In this episode of Cybersecurity (Marketing) Unplugged, Bird also discusses:
- Crypto as a means of commerce in exchange in light of the collapse that it’s currently experiencing;
- How crypto players and their statements are becoming more regulated than banks;
- The blockchain as an opportunistic way to create value or fuel opportunities for economic gain in the corporate world.
Richard Bird is the chief product officer for SecZetta. Bird is a multi-time C-level executive in both the corporate and startup worlds and is internationally recognized for his expert insights, work and views on cybersecurity, data privacy, digital consumer rights and identity-centric security. He’s also a senior fellow with the CyberTheory Zero Trust Institute, a Forbes tech council member, host of the “Who The Heck Are You” podcast and has been interviewed frequently by media outlets, including the Wall Street Journal, CNBC, Bloomberg, Financial Times, etc. He’s also known as the “Father of Identity Management.”
The commodity markets have created a cryptocurrency bloodbath and these declines might not yet be over. In addition, many are wondering about the apparent ease with which cybercriminals can hack into cryptocurrency trading platforms and steal funds.
Bird gives his assessment of the security defense for cryptocurrency in general.
This episode has been automatically transcribed by AI; please excuse any typos or grammatical errors.
Steve King 00:13
Good day everyone, I’m Steve King, the managing director of CyberTheory. Today’s episode is going to focus on the cryptocurrency market meltdown and the implications to identity proofing, authentication and access management. Joining me today is Richard Bird, the Chief Product Officer for SecZetta. Richard is a multi-time C-level executive in both the corporate and startup worlds and is internationally recognized for his expert insights, work and views on cybersecurity, data privacy, digital consumer rights and identity-centric security. He’s also a senior fellow with the CyberTheory Zero Trust Institute, a Forbes tech council member, host of the “Who The Heck Are You” podcast and has been interviewed frequently by media outlets, including the Wall Street Journal, CNBC, Bloomberg, Financial Times, etc. He’s also known as the father of identity management. So welcome, Richard. I’m glad you could join me today. Thank you. I appreciate it. As always, Steve, it’s great to be on. Yeah, thank you. So let’s talk about crypto. First, the commodity markets this week have created a cryptocurrency bloodbath, and these declines might not yet be over. In addition, many folks are wondering about the apparent ease with which cyber criminals can hack into cryptocurrency trading platforms and steal funds. What is your assessment about the security defense for cryptocurrency in general?
Richard Bird 01:58
Well, when you look at crypto, it’s kind of funny to kind of go back to its origins and how everything got started. It was a brilliant idea, from a conceptual basis. And I’m trying to think of who said the quote, but everything works in theory until you put it into operations. And that’s really the problem that you’ve seen as it relates to crypto’s evolution, and you can make an argument, growth and maturity, but I don’t know if that’s actually accurate. I think in a certain kind of, you know, look at crypto, you could make the argument that the practice and the development of crypto markets and individual cryptocurrencies has gotten less mature, which is understandable, right, because there’s economic patterns in history that clearly showed that this was exactly what was going to happen with crypto. And I think those patterns also show that crypto is not invalidated as a means of commerce in exchange because of the collapse that it’s currently experiencing. But I think when you look at kind of early stage, you know, here’s the theory, here’s the market, that it creates the market and generates a massive amount of interest, investment dollars follow, and then behind investment dollars follows immediate speculation. And then the industry of crypto as we’ve seen, explodes in terms of its diversity. But, you know, a large percentage of those crypto players, you know, simply weren’t ready for primetime. And if you’ve been around for a long time, like you and me, every time there’s an economic downturn, that’s when primetime is, not when it’s, you know, Great Gatsby-esque and everything is, you know, blowing up and, you know, somebody takes the meme coins, and all of a sudden, you know, says something about the money increased by value 789 X, you know, it’s when the going gets tough, that you see who the true planners and survivors are, and we’re definitely seeing that in the crypto markets. You know, from a security standpoint, it’s been a whole lot of hype.
I’d kind of pitch that back to you too, Steve, like, I know that you and I have both seen these kinds of hype cycles, probably the most recent being, you know, ’98, ’99, 2000, you know, but how much of the crypto market do you feel has been driven by hype? Energy and, and how much do you feel it’s actually been driven by the actual, you know, financial economic value and performance is entirely driven by greed. Assessment and, and I don’t buy the, you know, the absolute security and regulation stuff that we’ve been continually fed here that, you know, we’ve got Congress losing their minds over, you know, we need more oversight. We need more oversight, but I talked to folks that are, you know, experts in the cryptocurrency space and they say that, you know, crypto is already more highly regulated than adjacent fiat markets. So, you know, it’s hard to when or whenever you see people, you know, having access to a billion dollar gain in a 24 hour period, you know, there’s always, you know, it’s the greater fool theory, right? I mean, if I’ve, well, you were with Jamie Dimon back in the 2007, eight meltdown, and the Yep, was Washington Mutual subsumption, I guess by JP Morgan Chase. And so you know, firsthand, right, that what you end up with there. And so my view is that this is entirely driven by greed that, you know, that if I can buy some, you know, credit default swaps that I can find somebody to sell them to at some point, you know, I love that you brought the CDO example, because there’s another pattern in history, right? And here’s where I really struggle with crypto and I absolutely agree with you like crypto markets and kind of crypto performance is a very greed and speculation driven market. Right. But when we look at CDOs, I think it gives us another reference point for why it should have been easy. For many of us, it was you know, many of us didn’t put money in the crypto market after we kind of peeled apart, it should have been predictable.
That with any kind of economic bump globally, that crypto was going to be impacted negatively. Because it kind of when you look at history, there’s very little in terms of a means of exchange, that is not tied to something of direct value. Right. So CDOs, in theory, were all about mortgages. But having been an old hedge fund administrator, Chief Information Officer, everyone knew after the first lump of CDOs were sold in the market and continuously passed, those collateralized debt obligations were tied to nothing. Right. And once the pressure of that economy, that economic event started to cause people to start to look for liquidations, and getting out of those CDOs, I quickly learned that they weren’t really attached to anything. Crypto, I like the idea conceptually of the ability to do, you know, digital exchange. And I think that there’s a lot of potential value for it in the future. But that’s not what crypto’s been, back to what you said, crypto has been all about creating fictitious wealth that isn’t attached to anything of intrinsic value. And there’s no way that those kinds of markets ever sustain themselves. We saw it with the internet bubble burst, we saw it with the CDOs. We saw it with, you know, the collapse of the economy during the OPEC oil crisis, all of them, you know, driven by the same thing, tons and tons of investing into vapor. So, you know, it’s, it’s going to happen again, before I’m in the dirt, maybe one or two times, but it won’t be crypto, it’ll be you know, what everyone is talking about next, like quantum? So, yeah, it is it by and you right, and it’s hard to believe that we don’t, we were unable to learn from history, which is amazing to me, since what they were if you count the documentaries and the movies that were made around the, you know, the financial crisis, and oh, wait, there must be seven or eight of them that were, you know, big time events?
And it will you would think that everybody’s seen them and understands what, but apparently not, you know, I don’t know. I yeah, I kind of like, you know, side with Gates and Buffett in terms of their investment strategy, you know, if it, if it doesn’t produce anything, I’m probably not going to invest in it, you know, so Well, you know, I love the Gates and Buffett reference too, because, you know, prudent investors have always won. I mean, throughout history, thousands of years, prudent investors have always won and working in hedge funds, when, you know, I was 15 years younger, better than I am now, was eye opening, because this ability to kind of just shuffle things and make money. Right, not shuffle, you know, not shuffle things that actually had tangible value, but just move paper contract around and, you know, speculate and take, you know, options and, you know, move on derivatives and all that kind of stuff. It’s like you said we don’t work from history, because the prudent investors, you know, continue to be successful over time. And then we have these flashes of these big things that happen, you know, over the duration of four or five years and then they collapse.
Steve King 09:39
But they do get, I mean, ultimately, they do get reconfigured. I do want to come back, Steve, to a point that you made about the kind of the crypto players and their statements that they’re more highly regulated than banks. That’s baloney. And I’m just going to be that’s to me when I hear that kind of stuff being talked about in the last several weeks.
Richard Bird 10:00
that falls in the category of “oh, poor me”-ism, right? You guys don’t understand how regulated we are. And it for me as a guy that used to sit in front of the Fed every two weeks, I can tell you that the level of oversight that crypto is exposed to in the United States is not even a scratch on the surface of what the banking industry has to manage. Now, that being said, I think that we’re way out of the universe relative to the effectiveness of regulations, and how much the banks need to manage against I think it’s, I think it’s ridiculous what the United States government has done to the banking industry, and constraining them. And the reason that I think it’s ridiculous is because by creating a situation where banks can’t be flexible and agile, to meet customer opportunities and expectations, then you create opportunities for, you know, the DeFi market, you create opportunities for the crypto market, and other financial services players to come in and operate with less regulation. And time and time again, it’s shown that when they operate with less regulation, should be the right amount of regulation, when they operate with less regulation, things go wrong, they play dirty, right, or they make mistakes that are, you know, substantial, but could have been avoided. And I think that the regulatory environment, the banking industry, probably has stifled the kind of innovation and growth that would have created opportunities for, you know, banks that have done this for, you know, centuries to be able to build a better mousetrap than we currently have with crypto markets today. Yeah, I’m sure that’s true. And I you know, as I recall, the SEC had domain authority over the rating agencies too back in ’07 and ’08, didn’t seem to matter that much. No. Yeah. So blockchain technology, you know, it’s all about cryptography and immutability, and decentralization and all of that.
And if you have cryptographic security, you know, and these assurances that no one can modify the data in a blockchain without the knowledge of the other folks that are involved. That seems pretty secure. Is it in your view? I would say it could be, it still gets back down to that, that, you know, big bridge you have to cross between theory and concept, and operationalization. So, we look at, we look at blockchain. Early days blockchain specifically for you know, kind of what I’m known for, blockchain for identity. The problem is, is that the digital us is a proxy for the physical sort of the analog us. And human beings are very messy, which means that we have a lot of aspects about being humans that are very sporadic, temporal, untrustworthy. And I always like to use the example when I used to talk to folks in blockchain and self-sovereign identity in the early days of kind of the conceptual uprising. I said, you know, I’m an old banker. So I’ll give you a great example of the deficiencies of immutable ledgers as it relates to banking and said, marital status is a component of identity, yes or no, and everyone SSI and blockchain all that would say, yes, absolutely. Your marital status certainly falls into an identifying characteristic. And I said, so I’m married. But I have, this is a hypothetical situation, I’ll make sure everyone who’s listening knows this. I’m married, I’ve been married for 23 years, I’ve decided that I am going to be a horrible person, and I engage in illicit affairs and my partner, my spouse, decides that they no longer want to be with me, and they move out to my second home. And then about six weeks later, they clear out every bit of the joint financial accounts that we have. And so where in the immutable ledger does “married, but it’s complicated” fit, or “married, but not really living together anymore,” or “married, but we really hate each other.”
There’s the mechanics of human society, and translating them to the digital gets messy, because human beings are messy. Now, that being said, I think that there’s huge and my mind has changed on this substantially over the last few years. There are huge fit for purpose opportunities for blockchain. When it comes to identity. I mean, there are characteristics that are associated with being a human, that are immutable, you know, not the least of which is our birth dates and our death dates. And I think that the opportunity to leverage something like immutability, as it relates to, you know, human beings, is it creates solutions for problems like I’ve experienced personally, which is, you know, I lost a family member. That family member has now existed in the digital world without you know, any of my influence for several years because marketing organizations pick up the data and they craft a new persona, and they send out credit card offers and, you know, I can see being able to leverage immutability and blockchain to give a better perspective on the digital you in a way that has benefit and value back to you. Right? I think when we start to look at blockchain as an opportunistic way to create value or fuel opportunities for economic gain in the corporate world, then people are just unfortunately, going to take advantage of it until we start to pull it apart. I mean, maybe blockchain is going to be the next blockchain in the corporate enterprise setting and using it, you know, from an IT operations standpoint, maybe that’s the next hype cycle. Who knows? We’ll kind of see. Yeah, I’m sure Gartner will help us understand which one it is, if you were to, you know, create an idealized IAM system for
Steve King 16:03
all of this stuff, what would that look like? You know, and then, you know, think about in the zero trust context too with, you know, levels of granularity that we need to get to that we’re not at now. And all the rest of that, what would that look like?
Richard Bird 16:19
When I get asked that question and I’m, you know, kind of trying to future cast what a not necessarily utopian state, right. But a, a really effective proxy world where the analog me and the digital me have a much tighter relationship, there are a couple of key things that I always touch on. The first is, is that we have made a huge mistake, in requiring a human being to have to continuously authenticate as a different persona, in every single company, every single organization, every single agency that they interact with, right? It’s just, yeah, it’s this. It’s this bizarre one-to-many relationship that creates massive problems, massive security problems, because all I have to do is get one of you out of the, you know, I saw something recently, we all have 160 to 180 active internet accounts and identities, you know, commerce and banking, and all that kind of stuff. You know, all I have to do is get one of those and I can do damage to you. So I think that we look at the benefits of crypto and its association to the possibility of changing things. I’m starting to see a technical pathway to solve what I’ve been passionate about, ever since I got into the solutions industry and out of corporate about six years ago, which is digital identity should be for the people. If you start with that, then this notion of bring your own authenticator. There’s only one me, and there’s only one authenticator, we could start to do the mechanics around that with something like an NFT for identity, right? The problem is still who owns the mint, right? That’s a, let’s just push that off for a second.
It’s the operational piece, who owns the mint, but the idea that I could have some form of an authenticator that has a direct tie to me personally, and then I manifest that authenticator opens up a whole new world, on a corporate identity side, the government entity side, because almost all of the security solutions that exist outside of the identity space exist, because we can’t prove that you are who you say you are. And that’s internal, and that’s external. So if there is a high degree of surety, that the analog person who’s trying to engage in the digital is who they say they are, massive amounts of spend, overhead, friction, you know, inefficiencies get driven out of the digital world, because of the fact that we’ve been layering tech upon tech and solution upon solution to try and mitigate the bad outcome of just one person who’s not who they are getting into the systems. And so you know, the idea of a bring your own authenticator opens up then the second tier of that utopian landscape and identity, which is the vast majority of energy is spent in the authorization area, after I’ve authenticated. And that authorization plane is where there’s a tremendous amount of stranded business value, and opportunity for companies to really accelerate improving customer experiences and all that kind of stuff. Now, just I’ll just kind of tie this off with that utopian state is necessary, because I don’t know about you, but in the last three years, my digital consumer experiences have absolutely sucked. Yeah.
Steve King 19:53
Richard Bird 19:55
I mean, they’re horrible after 20 years of digital transformation. They’re horrible. And why is it? Why is it that if I am going through multiple steps of your multi-channel system to get an answer to my problem, I’ve got to authenticate, you know, three, four different times, the call service agent is asking me knowledge-based questions or, you know, the system is telling me to click the stupid reCAPTCHA pictures, like, how is this where we’re at. And a lot of it is just simply because we’re relying on an identity framework that is completely dependent on these independent accounts and these independent identities across all of these different organizations that we do business with. And I think that that’s where the big changes are going to come. And I think we’re in the window. I think that, especially with Apple’s moves and Apple Wallet, Google Pay, everybody’s trying to get into the Bring Your Own Authenticator business, even though they don’t call it that. And I think that you’re going to start to see kind of camps of corporations lining up, especially with Apple’s announcement about FIDO, lining up behind these big players and capitalizing, frankly, on Facebook’s missed opportunity. Facebook could have been the SSO and Federation for all website identity, but they dropped the ball, right? They didn’t just drop the ball, they just put the ball in the Mariana Trench, and we’ll never be able to recover it again.
Steve King 21:18
Indeed, it’s right. Yeah. So you know, with bots, and 5G isn’t going to get even more complicated and difficult to determine whether or not you’ve got a human being entity on the other end.
Richard Bird 21:35
Without a doubt, bots are such a great example of this. Again, I always go back to patterns. When you give application developers a toy. And you say, Go forth and conquer, they go crazy. I’ve said this repeatedly, when I’ve spoken, cybersecurity is at least five to six years behind every major change in the technology landscape, takes that long to catch up. And APIs are such a great example. APIs have been around now for API Academy, I think was written about 11 years ago, you know, companies are now trying to wrangle security, around 10 years of application developers doing whatever they do. Yep. Yeah. And yeah, so I think that, you know, this rise of 5G and the rise of, you know, bot driven transactions certainly is problematic. If 5G I always kind of laugh, like 5G means that people are going to screw things up faster. And it’s not necessarily going to create an opportunity for better customer experience, it’s just gonna create an opportunity for bad things to happen faster. When somebody clicks that damn link in an SMS text and gets had on his cell, you know, hack, right? The bot side of the equation, it has been interesting to watch from a consumer as well as a corporate standpoint, because it’s pretty clear that human beings are able to suss out bots. Pretty good. Like, you know, when you’re, you know, it might take you a couple of cycles, you know, going back and forth about your last order, or UPS tracking. But after a pretty short amount of time, people are frustrated. And it’s really interesting, me talking with people, family members, friends and colleagues, how quickly people go, Okay, I’m gonna figure out a way to bypass system. Right.
So I think that that doesn’t mean that the evolution of bots and bot technology won’t continue to grow to kind of deep fake levels, I do think that there’s still hope in people wanting genuine experiences, even when they’re digital, that would suggest that, you know, the kind of where bots go is, is kind of going to be a fits and starts kind of growth, I think. And then we’re still going to see people recognizing that there’s value and true customer service and experiences. And they’re just going to shy away from them. So it’ll be interesting to see how it evolves. But, you know, on the 5G point, I just like I said, I think it’s a fail faster technology. I don’t have much hope that I’m actually going to get better bandwidth on my phone from my carrier with 5G.
Steve King 24:18
No, and then you know, speed is the enemy here. So anything that enables the bad guys to do what they do faster is, is always a bad sign for the good guys. You know, we’re already losing this war, and it’s just gonna get it’s in my estimation, it’s just gonna get more difficult with that kind of speed
Richard Bird 24:37
shift. Yep, I agree. I always like to use the reference points of cars because I’ve had quite a few in my day. Putting 5G in your hand doesn’t make you better at the Internet, just like putting a keys for it doesn’t make you a racecar driver. Right, right.
Steve King 24:53
analogy. Yeah. What are your final thoughts? I’d say I guess I’m conscious of the time here. And I think we’re closing in on the half hour about the technology and whether I mean, this is a very loaded and broad question. But you know, is it actually worth introducing more new complexity and, and an increased load when we can barely keep up with what we already have? It’s a
Richard Bird 25:23
terrible idea, unfortunately.
Steve King 25:26
All right, while you startups out there.
Richard Bird 25:30
For me, it’s not so much the security solutions or the solution space and tech startups that are challenging because if we look at the mechanics of, I had said this last week in San Francisco, the one thing that I’ve learned now being on the solution side, after so long on the corporate side is that nobody in the solution space kind of writ large, this is a broadly general statement. So if there’s one or two founders out there that take exception to it, just know that you’re the exception, and I love you, right. But in working now, in the investment community, and working in the startup community, I am staggered by the reality that people that are in the solution space are opportunistic, they did not wake up one day and go, you know, what, there’s this massive or even, you know, a niche problem in the marketplace, that needs to be solved. And I’m gonna wake up every day and do nothing but focus my attention on it until it gets fixed. That is not the motivation in the solutions industry, the solutions industry is opportunistic, somebody sees a gap, they see that it has possibility to raise funding, they use that funding, then to create revenue and hope to blow that thing up into a unicorn and get out next equity exit stage. None of that makes the world safer. None of that makes the world better. And none of that makes the world less complicated. But it is the dynamic that all these players operate off of. I think that when I worry about the additional complexities, it’s more at kind of the kind of the meta platform or major technology changes piece. And the other thing that I had said last week is like you can look at the extant reality of technology today. And 90 plus percent of all workloads are run by mainframes on a daily basis. It doesn’t matter how big the cloud has got, midranges are still around, I’m talking to people that are still running AS/400s.
I’m talking to people in the manufacturing industry that are still running Windows XP Embedded on industrial control devices. And I think that this complexity issue is missing the reality of human behavior, which is we never get rid of anything. When it comes to corporate technology acquisition, corporations are like your aunt that hoards everything, right. And I know companies that you can walk into and say, Hey, I really think that you need to buy X and they go hang on, let me just take a look at the CMDB and they look and go, Oh, yeah, we already have subscription licenses to that. Like, are you using it? No, but we have it, right? This hoarding mentality means that whatever comes next is just added to the woodpile, and that’s where the complexity comes, right? When we think about it, my last leaving point would be, you know, bring it back to identity. If you want to be exceptionally good at identity security, what you need to be, because 20 years of history shows us that, that’s how you’re going to get breached four out of five times, right? If you want to be exceptionally good there, then you have to be exceptionally good at managing your identity experience across your mainframes, your midranges, your client-server environment. Everybody now wants an Apple device in the corporate space. So now you’re on the iOS side, you know, you also have the Windows side because you got people that hate Apple. And then you’ve got now cloud, right, but you don’t have just cloud, you have Google, you have Azure, you have AWS, and then you have maybe a couple of regional players. And everyone’s like, talking about quantum, quantum isn’t going to take everything out, it’s not going to take up a thing before it, quantum is going to be added to that stack.
And everybody’s going to have to try and manage across that with the exception of companies that start now and they’re just all pure greenfield, but none of those companies that are all pure greenfield and going with just cloud technologies are in the Fortune 2000. None of them you know, I think that this, this inability, I don’t even think that it’s necessarily you know, that there’s too much tech or there’s too much in the way of solutions, or there’s too much in these IT or technology, referential stacks, I think it’s the fact that we just don’t get rid of anything that is really causing the majority of our problems. And that’s probably a conversation for a whole nother bag has the because, you know, there’s corporate politics and budgets and all that that’s kind of tied up into, you know, why do people keep, you know, keep stuff on life support, that just increases their complexity rather than going a more elegant, you know, simple or streamlined approach. But I don’t think the next thing is the problem. I think it’s the last 27 things that are the problem.
Steve King 29:55
Yeah, I agree 100%, and you know that the difficulty with that is that there’s the perception that those last 27 things actually work. In fact, they’re probably the only things that actually work. So your reluctance to get rid of them is understandable. What check processing has been running on COBOL systems for how many years? 50, 60, 70 or something?
Richard Bird 30:22
Yep. Yep. Yeah. Yeah. And it’s, you know, back to what you said, it works. You know, I, something I shared last week was like, if you’ve got something that works and solves 100% of your business problem, and some cloud guy walks into your, you know, cloud application, guy walks in your organization says, Hey, we’ve got a better faster, you know, cooler, more redundant thing. But it only solves 80% of your business problems, instead of 100. Like every time somebody that’s in that seat is going to default and go, I’ll stay with what I got. Yeah,
Steve King 30:54
course. Sure. Well, and then, and that’s a whole other episode that we can talk about, too, is what is wrong with the current sales and marketing crowd, in terms of how they’re going to market with this thing. So in any event, we’ll leave that for now. I think, gosh, you know, this was great. And it’s always refreshing and a pleasure chatting with you, Richard. So I thank you for taking time out of your now ultra busy day because of increased responsibilities, etc. And congratulations for that. You know, I wish you the best over there. I hope that that whole experience turns out to be as positive as we all expected when you went there, and I’m sure audience appreciates it as well. So thanks again.
Richard Bird 31:42
Thank you had a blast. Always, always do. All right. Great.
Steve King 31:45
We’ll catch you up in a few months. Thanks, Richard. Take care. Thank you.