Hiten Patel: Welcome to the Innovators Exchange, and I'm delighted to be joined today by my colleague Cosimo Schiavoni, who leads our banking technology work in Americas. And Mike Engel, who is the co-founder at 1Kosmos. Welcome to the show, Mike.
Mike Engel: So great to be here. I'm looking forward to chatting with you.
Hiten: Why don't we kick off, Mike, by you just describing or introducing what you are doing today at 1Kosmos.
Mike: Yeah, so 1Kosmos, I think it's good to start with description of the name of the company, the Genesis story Kosmos, which is with a K stands for universe, the one we use in English, but it's a Greek word. And the idea is that we're an identity company, which is very closely related to cybersecurity that will get into, but the idea is you'll have one identity anywhere that you go in the future. And if you think about the problem we're solving is actually quite significant in that you have hundreds of identities spread out all over the internet, some different identities in your pocket, and it's a real mess. And because of that, we're suffering from a terrible user experience and suffering from massive amounts of fraud and synthetic identities and all kinds of problems. So we created this company going on 10 years ago to try to solve the problem of you being able to prove who you are and have great user experiences.
Hiten: Well, it sounds super relevant, right? Given everything that's going on today, it sounds like it's bang on trend, but just rewind the tape a little bit and just talk about your journey before that, I guess started out in infosecurity at one of the big banks. This is something that you've kind of been following through quite a long time,serial founder investor. I'd love to just hear a little bit more, Mike, about the journey that got you to where you are today.
Mike: Sure, sure. Well, it goes way back to when I was 10 and my mom got me my first Radio Shack color computer for a hundred dollars and the rest is history. But no, I've been into the computers really since then. I really do have to thank my mom for that. So when I entered the workforce, I started in distributed systems. I was migrating from Novell to Windows and doing all this stuff and security didn't exist as a practice, call it back in the nineties. It wasn't a thing. It was something that some people did. Firewalls were just being created and antivirus was just becoming a thing. I ended up landing at Lehman Brothers in the late nineties and spent 12 years of my career there and just right time, right place. I was able to position myself in a security position as that field was maturing.
Mike: So they didn't even have the term CISO when I first started doing it, right? Chief Information security officer. But remember it like it was yesterday, I don't know if any of the listeners are old enough to remember the Melissa virus. If you were in corporate using Microsoft Exchange email, your mail got shut down on the day that Melissa virus came out. And so they had a new CTO start that day and he goes, all right, there's a virus. Where's the security team? And three of us stepped forward and I said, “I guess we kind of are”. And that was it. So I spent the next call it eight to 10 years after that building the program. It's just an amazing team and solving the problems of the day up until Lehman went bankrupt. And that really set me on a path for information security until I pivoted into identity about 10 years later.
Hiten: I'm just going to pause you there. Just double click a little bit and say a bit more about what did information security mean at that period? Where were those viruses coming from? What were the threats just bring to life? I think a lot of the listeners probably as you've called out, may not have been around or understood what things looked like back then. It'd be great to paint a picture.
Mike: Back then. It was all about destruction. It was really kids, not many state actors, that were releasing bad programs into the wild. And the only purpose was to just shut things down. So the Melissa virus was created by some kid who created a macro where if you double click on this email, the word macro runs and it just shut everything down and spammed itself out. And then you had the Morris worm. So back then we just tried to create a perimeter around the entire company with firewalls and with proxies. So proxies are what cause your outbound traffic to get inspected, right? So you don't go to bad sites. And so it was all about endpoint protection and keeping bad guys out with this really hard perimeter, but there was really no security on the inside. When somebody got inside, it would spread like wildfire. Back then it was “keep bad guys out, keep your good guys on the inside safe”.
Mike: Of course, we know now the cloud wasn't a thing when I started this journey in 1996, but now there is no perimeter anymore. So the threat landscape has changed dramatically. How many accounts do you have on different systems, whether it's Gmail or open AI or Salesforce, or when you go shopping at the holidays, you create 50 more accounts. There's no more perimeter anymore. So the threat landscape has changed quite a bit. And then of course, once security became front and center, it's starting to make its way up to the C level and the board level. Now there's all this regulatory, you're filing SEC postings when you get hacked, it's become a really big deal. So I feel like I got, was kind of the wild west and I was one of the sheriffs in town when I was doing it, and now it's all lawyers. So I don't miss being in that world.
Hiten: Fascinating, fascinating. Then keep us moving then post Lehman. What happened next for you?
Mike: Yeah, I started a telematics company because interesting story. When Lehman was affected heavily by 9/11, we had a thousand people in World Trade Center and all but one made it out. We lost one person who happened to be in the elevator. And then so we really were focused on individual security. How do we make sure that our people are safe when they're at the office? So in my InfoSec role, I got to keep our assets safe and protect your computers, but then I had the ability to try to protect the people and know where they were and get them out of a building. So I took on physical security technology as well. So that's your access control and your cameras. And I put a little chip in the Lehman Brothers badges that would let us know when they got out of the building because the biggest challenge in a crisis as you don't know who's out and you spend all your time looking for the 6,000 Oliver Wyman employees, but 5,500 of 'em got out of the building.
Mike: So I got really dialed into that and I took what I learned there and applied it to tracking vehicles and people for Fortune 500 companies with a company called Two Track. So we were tracking pilots as they went all over the globe, people when they got on and off of buses and vehicles. It was a really neat journey and got me into the entrepreneurial spirit. So that company is still around and doing its thing today. And I had the opportunity then to partner with an old Lehman Brothers friend in 2014 and start an IoT security company that would detect all the wireless threats in your environment. So you think about the room you're sitting in now Hiten, there's probably a hundred wireless transmitters around you. There's five in your phone, five in your laptop. There's Bluetooth, there's thermostats on the wall. So we saw a need to monitor your airspace, that company's called Bastille Networks. And so we built that. It has these hardware sensors you put in. It's really great for super secure environments like white rooms or government facilities where you can't have cell phones. And so I've moved from that corporate big budget. It was a lot of fun, put into that building and learning how to go from zero to one as they call it, where you have to take something that doesn't exist and create from scratch. And then 1Kosmos was my journey that started in 2018 after that.
Hiten: So bring us to 1Kosmos. Tell us a little bit more about the founding, the inception, what you leveraged from that previous journey that has enabled you guys to be successful in what you're doing today.
Mike: Yeah, it was putting my toes into the identity space was, I've always done identity because when you manage accounts, you're managing the identities of people. And we had a massive project at Lehman Brothers, but identity has changed in the last 10 years where in a way that is really foundational. So if you think about what the enablers are for identity today, it's you being able to look into a camera and I can tell who you are. It's you being able to present a trusted credential. And so I can reach out to you right now and have you prove that you are who you say you are. And now the time is perfect for this because you have deep fakes. Everybody's now questioning the identity of everything we see and touch online. So what I've learned is security professionals don't really know identity. They're still trying to protect the assets.
Mike: But in terms of proving who somebody is, how do you prove who your callers are into the help desk? That's where a lot of the attacks have happened lately. How do you prove who's accessing your bank accounts or opening new accounts for KYC and things like that? And so the time is right for this because in everybody's pocket is a very capable identity verification device. Your laptop that you're looking at me on right now has a camera. Your phone has a high-res camera. And we also trust these devices to keep our lives and our, call it digital certificate safe. So these are enablers that didn't exist before the iPhone 5. You just couldn't do it. The cameras were low res, there's no safe place to keep everything. So we took advantage of this and we make it easy for a company now to embrace these technologies and just say, I need some verified identity for this important business function. And we're seeing the entire industry learn to adopt some of these concepts now. It's a real revolution going on.
Hiten: Awesome. I'm just going to bring Cosimo in here. He's spending a lot of time with our banking clients in particular around some of the applications and things around the space. So Cosimo, you want to dig in a bit deeper around what Mike and the team are up to here?
Cosimo Schiavone: Yeah, thanks. Hi, Mike. Great to meet you and congratulations on the progress. Maybe a bit on the point you made the enablers. Obviously despite all of that though, there's still rise of fraud, increased sophistication of attacks. It feels like it's always catching up with what frauds are up to. Can you give us a little bit of where we are? And you mentioned biometrics. There seems to be an interesting technology. Where is it actually used and how to think about that. So maybe an evolution of where we are will be helpful.
Mike: Yeah, absolutely. So here's a pretty bold statement that I've been making for a while now. You can't prove who somebody is without biometrics. You have these things we've been using for 60 years called usernames and passwords, and then we've scraped on all this two FA stuff on top of that, trying to make it a little better. I'll send you a text message.
Cosimo: Two FA is that two factor identification.
Mike: exactly. Two-factor authentication. And I think the general population has just gotten comfortable with, oh, I have to go get a code or click a link in my email for that extra layer. But it's so painful, right? And I just saw, I was at a identity show last week in Las Vegas called IDENTI Diverse. I just saw one of the major airlines announce the move away from secrets when you log in, what was the first concert you went to and what was your mother's shoe size when you were six?
Mike: They just moved from that to A two FA code. And I was like, we were all scratching our head. That's the evolution. And so it is a long journey to change the way the public does things. And Cosimo, you being in the payments and financial services industry for quite a long time related to credit cards and chip and pin, why did it take the United States so long to go from magstripe to having a verifiable chip? If I flip that script back at you for a second, all they had to do was just do it, right? But it took, I think the Target hack was the real compelling event where you said, oh, this is a disaster. Cards can be cloned now so easily. The rest of the world did it 10 years before and the United States caught up afterwards. And that's happening in identity. You're seeing the old way of doing things.
Mike: People are afraid to change. Banks are afraid to ask their customers to do anything different. So they just accept billions in fraud and sweep it under the rug. But those billions are becoming tens of billions. The bad guys are subverting the usernames, passwords, and two FA. So you'll see two things. You'll see customers demand it. I don't feel safe at my bank, that code you're sending me, I don't trust it. Now I get five text messages a day that claim to be a Bank of America or Wells Fargo. And so you're going to see it pushed down from the organizations and pulled by the customers, which I don't think it's happened too many times in the technology industry.
Cosimo: And so I think you drew up some distinctions or parallels, and I agree, the US is often catching up on things. I think this is one, actually, we talked about digital identity in the past where some countries have adopted digital identity teams or the banks have come together and create those. It just feels like in the US we're a little bit behind when it comes. And particularly in financial services. I mean airlines, you start seeing other initiatives, government, but in financial services still feels a little bit behind, willwe eventually get there. Mike, in your view? With a digital identity solution in the US?
Mike: I think we will. There's a couple of trends that we're seeing in the identity space. So unfortunately today, the best way to verify your identity is to take a picture of a driver's license in the US because we don't have a digital certificate built into our driver's licenses. You have to take a picture and then match the face. I'm sure many of the listeners have done that, especially if they've opened a crypto account in the last couple of years. So that's not a great way to do it because now you're relying on, people can manipulate and Photoshop and do things. So we have all these compensating controls that maybe we'll get into, but you're seeing Apple and Google make a push into a safe place to store credential.
Cosimo: This is the driver license example where I think Apple is doing the mobile driver license?
Mike: Yeah, we've got an okay, start there. There's about four states that allow you to contact the DMV and pull your state driver's license into your Apple wallet. So imagine if we all had that, if I had my New Jersey driver's license right here and my passport here, and I can just tap it somewhere and boom, proof of possession, do my face idea and I'm in. So that is happening in fits and spurts. So that trend will continue to mature. And then one great thing that Apple and Google have done is gotten everybody comfortable with using biometrics on our local device. Do you use Face ID or touch Id?
Cosimo: Yeah of course.
Mike: Yeah. So we know how easy that is, right? Boom, I'm unlocked. Imagine if you could do that for a transaction when you log into your bank, not just with face id. I know we can kind of do that today, but imagine if you walk up to any online retailer and you can do that and you're seeing it happen globally. Some other countries are adopting this pretty heavily. Here in the US, you’ve got Amazon with, I believe that they're called Go where you just walk in, it knows who you are, you take stuff off the shelves, you walk out, amazing experience. Why bother whipping out some plastic or having to go through all these hoops? So as I mentioned a few minutes ago, without biometrics, you don't know who it is. We just have to get the population to trust that the biometrics are being done in a safe way. And we could talk an hour about the privacy of biometrics, right?
Cosimo: Okay. And so from your perspective, where do you see the biggest opportunities, right? Obviously I suspect it varies by verticals. Can you give us a sense of where you are and then direction of travel?
Mike: So for us, it's all about user experience. When you get in front of a computer or your phone and try to do something on a remote system, there's nine out of 10 times you're going to have a frustrating experience unless you use that every day. You log into Amazon, press a button and a box is on your door in four hours. It's amazing. But everything else is a broken experience. Today coming into New York City, I haven't used my New Jersey transit app for the longest time. I was going to pop off. I was in traffic and get on a train, I couldn't log in. I just said, you know what? I'm going to drive the rest of the way to New York. And I think that's the opportunity is how do you create a delightful experience for customers and have it be more secure? Because when you implement more security, you implement friction and hurdles and hoops, and you make your employees not want to come to work because they have 7, 8, 9 logins before they even get to lunch. So that's where the opportunity is. If you can go to a CIO and say, I will make your employees lives easier and more secure, and oh by the way, we're going to save money on consolidating five systems down to one, that's where we're seeing the conversations have a lot of merit.
Cosimo: And just one last thing. I think everything we have said applies to the sort of employee use cases as well as the consumer use cases, right? It's like both sort of technologies and both enablers. They will allow you to help your employee do their job better logging into the systems as well as conduct the transaction with your bank in a more safe manner. So there's those two sides. Maybe Hiten turn over to you.
Hiten: Yeah, I just want to build, I think it's a fascinating conversation. Thanks, Mike. I guess I'm just getting over the disappointment of not putting in my first ever concert as the secret questions. That was definitely more enjoyable than having to go and go find that email account to click the link or add the seventh exclamation mark when I have to change my password again. But just linking back what you described now to your journey at the start, I guess I always have this image in my head of a bit of an arms race. Does this kind of continual need to evolve as there's always a new way of fraud or there's a new kind of threat that you've described over the years? I guess in your mind, what's needed to stay ahead and even in of this kind next evolution of the Passwordless system, what are some of the risks and what are the kind of requirements that you need to do to stay ahead and is this the ultimate end game in your mind? If this is done right, or do we think in five, 10 years time there'll be, I dunno, is it more advanced biometrics or where do we go from here on this longer-term journey?
Mike: Yeah, the two things that make your identity secure is something you have and something you are, this is InfoSec terminology. We've used something, we know the password for so many years and that's broken. The bad guys have stolen your passwords. They know how to guess them. They can crack 'em. So now it's something you have and what do you have? You have a secure place on your phone, you got a sim, you maybe have a digital driver's license or passport, and then something you are is your face. Those are going to continue to be entrenched into our digital society. But now there's an arms race with the bad guys who know how to spoof your voice and spoof your face. So you might've heard about the organization that had $25 million stolen because they spoofed a call pretending to be the CEO and they sent out a whole bunch of wires and a live zoom pretending to be the corporate employees.
Mike: And so that's happening more and more. So how do you mitigate that? Well, imagine if you and I are on this zoom today and I had a little green check mark in the bottom left next to Hiten Patel that says verified and I trusted it. And how could you do that? Well, you presented a trusted credential when you started the call. I don't even need to look at the camera to know you're there at that point. I trust the credential, right? I trust the driver's license in my pocket and we trust the passport and our digital persona will be that trusted. I mean, we already have the tech to do it today. It's just a matter of adoption. And so you'll see this arms race and the compensating controls are that verified credential as well as the biometrics together. Because when I look at Instagram and I see some politician giving me some rhetoric, I don't know if it's them. So we need that trusted credential to go along with the biometric. And then there's a third leveler. So as you detect deep fakes, there's technologies that can tell if video's been generated, been altered, but the bad actors are going to continuously know how to, it's like a cat and mouse game on that side as well, but it's happening already.
Hiten: I guess again, hearing you speak, it feels like there's two dimensions to this problem, right? There's the technological angle and then also the behavioral and the adoption. And it's interesting how many regional variances we're seeing, right? Some of the countries in developing economies take quantum leaps and government issued identity and biometrics just enable this whole ecosystem versus this pretty grounded civil liberties, personal freedoms, debates. And even here in the UK, national identity cards has been something that hasn't been adopted. And yet, post covid, having everyone use their NHS number, you've got a massive accelerant on the services that can be deployed. So it feels like you need both the technology and then the underlying willingness to build more pillars around some of these core bio metric elements. So very exciting, very exciting space. Indeed.
Hiten: I'm going to just pivot a little bit onto the next stage of the conversation. I guess just wanted to kind of delve a little bit more into your personal journey. Mike, right? Practitioner, very passionate about an area of a field in the technical space, going to large corporate, going to starting new company. And it's really helpful for a lot of listeners to kind of, when you can just share some of the learnings from that journey. What were some of the biggest challenges or obstacles that you faced from that relatively unique path that you think merit's being passed on that others could benefit from?
Mike: Yeah. So there's a couple challenges that I faced just because of timing. The first was the crisis of 2008. The whole world shut down and from a bubble perspective, and that's when I exited Lehman Brothers, was at the precipice of that. So getting out into the real world in 2008 and trying to start a company might not have been the best time. And it was hard. I tapped out a good chunk of savings to make it happen. So I did learn some of the basics of block and tackling of getting a company started at one of the hardest times. And I think because of that, I learned frugality. If you go out and spend more than you have for too long, eventually the zero interest rates will end and money doesn't become free anymore. That's one of the biggest lessons I learned. And we went through it again in Covid. So at 1Kosmos, we were trying to build a company sitting at home in our pajamas for all those months, and it was really hard. So we learned how to adopt a technology, how to work with clients that weren't in the office anymore. And those were some of the biggest challenge. But I'd say the biggest part of it is when you're starting a company is there's a concept called build, measure, learn.
So one of the biggest lessons I learned was the ability to test something with your customer base as quickly as possible. There's a book called The Lean Startup by Eric Rise, and he has this concept called build measure, learn, build something, try it as quick as you can, and they call it failing fast or whatever. In my early days, I hung on to a certain feature or a product or market segment way too long and time and business wait for nobody. So you can spend a whole lot of time in the wrong place.
Hiten: That's awesome. I mean, that's definitely one of the key learnings. That's quite a consistent theme along the founder stories. I guess to your perspective, how was that different from when you were doing a role at one of the big banks or the big corporates where you're trying to find and navigate your way and deliver the impacts? I guess is it just that loss of the protections and there's a ruthless exposure to some of the basic constraints of funding and the need to survive or what's that compare contrast?
Mike: Right? It's your default state. So in an enterprise, if you don't show up to work for a day or a couple of days or a week or even a month or maybe do a half-ass job, you are still okay. You might get a bad review or get fired. In a startup, your default state is dead. So you have to continuously keep the company viable until you get to cashflow positive and build that base and learn how to invoice customers and have customer success and good product marketing teams, all that stuff. So that's the biggest difference is that lack of a safety net and taking the risk.
Hiten: Talk to me a little bit about what you do outside of work to keep things ticking along, any interests or hobbies that kind of enable you to do the day job in a more effective way.
Mike: Yeah, that's another thing I learned when I was running around the trading floors at Lehman Brothers and building systems. I would work ridiculous hours, and I've learned, I've got amazing wife and five kids and three dogs and grandkids and all this stuff. And that's really why we do these things is to make sure you reset at the end of the day or end of the week and be able to spend time with the things that really matter in life. Of course, you need a fulfilling job and want to what you do because it's a third of your life, but it's not what's really going to make a difference for you when you're at the end of your journey in this world. So I wish I had learned that 10 or 15 years earlier, just being able to have that balance.
Hiten: Yeah. Yeah. No, I think there's definitely a lot of post covid, a lot of people were able to recalibrate and actually a lot more optionality in terms of how much time is spent where got introduced off the back, a lot of the flexibility there.
Mike: That's right. That's right.
Hiten: The other thing we invite guests to do is to share the spotlight and call out an individual or an institution that's doing something pretty exciting or notable that you're flying a little bit under the radar. And so I wanted to invite you, Mike, if there's anywhere that you'd want to point the spotlight on for our listeners to pay attention to.
Mike: Yeah, I mean, there's companies that I admire. I drive a Tesla pretty recent Tesla driver 2021, and they have their share of bad press, but I've seen it make a difference already in my driving because I use the full self-driving. So I have been jumping in with both feet into AI and how it affects cybersecurity and identity and seeing already there's a user experience change for me. I pulled out of my driveway and I hit the button to self-drive just for a second. Then I was going to punch in the GPS and my neighbor's trash can was in the middle of the road. I wasn't looking. And because I hit that, take me there button, it zipped it right around it, it would've cost me thousands of dollars from a trash can. And I've seen the old version of it, and I don't know if you know the story behind Elon and what he did with version 12, but they went from writing code to full AI on version 12.
Mike: And it is now behaving like I do when I drive, it maybe hugs a curve a little tighter. It goes over the white line because it's okay. And so I'm seeing that in our day-to-day lives. And so I'm really impressed with at least that aspect of Tesla. And then there's a company called Perplexity. We spend so much of our time Googling and searching. Perplexity is like you just ask whatever question you want, and it's a combination of AI and search together, and it's made a big difference in just saving you so much time. So shout out to Perplexity, and if you're not using it, use the free version. It's a real game changer.
Hiten: Awesome. Well, thank you for sharing and bringing our attention to those. But we'll wrap things there, Mike. Well, thank you very much for making the time, taking us on that journey from late nineties, early 2000 firewalls, and the first stages of security to being at the cutting edge of today. And I think there'll be lots and lots of listeners who are very sympathetic and look forward to some of the visions you painted of a passwordless world. So hopefully the adoption gets there in all of the regions and geographies. But thank you for sharing your thoughts and being with us today.
Mike: No, thank you so much for having me. Looking forward to your next episodes. Thank you, Mike. Bye. Cheers. Bye Cosimo.