Bil Harmer, the recently appointed “chief evangelist” at identity security software maker SecureAuth Corp. of Irvine, wants businesses to safeguard their systems better and stop blaming individual employees for inadvertent data breaches.
“Security people and businesspeople have historically referred to the average user as the weakest link. That is not true,” Harmer told the Business Journal. “They are the easiest targets because they’re not security professionals.”
SecureAuth technology, used to protect access to systems, applications, and data, allows those so-called average users “to trust in the solution that they’ve been given by their company.”
The newly created role of chief evangelist makes him a brand ambassador and champion for the company’s growing base of customers, while helping to develop new standards in user identity security to ward off hackers and computer criminals.
CEO Hire
Harmer has more than 30 years of experience in leading security initiatives for startups, government and established financial institutions, including the creation of a security audit methodology used by the software as a service industry.
His background also includes a stint as global privacy officer for the cloud division of German software giant SAP.
Harmer is one of the first hires of new SecureAuth chief executive Martin Savitt, who took the job in November.
“Bil will play a major role in guiding our customers into the future built around an identity-centric security program,” Savitt said at the time of Harmer’s appointment.
Along with the chief evangelist title, Harmer is also SecureAuth’s chief information security officer (CISO), a job he says makes him responsible for ensuring “that our house runs clean, efficiently, securely.”
Airlines, Insurers
SecureAuth, founded in 2005, has more than 600 customers globally, and its products are offered in cloud, on-premises and hybrid deployments.
Clients include two of the three top health insurance companies in the U.S. and three of the top five U.S. airlines, according to the company.
SecureAuth’s subscription software is used by companies including Scripps Health, Michaels, Estée Lauder, Southwest Airlines, Qualcomm, Western Union, Carnival Cruise Line and the U.S. Environmental Protection Agency.
The privately held company doesn’t disclose sales; as of 2017 it was estimated to have an annual run rate in the $100 million range.
The company said it had a “strong second half” of 2019, and foresees 100% growth in new business in 2020.
The Romanian CEO?
SecureAuth asks ominously in a pop-up ad on the internet: “Does your CEO normally log in from Romania?”
Identity is the primary security weakness at most organizations, Harmer said.
Identity represents the “core future of enterprise cybersecurity.”
The SecureAuth system, based on what it calls “adaptive authentication,” considers various tools to determine whether someone should have access. There are 30 methods ranging from mobile push notifications to one-time passwords and biometrics, all provided as part of the multi-factor authentication.
Harmer said the possible security checkpoints in the future include facial recognition and fingerprints, as well as a person’s rhythm and cadence of typing on a keyboard, with some of them used in combination. Even voice recognition, DNA and retinal scans could one day be identity security elements, Harmer said.
“Maybe you get an SMS text to your phone or you have an App on your phone that creates a six-digit code that cycles every 30 seconds,” he said. Asking personal questions to get correct answers is another option.
By analyzing multiple characteristics around a device as well as location, IP address, and behavior, it becomes clear if an identity is known or unknown and the appropriate access decision can automatically follow.
“We’re trying to get away from the password, we’re trying to get away from changing the password every 60 days, every 90 days,” he said. “We’re trying to put tools in place that allow that.”
Bank Information
SecureAuth estimates organizations leave about 40% of their resources protected with only a password, leaving them vulnerable to attack.
How many steps should there be for the average user who wants to use his or her computer to look up personal bank information?
“I don’t know where the limit is,” Harmer said. “I think in a practical day for (an) average user just going about their business, probably three, would be about level.”
The goal is still to make accessing a computer or data easier, and he says change is on the way.
As an example, using a laptop inside the office may call for one level of authentication, while taking the same device to a nearby Starbucks or on a business trip to China would require higher levels, he said.
Zero Trust
“We’re in this zero-trust world in which the primary message to users is to trust nothing. But that’s not conducive to managing a productive workforce,” Harmer said. “I see SecureAuth as being the company that can bring trust back to a zero-trust world.”
According to Gartner’s 2019 Worldwide Security Spending Projection, global spending on IT security reached approximately $125 billion last year, “yet we saw a record number of breaches last year and probably will again this year.”
Still, Harmer cautioned to “never talk about totally secure because nothing is. We’re just talking about reduced risk.”
Toba Capital
Vinny Smith’s Newport Beach-based Toba Capital previously held a 45% stake in SecureAuth. Toba cashed out in late 2017 when SecureAuth agreed to a $200 million sale to El Segundo-based private equity firm K1 Investment Management.
The company has about 250 employees, with half of them in Irvine. Staff members are called “dedicated identity professionals.”
In addition to its Irvine headquarters, SecureAuth has an office in Buenos Aires, Argentina, and employees around the world, including Canada, Australia, and the U.K.
