May 21, 2025
00:03 JORDAN: Hello and welcome to the Security Podcasts from Security Magazine, where we talk about all aspects of security, from leadership, security posture, risk management, and much more. I’m Jordan Elger, Managing Editor at Security Magazine. Today we’re here with Dave Cox, CEO and co-founder of ID Dataweb, an organization detecting identity fraud and mitigating those risks in real time. Welcome, Dave.
00:27 DAVE: Thank you, Jordan. I appreciate your time today and look forward to this conversation.
00:32 JORDAN: So do I. Thank you. So getting us started, can you tell us about your background and career?
00:37 DAVE: I finished up a master’s in engineering from MIT and would work as an energy economist. So right away, people were saying, why didn’t you use your engineering degree? But then went on to run a company, sell a company, and got involved with venture capitalists, which is kind of an interesting path, but worked with Bank One Equity Capital, which was a $2 billion evergreen fund out of Chicago. They got merged into, when Jamie Dimon joined them, he merged them into Chase Capital Partners, and then I went my separate way, eventually really spending a lot of time in security and identity as not only a hobby, but a real interest and passion of mine. So we joined up with some friends who became partners, ultimately. We raised some money, but ultimately just started a company from scratch called Criterion Systems. That was a government contractor we sold two years ago, grew it up to several hundred people, like 500 people, doing work in cybersecurity as well as various types of national security interest roles across the country. Things like the security associated with the movement of nuclear weapons and things like that, or three-letter agencies with a lot of things we can’t really talk about. Now, as part of one of the things that we did there, we were working with NIST, the National Institute of Standards and Technology. They, during President Obama’s first term, started an initiative to create an identity ecosystem. And that became a series of projects that were funded by government under Department of Commerce, one of which we submitted a proposal and won to create an identity ecosystem. Just before that, I filed the patents on what eventually became ID Dataweb’s core infrastructure. 
And then we went and started working with folks like Google, Facebook, Microsoft, others, the biggest players in the industry, who were trying to resolve this problem associated with identity at internet scale, how to make it secure, resilient, interoperable, and of course, interoperable means a lot of things from a privacy perspective as well. So we actually implemented our initiative successfully with some very, very large enterprises, as well as government agencies, graduated from that, and that became the basis for ID Dataweb. We raised a little bit of money, put a little bit of our own money in there. And then what happened was we started getting some real interest from major customers. What had happened in parallel throughout this was identity fraud and account takeover became more and more prevalent, not just with small enterprises, but identity theft and wholesale from every firm, large corporations, healthcare institutions. And that’s what we did. And that’s what led us to the Credit Bureau’s globally data about users and individuals of being stolen and used for fraud. So as we rolled out, we found that there was some really interesting perspectives that you have to think about as organizations move towards digital interactions, you need to ensure that there’s trust of who is the other person on the other side of the line, and are they the same as the physical person that they expect to interact with? At the core of this is trust. If you trust as an individual, the organization you’re dealing with, or your trusty enterprise that you’re employed with, or your trust as a partner, you’re trusted to come in and do work in their environment, then everything goes well. It’s that question of, is enough trust able to be measured in such a way that you can secure the enterprise from fraudulent activities?
04:19 JORDAN: Would you consider today’s business environment unstable or chaotic? And why is that?
04:25 DAVE: Well, I’ve been through a few of those in the past, and reality is that as business environments change, whether they’re driven by external policies, internal policies, new technology, everybody has a huge, a unique perspective on this. So if they feel threatened by a change in any of these factors and policy, or if they’re being bought, for example, or integrated into another enterprise, there’s always going to be a lot of chaos associated with those. There’s an instability. But what we try to do is resolve the very core of what they’re doing. They’re offering services online or interoperating with, again, third parties, whether they be partners or government agencies. Well, this is where the interaction is trying to, they’re trying to resolve who is this person coming in, not only when they create an account, but every time they log in. So this uncertainty gets compounded by the fact that there’s been some increase. And the number of tools and awareness that people can be compromised if they don’t protect their enterprise effectively.
05:32 JORDAN: In chaotic or unstable environments, what’s the biggest risk that security teams tend to overlook?
05:38 DAVE: Interestingly enough, I think people are aware of it, but insider threat tends to be something that in chaotic environments can drive compromise of individuals. But also, again, you have folks that are now using AI-driven spoofing tools, deepfakes, if you will. Everything in the environment is becoming interconnected because now we have these smart devices on our hips or we’re driving around in smart cars. We have smart networks. Applications are getting easier and easier to work with, but you need to really consider what happens. There are trade-offs that you have, obviously, clearly, with basically users coming in and giving them access to the user interaction with that, that system. So you need layered defense strategies that account for signals or contextual signals, not just static controls like giving somebody a login credential, a username and a password in the old days, but now even smart cards, because those can be compromised and they have been. Credentials get stolen all the time. So if you do this in a way that the security teams can take into account all of these different use cases, some of which are employee-centric, others of which just used internal applications, some of which are exposed to contractors, others of which are purposely exposed to consumers outside of their environment. Well, each of those have a lot of interesting trade-offs that you have to deal with. Mostly if you’re going outside, obviously you’re going to, you want to, you want to contextually increase the friction. So if you’re going to move money in a bank transaction, you probably increase the friction significantly, like taking a selfie with and checking biometrics as well as the device and a variety of other tools that are available. 
So that’s, you know, what, what is available today to most organizations is, is really, really very state-of-the-art services that can help them and across any, any kind of application that they expose, whether it’s internal, external, or to consumers. So that’s what we’re finding is, is that. Yeah. A lot of the security teams, security teams, you know, may not be aware because identity is kind of a special application space. But they’re becoming more aware and we’re trying to do the best we can to make them aware especially as they work in communities like let’s say aviation or healthcare or government financial services, where there are a lot of different actors that are moving constantly in that environment.
08:52 JORDAN: How do organizations do that? How do organizations balance security with the user experience in periods of uncertainty?
08:59 DAVE: That’s a great question. Well, you know, if you remember, I remember a time when, you know, username and password was what you used for getting access to everything. Then people realized that wasn’t strong enough so they did a one-time out-of-band, you know, PIN code and then they figured they could hack that. So as time goes on, what consumers, you and I are consumers, we’re going to have to figure this out. So we, you know, we want to trust. If we don’t trust an organization, if trust gets violated, you’re not going to use it. You’re just going to stop. And particularly if your private information is shared on the web and so, you know, their privacy concerns aside, you have security concerns. The fact that you are exposed to risks. You don’t want to be going into, you know, and check into a pharmaceutical environment to buy drugs. Right. Everything is compromised, for example, or likewise going into a hospital where something associated with the health is compromised. This is not an option. It’s like when you start messing around with security, it’s almost like taking away food from people. You need to have it. There’s no option not having it. So instability is one of those things that in a way makes people want more trust because they feel more comfortable with those organizations. How much money do we spend on brand awareness in these major organizations? Well, one trust violation and you can lose all that money that you’ve invested in your organization very quickly with your constituents. So I just think, you know, as we go through these periods of uncertainty, whether they, you know, no matter where they come from, you are going to, I think we’re going to see more and more friction in the interaction. And I think consumers kind of expect it unless you’re just going into, you know, download an app or playing a game or something like that. And even that you want to trust the source of that. So it’s a, it’s a, it’s a real interesting trade-off. 
It depends on what you’re trying to do, the security associated with it and the risks associated with it.
11:06 JORDAN: Has external instability, economic, political, or other led individuals to change their security posture?
11:14 DAVE: Well, I’m not sure I’ve seen that. You know, what we’ve seen is an expansion of, from enterprises now really. Yeah. Starting with one use case or two use cases, and then suddenly going, well, that works so well. I want to expand across all these other use cases that we normally wouldn’t try to secure. It’s partly because, you know, the more tools become available, you can begin to examine the risks and the fraud, fraudulent activity in terms of actual indicators, and that makes people more aware. So I think, I think external instability to the extent that, that it’s perceived as an instability or a risk by an enterprise, they tend to want to lock down a little bit tighter because they want to manage the trust, the trust, again, their brand and the interaction they have with these different constituents. So you can’t, you can’t stop it once you get going, because if you, if you open yourself up to the risks, you’re, you’re not going to be around for, for very long. And we’ve seen this time and again. We see it in the marketplace, where people who don’t protect their enterprise properly are just not around for, for, for a very long time.
12:25 JORDAN: And is there anything else that we haven’t talked about that you would like to add?
12:29 DAVE: I understand how instability, it makes it difficult for enterprises and companies to, you know, change their strategy, but what we’ve, what we’ve tried to do in, in, in some cases, you know, as markets have shifted, take, take the real estate industry where people are work, started working from home during COVID and they’re grappling with remote work. Well, you know, that’s, that industry has gone through a huge change, state change, and it still will take many years to recover government contractors, you know, working remotely and suddenly having to come in, for example, is really changing the way people interact with their customers as well as their, their, their employer. You know, you can go on and on and say, there’s a lot of things that are shifting, even in the airline industry, which they now, you know, seem to be in the news almost every day, whether it be through FAA’s exposure or others, you know, the, the, the accidents that are going out there, they’re just, people are very, very sensitive and they need to have the ability to roll out much more cost-effective security solutions in a way that is easy for them to deploy and measure the outcomes from it. So, you know, I think, I think people want to have a single interaction with a single contractor, single contact contract. The ability to play different tools and, and manage the risk on an ongoing basis, because it’s not static. You can’t just say, hey, I gave them a really strong credential and that’s good enough. That’s not anymore. That’s not good enough. So having adaptive authentication when you have a strong credential, it’s a, you have to have it. Robust fraud mitigation, fraud proofing while they’re starting out the process, even in turbulent times, this, this, this is the way you begin to train your, your constituent users. 
But also… You know, get them so that they’re aware that you are taking care of them and you’re not going to compromise their security or their privacy as they interact with your, your enterprise. It’s, it’s, it’s, you need to have it, especially in uncertain times, but if you’re going to maintain a brand, that security and trust is a competitive advantage. And I think organizations that are aware of that will be here for a long, long time and be prosperous.
14:49 JORDAN: That’s all the time we have for today. Thank you. Thank you for joining us, Dave.
14:53 DAVE: Thank you, Jordan. Appreciate you taking the time.
15:08 JORDAN: This podcast is sponsored by Security Magazine. Thanks for tuning in. I’d like to take a second to invite you to subscribe to Security Magazine and follow us on LinkedIn, Twitter, and Facebook for the latest and greatest in enterprise security trends and thought leadership. That’s www.securitymagazine.com forward slash subscribe to sign up for free access to our e-magazine, e-newsletters and website and find us on all socials at Security Magazine. Happy listening.