On this week’s State of Identity podcast, host Cameron D’Ambrosi sits down with serial entrepreneur, Mickey Boodaei, CEO and Co-Founder of Transmit Security. This duo discusses the challenges of finding an internal stakeholder champion to “own” identity across business units, why the UX battleground isn’t just about your competitors, it’s about any consumer experience across industry verticals, and the importance of shifting enterprise perspective on identity to encompass the entirety of the “digital identity lifecycle.”
Cameron D'Ambrosi, Senior Principal at Liminal
Mickey Boodaei, CEO and Co-Founder at Transmit Security
Cameron D’Ambrosi [00:00:00] This week on State of Identity, we welcome Mickey Boodaei, Founder and CEO of Transmit Security. I know I say you don’t want to miss any of these episodes, and I mean that. But this one in particular. Stick around, for Mickey goes into his founding journey across founding Imperva, taking them public, founding Trusteer and selling them to IBM, founding Transmit, and then raising the single largest round in cybersecurity history. Their transition from an orchestration platform into a full CIAM player. The challenges of selling a 360 degree full digital identity lifecycle solution into an enterprise structure, for lack of a better word, that maybe isn’t ready to accept it, as well as Mickey’s predictions for the future of digital identity. You’re not going to want to miss this one. Stick around. Welcome everyone to State of Identity. I’m your host, Cameron D’Ambrosi. Joining me this week is Mickey Boodaei, founder and CEO of Transmit Security. Mickey, this has been, I feel like, a long time in the works. I’ve been really dying to talk to you for a long time. We finally made it happen. Welcome to the podcast.
Mickey Boodaei [00:01:17] Thank you, Cameron. It’s great being here.
Cameron D’Ambrosi [00:01:19] So, you know, there’s so much that we can talk about. And I feel like Transmit is really at the epicenter, if you will, of so many of these seismic shifts that we’re seeing across the industry. But before we do that, I always love to ask folks, you know, especially founders. What was that spark? What was that explosive moment when it came to you? Like, I’m going to found this company and start tackling identity and access management and enterprise authentication.
Mickey Boodaei [00:01:50] So this is actually the third company that I founded. And, you know, they’re all in cybersecurity. I’ve been in cybersecurity for over 30 years now and kind of like, you know, the evolution of cybersecurity since I began back in the Israeli military early nineties, it’s always been about three things, very big parts of cybersecurity, network security, endpoint security and identity. So the first company I did was more around network security, Imperva, cofounded that company in 2001. Then Trusteer, which is now part of IBM Security, was more around endpoint security, but also fraud prevention. I’ll talk about that as well. And then lastly, Transmit is all about identity. So I’m kind of like touching the three pillars of cybersecurity that, you know, like, you know, when I started in the early nineties. Now when, when we were so my co-founder and I were on car we bought co-founded Trusteer back in 2007 and the idea on Trusteer is, how can we kind of like take the endpoint technologies or the capabilities of endpoint security and bring that into fraud prevention and start like fighting what was back then, just the beginning of financial malware. So we did that and then kind of like built a few products around fraud prevention, mostly for financial institutions. But what we found out very, very early on is that actually to protect customer accounts, to protect user accounts online, you need a much bigger architecture that brings together and not just the ability to detect account takeover or signs of account takeover, but also to integrate authentication and strong authentication and to bringing authorization and secure at account opening. So it’s part of a much bigger strategy. And when we tried to plug in our capabilities around fraud prevention and malware detection into some of our customers’ environment, we ran into a lot of challenges around integrating everything together.
So this is when we we were like, Oh, there is no really good way of doing these integrations and there is no good way of moving really fast for organizations. Because what we did at Trusteer was like, you know, we were moving very, very fast, like, you know, even faster than fraudsters. And to bring these technologies and changes into an organizational environment and application was a really big pain. So the first thing that we started to to do at Transmit was, you know, let’s let’s kind of like find a way, find an architecture where you can make changes really fast and react to whatever it is that you add really, really fast. And that’s kind of like how we came up with the idea of Transmit.
Cameron D’Ambrosi [00:05:20] I love that, you know, in, in some ways it feels like that arc of, you know, starting with the network security piece and then moving to endpoint and moving to identity. Kind of mirrors almost a pyramid sharpening up at the coming to a point which is the end of the day. I think if, you know, 20 years ago you could have started with the identity layer, if it was feasible, that would have been the starting point. This is almost the the final form. The the. The beautiful evolution of the space. Because ultimately, I mean and forgive me because I’m a I’m an identity guy, which makes everything a nail because I’m an identity hammer, but ultimately, any of these solutions are really trying to get to that fundamental question, which is who is behind this session or this device? And and do I trust them? It’s just to some degree, we just lack the the capabilities and the technologies to really be asking the question that we’ve been intending to ask this entire time.
Mickey Boodaei [00:06:16] Yeah, look, the evolution of cybersecurity is really interesting. And, you know, it goes back to the early nineties where it was all about network security. So really everything that you saw from the, you know, the networking companies like Cisco and Juniper to specialists in cybersecurity like Check Point, they’re all like, you know, the big problem that they were trying to solve was network security. How do we keep people out of our network? And then everything started to shift because the network became less and less important. Today at Transmit, like in our network, our internal network is not important. All right. Everything is in the cloud. Everything we use, all the applications, our SaaS applications, all our own applications are in the cloud. So we got like, you know, basically we got no network, no real network or no real assets on our network. So network security became a problem of the cloud providers as opposed to, like, you know, actual modern organizations. And then, you know, problems slightly started to shift toward endpoint security because the endpoint became like, you know, the tool that you use to access all these applications and the way to get into the networks once the network is more secure. So we started to see a lot of attacks on endpoints and malware and all that. But then like, you know, we started to see the endpoint manufacturers, specifically the OS providers, whether it’s Apple, Microsoft, Google starting to take more ownership of the security of their operating system. So kind of like we started to see. Less and less successful attacks to reduce Specter. But then, like the identity all of the sudden became the real big pain for organizations because not only like, you know, if you go back to the nineties, you had, like, you know, pretty much username and password to your network or whatever it is, VPN, you go in and you can do whatever you want.
And today you have like tons of application systems that you can log into. So everything became so much complex in terms of identity that this is really the biggest problem that we have today in cybersecurity. So from my perspective as a cybersecurity person, when I look at the last 30 years, you know, I keep saying that, but identity is by far the biggest problem right now in cybersecurity. And if you look at all the recent attacks, you know, just recent couple of weeks, whether it’s with Leo and others, it’s all it’s all around identity and accounts and taking over accounts, probably more than, you know, the statistics are more than 80%, but I think it’s more than 90% of the successful attacks against organizations involve identity and account takeover. So huge, huge problem. And obviously, when we look at fraud, you know, the biggest fraud victories, account takeover for consumers, you know, it’s always been like that. You know, it’s just getting worse.
Cameron D’Ambrosi [00:09:42] So, you know, when you came to market with Transmit initially, you know, I think calling you an orchestration player is a fair assessment of how you originally tackled some of these challenges. And obviously, with that big announcement earlier this month about integrating all of the different facets of your platform into a unified product for CIAM is where we see the market headed generally. Was that always the plan? Were you always looking to build this unified CIAM platform or did that come about as a result of you kind of taking the temperature of what your customers were looking for in a solution?
Mickey Boodaei [00:10:22] Well, we were trying from the beginning to solve the biggest problems that our customers have in identity and cybersecurity. Right. So like, you know, from our perspective, identity is the biggest problem of cybersecurity. And then we start to look what are the roadblocks, what prevents our customers from actually providing good security to their customers, where the challenges are. So the first that we identified was that nothing talks to anything, right? So like, you know, all these different parts of identity, all the different parts of the identity stack specifically with very large organizations, are incapable of talking to each other. And specifically, if you want to kind of like, you know, let’s call it orchestrate authentication with authorization and fraud. You have to do this in code like, you know, you actually have to write code to do that. And when you’re writing code, it goes into the queue of the developers or the development cycle. So it’s really up to the, you know, the different priorities that the organization and the application have. So that was a big problem and we knew that like if they really want to provide good protection and good customer experience and I’ll explain why the two are identical. But if you want to provide good protection for customers, you really have to go fast. You really have to be agile. You really have to have all these different parts of the identity stack talk to each other. So this is where we started. We said like, okay, let’s build this orchestration. And there was like nothing like that when we started, you know, this was a brand new concept that we brought to market. Let’s build an abstraction layer that sits between all the applications, the entire stack, whatever the stack is. And we’ll be able to operate the stack based on configuration and policies that are given without the need to kind of like push software.
And, you know, that’s where we started. But then we started to see that, you know, if you really want to provide good protection, you need to have all the different capabilities, you know, to date modernized like, you know, move with the pace of the cyber criminals. So we looked at, you know, for example, the authentication landscape and it wasn’t moving fast enough. We looked at the protection, risk detection capabilities in the market. And they were pretty much outdated since the days that we left Trusteer, which was 2013. Nothing much changed in terms of like, you know, the capabilities of these tools to detect attacks. Identity verification, account opening registration. We haven’t seen anything good there. And we start to see a lot of attacks against registration of accounts. So basically all the pieces that we were trying to orchestrate were broken. So it doesn’t make sense to orchestrate a lot of broken pieces. It just doesn’t give you the result that we were looking for. So we started to build these pieces and think about each one of them. How do we modernize? How do we build it in the right way for the applications of today? So we started like, you know, five different projects for authentication, for authorization and user management and for account opening and risk and fraud. And that’s how we kind of like built the entire platform.
Cameron D’Ambrosi [00:14:20] So when we think about the entirety of the digital identity lifecycle, I mean, I think we’re in violent agreement that putting identity at the center is really the only way forward. I think the challenge has historically been to some degree, we’ve had the technology to do that, but that 360 degree view of the lifecycle for a better word doesn’t align with how the modern enterprise views identity, right? When you think about your classic bank structure. You have folks who are focused on, you know, the customer facing growth piece, but then you have folks who are focused on the cybersecurity and account takeover piece. Then you have the folks who are focused on your anti-money laundering and your onboarding risk and your fraud. And there isn’t really a key stakeholder that you can target to say, hey, you know, you own the entirety of this identity challenge. I’m going to sell it to you. Obviously, I’m hopeful in the sense that we’re seeing more organizations adopt chief identity officers to really think about these problems holistically. But for many organizations, that the stakeholders remain relatively diffuse. You know, how have you tackled that problem as a platform that really, I think, requires organizational buy in at the highest level across what could be five, six, seven key stakeholders?
Mickey Boodaei [00:15:45] You’re very much correct. Like, you know, just the other day I spoke to, you know, this this bank and they have six different fraud teams and they don’t talk to each other like, you know, they did. They don’t even communicate between these different fraud teams. Like they they kind of like responsible for different parts of the of the user journey. And that’s that’s pretty much insane because like, you know, if you want to provide good security, if you want to provide good account protection, you have to look at the entire lifecycle of the user. You have to understand the history of the user. You have to understand what they did when they opened the account, what they did when they transacted what they did, you know what they’re doing, where they’re not transacting, what they’re doing when they’re registering new devices and your credentials. All of that is part of the visibility that you must have to provide good, good attack protection. And I think that a lot of organizations are just too new, too complex when it comes to security, identity and fraud. So you would see different teams, different owners, different executives like now reporting to different parts of the organization. And it doesn’t make it easier to to address the problem like that. Right. So, you know, organizations must start to think about consolidating everything that has to do with security. And, look, there are parts of identity or parts of identity that are called identity that are not necessarily security. But a lot of it a lot of it is about security. Definitely when we’re talking about authentication, definitely when we’re talking about, you know, the are a all of parts of authorization in a lot of parts of account, opening identity verification. This is all security. Organizations must change the way they think about this problem. 
And like from now and then, it’s an opportunity to restructure and think about like what would be the right organizational structure for us to be successful in providing good customer experience and good security for our customers. So, you know, I’m kind of like, you know, when we’re building our technology, it has to be multi persona platform. So it allows different parts of the organization to provide the capabilities that they’re trying to build into the identity stack. So this is definitely something that we thought about when we kind of like engineered the platform. So we have, you know, parts of the platform that address the fraud people, other parts that address more traditional security people. And then, you know, other parts around account opening and digital teams. So we do have that in mind. But like, you know, going forward, I really think that organizations need to start thinking about consolidating all that to provide a much better experience and security.
Cameron D’Ambrosi [00:19:10] And I think you really hit on that that key point. Right. This notion of experience is something that I think there’s remains this fundamental kind of misconception around cybersecurity in general, which is you must make a sacrifice around user experience. You must be throwing friction at people in order to secure your platform. I think that’s fundamentally not true. And I think in many regards you have and don’t want to put words in your mouth here, but you have built the Transmit Security platform centrally around that notion, which is you can have your cake and eat it, too. We’re going to deliver you best in class security. But at the same time, your highest value customers, your your most trusted customers are going to breeze through with an ease that may be a lower grade cybersecurity option was unable to provide. And I think to some degree, this ties back to the stakeholder education piece. Has it been a challenge? Convincing stakeholders within these organizations like, Hey, I am going to raise the caliber of your cybersecurity defenses, but at the same time I’m actually going to be a growth enabler and we’re going to bring more good customers through your funnel faster, despite the fact that the platform is going to be more inherently secure.
Mickey Boodaei [00:20:32] Yeah, it’s really interesting. And firstly, when you look at the customer experience problem, when you look at the friction in identity, it’s it’s all a result of security, right? It’s like there is no reason to introduce friction during authentication, during account registration, during all that, unless you’re trying to kind of like secure customers account, right? Authentication. Let’s think about how it’s all started. We need to make sure that no one can log into your account so we protect the data with the passwords. So we added some friction there, not a huge amount of friction, but then like we found out that people can guess your password. So we added restrictions around passwords. Right. They have to be a to circumvent the like includes all sorts of characters and you know that that introduced more friction and then like, you know, history of passwords. So you need to kind of like select different passwords through different accounts and you have more accounts. So and then like all that was not good enough. So we introduced like two factor authentication. So now you got another step. So we’ll send you a one time password over whatever SMS and now you need to go and do that. More friction, right? And we’ll do that over email and we’ll do that over app and whatever. And it’s all old friction. And the, the purpose of this friction is because we’re trying to to secure your account. Now, the problem here is that instead of thinking about how do we secure your account the best way, all we think about is how do we patch the existing controls we have. So everything I’ve just described, think about it. These are patches. So we had a password. It didn’t work because, you know, people could guess it. So what are we doing? We’re patching it. When restrictions doesn’t work. What are we doing? We’re patching it with another factor authentication, you know, doesn’t work. We’re moving to like SMS is not good move do OTP over applications, right? 
It’s like we’re patching that as well. So instead of kind of like, okay, let’s understand, how do we provide secure authentication and access to our customers? And once you start thinking about this from a security perspective, you find out that you’re not only improving the security because you’re not patching, you’re also improving the customer experience because you’re not patching, the patch is just another layer of friction. That’s the only way to think about it. And it’s a temporary patch because it’s a patch. It means that fraudsters will eventually break it, go around it. So, you know, by the time they introduce two factor authentication with SMS, it was already known how to bypass this technology. Okay. So it was just a matter of time. So, you know, you see this evolution of, okay, we have this control, let’s do we have this patch, let’s put it in place. So you got the first organizations that put it in place and they see less fraud, less account takeover, because the fraudsters, guess what? They don’t like to work hard. So instead of attacking these organizations, they went to the others. So eventually, like, you know, everyone got two factor authentication and now we’re seeing that it’s easy for them to bypass two factor authentication with man-in-the-middle attacks and social engineering and a lot of, you know, SIM swapping know about two technologies. It was always known that, you know, this is the weakest link of two factor authentication the way we built it. But like, you know, no one actually thought about, okay, let’s do something else instead of patching. Let’s try to think about a technology that is more sustainable and not only more sustainable, it will automatically improve the customer experience. So there is no balance. That’s what I’m trying to say. It’s just make security right. And your customer experience will be great. If you try to patch your security, your customer experience will just get worse.
And worse and worse. That’s that’s the kind of like the entire problem with the way the balance in identity today.
Cameron D’Ambrosi [00:25:23] I love that. In a quick follow up there, you know, on the on the consumer side, you know, do you see obviously, I think you guys see, you know, millions and millions of consumers certainly across both industry verticals and geographies. How are consumers adapting to the rollout of these new technologies moving beyond passwords? I think it’s a mistake. I think people people in the industry conflate familiarity with preference to to a certain degree around things like passwords. I see no reason why consumers would not embrace and rapidly learn to enjoy getting rid of passwords forever. I think it’s it’s just the notion of like, okay, I recognize what a password is. And even if I hate it, you know, it’s something I’m familiar with. How are you treating that consumer education challenge in partnership with your customers?
Mickey Boodaei [00:26:22] So there are different parts to this question. The first is like, you know, I have to say, there is nothing wrong with a password. If you know how to secure it, if you can make it simple to use and you know how to secure it. Most organizations don’t know how to do that. Okay. So kind of like, you know, this goes back to patching and adding more layers and eventually having a really bad customer experience. It’s all about account protection. It’s all about being able, like, you know, even if you look at the regulators, right, and all the regulations that they’re introducing around account protection, two factor authentication, all that, what they’re trying to do eventually is they’re trying to protect consumers from account takeover. Right. So they’re kind of like mandating different kind of like controls. But the only thing that they really care about is how do you protect consumer accounts? And instead of like organizations starting to think, how do we protect consumer accounts? They’re actually thinking, how do we comply with these regulations? Okay. So if you did the right thing in terms of account protection and technologies of account protection, you wouldn’t have that problem of the regulators bringing in more controls. And then like, you know, you have to deal with the, you know, the impact of it on your customer experience and then try to like, you know, do whatever you’re trying to do to minimize the customer experience problem. So, you know, I think that’s part of the problem. The other part of the problem, I think, is that the vendors in the market, which are basically for many, many years, are acting as you know, we are a compliance company, will help you to comply with whatever you need to do in identity, whether it’s passwords or then two factor authentication or, you know, whatever it is.
And they’re not thinking about like, how can we build a stronger identity architecture that provides better account protection? Because this is, in a nutshell, all what you know, what these platforms are meant to do, right? They’re meant to do like, you know, great account protection. Everything else is just like, you know, very, very simple to do a got a database of of users. Great. And they haven’t done that. So the the real shift in the market and what accelerated everything is when the the device manufacturers. So, you know, looking at Apple looking at, you know, Samsung, then Microsoft and all these guys start to introduce their biometric readers into into the devices. And basically they started to show everyone else they’re starting to show the same providers. Look, there are better ways to authenticate. Right. Were easier ways to authenticate, more secure ways to authenticate. We’re doing this to protect our own consumers and their devices. So it’s like it all went in the wrong in the wrong direction and kind of like the the device manufacturers took the took the lead on out to protect consumers. And then like all the oldest time vendors were just trying to catch up with. Right. It’s like, you know, we are years after the introduction of touch I.D. on mobile devices and we’re still start seeing like, you know, same vendors and and customers and vendors trying to catch up with how to introduce biometrics and device biometrics to to their customers. You know, it’s it’s it’s really interesting. And then eventually what what we end up seeing is that consumers are already educated. They’re already educated because they have you know, they have face I.D. and touch I.D. on their mobile device. They now have, you know, finger print authentication and even face authentication on their laptops. So they’re already starting to use that. So when actual applications are starting to to introduce it, they’re already familiar with it, like most of them. 
Many of them still like, you know, the education challenge is not that big when it comes to consumers. I think the educational challenge is big when it comes to how do we show organizations that there is a faster, better way to achieve security and customer experience, because for the last 30 years or so, nothing has changed. So, you know, you go a few years back, you know, applications and most applications still today are using passwords. Some of them are using OTP over SMS. You know, they’re using a directory. And, you know, everything that role based authentication and everything that I’ve just mentioned, these are technologies that are 30 years old. Right. So and that’s kind of like, you know, I would say the conflict because with account protection, you have to be, you know, you have to be really innovative. You have to move really fast. You have to introduce new technologies whether like, you know, Apple is a new technology on their devices. You need to be able to roll this out very fast. Right by the time you roll this out today, like, most of the technologies are already outdated, you know, almost obsolete. You know, organizations are rolling out today SMS OTP, right? It’s like it’s obsolete. It’s like, you know, you shouldn’t do that. You know, you should have probably rolled it out ten years ago. 15 years ago. Not now. Now. You need to do other things you need to do to move faster. Otherwise you’re just chasing your own tail.
Cameron D’Ambrosi [00:33:20] So a perfect segue. Thank you for leading us in this direction. You know, we’re coming to the end of our episode here. But given, you know, I think that the visionary role that you’ve played in this space would love for you to dust off your magic crystal ball and make some predictions for the future. You know, looking into that future, what do you see happening? What’s this next evolution that we’re going to see across the cybersecurity space, in your opinion?
Mickey Boodaei [00:33:48] I think more and more organizations are going to realize that the identity is basically, you know, the biggest problem and identities account account protection that drives pretty much everything. Everything else are just like, you know, relatively small problems for organizations. And once you solve this problem and you do this the right way, you’ll you’ll have the best security, you’ll have the best customer experience. You’ll move with the market, which is really, really important. Fraudsters are not going to move faster than you. So all that I’m starting to see I’m starting to see it sinking. I’m starting to see organizations realizing that this is what they need to do. It will take some time, but basically they will go and look for security vendors and not just security vendor. A cybersecurity vendor isn’t. There is a difference. We don’t have time for that. But, you know, cyber security vendors are going to solve this problem for them. So identity is going to move to cyber security for sure.
Cameron D’Ambrosi [00:35:02] Love it. Well, Mickey, thank you so much for your time again. Greatly, greatly appreciated. It’s always you know, I always jump at the opportunity to get, you know, a founder of your stature on board, let alone a three time founder of your stature. So thank you again. Really looking forward to hopefully following up with you in the future, too, to check in on progress. Shameless plug opportunity for folks who are listening, who are thinking, wow, gee, I, I have a lot of patches that I’m worried about and I want to do something better. What’s the best place for them to go to learn more about Transmit and about your product offerings?
Mickey Boodaei [00:35:40] Transmit security dot com. This is probably where you should start. There is a section there, developers, where you can go and see all the APIs. Everything is really accessible from account registration to authentication to user management to account protection. So really kind of like we’re trying to make it really simple to use all in the same place end to end APIs for your applications.
Cameron D’Ambrosi [00:36:13] Beautiful. You heard it here, folks. Check it out. We’ll also be sure to include that link in the show notes below. Mickey, thank you once again.
Mickey Boodaei [00:36:21] Cameron, thank you very much. It’s been a pleasure.