Customer Identity Today & Tomorrow: Insights From Kevin Mandia
If you're in cybersecurity, you know the name. And, if you don't, you probably should. It's worth Googling.
As CEO of Mandiant, a trusted partner to security-conscious organizations, Kevin Mandia is the go-to expert on security breaches and cyber attacks for multinational corporations, law enforcement, and news networks.
He's also Strivacity's newest member on our board of directors.
Many of us, including myself, know Kevin well from our time working together at Mandiant. I took the opportunity to reconnect and get his take on customer identity – what's working, what's wrong with it today and where it's going in the near future.
Q. How are we doing as an industry when it comes to customer identity?
Kevin Mandia: Customer identity is critical. And right now, almost universally, it's terrible. Fraud on the internet, unauthorized access – these things happen when identity architecture is compromised. That's the biggest problem, and everyone has challenges with it. Until customer identity is simple, easy, seamless and accurate – and actually works – it'll continue to be a point of failure.
Q. What's the impact on the average customer?
KM: Customers have to compensate for sub-par identity architectures by juggling dozens of different passwords and investing in a password manager. While that's the right advice, for most people it's hard to implement, even for me. Even the most diligent folks have dozens of passwords in reuse. That's hard to change. Wouldn't it be nice if, over time, those dozens of sites were using a more advanced approach so users didn't have to worry about that? What consumers need is for the sites and apps they use to adopt a more advanced approach so we don't have to assume the burden of password management or worry about getting hacked.
Q. Doesn't "passwordless" login solve this?
KM: "Passwordless" doesn't always mean there's no password. It can just mean the site or app has made the sign-in journey so simple and secure that the customer doesn't have to enter or care about their password. But until we make it easy and accurate, I would argue passwordless isn't going to be possible. To get there, a lot needs to happen behind the scenes.
Q. When you say, "a lot needs to happen behind the scenes," what do you mean?
KM: To make it seamless, you need to lock in on people's "normal" behaviors so you know when something's off. Think about a scenario where an attacker steals your username and password. In an ideal world they shouldn't be able to get into your account. Good customer identity would inspect your passphrase but also use a bunch of other factors to confirm, "Okay, that's really Alisha or Alex logging in." If something looked fishy it'd challenge you. If not, you're on your merry way. And remember, we're talking about customers, so all that magic behind the scenes has to happen fast so the user doesn't get frustrated and click over to a competitor.
Q. Why do you think customer identity is the fastest-growing part of the identity management market?
KM: There are two big reasons. First, the pandemic has raised the bar for what consumers expect to do online. Think of your last trip. Everything's "contactless". You don't even have to talk to another human from the time you leave your house to when you get to your hotel room if you don't want to. Second, orgs are having a hard time keeping up with those expectations. In fact, I think we're at the beginning of a big shift. User management and customer identity have historically been trapped inside applications. Orgs have built it themselves. That's changing because it slows them down. They can't keep up with all of the ways customers want to sign in and interact with them. So, we're already seeing more and more orgs pull those customer identity management capabilities out of their apps. When they do, they need a solution like Strivacity.
Q. Who do you think is doing a good job at customer identity?
KM: The best example I know of is Apple. If anybody tries to get into your Apple account from a device other than your phone or computer, they'll fail. It's seamless. I talked to Apple and made sure that's how it works: You get notified and the hacker gets nothing. So that's one vendor. Everybody's striving for a seamless customer experience, but not everyone has the money to do what Apple does.
Q. You've seen more breaches than almost anyone else. How have those experiences informed your view of what's right and wrong when it comes to customer identity?
KM: Identity architecture is failing us today. Enterprise identity keeps blowing up on organizations, and Active Directory is getting beaten by red teams all the time. In almost every case we respond to, valid credentials are being used to do bad things. Consensus is growing fast that you can no longer secure networks with Active Directory, period. You just can't do it. And if the enterprise is weak, consumer identity is even weaker, because companies have no control over the people – the customers – who are maintaining their user accounts and pass phrases.
Q. So how is Strivacity different?
KM: Well, first we're using a modern cloud-native architecture to actually do this right. And second, we're doing it with a platform that's 100 percent focused on simplifying and securing customer sign-in journeys. Everything – including all of the orchestration – is done on-platform and 85 percent of the capability is accessed via clicks … not code. What that means for our customers is it's much faster to deploy – think weeks not months. It's also easy to make changes as customer journeys evolve. The reality is that most of the other solutions out there were written ten or more years ago and they were designed to support workforce identity – not customer identity. So when people try to twist them to serve customer identity use cases it takes a lot of services and deployments can stretch into months.
Q. What would you tell someone who has built their own tech to manage the customer sign-in journey?
KM: Well, it makes sense for the huge tech and social media companies, because they get millions of logins and have enough telemetry to tell with a lot of fidelity if the user is legit or not. But for smaller companies with sensitive data, and whose customers log in less frequently, it just doesn't make sense. They need a solution like Strivacity to give them telemetry on each user and make it easy to know who's logging in and prevent accounts from being hijacked. With the kind of telemetry Strivacity offers, they can even go passwordless.
Q. You're not on a lot of boards right now. Why join the board of Strivacity?
KM: That's simple. It's because of the team. Simplifying customer sign-in journeys is a real problem and Strivacity has the team that can solve it. I know your backgrounds and you're the kind of founders I want to work with – people who've learned the hard way and whose experience led them here organically. You're not freshly minted business school grads with no tech experience saying, "I'm going to solve this identity problem." You guys have seen the problem solved the right way and the wrong way. And you've got a clever and elegant solution to a problem that's creating a lot of risk. You're a great team. That's the reason.
Q. What does the future hold?
KM: Fast forward a few years and people – all of us – will only have a digital identity. The pandemic accelerated this by a lot. We're already operating in a faceless environment for all of our accounts. Our online identity is who we are. And it's only going to become more prevalent, more universal. That's why we've got to get consumer identity right.
