Today, I'm talking with Jameeka Green Aaron. She's the chief information security officer, customer identity at Okta. Okta is a big company, a Wall Street software-as-a-service darling, and also just the thing a lot of us have to log into at work 50 times a week to get anything done. So I was very curious to dig into the business of Okta's business.
Biometrics? Bring it on: why Okta’s Jameeka Green Aaron wants passwords to go away
Okta CISO, Customer Identity Jameeka Green Aaron explains why identity is central to security — and how biometrics, AI, and diversity are affecting the present and future of the field.
But Okta's point of view, Jameeka told us, is that it's not just a security company; it's an identity company. So we talked at length about what the whole concept of "identity" even really means in 2023. Is it your whole actual self? Is it a digital replica of your vital stats and permissions? How do you define what it means to be you in the 21st century, and how does that relate to the way you use technology, tools, and systems? How is an identity-based approach to systems more or less secure than other approaches?
We also talked about what identity means in the offline space — the real world, at work — and why that matters for all the rest of us.
As I'm getting ready to host the Code Conference next month, AI is absolutely top of mind across basically every industry — and cybersecurity is no different. Jameeka told us what her real concerns about the new wave of AI tools are: not that they can move faster, although they can, but that they can disrupt security at the level of identity and make it harder to tell, well, who's real.
A few notes: We talked about passkeys quite a bit, which big companies like Apple, Google, and Microsoft are all signed on to as a biometric replacement for passwords. We'll put links in the show notes to various Verge stories about it, but the basic idea is that you can sign in to your accounts using your fingerprint or Face ID instead of a password. Google already supports it, Microsoft is testing it in Windows 11, and Apple will support it soon with the release of iOS 17 and macOS Sonoma.
We also talked a lot about the idea of keys and key management in general. At the most basic level, a key is what allows computers access to various systems, but once you have a big database with lots of users and complicated APIs, managing all those keys becomes a big problem that affects everyone. And that's really very much the business Okta is in.
Lastly, you'll hear us refer to "PII," which stands for "personally identifiable information." That means data that's unique to you, like your name or social security number, as opposed to data like "what kind of phone is this person using." That kind of data being compromised is the stuff security breaches are made of.
I had a lot of fun talking to Jameeka... right up until she made fun of my iMac.
Okay: Jameeka Green Aaron. Here we go.
This transcript has been lightly edited for length and clarity.
Jameeka Green Aaron, you are the chief information security officer, customer identity at Okta! Welcome to Decoder.
Thank you for having me. This is cool! I've been listening and following you for a while, and you're a good interviewer, so I hope you take it a little easy on me.
The people who say that are usually people who are most prepared, so get ready because the org chart questions are coming. That's what we do here.
Okta is a really interesting company. We use it here at Vox Media. It is a big company; it's a darling of Wall Street. While we're talking today, the stock price is up. It's a big enterprise company. Everybody needs it.
For most people, it's the thing that comes in the way between you and the thing you want to use at work. So, if I want to log into Airtable at work, I've got to stop and use Okta and then check the two-factor somewhere. That's how most people experience Okta. So give people just a high-level view of the relationship between the thing they experience of Okta and what Okta is as a business.
Okta, as a business? We're about people. We're a technology company that's about people. Our goal is to enable everyone to safely log in anywhere they want to log in, essentially — safely use the internet and log in. And so when we think about what Okta really is, we're just a login box. In layman's terms, we're the login box.
We're building a primary cloud for identity. Well, what does that really mean? What is a primary cloud? Salesforce is a primary cloud for CRM, or Workday is a primary cloud for HR. We are building a primary cloud using workforce identity and customer identity for identity. That's what we're trying to do, or that's what we're doing, at Okta. And we touch people everywhere that they are. So, yes, you see them at work, but what people don't realize is that you also interact with us on the consumer side — when you're logging in to your banking application or when you go to a baseball stadium, you are also interacting with the login process of Okta. That's what we do.
I think of web applications — really, I think of all computer stuff — as a series of modules. I log in to a bank — they need a database vendor and a web design company. And you're saying even through that, even through just logging in, you're the vendor that supplies secure logging in to a bunch of people that need secure login, and then you can go and use your application?
Is that where it ends for you, or are you trying to go beyond that?
That's where it begins for us. We absolutely are trying to go beyond that, because I think, to take your example, when you log in to a bank, you don't just log in. You log in and you're prompted for additional factors — so, multifactor authentication. So you're prompted with a one-time PIN, a password, or an additional password. You're prompted with a social login or some other way to verify you. And so we are not just the login box — we're not just securing the login box. We're trying to blend the user experience into the login box. So there's that. I think there are other new technologies that are coming out and that are changing that are also going to change what we do, like the way we protect personally identifiable information. And so we are now a part of that as well.
So I wouldn't say that that's where we end. I'd say we are at the beginning of the process. We're trying to change the way people think about passwords and the way they think about how they log in, and that's hard because the password is deeply ingrained into society. As long as we've known computers, we've known there's a username and password, and we're now saying, "Hey, let's move beyond that. Let's get beyond that. Let's go into passkeys, let's go into passphrases, let's go password-less." And so we're thinking about all the ways in which we can do that securely but also in a way that people will actually use the technology to keep themselves safe.
I want to talk about passkeys in particular. That seems like a big trend that's coming — Apple and Google are into it, Microsoft's into it. But I want to stay focused on Okta for just a second here. When you think about that problem space, we want to make identity and logging in better — that's a big problem. And it ties into a bunch of social factors. It ties into how people want to use the internet. It ties into the very notion of whether you should be the same person everywhere on the internet or different versions of yourself on different platforms. Does Okta have a view there, or are you more "okay, we're for you at work, we're for you when you interact with a business"?
No. I think we have a perspective that digital identity is important. From that perspective, when we think about digital identities, we want you to own your actual digital identity. I think that's the most important thing when we think about people and technology. I want Nilay to own all the versions of Nilay on the internet. I want the threat actors not to own any of those versions.
So when we think about our trajectory as a cloud identity company or as a primary cloud for identity, we are thinking about: How can we make it so that wherever you are, you actually own your true identity? And that's a really big problem space, and it's hard. Because you have to think about ... We are thinking about passports, about driver's licenses and things that you physically hold that also can eventually relay into your digital identity. And we're seeing some of that interplay now, right? You see your physical identities be scanned into digital platforms and verified that way. But ultimately, we want this to be a seamless process where who you are in real life and your digital identity align and they are both protected. And so, Okta has the problem space of trying to innovate in a way that we can protect both of those identities at the same time.
I hear that. That's the big vision. I've heard that from a lot of companies over a long period of time. Then it runs into reality for me, which is — boy, maybe I don't want my driver's license on my phone. This is a very practical thing that big phone companies would like me to do. Apple would love me to put my driver's license on my phone. Probably because they just want me to use their credit card. Throw away your wallet entirely.
They want you to use your digital wallet.
Now use Apple Pay. We will take some ... It's very transparent what's happening there, but they've got to get my driver's license on the iPhone for that to happen. And then I think: I would never in a million years hand my phone to a cop. It's not going to happen. I need a warrant. You got to show me a warrant before I hand my phone to a cop.
But if I get pulled over, and I drive too fast, and I get pulled over, the first thing they ask me for is to hand them my driver's license. As a business, Okta has a vision. That vision probably extends all the way to your state-issued ID should be digital in some way. And there's the practical reality that a bunch of people are never going to hand their phone to a cop. Is there an interplay there? Do you see that?
Do you have to hand your phone to a cop? That's the question. Do you actually have to hand your phone for them to get—
I think if a cop has an excuse for me to give them the phone, they will take it.
Yeah, I think so! In my mind, when I think about a digital identity, I would not want to hand my phone to a cop. So I agree with you there. I agree with that sentiment. But at the same time, we don't hand our credit cards over now when we swipe to pay. When I think about just me, Jameeka, and the future of digital identity: I'm pulled over, and I'm in my car, I'm driving my car. Let's give that example. And my driver's license is not only tied to my registration in my car, so when I'm pulled over and my license plate is run, there's information that's given to a police officer that says, "This is Jameeka Aaron's car, and this is her driver's license, and this is what she looks like." And so when they see me, they go, "Oh, we already have some of her information, or we're using technologies like NFC to actually transmit that information over to them."
So I don't expect to hand over anything else anymore, essentially. I expect that when we think about the future of digital identity, I don't think people are quite ready to part with anything physical, and that's fair. I think there's the physical identities that we have, but then there's our ability to transmit that identity to those who need it for specific reasons. And I think it goes beyond that. It's not just: transmit my identity, everything on it — my name, my address, my social security number. It's: Hey, in this particular case, all you need to know is my name and if I have a valid driver's license. And so when I think about the future of digital identity, I'm transmitting my name and the fact that I have a valid driver's license over to a police officer in a wireless way, and that's all they really need to verify at that point. Is she who she says she is? Here's her photo, and she has a valid driver's license. I think that's the future of identity, and I also think that allows the consumer the ability to control what data is provided and where.
When you think about digital identity, that, to me, is what we should be thinking about. Right now, we don't have a lot of control over the information that we provide to anyone. If you go through the airport and they scan your driver's license or your passport, you don't actually really know what information is being garnered in that particular case. The future of digital identity is one the consumer controls — where the consumer decides which information is actually needed, and do I want to provide that information? If I'm buying a drink and all you need is my name and that I am old enough to drink, then all I'm sending you is my name, potentially, or maybe not even that. Maybe I'm just sending you information that I'm old enough to drink, and yes, you can serve this to me. And so I think when we think about the larger world of digital identities, it's really one where the consumer decides, and that's, I think, what's important to Okta. We're thinking about: how do we put this back into the consumer's hands and give them choice while also keeping them safe?
And that to you is, there's one unified identity that I control? It's: I have an identity, and I'm picking and choosing what comes out of that database of identity characteristics.
Absolutely. It's yours. It belongs to you. Correct.
How do you go from "a bunch of people have Okta accounts at their workplace with the name of their company and the login screen" to "everyone has a unified Okta account that interfaces with everything from local bars to cops"?
Number one, I think public-private partnership is going to be critical to that. And that's not something that we're totally good at yet. The fact that we have a state driver's license tells us that we're not good at unifying the identity space just yet. We totally have the capability to just have a driver's license, right?
Yeah. But the political will in this country to do that does not exist.
It's nil! But that's what it's going to take. It's going to take that level of unification, not just across states but across companies. And one of the things that we [at Okta] pride ourselves on is neutrality. We've decided that we're not going to pick. We're going to work across many platforms, across various platforms, with thousands of partners, in thousands of ways that we're connecting different infrastructures. That is what Okta's trying to do: Our goal is neutrality.
I think us choosing neutrality, in some cases, everyone wants you to pick a side, and I think we have. We picked the side of neutrality and the side of our customers and our consumers. On the flip side of that, Okta's not just workforce identity. My job is actually in the customer identity space. So, it's the login box for everything else when you're not at work. And so we have unique insight and unique data into how people actually move around. And one of the things that we have to do is identity proof all the time.
And when you think about identity proofing, it's, "Hey, Jameeka's got two email addresses, and she signed into this account, and is this the same one? If it is, let's merge those together." So I think that's the other space where we really have the opportunity to innovate because we can identity proof, and we can go, "Both of these are Nilay. This is him. We know it's him. We know these are his two email addresses."
So when you think about putting that together in a larger identity space, we've got the ability to verify you at work. When you go to work, there are lots of verifications that happen that say: Yes, you can work, you pay taxes, those things. And then we also have the ability to identify you in the consumer space. Now, our two products right now are totally separate, but what they offer us the data and the opportunity to do is to look at people, how they move around, and put together the ideas of what digital identity will look like and how it will work. And so we're still working on that. We haven't solved the problem yet, but we understand that there's this wide problem space, and we have a lot of data to be able to solve it.
You mentioned neutrality. Do you think the solution is that Okta maintains a neutral centralized database of identity, and everyone picks and chooses from it, and then we all trust Okta to keep that database secure? Because that seems like a rich target in the end.
I mean, Iâm a CISO, so-
That's why I'm asking you. I think this has to keep you up at night. "Oh, I'm building the greatest honeypot known to man!"
Yeah! I never think that it's the best thing to do — to trust one place to do everything — because hackers know that, and they are good at what they do. No, I don't think that you should just trust Okta. I think that the technology that we're building and what we're thinking about, you should trust the ideas that we have and the perspective that we have on the identity space. I don't think that that database will be sitting solely with Okta. I think it will be decentralized.
But what I do think is that when I talk about public-private partnership, I do think there's an opportunity for Okta to say, "Hey, US Passport Agency! We would like the opportunity to partner with you on digital identities and how we create the next space for digital identities." So I don't think that it's a good idea to have any amount of data — specifically PII data — because ultimately, identity-based attacks are still the number one attack, and they are effective. I don't think it's a good idea to have that data sitting in any one space, but I do think that the opportunity for partnerships sits there for us to look at spaces and databases and really connect and figure out how we keep those safe while also having the ability to transfer information and share information.
A couple more questions about Okta, then I want to get into the Decoder questions and how you operate instead of Okta. Really basic here: Who are Okta's competitors? When you have the big C-suite meeting, who's on the list? We've got to beat X, Y, Z companies. Who are your competitors?
We have no competitors!
Yeah, sure.
I'm just kidding. Of course, Microsoft, Ping [Identity], OneLogin. Those are some of the ones that come up pretty frequently. I think what's unique about Okta is that we are a cloud identity company, and that's what we do. That is our space. And we are, again, powered by neutrality. But we are not an on-prem company. That's not what we do. That's not in the stars for us. We are really focused on the cloud identity space. And so that's why when I said, hey, we're building the identity cloud of the future, that's the space that we're ferociously focused on. There are not other lanes that we're trying to get into.
You're not going to put out the Okta internet appliance that I can install in my small business tech office.
Microsoft is a huge competitor in many ways. They are on-prem. They've had Active Directory for what seems like a billion years. For one minute, it seemed like a monopoly provider of identity services to big companies.
They're under fire right now. We had Adam Selipsky from AWS on the show. He's like, "Microsoft security practices are horrible." He wouldn't say their name, but he was like, "That company starts with an M." Other cloud providers are saying Microsoft has problems. They just had a breach. Is your pitch, "Fundamentally, the cloud is more secure," or is it, "We're more secure than those guys"?
I am a firm believer in not trashing other companies, because your day's coming. And that's me, the CISO, speaking. I'm like, listen — everyone has their day on the front page of The Wall Street Journal. We've had our day as well. I think that that's something that I just try not to do. What I will say is, we work with Microsoft. We work with Amazon. We work with all of these companies in various capacities, either because we're users of them also but also because we're neutral. Our goal is not necessarily to put other companies out of business; our goal is to make the best experience for our customers. And so when we think about workforce identity, we're not just multifactor authentication. We're single sign-on. We have partnerships. We have 15,000 partnerships and connections to various partners to allow you to do your work securely.
I wouldn't say that we are better than them in the capacity of "we're more secure." I would say that we offer more options available to you. We are not trying to put you in the Okta ecosystem. We're saying, figure out what ecosystem works best for you, and Okta will work with that ecosystem, and it doesn't matter what company you are. We're pushing very heavily on our partners to really create this space where it's frictionless for the users, because once the users start abandoning our processes, it doesn't matter how secure you are. If the user abandons the process, you're going to get hit with an attack. And again, because we are aware that identity-based attacks are our number one, we're thinking about that because we're there, we're the identity provider for so many. And so I don't think of it in terms of who the competitors are or what we do better.
I think our neutrality makes us strong because it allows you to think about your SIEM and your SOAR systems. It allows you to integrate threat modeling. It allows you to look at our data, integrate our data and our threat intelligence into your model. So we're wide open. We're saying, hey, use whatever you would like but also use multifactor authentication. Use phishing-resistant factors. Really make sure that you're building an ecosystem that is secure. We're not necessarily saying choose a product. But if I had to say, choose a product, I say, hey, choose us.
Let me run at this a slightly different way. There are these phrases that everybody uses: security by design, privacy by design, innovate, make sure you build security in the beginning. Every company uses these phrases. As you look at the breaches Microsoft has had recently, some keys were leaked. I think they provide the Commerce Department with email. The Commerce Department email was hacked — these are huge breaches out of Microsoft. What are you learning as a CISO at Okta from those about your own processes and about places where the attack surfaces might've been different than what you had assumed?
I think when I look at some of what's happening just in general in this space, key management is a challenge for everyone. Every company, every CISO that I talk to, key management is a huge challenge. I am an absolute fan of security by design. It is a practice that we employ implicitly within Okta's customer identity cloud. It is a practice that takes co-conspiratorship of your CISO, your chief product officer, your chief technology officer. And one of the things that you have to build in your software development life cycle is key management and key storage and really flesh that out. And we have had to learn some hard lessons as well around this space. And so I think when I think about it, we're just not there yet because the technology has moved very rapidly. We've all moved into the cloud very rapidly. I think that was the right thing to do, but sometimes security doesn't catch up.
Now we're playing this catch-up game where we're trying to figure out how do we manage 40, 50, 60,000 keys in the space that all of our developers have access to and that they're writing code with? They're embedding them in many cases. They're in our GitHub repositories. They're everywhere. Keys are everywhere. And so, in this particular space, this is one that we all have to go take a look at, take a step back and go, "We need to do a better job with key management."
What does that mean? It means is it built into the products that you're using? Is it built into the clouds that you're using? Are you using a third-party key management system? And even within that space, when you think about keys and secrets and paths, these are all things that mean various things throughout the software development life cycle.
Ultimately, when you think about secure by design, this is one of the issues that we're going to have to tackle. Well, when do you tackle it, and how do you tackle it when you've already got this architecture in place or you've got this stack in place? That's the bigger question, and that's where I think many industries are getting hit. They understand that they have a problem. They're working to solve the problem of key management, but they haven't gotten there yet because you still have a stack that's in place that didn't take that into account. This is where secure by design becomes critical — because you build key management into your stack, and then it's always managed. I think it's one that we struggle with. It's one that we're going to continue to struggle with. One of my people put it this way. It's an arms race. It is. This is one that we're going to have to get after because the ability to pick up our keys and to… Especially when they're hard-coded, when a hacker gets a hold of them, they can get in, and you won't be able to detect them.
Because they're using a real credential.
They're using a real credential that belongs to you. It is yours, and now it is out there in the wild, wild west. And so this is a big deal, and it is unfortunate, but it's going to keep happening until we actually start to practice secure by design.
It seems like keys are a really big issue in security, especially when you're building software products and software businesses. Explain very quickly what you mean by a key and why they're important to protect.
A key is essentially a password that a machine uses. When systems are talking to each other, there is a need to protect the information and the data and also to verify or authenticate that the information and the data is coming from trusted sources. So when you think about a key, a key is essentially a password that a machine or that an API might use to verify that it is who it says it is and it does what it's supposed to do. And that's the really simple short version of what it is.
We use them all the time as our systems talk or our containers talk to each other or as they're passing data. There's a key that happens or that is exchanged in the process of that conversation.
In many cases, there's key pairs — there's one key, there's a public key, there's a private key. There are all kinds of keys that look like that. But essentially, they're passwords. They are a key to a door. You have a front door; it has a key to it. We have a front door, a back door, a side door, and 42 windows — they all have keys to them, and they all have different keys. And essentially, in many cases, we will build our software to have those keys as a part of the software. So they're hard-coded into the software. We have to rotate them sometimes because we get broken into. They expire. You change neighborhoods or you change doors, and you rotate keys. Essentially, when that key is compromised or someone who isn't supposed to have that key now has it, they can open all the doors. That's the problem space that we're in now.
Key rotation is another big part of the key management process. And so, in many cases, keys live in your software for a very long time or forever, and you have to go and find them and rotate them. And so that's the other part of the space. You need to rotate your keys, and you need to manage your keychains. If you do neither, someone else will end up with your keys. They'll end up with your keychain. They'll end up with old keys, and they'll go and they'll start unlocking doors. And when they do that, they have full access to your environment, depending on what those keys do.
Let's say I'm a small business owner, a small startup making a piece of software. I'm like, look, I need a secure login. I'm going to hire Okta. Does Okta come in and say, "We're also going to audit your key management and your software," or do you come in and say, "We're going to do this for you"?
This is where Okta becomes super important. We do this for you. Let's put the keys back in the phrase of passwords. We are going to help you manage this so that you don't have to do it yourself. And Okta works with tons of startups. We have Auth0 for startups. We have free versions for small businesses. And this is really, honestly, a big part of what I've been doing these last couple of years, is talking to small businesses, talking to our NGOs, talking to spaces where they don't think they need to do identity management because they're not big enough for that.
There's no size. If you have one employee, you should be thinking about this. If you have 10, you should be thinking about this. And so, Okta's coming in and saying, "Don't try to do this yourself. Don't try to do identity yourself. Let us build it for you." Whether that's workforce identity with multifactor authentication and single sign-on and FastPass, which allows you to go password-less, or it's on the customer identity side where we're saying you've got a login box that's facing the internet and you need some extra security. You need CAPTCHA, you need an SMS, you need social logins, you need something else that's going to add an additional factor of protection. And so we are saying, "Don't build it yourself. Let us do this piece for you, the identity piece."
And then inside of that, like I said: Okta is a darling of Wall Street. How do y'all make money?
How do we make money? I guess it's not a tough question, but essentially, we make money by protecting logins.
Do you get a nickel every time I log in to work?
Something like that.
It's that simple. It's like just every time—?
No, it's based on number of—
Because then I've got to keep my computer logged in a lot more than I do.
On the workforce side, it's based on a number of employees. It's not every time you log in. It's based on licensing and a number of employees. It's based on MAUs. It's based on a number of users. And this brings actually up another point, particularly on the consumer side. Because in the workforce, you know, I have 10,000 employees, I need 10,000 Okta accounts. The consumer side, not so. You don't have any employees — you have consumers. And this is also where we're saying, "Don't build this yourself because it's going to cost you more." So, in many cases, consumer logins are incentivized. Log in, and you will get some miles. Sign up, and you will get 10 percent off. And ultimately, you are thinking about trying to get valid customers to sign up. Well, this is where the attackers come in.
They want those miles. They want those 10 percent offs over and over and over again. And so they're going to populate your space with fake logins and fake identities. And so this is the other thing that we do on the consumer side is we're really trying to help companies make sure that those identities that are logging in are real identity and they're not bots and they're not folks that are trying to take advantage of rewards programs. Because when that happens, when you have millions of false logins, not only are you taking up cloud computing space, which is costly — you're not going to be able to make any money. You're not going to be able to advertise. Because these are not valid shoppers. These are not valid consumers. And so on the consumer side, we're really thinking ... And I talked about identity proofing a little bit. This is where identity proofing comes in.
We're thinking about — or we're working to resolve — the problem of fake users, bots signing up, taking advantage of programs. We're going through. We're looking at databases and making sure that login credentials are valid. We're kicking out invalid login credentials. We're also going through ... We have the capability of automatically resetting passwords of compromised credentials. And so when you ask what we do, I guess I didn't dive into everything that we do, but we are using lots of technologies to help us make sure that your consumers are your actual consumers that you want.
Now, this is great for me as a CISO, but it's also great for our marketing teams. Our CMOs are thinking about omnichannel operations, and they're thinking about, "I want to make sure that Nilay gets this new shoe, and I want to make sure that he actually gets it and he gets the code and he is a valued customer of ours." And so a part of our job is to make sure that your identity is protected, but also, for the businesses that you actually utilize, they understand who you are, they're looking at real metrics about you, that it's really your login. And so that's the other side of it. And so it's both for us. It's both the consumer and the workforce.
I want to come back to that, but you've led me directly into the big Decoder question. Okta does a lot of things. There's a big enterprise part of it. There's a consumer part, which you're a part of. Then there's sales. How is Okta structured? How does the company work?
We have 18,000 customers. We have 6,000 employees. And we're structured into our two primary clouds. So essentially, how I've been talking about it, that's how we're structured. We have our CEO, Todd McKinnon, and then we're structured into our two primary clouds, our workforce identity cloud, which is focused specifically around workforce logins and employees. And then our customer identity cloud, which is focused around consumer internet, consumer apps, SaaS apps, internet-facing applications. And then, we have teams that support each of those primary clouds.
Then thereâs the other big Decoder question, which is always very interesting to ask security people because the tradeoffs around decisions when your focus is security is very different. How do you make decisions? How do you influence what the company does?
I'm a product CISO, and this is my first time being a product CISO, and so, over my 25 years, it's changed. I would say when I first started in the industry, I was hardcore security. There is no tradeoff. It has to be secure and as little risk as possible — very risk averse.
Now that I'm a product CISO and our product is security, security has to be a business enabler. I have the unique position of not only being the CISO of CIC but also of being the chief tester of products. I get to really look at some of our products. So when I first landed at the company, we were thinking about a product called Security Center. That product is now in GA [general availability], but we were thinking about it. And they came to me and said, "Hey, would you like to have this?" And I was like, "Hell yes. This is a dashboard that gives me all of the data around bots, around credential stuffing attacks. And this is something that I would love to see so that I can actually make good decisions around security."
Let me give you an example. We have the ability through Security Center to tell you if an influx of activity is actually consumers trying to log in because you maybe have a new product launch, like a sneaker, or if it's bots that are actually attacking you to take advantage of that new product. And then with that, you can turn our controls up and down. You can turn on advanced attack protection, you can turn on bot protection. And so, for me, I was so excited about the product that I leaked it accidentally a bunch of times because I wanted to talk about it, I wanted to share it, and I wanted other CISOs to see it.
So for me, as a CISO, this is the best place to work ever because I get to really see how our products are going to impact my own peers, and I get to understand if they're going to be helpful, not just from talking to my peers but from actually testing the products out myself. And so it's a really interesting role. It's very different than all the other roles I've had because my previous roles were specifically about protecting our intellectual property, protecting the crown jewels.
This job is different. This job is about making security a business enabler — using the knowledge that I have of this industry to create better products for Okta and to create better products for our consumers, but also for our CISOs. And so we've got threat intelligence or threat insights coming out where it allows us to really seed information from our systems, which we see billions of logins every day. We get to see the real ones and the fake ones. It allows us to share information and intel.
The other thing about this role that I think has been fun and unique is that I am a fan of sharing information with other CISOs. We are so secretive oftentimes because we just can't share. Our companies don't really want to share the details around cyber attacks.
But ultimately, CISOs I think are a trusted community where we can share information because we're all fighting the same adversaries. And one of the things that the adversaries have on their sides is that they share information. They go, "I did this, this attack was effective, and you try it now." We are not doing that, and I think we have to get so much better at it. One of the things that I get to do is share information about what kinds of attacks I'm seeing in real time with the community so that they can do something about it. And so, for me, very different roles. Security is a business enabler now, but it's not just a business enabler to me — it's a business enabler to marketing, to our product officers, really, really helping them to understand how what they're doing in this space can change and uplift the entire community.
There's a tension you're identifying there, and I want to just push on it a little bit more. In your previous roles, and [with] other security folks I've talked to, a lot of their decision-making is about, "Okay, the company wants to go fast, but I need the company to go slower and button up and protect those crown jewels and make sure that we are not introducing new kinds of vulnerability, but we're thinking it through from a security perspective before we rush out to market." It sounds like you are in a different role now where you're selling the security to the market, and you're able to act differently. How has that changed your decision-making process?
It's both. I am selling security, but I also am still the CISO of a line of business. And so we talked a little bit earlier about secure by design. I am hardcore about it. What I've had to do is really change my relationships internally with my counterparts. So my CTO, she's my co-conspirator. We spend a lot of time together thinking about secure by design and also thinking about the software development lifecycle and how we can build security into that. It makes my job easier on the backend because, when there's a vulnerability, we are already thinking about… we don't just patch them. We roll out a new version of our product where the vulnerability is resolved. And so that's one piece of it that I get to impress upon the software development life cycle that security should be built into it. So that's really my primary job — to reduce risk as much as I can.
The other side of it is, while we're doing that, I'm also thinking about the final product and the ways in which that product can be helpful to a CISO. And so it's both. It's yes, I'm selling a product, and yes, it's a security product, but I get this unique perspective on the entire process from start to finish. When we start ideating around what's next, I'm sitting at the table saying, "I don't think that that's going to be what CISOs want, but let me go ask them."
Or actually they will tell you. Obviously, CISOs are vocal people. They'll share with you unsolicited, "This is what I want to see next. This is what I need from you." And so I get to be their voice in the process, but I also get to see those outcomes. And so it's a very different kind of job in that security is not just there to reduce risk. I still have the standard teams. Governance, risk, compliance, detection and response — we have platform and product security. So all of those teams still exist, and they're still there, and we still have our primary job. But I think we all are challenged with this really higher level of thinking about security, and we're thinking about it from the consumer perspective as well.
How do we create a product where a consumer can log in and it's frictionless or as frictionless as it can possibly be? Because ultimately, they're our first line of defense, and so we're thinking about the entire process all the way through to the consumer. It's a very different role.
Let's talk about that process, because we are in a time of change for security right now. Probably in a few weeks, iOS 17 is coming along with the new iPhone. Apple's already previewed it. They're pushing into passkeys; Google said they're going to do passkeys; Microsoft has said they're going to do passkeys. This is a big change that's coming. Describe to the listeners what's going on with passkeys and how you think it's going to change the experience of identity on the internet.
I talked a little bit about friction, and I think that, ultimately, what passkeys allow us to do is remove some of the friction from the login process. In many cases, we've experienced passkeys already, and we're just not completely aware of it because the process is very smooth. If you are using your mobile device in any capacity to log in to something, there is likely a passkey involved — most likely with your bank. Banks are really good and really forward-leaning in terms of protecting the login space.
Why is this important? Because everyone's on board. And the reason that everyone's on board is because we feel like this is the right way to go. This is the way that we need to drive the industry. Well, why do we think that? Because the consumer ultimately decides how and the ways in which our products will work and if they're successful or not. Passkeys make it very easy to log in to things, and they remove so much friction from the login process.
What is friction? Because I've said it a bunch of times, but I've not actually talked about what is friction. Anytime you have to stop and think about something else in the login process, it's friction. So I'll give you an example: You're going to a website. You've put in your username and password. It says, "We don't think this is you. We're going to send you an email." Now you've got to go to your email — that's friction. Or CAPTCHA pops up, and maybe it's not the greatest CAPTCHA, and you can't really figure out how to get through it, and you can't. That's friction.
At this point, I assume every CAPTCHA is me training an AI modeling system somewhere. I'm like, "I'm just contributing to some AI model somewhere." I've identified all the crosswalks in America at this point.
All the motorcycles, all the stoplights.
So passkeys are the next version of our ability to log in without friction. They are critical, and they are secure — that's the other thing. And so when you see massive, massive amounts of industry, and you're in this industry with us, moving in one direction, it's because we feel like, universally, it's the right direction to move in. Would I love to say that Okta spearheaded that? Yes. But I think it's a mutual agreement amongst all of us that safety and security of the consumer is of utmost importance. And so that's why we're headed in that way.
So the consumer experience of the passkey is: I've got my phone. My phone authorizes me, usually with some biometrics, in every example that I've seen — Touch ID, Face ID, whatever. Now my phone knows it's me, and now all logins are handled everywhere because my phone is authed to me. Is that how you see it playing out? Because I see a bunch of big companies saying we still want our employees to log in.
I think that that is how I see it playing out. And the reason for that is that people — it's not because of the technology. It's honestly because people hold onto their cell phones with a death grip. This is just my own perspective from just watching humans do humanity things. If you lose your cell phone, you lose your mind. You want to find it, you've got a tracker on it, you've got a way to trace it. And so the passkey takes advantage of something that we're already doing naturally, and I think that's why it's going to be more successful. We already are building biometrics. They're not being built; they're there. We're already building this additional vector of authentication into the capability of every cell phone. And we're so serious about holding onto our cellphones, having them near us.
Even when you sleep. When you wake up in the morning, you go straight ... And so I think we're thinking about the way the world is actually moving and going. We need to build the technologies that people are really using. We don't want to come out with something new and force people to do it because they're still holding on ferociously to the username and password. And what we've done is iterated. Passkeys are an iteration upon that.
I love using biometrics. It's one of my favorite things to use. And in many cases, if a login box pops up and that's not an option, I am like, "I don't even want to do this." If I can't turn it on ... But it also is predicated on building a login process that has FIDO2 technologies, WebAuthn. You can't use these new technologies if you've not built those into your stack. And so, there are some things that we still need to do to get to the place where everyone can use passkeys, but I do think it's the way of the future, and I think it's the right thing to do.
Biometrics are insanely secure. There's only one version of Jameeka's face. I think we still have a ways to go around biometrics' ability to detect people. I'm a Black woman, and so, in many cases, biometrics has failed me. I don't use facial recognition, but I do use my fingerprint pretty often. And I don't use it because it doesn't work for me. The models have not been trained enough with diversity in mind to get there, but we are going to get there. I do think we're going to get there. And so I think when we think about the future with passkeys and with all of these different ways that we can use passkeys and we can access them, yes, it's the way of the future, yes, it's going to happen, and we're all going to march in that direction, and people are going to — I think when they realize that, they're going to like it.
I just got my mom — it was her birthday two days ago. It was my mother-in-law's birthday. We got her a new iPhone. She is using biometrics now, and she thinks this is the best thing in the world. She's 73 years old. She was like, "Wait a minute." And she had an iPhone. Now, mind you, she had an iPhone 6. So this just tells you.
But I think about the world. I think about my own family when I'm thinking about the new technologies that we're putting in place. So we got her a brand-new iPhone. We set it up for her. She loves it. She literally uses her fingerprint. She also uses facial recognition, and she thinks it's the most amazing thing ever, which lets me know that when you get walked through the process properly or when you get to understand what it is that you're doing and you get to see the technology work ... She literally was like, "Well, what else can you do with this?"
So now I've got to go back and give her a whole lesson in all the places she can log in using passkeys or using biometrics. I think that if a 73-year-old can pick this up in 10 seconds with a little bit of help from her kids, the world can pick this up. And I think that that's what we're thinking about is what is going to be easiest for the world.
The other thing I think is that, in many cases, technology is not accessible to everyone, but there are cellphones. And so even when you don't have a desktop or a laptop ... I don't know anybody that has a desktop anymore. But even when you don't have a laptop—
I'm talking to you on an iMac. Come on. This is a 2015 iMac. This is state of the art.
2015.
It's still rocking, man.
Passkeys are coming, and you're still ... I can't even believe you just admitted that.
I love it. I'm never letting this thing go. It's perfect. It does its job exactly right.
Even to that point, she held onto her iPhone 6, you've got your 2015 iMac, and you're both going to get passkeys. So I think that, yes, we're thinking about making technology accessible to everyone. I know that the manufacturers of hardware products are thinking about that, and we're thinking about how we layer software on top of that that makes it accessible and secure.
So a big piece of this puzzle here is you bought your mother some new hardware. By the way, the CISO explaining all the websites you can securely log into to their mother — that's like a children's book for kids who want to grow up to be CISOs. It's great.
But you're dependent now. Okta was a startup. It became a unicorn. Now, it's very successful because it leaned into a technology shift that was happening, away from on-prem into the cloud. You've talked about the cloud a lot.
Here you're saying, "Okay, well, Apple's got to ship Face ID and fingerprint sensors. Google's got to enable this across the Android ecosystem. Microsoft has to do it on Windows, and then Lenovo's got to put that system on their laptops, and it's all got to work together, and Okta's going to sit in the middle of it." Does that create a new set of dependencies for you? Because that seems like it's going to get very complicated in a way that for Okta and the enterprise, the entire pitch was just "do this in the cloud, we'll handle it for you." And you weren't dependent on 50 of the biggest companies in the world all working together.
That's what we're doing. These companies are our partners. And yes, we compete in some spaces, but they are also our partners. And it is predicated on us as industry leaders to lead the way, so sometimes we have to work together. But this is also where industry standards become important. Because, in many cases, we are building with an industry standard in mind. And so we're not necessarily saying that Okta is the dependency — we're saying build toward the industry standard. And if you build with the industry standard, then Okta will pick up and manage identity for you.
Is there buy-in around this standard? Because I—
Yeah!
We cover our standards a lot here at The Verge and, boy, can that get loaded.
Yeah. I think there's tons of buy-in around FIDO2 and WebAuthn. I guess I'm a forward-leaning technologist, so of course, I'm going to say yes. I haven't seen a space where I just couldn't use it… yet. But again, I think I'm biased because I'm a technologist at heart, and so I'm trying to figure out more ways in which I can use it. But no, I think there has to be industry buy-in for certain standards. USB-C. It's all over the place now.
Right. But when I say, boy, can that get complicated — that's another hour of how that standard is not actually easy to use and it has been corrupted in 50 different ways.
Yes. But it is a standard. And I think that sometimes you have to have a standard for the sake of interoperability. And I think that that's what these standards are about, is interoperability. Because capturing market share is really, really challenging. And in many cases, you cannot capture market share when you do not have that interoperability.
There is no one company that owns the space completely. In many cases, we all work together in vast ways. In order for us to have that level of interoperability, we are working from a set of standards. Okta has 15,000 connections. Now, are some of them built on standards? No. Some of them are like, "No, we just really need to make this API work." And so that's what we're doing. But we take that challenge. There are some that will be standards-based. There are some where we will just partner and say, "We need to make this work because it's going to be a benefit to our customers." It's both.
Let me give you an example of just standards among these companies. I will abstract it out so you don't have to talk about your competitors/partners directly. One big company agrees to do a standard with another big company. The first big company loves to just do the whole thing. All in, idealistic, we're doing it. And then the other big company, which is just down the road from them, usually is like, "We're taking three pieces of the standard and building our entire stack on it, and the rest of it will be completely ignored because this is the jewel-like user experience that we're after." I'm not saying which companies are which. I'm just saying that's a pattern I see happen over and over again. For you as Okta, building on top of that, how do you manage that as you try to push out the consumer products that you're building in a secure way?
Some of it is just ... Well, in some cases, they just say no, and we go, "Okay."
Sometimes you'll hear us say we're 80 percent of the way, because not everyone always wants to get on board. That's going to happen. We know that. When you have your own ecosystem, you have flexibility to say, "No, I'm not going to participate." It is our hope that when we think about identity, this is about people. This is not about market share. This is not about having your own ecosystem for Okta. This is about people, and this is about protecting people. And so it is my hope, it is Okta's hope, that that becomes the forefront of standardizing if it is a benefit to people and protecting our consumers. Because ultimately, when our consumers are compromised or when we are compromised through our consumers, we lose trust. Trust rides in on a tricycle and leaves in a Rolls Royce. It comes in slowly, and it goes out on a jetpack. And so when we lose consumer trust, we all lose.
So what we are trying to do is to get the "companies that be" to say, "Yes, this is something that we all should do." Is it hard? Is it difficult? Absolutely. But is it the right thing to do? Absolutely. And it's a task or a challenge that Okta is willing to do. Because if we're going to say that we're neutral, we have to get as many partners on board as we can. And so that's what we're doing.
I'll tell you, we have been wildly successful in that. In talking to some of the larger companies and saying it is important that this particular standard, passkeys, is the one that we agree on because it's about people. If we keep that in mind, it makes the conversations different and a lot more smooth because, ultimately, nobody wants to be the company that is on there and saying 3 million of our customers' data has been breached. That is what we are all facing when all of us don't get on board.
We all are reliant on each other. The failure of one technology, it's like dominoes falling. [If] we get compromised in the identity space, many, many other areas are compromised as a result of that. We don't want that. So we are really, really focused on not only being a good partner but building those good partnerships. And sometimes, that means bringing everyone along, even if they don't want to come along.
So let me ask you — that's the work. It sounds very complicated. You sound very passionate about it. How long until the password goes away? The password as we know it.
Oh gosh. In one interview, I say, "forever," and in one interview, I'm like: "tomorrow." I don't know. You know what? That's a question that I really don't know. I don't know how long it's going to be. I would like it to be in the next five to 10 years. That's still a long time. I don't have the answer. I think we're really pushing toward it going away, but I don't know. That's one I just can't answer. I would love to say that it's sooner rather than later, but I don't think that that's true.
You don't think that something like the release of iOS 17 with support for passkeys leads to rapid adoption and then an exponential curve of passwords going away?
No. I think that it will speed up the adoption, and I think that this is what has to happen. I think that we have to have these kinds of releases where they speed up adoption. But ultimately, in order for passwords to go away, everywhere that there's a password, it has to have the technology built in for it to go away, or they have to use a product in front of their login box for it to go away. Now, obviously, we can do that for you.
Good plug.
We can do that for you — that is a good plug! But I think we're still a ways out because people are emotionally tied to it. I think that they want it there. They think it's important. And so I think we're still a ways out because of the emotional connection, not because of the technical capability. I think the technical capability is there. I think that again, as we continue to partner and we continue to do software releases and hardware releases that this is available, people will just naturally migrate to it, and then it'll become a part of how they do business every day. If you had to nail me down, I'd say we're five to 10 years away from the password going away.
That's a good answer. That's what all the self-driving car CEOs say, too. It's just enough to be specific but just fuzzy enough to be never. Nailed it. It's a real theme on Decoder.
Well, you got an "I don't know" out of me, so that's the real answer, right? You got me to say, "Yeah, I don't know."
I think a lot of people want it to go away, and I think it's comforting to people. I want to come back to that, actually. That thought of the fact that it's real people that are going to drive the shift. But one more question about the passkeys in general. You mentioned biometrics — you really like it. There are big tradeoffs with biometrics. You mentioned that you're a Black woman, and facial recognition systems generally have not been trained well on people with darker skin. I've experienced this as well. There's bias in that data.
We're also coming up on a time of massive AI development, and it seems like a lot of AI bad actors are going to point it right at biometric systems. The big tradeoff in biometrics is once it's breached, it's done, right? I can't change my fingerprint, at least not yet. How are you thinking about those tradeoffs, especially in a time when AI systems seem poised to be used by bad actors to attack them?
Yeah. I'm worried. If I had to say, the biggest thing that I'm worried about is what happens when they lose my fingerprints? What happens when those are breached, and what are we going to do about it? I think that the tenets of protecting data and protecting PII — those are not new. As we start to think about how we're storing and how we're handling data and encryption and at rest, we're going to have to, I think, uplevel our skillset around protecting biometric data. It is, I think, again, the thing that I am most worried about. And again, not as a CISO but as a human being. What happens when they lose my retinal scan? What happens? And I think that that's one of the reasons why I am such a fan of having the capability on your cell phone. Because you're holding it.
Locally, you mean. Not in a cloud.
Locally, right. Locally. When I say your cell phone, I mean locally. I'm a fan of that technology because we're holding onto it with a death grip. But it also allows us to have some ownership and protection of it. And because there are tons of ways to wipe and delete remotely, there's tons of things that we can do with cellphones to really protect that. And so I think that's one of the reasons why I like the technology.
But I am very worried about how we protect the data. We have not gotten to where we are, I think, universally good at protecting data and protecting databases. I think, even more so, you talked a little bit about AI. When I think about AI, I think about these large language models that are being built and the ability for me as a CISO — one of the things that we can do right now is understand if it's a human or if it's a bot. Generative AI is bringing in deep fakes that are human-like. The thing about generative AI is that it mimics us. And so our ability to detect if it's a human or if it's a bot is diminishing, it's going to diminish. And so this is where the challenge becomes really critical because what happens when those deep fakes can also mimic our faces and our biometrics?
I can imagine an attack where I get between the camera and the facial recognition system and deepfake your face onto my head. That would be crazy. I'm just saying I can imagine it.
That's our future. That's our future.
That's where the attack happens, between the camera and the security system. And I deepfake your face, and you've only got one face. And once that's done, that's over. That's the tradeoff with biometrics. It's easy and convenient and the most secure right now, but it's also… once you're off the cliff, you're done.
Yeah. And this is the CISO's journey. This is a part of what ... Oftentimes, they're like, "Our CISO's crazy, and they're telling us about all these things." I know they say it. We're telling these horror stories. But AI is real. It's not new technology. We've been using machine learning to defend against bots for years. It's not new to us. And so, in that case, it's not new.
What's new is how generative AI is being used. And so yeah, I'm concerned. And I don't have an answer for how we fix this yet. OAuth just came out with the top 10 for large language models, and I've been ferociously reading through it. It's 30 pages. It's a great read, though. And the Cloud Security Alliance has also put out some really great information around how we defend against it, but it's not solid. We can use AI to defend against it. There's still a lot of thought around whether the defenses that have been proposed are effective, and none of them are talking about biometrics man-in-the-middle attacks.
They are talking about adversary in the middle, but not this particular example that you've given. We're not there yet. And when we think about why there is so much consternation about AI, this is the reason why. Because we all can come up with these various examples that none of us have thought about how we defend against yet. And so, while I'm a super fan of AI, also I'm like, we also can't get so far behind the mark with security as we do with other technologies. We've done it over and over again. We should know better by now. We really are going to have to get really, really good at this particular space of security and defensibility in the space of AI.
Not happening at a rapid pace the way I would like to see it. But what I do know is that I think it is as important to us as it is to the folks who are making AI to do this work and to secure this work. We've let something loose. I look at some of the AI generators around headshots, and I'm like, "These look great, and they look just like me." And how would you know if I sent you a headshot that wasn't really me at this point? It's hard to know. That's the good part of it because Jameeka looks great all the time. The bad part of it is when you take what I've sent you and use it biometrically to log in to everything that I own. So it's both. I think we're going to have to be very, very thoughtful about security in the AI space.
There's lots of talk about, like, "Hey, what happens when my developers dump all of my code in?" I'm not super concerned about that, and I'll tell you why. The reason for that is you have to have a lot of data to change a large language model. And then the person who's attacking you has to know that your data's out there and that it's a part of a model. And so it's pretty sophisticated. You would have to dump all of the entire source code in there — they'd have to know how to use it. You'd have to have all the secrets in there. So, yeah, I don't want our developers doing that, but at the same time, in order for it to actually go into a public large language model that's crawling the internet, you've got to really put a lot of instances out there for it to pick it up. I am much more concerned about what you've talked about here. I don't have the answer yet. It's one that we are all digging into in the security community and trying to figure out how do we not create these scary stories but really get finite user-centric details around what can actually happen with generative AI and what are the threats that are out there.
Do you think that it's worth slowing down the headlong rush toward passkeys and biometrics on phones while this gets sorted out?
No. No, I don't.
Why is that?
There will be times when technology doesn't move at the same pace. And so I think that we, as ferociously as AI is moving forward, we are going to have to move forward as well because if we stop the rollout of passkeys and biometrics, AI is still going to keep going, and those deepfakes are still going to happen, except for now, those deepfakes are just going to be using username and passwords. And so it's one of those things where it's like, no, you can't — you shouldn't stop, because ultimately the answer could be an AI technology. It will likely be that we fight AI with AI. And if we don't keep moving to advance these technologies, AI is not going to stop. It's not. As much as the flag has been raised and people said, no, no, no, you don't see it slowing down at all. And so, why would we slow down when we know that this technology is moving that we need to be able to protect and defend against? And so I would say no. Actually, what needs to happen is that we need to move faster, and we need to be uniquely acquainted with AI and all of the risk and vulnerabilities and threats that it presents. And we need to continue to evolve these technologies to go right along with AI.
I want to end with just a bigger-picture question. We've talked a lot about people in this episode, how they behave and what they like and what they'll do and how you can get them to act in a more secure way by making it easier, by reducing friction. You have a pretty unique background here. You came out of the Navy. You're a woman of color in the security industry. That's fairly rare.
It seems like understanding people's behavior broadly is really important to security, and the cast of characters in the community has been pretty narrow, been pretty insular. They've all pretty much looked the same, from the same backgrounds. Do you see that changing? Do you see that pipeline of people from the military, for example, from other walks of life, coming into the industry? How do you accelerate that? Because it feels like that's the key. You've got to understand the 73-year-old mom if you want to make passkeys work, and that the community understands itself right now.
It's my life's work to diversify the community that I'm a part of. It's important to me because diversity of thought is important — to your point, the 73-year-old mom, the person of darker complexion or darker skin. We have a ways to go. We didn't create the society that we live in overnight. This didn't just happen to us. This is hundreds of years in the making. It's been done through various mediums. And so what we're seeing now is the end result of intentional behaviors. And so what we need to fix this is intentional behaviors. We need people who are leaders who are willing to go and find diverse candidates and not say things like, "We're going to lower the bar." That's bullshit. It's bull. You're not lowering the bar when you go and look for candidates of color — you're going out of your comfort zone. And that's what I want the community to be honest about — that we are going to have to get out of our comfort zone to create a technical community that represents the world we actually live in.
There is not a place where one person with one train of thought can do everything for everyone because you're not going to be able to include everyone's hopes and dreams and wishes in that. But when you go and you seek out a diverse community and diverse thought, then you will get a larger intersection of the world. And it is my hope that someday I will look around and the world that I live in doesn't look like the world that I work in. I want the world that I work in to look like the world that I live in because it is incredibly diverse and it is a beautiful community of people who are brilliant and bright and who have all these great ideas.
And so we've got to be intentional. The leaders in security have got to be intentional about how we recruit, but not just how we recruit. Because I see tons of diverse candidates come in through the pipeline, they get new jobs, and then the culture of the workplace is horrible to them. We've got to retain those folks that we bring in. The culture has to be friendly. The culture has to be accepting. The culture has to be one in which people feel like they can bring their true selves to the office because when you do that, that's when you get brilliance. And I've said this to leaders that I've worked with before.
I've spent many, many times in many, many positions where I was not an authentic version of myself. I was a version of myself that I felt was appropriate for work. And I spent so much time being that person that there were many great ideas that I didn't bring to the table. And then I came to Okta. And I have been able to be a very authentic version of myself. You can't do everything at work. It's work. It's not recess. But what they have gotten is some of my very best work and some of my very best thought leadership because I'm not thinking about "Are they concerned about what Jameeka looks like? Are they concerned about how she talks?" They're not concerned about these things. They're concerned about, number one, "How can Jameeka bring her very best thought leadership?" But number two, "Jameeka also has unique challenges that the rest of us don't face, and we want to make sure that we're not a part of perpetuating that problem for her."
We have not been intentional about diversity. Looks like we're walking it back a little bit in many cases. And so I think that we have to be really intentional about diversity, and we have to be really intentional when we bring diverse candidates and employees in. We are also intentional about making sure that they are welcome and that their ideas are welcome and that we're listening.
Ultimately, when we think about these big jumps, there's someone out there who's going to solve this AI security problem, and we don't know where they are in the world. And if we're not looking for them, we're not talking to them, then we're never going to have the answer. And there are other answers out there in the world that we're not going to get because we don't have diverse audiences. And so that's my soapbox on that. But I think it's important to me. I've got a long time left in industry, and I think that it is going to continue to be a big part of what I do to make sure that we have diverse spaces where people can thrive.
It seems very important to me in the security space in particular that you understand the people — like all the people, not just some of the people.
But you've given us so much time, Jameeka. This has been an incredible conversation. That's a great place to leave it. It sounds like you have a lot of problems to solve, so we've got to let you get back.
I've got a lot of problems. I've got a lot of work to do.
We've got to let you get back to work. You've got to come back soon. Let us know how this passkeys thing is going. This has been great. Thank you so much.
Awesome. Have a good one.
Decoder with Nilay Patel