If you're in cybersecurity, you know the name. And, if you don't, you probably should. It’s worth Googling.
As CEO of Mandiant, a trusted partner to security-conscious organizations, Kevin Mandia is the go-to expert on security breaches and cyber attacks for multinational corporations, law enforcement, and news networks.
He’s also Strivacity’s newest member on our board of directors.
Many of us, including myself, know Kevin well from our time working together at Mandiant. I took the opportunity to reconnect and get his take on customer identity — what’s working, what’s wrong with it today and where it’s going in the near future.
Q. How are we doing as an industry when it comes to customer identity?
Kevin Mandia: Customer identity is critical. And right now, almost universally, it’s terrible. Fraud on the internet, unauthorized access — these things happen when identity architecture is compromised. That's the biggest problem, and everyone has challenges with it. Until customer identity is simple, easy, seamless and accurate — and actually works — it’ll continue to be a point of failure.
Q. What’s the impact on the average customer?
KM: Customers have to compensate for sub-par identity architectures by juggling dozens of different passwords and investing in a password manager. While that’s the right advice, for most people it’s hard to implement, even for me. Even the most diligent folks have dozens of passwords in reuse. That’s hard to change. Wouldn’t it be nice if, over time, those dozens of sites were using a more advanced approach so users didn’t have to worry about that. What consumers need is for the sites and apps they use to adopt a more advanced approach so we don’t have to assume the burden of password management or worry about getting hacked.
Q. Doesn’t “passwordless” login solve this?
KM: “Passwordless” doesn’t always mean there’s no password. It can just mean the site or app has made the sign-in journey so simple and secure that the customer doesn’t have to enter or care about their password. But until we make it easy and accurate, I would argue passwordless isn’t going to be possible. To get there, a lot needs to happen behind the scenes.
Q. When you say, “a lot needs to happen behind the scenes,” what do you mean?
KM: To make it seamless, you need to lock in on people's “normal” behaviors so you know when something’s off. Think about a scenario where an attacker steals your username and password. In an ideal world they shouldn’t be able to get into your account. Good customer identity would inspect your passphrase but also use a bunch of other factors to confirm, "Okay, that's really Alisha or Alex logging in." If something looked fishy it’d challenge you. If not, you’re on your merry way. And remember, we’re talking about customers, so all that magic behind the scenes has to happen fast so the user doesn’t get frustrated and click over to a competitor.
Q. Why do you think customer identity is the fastest-growing part of the identity management market?
KM: There are two big reasons. First, the pandemic has raised the bar for what consumers expect to do online. Think of your last trip. Everything’s “contactless”. You don’t even have to talk to another human from the time you leave your house to when you get to your hotel room if you don’t want to. Second, orgs are having a hard time keeping up with those expectations. In fact, I think we’re at the beginning of a big shift. User management and customer identity have historically been trapped inside applications. Orgs have built it themselves. That’s changing because it slows them down. They can’t keep up with all of the ways customers want to sign in and interact with them. So, we’re already seeing more and more orgs pull those customer identity management capabilities out of their apps. When they do, they need a solution like Strivacity.
Q. Who do you think is doing a good job at customer identity?
KM: The best example I know of is Apple. If anybody tries to get into your Apple account from a device other than your phone or computer, they’ll fail. It’s seamless. I talked to Apple and made sure that's how it works: You get notified and the hacker gets nothing. So that's one vendor. Everybody's striving for a seamless customer experience, but not everyone has the money to do what Apple does.
Q. You’ve seen more breaches than almost anyone else. How have those experiences informed your view of what’s right and wrong when it comes to customer identity?
KM: Identity architecture is failing us today. Enterprise identity keeps blowing up on organizations, and Active Directory is getting beaten by red teams all the time. In almost every case we respond to, valid credentials are being used to do bad things. Consensus is growing fast that you can no longer secure networks with Active Directory, period. You just can't do it. And if the enterprise is weak, consumer identity is even weaker, because companies have no control over the people — the customers — who are maintaining their user accounts and pass phrases.
Q. So how is Strivacity different?
KM: Well, first we’re using a modern cloud-native architecture to actually do this right. And second, we’re doing it with a platform that’s 100 percent focused on simplifying and securing customer sign-in journeys. Everything – including all of the orchestration – is done on-platform and 85 percent of the capability is accessed via clicks … not code. What that means for our customers is it’s much faster to deploy – think weeks not months. It’s also easy to make changes as customer journeys evolve. The reality is that most of the other solutions out there were written ten or more years ago and they were designed to support workforce identity – not customer identity. So when people try to twist them to serve customer identity use cases it takes a lot of services and deployments can stretch into months.
Q. What would you tell someone who has built their own tech to manage the customer sign-in journey?
KM: Well, it makes sense for the huge tech and social media companies, because they get millions of logins and have enough telemetry to tell with a lot of fidelity if the user is legit or not. But for smaller companies with sensitive data, and whose customers log in less frequently, it just doesn’t make sense. They need a solution like Strivacity to give them telemetry on each user and make it easy to know who’s logging in and prevent accounts from being hijacked. With the kind of telemetry Strivacity offers, they can even go passwordless.
Q. You’re not on a lot of boards right now. Why join the board of Strivacity?
KM: That’s simple. It’s because of the team. Simplifying customer sign-in journeys is a real problem and Strivacity has the team that can solve it. I know your backgrounds and you’re the kind of founders I want to work with — people who’ve learned the hard way and whose experience led them here organically. You're not freshly minted business school grads with no tech experience saying, "I'm going to solve this identity problem." You guys have seen the problem solved the right way and the wrong way. And you’ve got a clever and elegant solution to a problem that's creating a lot of risk. You're a great team. That's the reason.
Q. What does the future hold?
KM: Fast forward a few years and people — all of us—will only have a digital identity. The pandemic accelerated this by a lot. We're already operating in a faceless environment for all of our accounts. Our online identity is who we are. And it’s only going to become more prevalent, more universal. That’s why we’ve got to get consumer identity right.