As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Carey O’Connor Kolaja, chief executive officer of AU10TIX, the global leader in automated identity intelligence and cyber fraud prevention.
She is one of the top influential women in the fintech industry, and has more than 25 years’ experience, leading the Fortune 500, from start-up ventures to scale-up enterprises.
During her time as global chief product officer at Citi Fintech and vice president of global consumer products at PayPal, she was responsible for the adoption of innovative technologies and cutting-edge commercial strategies, meeting the new and developing needs and interests of customers in global markets.
Thank you so much for joining us in this interview series! Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
My fascination with ensuring the safety of online transactions and interactions dates back to my days at PayPal. However, there was one particular moment, almost a decade ago, when it really clicked for me that this is what I’m supposed to be doing. I got an email from someone who created a pseudonym with an associated email address, who knew a lot about me and aspects of my life. I immediately began to question the integrity of the information and the perceived individual who sent it across the web. I was brought up to not ever talk to strangers, however there was something about this communication that compelled me to reach out to the sender; initiating a fascinating and “thriller movie like” exchange. That was when I started to question how we can know that the information someone is sharing with us can actually be trusted. The threat is no longer the stereotypical lone hacker. Rather, fraud is a global, organized and interconnected adversary.
Can you share the most interesting story that happened to you since you began this fascinating career?
We live in a world of misinformation and bad behavior. Rather than singling out any one story, I’ll tell you that we see situations every day of people misrepresenting themselves and defrauding systems, people and companies. Fraud can happen to anybody — even the most astute and attuned — but it helps to understand what signals to look for when you’re trying to detect whether or not something is authentic.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
You’re right. People who have had incredible careers and opportunities to influence change and scale don’t do it alone. I do have a handful of people who have been very instrumental in helping me get unstuck at moments in my career or who have believed in me more than I believed in myself. Brad Peterson, who’s the CTO of NASDAQ, was a mentor and a manager for me when I was at PayPal. Not only was he a leader above all others, but he was also incredibly ethical, kind, smart, and yet ruthless in a constructive manner when he needed to be. He showed me that it’s possible to balance being an authentic leader with getting a very high-powered job done effectively. Secondly, there were moments when he gave me a chance before I may have thought I was ready. Those opportunities really stick with me because they refined my skills and the type of leader that I am today.
Are you working on any exciting new projects now? How do you think that will help people?
I’ve made it a point to curate my career, choices and decisions to spend my time helping other people, so that means I’m almost always working on an exciting new project. Most recently, that’s been AU10TIX’s INSTINCT platform, which we’ve used to bring the global business community together to fight synthetic identity fraud. The concept for INSTINCT sprang from the realization that just as fraudsters leverage networks to amplify their attacks, it is time we did the same to strengthen our defenses. INSTINCT is now up and running and helping companies automatically identify risk based on historical behaviors, emerging patterns and facts that other companies have shared.
I’ve also been really engaged in my work as chairman of the board of Everest Effect, a disaster recovery platform that confirms that people who need help after a disaster are not only who they say they are but that they actually have a need when they say they do. A lot of us want to help others recover after a crisis, whether that’s a pandemic, a hurricane or a fire, but first we want to be sure our money will go directly to funding resources for people with real needs. Using technology to fill the gap between verifying and quickly responding to needs, Everest Effect is helping solve for the waste, fraud, and inadequacies in supply chains that have prevented more people from getting help when they need it.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
The biggest piece of advice I give my team is to be unafraid to live an unconventional life. And part of that is to not shy away from living an integrated life. The days of working from nine to five no longer exist. Give yourself permission to take what you need at any time in the day so that you can lead your best life, be your best self and enjoy an integrated existence. Know what it is that you need in order to be at your best, and recharge when needed.
What are the 3 things that most excite you about the cybersecurity industry? Can you explain?
Sure, first, I think one of the pandemic’s silver linings is that, for the first time in society, we’re all experiencing the same things. This has become a catalyst for raising collective awareness of the importance of data protection and how digitally connected we are. By driving a greater collective awareness around data protection, and the risks of being careless, it has accelerated business to create more trusted experiences, and consumers to become more astute in identifying fraudster attacks.
Secondly, while technology helps minimize risks in cybersecurity and keep the world safe, in and of itself, technology is not enough. We live in a world that’s interconnected, and there are a lot of people who are good at something, but in order to be great at solving a problem, we have to bring them together. Policies need to change, and companies need to work together. I’m excited that there’s been a rise of unexpected partnerships happening that never would have before.
Lastly, just 10 years ago the idea of creating risk models to protect our customers was kept completely separate from their front-end experience. Today, we’re now creating trust with the end customer in mind, and designing new products or experiences with privacy and protection by design. This will inherently improve our overall existence and create technologies that don’t put us at risk.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Yes, there are many companies and industries that didn’t think about fraud up until a year ago and are now rushing to play catchup. While the financial sector has been dealing with digital fraud for decades, it’s now something that’s become top of mind in sectors like education, social networks, and healthcare. If cybersecurity wasn’t core to an organization’s existence before the pandemic, it needs to be now. That means not just investing in the technology, but also investing in the people and education. Because far too often organizations put policies and technology into place to fight what they know about. This leads to organizations being one step behind because fraudsters are fast, agile and incredibly intelligent. I believe the most critical threats are those companies don’t know about, and that’s where the education piece comes in. They need help thinking through all potential threats and how to respond to maintain trust with their customers in the event of a breach.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
We’ve been big into fighting synthetic fraud this past year. Because the threat is no longer the stereotypical lone hacker. Rather, fraud is a global, organized and interconnected adversary, and annual losses due to synthetic fraud are estimated to be in the billions. Cybercriminals now have everything they need to create complete, convincing identities that bypass existing fraud detection solutions. In launching our INSTINCT platform, AU10TIX is helping defy these damaging trends.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Well, it’s not so much the tools that we’re using at AU10TIX, but the tools that we’re creating. The maturity of technologies in deep learning, biometrics, data encryption and data science is really paving the path for the future of authentication and has allowed us to build the most sophisticated cybersecurity tools to date. Our enterprise-grade, SaaS solution provides autonomous end-to-end ID authentication and processing. It allows our clients to rapidly and effectively verify and digitize consumer identities, through a multi-layered, automated, algorithmic approach that screens, classifies, extracts and authenticates ID documents such as passports and driver’s licenses to workable digital records. Our tools drastically reduce ID-based fraud and the costs associated with client processing.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
The need for cybersecurity isn’t any different when a company reaches the point at which they’re ready to have a CFO or CEO. There are certainly different points in the maturation of a company in which you have to double down on certain functions and technologies, and when it comes to making these decisions, it’s going to depend where you are on that spectrum. If you’re a fitness app that’s being used to cross train, perhaps you can delay that decision. However, if you are a fintech app that is going to move money, a CISO would be one of my first hires.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
When dealing with fraud, the most important thing to do is stay diligent and educate yourself about the topic. There’s a wealth of information online for consumers. And depending on what country you live in, tools provided by your government are usually a rich resource for identifying and reporting potential fraud. But as I said, it can happen to anyone. In the U.S., I would visit the FTC website, which has great information on helping you identify, understand, report and recover from digital theft.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Every company should have an incident-type response where they retroactively look at what happened so they’re better able to prevent future breaches. Beyond understanding the breach, the most important aspect of this process is to protect your customers and the business and to communicate to those who may have been impacted. The cascading impact of that information being used in other instances put customers more at risk. If you look back at Equifax, Target or Twitter, all of these breaches resulted in hundreds of millions of pieces of personal information being stolen. Those who have come out of it successfully handled it with transparency and empathy while providing the right support structure to help their customers. Those who faltered throughout the process didn’t say anything until it was too late.
Ensuring compliance with privacy measures outlined within the CCPA and GDPR is core to what we do in our work to protect data, our customers and their end-users, but we would honestly be taking all the same precautions, whether or not it was a policy. As data ends up becoming the currency of businesses to drive more insights, you have to take the necessary precautions to protect the information that flows through these systems. It takes a long time to build trust, but a nanosecond to lose it.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The biggest mistake companies make is thinking it’s not going to happen to them, and therefore they don’t put in the necessary precautions. Because of this, one of the areas that’s been a real concern for me is the world of a distributed workforce. We have quickly transitioned to a situation where information is being brought into homes, personal computers, and personal assets. If the right protection measures aren’t in place, then it increases the likelihood of some sort of exposure. Additive measures have to be taken in this current workforce.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Absolutely. The Economist has noted a 75 percent increase in daily digital crime since COVID-19 began; and the FBI is reporting as much as a 300 percent increase. We live in a digitally-dependent world, and the pandemic has only accelerated the mass digital migration. With every personal device that we connect, another pathway gets opened as an access point for fraudsters. As people move fluidly between physical and digital interactions, static identities are no longer sufficient to verify people, their actions or intentions. However, with technology, progressive policies and consumer education, we can create a trustworthy digital identity ecosystem that improves the security, privacy and convenience of identification.
Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Embrace adaptive identities and contextual privacy: Our identities are dynamic — shifting and adapting as we evolve through our lives — so we should also have adaptive security and authentication solutions that change as we change. Companies must begin to embrace the future of adaptive identities, which will include important identity documents like driver’s licenses and passports, but also new solutions to capture and connect contextual identity signals that suit the natural flow of our lives as consumers and citizens.
- Design for physical and digital security: Physical and digital security will increasingly tie together as virtual and in-person experiences blur. There are real-world implications to cyberattacks and breaches, and this will force enterprises to assume responsibility for digital security. At the same time, technology products exist to help securely automate many in-person tasks linked to our physical identity, such as DMV appointments, voting, doctor visits, remote work access, and real estate closings. Just as there are now “card-not-present” transactions, the dualized future calls for the ability to securely perform person-not-present transactions. We can design this by curating technology, mashing up verification systems and creating trusted partnerships.
- Acknowledge that “things” need an identity, too: We have arrived at a moment when our behavior and choices are captured by “things” — our phones, computers, cars, TVs and wearable tech — and these devices and machines are now influencing our financial well-being, our right to participate in sports, our right to access restaurants and buildings, and our right to cross state and country borders. Verifying that these devices belong to us and that it’s our behavior they’re capturing will become a critical piece of a bigger identity picture.
- Collaborate to compete: Would anyone have guessed a year ago that Apple and Google would share data? Probably not, but as COVID-19 spread they broke down rivalries to fight a common enemy. The same concept applies in fighting synthetic identity fraud, which we cannot defeat entity by entity, individual by individual — but as a unified, global consortium working to detect fraud.
- Make it personal: Identity has been a niche for so long, but in fact it’s relevant to every single person. As business leaders, the more we can step back from our corporate mindset and consider our own daily routine — the breadcrumbs we leave behind as we shop, sign up, send money, log in — the more we’ll understand that identity does not function as a niche. It’s a basic right and invaluable key to how society and commerce come together. If we design for privacy, choice and access — embracing cutting-edge protocols and encryption methods for protecting data — we’ll solve important business issues simultaneously for ourselves and our companies.
If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
From a business perspective, we need to harness the power of digital identity and identity literacy and take steps to move businesses and society forward. We need to ensure that everyone benefits from broadening the definition of identity — beyond a name, a citizenship, a gender — while also making identity more universally understood. Similar to how we are starting to better understand financial literacy at a younger age, a shift in learning about identity literacy would be greatly beneficial.
From a personal perspective, what if we can pay it forward to those in need with items that are excess in our lives? For instance, I’m entitled to health insurance through work, but I don’t need it because my husband has health insurance. However, there are millions of people out there who need health insurance. If I knew that person needed health insurance, why couldn’t I gift it to them? Simply put, how can we live in a world where we’re able to redistribute waste and wealth in a trusted and verified way?
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!