Beyond Passwords: Identity Security as Hospitality’s Frontline Defense with Jasson Casey and Josh Johansen - Part II

About This Episode

High-turnover industries like hospitality face a unique cybersecurity challenge: how to secure access, onboard employees quickly, and reduce risk without slowing the business down. In part 2 of this conversation, hosts Rachael Lyon and Jonathan Knepher continue their discussion with Josh Johansen and Jasson Casey on what passwordless security looks like in the real world.

This episode dives deeper into device-bound authentication, passkeys, and identity-based security, unpacking how secure enclaves, biometrics, and modern identity platforms reduce phishing risk while improving user experience. You will also hear practical guidance for business leaders on how to adopt next-generation identity security without replacing existing systems, plus personal career insights from leaders who found unconventional paths into cybersecurity.

      Welcome to the To The Point Cybersecurity Podcast. Each week, join Jonathan Knepher and Rachael Lyon to explore the latest in global cybersecurity news, trending topics, and cyber industry initiatives impacting businesses, governments, and our way of life. Now, let's get to the point. 

      [00:15] Security in Hospitality: Juggling Turnover and Usability

      Rachael Lyon:
      Agreed. I'm not gonna lie, Josh. For the longest time, I was avoiding the whole two-factor authentication because it just drives me insane, because I never have like the right device, you know, that it bounces to, and it's always a thing. But I'm also kind of curious on hospitality in general. There's a fairly high turnover rate for these kinds of employees, and in this world, like restaurants, hotels, et cetera.

      Rachael Lyon:
      So how do you manage training? So kind of security awareness and training when you have such high turnover? To your point, like someone leaves within a week. If you have a lot of that happening, how can you manage security in that way and training in that way?

      Josh Johansen:
      Well, I'm not gonna sugarcoat and tell you that it was just easy. We just flipped a switch and turned Beyond Identity on, and that was that. No, I mean it is a little bit. It's a heavy lift right now for us to get people like when they start, get them enrolled, and get that passkey on board. We've got some hotel leadership, general managers, AGMs, which are really great at it. And we have other ones who are like, seem to forget it exists as a thing to do. And so we're always looking at the reports and beyond what pending enrollments are there, and like, hey, why are these folks so pending? You know, they've been here for a while, we need to work with that. So that's actually one thing we're focusing on this year, which is to make that process a little bit more streamlined.

      Josh Johansen:
      And I know Beyond Identity is making some hopefully platform enhancements and things that they've been working on in their pipeline to make that easier, so that users can maybe authenticate to one device and then they have a YubiKey available. We don't use YubiKeys just because it would be. It's hard enough for them to keep their name badge. Having them carry around a YubiKey, I think, would be an impossible ask. But I think the idea of, like, you know, if you've got your passkey bound to your mobile device and you can use a QR code and scan and authenticate, that would be like the wave of the future. But right now we're still working on that aspect of like, hey, how does that flow work to get them into, to get them in, because it is a little bit of a lift. But then once they're in, as far as the training we do for security, we use another company, it's called Venza, but they actually help us with all of that PCI training and cybersecurity awareness, vishing, phishing, spear phishing, all of those types of things, and they're constantly enhancing that. But it is something that we, you're right, we have some people that start like they get onboarded, all this stuff, they can literally just click there and do the training.

      Josh Johansen:
      And again, some leaders are really great at making sure, like, hey, you don't do anything until you've gone through this training. And then we have other people like, hey, I really, I'm swamped. I've got, you know, so many people coming on. I need to do. You're going to, you know, trenches in the ground here, let's get going. And then they, they're catching that up. So that's the other great. One of the other things that Beyond Identity has done for us with that single sign-on is it has taken the barrier away of getting to your training or getting to those jobs, because once your accounts are created and you've got that passkey, it's just one click in.

      Josh Johansen:
      There is no what's my username, what's my password, what's any of that which, you know, that's bound together with single sign-on and SAML with an identity provider, but still the password is the barrier.

      [03:38] The Passwordless User Experience

      Jonathan Knepher:
      So Josh, what's the actual user experience?

      Jonathan Knepher:
      Right, like you started this with like the warning of that phishing attack was.

      Jonathan Knepher:
      The user got queried for a password.

      Jonathan Knepher:
      And they shouldn't need a password at all.

      Jonathan Knepher:
      So how's the typical person in this scenario logging in in the passwordless case?

      Josh Johansen:
      So we have it connected with our Windows domain or Active Directory domain. So when folks are originally signing in, they do have a password at the very first day. Like, hey, we have a generic format of how we make it based on different artifacts from their employee file. And that's their initial password. And then when they log in, they're going to create what one. And then as soon as they log in, they would go to the Beyond Identity portal, like Microsoft My Apps, and they, you know, they click that, click Beyond Identity, it downloads their passkey, binds it to their device. And then once that's done, now that device is all set up for them. So now when they log in, instead of using that password, they're going to use a PIN, or maybe if they've enrolled their fingerprint.

      Josh Johansen:
      If they have like a. They're a support office user and has a fingerprint reader on their device that they've enrolled, and they log in and then they open up their email, type in their email address, click Next, and instead of going to that Microsoft flow, it goes right to Beyond Identity, verifies that, and then they're in. That's literally why the GM, I think, calls it automagical, because there was no. All these forms to fill out. When you first start, it's literally, what's your username? And then it's checking that device right away. And so the flow, once they have it set up, it. It's so easy. I feel the other thing that happened, like, our CEO watched probably, like, oh, maybe it's when the new iPhone came out, they didn't transfer their passkey to their new phone.

      Josh Johansen:
      And so then he's trying to log in. He's like, I can't log into anything. Everything's giving me, like, what's going on? I'm like, hey, did you move your passkey over? Well, yeah, I backed up my, like, well, it's like a. You know, it's like your Apple Pay card. You've got to move everything over. So then we put that passkey back on, and all of a sudden, no more problems. He said. But the idea that, hey, these people haven't typed a password in four years, to actually bring back passwords on our side, I think people might actually cry or at least be like, really shaken to the core of, like, this is not easy.

      Josh Johansen:
      We had a hotel that had left us, and then they came back. Like, we manage for other owners as well. So we were managing this hotel when we originally had the Beyond Identity rollout. They. They left. They went to another management company, and then this year they came back to us. And one of the first things the GM said was like, oh, I can't wait to get all that integration so we don't have to type in all this stuff, you know? And so I think that's a little bit of a win, too. People prefer it once they experience it, I think, but I think they have a little bit of a hesitation for new folks that come in, and they find out we use a passkey because that word has become a little bit dirty because of this really poor deployment by the masses.

      Josh Johansen:
      But I don't know how we get around that. Facebook wants you to use a passkey, Google wants you to use a passkey, whatever those might be. And they don't understand how it works, or they don't use a password manager, and they don't quite get the fact of, well, what's the point of this passkey if I can just use my password? That's a good point. What is the point of the passkey if you can just use your password? But at the same time, people I don't think have a full understanding of. I think passkey's a really generic, broad term rather than a very specific thing. And so the way that I get into the technical weeds and don't really know what I'm talking about, and I'll defer to Jasson here, but I understand it's like a key pair certificate rather than this magical passkey you got in the Nintendo game that you just tap on whatever device you want to get into.

      [07:26] The Evolution of Identity-Based Security

      Rachael Lyon:
      What does the evolution of, let's say, identity-based security look like? Jasson, I'm quite curious. I love the show Altered Carbon, and they use actual DNA kind of thing. But I'm curious, what does this look like? Where are we going to? Because ostensibly, everything can be spoofed, be it your voice, be it your fingerprint, or other things. But what does the future hold here?

      Jasson Casey:
      Interesting. Let's try and find an analogy that's in this. In the, in the style of Altered Carbon in a sleeve, or maybe even Permutation City and Greg Egan. And I mean, let's see, identity is basically what you are, right? And I don't know, it sounds a little philosophical, but. But it's also meaningful. So, a program, before you load it, that program has a very specific sequence of bytes. No other program has that sequence of bytes except for a copy of that program. That program's identity is literally its sequence of bytes.

      Jasson Casey:
      When we think about essentially how we're talking about what modern identity is, that is the concept. It's like your identity is this unique pointer that's cryptographically sealed. When we say cryptographically sealed, what we really mean is it's. It's signed in a way where the only person who could produce a signature over that unique sequence of bytes is someone who possesses that private key. All right, well, why can't I steal the private key? Well, in the modern world, so, like, go try and buy a processor. It doesn't matter if you're buying like an Intel CPU or if you're buying like a tiny little, like a tiny little ARM processor, right? They all have these things on them now called secure enclaves, which is essentially a place that will create those key pairs, keep them separated from the main processor and main memory, the key's never in memory, can't be stolen. There's no instruction that you could ever issue that says read key, right? Basically, you could think of it like imagine there's a jail and the jail doesn't have a door, but you can reach between the bars and there's a monkey with a pen on the inside. And essentially, what you're doing is you're handing a document through those bars and asking the monkey with the pen to sign it.

      Jasson Casey:
      That's kind of what an enclave is. And so the future of identity, and this is ultimately what is kind of at the core of passkeys and devices. And anytime you hear someone say device-bound, it's basically picture the monkey in the jail without a door, right? Anytime you hear someone say device-bound, that means your computer, regardless of what it is, has that little isolated jail, and it's able to sign things. And because it's built in that way, you know, anytime you see that signature, it's that thing and nothing else you can build on that, right? And so when you, you probably have an Apple phone or an Android phone, and I'm sure you've used it to pay for something, right? Like a mobile payment, the experience you see is you tap, and you smile, or your mask breaks the smile detector, right? And so you put a little PIN code in. You don't really think of it beyond just I bought some coffee. But what happened under the hood is you just did single-device multi-factor authentication that leveraged a device-bound credential, right? The merchant sent your phone a bill over the wireless network, and your phone said, hey, monkey, sign this. Turns out, for the key that you just asked the monkey to use, it pulled up its book, and it says, hey, the manual says to use this key, you need to do three jumping jacks, right? Now, otherwise I won't sign this for you. But instead of three jumping jacks, it's like, hey, I need you to smile.

      Jasson Casey:
      You send a biometric or an image of your biometric into the enclave. And if the monkey likes it, it signs it. And if it doesn't, it says, try again. Or give me an alternative, right? You give it a pen. And so that's called enclave policy. When you satisfy the enclave policy, it will then sign the document and give the document back to you. The key never moves, the key is never in memory, the key can't be stolen. And you now get a receipt of two interesting things.

      Jasson Casey:
      Either an inherence factor, right, the biometric, or a knowledge factor, that local PIN. And because that key can't move, you have a possession factor of the device itself. So that's what makes it multifactor, that's what makes it device-bound, that's what makes it incredibly secure. And oh, by the way, any event that you produce off of that authentication now is really special and unique in your SIEM or in your XDR. It's an event that you know with certainty came from a specific device. It's an event that's not spoofable. It actually can't be faked under the assumption that the foundry that produced that chip has not been essentially compromised by the Russians or the Chinese. So it is possible to actually prevent impersonation.

      Jasson Casey:
      Maybe somebody in the long tail who's listening to this show is going to say oh, what about quantum? Well, the answer is pretty simple to that too. There's post quantum signature algorithms, and these systems use those as well. So, haha, you're right, flip the switch. Post-quantum signature defeated. That's what the future looks like. That's like the building blocks at the lowest layer. I think what the future looks like for users, though, is that Apple Pay experience but for work.

      [13:07] How to Get Started with Identity Security

      Rachael Lyon:
      Interesting, interesting. So, for those out there, and I think about business leaders and others, so how did they get started on this path? A really kind of next-generation identity-based or device-based security if they're not there yet? I mean, where do you even get started in a 30, 60, 90-day plan? Because this is very compelling, and I suspect a lot of people want to figure out a path forward to help themselves be more secure.

      Jasson Casey:
      The easy answer is just call us. But let me talk a little bit about the architecture. So, a good identity security platform, it doesn't displace your identity stack; it plugs into your identity, and so we follow that tenet. It actually doesn't take but a day to plug us into an Entra or an Okta or a Ping or OneLogin or a Shibboleth or pick your IdP provider. The harder part, as we kind of talked through earlier, is the enrollment. Like, how do you actually want to enroll? And best practices that we see is you pick your rings. Your rings are kind of based on the writ, like who are the riskiest users? And that's very dependent on your business, right? So if you're in hospitality, you may define risk in a very different way than if you're software tech, than if you are education.

      Jasson Casey:
      Right? But we do see that pattern show up. They all agents, they call them rings. Right. So ring one, ring two, ring three. We have a couple different deployment models, but I would imagine that, over time, any solution is going to evolve with these similar deployment models. But you can deploy with an MDM to manage devices. You can enable self-service for BYOD or third-party. The hardest part in all of this is really just getting your users ready and aware for the new experience.

      Jasson Casey:
      Otherwise, you're going to get help. Desk calls of like, hey, I don't see my password box anywhere. And so now I don't know how to log in. And you're like, well, no, just click the button. And they're like, but no, I don't see a password box. Right. So, like, there's a little bit of a marketing exercise, even though it's to your internal workforce. But you know, we've had companies deploy 60,000 people in 60 days.

      Jasson Casey:
      So it's, it's, it's possible to go quick. Usually, the really quick organizations are, they're motivated, right? Like they had a breach or they had an incident. And this is a very easy, quick response to ensure that the incident doesn't persist or continue. But it's also, we also find deployment time frame is largely a cultural decision of the organization that's running the deployment. Right. Some organizations like it deployments. It doesn't matter what it is. It's going to take a period of time because that's how the organization has decided it's going to take.

      Rachael Lyon:
      Right.

      Josh Johansen:
      Right.

      Rachael Lyon:
      Cognizant of time. But I do want to ask kind of one final personal question, Jasson. We've had a lot of entrepreneurs and founders come on the podcast over the years, and it's. I, I came across an interview you did, and you know, you talked about 19 years old was your first startup writing software. And then you, then you found a book. There was this book that you were reading from Michael Lewis. I think it was The New New Thing about Jim Clark and having that unequivocal obsession of solving problems. And I just would love if you could share a little advice for our listeners who are, you know, kind of thinking about pursuing this path, and how do you get started and just take that first step?

      Jasson Casey:
      Yeah, the. Let's see. It's a hard thing to give advice to because it's kind of saying fall in love with X. Right. And ultimately, that's an intrinsic motivation. It's not really an extrinsic motivation. But the people that I see do this and follow similar paths. You're highly curious.

      Jasson Casey:
      You really understand a thing. You're not necessarily superficial on the topic. You obsess over the problem. The monetary reward isn't necessarily really what's on your mind. The fact that the problem must be solved and other people are going to solve it incorrectly is what's on your mind. It's almost like an on-the-spectrum obsession. That's the, that that's kind of what you need to, to be the North Star, to keep everybody motivated to, to get through the hard times. But also, if it were easy, the existing players would be doing it.

      Jasson Casey:
      Right. If it were easy, the opportunity wouldn't be yours. If it were accomplishable in 9 to 5, it wouldn't be your opportunity to try.

      Josh Johansen:
      Right?

      Jasson Casey:
      Right. So, like it's hard work. It does require a lot of persistence. The people that I see that do the best, they're naturally curious. They're systems thinkers; they go deep. They don't accept superficial responses to answers. They keep asking why they really want to understand how stuff works. They're system thinkers.

      Jasson Casey:
      You know, for me, you know, it was a combination of like I, I like puzzles, I like building things. I like the idea of turning an idea into something that somebody else used. Right. Like how else? It's like one of the most, one of the most obvious ways to impact others is to build a thing they use. Right. That changes their life. And you know, you don't have to change.

      Jasson Casey:
      We're not talking about like a movie, you have to change their life to where somebody writes about it. But like changes the way they behave for the better. Like that's, that's meaningful. Right. It means you kind of impacted society, and you know, the way you do it is technical but, but at the end of the day, you're still doing a thing to try and impact the behavior. Right. Like beyond identity, like where we're, our mission is really an obsession. Around 70 to 80% of all security incidents are preventable.

      Jasson Casey:
      Like for the sake of, for the love of God, can we move on to the next problem that is actually hard? These 70 to 80% problems, we can prevent them. We don't have to reduce them; we can actually prevent them. I don't know, I could go on a long time for that. But like if somebody were getting started, like don't say you want to do a startup, but you don't know what you want to do a startup on. That sounds like you should join a startup, right? Like, if you're going to start a thing, you already know what that thing is, right? There's a bit of a self-selection bias in that. I can totally see you want to do a startup, you don't know what to do. And you're inexperienced, so you just don't really recognize the situation.

      Jasson Casey:
      And the answer is join a startup that you can get excited by. You're going to grow really fast. You're going to give and be responsibility that you don't deserve. You're going to be given an opportunity in a noose to kind of grow or hang yourself with that. You will not experience it anywhere else. Yeah, and that's where learning comes from. That's where you get to meet great people like Josh. That's where you get to discover, like, you know, you only ever have a vague idea about, like, the specific problems, and maybe you understand the macro problems well.

      Jasson Casey:
      But like once you engage with the customer, then they really tell you, well, yeah, you're on target enough for me to work with you. But really, I need this, I need this change, I need this shift, I.

      [20:35] Josh Johansen's Path to Cyber

      Rachael Lyon:
      Need real-world problems and similar kind of question. Josh, we're always interested in how people found their way into security. It's not always a linear path. Some people were PhD in linguistics or something like that, and now I see so, but yeah, always curious, kind of, how did you find your way to this world?

      Josh Johansen:
      Well, so I actually started school when I went to university. It was for commercial aviation. I'm a pilot, went to UND Aerospace, and my part-time job was working at a Holiday Inn, and I wanted to be a porter like the shuttle driver because I needed the tips in order to pay for rent and everything else. And I stayed with the hotels all the way through college. I did an internship with American Airlines down at DFW, and the hotel kept me on as an employee during that semester. And when I came back, finished up school. Unfortunately, September 11th happened my freshman year, and so that kind of impacted things. By the time I was ready to go and had things lined up, a lot of that was backfilled with a lot of furloughed pilots.

      Josh Johansen:
      And so I thought I'd go into aviation investigation. I really liked human factors and cause and effect how things happened. But those jobs weren't available anymore. So I thought, well, the company I worked for, I said, hey, how would you like to go be a general manager of a hotel in Fort Worth, Texas? And I said probably not. But a week later, I had my car packed and was driving down to Texas, and I ended up being, I'm like, I'll do this for a few months and get back into aviation. But you know, I kind of fell in love with hospitality. I was in the operations side for a long time until about 20, and they kind of moved into the property support, and I really saw the evolution of technology and how we use it in our operations. When I first started, really, it was the CRS, the central reservation system, and the property management system, and people had a Windows login to use Word.

      Josh Johansen:
      But that was about all the technology we had. And now we run on so many systems and so many things. So it's been fun to be a part of that evolution and see how that happens. And then I just kind of got a knack for the IT side and kind of shifted into that full-time here about eight years ago. And so that's kind of been that's how I ended up where I am now. But I still am very passionate about hospitality and taking care of guests, and I would love to see how we can continue to equip our teams in a secure way so that free up just to deliver hospitality and not so scared about phishing emails and attacks, and did I expose or have a big breach or anything like that.

      Rachael Lyon:
      Wonderful, pilot. That sounds scary. Well, thank you, Josh, Jasson, for this wonderful conversation today, incredibly insightful, and I wish we could keep talking, but I know you have things to do today. So to all of our listeners out there, again, thank you so much for joining us. And I'm going to give John the.

      Jonathan Knepher:
      Drum roll for smash that subscribe button.

      Rachael Lyon:
      And you get a fresh episode every single Tuesday. So until next time, everybody stay secure. 

      About Our Guests

      Jasson Casey is the CEO and co-founder of Beyond Identity, where the focus is on eliminating passwords and establishing secure, device-bound identity as the foundation of modern authentication. He previously served as the company’s chief technology officer, bringing hands-on engineering leadership to the development and scaling of identity security platforms built for today’s threat landscape.

      Beyond his industry work, Jasson contributes to cybersecurity policy and research as a visiting fellow at the National Security Institute at George Mason University’s Antonin Scalia Law School and as an Advanced Cyber Studies fellow at the Center for Strategic and International Studies (CSIS). His work sits at the intersection of identity, trust and emerging technologies, with a focus on how organizations can adapt as AI-driven threats accelerate.

      Check out Jasson Casey on LinkedIn

      Josh Johansen, Head of IT, Brandt Hospitality Group

      Josh Johansen is the Director of IT at Brandt Hospitality Group, where he leads technology strategy and day-to-day IT operations across a portfolio of hotels in the United States. His work centers on building secure, low-friction systems that support frontline hotel teams while protecting guest data, financial systems and brand operations.

      Josh brings a practitioner’s perspective to cybersecurity in hospitality, with deep experience in identity and access management, phishing defense and employee lifecycle controls in high-turnover environments. He focuses on reducing risk by eliminating passwords, streamlining onboarding and offboarding and aligning security controls with the realities of hotel operations.

      Check out Josh Johansen on LinkedIn