizations that call us, even cybersecurity professional identity professionals. Confused. Very often when they get a phone call from Ato or someone else, it could be legit or it could be fraudulent. Sometimes they're obvious science, and sometimes they are not. Even the people that are aware of those scams can determine for sure, but the regular population, normal people, they don't have the tools. And I know, like I said, telecommunications industry working on some initiatives in this space. Organizational identity is one of the future trends in digital identity that will definitely be strong over the next few years. And that's also partially trying to solve the problem. When you are contacting someone, being contacted by someone, how do you determine that they are truly represent a certain organization? And how do you trust that that organization is the one that you meant to talk to? So that's organizational. I think it's not there yet. The job of identity professionals and cybersecurity professionals to provide more and more of those tools to consumers. [00:16:02] Speaker C: And look, you are right in terms of they have the tools. I get that. I just think the, that banks are running these awareness campaigns, et cetera, to say like we're never going to contact you, or if we do contact you for whatever reason, call us back on the actual number. So that there is, and I know that sounds really rudimentary and really basic, but that does help. But then I've spoken to people on this show and they're like, maybe we just don't make good technology. Maybe we're failing as technologists because perhaps consumers don't need to be as aware is what we're putting the onus then on that. Where does your sort of mind sit on that front? Because again, all I do is really ask the questions and come from a place of neutrality. So I'm curious then to see what's your thoughts if you sort of apply that to sort of the digital identity space. [00:16:46] Speaker A: So there are things that we can do in a technology space. If it involves system interactions, we can definitely solve it. I agree. It's very hard to solve problems related to human psychology using technology. How many stories have we heard about those organizations like financial institutions telling their customers that they're more likely being scammed right now when they're trying to do something and customers have overridden and continued with their transaction, ultimately, that's their free will, and there is not much that can be done there. But at least if we can identify the obvious scenarios and give them tools, give them warning where it's possible. I know large financial institutions in Australia work on that. Well, if we improve detection and warning system by 5%, it will save a lot of money. [00:17:33] Speaker C: Consumers even by 5%? What is that? Do you have any sort of numbers or. [00:17:37] Speaker A: All I'm trying to articulate here is that even a small improvement in each area will generate significant benefits across the industry. For example, if you look at the whole data breach problem, if you reduce the amount of data you store, less chance you're going to be breached, less data will be impacted. If you reduce the amount of data you own share to other organizations, once again, privacy will be improved, control will be improved if the consumer is aware of it, and third parties will store less of your data as a result of digital identity. Overall, we improving each party's interactions, each party system by five to 10%. Small number, not an exact number. Overall, there will be a massive benefit to the industry and increasing trust, especially if we are starting to reduce the reliance on this data. A lot of the data that's being lit is public right now. If we rely left on the data to identify you, this is where we. [00:18:35] Speaker C: Really, the biggest impact is just on the privacy front. I interviewed a privacy professional probably about two weeks ago. What he was saying was, yes, to your point, how we're collecting it. I think they are trying to bring in more regulation around that. Especially. For example, we spoke about retailers, number one. So the collection of that. But then the second part is like sharing of that information, parties, et cetera. But is that going to be hard now to sort of claw that back, do you think? Like the genie is that out of the bottle? Because, like, who potentially would know after so many years with all this information, who has it been shared with? Because a lot of these terms and conditions are written in a way where it's like they're still stipulating what they're going to do with it without being super clear. And unless you're a lawyer, which I am not, it's very hard to decipher what these very small fine print t's and C's mean, which kind of means, hey, we're just going to share all your information with all these third parties as we please. But then when you're sort of backed up against the wall, what are you going to do? You either have to sign it to use the system, or, you know, procure whatever you're doing. So sometimes you have no option. What are your thoughts then on that? How are we going to call some of this stuff back? [00:19:40] Speaker A: We can't claw a lot of this stuff back. The regulations can definitely help the industries and organizations in Australia to do the right thing with the data that they previously collected. The best practices industry breath best practices and tools and processes can definitely help with remediating part of it. But as I consume my personal opinion, a lot of this data is already gone and we have to accept it. But what we can do is to make sure that it doesn't really matter if someone knows my driver's license number, it shouldn't really matter who shouldn't be used for identity proofing purposes by anyone. If no one can impersonate me with the driver's license number, it doesn't matter if someone knows it. It's probably not great. And in the future, it should not happen. But if it have happened, we should be removing the reliance of it. [00:20:34] Speaker C: And you're saying we are getting to that point where we're removing the reliance on it. And would you say, you just mentioned before, we have to accept it? Do you think people are accepting it because, and I asked that question because of all those major, you know, data breaches that have happened in the last two or so years. I don't know whether people are becoming a little bit more desensitized. Like, oh, another breach. Like, who cares? My stuff's already out there anyway. I'm hearing a little bit of that from everyday people who are not in cybersecurity. Are you afraid that people will become desensitized perhaps to their identity or not really? [00:21:01] Speaker A: People definitely accept that their data has gone. At the same time, people are scared because they know that someone can impersonate. And I think there's a big fear right now that's sort of growing, where people are realizing that someone can impersonate them, and people are trying to be careful, trying to monitor. But a lot of times you wouldn't even know right now if someone opens a bank account using your papers, your documents somewhere else, you don't get notified. So there is also fear at the same time. And this is why I think it's important to focus on removing the reliance on those documents, whether the breaches will happen or not, whether the data will be cleaned up or not. And it doesn't really matter if people change their driver's licenses and passports to make their old numbers invalid. Once again, we're coming back to the point where digital identity ecosystems more than you direction of removing reliance on the documents and the document data, you still have to do with some of the institutions, larger institutions have the right processes to deal with it, and that this is not the only thing that they rely on. But at the moment, the reality, the status quo in the industry, is that we force the small companies to look at identity documents and try to determine whether those identity documents are legit or not and rely on document data and use additional services. So every company has every, no matter how small or big they are, became a company that sort of specializes in identity proofing and in general in cybersecurity space. We know that it's best to delegate this type of responsibility to professionals. And if we can isolate an island of trust that you prove yourself three, four times to government, to big financial institution or small financial institution, but you do it once or twice and then you can reuse your digital identity based on what you've done before with the rest of the industry. The rest of the industry doesn't have to prove you again, they can still do some level of proofing, but they don't have to go to the same level. And not everyone has to do everything themselves because that's what it is right now. Everyone starts with every organization that you deal with right now. They start from scratch and they have to do everything themselves. And a lot of them are not equipped. This is why I'm a little bit worried about the small and medium sized companies that don't have enough resources, don't have enough skills to deal with it properly. And this is where connectivity partially provides a solution, because Connectid is a network that enables you to share your existing proof identity with a smaller financial, smaller organization. [00:23:33] Speaker C: So, DiMA, with your experience and your role at the moment, if you were to zoom out, what do you think is the biggest problem in the identity space today that you see as of we're talking through this conversation? [00:23:46] Speaker A: Biggest problem in the identity space is probably adoption time or speed per market. You've highlighted in our conversation just now, you highlighted a lot of different problems. We're just starting on our journey and we're starting an hour journey. It takes time to get there. So we have a lot of problems. Like I mentioned before, we have a lot of problems we have to solve in organizational identity space. It will take time for the industry to get there. We need the solution now, and it takes time to develop those solutions. [00:24:18] Speaker C: And going back to your point before, around the reduction of 5%, do you think sometimes when people can see, hey, 5%, I'm saving 5%, that sort of spurs people on a little bit more to make faster decisions because at the end of the day, you're a CFO, you're not going to want your organization losing money, like 5%. For a large company, that's still a significant amount of money. Do you think sometimes that's what encourages companies to move and adopt a little bit more? Because if they've got a solution or there's a better way of doing something, which means they're not losing as much money, therefore they're more willing to adopt faster. Would you say that's the case? [00:24:56] Speaker A: Possibly. I think had the other day I was thinking about it, and I feel that digital identity is one of those areas where the problem doesn't become a massive problem for organizations. It is a big problem, but it's not a massive problem. It's kind of spreading between different parties. So it's inconvenient for the customer. It's probably not convenient and not very privacy preserving. Right? In the current processes, it's inconvenient for the merchant or potentially the staff member that dealing with that particular customer, it's inconvenient to them. But the problem is spread out between different participants. It's not concentrated in one place to be visible enough a lot of times. And that's potentially why it's not clear for organizations that they have a nicer problem and they have to deal with it. Now, if you look at overall landscape, how much each customer service, if you make it a difficult process right now for a customer and don't use any of the modern tools, it might take an hour for a customer. Customer might complain, but customer a lot of times doesn't have a choice. If they try to consume service or certain product, they will go through that process, they will complain, but they will forget about it as soon as they can. So it's not necessarily visible to the organization how much of the problem it is for the customer. Especially if customer doesn't have a significant choice to go and walk away to another provider when it becomes competitive advantage, the onboarding processes, their privacy. When privacy will become a differentiator, I think that will change our industries forever. [00:26:31] Speaker C: Yes. And what are your thoughts then on privacy being the differentiator? [00:26:35] Speaker A: I do believe that companies that think about privacy as a differentiator are definitely positioned much better in the future. The privacy becomes embedded in their processes and consumers will trust them much more than organizations that don't care about the privacy look. [00:26:51] Speaker C: That's a good point. The only other way perhaps, which was interesting to look at it, that all these companies out there, and I've worked in large corporates, they're all going to say, we care, we care. But either their actions don't represent that or there's data breaches that happen. Now, I know no one's perfect. I get that. However, more so, how genuine are they being? Is it virtue signaling? Like, oh, we care about your privacy. It's very easy to have some marketing person stick that sort of quote up on their site somewhere. And then when a privacy breach happens and like, oh, well, we really care about it's on our site, how can people be more genuine about it? Because again, for me it's followed up with actions, not just words. [00:27:28] Speaker A: Yeah, a lot of times privacy and can stand related items, it's sort of hidden in the T's and C's somewhere. And we know that consumers don't read T's and C's and not many organizations are able to present those T's and C's in a way that consumer can understand in the flow when they try to make a certain transaction. Therefore, I do believe that it's a long process for each organization to establish their trust. And if they can make it clear and visible to the customer what's happening at any point in time. Capture their consent and consent has to be specific and it should be a true choice for a customer to consent for certain type of transaction. Then it builds up trust. [00:28:11] Speaker C: Switch gears now and talk maybe a little bit more about like identity theft. So your view is that this will decrease. I'm really curious to hear your thoughts, like how will we see a reduction in this with the adoption towards digital identities? [00:28:23] Speaker A: So identity theft is related to the crimes that where another entity or another person can impersonate you, at the moment it's possible to do it because we rely on the documents. A lot of times a lot of organizations rely on you presenting the right documents to them. And sometimes it's not even physical documents presenting themselves, it's just the documents metadata document. The card number, for example, for driver's license and the driver's license with a proper name and a date of birth might prove to some organization that you are who you say you are. And that's definitely not enough. We have to change that. And this is where the government potentially can help as well by clarifying what each organization needs to do in order to prove the identity. Because all document check, all document check does at the moment is validates that this person does exist in the real world. It's not a synthetic identity. It does exist. It doesn't prove that the person that's presenting those documents or presenting this data to the organization is the same person. This is where it's important to differentiate identity. Proofing that identity exists somewhere. We differentiate from authentication and this is where connectid potentially helps because we also couple those together. So when an organization receives an identity information from an identity provider, within connectivity ecosystem, they get two things. They can verify data from a trusted institution about the customer, but they also utilize. They're also able to utilize banks, if it's a bank, as a financial, as an identity provider, they're also able to utilize authentication. So the person authenticates using the whole set of tools that banks implement to authenticate a person. And reliant party is able to use that so they get additional assurance. So I think we forget a lot of times identity theft is possible because we forget about authentication. We're not checking who's presenting those documents to you. [00:30:23] Speaker C: And would you say this problem has just sort of crept up on us as an industry over the years, and therefore, we're trying to figure the problem we're dealing with now is a lot greater than what it used to be like back in the day. So do you think perhaps now people are working even harder to fix this problem because this problem, you know, gets out of control? It's not an easy one to fix immediately, but also the scalability of this problem is significant. So do you think people are aware of the, the risks that are attached to this, or do you think that people are still, you know, figuring it out? [00:30:56] Speaker A: The recent breach has definitely made everyone aware of the problem, and I think both organizations, we see it definitely in our merchant relying party community that we're talking to as a part of connectid rollout. They definitely are aware of it, and they definitely are looking for better solutions. It did creep up in a way, and a lot of it was sort of the final straw was some of those large data breaches. When the large data set became available and the large data sets of document data became available, the problem existed always because people relied on documents only. But this document data was hard to get, and now suddenly, it's not. So this is why everyone realized, well, we got to the point where we cannot rely on those documents ever again. [00:31:41] Speaker C: So, DiMa, in terms of people listening to this interview, what can people sort of take away? And what would you sort of encourage people to start thinking about maybe not implementing? Because, again, it's not an easy thing to do. But what would you sort of advise, especially, you know, moving forward now with your knowledge and your experience? [00:32:00] Speaker A: I think the biggest message to all information technology and cybersecurity professionals is really look at the data you deal with. Like, why do you need certain data? Why do we need to store it? Try to minimize the data that you are storing within your systems. Try to share that and try to understand how much you can put trust in the data. So if we can minimize the data flowing around the economy, and I think all of us can do our part, it will be significant improvement in everyone's cybersecurity position. [00:32:34] Speaker C: So just a quick question that I'm minimizing the data flowing around in people's organization. Like ten years ago, I remember everyone sort of saying, we've got to get as much as we can so we can analyze people, and now we're saying the opposite. So what's happened that wasn't even that long ago, 810 years ago. I remember, you know, looking at cloud, Dara and friends like this, like everyone's saying, let's get as much information on people as possible. Do you think that we didn't really think it through in terms of the risks? [00:33:01] Speaker A: Absolutely. And the requirements came from different sites. And I've also observed that in for or the large banks as well, where on one side, cyber security professionals and identity professionals are trying to minimize the data and trying to lock down the data as much as possible. On the other side, marketing professionals, and to a certain extent, even pro professionals, tend to try to absorb as much data as possible, either for fraud decisioning or for personalization. So these are the things that still have to be reconciled by the banks. But this is where you have to look at it as a whole. You can't look at it in isolation, either in the marketing space or in a cybersecurity space. You have to make decision as the company, what's your posture in regards to the data? Of course you need to enable the better experience. Of course you need to protect the data. And this is where I see digital identity probably being a little bit different from pure cybersecurity, where I see the main two goals. One is to protect customer the data, the assets. But on the other side, it's also to enable, to enable journeys, customer journeys that are not previously possible or customer employee journeys that not previously possible. We need to look at both together, not separately. [00:34:16] Speaker C: So, Dima, do you have any sort of final thoughts or any closing comments you'd like to leave our audience with today? [00:34:22] Speaker A: Everyone should look critically what their teams are doing in regards to the data. In regards to the identity. We need to utilize industry best practices. We need to understand what other jurisdictions are doing because the world is evolving the way we were. The conversation we were having five years ago, they've changed. So we are talking a lot more right now about reusable digital identity. And now it's available. [00:34:56] Speaker B: This is KVCast, the voice of cyber. [00:35:00] Speaker C: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today. [00:35:08] Speaker B: This episode is brought to you by Mercsec, your smarter route to security talent. Mercsec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and mid sized businesses scale faster and more efficiently. Find out [email protected] today.

Other Episodes