Securing Customer-facing Workflows for a Web3 World: OneSpan CEO
OneSpan CEO Matt Moynahan sat down with iSMG to discuss a variety of topics, including the security challenges businesses face as the internet evolves, how Web3 impacts identity verification, and the transformation he's leading at OneSpan.
Identity security, e-signature, and securing customer-facing workflows for a Web3 world
Michael Novinson: Hello, this is Michael Novinson with Information Security Media Group. I'm joined today by Matt Moynahan, president and CEO of OneSpan. Good morning, Matt. How are you?
Matt Moynahan: I'm great, Michael. Thanks for having me.
Novinson: You started as CEO at OneSpan just about a year ago, in November of 2021. And I want to get a sense from you of some of the biggest changes or areas of investment that you've had since joining the company.
Moynahan: November 29th marks the one-year anniversary, and I couldn't be more thrilled to be here. It's probably one of the most fun jobs I've ever had, taking OneSpan, with VASCO Data Security before they rebranded to OneSpan a couple of years ago, a long, proud 30-year history in the identity verification, authentication, and transaction signing space with, obviously, a leadership position in global banking and financial services. And, interestingly enough, the other side of the company was essentially an e-signature provider, an enterprise-class e-signature, and we've been hard at work fusing those two things together.
A lot of the investment has been around creating a cloud-based capability that allows us to secure the entire customer transaction lifecycle, which is really where we're pointing the company, to be sort of a Web3 security company that allows us to take all the products and services that we have and stitch them together to do what I think no other security company has done to date, which is secure customers as they go through the entire cradle-to-cradle lifecycle with enterprises online.
Novinson: And what are some of the issues that you've had to navigate as you try to bring those two disparate sides of the business together?
Moynahan: Great question. Security has always been around point products, for the most part. Customers have been forced to stitch together the various types of security capabilities. And in this new Web3 world we live in, which is incredibly dynamic and, obviously will become more so when the metaverse comes around, the old static model of stitching these things together doesn't create a good user experience.
I think the world needs a security capability that is seamlessly integrated and interwoven across each step of the workflow, so that it is hidden but at the same time, delivers a high degree of security. A good example would be people sending step-up multi-factor authentication (MFA). It really disrupts the user experience. You have to go get your phone. You have to do whatever... So it really has been bringing together the capabilities the company has, in a way that's hidden to the end user but done in an enterprise-class fashion.
Novinson: How has the dawn of Web3 and the upcoming arrival of the metaverse affected your work at OneSpan?
Moynahan: It's an extension. Identity is going to be at the core of everything. You've seen the explosion in the identity market, whether it's the identity access management or CIAM (consumer identity and access management) which hasn't really taken off that much.
All companies want to onboard customers. In order for them to grow, they're going online with more complex digital products. Those products are increasingly expected to be online by consumers. But there are a lot of regulatory and security threats when you're onboarding an unknown entity to a company, whether it be a hacker or infrastructure compromise or just the KYC (Know Your Customer) regulations that exist globally. And so the metaverse is really just an extension of another medium: physical, digital, and meta, in which identity needs to be stitched together across all three.
And then, obviously, you want to transact with those identities to go generate revenue and customer relationships. So I'm excited for it. I don't know what it will be. But I certainly can see use cases where you're going to need to make sure that identity, singular identity, is fused across multiple mediums to make sure that both security and regulatory issues are addressed.
Novinson: Now I think in September, you launched the Virtual Room. A two-part question for you. I was wondering, first, what was the impetus for that, and secondly, what are some of the most interesting ways you've seen the Virtual Room used since its launch?
Moynahan: I'm super bullish on this capability. In fact, it was started before I arrived, so I give the team a lot of credit. Essentially, we're just getting started with the notion of securing the virtual world.
I was in an investor meeting the other day on a Zoom call. There was three boxes up here, like you see with us today. And then another box came up with no video. And I went to navigate and look at who that was, because I didn't see anybody. And the person's name was Sean Williams. And a voice came on and said, "Hey, it's not Sean. It's Mike." And I said, "How the hell do I know? In fact, I don't know any of you."
So if you look at what's happening, even with Twitter, with Elon Musk putting out there, "You're going to go charge for a verified account" and then pulling back. He pulled back recently, because he was afraid of brands and enterprises and people being impersonated. No one knows who anyone is. I mean, I've met you before. We've actually met physically. But had I not met you, you don't know.
And the consequences are high. Web3 is all about deep fakes and fake content and fake artifacts. And if you look at what the hacker community is doing in criminal organizations, they're impersonating, whether it be web infrastructure or people. And so I think we're just getting going. And Virtual Room was meant to be a secure environment to conduct business. Zoom is not that. And I think our goal was to fuse the infrastructure required for companies to engage with customers and features like co-browsing and document signing and whatever it may be, but it's offering that secure experience that, obviously, can hold up in a court of law if, for some reason, something happens.
Novinson: From a personnel standpoint, I know OneSpan's made a lot of C-suite hires since you arrived as CEO. What were you looking for as you brought additional folks into the leadership team, and what made some of these individuals stand out?
Moynahan: For me, culture is everything. I don't want to be at a company I don't want to work at. So number one is getting a great culture in place that is motivating to me, personally, as much as all the employees. OneSpan isn't that big of a company. Right now, we're about a thousand professionals. So I call us sort of a tweener company. And our goal is to go from $200 to $500 million and then to $1 billion. To do that, we have to have people that are really in the owner-operator mindset, who have seen enough scale to know what it means to get to $500 million but not such a big-company person that they're just a people-manager and not a doer.
We're sort of a big startup. That is the mentality we're trying to have here. And just strike the balance between folks who have had scale experience and those who have that startup mentality, willing to work hard on outcomes. Which is a little bit different than maybe some of the larger organizations that have different types of structures and need more professional line managers, if you will. We're trying to be doers and managers at the same time.
Novinson: What's been the fastest growing part of the OneSpan business in 2022? And what have been the drivers of that growth?
Moynahan: Fortunately, we have sort of two sides to the house that are being fused together. The security side, which has been incredibly stable despite the macroeconomic downturn. Because most of what we do is identity verification and authentication, tied to online banking. So it's been stable even despite some of the the Russia-Ukraine conflict that has introduced some uncertainty in addition to foreign exchange fluctuation. That has been stable, which has been great, and that's the largest piece of our business.
The fastest growing one has been our e-signature business. We are the only other enterprise-class alternative to DocuSign, we're more secure than DocuSign, and have a better price per value than DocuSign. DocuSign has largely not had a lot of competition in the market for e-signature, and I think we're still very much in the early days of the signature market.
The market is waking up to us. Our brand isn't as well known. We're probably the most widely used e-signature platform outside of DocuSign, but we private-label everything, so you would never know it. But our brand is getting better known, and so we're getting pulled into much larger deals, and that has been driving our growth rates on the e-signature side better than any other product line inside of the company right now.
Novinson: Are you seeing a similar type of customer using the e-signatures? Who's using your security solutions? Or are these two fairly different customer profiles?
Moynahan: That's a great question. Today they're different, but they're coming together. So e-signature historically has been purchased as a capability to automate a physical paper process. And that has been largely driven by the digital transformation officer or chief digital products officer inside of the company. Our security products have been more with the online banking owner or maybe even a senior security professional.
But increasingly, people are realizing, particularly for contracting and other types of uses for e-signature that are externally focused or revenue focused, you have to get the signer's identity right.
So, identity verification, authentication, and e-signature are becoming incredibly important. In fact, Gartner came out and said that e-signature is becoming a feature, and I wholeheartedly agree. What you're really doing is providing cloud-based workflow, of which some transactions need to have a piece of paper associated with them, but it's critical that you get the customer right. And so you're seeing these two things come together as a joint offering, and they really have to go that way. If you're doing business with a hacker, it's not valid. So you need to make sure you get it right for both regulatory and security purposes.
Novinson: I want to talk a little bit about the market landscape. I know you discussed the e-signature side, but I'd love to hear a little bit more on the identity verification and authentication side, if you're in a competitive bid situation, who are you coming across most frequently and what sets OneSpan apart?
Moynahan: It's a great question. The identity space is so big. Everything seems to be identity these days. We operate in a fairly, I would say strategic, but smaller portion of the identity space. We do identity verification, identity proofing, and authentication really for business processes, for lack of a better term, and online banking, mortgages, things of that nature. So we would typically compete with, on the external side, maybe a Gemalto Thales who has similar capabilities in the token. RSA from time to time. Once in a while, we may see Transmit Security and passwordless security. That to us is a feature that we do. But if a customer is looking to implement identity and access management infrastructure, from time to time we'd compete with them and then once in a while Yubico with their YubiKey product on the security side.
Novinson: What do you feel sets your approach at OneSpan apart maybe from the Gemalto Thales as well as some of these smaller startups?
Moynahan: Listen, they're all good companies. Our stuff just works and works well, right? I mean, if we go down, banks go down. And that's our heritage. So I think it's the enterprise-class nature of it. We're able to support global companies globally. We're present in over a hundred countries and our background is banking. That's not for the faint of heart. It's been that way since we were a small startup in the VASCO days, and we've grown up with that as our core. So if you want a product that works and is resilient and highly available, you use our stuff. And I think that sets us apart from a lot of the startups. It's just the 30 years of history and trust that we've built up in high volume, high transaction environments like banks.
Novinson: I see. I wanted to talk a little bit about the macro economy as well, and I have a two-part question for you here. First is, with the rising interest rates, inflation, supply chain issues, etc., how has that affected customer buying behavior in recent months? And then secondly, what, if any, changes or adjustments have you made internally at OneSpan in response to the changing market dynamics?
Moynahan: It's a complicated environment out there, I don't know any CEO that's happy about it. And I include myself. But I would say it's really been twofold.
On one hand, we're fortunate that, because of the presence we have in the online banking community globally, that's not going away. And so that's been good for us. On the security side, because we do actually make physical tokens, we have had some challenges with supply chain and I spoke about them ad nauseam. Remember China's challenges, the no-COVID policy, all of that. Apple, obviously, is changing their production capabilities because of this. We do have a physical product that has been impacted with some of our SKUs from that side of the house.
On the e-signature side, it's really interesting. We're embedded in people's processes. We actually have downstream visibility when a bank or a mortgage platform is using us for re-financing. So obviously, the interest rates have really changed the nature of the transaction volumes and the BFSI vertical. And so I would say that has slowed down. In the past you would have people buying tiers of transaction volumes and going through them in the heady days with low interest rates. The opposite is happening now. And so the other thing we've seen from time to time, is that sometimes the top 10 list for IT projects gets whittled down to a top five or top three. And where e-signature falls into that category is really a company-by-company assessment. Security always falls in the top five for the most part, but e-signature is a little bit different. Not saying it's discretionary, but you'll see projects be pushed from time to time, depending on the company's financial health, if you will.
Novinson: And so what has this meant for you at OneSpan? Have you had any workforce reductions? Have you re-organized in response to some of these changing market dynamics?
Moynahan: No, we actually haven't. We've been doing pretty well, all things considered. We did do a realignment right after I came onboard, the old saying that if you change your strategy, you don't move people or dollars you didn't align to it. And so we did do an exercise about six months ago to really align our company to our Web3 strategy, but outside of that, knock on wood, we've been fortunate. We're heads down trying to build a really important company. Because of our foothold in the online banking space, we've been maybe buffered a little bit more than other companies might be, given the nature of our product set.
Novinson: So as you look ahead, what are some of the biggest bets you're hoping to make to capture this opportunity around Web3?
Moynahan: I really do believe in my heart -- I'm a 25-year security professional -- I do believe that we need to move from a product world to a problem-solving world.
The problem nowadays is no one knows who they're interacting with online. And they're conducting transactions of consequence.
If you look at the way the internet's evolved from 1.0 to 2.0 to what's coming in 3.0 and even if you think about 4.0 which people have already started to talk about in symbiotic relationships with machines and data and all that stuff. The security threats have been getting worse and worse and worse. There's never been more account takeovers. There's never been more credit loss, fraud, social engineering. Now we're getting into a situation where we've clearly seen economic warfare, corporate warfare taking place. It's a mess.
We've always had this juxtaposition where the internet gets more and more powerful. The security companies are reacting to it and they take products to go solve these point problems we have. We need to really think holistically. How do we stitch security through the business process from start to finish?
You can do that while delivering a great user experience. So no one is going to suffer a bad user experience and that's been the bane of security, which is: security gets in the way. [Security] is the department of no, you're locking things down, zero trust. Zero trust doesn't work on the internet. Maybe to protect your company, but now you're engaging with a consumer. [You can't] deliver a bad user experience or have too much step-up multi-factor authentication (MFA) or too many clicks to checkout. Everybody wants one click checkout. We're conditioned to that as consumers.
I think the IT security space has to move from IT to the world of enterprise engaging in a B2B2C transaction. That requires a completely different way of thinking. It's not delivering a product to protect an endpoint payload or the network infrastructure. It's how to deliver a capability that is seamlessly integrated across multiple steps, while ensuring a great user experience.
That hasn't been done by security companies yet. So that's where we're hard at work.