Security Q&A with Dashlane CPO Donald Hasson and Secureframe Compliance Manager Marc Rubbinaccio
We recently sat down with Dashlane’s Chief Product Officer, Donald Hasson, and Secureframe’s Manager of Compliance, Marc Rubbinaccio, to hear about their work in cybersecurity and the significant developments they’ve seen in the field lately.
Read on for conversation highlights and hear their takes on cybersecurity topics such as Identity and Access Management (IAM) and passwordless futures. (Get even more insights by watching their webinar on modern technology essentials for IAM here.)
Q: How did you get your start in cybersecurity/tech?
Donald Hasson (DH): I’ve worked in tech since early on in my career. I started in hardware and software, military, top-secret GPS, and anti-jamming simulations. From there, I moved on to early forms of Internet of Things (IoT), where we used cellular technology to optimize industrial and, later, residential energy usage. After that, I worked at a startup, solving complex, real-time remote access problems. This led me to focus on cybersecurity, because that’s what customers needed at the time. I focused on Identity and Access Management (IAM). IAM is critical as 84% of surveyed organizations experienced an identity-related breach within the past year.
Marc Rubbinaccio (MR): I started becoming interested in cybersecurity while working at Best Buy and hanging out at the Geek Squad table. I thought it was incredible that those guys could remove a virus from a computer in a matter of minutes. Eventually, I ended up with my own Geek Squad badge, and the rest is history.
Q: What’s one major aha! moment you had related to cybersecurity, either personally or professionally?
DH: When I began working in IAM, it became painfully obvious that the cybersecurity industry was not prioritizing the human and machine identity element. Cybersecurity comes down to protecting information, which means only giving it to the right person (the authorized identity). Essentially, the heart of cybersecurity is protecting that moment when a human or machine identity attempts to connect to some asset or application for the purpose of exchanging information. That’s it. If we solve that, we solve for the vast majority of modern data breaches.
Yet, instead, there is a constant focus in cybersecurity on protecting the “walls” of an organization, hoping to keep bad actors out. It’s a fool’s errand, especially with insider threats. This is why we now say, “Identity is the new perimeter.” In other words, instead of protecting the walls of your organization, focus on protecting each and every application or asset at the moment of entry (the login). This is done through modern approaches such as zero trust and Just-in-Time (JIT) access. These methodologies allow necessary access, and if done right, they guarantee that the access is also permitted and justifiable.
MR: As a penetration tester, the more I learned, the more I realized I did not actually know. I had the absolute worst case of imposter syndrome meeting hacker after hacker with specialized knowledge. At that point, I realized cybersecurity is incredibly deep and incredibly broad. It’s important to collaborate with colleagues rather than become an expert in every aspect of cybersecurity.
Q: What’s one question related to cybersecurity you are frequently asked in your role?
DH: I’m often asked, “Why is it still so hard to protect my organization?” Despite decades and billions spent on cybersecurity, we still experience breaches at an alarming rate. This is why Dashlane puts so much emphasis on simplifying security and making it accessible to even the smallest organizations.
MR: “How soon can we become compliant?” This is easily the most popular question I get at Secureframe. Organizations are hitting a wall with prospective customers or their service providers when trying to spin up a service if they are not meeting their cybersecurity requirements, which can usually be met by a compliance report such as SOC2. Secureframe and our support are the absolute fastest, most efficient, and most accurate way to meet cybersecurity compliance requirements to break through these walls.
Q: What is the most alarming statistic you have seen that should make people care more about the future of cybersecurity?
DH: It’s easy to become desensitized to statistics when we’re inundated with them daily, but I’m still blown away when I see that more than 80% of data breaches are due to weak or stolen credentials. This is such a solvable problem, and we in the cybersecurity vendor community are simply not doing enough to solve it. Dashlane wants to make this simpler for organizations. We recently launched Dashlane’s Site License Program, which gives all your employees access to enterprise-level security and the simplest UX in the industry. It simplifies seat management for IT admins and eliminates the need to purchase additional licenses as your company grows.
MR: It’s not surprising that phishing, ransomware, and social engineering are still the most prevalent ways attackers gain access to data and credentials. With all of this modern technology, it may be easy for organizations to overlook that their production environment or customer data can be breached with a simple phishing email or malicious download. Security awareness is and will continue to be an important investment for maintaining a strong security posture.
Q: How are you contributing to "demystifying" the cybersecurity field?
DH: This is something I believe we at Dashlane do well. We offer Password Health scores to clearly show when you’re at risk. We offer direct means to mitigate the issues with your digital identity. Then, we educate users, including directly in our product, on why and how to improve your score.
MR: The key to Secureframe’s product is turning these convoluted, hard-to-interpret compliance frameworks into step-by-step controls and tests. We help organizations with no compliance or security expertise on staff complete tasks to meet and maintain compliance requirements.
Q: Any big shifts you have seen this year that show people are taking cybersecurity much more seriously?
DH: Being in the credential and IAM space, I’m biased, but by far the biggest shift in decades is the move to passkeys. What passkeys are able to solve, and the pace of adoption we’re seeing across the industry, is unprecedented.
A recent survey from FIDO showed that users who adopted passkeys had an authentication success rate of 95% to 97%, compared to 80% for multifactor authentication (MFA) and 70% for non-FIDO sign-ins. These are some impressive stats. From our own Dashlane data, we saw a 70% improvement in sign-in rates with passkeys. The benefits of passkeys and the success of adoption are clear.
MR: I believe cybersecurity is becoming a factor in procuring vendors and software more selectively. Breaches still pose a threat to the industry, and businesses are doing their due diligence when procuring vendors that interact with customers' data. This requires many more businesses to achieve compliance efforts or fill out security questionnaires in order to prove to potential customers that they are effectively securing customer data.
Q: What inspires you most about working at your current organization today?
DH: A lot of what I mentioned above. We’re literally at the heart of the biggest cybersecurity challenge today: Identity. We’re solving this challenge in ways that even the smallest organizations can benefit from while leading innovation by moving away from traditional passwords to the future of passwordless and passkeys.
MR: We’re working to help multiple small businesses achieve compliance and implement security controls previously thought infeasible due to the lack of budget and in-house expertise. It means a lot to be able to help these small businesses secure their customers' data successfully.
Want to learn more from Donald and Marc? Check out their webinar on modern technology essentials for Identity and Access Management.