Aug. 30, 2024

#381 Combatting Digital Identity Threats: Insights from NameTag’s CEO Aaron Painter

In this episode of The CTO Show with Mehmet, we’re joined by Aaron Painter, CEO and Founder of NameTag. Aaron shares his journey from working at Microsoft for 14 years to founding NameTag, a company dedicated to securing digital identities. He discusses the growing threats of identity theft and social engineering, particularly in the wake of the COVID-19 pandemic, which saw a surge in online account takeovers.

 

Aaron explains how NameTag is addressing these challenges by creating technology that verifies human identity with high fidelity and integrates it into existing identity solutions. He emphasizes the importance of rethinking traditional methods of identity verification, such as multi-factor authentication (MFA), which often fail when it comes to preventing social engineering attacks. Aaron shares insights into the vulnerabilities that even large enterprises like MGM have faced, highlighting the need for more robust and user-friendly security measures.

 

The conversation also delves into the potential dangers posed by deepfake technology and how NameTag is working to counter these threats. Aaron offers a behind-the-scenes look at how NameTag’s solutions are being implemented to enhance security while maintaining user convenience. He also touches on the importance of listening and cultural understanding in leadership, drawing from his extensive international experience.

 

Aaron’s background in large corporations like Microsoft has shaped his approach to building enterprise-ready solutions that cater to the complex needs of large organizations. He provides valuable advice for CTOs, CISOs, and other tech leaders on how to protect their companies from the evolving landscape of cyber threats.

 

About Aaron:

 

Aaron Painter is a deepfake expert and the CEO of Nametag Inc., an identity verification company that is at the forefront of stopping social engineering attacks at the employee IT helpdesk. With a mission to bring authenticity to the internet and build more trusted relationships, Nametag is revolutionizing online account protection through innovative technology solutions.

 

Having lived and worked in six countries across four continents, Aaron exemplifies a new generation of global leaders. Aaron is a Fellow at the Royal Society of Arts, a member of Forbes Business Council, and a senior External Advisor to Bain & Company. He was also named the AWS 2019 Consulting Partner of the Year for his work at Cloudreach. A frequent media commentator, Aaron has appeared on Bloomberg and Cheddar News, and is also an active speaker, advisor, and investor to companies that are pursuing business transformation.

 

https://www.getnametag.com/

https://www.linkedin.com/in/aaronpainter/

 

 

00:00 Introduction and Guest Welcome

01:04 Aaron Painter's Background and Career Journey

02:01 The Birth of NameTag

02:30 Challenges in Identity Verification

04:46 Technological Solutions and Innovations

07:33 Real-World Examples of Security Breaches

09:51 Addressing Social Engineering Attacks

20:02 The Future of Authentication and Passwordless Solutions

30:21 Impact of International Experience on Leadership

35:26 Conclusion and Contact Information

Transcript

[00:00:00]

 

Mehmet: Hello and welcome back to a new episode of the CTO Show with Mehmet. Today I'm very pleased joining me from New York today, Aaron Painter, the founder CEO of NameTag. Uh, so tell you know what you're up to and then we can dive into the discussion. [00:01:00]

 

Aaron: That's great. Thank you. It's an honor to be here. Uh, yeah, I work at NameTag. I founded the company about four years ago. Prior to that, I spent 14 years at Microsoft, working mostly around the world. I spent only 2 of the 14 years really in Seattle and sort of Microsoft headquarters and the rest of my time was several years in France, Brazil and China, Hong Kong and focused on helping Microsoft really expand and open into new international markets.

 

Aaron: After that I left, I wrote a book focused on, uh, employee and customer loyalty. And the connection between the two, uh, often stems from a culture of, of listening. Uh, and then I, I went to run a cloud computing consulting firm that was based in London and was AWS's kind of first and largest partner in the European market.

 

Aaron: Uh, and that was a sort of crazy fun growth journey. And it was just then at the, uh, start of the pandemic, actually coincidentally, I, I moved kind of to the US or back to the us. And I was starting to think about what to focus on next and [00:02:00] where I might be able to have impact. And then I had these sort of friends and family members, all almost at the same time, the start of the pandemic, who went through this journey of having their identity stolen.

 

Aaron: Their, their accounts were sort of taken over. You might remember that, you know, beginning of COVID, everything was going digital. And, uh, turns out that people saw an opportunity in taking over user accounts. So I was a good friend. I was a good son. I tried to be. I said, you know, we're going to jump on the phone.

 

Aaron: We're going to call customer support hotlines. We're going to figure this out. We're going to figure out what happened. And it turned out when we called, you know, in order to help us, they asked us a few sort of security questions, which were either super easy or really hard and complex. But regardless, someone had called before us and they knew the answer to those questions.

 

Aaron: And because of that, they were able to take over the accounts of people that I cared about. So we sort of said, how does this still happen in the modern world? You know, multi factor authentication, all these layers of security we put on our, the accounts in our digital lives. How is it so [00:03:00] easy for someone to take them over simply by calling the help desk and pretending to be you?

 

Aaron: And it turned out that the technology didn't really exist to really prove who, who was human and who that human was behind the screen, on the computer screen or on the phone. And that's what we set out to build with NameTag, a way to verify the identity of a person with high fidelity and high confidence, and then a way to integrate that into identity solutions so people can reset things like MFA or their password without needing to call the help desk.

 

Aaron: And then also more advanced tools for helpdesk agents to be able to verify users with something better than, you know, a security question or an SMS.

 

Mehmet: Cool, Aaron. And actually, I think, um, you know, usually I ask founders like yourself, Aaron, like, what was the inspiration for you? But actually you lived it, I mean, through France.

 

Mehmet: And, you know, I remember as well the first, uh, I think two or three months is where everything, You know, was closed. So everyone [00:04:00] shifted to teams and zooms. And, you know, and the challenge was when I hear this from a lot of friends. So, for example, you know, the person would dial in and, you know, I'm sitting at home.

 

Mehmet: I'm not like wearing comfortable. I can't open the camera and, you know, like so on. And we predicted like these things will happen. But the question is, um, from your, from your point of view, why actually the technology, you know, I would not say failed us, but why we didn't see this as coming. Is this like a kind of a, so they say the COVID itself is a black swan event, right?

 

Mehmet: So was this like kind of a security black swan event also as well?

 

Aaron: You know, it's a great question. I think part of the reason has been that, The technology that existed to verify someone's identity wasn't built for security. It had really been built for regulatory compliance. It's often, you know, familiar now maybe if you open, let's say, a new bank [00:05:00] account in a remote way.

 

Aaron: Someone's going to ask you to scan your ID and take a selfie. And it's for, you know, know your customer regulations, anti money laundering laws, variety of jurisdictions around the world have some form of this. And the challenge with it is it's sort of good enough. You know, it checks the regulatory compliance box that you've done your best to see who someone is.

 

Aaron: But it was sort of a mystery to me. Why does a bank do that? And then yet, when you call the bank, let's say to transact or wire transfer to make an account change. They don't rely on that information anymore. They ask you these security questions or send you an SMS code or something to that effect. And so it turned out the technology that had been built was all about the regulatory compliance for knowing your customer.

 

Aaron: It wasn't about security. And so that was where for us it led to this opportunity to say, can we re innovate? Can we reinvent the same end user experience of scanning your ID and taking a selfie? But can we do it exclusively on a mobile device? And it turns out, if you use a mobile device to have someone scan the video and take a selfie, [00:06:00] we're able to create a much better end user experience.

 

Aaron: It averages 23 seconds the first time, single seconds the second time. It's faster, it feels slick, it feels native like a good mobile app does, but it's also much more secure. Because the, the, all of the advanced telemetry and the cryptography in the mobile device platforms let us take advantage of these features.

 

Aaron: And we didn't set out to solve for this four years ago. We were actually solving for what we called digital manipulation at that time. But what you would now think of as deep fakes. And the ability to use deep fakes and to deploy them, uh, when you're trying to impersonate someone and take over their account is a very real threat that by using mobile devices and the technology we created around it, we're able to prevent.

 

Mehmet: I don't, you know, this is very critical, I think, but let's go one step back and, you know, for And I think this is important for anyone. Like it's not only for enterprises, it's important even for individuals also as well, because to your point, [00:07:00] logging to my banking accounts, you know, I have to do this. If I am working for an organization and you know, someone does this, uh, take over, uh, you know, hack on, on my account, huge consequences, right?

 

Mehmet: So let, let's just go one step back and explain. To the audience, you know, in a scenario, how does this happen if we want to, you know, go step by step like the anatomy of, of, of such a social engineering attack? How, how, how does this go?

 

Aaron: You know, one of the best ones to look at a little bit might be the MGM attack, which came public sort of last August and MGM.

 

Aaron: You might know a series of casinos and hotels and things in Las Vegas. And MGM has done many things that are very forward on security, including putting multi factor authentication on their employee accounts. But a bad actor was able to call the IT help desk at MGM and pretend to be an employee and claim [00:08:00] essentially that they were locked out of their MFA, their multi factor authentication.

 

Aaron: And the help desk rep did what help desk reps are trained to do. The best they could, they tried to help. And so in order to get that person back to work and back into their account, they went through a series of questions and processes to verify who that person was. And those, those methods, unfortunately, were not secure.

 

Aaron: They often involve questions, and in that particular case, they involved even sending maybe an SMS to a phone, and that phone number then, you're sort of only as, control the phone numbers only means that the telco itself provided the phone number is also really good at preventing someone from taking over the account.

 

Aaron: And unfortunately, that's not true. And so it's very difficult. The telco providers, just like it is for companies, helped us. So that bad actor called the help desk, pretended to be the user in 10 minutes or so was able to get access. You know, MFA was reset and the bad actor was able to log in to the MGM network, deposit ransomware and took down MGM for almost two weeks.

 

Aaron: It was massively [00:09:00] significant and it turned out to be only the start of what has been really a crime epidemic in the last several months since hundreds and hundreds of companies just in the Q4 of last year alone were targeted by this very method. Because it's simply too easy to socially engineer your way into taking over an account.

 

Aaron: It turns out that MFA is only as secure as the reset or the recovery process. Because you've given someone a YubiKey or an RSA token or an authenticator app and you've tried to make the login really secure. The process is only as secure as what happens if you lose access to that. And that's sort of where the vulnerability has been exposed and it's very human.

 

Aaron: And now it's getting even more powerful because bad actors can use Gen AI in deep fakes in their impersonation attempts.

 

Mehmet: Got you Aaron. Now, if I want to ask how we solve this, I mean, from, from your perspective, like if you can explain [00:10:00] to us, uh, and I will come to the AI deep fake part later. How did you imagine, you know, the solution would work because security, you know, this is what I was taught when I took, you know, my first courses is in security.

 

Mehmet: So you need to authenticate with something who you are. and something you have, right? Um, so and this is where the multifactor authentication altogether came. So, like, walk me through how you, you, you imagine the solution and how you, you, you are now solving it to your customers.

 

Aaron: Yeah, I think one of the big challenges is that multifactor authentication today is we think of its most secure form really relies on the device.

 

Aaron: And you sort of say, does someone have access to a device? Is it the same device that they use maybe to log in or sign up? But if they have access to that device, then we sort of trust that they are the person. It's kind of like face ID, you might think, you know, you set up face ID on your iOS device and every time you set up your face the [00:11:00] first time and every time you open your phone, you're using the same face.

 

Aaron: The challenge is Apple in that case doesn't actually know who you are or whose face it is. They just know it's the same face that and that's one of the particularly big challenges. So there was a Wall Street Journal article last February where, you know, it was a dad in Florida who said, I am locked out of my iCloud account and all my family photos are there.

 

Aaron: My kids photos, I just want access again. And Apple said, well, sorry, you're locked out. We don't know that you're the account owner. And then he said, well, you have face ID. You see my face every day. You must know I'm the account owner. And they said, yeah, but we don't know who you actually are. And he offered 10, to fly to Cupertino to in person, try and get his account unlocked.

 

Aaron: But that's the reality we face. It's that when people get locked out, or frankly, even when they set up their accounts, we don't actually know who the human is behind the screen. And so multi factor authentication that relies only on the device simply isn't sufficient for those moments of reset up, let's say, or recovery. [00:12:00]

 

Mehmet: Yeah, now let's go back to the deep fake part and the AI part, Aaron. So. We heard the stories, you know, since, uh, especially, you know, the acceleration, I would call it of the adoption of AI to the mass public, uh, after OpenAI released, you know, ChatGPT, of course, and people started to open their eyes.

 

Mehmet: Uh, ElevenLabs came out and, you know, people, Oh, now I can clone a voice and, you know, all these tools that start to pop out. Now, from your perspective, how. Do you think, you know, a bad actor would, would leverage, you know, such, uh, technologies like deep fake and, you know, uh, you know, AI in general to trick, to trick, you know, their, their victims that, okay, this is very legit, you know, it's us, it's, it's the IT department, uh, it's not someone else.

 

Mehmet: So, and what's the countermeasure for that? [00:13:00]

 

Aaron: Well, it's interesting, you know, so, uh, companies like Okta, Recommended after this MGM breach that you do something called visual verification, which is kind of like this means that, you know, when, when something goes wrong, you need to verify the user is, let's say, to recover their account, they recommend that you jump on a video call and on the video call, you're verifying who the person is.

 

Aaron: Maybe you see them, you have to ask them questions. Maybe you compare them to a badge photo, or you ask them to hold up, you know, an ID document in the video call. And then that would sort of be the best way. So many companies in the last few months have moved to that technique. The challenge, of course, is it's very time consuming.

 

Aaron: It's very expensive. You know, it's frustrating. The end, the user might be up, we're not able to work or access their account for a long period of time. It requires their time. It requires support team time, very expensive. But all of this relied on us trusting who's on the other end of the screen that we're seeing.

 

Aaron: And then a few months ago, there was this really interesting incident that's really changed a lot of people's perspective. And what happened was [00:14:00] there was a, it was rumored to be a multinational finance company. It turned out to be a design and kind of architecture company. But the CFO or the person claiming to be the CFO was in London and the finance controller was in Hong Kong.

 

Aaron: And the CFO said, uh, finance controller, I need you to do a series of wire transfers for me. The controller was a little bit suspicious. This seems unusual. So the CFO said, okay, well, several of us from the leadership team are on a video call right now. Let me send you a link. Why don't you join? And then you can get the approvals that you need.

 

Aaron: So the controller clicked on the link, joined the video call, and it turned out on the video call were a series of deepfake emulators or pieces of software that were creating real time deepfakes of members of the leadership team. So the controller said, Oh, I recognize these people. I see their voices. I see them speaking.

 

Aaron: You know, this, these are the people I know. Clearly, this is okay to approve. And they went on and they transferred 25 million. And so it called into question this whole concept that we can actually trust what we're seeing on these video calls. And the problem is it's very similar to what we talked about with [00:15:00] the know your customer requirements.

 

Aaron: They were built to solve a different problem. You know, platforms like Zoom or Teams, they make it easy to choose your camera, to choose your microphone. And so it's equally easy to choose a third party piece of software that's actually a deep fake emulating piece of software and project that right into your video call.

 

Aaron: And so it becomes this platform where they weren't built for security. They were built for convenience to make it easy to join those calls and to collaborate with people. But unfortunately that's also made it too easy for bad actors to put in fake or, you know, impersonate someone else.

 

Mehmet: Now, but someone might, uh, argue with us now, Aaron, that, yeah, but, you know, but you know, what, uh, we need the convenience because, you know, our users are complaining that, because, you know, like still many companies, they do this, they do the password rotation policy, complex, uh, password, uh, policies, two factor authentication, and sometimes [00:16:00] more.

 

Mehmet: And. Honestly speaking, I've seen it myself because I started my career, you know, doing helpdesk job, by the way.

 

Aaron: Oh, wow. Amazing.

 

Mehmet: So for people who doesn't know, and you know, when we used to work with, let's say the VIP people in the organization, they want convenience. Yeah, I don't have time. You know, like I have to do the meeting.

 

Mehmet: I don't have time to do this and that while, and this is, imagine this was like maybe Quite 20 years ago. So, you know, whenever we like, because they didn't want to change the password frequently and maybe later on, you know, the feedback I start to hear from people that I used to work with. Yeah. When the MFA start to come out the same thing.

 

Mehmet: Oh, we don't want another. So, Now, how much awareness, Aaron, is important on the board level? Because maybe someone say it just, you know, just a password, just a login. And why, why we need this for the helpdesk and for the people who are responsible for changing the passwords. So when [00:17:00] you meet with executives.

 

Mehmet: How do you put it from not only technology perspective, but also from business perspective?

 

Aaron: Yeah, I think there's been a big shift. You know, prior to MGM in particular, in August, we were asking companies, have you thought about this? Are you worried about the vulnerability of social engineering? And some were in fact, some of our earliest, very big name customers, big brands were aware of it and thought about this.

 

Aaron: But post MGM, now most boards are directly asking their CTOs and CISOs, how are we going to respond to things like the MGM risk? And most CISOs I talk to, they have either survived some sort of social engineering attack, or they are fighting it off, or unfortunately they fell victim to it. This has become the leading cyber attack vector of the moment.

 

Aaron: It is of the season. This is how bad actors are taking over accounts because it's not really even technical. It's pure social engineering. It's pure using a vulnerability in how the technology is set up or [00:18:00] established. I agree with you on the point of friction. And the challenge is that actually don't think MFA today is particularly low friction.

 

Aaron: I think maybe just a password or something like that was perhaps, but actually the idea of having to go set up your authenticator app and the friction around setting that up and then opening it and typing in the code, that's not particularly low friction, but you know, it's even worse today is that you happen to get locked out of that because then it becomes a multiple hour or sometimes days.

 

Aaron: There's some leading companies where it takes weeks. To get back into your account if you get locked out of MFA. And so those processes are incredibly high friction and frustration. I'm sure you remember from your help desk days. No one really loved the identification or the security questions. You probably didn't like asking them.

 

Aaron: The user didn't like answering them. And those things don't work. And the methods that are more secure are incredibly high frustration today.

 

Mehmet: I still hate them till date because so I try to be smart as well, right? So, so when [00:19:00] still, if I see any website that uses this, uh, like old fashioned kind of secret questions.

 

Mehmet: So what I try to do is not to put the same questions and answers everywhere. And then I end up that I forget and I don't want to write them down, of course, for security purposes. So I end up like, okay, what Which question I put on which website. So I, but so I want to now ask you something also related to this.

 

Mehmet: I don't like, you know, sometimes I sit down and I say, okay. We have brilliant technology, right? All over the place, whatever, you know, um, but sometimes I look on the, on few things, our concepts that we still used to use today. And I ask why no one disrupted this, for example, um, Why? Actually I still need to put a username and password.

 

Mehmet: Why would it come up with something more smart to identify me? Why, you know, people has been talking about [00:20:00] passwordless for long, long time. Yeah. So what's your point of view on Passwordless and, you know, not having to put your, you know, a password actually, that, you know, and we, we know that. The majority of the folks will put it on a sticky note somewhere in their offices, right?

 

Mehmet: So, uh, and they will give the MFA to someone else to do it on their behalf. So let's, you know, I've seen this, I'm talking from the field. So why we didn't come up with something like better? And it's passwordless in the way that Many companies are talking about today is really the future of, you know, authentication into the, the, the, the internet and the internal system and so on.

 

Aaron: Yeah, it's a great question. I think there are really good advances in technology, but one of the big things that we often have to consider for any companies really considering when they're rolling things out is. You know, can this be universally workable today? Can it, can it work for everyone? And so when you think about passkeys, which is [00:21:00] one of the implementations that's kind of getting the most noise around passwordless.

 

Aaron: It's sort of a misnomer. Passkeys are convenient and they are more secure in some ways. The challenge is, one, with recovery and provisioning. How do you make sure you are the legitimate account owner setting them up? That's still a concern with passkeys just as it was prior to. Also, there's a sort of a misconfusion, but you still have a password when you set up a passkey.

 

Aaron: It is sort of an express way to log in without typing in the password, but your account still has a password associated with it. Which means you have the same broader security risk where somebody can claim that they are you, that they are locked out, and they can't access their account. And so we actually haven't solved or stopped the social engineering risk by thinking about things like passkeys.

 

Aaron: So one of the big things that we'd like to think about is how can you, you know, similar notion around digital IDs. Some countries are getting very progressive on a digital ID rollout and plans. India is one of the most aggressive [00:22:00] and having something that's really out there. The U S is incredibly slow and incredibly behind.

 

Aaron: Some states are thinking about individual state IDs that are digital and it's moving very slowly. You need something, though, that kind of everybody can use. And so, for example, our platform, we started working with digital ID platforms like Aadhaar very closely. We do wonderful things for our users in India and other nations around the world as they're building these programs.

 

Aaron: But we needed to work for everyone. We needed to work with the passport that they have today, with the identity card, the driver's license they have today. Because if you're going to roll out, you know, a solution for all of your users and most companies have users, employees or customers around the world, you need something that works today because the state is the crisis.

 

Aaron: The best today we have today are these silly security questions or things like that. And so we've tried to introduce something that can be universally applicable, that can be easy to deploy and roll out, that everybody can benefit from. And then of course, we're going to continue to integrate new technologies as they come along.

 

Aaron: So we advocate for surrounding what you [00:23:00] have today. Keep your Okta, keep your Duo, keep your Microsoft MFA. We're not advocating to replace it. We're actually advocating to close the security and the expense loophole of dealing with people who are, let's say, locked out.

 

Mehmet: That's fantastic. Now we've talked about, you know, the effect of implementing, you know, your solution on, on, let's say the, the, the employees from, from the help desk perspective, you know, how, you know, You can help, for example, the head desk manager or, you know, end user, uh, you know, director, maybe, uh, so, so I like to ask these questions because I sit on both sides of the table.

 

Mehmet: So if I want to think about, you know, ROI perspective, so does this, for example, reduce the number of requests that comes on daily basis for resetting the passwords? Like, does it like, um, Add any [00:24:00] productivity also to the helpdesk team, uh, all together.

 

Aaron: That's how we like to think of it. In fact, we have two solutions that are most common today.

 

Aaron: One is, uh, we call it a co pilot for helpdesk agents. So instead of the helpdesk agent having to ask you security questions, they can send you a link via chat, via email, on the phone, and a whole bunch of delivery mechanisms. And they send the link and with a little bit of instruction, hey, we use this to verify who you are.

 

Aaron: The end user goes through the verification process, and then the helpdesk rep knows who they're talking to. And so they can proceed with the account transaction. It's just using modern tools to make helpdesk agents lives better, more secure, better for the end user, kind of everyone wins. But then what we found was that increasingly there are certain tickets and particularly, you know, lockout tickets.

 

Aaron: And for most companies, up to 50 percent of their helpdesk tickets are users who are locked out or have identity related issues. So we said, what if we could make that self service? And for us, about 90 days ago on a three, four months ago, we launched sort of an out of the [00:25:00] box self service way that a company can roll out for their users so that when you are locked out, instead of having to call the help desk, you can go type in your email, verify yourself with NameTag, and then we reach into Okta, Duo and try, you know, OneLogin, others and perform the reset just like the help desk agent would.

 

Aaron: So then it's a much faster experience for the end user and help desk can be more efficient because they don't have to deal with every ticket. They can focus more on the higher value tickets and the important ones while deflecting many of them to self service.

 

Mehmet: That's cool, Aaron. Now, something out of curiosity also, and maybe it might look like a not very good question, but just, it came to my mind.

 

Mehmet: I know like currently you don't play in, in that arena, but, If we can do this for individuals, right, can we think about something similar to service accounts, for example, like because, you know, everyone talks [00:26:00] about private access management solutions, you know, I had a lot of guests who always they say we always kept, you know, Coming up with solutions, but we never solved the problem because still again, you have to put a username and password over there.

 

Mehmet: And even if you have the multifactor authentication, here you go, the same thing. So now if I want to take this, if I want to think, can this be taken to, we know that, you know, majority of the, you know, IT services are run, of course, not by the actual people's username. It's like, there's a service account behind it.

 

Mehmet: Can something be done for that use case, Aaron?

 

Aaron: Yeah, we like to focus on verifying humans and, you know, who the human is and know every time and that we can re verify that. So this, the world where you create a one time, you know, verified profile on things like X or Twitter or Airbnb, To us, that's not sufficient because you don't know that that account hasn't been compromised, you haven't shared the credentials with someone else, [00:27:00] and so we advocate for this rule of re verification and our technology makes that really simple so that once a user creates a NameTag, they can reuse it in single seconds with even just a selfie, if they're on the same device.

 

Aaron: And one of our technologies compares the selfie to earlier selfies back to the government ID. So it's more secure, but it's also a better user experience. So you can think about many different ways to put this into different parts of your flow. Some might be a step-up auth, um, or where I think you're going, we've seen companies want to do is create sort of authorized users.

 

Aaron: So rather than just have one shared set of credentials, you might say, hey, these set of humans have the ability to access this service on behalf of our company. And then you know who each of the people are, and then you sort of associate a Nametag with each person. And so you add kind of authorized users basically to an account, but they're not usernames or emails.

 

Aaron: They're actual identities of a person, which gives you more security, gives you better audit trail and solves issues that that person might leave the company or move [00:28:00] on a whole bunch of other problems by being able to verify the human behind the screen versus just the device, let's say, or a shared email.

 

Mehmet: That's cool. One thing, you know, I, I forget to mention, um, a comment on, on your approach, Aaron, is that I like when you say like, keep what you're using today, we come on top of that. So it's kind of, you know, decentralization of, of the whole process. So it's like you, you have, like, you, the customs will get you you on their back.

 

Mehmet: So in case something wrong happens. So I like this approach rather than okay, because majority of the time what happens, I've seen it, you know, people, let's say they change their phones, right? Where the authenticator, it happened to me one time, actually, so I forget to export the codes. And, you know, so I had to contact the help desk for that.

 

Mehmet: And this could be actually a social, you know, engineering attempt also as well. Like, hey, I lost my phone. It gets stolen. I have a new phone. I need to activate [00:29:00] this. So, so I've seen like, also we've done some work in, in, in that Aaron, which is just a, you know, a small comment from, from my side. I don't know if you want to say something regarding this.

 

Aaron: No, I think you're spot on. That is the challenge. And it's your, you might say, oh, how often do I get locked out? Some people get locked out quite often. There's a very high frequency for a variety of reasons. But it's not just that, it's that by not putting a layer of protection or insurance on your lockout process, anybody can call and claim that they're you and claim that they're locked out. Then let alone if they do it and they're armed with new information from, you know, the dark web or data sets that have been leaked to answer your security questions. Or maybe they're using a deepfake of your voice from one of these great podcasts, or the video, right?

 

Aaron: It's just too easy to impersonate someone today and our entire internet digital infrastructure, our lives revolve around the security of these digital accounts. And the best thing we had was MFA. And now I think what we're realizing is that MFA alone [00:30:00] is not sufficient, because it's too easy to simply say you're locked out of it.

 

Aaron: And that's where the social engineering opportunity comes in. And that's where we try to focus.

 

Mehmet: Absolutely. Now I want to shift a little bit gears, uh, you know, something not related to the technology. It's like more about your experience, Aaron, because really it's like, uh, it's a very rich experience. So the first thing I want to ask you as, as a founder, how much, you know, your international experience, um, you know, shaped your approach to leadership and innovation.

 

Mehmet: And I'm asking this question because, you know, majority of the founders that I met and, you know, I, I interviewed, so let's say they are living all their lives in, in the U.S. or they're living all their lives in the UK or they're living all their lives here in the MENA region. So how this helped you also in, in shaping, you know, the messaging, uh, of, of the company and, you know, dealing with.

 

Mehmet: Yeah,

 

Aaron: I think one of the [00:31:00] biggest was, you know, culturally, it was, I, I lived and worked in many different countries and places where I didn't look or sound like the other people at the table. And so I had to find a way to sort of fit in. I had to find a way to earn respect in a way to find a way to try and add value to a conversation.

 

Aaron: And one of the techniques that I learned that was very effective in that was listening. And listening with sort of a deep curiosity to understand. And one of the things I talked about in my book was moving to markets like Brazil, or eventually even later in mainland China, for example, where I didn't, uh, you know, I certainly didn't speak the language at first and I was nervous to go out and talk to Microsoft customers in the region because I felt like I couldn't communicate with them.

 

Aaron: They didn't speak English. Let's say they spoke Portuguese and I didn't speak Portuguese. And so how, how are they going to want to talk with me? And what I found was that going and spending time with them and really listening to what was on their mind. And sometimes a little bit of translation, maybe sometimes they know some English words or I'd be learning some Portuguese words, but the act of listening made them feel like I [00:32:00] cared.

 

Aaron: They felt respected because I was so interested in trying to understand what they were expressing that by feeling respected, they felt they could trust me and we're able to build sort of a trusted relationship. And I think without listening, you really, it's difficult to feel respected and it's difficult to have trust if you don't feel respected.

 

Aaron: And so that's sort of a work for me, both with our customers and with my employees and the teams that I was leading, was being someone who really wanted to understand, made them feel like we could be partners and that cultural value is one that I've certainly carried with me all around the world.

 

Mehmet: Fantastic. Now, final question, Aaron, here, um, before we do like conclusion, how much also your experience with big names like Microsoft helped you as a founder? Because, you know, majority of the time we hear this, uh, from experts, they say, okay, it's better to go work for like a big player, learn, you know, how things get done.

 

Mehmet: And then once you start your own company, things [00:33:00] would become much easy. I mean, of course, not easy in the sense of easy, but I mean, uh, you start to apply what you have learned with big players, how this, you know, journey also shaped the journey for you to, to be a successful founder.

 

Aaron: Yeah, it's a great question.

 

Aaron: I think there are a lot of pros and cons of working at companies of all sizes. You know, one of the things I often say is that a large company by design is meant so that a single person really can't bring it down. You can't break it. Like you have enough redundancy in the system that you, you, you want the company to be able to survive.

 

Aaron: If one person doesn't do something well, it does something wrong. That's sort of, it's an inherent design, whereas in a smaller company, actually one person really makes a difference. You can make a difference in both places, but you know, when someone's on vacation, you miss that, right? The company can't grow or move as fast.

 

Aaron: And so you have different types of impact, but fundamentally in an earlier stage, you really have a different type of impact because you, it's a small [00:34:00] number of people. And so you're a greater percentage of the horsepower, the brainpower that's kind of driving it. I've had this chance to work in really large organizations, even though I was doing very entrepreneurial things at Microsoft and big things at scale, I had a chance to work in sort of a scale-up or a mid-size company.

 

Aaron: And then I've had a chance to, you know, build from zero into what's becoming a, a bigger company. But what really I, I get excited about from the Microsoft learning is sort of is focused on enterprise. It's very unusual for new companies to be created and really just go to enterprise first. They often start with very small business or mid market or sign yourself up.

 

Aaron: And we have a few users and we very early on took on very large enterprise customers because we spent several years building the technology to be, to earn their credibility, to earn that respect. So we had an enterprise ready product that we took to the enterprise. And that's, that's just been very unique in our growth pattern.

 

Aaron: And so now we're serving a lot of very large enterprises and more every day. One day I would like to make sure that we're serving companies of [00:35:00] all sizes and solving this problem for them. But today we're really good at solving it for large organizations in particular.

 

Mehmet: Amazing and great insights, Aaron.

 

Mehmet: And yeah, I'm, I'm sure, you know, because the problem you're solving is everyone's problem, you know, but of course, like being in enterprise, I know the taste of it and how, uh, it's challenging, but fun at the same time working with, uh, with enterprise. So a hundred percent on that. Aaron, like, finally the question I ask at the end is how people can get in touch and know more about Nametag.

 

Aaron: Uh, well, definitely our website's getnametag.com, but we're very active on LinkedIn. I think that's kind of become the platform of business in many ways today. And so I post a lot. We post a lot for the Nametag account. We talk a lot about fraud, we try and really educate on what's happening in the market and commenting on news.

 

Aaron: So if this is an area you care about, and you're interested, please follow along, read some of the content, engage on it. Um, and then of course, you know, reach out if there's a way we can be helpful or it's [00:36:00] an area you're trying to think through in your company.

 

Mehmet: Great. Uh, I will make sure that the links are in the show notes. Thank you.

 

Mehmet: So Aaron, really I enjoyed the conversation. I didn't even feel the time, it passed very, very fast because it's a, uh, you, you, you named it very well. You said it's an epidemic, you know, that happens after the pandemic, um, for, for a lot of people or organizations, of course. So thank you for, you know, sharing your insights and also sharing, you know, the way you're trying to help people solving this challenge, which is a very serious challenge.

 

Mehmet: You brought the story of MGM, which is, I think I discussed it a lot last year, also as cybersecurity experts on the podcast. And, yeah, offline also as well. Um, so, so a hundred percent, you know, uh, it's something everyone should be aware of. And usually this is how I'll end my podcast episode. So this is for the audience.

 

Mehmet: If you just discovered this podcast by luck, thank you for passing by. I really hope you [00:37:00] enjoyed. So if you did, so please give us thumbs up, subscribe to the podcast. We are available on all podcasting platforms. We are available also on YouTube. And if you are one of the people who keep, you know, coming back and share their feedback and comments.

 

Mehmet: Thank you for doing so, please keep them coming. I read all your messages and again, thank you very much for tuning in. We'll meet again very soon. Thank you. Bye.