What does a director of fraud and identity do?

Chris Sienko: Hello and welcome to another episode of CyberSpeak with Infosec, the weekly podcast where industry thought leaders share their knowledge and experience in order to help us all keep one step ahead of the bad guys. As part of Infosec's effort to close the skills gap and empower people through security education, I'm happy to announce that we're launching our annual scholarship program this month. Visit InfosecInstitute.com/scholarship for the full scholarship details. In line with that goal, over the next four weeks, we'll be speaking with diverse and interesting women in the cybersecurity industry, including today's guest.

Kimberly Sutherland, senior director of fraud and identity strategy at LexisNexis Risk Solutions leads the America's commercial market strategy for consumer fraud analytics, identity verification, authentication, and fraud investigation. She joined LexisNexis Risk Solutions in 2006. With over 20 years of experience leading business strategy and product management, Kim's responsibilities have spanned from building global professional services practices to developing cross industry best practices and technical standards. Kim is vice chair of the Open Identity Exchange and serves on the Board of Women and Identity. She's a graduate of Vanderbilt University and Otterbein University. Kimberly, thank you very much for being here today.

Kimberly Sutherland: It's an honor to be here.

Chris: Thank you. So, to start at the very beginning, how and when did you first get started in computers and security? Were tech computers and security always your main interest, or did you move down that avenue later in life?

Kimberly: I mean, I definitely see technology as a way to get to a solution versus the solution. So, from my standpoint, I became interested in technology, which then of course became computers and other aspects, just to address information assymetry. So, really, I think from the standpoint when I was in graduate school focusing on public policy, I really started understanding that the disparity between individuals and their ability to have access to information is greatly driven by the tools that they use and the availability of data and information. And so, I think maybe, gosh, 30 years ago, that really started becoming interesting to me.

Chris: Okay. So, that's a very interesting subject. Now, tell me a little more about that, with regard to sort of information accessibility and who has the means of information and so forth.

Kimberly: So, I think I've coming down the path for the world that I'm in now in a very different path than just maybe programming and those kinds of things. In undergrad, I was Pre-Med in human and organizational development, so I'm really focused on how organizations work. And I thought I wanted to be a doctor at that point, as most people kind of have these different dreams of themselves versus what they really do. I decided that I wanted to deal with big world issues, and back then, there wasn't even managed care so access to health insurance was a real challenge. So, the people I wanted to serve couldn't even get access to health information or to health care.

So, I decided to go down the policy route, so I went to Vanderbilt Institute of Public Policy Studies for graduate school and focused on health policy and at risk populations. And that's when I started understanding things around health commercials first started coming on the scene, and how do I look at a commercial and assess whether or not it's accurate or not? How do I look at things like... WebMD didn't exist at that time, so how do I get access to information so I can work with a doctor and be able to diagnose myself a little bit, or at least have accurate information, so that I can be on a more level playing field? So, it started with simple things like that, but the answer to all of my issues always dealt with getting better information, getting access to that information, and technology has always been the key.

Chris: And how did that transition into, then, going from access to the information to securing the information?

Kimberly: Yeah. So, I think that when you start looking at data quality, you start also looking at who has access to it and how secure is that access and issues around privacy. So, I went from a Master's and Doctoral program in public policy to actually getting, later, an MBA focusing on technology management, and that's where I really started understanding more about security, privacy, and really, the importance of building strong ecosystems and protecting data.

Chris: So, tell me a little bit about LexisNexis Risk Solutions. I mean, I know personally, when I think of the name LexisNexis I think of their research databases for libraries and for lawyers and so forth. So, what are some of the principle areas or specialties that the risk solutions arm of the company provides?

Kimberly: Yeah, that's a great question. And I actually knew first about LexisNexis, also, from the information standpoint before there was Google. That's what I used to be able to [inaudible 00:05:15]

Chris: That was the gold standard. You know, the one person that you knew who had a LexisNexis account, boy, everyone... Yeah,

Kimberly: That's right. It was in my law library, and that's what I used because I knew that was quality information. But we are a risk sciences company. We're focused on helping organizations use data and analytics to make better decisions on some real world issues. So, again, that's where we're looking at some of the most challenging topics but looking at it from a data and analytic standpoint and building solutions to help our customers make better and faster decisions.

Chris: So, what are some of the most recent issues and solutions that you've presided over and worked with?

Kimberly: Wow. So, we look at issues ranging from cyber crime, identity theft. At the core, of everything that we do, it really does focus on financial inclusion and financial transparency, so those two are kind of like the pillars for us. And then, from there, all of our key areas kind of build from there. So, we have a whole practice around fraud and identity management. We have an area that focuses on business risk management, on credit risk decisioning, on how we deal with collections and investigations. So, all of those areas, and really being able to hone in on different markets and around the world, kind of helps us to leverage all of our data assets and our in our analytics solutions to build out models and then try to address specific issues that commercial organizations, government agencies, and nonprofits even think about.

Chris: Two of the topics that you mentioned in our sort of pre-meeting here that are very interesting to us at the moment at Infosec, are identity proofing and authentication. We've talked about those sort of regularly on our website. What are some of the emergencies of authentication, and is the news sort of covering these properly? Are they not fully understanding them? What are some of the ramifications of a lax authentication system for your organization?

Kimberly: So, I think identity proofing is often overlooked. People think about authentication a lot because it's something that is dealt with every day, right? You log into websites, you have to provide passwords, you go to airports now, and they're starting on the scan biometrics. So, that whole concept of authenticating yourself, or even your phone, right? Your mobile device now either has a numeric code that you put in, something that you're swiping, or a biometric that you're using. So, it's really interesting to see how much authentication itself has become a common thing for people to think about. A lot of people think of it as a painful process, and getting people to start thinking about the importance of having the right person access services and accounts is a thing that, I think, is becoming more commonplace. But identity proofing is one of those things that I think doesn't get talked about as much.

I'd say it's not as sexy to a lot of people, but it's [inaudible 00:08:39]. Before I start to give you authentication capabilities, I really need to know, are you the person that you say you are? And that varies based off of the type of relationship that I have with you. There are times when maybe all you need is my email address, and there are other times where I need to have your name, date of birth, your address, your phone number, and a host of information because that's the type of access that you're going to have in the end. So, those are the topics we look at. We see that identity proofing varies by industry, and it also varies by country in terms of what's expected, or region.

Chris: I see. So, when I think of identity proofing, as you describe it, I think of the times that I have to call my bank and they ask for the name of my first dog and what street I grew up on and all these different things. So, obviously, finance is one that that does a lot of identity proofing. What are some industries or areas, sectors that could stand to do more of that, that aren't doing it right now?

Kimberly: So, I think that all industries are really paying attention to that much more. The things that are more entertainment driven or from more of a social standpoint, maybe have less rigor in their processes, but there is a reason to do some form of identity proofing, even if it's just to improve the customer experience so that you don't get asked over and over about your mother's maiden name or your dog or all those things, because that example that you gave is actually authentication, it's not identity proofing. Proofing happens when you opened your bank account the first time. They make cues to proof you subsequent times, but every time you want to interact with your financial institution or the company you want to do business with, they shouldn't treat you like a stranger every time you go to access them.

So, we care about that, and we also care about all the channels that you are interacting with that company. Because in the past, much of our transactions were in person, but that's evolved over time. Now, we are dealing with individuals that are 100% digital. They may only interact with their financial institution via their mobile app or via their website or something in a browser. And so, in that situation, the way that you proof that identity the first time and the way that you authenticate them ongoing is very different.

Chris: Do the issues of identity proofing vary between private and corporate entities and government entities? Do they all sort of have the same problems or are there sort of specific issues that large companies, small companies, private, public sector, so forth, have to deal with?

Kimberly: At the core, the situations are very similar in nature, so whether you're a government agency or a healthcare organization, you have a lot of the same issues. What is different is that there are different laws and regulations that different industries follow, and so it's important to pay attention to those and then work with vendors that can help you achieve those requirements.

Chris: Oh, that jumps perfectly into my next question here. How do you feel that recent measures such as Europe's GDPR and California's CCPA are going to affect the issues of authentication and identity proofing?

Kimberly: Well, I hope that any law that is developed helps to strengthen security practices and put organizations in a position to not have more fraud, but one of the core tenants of those two laws was also around privacy. And being able to respect the privacy of individuals and ask for consent is really an important thing. I think that more and more companies are trying to build models that are built on... A concept they talked about a lot is privacy by design, that you don't try to add privacy at the end of something, but you went into the process thinking about it early on. And to ask for consent, it's only one of those logical things, right? I really want to establish a trust relationship with the company I'm working with or the agency that I'm working with, and so to build that trust relationship, I should consider to ask you, "Is it okay if I do this?" and to give more visibility of how I'm going to use that information and to use the information for the purpose that I intended to.

So, I think that's at the core of those things. And so, from a standpoint of is this the right thing for consumer, I think it makes a lot of sense that we have to always make sure we have those carve outs to address privacy... or sorry, to address security and fraud prevention as well. Because, as you can expect, a fraudster probably isn't going to want to give consent, so let's make sure that we do things to also protect the organization and protect the consumers' accounts and their identity information.

Chris: Would there be a possibility of creating something like a parallel track, something similar to a GDPR or a CCPA that specifically deals with identity and authentication? And if so, if you had the sort of magic gavel to do that, what would you sort of put into such a law?

Kimberly: Yeah. So, I do love public policy a lot, but that is not my job.

Chris: Okay.

Kimberly: So, I definitely think that... I would love to be able to give, again, focus on putting the consumer first in the process, making sure that the identity proofing and authentication processes are consumer centric, but also protect against fraudulent activity. But in terms of how that would look, I would defer to those experts that have really studied that area a little better than me.

Chris: Okay. So, walk me through your everyday work day with LexisNexis Risk Solution. As a senior director of fraud and identity management, what are some job duties or tasks that you perform every day, and what are your favorite aspects of the job?

Kimberly: Wow. My team and I spend our day really caring about the overall market. So, how our customers, and those customers again, range from financial institutions to healthcare organizations to delivery services in transportation and hospitality, how they are interacting with their end customers, you and me. So, my day is a lot about what I do in my off hours, right? So, I might need to have access to my bank account so I can look at my balance or make sure a check went through. So, then we're thinking, what is the best way to help the banking customer get access to their account in a safe manner? I may need to transfer funds to one of my children who happens to live out of the country while they're going to college. So, how can we deal with cross-border transactions?

I may be watching CNN when I get home, or some other news media outlet, and I'm listening a little about the latest thing that passed at the federal level in the U S or outside the country, and so, then, when I'm back at work, I'm thinking about how do the new laws and policies impact our current product portfolio? And how do we modify to be able to align with these new regulatory guidelines? So, I work with the sales team, I work with the product team, I work with their marketing team, I work with a host of support services to make sure that we have the right solutions for our customers. And then, I spend the other part of my time listening to customers, right? Understanding what they need, understanding what their consumers need, and then thinking about how that translates back to the offerings that we have.

Chris: So, really, it sounds like, based on what you're saying, that what you're working on is basically ripped from the headlines. You're seeing real-time risk issues that are coming in. You can come in the next day and say, "All right, this is the next thing we need to do to sort of keep our portfolio fresh."

Kimberly: That is the most fun part about dealing with fraud and identity, and any fraud and identity professional will tell you every single day is a brand new day for us, that there is a new issue to deal with. There is no stale issues and fraud and identity. Fraud and identity constantly evolve, and so you're absolutely right. We don't want to be reactionary, and so we're always trying to pull further out. So, a lot of times we're doing a lot of of fortune telling, almost. We're trying to guess where things are going head, but we spend a lot of time looking at trends and then how that translates into the future from a fraud standpoint. And a great example is, a few years ago the word of the year was selfie, and when that became the word of the year, I said, "We have got to get that much stronger focus on biometrics because this is going to be the wave of how we deal with authentication."

And that was well before we started using facial recognition in a lot of our solutions, but it just kind of goes back to, again, looking at at trends. Because the one thing in focusing with consumers, it's really about what consumers are willing to do. When you work with employees, companies can tell employees to do a lot of things that a consumer would just go to another company to find an alternative approach. So, we really are paying attention to trends in the marketplace. We're listening, we get our inspiration from things we hear on the radio as we're driving into work, things that we see in the news, or even a sci-fi movie that we watch on the screen, because eventually, we see those things actually happen in the real world.

Chris: Yeah, those are going to catch up to us eventually.

Kimberly: Yeah. Or maybe they already have now [inaudible 00:19:36]

Chris: Yeah. They're happening, and they're gestating somewhere in a corner of the world.

Kimberly: That's right.

Chris: So, as I mentioned at the top of the show, this month, we're talking to women in the cybersecurity industry and women of color and people of color in the cyber security industry, and I just wanted to ask you a little bit about it that. What has been your experience as a woman, and specifically a woman of color, in the security and cybersecurity field? What are some specific challenges and setbacks you've maybe had to endure that are not likely put upon men of a similar background and skill set, and how do you overcome them?

Kimberly: Right. So, I have never thought of being a woman or a person of color as a challenge for me. I see it as one of those great assets that I bring. So, I often look at things in a different manner than maybe someone who doesn't have the same background as myself, and sometimes people tell me that I have a mothering mentality, which was quite funny to me. But I think in general, the benefit of having a different perspective than, maybe, all those around me is that it gives me the opportunity to present new ways to solve problems. It gives me, maybe, a more connected view sometimes to our customers who may look just like me, because we definitely are seeing a big change in who sits at the table to make decisions, those buying decisions, those key decisions around how companies evolve. And so, as those become more diverse, the vendors also need to be just as diverse. So, I think that I'm starting to feel a whole lot more comfort at the table.

Chris: That's great to hear, so I'm glad to hear that. So, what can we do in the tech and security fields to make tech careers more accessible to women? And conversely, I mean, you sort of said it with regards to the problem solving, but how can we make the tech industry as a whole understand that more women and more people of color in tech ultimately make the entire industry stronger?

Kimberly: I think as the problems that we try to solve become more complex, we have to be able to solve all those problems in new and more innovative manners, and that requires different ways of thinking. And so, I think that, naturally, organizations are going to have to evolve to be able to add more women, more people of color, people from different backgrounds in general. Right? So-

Chris: Yep. Economic backgrounds and... Yeah.

Kimberly: Absolutely. And even also from a geographic standpoint. There may be a way that something's being solved in Israel or Australia or Singapore, completely differently than we've been solving it in the US, and so it's really important to get a much more diverse perspective. But the way that companies are going to need to do it is that we're going to be much more patient in our hiring. It might not mean that we can fill a position in two weeks, we might need to cast the net broader so that we can get the right individual. Instead of taking two weeks to fill a position, maybe we spend two to three months to find the right individual that's going to give us that additional asset, that additional perspective in that process so that we can better solve our problems for our customers.

So, it does really become a financial decision. It's the smart decision to grow a business, to get more revenue, to be able to address more customers, and you're going to have to do that not with everybody being the same. It also means, though, that companies have to invest in their existing personnel to keep them, so that means mentoring programs, it means developing affinity programs when someone needs to have a like individual with you. I said that I went to Vanderbilt University for undergrad and grad school=, actually, and there were very few people of color on campus. And so, while again, I've never thought of my personal background being a limiting factor, there are times when you can feel like an outsider or feel lonely when you don't see anyone like you. And so, being able to recognize that it's not wrong for like groups to sometimes congregate to share information. It's one of those learning lessons for organizations, it's not bad for there to be affinity groups. It actually helps bolster the individual so that they can continue to excel and rise in a company.

Chris: Right. So, I think that that's worth noting. We've even heard that a lot, but I think it's worth noting that this isn't just going to be a matter of looking for the right diverse candidates, but also sort of fostering the culture within the organization in ways that it's more comfortable and you don't, like you say, constantly feel like you're sort of alone in a corner or on a different wavelength or what have you.

Kimberly: That's right. And developing effective mentor programs is really important as well, and it doesn't mean that a female needs to be mentored by another female. It's really, again, helping people grow in their strengths and to identify the weak areas also and grow those. And so, maybe I need to be paired with somebody who his a male in the technology area or a female in the finance area or someone in the legal area. So, find out what people's interests are and really help the... And this is something that, I guess, it's not even limited to trying to address females and people of color, it's for all your employees. If you want to retain and grow your employees, find their passions and help strengthen them.

Chris: Yeah. I mean, you could even do a do a round robin rotate, so you have multiple mentors at that rate.

Kimberly: Absolutely.

Chris: So, what tips would you give to women and people of color currently entering the world of cybersecurity?

Kimberly: Definitely play to your strengths. Don't feel that you have to have one path that you go after. Again, my background started with public policy. I entered the technology space by looking at consumer empowerment, right? Again, addressing those information assymetry areas, and how do we give consumers access to things and let them do more self-service, and those pieces of it. That's a different approach, but I'm going to play to my strengths. And so, I went down a path around consumers. I think that every person brings an area that they're passionate about, and I think that they can build onto that and, really, then find others that can see the value in their vision.

Chris: So, for companies that are trying to recruit more women and minority professionals, what should they not only do to find these candidates and hire them, but to make themselves more desirable to these professionals that they're trying to recruit? I think we talked a little bit about this with corporate culture, but is there a way sort of maybe even at the application process you can say like, "This is a welcoming space. We are committed to a diverse workforce," things like that.

Kimberly: I think it's easy to market a company when you're already doing a lot of the right things. So, before you start to tell a great story to prospective candidates, do the right thing internally within your company. So, a couple of things I'm really proud about with LexisNexis Risk Solutions is that we have cares hours, so we give employees a set of hours that allows them to spend time doing work in the community. That's something that appeals a lot to Millennials and definitely to women, as well, but to all of our employees. It's amazing to see the types of things that people do in their off hours. Some people maybe work with Scouts, other people work with seniors, people work around the world with different groups. And to know that your company is really focused on trying to have a connection with the community and allowing their employees to try to help others, it's really a powerful thing.

So, that sells itself, if you explain that's what you deal with. Having flexible hours, everybody's work day can't start and stop at the same time. Life kind of gets in the way, right? So, being able to try to give your employees enough flexibility that they can work with than some standard hours, but maybe if they need to work a little later on some nights and leave a little early on others to address things around child care or whatever, or senior care, because many people are not just dealing with children but also taking care of their parents. Those are important situations.

And then, also showing that you care about their thoughts from a professional standpoint, and so showing the types of things that innovation in your company can do is a really great opportunity to try to attract females and, again, all employees. I mean, those are the types of things that people care a lot about now. What are you doing with the community? What are you doing to show that I need some type of work life balance? And then, are you helping to foster my interests?

Chris: Yeah. This is the next step after the obligatory free foosball in the break room and stuff like that. These are much better incentives, I think.

Kimberly: Absolutely. Those are the easy things, right? So, having beer in the fridge and foosball, that might get a few people, but that's not going to keep your employees and that's definitely not going to help me grow professionally. So, I think those are the key items that I, at least, see when I talk to others.

Chris: Yeah. So, as we wrap up today, what are some security issues pertaining to identity and authentication in 2019 and beyond that you are currently watching out for? Like you said, you're watching the news every night, so what's on the horizon for 2019?

Kimberly: Yeah. So, I think the two things that I would definitely focus heavily on is the intersection between digital and physical identity. Most of us have very strong digital presences now, right? We have social media accounts, we access things with sometimes our email address and you never even know our name. We use our devices for everything. If you are missing your device, it's like you've cut off an appendage, right?

Chris: It's the end of the world. Yeah.

Kimberly: That's right. So, being able to understand somebody's digital identity and how that intersects with their physical identity is where we're seeing a lot from our... And physical identity and main things like standard things that we think of, name, address, my driver's license, all of those types of things. So, how do those things intersect? Because most companies care about working with a real individual. I just saw a thing on the news yesterday about fake likes on accounts and fake evaluations of services, and so being able to tell if that is a bot or if that's a human is really important. And that [inaudible 00:31:20] such in between physical and digital identity really helps us get there. So, that's one topic.

The other thing is omni-channel. That, as a consumer, I want to be treated in a way that makes sense when I'm interacting with an organization in person, and there might be a different way that you need to treat me when I'm online. Or maybe if I buy something online and I want to return it in the store, that you don't put me through some very rigorous process when it's the same identity. So, trying to help our customers deal with omni-channel solutions is really important. Those are the two, probably, big issues that I think that we're focused heavily on.

And I guess the third one would just be around how can we limit the amount of friction in the process to make that consumer experience as positive as possible, while helping to grow other companies bottom line, right? We want people's... Or top line, actually. We want their revenue to go up, and we want to make sure that we are giving the best customer experience possible, so eliminating friction and only putting it where it's necessary.

Chris: So, if our listeners wanted to learn more about LexisNexis Risk Solution, where can they go?

Kimberly: Well, we have a great website, so that would be LexisNexisrisk.com. We have some great conferences that we attend. We hold our own, our Digital Identity Summit, and we have a lot of different identity meetups around the world. So, I would say that we're trying to have a way to interact with us and in the way that best fits our customers' preferred channel. We also have, I think, a YouTube channel they can go to, and we have a LinkedIn page. So, we would love free for anyone to reach out to us. You can definitely connect with me on LinkedIn or any other manner.

Chris: Fantastic. Kim, thank you very much for joining us today. This was great.

Kimberly: Thank you. It was a pleasure to get to spend a little time with you.

Chris: And thank you all as well for listening and watching. If you enjoyed today's video, you can find many more on our YouTube page. Just go to YouTube and type in CyberSpeak with Infosec to check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your work day, all of our videos, including this one, are also available as audio podcasts. Just search CyberSpeak with Infosec in your favorite podcast app.

See the current promotional offers available for podcast listeners and to learn more about our Infosec Pro Live Bootcamps, Infosec's skills on demand training library, and Infosec IQ security awareness and training platform, go to InfosecInstitute.com/podcast or click the link in the description.

Thanks once again to Kimberly Sutherland, and thank you all for watching and listening. We'll speak to you next week.