Make Yourself @ Work

Mission-Critical Security Playbook: From NASA to Tools for Humanity

Episode Summary

In this episode of Make Yourself @ Work, Matt Tverberg sits down with Alan Mather, Head of Corporate Security at Tools for Humanity, the company behind the Orb, World ID, and the World App. Alan shares how that mission-critical mindset translates to the fast-moving world of tech, where he now protects a company whose entire product is built on trust. From planning security for high-profile launch events to navigating the blurry line between physical and cybersecurity, he unpacks what it takes to build a resilient security program at the frontier of digital identity.

Episode Notes

In this episode of Make Yourself @ Work, Matt Tverberg sits down with Alan Mather, Head of Corporate Security at Tools for Humanity, the company behind the Orb, World ID, and the World App. Before joining the company, Alan spent more than two decades at NASA, where he led the Protective Services Division at NASA’s Johnson Space Center. In that role, he oversaw the protection of personnel, facilities, and mission operations, and earlier in his career served as a Major in the U.S. Army’s Military Intelligence Branch.


He dives into the real-time accountability gap, why the secure path must also be the easiest path, and what the future of continuous, contextual identity verification looks like. Some key lessons from the conversation include: good security is invisible but not absent, planning matters more than the plan, and real vendor relationships are mission partnerships.

This episode is a must-listen for corporate security leaders, workplace technology professionals, and anyone thinking seriously about the intersection of physical security, digital identity, and organizational trust.

Quotes

“Any security program that is too difficult to understand, too cumbersome to implement, or too hard to manage is not going to be implemented or adopted by the stakeholders. Your employees aren't going to do it, and management isn't going to support it, and thus it's ineffective. A good security program is one that focuses on making sure that the secure path is the easiest path.”

“The best partnerships are the ones where you're not a customer or a vendor, but both sides treat each other with respect and help each other, and we become mission partners to solve problems.”

“The best security systems are the ones people don't have to think about, really. And I say periodically, ‘I work awfully hard to make nothing happen.’ If security becomes invisible, but yet it still works, then that usually means the security system is designed well and it's integrated into the workday, into the workflow, and so it's just natural.”

Timestamps

(00:32) Background on Alan and Tools for Humanity

(03:10) Planning security for a high-profile product launch

(05:22) How the mission shapes the security mindset

(10:36) Lessons from NASA: recalibrating risk in tech

(12:28) Emergency preparedness and contingency planning

(16:23) Balancing security visibility with data privacy

(20:10) The "who's present" problem: Okta, Envoy, and integration gaps

(27:01) Security leaders as systems architects

(33:17) Where physical and cyber security converge

(42:16) What security teams underestimate about human behavior

(51:10) How Alan Makes Himself @ Work


Episode Transcription

[00:00:00] Matt Tverberg: Welcome to Make Yourself @ Work. I'm your host, Matt Tverberg, and I'm very excited today to introduce our guest. I'm joined by Alan Mather from Tools for Humanity. Alan is the head of corporate security, and before joining the company, he spent more than two decades at NASA, where he led the Protective Services division responsible for safeguarding personnel, facilities, and mission operations.

He has experience spanning government, military intelligence, and global technology organizations. He focuses on building resilient security programs that protect critical infrastructure while supporting innovation and growth. Man, what a resume, Alan. Thank you for being here. I'm super excited to chat with you today.

[00:00:57] Alan Mather: Thank you, Matt. It's a pleasure to be here. 

[00:01:00] Matt Tverberg: So I mean, I'm sure people know what NASA is, but many may not know what Tools for Humanity is. So for listeners who may not be familiar, I guess, give us a little bit about Tools for Humanity, what the company's building, mission behind it. 

[00:01:14] Alan Mather: Well, Tools for Humanity is a technology company that provides digital identity and distinguishes real humans from bots.

We make three products. So the first is the Orb, a secure biometric hardware device that scans irises to determine a user's unique real-world identity without storing any personal data. The second thing we do is the World ID, which is a proof of human passport, if you will, that allows users to verify they're human on different systems.

And third, we have the, the World, um, app, which is a digital wallet and allows users to hold and use the World Token and other digital assets. So we're a tech company. We're a hardware company. We do a lot of things like that. 

[00:02:16] Matt Tverberg: Yeah, it's super interesting, and especially in a day, this day and age when, you know, AI and, and deepfakes, things like that, are beyond critical and probably more critical than anybody ever would have thought.

[00:02:26] Alan Mather: It's the right time for us to be doing what we're doing. 

[00:02:30] Matt Tverberg: Recently, you actually had a, a pretty exciting launch, and you held a major event here in San Francisco at the Midway, for, for those local, where you had Sam Altman join you and, and really talk about the newest version of the World App, and some integrations that you have with companies like Tinder, DocuSign, and Okta.

And, you know, that's a lot happening at once. Packed venue, and I'm sure that there was a lot of security that went into that prior to the event, during the event. So as somebody who's really responsible for that, you know, how do you plan ahead and before and during, after? 

[00:03:10] Alan Mather: Good question. My role as head of corporate security is to make sure that the people, the mission, the technology, the infrastructure is all protected.

And it... Again, uh, my responsibilities are typical of most corporate security directors. You know, we look at physical, personnel, information security, executive protection, access and video management, and, uh, near and dear to your heart, visitor management. And, uh, I'm responsible for that anywhere we operate globally.

[00:03:46] Matt Tverberg: You mentioned executive protection, right? And Envoy is doing a lot in the, you know, emergency incident, emergency mass comms today. So when you think about, you know, executive protection, like how f- how far in advance do you have to plan for things like that? And then ultimately, how do you balance like the open celebratory nature of a launch, but also keeping things as secure as possible?

[00:04:15] Alan Mather: Well, when we talk about executive protection, we need to focus on, uh, uh, a lot of different things. So if we're looking at the residence, if we're looking at the office, if we're looking at transit, and if we're looking at an event, the more lead time that we have, the better that we can plan and coordinate the security.

And so that might be the routes that we take to get there- Mm ... uh, once we do the drop-off and where we stay, and then the crowd itself. You know, how do we vet the crowd? How do we look at the standoff distance? What's the plan if somebody demonstrates? What the- what's the plan if it goes really south? How do we evacuate?

How do we get out? Those kinds of things. So there are lots of contingencies and lots of things that, you know, you plan for and hopefully never have to execute. But, uh, it is, uh, important to be able to have visibility to get the product out there, to get the people out there, and to be able to do it safely.

[00:05:22] Matt Tverberg: Yeah. That's, um, a good segue because you guys are working on something pretty ambitious around, you know, digital identity, proof of personhood. From a security perspective, how does that kind of mission change the way you think about protecting, you know, systems and people?

[00:05:42] Alan Mather: Well, the company's mission revolves around proof of human verification and trust.

So, you know, th- that becomes part of the product and part of the organization, is being able to protect that trust. And so when we approach that, it's in a comprehensive manner to be able to look at, how do we keep the system together so that people don't lose faith in what we do? Um, it's, it's not about individual tools, but it's really about protecting the entire, um, system that we used.

And, and, and whether it's production or whether it's software, or whether it's people, the whole thing has to work well and it has to work together. 

[00:06:30] Matt Tverberg: And when you think about how you could potentially implement some of that into, like, security at the front desk and, I guess, just the, the first entry point into your offices, I know that there's potentially a lot of synergy in between our organizations.

And I guess, what would be your ideal outcome if things were to work together in a, in a way that is, you know, futuristic? 

[00:06:54] Alan Mather: Uh, from a security perspective, I wanna know who is coming on site, and I wanna be able to do some type of check of the person. So it's important to be able to have identity. It's important to do a very basic vetting, and it might simply just be an ID check- Mm-hmm

to be able to say, "This is who the person claims they are." If we go to another level, we could look at, hey, I need to do a check or trust check on a person because I'm gonna allow them into a certain area which has restricted, um, items in it, or it might be a sensitive area, and I do wanna make sure that the person is not a criminal, is not wanted, not...

doesn't have issues. By the same token, if I'm working with export controlled or ITAR information, I might also wanna do a visual compliance check, which is very easy to be able to see if the person is on a debarred list. And so vetting at the front desk allows us to make a very seamless check, and if there are no issues, we certainly, you know, print a badge, and the person goes on and does their way, uh, does whatever they need to do.

Um, that's important to us to make sure that we keep the organization protected and we keep our people protected as well as our operations. 

[00:08:25] Matt Tverberg: You know, so there's a lot more to it visiting, uh, an organization such as yours, whereas, like, we at Envoy, you know, we're certainly checking for, you know, NDAs, so we're protecting our intellectual property.

But with your type of work and the work that Tools for Humanity is doing, you have to be in compliance with many different regulations. Is that why there's all these additional checks in place?

[00:08:55] Alan Mather: Well, good security practices dictate that we perform those checks regardless of, of, uh, what regulations there might be. And, and again, it might be driven by a particular, um, product that we're working on, might be driven by a contract that we have- Mm ... or it might just be, "Hey, this is the industry standard," and we follow the industry standard because we don't wanna be negligent.

We don't wanna be malfeasant in anything that we do. So we look for robust, uh, security posture that fits well within the organization. 

[00:09:35] Matt Tverberg: Yeah, and how often are you taking a look at how you're doing things and, like, evolving your security practices? Is it just, like, an ongoing thing? You peel it back once a, once a year, once a quarter?

Is it something that you're always keeping your ear to the ground on the latest and greatest? 

[00:09:52] Alan Mather: Well, in, in tech, things change awfully quick. And so sometimes regulations aren't mature. Sometimes things are still, you know, shifting around. And so we do start with, uh, a, a policy that we can then scale up or we can adjust, and we're flexible and practical in how we approach that.

Um, again, it comes back to what is the right flavor for making sure that we meet whatever requirement there might be, uh, to protect the product and protect the people and protect the operations. 

[00:10:30] Matt Tverberg: Yeah, that makes a lot of sense. Well, before Tools for Humanity, I mentioned at the start you used to work for NASA and, you know, protecting some of the most mission-critical environments in the world where the stakes are obvious, right?

And I'm sure you watched the Artemis launch. I know I did, and a lot of the world did, and that was very exciting. So I guess when you moved more into the tech world, how did you recalibrate your sense of risk, or did you find that the stakes were kind of just different and high in similar ways? 

[00:11:04] Alan Mather: So I had an incredibly rewarding career at NASA, um, you know, with protection requirements for human space flight, for astronauts, for mission control centers, um, you know, priceless assets like moon rocks, cosmic dust, asteroid samples, multi-billion dollar programs like the Artemis program, the Shuttle program, the International Space Station program.

You know, some heavy-duty programs. But I found that moving into the tech industry and the tech sector, that the stakes are just as high, they're just different. And so the speed of innovation in tech is much faster than in government. But I found that in many ways the mindset transfers very well. Uh, you look at mission focus, you look at layered security, you look at contingencies and resiliency, and you look at failure modes, um, before they happen.

So, you know, it was good transition. It is very important what goes on in both, uh, sectors. But, uh, I really like what I'm doing, and I was very blessed to have been at NASA. 

[00:12:22] Matt Tverberg: Yeah. That's... I mean, I love space. So, uh, you mentioned something though that stood out, and that's the, like, the contingency plans. And I think when it comes to emergency preparedness, you like are prepping for something that ultimately no one wants to happen.

How, how do you ensure that, you know, your employees and, and those that you're protecting are, like, aware of the plan? And how do you make sure that, "Hey, if this comes up, I know that my people are prepared and know what to do"? How, how do you balance that without being, you know, I guess it could be overbearing sometimes, but...

[00:13:00] Alan Mather: Well, it's a challenge, uh, because no one wants to spend the time to focus on continuity of business operations or emergency management. Um, but, uh, realistically, we have to look at it, and we have to, you know, have s- the discipline to sit down and say, "In the event that we have a catastrophic, uh, situation occur, how are we gonna continue operating?

And, you know, do we have, you know, supplies on hand? Do we have, um, our records and our access that we're gonna need to be able to continue doing business? Do we shift our command and control, if you will, to a different location and say, 'You operate the company while we, you know, put things back together?'"

The planning is critical. That's the most important thing, is to be able to think through it. And so in my career, I've gone through the several iterations with different kinds of events, whether it was a hurricane, whether it was COVID, whether it was SARS, whether it was catastrophic, uh, space flight accident, the Columbia incident.

Um, those kinds of things, having plans in place gets you 60% of the way there, and you're able to adjust on the fly and go from, you know, that situation. But, um, again, harking back to what General Eisenhower said in D-Day invasion, he said the planning was the most critical point because it forced everyone to think.

You know, after the first shot, it all changes, but at least you gave it, you know, a lot of detail and a lot of thinking. 

[00:14:51] Matt Tverberg: And would you say, like, a lot of those events that you just listed, you know, varying in types of events, you know, from COVID to, you know, faulty rocket situations, I'm sure you learn from every situation.

Uh, how are you, I guess, applying, like, learnings across various types of events like that? Is that something that you can look at each one and say like, "Oh, I'm, I'm gonna definitely do this different"? 

[00:15:20] Alan Mather: The, the value in having gone through an event is the lessons learned. So you learn more from your defeats or your mistakes than you do from your victories.

And so it's very important to be able to do an after action, um, a postmortem, if you will, for every event that you do because there are always things that we can learn, and we can have continuous improvement by doing such. Um, the unfortunate thing is the more time that passes from an event, people tend to forget, and the lessons that were learned are lost.

And so it's very important to be able to capture that information and read about what occurred so that we don't repeat the same mistakes. 

[00:16:07] Matt Tverberg: That's why history is one of my favorite subjects because you gotta learn from history so it doesn't repeat itself.

[00:16:10] Alan Mather: Indeed. May not repeat itself, but it sure does rhyme a lot.

[00:16:18] Matt Tverberg: Well, let's talk a little bit about, you know, security versus privacy. You know, one of the envoy- ongoing conversations we've had together is about, you know, data privacy, minimizing sensitive information exposure. So even in things like notifications, internal tools, how do you tend to balance the need for visibility with the responsibility to, like, limit the amount of data that's being shared?

[00:16:49] Alan Mather: Well, let me say it, uh, at one level, security professionals have access to background check information, criminal history, and investigative data. Lot of sensitive information about a person that they may not share or may not want to have shared. So there's a duty to be, uh, discreet. There's a duty to be trustworthy, and there's a duty to protect that information.

So that's at one level. But let me talk about an effective information security program, which includes privacy, and, and that involves data minimization. So I only wanna collect the information that's needed, I only wanna use it for the original intended purpose, and I wanna protect it. And then after it's no longer needed, I need to destroy it, and destroy it appropriately, whether it's shredded or, you know, we run it through some type of magnetic, uh, destruction process.

But the key, I think, is to be able to publish policies, to be able to be fully transparent, and also have robust procedures where people are familiar that they are holding information, and they have a duty to protect it. And so when you have a program set up like that, and you teach people that, you know, you just can't leave this laying around, that it needs to be secured, um, that sensitive information will be protected.

[00:18:30] Matt Tverberg: And that type of policy in place, like, it's hard to keep everyone in line, you know? Uh, what's your approach to that, and are you working cross-departmentally to ensure your message is getting out there? 

[00:18:44] Alan Mather: Well, some organizations take a, a more, uh, mature proc- have a more mature process where they have formal security education, where they have, uh, online training that comes out that, uh, employees are required to complete.

When you, when you do that and approach it from many different angles, then it just kind of seeps into the organization, and people have that awareness that, "Yes, I need to follow these policies." 

[00:19:14] Matt Tverberg: Yeah. We do that here. Good. You know? It's, it soaks in if it's coming at you enough, you know? 

[00:19:19] Alan Mather: Absolutely. Absolutely. 

[00:19:23] Matt Tverberg: Well, there, uh... When it comes to, to visitor management, the, like, who's-actually-here problem, your workplace team has been exploring ways to understand who's coming into the office using systems like Okta combined with Envoy, where an employee logs in, we know they're there, so we understand, like, a presence signal, if you will.

It sounds simple, but we have things like VPNs, authentication layers. There's global teams that can get really complicated quickly. Why does something as basic as understanding, like, who's present in the office become such a technical challenge in, in a modern workplace? 

[00:20:04] Alan Mather: You know, tools like Okta and Envoy provide valuable data, and bridging the gap between a digital login and who's physically on site still remains, uh, an integration challenge.

Um, these systems were not designed to talk to each other. And so, you know, during an emergency, I wanna be able to evacuate everyone out of the building, no one's left behind, and I've gotta be able to account for everyone. And so I have to use multiple systems to be able to get that information, physical access control system, Envoy, Okta, travel risk management service.

I have to go through this, and it takes time to reconcile these multiple inputs. You know, if... I- and I'm really trying to account for both employees that I know and visitors who I don't know, so that in itself is a little bit of a challenge. You know, if we could define our operational requirements and, and specifically focus on real-time presence, then we can move from this fragmented and messy data situation to actual headcounts to be able to know, "Hey, we've got everyone here."

Um, I have in the past run into accountability problems where it's taken me 24 hours to be able to see, yes, I have everyone. Um, and that's an uncomfortable situation to be in. So maybe one of these agents, maybe there's some AI tools out there that we can take, that we can integrate all this, and just push one button and be able to say, "Hey, they're all right here."

[00:21:52] Matt Tverberg: Yeah. Well, I hope we're, we're striving for that. I know we are. I talk about it all the time with our customers. But the time to full accountability, I think is like... Is that what you would consider your, your North Star metric of what you're shooting for in, in those types of situations? 

[00:22:09] Alan Mather: So, so in most of those situations, you can get about 80% pretty quick.

Uh, supervisors will know. You'll have reports that you can get. But there may be those one or two people that you just can't find, and, and it's innocent enough. Um, in a s- in a hurricane situation, the person had lost their phone. They had no communication. They were literally out of pocket, you know, just, you know, back in, uh, for all intents and purposes, the Stone Age.

And, and it took us a day to be able to account for the person. So every situation's gonna be different. Um, but I think it's something that we can work on, and we can improve, and we can do better. 

[00:22:54] Matt Tverberg: Yeah. I, I wanna go back to what you mentioned of, like, what would you think is, like, the biggest area of friction and opportunity today?

You mentioned the piecemealing together of all these different pieces of, of data to account for everyone, what would you say is maybe the lowest hanging fruit to bring down that time to accountability outside of what you just described for those edge cases?

[00:23:22] Alan Mather: Well, uh, Envoy does a good job at telling me how many visitors I have on site and gives me a picture of who came in, so that makes, uh, identification and accountability very easy.

Um, when I have employees that come through that, um, maybe they forgot their badge that day, and, uh, so now they're not in the physical access control system, but did they get a forgotten badge? Do they get a paper badge? Did they actually sign into Envoy? Um, or did somebody just hold the door open and let them walk in?

When I have those kinds of situations, it really does, you know, slow the accountability piece down. Um, not sure if, if there's an easy answer to that besides, um, you know, positive access control, which means people go through a turnstile, that, that doors, you know, are almost man-trapped, where there's one person in, one entry, and, and that's it.

That there are other ways to do this, too, through CCTV systems that can give you people counts, which can give you numbers to let you know how many people you have on board and how many people have left. But it's still not precise that, that where we wanna know is by name who is, who is in the building or who left the building.

[00:24:45] Matt Tverberg: Yeah. 

I think this is a message to all the tailgaters out there, that they may think it's innocent, but there's a lot more to it than, than that if they don't badge in.

[00:24:55] Alan Mather: Some organizations do a better job in, in making sure that employees sign in and they sign out so that they have accountability of, of... you know, many organizations just want people to badge in, but they don't have them badge out. And, uh, you know, that's a decision each company has to make on their own. But certainly from my perspective, it would make it easier from, like, an accountability standpoint to know when a person came in and when they left.

[00:25:26] Matt Tverberg: Yeah, that's something that more folks have been asking for recently is the, the presence signals. We, we have all sorts of different things we can listen for to understand when someone's there. But the reverse of that, when they leave, that's a little bit more challenging. And I think that also then gets into the Big Brother type of thing that people could be cautious of as well?

[00:25:47] Alan Mather: That's, that's one of the dangers with having data. And so when you're in that situation, what's the purpose of the data? What's gonna be used? Do you have a policy that says, "We are not gonna use this for time and attendance." Mm-hmm. "We will only use this for accountability. We will not use it in a disciplinary manner," or, you know, something that may be abused.

And I think that's the reservation that people have. Um, and I get that. I understand that. You don't want somebody looking over your shoulder, uh, continuously. 

[00:26:20] Matt Tverberg: Yeah. So... All boils down to trust, I guess. Indeed. We, we want this for the right reasons. So talking a little bit about, you know, security as a, a systems problem.

Corporate security is used to be... Or corporate security used to be mostly physical protection. Today, it touches identity, data governance, compliance, and workplace technology. Do you see modern security leaders becoming more like systems architects than, like, traditional security operators? 

[00:26:55] Alan Mather: There's never been a better time to be a security professional with the persistent threats, the increasing cyber risks, the, the things that, uh, face critical infrastructure, uh, challenges, as well as, um, you know, responsibilities for corporate environments.

So there's a lot going on, and organizations need somebody, uh, a professional, preferably, you know, cyber and physical security, to look at these threats and be able to address them. So security leaders that are the most effective are the ones who can look at the entire ecosystem and determine a security design that fits well in the organization and, and is just kind of a natural fit.

Um, you know, a few years ago, ASIS International adopted a program called CONVERGENT. It was designed to be able to get physical security linked with cybersecurity. Kind of get that divide because they had both grown up in, in silos. And so in my case, I actually, um, went to ISC2 and took the Certified Information System Security Professional exam, learned more about cybersecurity.

At NASA, I took an enterprise architecture framework course, and I also took AI and ML courses just to become a little bit smarter about this area. So, in many ways, if you ask me, I think that the technology, the, the adoption of the technology in the workplace, and, and how we operate is changing the way that security professionals operate, and it's really forcing us to think more along the lines of system architects.

[00:29:02] Matt Tverberg: Yeah. And with that background, do you have a counterpart there that leans more heavily into the cybersecurity that you collaborate with closely? 

[00:29:12] Alan Mather: Indeed. So cybersecurity is so important today that you have to have somebody that's dedicated to looking at your cyber infrastructure. And so looking at the threats, looking...

Monitoring of systems, you know, and whether we outsource it or do it in, in-house, you have to have somebody paying attention to it because the, the bots and the, the tools that are out there to go after your, your assets are just tremendous. At NASA, we got hit every day. It was, uh, s- astounding numbers as far as the attempts and the...

And what was hitting our systems. You know, most companies don't face that, but if you don't have it, it will devastate your organization, and you could very easily be out of business. 

[00:29:59] Matt Tverberg: Yeah. And for those that are keeping their ear to the ground with AI, I'm sure you've heard of, like, Mythos and how they released that to a handful of organizations, and the, the security gaps that I- that it identified were really scary in a way, and there's a-

[00:30:16] Alan Mather: Very scary. Yeah ...

[00:30:17] Matt Tverberg: It's a good thing that they released it to such few organizations, but I think that really tells a story of how vulnerable our systems are that we may not be aware. And, you know, knowing that stuff like that's coming, and ultimately I hope it helps everyone become more secure. But how have you and your colleagues talked about those types of things and preparedness for it?

[00:30:40] Alan Mather: In that situation, I'm gonna say I'm a physical security guy. Uh, no, it is scary. And so, uh, again, I mean, this is one of those situations where shields are up and be able to protect your infrastructure as best you can. You know, it's always the situation of six-foot wall, seven-foot ladder, eight-foot wall- Mm

nine-foot ladder. And so we just continue to build and secure and build and secure and, you know, and have backups and adjust accordingly as, as we can. But there is no easy answer to this. And, and the, the other side of it is trying to take AI and apply those tools to be able to go on the offensive, if you will, or to be able to protect your, your domain so that you don't get knocked out.

And, uh, I was gonna say, there's job security in that field, so just, you know, continue working. 

[00:31:42] Matt Tverberg: Yeah. The frequency of which I- you probably have to evaluate things is increasing, I would assume, given how fast things are changing. 

[00:31:51] Alan Mather: It is, and, uh, I think it bodes well for our company and what we do. Uh, I think proof of human is going to be, uh, something that many companies are going to say, "We need that, and we need it now, because we can't distinguish between what's a deep fake and what's a real person."

The technology is so good, the software is so great that, you know, people are losing money, and, and worse. So, uh, uh, again, it's, uh, it's a good time, but it's also a bad time. 

[00:32:26] Matt Tverberg: Yeah. I, I think I even read, like, deep fakes have been taking interviews and things like that. 

[00:32:33] Alan Mather: Doesn't surprise me. Uh, I do know that, uh, uh, s- you know, money has been lost, and, uh, and it's probably gonna be worse, so...

[00:32:45] Matt Tverberg: One more quick question about how you're collaborating with your cybersecurity counterpart is a lot of times the, like, the physical security aspects can turn into data security ones, whether it's a propped door or someone tailgating and getting in there to do something malicious with the available data.

When you think about how those two overlap, uh, what are some things that, you know, people watching might need to consider?

[00:33:13] Alan Mather: So it's important to, uh, collaborate and work together because, again, physical security is different from cybersecurity. But, you know, your data warehouse or your... where you have your servers, where you have your equipment requires physical security.

And so when you look at SOC 2 certification or you look at FedRAMP certification, those kinds of, um, requirements have physical security in them. You wanna have positive access controls. You don't want anybody walking into your facility. So, you know, what... It's not enough just to have a card reader on a door.

You need a camera, because you may catch that the badge went through there, but was the person holding the badge actually that badge holder? And so again, physical security is very important. We wanna protect that data and that... you know, it starts with, with- Again, systems that, that help and contribute to raising your, your posture so that you are secure.

Um, certifications help in many respects, but, you know, let me shift a l- a little bit from just, you know, the hardware side of physical security and talk about insider threats. So you can have employees that are disgruntled, for whatever reason, who you may not see, and they have access, and they can hurt you the worst because they know where, you know, the keys to the kingdom are.

Mm-hmm. And so it's very important to pay attention to that aspect of your security program in addition to the physical security side of things. 

[00:34:58] Matt Tverberg: That has to be far more difficult or- 

[00:35:02] Alan Mather: It's more challenging, but again, in, in many cases, there are signs that point to, um, you know, this person was in a downward spiral, and his behavior started to, you know, be off from what he was used to.

So lots of times security can help and, and say, "Hey, what's going on here?" And intervene and, and, and maybe help the person become a great employee again or prevent something, you know, really bad from happening. 

[00:35:33] Matt Tverberg: Yeah. I imagine people don't think that HR plays a part in security, but in this part- particular situation, I feel like that would be very- 

[00:35:41] Alan Mather: They do, and, and HR makes a tremendous contribution, especially when you start in the hiring process as far as screening people.

And so many times they may be looking for, "Hey, I need those technical skills to make sure that the person can do the job that we're actually hiring them for." But you also wanna make sure that they're stable, that they're responsible, that, you know, they're... they have a good track record.

And, uh, many times people can clean up and look great in an interview, but if you peel back a little bit, you might find something you're not really keen on. And so, um, that fit, coupled with, you know, a background check and looking at, you know, maybe is there any criminal history and, and are there any things that need to be further investigated?

Because the more access that you grant to a person, again, you're giving them more th- more things that they could take or more things that they could hurt, uh, the company. And so it's very important, again, to make sure that HR does their job, and that the cyber team does their job, and the security team does their job because when we look at a comprehensive approach to security, that's what we're looking for, is a team effort to be able to protect our people and our operations.

[00:37:09] Matt Tverberg: Collaboration couldn't be more important than- 

[00:37:11] Alan Mather: Indeed ... situations like that. I mean, it, it's a cliche, but, you know, teamwork makes the dream work.

[00:37:17] Matt Tverberg: That's right. Everybody's got to row the, row the boat together.

[00:37:20] Alan Mather: Even if it's a small role, it's still important. 

[00:37:23] Matt Tverberg: Absolutely. What about your thoughts on... I know that you'd mentioned is it the person that's...

Is the person holding that badge actually the person that we're capturing coming in? I know there's a lot of movement towards using your phone as your access, and I know that that can be a huge investment to, to migrate to that. Like, what are your opinions on one versus the other? Is there a world where they work together or...?

[00:37:54] Alan Mather: That's a great question. And so we're actually doing a pilot program over in Germany at our o- one of our offices. They are using mobile access for employees to go in and out of that building. I've gotten some preliminary feedback, but we haven't made a decision yet on, on which direction we're gonna go.

I think it's inevitable. So, um, I don't wanna date myself, but a lot of the workforce today, um, you know, if they forgot their phone, their world would fall apart. And so I've had people forget their badge, but they won't forget their phone. And so if we put the credential on the phone, that would serve as a pass to be able to get through the office, and it works great.

I've actually done that at NASA where we did a prototype and worked it, and, and, and it was very good. You still have the identification piece of who, how do I know who that person is in this building, um, on this site? And so you might go from whether it was a smart badge that might cost you $20 to make to a 25 cent PVC piece of plastic that a person has, so that you would still have that identification piece.

Um, or, you know, you could have both, and it could be a backup in the event that, you know, the, your battery died, you forgot your phone, God forbid, something like that, you would still be able to get into the building. So, um, te- again, technology is moving forward, and I think we, we adjust and adapt accordingly.

Um, may not work in every place, but I think it could work in, in many offices. 

[00:39:45] Matt Tverberg: Yeah, and the cool thing about that is the ability to turn it off really quickly too. You know, that's... We- So- We're mobile credential here, and you're right, never forgot my phone at home. 

[00:39:58] Alan Mather: So when you talk about the, the s- the... What's really great is you could disable the credential immediately, and so it's not, um, i- it's a little bit faster, I'll, I'll say that, than having to turn a badge off.

[00:40:17] Matt Tverberg: And that's what I would consider maybe, like, an evolution in the past five years or so. And as someone who's been in security for, you know, 20 plus, if you were looking ahead f- you know, five years from now, maybe what's something that you think is, is coming and evolving and that other security leaders out there, as they look to future-proof their offices, that they should be considering?

[00:40:43] Alan Mather: Well, I think that, um, we're probably going past the, the log in once and you're done. So we'll have some type of, uh, identity check and, and then it will be an, uh, continuous, and it will be contextual. So, um, yes, I would log on, and then in the background, it would check to make sure, yep, he's still logged on.

Yes, he's still in the right place, and yes, he's still got the right accesses. So this would be seamless. Um, I also think that if we did that, the, the better security that you have, the more privacy you have. And so again, in the background, it would be able to prove, yes, that's still you. Yes, you have access, and you don't have to provide any more personal data or anything else that would be new.

[00:41:44] Matt Tverberg: Hmm. Makes a lot of sense. So touching just a little bit on the human side of security, security leaders spend a lot of time thinking about the systems and tools, which we've talked about a lot, but most real risks still involve our behavior. So, like, what's one thing people that are a part of security teams consistently underestimate?

[00:42:10] Alan Mather: I think security teams underestimate employees' creativity when they're trying to get their job done. And so if a security process is complicated, people are gonna find a workaround. I mean, how m- we talked about it. How many times have you found a rock or a brick outside an access-controlled door? They prop the door open because it's inconvenient.

It's, it's just human nature. So again, any security program that is too difficult to understand, too cumbersome to implement, or too hard to manage is not gonna be implemented or adopted by the stakeholders. Y- your employees aren't gonna do it, and management isn't gonna support it, and thus it's, it's ineffective.

So- I think it's, it's a, a, a good security program is one that focuses on making sure that the secure path is the easiest path. And if you're able to set up security options, um, that, that are, are convenient, they'll be adopted naturally. People will follow it because it's the way to do things. And so it's very important to be able to have that design, um, and, and think, think it through and work it and make sure that it's optimized so people will use it.

[00:43:38] Matt Tverberg: Where conveniency meets security. 

[00:43:41] Alan Mather: Well, lots of times security isn't convenient just by design, but if we can make it a little bit better so that, uh, you know, people will follow it, you've won the battle. 

[00:43:56] Matt Tverberg: Yeah. 

And that getting people to follow behavior, half the battle.

Well, I know that we are really grateful for, for your partnership, and you recently were a panelist at our, our internal company All Hands, which was excellent, and you brought the Orb, which is a product that you spoke about at the beginning here. So when you think about, like, collaboration between companies, and it doesn't always happen, but what kind of vendor relationship do you feel like makes a true security partnership rather than just, "Oh, this is a, this is a tool we have, and we use it"?

[00:44:39] Alan Mather: Well, I, I think a, a real partnership goes certainly beyond software. It's, it's about shared problem-solving. It's also about building relationships and developing those relationships. Um, you know, uh, when vendors and customers collaborate and share feedback and have technical exchanges and, you know, learn about each other, uh, I think that's when you end up building better solutions to whatever the challenge you might have.

You know, Envoy asked me for some feedback about your product, and, and we certainly did provide some input, and I was pleased that, that, like others, that those, uh, ideas were actually, um, adopted and put into the software. And so it made the user's experience a lot better, and, uh, I think that's great. I think that's super collaboration when you're able to have that relationship and work together.

We've also invited the Envoy team to our office to be able to see the Orb, to talk about the hardware, talk about the software, talk about proof of human verification and what we do. And that's exactly the kind of collaboration, I think, that, that helps both sides innovate. And so, you know, the best partnerships are the ones where, uh, you're not a customer or a vendor, but both sides treat each other with respect and, and help each other, and we become mission partners to solve problems.

[00:46:26] Matt Tverberg: Oh, man, I appreciate that. And I will say as someone who works with our customers every day, it, it's why I've been here for as long as I have because I, I truly think we do care about what people are trying to do better, and we, we listen a lot. And I... Don't be shy when it comes to letting us know what we can continue to do better because I can tell you from the top down, it's something we, we listen and we...

You're making us better. So certainly appreciate it.

[00:46:57] Alan Mather: That's, that's the way it works. And in many... I won't say it's like a marriage, but it's very close. You know, there's a lot of give and take and, and it works.

[00:47:03] Matt Tverberg: And the contract's the prenup. Yeah. 

Well, I think, uh, like, the security paradox, we touched on it a little bit, but maybe just a little bit more about the better security systems get, the less people think about them, and you were touching on it a little bit.

But do you think the ultimate goal of security is to become invisible to the person? It's just so seamless that there's security without awareness? 

[00:47:37] Alan Mather: Uh, perhaps. Uh, the best security systems are the ones people don't have to think about really. Um, and I say periodically, "I work awfully hard to make nothing happen."

If security becomes invisible, but yet it still works, then that usually means the security system is designed well and it's integrated into the workday, into the workflow, and so it's just natural. Um, but, you know, a number of years ago, I worked at a counter-drug organization. I, I, I led a project with graduate students from the University of Florida College of Architecture, brought them to our site where they studied it, and they made recommendations and submitted, uh, their renderings using crime prevention through environmental design concepts and principles.

So the security measures included, um, standoff distance, restricted access areas, uh, access controls. And all the things they did, they, they were aesthetically pleasing. And, and by that, I mean they used landscaping, and sidewalks, and vegetation, and trees, and boulders, and lighting, uh, to control people and vehicles.

And this blended in very well with, with the, uh, environment. And it, and it was seamless, and it was natural, and it was invisible to the untrained eye. But to a security professional, there were security features and countermeasures that were in there. And so I think that's an example of, you know, you want it to be invisible, you don't want it to be seen, but you want it there.

And so that would be the ideal state for security, is to have it invisible to the user, but it remains visible to security as well as management. Yeah, it was a pretty cool product. Absolutely. I mean, it was, it was a lot of fun. And, and, uh, I'll tell you, uh, I was leaving work, and a lady was taking pictures, and I said, "Excuse me, ma'am, you can't take pictures here."

And she goes, "I'm working on an architecture project, and I just... You know, I'm taking pictures of this old church over here." I'm like, "As, as long as you're there, that's fine." So then it made me start thinking about, I need some help, and I wrote five schools and I said, "Would you come study our site?" And I got a reply back from the University of Florida, and they actually studied it for the entire semester.

One student, actually, she wrote her thesis on this particular project. And so again, we benefited, they benefited from it, so just a lot of fun. We put them in a, a... We flew them down in a Navy aircraft to the site. They spent the weekend there. They came back another time, uh, flew back and, and, uh, we flew up there, and they presented all these, uh, uh, 3D models and drawings.

Just a super project, so yeah. 

[00:51:04] Matt Tverberg: Well, my final thought for you is, you know, the podcast is called Make Yourself at Work. What, what is it that allows you to make yourself at work and gets you up every day and keeps you passionate about this industry after all of these years? 

[00:51:21] Alan Mather: You know, I'm blessed. I, I love what I do.

I've been a security professional for a number of years. I've had a, a terrific career as far as working in different fields, having different projects and programs to operate. So, you know, when I reflect upon success, it's, it's the experience where security has contributed to the mission, where the company succeeds and is able to, you know, uh, do whatever it is that they do, whether it's launch a rocket or seize illicit drugs or, um, you know, make orbs.

Uh, it's really cool. You know, security rarely gets, um, celebrated when things go right. Um, nobody calls the power company and says, "Thank you for keeping the lights on." Uh, it just kind of comes with the territory. But I will say that it warms my heart to know that some of the systems, some of the procedures, some of the things that I have done are still in effect, and it enables the company to move forward on their mission confidently and securely.

And when I think about that, I go, "You know what? We've- we're doing a great job." And, uh, it's fun. It, it gets you up every day early in the morning, and you stay late, and you go, "Wow, where'd the day go?" 

[00:52:53] Matt Tverberg: Yeah. Security can't take a day off, that's for sure. Nope. Well, Alan, I want to say thank you so much for being here.

It's been a, a pleasure to chat with you, and I'm looking forward to what our companies will continue to, to do together and, uh, appreciate the partnership. And with that being said, I'm Matt Tverberg. This is Make Yourself at Work, and we will see you next time. 

[00:53:18] Alan Mather: Thank you, Matt. I really enjoyed it.