OneSpan CEO on Joining Identity Verification and e-Signature
Matt Moynahan Shares Why Firms Want Identity Protection That's Holistic Yet Hidden Michael Novinson (MichaelNovinson) • December 5, 2022Bringing OneSpan's identity verification and e-signature businesses together in the cloud will allow the company to secure the whole customer transaction life cycle, says CEO Matt Moynahan.
Customers want security capability that is seamlessly integrated and interwoven across their entire workflow but at the same time remains hidden so the user experience isn't disrupted, Moynahan says. Yet at the same time, companies onboarding a new user or device face a variety of threats from hackers and infrastructure compromise to "know your customer" regulations, according to Moynahan (see: Going Beyond a 'Walled-Garden' Approach).
"All companies want to onboard customers," Moynahan says. "In order for them to grow, they're going online with more complex digital products. Those products are increasingly expected to be online by consumers. But there's a lot of regulatory and security threats when you're onboarding an unknown entity to a company."
In this video interview with Information Security Media Group, Moynahan also discusses:
- How Web3 and the metaverse affect identity verification;
- How customers are using the new OneSpan Virtual Room;
- Key leadership hires in his first year as OneSpan's CEO.
Before OneSpan, Moynahan most recently served as CEO at Forcepoint for nearly five years, transforming the company’s offerings from predominantly on-premises to a cloud-consumption model and driving record new business growth prior to the company's acquisition by Francisco Partners in January 2021. Prior to Forcepoint, Moynahan served as president at Arbor Networks, where he was responsible for building one of the world’s largest commercial cloud DDoS platforms and network-based advanced threat protection systems. Prior to that, he was the CEO of Veracode, a SaaS pioneer of cloud-based software security testing platforms. He also served as vice president and general manager of Symantec's consumer division, responsible for serving hundreds of millions of clients while delivering a superior end-user experience.
Michael Novinson: Hello, this is Michael Novinson with Information Security Media Group. I'm joined today by Matt Moynahan. He is president and CEO of OneSpan. Good morning, Matt. How are you?
Matt Moynahan: Great, Michael, thanks for having me this morning.
Novinson: Thanks so much for making the time. You started as CEO at OneSpan just about a year ago, November of 2021. Now want to get a sense of some of the biggest changes or areas of investment that you've had since joining the company?
Moynahan: November 29 marks the one-year anniversary and couldn't be more thrilled to be here. It's probably one of the most fun jobs I've ever had, really taking OneSpan, was Vasco Data Security before they rebranded to OneSpan a couple of years ago, a long, proud 30-year history in the identity verification, authentication and transaction signing space with obviously a leadership position in the global banking and financial services. And interestingly enough, the other side of the company was essentially a signature provider, an enterprise class e-signature. And we've been hard at work fusing those two things together. And so a lot of the investment has been around creating a cloud-based capability that allows us to secure the entire customer transaction lifecycle, which is really where we're appointing the company to be sort of a web real security company that allows us to take all the products and services that we have in stitching together to do something what I think no other security company has done to date, which is secure customers as they go through the entire cradle-to-cradle lifecycle with enterprises online.
Novinson: I see. What are some of the issues that you've had to navigate as you try to bring those two disparate sides of the business together?
Moynahan: It's a great question. I mean, security has always been around point products. For the most part, that's been very hard. Customers have been forced to stitch together the various types of security capabilities and in this new Web3.0 world we live in, which is incredibly dynamic, and obviously even will become more so when the metaverse comes around, the old static model of stitching together these things doesn't create a good user experience. And so I think the world needs a security capability that is seamlessly integrated and interwoven across each step of the workflow, so that it is hidden, but at the same time, delivers a high degree of security as opposed to, a good example would be people sending step-up multi-factor authentication to. It really disrupts the user experience. You have to go get your phone, you have to do whatever. So it really has been bringing together the capabilities a company has in a way that's hidden to the end user, but done in an enterprise class fashion.
Novinson: How's the dawn of Web3, and the upcoming arrival of the metaverse affected the work that you do at OneSpan?
Moynahan: Well, just, it's an extension. So identity is going to be at the core of everything. I mean, you've seen the explosion in the identity market, whether it's the identity and access management, or CIAM (consumer identity and access management), which it hasn't really taken off that much. But all customers want to, or all companies want to onboard customers, right? In order for them to grow, they're going online with more complex digital products, those products are increasingly expected to be online by consumers. But there's a lot of regulatory and security threats when you're onboarding an unknown entity to a company, whether to be a hacker or, infrastructure compromised, or just the KYC (know your customer) regulations that exist globally. And so the metaverse is just an extension of another medium, physical, digital and meta, which identity is to be stitched together across all three. And then you want to transact with those identities to go generate revenue and customer relationships. So I'm excited for what, what it will be. But I certainly can see use cases where, you're going to need to make sure that that identity, that singular identity, is fused across multiple mediums to make sure that both security and regulatory issues are addressed.
Novinson: Back in September, you launched the Virtual Room. A two-part question for you. I was wondering, first, what was the impetus for that? And secondly, what are some of the most interesting ways you've seen the Virtual Room use since its launch?
Moynahan: I'm super bullish on this capability. In fact, that was started before I arrived. So I give the team a lot of credit. Essentially, we're just getting going in the notion of securing the virtual world. I was in an investor meeting the other day, on a zoom call, there's three boxes up there, like you see with us today. And then another box came up with no video, and I went to navigate and look at who that was, because I didn't see anybody. And the person's name was Shawn Williams. And a voice came on and said, "Hey, it's not Sean, it's Mike." And I said, "How the hell do I know?" In fact, I don't know any of you. So if you look at what's happening, even with a Twitter with Elon Musk putting out there, "You're going to go charge for a verified account" and then pulling back - he pulled back recently because he was afraid of brands and enterprises and people being impersonated. No one knows who anyone is. So I don't even, I mean, I've met you before, we've actually met physically. But had I not met you, you don't know. And the consequences are high. Web3.0 is all about deep fakes and fake content and fake artifacts. And if you look at what the hacker community is doing in criminal organizations, they're impersonating, whether it be web infrastructure or people. And so, I think we're just getting going. A Virtual Room was meant to be a secure environment to conduct business. Zoom is not that. And I think our goal was to fuse the infrastructure required for companies to engage with customers and features like co-browsing and document signing and whatever it may be, but offering that secure experience that obviously can hold up in a court of law, if, for some reason, something happens.
Novinson: Want to ask as well, from a personnel standpoint, I know OneSpan made a lot of C-suite hires since you arrived as the CEO. What are you looking for, as you brought additional folks into the leadership team? And what made some of these individuals stand out?
Moynahan: So for me, culture is everything. I don't want to be at a company I don't want to work at. So number one is getting a great culture of place that is motivating to me personally, as much as all the employees. OneSpan isn't that big of a company. Right now, we're about 1000 professionals, so I call it sort of a tweener company. And our goal is to go from 2 to 500 million and then to a billion. And to do that, we have to have people that have owner-operator mindset, have seen enough scale to know what it means to get to 500 million, but not such a big company person that they're become just a people manager and not a doer. We're a big startup is sort of the mentality we're trying to have here and just strike the balance between folks who have had scale experience and those that still have that startup mentality - willing to work hard and manufacture outcomes, which is a little bit different than maybe some large organizations who have different types of structures and need more professional sort of line managers, if you will. We're trying to be doers and managers at the same time here.
Novinson: What's been the fastest growing part of the OneSpan business in 2022? And what have been the drivers of that growth?
Moynahan: Yeah, we've had, fortunately, we have two sides to the house that are being fused together - the security side, which has been incredibly stable despite the macroeconomic downturn, because most of what we do with identity verification and authentication is tied to online banking. So it's been stable, even despite some of the Russia-Ukraine conflict that has introduced some uncertainty, in addition to foreign exchange fluctuations, that has been stable, which has been great. And that's the largest piece of our business. The fastest growing one has been our e-signature business. We are the only other enterprise class alternative to DocuSign. And we're more secure than DocuSign, and have a better price per value than DocuSign. DocuSign has largely not had a lot of competition in the market for e-signature. And I think we're still very much in the early days of the e-signature market. And so the market is waking up to us. Our brand isn't as well known, we're probably the most widely used e-signature platform, outside of DocuSign. But we private label everything. So you would never know it. But our brand is getting better known. And so we're getting pulled into much larger deals. And that has been driving our growth rates on the e-signature side, better than any other product line inside of the company right now.
Novinson: Are you seeing a similar type of customer using the e-signatures, who's using your security solutions? Are these two fairly different customer profiles?
Moynahan: That's a great question. Today, they're different, but they're coming together. So e-signatures historically has been purchased as a capability to automate a physical paper process. And that has been largely driven by the digital transformation officer or chief digital products officer inside of the company. And our security products have been done more on the online banking owner, or maybe even a senior security professional, but increasingly, people are realizing, particularly, for contracting and other types of uses for e-signature that are externally focused or revenue-focused, you have to get the signer So identity verification, authentication and e-signature is becoming incredibly important. And in fact, Gartner came out and said that e-signature is becoming a feature and I wholeheartedly agree to it. What you're doing is providing cloud-based workflow of which some transactions need to have a piece of paper associated with them. But it's critical that you get the customer right. And so you're seeing these two things come together as a joint offering. They have to go that way. If you're doing business with a hacker, it's not valid. So you need to make sure you get it right for both regulatory and security purposes.
Novinson: I want to talk a little bit about the market landscape. I know you discussed e-signature side, but I'd love to hear a little bit more of the identity verification and authentication side. If you're in a competitive bid situation, who are you coming across most frequently? And what sets OneSpan apart from some of your peers?
Moynahan: That's a great question. The identity space is so big, I mean, everything seems to be identity these days, right? We operate in a fairly, I would say strategic, but smaller portion of the identity space, where we do identity verification, identity proofing and authentication, really, for business processes, for lack of a better term, an online banking mortgages, things of that nature. And so we would typically compete with, on the external side, maybe a Gemalto Thales who has similar capabilities and the token, RSA from time to time. Once in a while, we may see a transmit security and passwordless security that's, to us, is feature that we do. But if a customer is looking to implement identity and access management infrastructure from time to time, we would compete with them, and then once in a while, Yubico with their YubiKey product, then that's on the security side.
Novinson: What do you feel sets your approach at OneSpan apart, maybe from Gemalto Thales as well as some of these smaller startups?
Moynahan: They're all good companies. Our stuff just works and works well. I mean, if we go down, banks go down. And that's our heritage, so I think it's the enterprise class nature of it, we're able to support global companies, we're present in over 100 countries. And our background is, bank. And that's not for the faint of heart. So it's been that way since we were a small startup in the Vasco days, and we've grown up with that as our core. So if you want a product that works and is resilient, and highly available, use our stuff. And I think that sets us apart from a lot of the startups is just the 30 years of history and trust that we built up in high volume, high-transaction environments or banks.
Novinson: I wanted to talk a little bit about the macroeconomy as well. I have a two-part question for you here. First is with the rising interest rates, inflation, supply chain issues, etc., how has that affected customer buying behavior in recent months? And then secondly, what, if any, changes or adjustments have you made internally at OneSpan in response to that changing market dynamics?
Moynahan: It's a great question. So it's a complicated environmental threat. I don't know any CEO that's happy about it, including myself. But I would say it's really been twofold. On one hand, we're fortunate that because of the presence we have in the online banking community global, that's not going away, right? And so that's been good for us. On the security side, because we do actually make physical tokens, we have had some challenges with supply chain. And I spoke about them ad nauseam, about China challenges, the COVID-19 policy, all of that stuff. Apple is changing their production capabilities because of that. So we do have a physical product that has been impacted with some of our SKUs from that side of the house. On the e-signature side, it's really interesting. I mean, we're embedded in people's processes. So we had downstream visibility when a bank or a mortgage platform is using us for refinancing. So the interest rates have changed the nature of the transaction volumes and the BFSI vertical. And so I would say that has slowed down. In the past, you would have people buying tiers of transaction volumes, and going through them and the heady days with low interest rates. And the opposite is happening now. And so, the other thing we've seen from time to time is that sometimes the top 10 list for IT projects gets whittled down to a top five or top three, and where e-signature falls into that category is a company-by-company assessment. Security always falls in the top five for the most part, but e-signature is a little bit different. Nothing is discretionary. But you'll see projects be pushed from time to time, depending on the company's financial health, if you will.
Novinson: And so what does this mean for you at OneSpan? Have you had any workforce reductions? Have you reorganized in response to some of these changing market dynamics?
Moynahan: We haven't. We've been doing pretty well, all things considered. We did do a realignment right after I came on board, the old saying that if you change your strategy, you don't move people or dollars you didn't align to it. And so we did do an exercise about six months ago to align our company to our Web3.0 strategy. But outside of that, knock on wood, we've been fortunate. We're heads down trying to build an important company here. So, because of our foothold in the online banking space, we've been maybe buffered a little bit more than other companies might be, given the nature of our products.
Novinson: So as you look ahead, what are some of the biggest bets you're hoping to capture this opportunity around Web3.0?
Moynahan: I do believe in my heart - I've been 25 years security professional - and I do believe that we need to move from a product role to a problem-solving role. And the problem nowadays is no one knows who they're interacting with online. And they're conducting transactions of consequence. If you look at the way the internet's evolved from 1.0 to 2.0 to what's coming in 2.0, and even if you think about 4.0, which people have already started to talk about in symbiotic relationships with machines and data and all that stuff, the security threats have been getting worse and worse. I mean, there's never been more account takeovers, there's never been more credit loss, fraud, social engineering. Now we're getting into a situation where we're clearly seeing economic warfare, corporate warfare taking place. And so it's a mess. And so we always had this juxtaposition where the internet gets more and more powerful. The security companies are reacting to it. And they take products to go solve these point problems we have. We need to think holistically in how we stitch security through the business process from start to finish. And you can do that while delivering a great user experience. And so no one is going to suffer a bad user experience. And that's been the bane of security, which is security gets in the way. You're the department of no, you're locking things down, zero trust. Zero trust doesn't work on the internet. Maybe to protect your company, but now you're engaging with a consumer that if you deliver a bad user experience, or have too much step-up multi-factor authentication, or too many clicks to checkout. Everybody wants one-click checkout. We're conditioned to that as consumers. And so I think the IT security space has to move from IT to the world of enterprise, engaging in a B2B2C transaction. And so that requires a completely different way of thinking. It's not delivering a product to protect an endpoint, a payload or the network infrastructure. How do you deliver a capability that is seamlessly integrated across multiple steps, while ensuring a great user experience that hasn't been done by security companies yet? So that's what we're here to work at.
Novinson: It'd be interesting to watch. Matt, thank you so much here for the time.
Moynahan: Michael, thank you so much. Great to see you as always.
Novinson: We've been speaking with Matt Moynahan. He is president and CEO of OneSpan. For Information Security Media Group, this is Michael Nathanson. Have a nice day.