Prodity: Product by Design

In this episode of Prodity: Product By Design, Kyle welcomes Aaron Painter, CEO of Nametag, to discuss the critical role of identity verification in preventing social engineering attacks. Aaron shares his extensive experience working at Microsoft and leading global teams, emphasizing the importance of understanding diverse cultural and business contexts. Together, we explore the challenges and innovations in cybersecurity, particularly how Nametag addresses the vulnerabilities in traditional authentication methods. Aaron highlights the impact of AI in both facilitating and combating cyber threats and underscores the importance of design and UX in building trusted products. Join us for a deep dive into the future of identity verification and its implications for personal and corporate security.


Aaron Painter
Aaron Painter is the CEO of Nametag Inc, the identity verification company that stops social engineering attacks at the employee IT Helpdesk.


Links from the Show:
LinkedIn: Aaron Painter
Company: GetNametag
Book: Loyal: Listen or You'll Always Lose
Other Links from Show: Elon Musk Biography, Ring Doorbell


More by Kyle:
Follow Prodity on Twitter and TikTok
Follow Kyle on Twitter and TikTok
Sign up for the Prodity Newsletter for more updates.
Kyle's writing on Medium
Prodity on Medium
Like our podcast, consider Buying Us a Coffee or supporting us on Patreon

What is Prodity: Product by Design?

Fascinating conversations with founders, leaders, and experts about product management, artificial intelligence (AI), user experience design, technology, and how we can create the best product experiences for users and our businesses.

Kyle (00:01.105)
All right, welcome to another episode of Product By Design. I am Kyle, and this week we have another awesome guest with us, Aaron Painter. Aaron, welcome to the show.

Aaron Painter (00:10.722)
Thanks, Kyle. It's great to be here.

Kyle (00:12.585)
It's great to have you. Let me do a brief introduction for you, Aaron, and then you can tell us a little bit more about yourself. But Aaron is the CEO of NameTag Inc, the identity verification company that stops social engineering attacks from the employee IT help desk, which we're going to talk a lot more about. And before we do that, Aaron, why don't you tell us a little bit more about yourself and some of your experience?

Aaron Painter (00:38.334)
Yeah, I've had a pretty rich set of experiences, I guess, like everyone. Mine might be particularly unique in that much of my professional career in the last 20 years was outside the US. I worked at Microsoft for about 14 years, a good sort of Seattle native. I started in Seattle in a product role, sort of the first product manager for Office. Back in the day, we were trying to take things from the individual apps of Word, PowerPoint and Excel into something more integrated.

that was

Aaron Painter (01:34.442)
different cultures and people and frankly ways of doing business and Product is sort of an underlying core You know probably many of your listeners know is so neat because you get to find this intersection of The business side of the technology the engineering side and really the voices of customers and what they're looking for Or in some cases what they might not even know they need yet. And so it took me to France for several years Brazil for a few years Ultimately China for five and a half years just very heavy work outside the US

and then became a big sort of part of kind of who I am, I feel like, in many ways.

Kyle (02:09.966)
That experience is so varied and so interesting. And I want to dive into a couple of things that you talked about, because I think you have so much experience that will be exciting to discuss. Before we do that, why don't you tell us a little bit about anything that you like to do outside of the office and outside of work?

Aaron Painter (02:27.958)
Yeah, travel coincidentally is pretty high in my list. You know, living and working in so many different parts of the world has let me go off into neighboring countries and neighboring regions and just explore things that I might not have a chance to see in my work context. You know, probably my most recent trip was to Namibia just a couple of months ago. It's a country in Africa I hadn't been to and was just so pleasantly surprised by the people and the culture and actually kind of how untapped it was almost from a tourism perspective.

So that was super fun. But I'm always trying to explore sort of new regions, new countries, parts of countries that I haven't been to before.

Kyle (03:04.845)
Well, do you have a favorite place that you've traveled either previously or a place that you're looking to travel that is kind of maybe a bucket list place or a place that you're really looking forward to going?

Aaron Painter (03:16.962)
You know, I've gotten to this point where I realized that everything in the world has good and bad, including places. And so often there are things that I just love about a given country. And there are things that you say, oh, I see how it could maybe be different or better. You know, living in Brazil, for example, was just this incredible time that the attitude and the energy of the people was so positive. Like working in Brazil taught me how to have fun at work and frankly, to make work more fun. And there was just this kindness and this creativity that I love.

I was living in Sao Paulo at the time though when I was there. And unfortunately, it was also kind of dangerous and crime and safety were something you thought about in every day when I'd leave to go to the office. It was, all right, am I wearing a watch? You know, if I was in a backseat of a car or a taxi, I, you know, couldn't leave my phone visible maybe to people in the window in case someone drove by and wanted that phone. Um, it was just something that was kind of very much on your mind. And again, good and bad, right? Incredible, vibrant culture of people. It was so special and wonderful.

And yet things like safety were something that I may be taking for granted in other places I've lived in, you know, wish things were better there. So every place I've learned has this sort of good and bad side.

Kyle (04:24.985)
Yeah, I absolutely agree. I lived in Sao Paulo as well for a time and in Belo Horizonte. So we could probably geek out a little bit on Brazil and the time there. Absolutely beautiful place and beautiful country. So I completely agree. But also has, like you mentioned, the downsides of some of the different areas. But such an amazing place and amazing country. Yeah.

Aaron Painter (04:32.174)
Wow.

Aaron Painter (04:48.174)
That's amazing. What an awesome experience.

Kyle (04:50.213)
Yeah, absolutely. I'm really interested in some of your journey. You mentioned, obviously being early in product at Microsoft, what was that like? Especially with some of the main applications and pre Office 365 and some of these main things that we think of when it comes to Microsoft. As that transition, you kind of mentioned it being this transitional state.

What was that like working product there, especially early on?

Aaron Painter (05:25.134)
It's interesting to reflect back. It makes me feel like it's been a long time, but you know, pre-cloud services, the concept of product was, it was really kind of a different role because your feedback cycles were very different. You know, the concept that somebody would take two years to create code, test, and ship kind of a boxed software product. And so you're planning that years ahead. You're then making design and implementation decisions during that period of build. And then you're thinking about how do I take it to market and what's the messaging and how are customers going to respond to it?

you know, do I find early customers that would be, you know, testers such that they might then talk about it when the product goes live. The cycles were just so long that you really had to get things right. You know, during the pandemic, I got a little bit more into kind of cooking at home, obviously, as all of us did. And, you know, I got into this nuance of kind of cooking versus baking. And I realized, you know, like when you bake something, like you kind of have to be precise. It's almost more like hardware and software, particularly in cloud services world.

you can fudge a little bit up, a little more of this spice, a little bit more of that, and it's good in its own sort of way. And actually box software, package software was a lot more like hardware. You sort of had to get it right because it shipped and it was just sort of out the door and you could do service updates or update packages of sorts, but it was out there. And cloud services really changed that. And so along with it, there was certainly this transformation we started to go through at Microsoft while I was there, of course, around what does it mean to do product in a cloud services era?

How are you getting feedback? How do you even goal engineers and folks on? Where do people click? Are they using the feature that you built first one that you thought you should? But the rule changed a lot as you think about shipping something versus something that you can constantly ship updates to.

Kyle (07:05.721)
Yeah, I think that's a great, great comparison of kind of the baking versus cooking because the feedback cycles and the ability to actually take something almost, you know, we talk a lot about like this waterfall approach which it had to be because that's the way that we had to do it previously because you had to get it right because you didn't have a chance to do anything. To now where you have the ability to kind of add things as you go.

and make adjustments, whereas you just didn't have that before and kind of these different mindsets. I think it's fascinating as we look back to something that really wasn't that long ago. And now, man, I'm getting like the video here. I'm interested as well, you know, what were some of the key things that you learned as you moved into not only different parts of the organization, but different parts of the world throughout your journey? You know, what was that like?

and some of the things that you learned throughout that.

Aaron Painter (08:10.25)
Yeah, product is this sort of intersection role, as you know, between, you know, I often felt like the going one, the going left to right meant I either had to go more into engineering and kind of build and work out how the product was created or had to go more into sales and get closer to customers. And so the way Microsoft was structured at least is the majority of engineering happened in Seattle and development centers and other parts of the world, you know, particularly in China and the UK, but heavily it was based in the Seattle area and the other half of the company in terms of

volume of people were actually those folks that worked with customers and that were thought of work with companies in particular and how to implement or use technology in new ways. And so I chose to go on that path of what does it mean to get closer to the customer side. And that took me on this journey, you know, first as kind of a, a chief of staff role for Microsoft's head of international, who was based in Paris and person had a super cool role. And it gave me access to kind of a super cool role and that we just, you know, we would fly around the world. We'd meet, you know, 30 countries a year.

You'd meet with governments, customers, employees in those markets, and have this radical chance to learn from them really up close on the challenges they were facing. And then my end of the day would be, all right, now how do I translate that back into Microsoft? How do we take that feedback that we heard and make sure it's getting back to their other product teams? Or how do we think about adapting a solution to something that might solve a problem a customer told us about that day or that a government kind of raised with us? And so it became this very much, how do you connect the dots on things?

And frankly, what was a big company, how can you make that feel really small and get things done? And I loved it. My manager had a super high bar on me. And so it meant that everywhere, we did a ton of pre-work as we went into those meetings and conversations to learn about what we're getting into. And then we did a ton of follow-up work to make sure we're getting value out of them. And all of it then just in very high velocity. So for someone who loved product, it sounds like many of us do, that was just such an awesome learning role because it let me hear from customers directly.

find ways to translate that back into specs and other things for future products. And so it was a huge sort of accelerator role. And then finding things around the world where there were differences and sometimes similarities, but translating those nuances back again into product, or in some cases, how we went to market and position things inside a given country that might be different than a neighboring

Kyle (10:28.021)
Right. Yeah. That's really interesting. Now I want to talk about how you kind of transition from your previous role into what you're doing now. What did that look like and what kind of brought you from what you were doing previously to what you're focused on now at Named Tag?

Aaron Painter (10:46.646)
Yeah, I was at Microsoft for almost 14 years, and then I went to lead another company that was based in the UK, focused on cloud migrations. It was sort of AWS's first and largest partner in Europe, and we diversified into Google Cloud and Microsoft Cloud Azure, and worked with large enterprises on how to think about using the cloud in new ways to sort of change the business. So I loved it because it was very much this business connecting with technology type of work.

And we had a whole team of people who were really talented at that and matching them with the right customers. Um, that company was, did well and has kind of moved on to be part of another company now. Uh, and I was sort of exploring what to do next. And one of the areas that I realized just came up so universally in my own life, kind of from a personal perspective, was this idea of security. And more specifically, this concept of identity and what it meant to know who you're speaking with or who you're connecting with.

when someone is operating behind a screen. And so for me, it was really personal. I had the start of the pandemic, everything was sort of moving digital, everybody was remote. And I had several friends and family members who had their identity stolen. And I said, you don't want to be a good friend and be a good son, we're gonna jump on the phone, we're gonna figure this stuff out. And we'd call customer support and they would say, oh, well, before I can help you, I need to ask you some security questions. And those things were either too easy to answer or too complex to remember.

And it turned out that frankly, someone else had called before we did, was able to answer those questions and frankly take over an account. And it became sort of shocking to me that in this modern era, you really don't know who's behind the screen. You know, people operate by usernames or passwords or, you know, did you receive the SMS I sent you or can you answer these security questions? But you can't actually verify the human behind that screen. And all this was sort of pre the era of deep fakes.

And so I set out to say, hey, how can identity be used as a security tool? And I was able to assemble, you know, this incredible team of some really smart folks with a lot of expertise in the security industry. And we set out to build something that could be a really novel approach to what felt like an all too common problem.

Kyle (12:59.945)
I think you've touched on a couple of really, really interesting points and I kind of want to dive into a number of them because obviously, you know, cybersecurity is such a top of mind thing pretty consistently because I feel like it's constantly in the news. And then, you know, specifically with, you know, what name tag is doing with identity verification because it feels like that specifically is

is becoming one such an important thing and so many use cases around how it could be potentially useful for us. So I guess zooming out just a little bit, with cybersecurity, you got into it in the beginning of the pandemic with obviously identity theft and those types of things. As we look at the cybersecurity space, obviously this is a massive space and we're constantly hearing things about...

cyber attacks and those types of things. What do you see as some of the main problems within cybersecurity right now? As you look at this landscape generally, like what are the biggest issues and where do you see that going over the next little bit?

Aaron Painter (14:15.734)
Yeah, the one I'm probably closest to has been this challenge of identity. And I've learned as I got into this space, identity is a big word, and it can mean a lot of different things to different people. You know, often today, the way that we identify ourselves is really with kind of an email address. The unfortunate thing is that we've made it so easy to go create email addresses that you can kind of become anyone you want to be and spin up a new username or spin up a new Gmail account and suddenly kind of take the identity of whoever you happen to be at that email address.

Sometimes it's phone number and you say, okay, well, can I reach this person at that phone number? But unfortunately, that is only as secure as how good the telcos are at making sure someone doesn't take over your phone number. And unfortunately, if you call your mobile carrier and say, hey, I got a new phone, can you switch my number over? They also have a really hard time, it turns out, of saying, are you the actual rightful account owner? And are you the person I should transfer that number to? So again, not the most secure. And the methods that we've had over the years have...

Unfortunately, they're dated. They're from the early days of computing when it was a small trusted group of people at universities in the Defense Department. And then we added passwords, obviously, to what were university and government email accounts, there was probably the right human behind them. And then we came along Google and Hotmail and Yahoo Mail and suddenly you could have a limited number of email addresses. Passwords, we added complexity and length, but unfortunately, they became easy to get around. So then we started thinking about layers of what we call multi-factor authentication.

can be an SMS more securely, it can be an authenticator app of sorts where you get kind of a revolving pin. But all of those things are really just adding layers on top of what really is an insecure method to begin with around the username or an email address. And so what I realized was the perimeter of so many systems comes down to identity. If you can deceive someone and get into a system because the identity layer was corrupt or incorrect, or you sort of found a way around it,

then it makes it very difficult to protect your system, to protect the data, and most often to protect the whole company itself, because that compromised account can lead to things like ransomware and data breaches. So the identity really became the sort of pressing topic that we wanted to go solve in security. And frankly, we were just a little bit ahead of our time and what's happened in the last several months where it's gone so mainstream.

Kyle (16:32.289)
Right, right. So as you look at some of these major breaches or attacks or things like that have happened both on the personal level, so we see a number of those, like people who have been phished or anything like any number of things who have given over personal information enough to have bank accounts hacked.

up to some of the massive cyber attacks that have happened. How do you see identity playing into those? They may not necessarily be one-to-one, but a lot of times they can be, because it can often be that some companies can be infiltrated by getting access to a single employee's account.

How do you see identity being a key factor in some of these? And maybe it's not always the case, but how is it one of the things that can help protect either individuals or companies in some of these cases?

Aaron Painter (17:39.178)
Yeah, I think we were surprised to learn how often this comes up. And we really pushed very early on because we tried to truly listen to a bunch of the folks that we were working with kind of as advisors. And we had one advisor in particular who really pushed us to say, you know, my company, we've started rolling out two factor authentication on our customer accounts to make them more secure. But unfortunately, users are getting locked out.

They lost their phone, they upgraded their phone for whatever reason. They can't access the account because we added this additional layer of protection. And so he sort of said, Hey, can I use name tag as a way to verify that person when they're locked out? And so that I know the right person is kind of getting back into the account. We said, Oh, interesting. Hey, you know, maybe I can do a lot of things that sounds like an interesting use case, let's work with you on that. And it turned out to be a concept way ahead of its time. And so we started rolling that out and then.

Other companies are coming to us saying, hey, can you do the same thing? I have kind of an IT help desk or a customer support organization. They really struggle because they get all these inbound calls and support tickets of people who are locked out and they don't know if they're letting the right person sort of back in. And so we see, let's sort of adjust name tag to be a really easy out of the box way for companies to increase the security at their help desk and make sure that they are letting the right person back into those accounts.

when they get locked out or maybe we need to authorize a transaction or kind of any sort of high risk moment when you're on the phone, when you're chatting with, or even you're kind of self-service trying to do something online. And that became a great thing. And so last year, all these particular early in the year, all these big companies, you know, the internet domain providers, you know, HubSpot, Reddit, all these really interesting companies started applying our technology in new ways. And then August came along. And in August, MGM...

in Las Vegas had this very public breach where a bad actor impersonated an employee. They did some research on that employee in LinkedIn, called the IT help desk at MGM pretending to be the employee, answered the security questions, was able to take over an employee's account and then go wreak havoc. And it became very visible and very public because there were people that were going to check into their hotels in Vegas and couldn't.

Aaron Painter (19:56.782)
It just sort of brought them down to their knees very, very quickly. And then it turns out that continued. In fact, the weeks afterwards, Clorox had the same thing and a major supply chain disruption, you know, then, uh, Caesar's entertainment, it just sort of continued because one group in particular realized that this is a really good exploit. It's a good way to sort of take down a company. It's a good way to plant ransomware. It's a good way to, you know, maybe steal data. And they just started targeting hundreds and hundreds of companies.

And so suddenly this problem that we had kind of been pulled into early on by an advisor, a bunch of companies were using us to solve, suddenly became kind of a mainstream like epidemic in the world of cybersecurity these past several months, because it is sort of the open door. It is sort of the biggest vulnerability. And in some ways kind of the easiest way to get you into a company is simply to go knock on the back door and say that you're locked out of, you know, your, your front door keys, so to speak, or your authenticator app.

And that's really how Neamtag refined its product market fit. And it's just been a while, several months since.

Kyle (21:00.313)
Yeah, you've touched on some of the big ones that I think so many of us have heard. And there's also the very recent one that I think has been in the news very, very recently, which I think is called Change Healthcare. Just look at my notes really quick.

Yeah, Change Healthcare Cyber Attack, which I don't know if we even know yet as of the time we were recording, like how it happened, but it seems like it's the same group that did MGM, and so it could be something very similar to the way that they got in and could be through impersonating somebody within the company and going through the help desk and that sort of thing. So the ability to...

actually verify identity. It's kind of like you were mentioning, such a fascinating thing. Maybe you can walk us through like, what is it that you found as you were going through and having some of these early discussions that is so much better than the past, either the security questions or some of the things that you were able to figure out is maybe a better way of doing it than some of the previous ways that everybody was doing it.

Aaron Painter (22:17.226)
Yeah, you know, really in product design, we sat down to think about how do you, how do you verify who someone is in the offline world, in the physical world? And what is sort of the methods that tend to work? And you think about it, it trusted spaces that you might go into as a person. And you think about, uh, you know, airport security, you know, you go through sort of the TSA in the U S you know, and they asked to see your ID, someone looks at you, they now increasingly trying to put your physical ID in a scanner to see if it matches certain things, separate discussion.

It's a person looks at you, they look at the picture on the screen, they ask for your boarding pass. Anyway, you get in through security and you're sort of in a trusted area. Everyone in that space has sort of been vetted and you feel safer, hopefully. You go to an event maybe and you check in at the event and they ask for your ID and they look at you and they compare the two and maybe they ask for your business card or your work email to see where you come from and they print you coincidentally a name tag or a sort of badge you might wear around at that conference.

And you might say, great, the people that I meet in this event space, I kind of know that they've been douched for, I know that what's on their name tag is probably accurate there, that's their name and that's the company they work at. There are these sort of trusted spaces in the physical world, but yet online, that's incredibly hard to replicate. So we said, can we take that experience that works offline, of basically asking someone for their government issued ID and comparing it to what they look like? And can we do that process in a way that's sort of remote?

that allows it to happen when you're not in an in-person interaction. And it turned out, actually, people have been doing that for years. That technology had been around for 10 plus years. But there was one very consistent thing across all the different companies out there that did it. And it's that they wanted to make it super easy. They wanted to make it universal such that you could, oh, I don't have my ID with me, but you know what, let me upload a PDF. Or you know what, let me just snap it on my webcam on my desktop. They existed through web browsers.

And it made it more universal. It made it certainly easy, but it made it good enough for things like regulatory compliance. And regulatory compliance often required, let's say you open a new bank account, you go through what's known as a know your customer regulation, and you have to plausibly have checked someone's ID and make sure they match up to it. And the providers that existed were good at that. They were good at making it easy and let you upload a variety of different things and doing that process. But unfortunately, it also meant that the way they did it made it very susceptible for fraud.

Aaron Painter (24:42.358)
because you could, what's called inject, you could say, well, instead of this photo that I'm holding up at the webcam, I'm gonna use my third party camera, which is actually, let's say, a deep fake emulator and create kind of the deep fake of me. Or, you know what, maybe not chat GBT, but I'm gonna go and say, hey, make me a California driver's license with this name and this photo on it, get a beautifully printed PDF and just upload that PDF. And so the methods that work for kind of regulatory checkbox stuff did not work for anti-fraud scenarios.

or when you really needed to know who the person was. And so we set out to use a different approach, which was using people's mobile phones. When we had someone use their mobile phone, we were able to essentially get all the security benefits of a mobile phone and the cryptography that exists on that device combined with AI to essentially make sure that the process was much higher fidelity. And then we're not just using AI to defeat AI, but we're using AI and cryptography to defeat AI and deepfakes and other things.

And so in setting out to build something that was more secure, we ended up building something that actually was also a really great user experience. It was faster than what could be done in web browsers and way higher fidelity, which sort of opened it up to a whole bunch of new use cases like these help desks, like helping people recover from locked out accounts.

Kyle (25:58.178)
Yeah, that's really interesting. You talk a lot about the help desk scenario and I'm interested, are there applications for individuals, for example, or other applications just as far as identity goes? I mean, obviously, like getting back into a corporate account and having much better security around that is a great use case, but what are some of the other potential use cases around being able to really...

verify identity other than, you know, getting back into account or some being able to open account some of these that probably come to mind first that you've either been exploring or that Make a lot of sense with the technology that you've been creating

Aaron Painter (26:42.89)
realize they have to be scenarios where people truly want to know who the person is and where they value that as part of their product. And so some obvious ones might include, you know, dating, right? Like the concept that someone's going to use a dating app to get to know another person. And if it goes well, you're going to say, Hey, let's meet up in person. And then interestingly enough, a lot of those conversations say, Oh, my mother or my sister or my someone just asked if you wouldn't mind sending me a copy of your ID before we meet up to make sure it's safe.

Because these platforms, almost all of them, do a horrible job at actually verifying who a person is, other than a social media profile or word of mouth. And they make it too easy for bad actors to exist. Hence, you now have got shows like the Tinder Swindler and all these other things out there, and horrible stories of things that have happened to people using online dating sites, because they don't do a good enough job of verifying the identity of their users.

So you get in things like dating sites. Wow, what a way to really boost a trust and safety and to be differentiated as a product. But you have to want it. You have to want to use that as differentiation in your product. And so we started thinking about spaces like that could really be improved by having a more trusted experience. And we're a little bit ahead of our time. You know, the platform sort of said, well, you know, we're doing well, we're growing a lot without needing to do more with this trust and safety side. Oh, maybe there's a regulatory requirement we have to think about how to solve down the road, but.

For the most part, there wasn't a strong enough business need for them to go differentiate on trust and safety. And so you think about a lot of use cases where this will be inevitable. Online gaming, another one. You're creating a virtual community. Unfortunately, as we saw in some of the early metaverse experiences, there was harassment. There were horrible things that happened in social media platforms today, let alone on gaming communities where because it's so easy to dispose of your account and come back and create a new one.

There are no consequences. It's one thing to be anonymous or pseudonymous on a platform, but I would argue that platforms have a responsibility to know who the owner of an account is. Even if they allow you to operate and be someone different or under a fake or mass name on the platform, they should know because it's critical to creating a trusted and safe environment. Again, I think we're a little bit ahead of our time. I think that's an inevitable path, as you've seen with X and others now experiment with. But we said, let's focus in on

Aaron Painter (29:06.598)
areas where in scenarios where you really needed to know because there was your account was at stake or large volumes of money or credibility of maybe your brand or your product or yourself were really on the line. And that's where we found the fastest adoption and with companies that really said, hey, I don't have a good way to do this. This is a high risk moment that matters. Those were much faster sort of sales and adoption cycles than trying to transform industries that inevitably will be transformed.

Kyle (29:36.613)
Yeah, I think that's really, really interesting and something that's profoundly needed. And I think it'll be exciting to see how some of that takes shape over the next little while because kind of like you said, we do such a poor job as within so many different platforms in...

validating that sort of thing in kind of rooting out a lot of the problems and being able to really understand identity, even if you kind of like you mentioned, you don't have to necessarily show that, but being able to have a validation of identity in some way so that we have that level of trust established early on could do so much for so many different areas. And I think like

social platforms is such a foundational one that could change many things. I think that's a fascinating one. Do you see an application as well in maybe personal security in some way? So we've talked about, I was watching some accounts of people who have lost lots of money in, whether it's,

attacks, not necessarily, well, some of these attacks where people will get them to send the banking codes or get them win their trust and have them send information and lose money in that way. Do you see applications in those types of ways for individuals in some way as well?

Aaron Painter (31:14.942)
Yeah, a hundred percent. Whenever there is a need to know who the other person is with confidence, because it's sort of a high risk moment. It's a great opportunity to say, let's make sure it's the right person. And that's kind of where we want to slot in. I think what's been really exciting to see actually is a volume of product folks come to us and say, Hey, could I put you in my flow here? You know, could I lower my funnel maybe of intake questions so that I get a new user signed up?

then when they're about to do something that feels risky or important, maybe then I put them through a nametag flow and ask to verify their identity. It's been really exciting to think about sort of the new product scenarios that get enabled when you think about adding identity verification in a more secure way into those flows. And some of those, to your point, are end user flows. For customers, some of them are for their employees, some of them are for business to business scenarios where maybe it's a small business coming in and signing up for a new service.

But the growth that we've seen in fraud, in imposters, in impersonators, of fishing, attempts across the board that we all get on almost a daily basis, has just become absurd. And to me it points to how big this problem really is.

Kyle (32:29.093)
Yeah, absolutely. I agree completely. And it's such a fascinating product that you have created. I'm curious, like you've mentioned the product market fit and some of the feedback that you've gotten. How have you gone through some of those cycles? It's obviously such an important thing as a leader and as a product person to go through the cycles and the feedback phase.

What have been some of your experience as you've gone through that, as you've gotten user feedback and product feedback and made changes and adjustments? You kind of mentioned that as you started out. What have been some of the feedback and those phases as you've found the right features and the right product market fit? And how have you gone about getting that feedback? And how do you see that continuing? Obviously, this is an ever-evolving and fast-moving space.

How do you continue to do that in the cybersecurity space?

Aaron Painter (33:28.062)
To me, a lot of it starts with culture. And I feel really strongly about this. It's something I actually wrote a book about a few years ago. The concept of listening and how listening not only conveys respect, but it's actually a great way to learn and understand. And in our cases we're discussing now to sort of refine product. But that culture of listening, I believe, has to start internally in your organization. I believe it has to start with our team members, our, you know, my colleagues have to feel like their voice matters.

And like what they're hearing from customers or what they're seeing in performance data or product data or other things can be an insight that others are going to care about. And that makes it much more enduring. Should point, how do you stay on top of things? I feel like the culture of listening that we try and embody internally is sort of a competitive advantage because it means we're constantly hunting for feedback. Um, because we know each of us want to hear it and we're all going to learn from it. Doesn't mean you take and accept everything that you hear.

But it can certainly make us think and drive us to conversations on, have we seen this elsewhere? Are there better ways to do this? What was the person trying to solve? And frankly, a lot of our product enhancements, whether they've been anti-fraud and security tools, it's been from listening and seeing how people have tried to sneak their way around. And that's led us to great insights on how to build better defenses. As much as people who have sort of pushed us on, hey, could it do this or could I apply it to this use case or scenario? It's pushed us on features and kind of building, you know, new product functionality and capability.

So it's that sort of element of listening to our users, both the companies that hire us, the end users who are going through the flow. It's just been critical in how we've become where we are today.

Kyle (35:08.389)
Yeah, I think that's great. I'm interested too, as you've kind of gotten a lot of that feedback and listened to a lot of your users in the market, how do you prioritize it as well? Because obviously you probably get far more, all of us get so much more than we're able to do anything with immediately. How do you go about prioritizing and filtering, here's what we wanna focus on, here's what we think is going to be the most valuable or the most...

the best thing for us as a company and for our users and for everybody right now, and here's what we're going to do first, and how do you go about that prioritization process?

Aaron Painter (35:46.398)
Yeah, I'd say it's a leadership style, something that I had picked up and it was very much something at Microsoft. I don't know if I learned it there, it was just I was attracted to it, but it was very common there, particularly in a pre-Satya era. And I think Satya has continued that. But it was this sort of concept of high context. And the principle was no matter whatever you did at Microsoft, the sort of leadership at the time ensured that you had context in what was going on in other parts of the business.

So like, hey, I work on enterprise software. I don't really need to know what's going on in Xbox, but Microsoft sort of over invested and said, no, let's make sure you have a sense of what's going on in the Xbox division, right? Or in some other part of the company. And the idea was that if you had full context, you could make the best decisions and you could answer questions when you're in front of customers. And you might see something or observe something that could be used in other places. And I'd say very much we've carried that into nametag. And so by sort of everyone organizationally,

having insights into things, they're gonna see things differently. That is sort of diversity of thought. Each of our life experiences and backgrounds mean we're gonna see things in a different way. Even when the same thing might be in front of us, we're all gonna have different interpretations of it. And so we do product planning collectively. We sort of survey, we discuss, we post an exercise virtually and in person. You know, in each quarter, we build our next quarter roadmap as a collaborative exercise. And that allows whatever anyone might have been seen or heard.

to sort of shape what they think our priorities should be. And we go through several rounds of it until we get to something that's workable and actionable for the quarter ahead. But we very much use that concept of high context and making everyone a part of sort of that prioritization and planning process. And I think that's allowed sort of all voices to be heard and hopefully it's getting us to the best outcome.

Kyle (37:33.357)
Yeah, I think that's a really great approach and something that I think so many of us are constantly thinking about and probably struggling with. I know it's a constant thing that I know the teams that I have worked with and work with, we're constantly thinking about as well as how do we go about prioritization and how do you create these roadmaps of what is the most important thing for us to be doing? And I love that concept of high context, not just for what you're immediately

everything that's happening within the business, within the market, within the users, so that you can kind of collectively create this roadmap and plan for what is going to be the most impactful for what you're working on. I'm interested in as well, in the impact that you think AI is going to have in what you're doing. Obviously you mentioned earlier that using AI and cryptography to defeat AI,

and some of these deep fakes. You obviously, the tools are getting far more sophisticated both to deceive, but also probably to defeat that deception. How do you see that changing and evolving as we move forward?

Aaron Painter (38:47.278)
I think AI alone is sort of an arms race. And at the moment, the bad actors are using AI more so than good actors are able to. And that has to change, that has to invert. But frankly, it's likely always gonna be that way. Bad actors are often some of the most creative and finding new ways to get what they're looking for. And the use of AI-generated images, deep fake images and other things, it's a wild set of new tools for criminals to use.

The moment it's being used by organized criminals in particular at an incredibly alarming rates, uh, because it's just too easy to, you know, go research online, let's say, and find answers to the security questions that were leaked in some data breach, right? Security questions are an absolute joke. Few things frustrate me more personally than when I, you know, call someone for help and they're like, well, let me ask you some questions and it's, what's your email address?

Really? That's how you're keeping my account safe? Like, what's my email address? You know, what's my name or what's my address? Like, let alone, where did you live in whatever year? What street was that? It's that sort of pre AI deep fake. That was the level of sophistication that existed. And now when someone says, well, you know, let's jump on a zoom call or a video call and make sure it's you. Unfortunately, that is not something that we can necessarily trust anymore. This, you know, it's gotten a lot of talk, but in the last few weeks, you know, this is scam out of Hong Kong.

multinational institution that some employees in Hong Kong, some finance controller, they had their CFO who claimed to be based in London. Yeah, you know, the CFO said, finance controller, can you make, I need you to make these wire transfers. The controller was rightly a little bit, you know, cautious that, hmm, this is a bit odd. And the CFO claiming to be CFO said, oh, don't worry, hey, a bunch of us who you'll need approval from, you know, we're all on a video call. Why don't you just join? Here's the link. The controller jumped on the call.

recognized the faces, heard the voices maybe they had seen before. And it turns out those were deep fakes. And the people on that video call were not the actual people but they were deep fakes of the people. And of course the controller was doing the right thing and meant well and, okay, well, it looks like everyone's comfortable with this. Let me proceed with the wire transfers. And 25 million dollars later, people eventually learn that deep fakes were used in a new and more sophisticated way. What's shocking about that,

Aaron Painter (41:06.094)
at many levels, many things shocking, but it's not that difficult. The level of consumer tools to go create a deep fake of yourself, let's say, or of someone else, fortunately, they're very accessible. And when you go to platforms like Zoom, like Teams, the things that we love, by design, it's let me click a different video input. Maybe I wanna use an external camera or my webcam instead of the built-in camera. By default, it lets you pick a different video feed or a different microphone. That's a convenience feature.

But what if you're picking a video feed that's actually a piece of software generating the deep fake, you know, that's just too easy to do. And then suddenly this deep fake is the person on the call. And so our human instincts of saying, can I trust this person? They look like they sound like what I think I'm interacting with. It, we can't trust those anymore. And that's when you need more sophisticated tools. And at the least we need to be giving, uh, representatives like that controller in Hong Kong or people that work at a help desk, better tools than security questions to verify identity.

We believe in very heavily at NameTag and we built a solution to do. And even more so, we need to give them tools that can defeat things like the bad actors are using with AI. And to me, that comes down to not just using AI to defeat AI, but using AI and cryptography because encryption is something that is much more difficult to defeat. And when you couple latest AI innovations with cryptography, you actually get a more competitive posture to be able to defeat bad actors who are just using AI.

And that's been the foundation of our product. And frankly, we think a path that more companies are going to need to go down when they're looking to prevent against deep fakes or generative AI in general.

Kyle (42:43.537)
Yeah, I think you've hit so many great points and I love that. As you've led companies and led products and done so much work in so many different spaces, what have you learned that maybe has really stood out for you? Or maybe even what advice would you have for anybody who is looking to either lead teams or build businesses or build products from some of your experience?

Aaron Painter (43:13.702)
A lot of it to me comes back to this power of listening. I believe very firmly that listening with sort of a curiosity to understand just leads to better relationships. It leads to better interactions and it leads to better product. Again, feedback is a gift, but not always feedback. You don't have to take all feedback, but the ability to help understand what a person is trying to convey almost always leads to some new sled of learning or insight on both sides. And it also helps the other person that you're interacting with

to feel respected and to feel heard and to feel understood. And that's gonna lead to a better relationship. And the hardest thing in building a relationship is to have trust. And you can't have trust if it's the other person doesn't feel respected. As to me, listening is fundamental in helping other people feel respected. To your point, whether that's your colleagues or a team you might be managing or your customers that you're interacting with, they need to feel respected if they're going to trust you. And without trust, it's gonna be difficult to build a relationship that's healthy and successful.

So my biggest piece of advice there at the conceptual level is to really focus on listening and practically to mean lean in, to engage, to put down the devices, and to ask questions with that intent of understanding what another person is saying. And that to me is true sort of active listening.

Kyle (44:30.221)
I think that's excellent advice. Probably one of the best things that any of us could do for what we do in our work, but also just personally is to listen and listen well, kind of like you mentioned. Well, Aaron, this has been an absolutely amazing conversation. I have enjoyed so many of the things we've talked about and I feel like we could probably go into so many different areas of this. But before we wrap up, and I've got a couple of other questions, is there anything that you would like to add to anything that we talked about or maybe didn't get a chance to talk about?

Aaron Painter (45:00.982)
We've covered a lot. This has been super fun. I think there's just an interesting intersection that you explore a lot on your podcast and some of your writing, Kyle, with UX. I firmly believe that product is a really hard role and also a super interesting role because you're the intersection of so many components. UX and frankly design overall, I think is a critical component of effective product. For no other reason, I think the design sort of conveys trust.

and good design creates a product that, an experience that can feel trusted. And in our line of work, we are literally in the business of building trust and earning trust between companies and their customers. And that relationship of how it feels is critical and how it feels is really what comes from the design and the UX and the UI and the elements of it and brand and so many other pieces there. And so I'm a really big believer on the role that design can play in effective product.

work. I can't reiterate that enough. Hopefully, people that have used Named Tag or Seed or go to our website, you can kind of feel the importance we put there. One of our earliest hires was an incredibly talented designer. But I offer that as guidance. You cannot avoid design if you're going to build effective products.

Kyle (46:20.357)
Absolutely, couldn't agree more with that. It's going to be designed one way or another and it's kind of your choice whether you're going to do it well or you're going to do it poorly. And I couldn't agree more. You mentioned name tag. Where can people go to find out more about name tag or anything else that you're working on?

Aaron Painter (46:40.65)
Yeah, we're super active on LinkedIn. I'm pretty active on LinkedIn. So love people to reach out there, send messages. I try and post a bunch. The name tag account posts quite a bit on particularly content that's relevant to this world of identity and trust. Talking about breaches that have happened, helping understand the types of attacks and what people are doing. We have a lot of really great content there. And then of course, the getnamtag.com is the website to learn more about name tag itself as a solution.

Kyle (47:07.593)
Okay, great. Well, we will put all of the links in the show notes as well so you can check those out. Well, I do have two kind of wrap up questions and these don't have to necessarily be product or business related, though they certainly can be. Have you watched or read or listened to anything recently that you have found particularly interesting and would like to share?

Aaron Painter (47:28.378)
I would say one of the more interesting books I've read recently has been the Elon Musk biography by Walter Isaacson. And my takeaway on it sort of is it's a product takeaway where, you know, Elon, good or bad and how you feel about Elon personally or not, like he is actually an incredible product person. His ability to understand the deep technology and to understand sort of the business aspects and bring them together makes him uniquely suited to build product.

It was also sort of an interesting takeaway to see a lot of the sprints or the burst of innovation periods were driven by him being, applying relentless pressure. A lot of that might have been driven by his personal, Walter Ossoff certainly paints that as personally driven and his own challenges he might be facing internally. But the outcome in most cases was sort of better product. I just found that really kind of insightful and his sort of maniacal attention to build great product.

and then what that's meant for some of the companies he's built.

Kyle (48:28.353)
Yeah, that's a great one. It's definitely on my list. I haven't got to it yet, but it's definitely one that I want to read as well. And then final question, are there any products that you have been using recently, either digital or physical products that you have been enjoying or maybe not enjoying?

Aaron Painter (48:45.054)
It's funny, I often ask that question on product interviews of people that I meet with. I love thinking through it that way. Personally, I've been on this crazy quest to find a fast responsive doorbell camera, which you would think in today's age there are many, many good options. So I've decided to try many of the good options. And I finally, only recently concluded that my last one which felt the most commonplace which was the Ring camera, I said, you know, there must be better options than Ring.

actually what sort of shocked me is how well integrated the hardware and the software is. So the moment someone appears outside that door, let alone they actually press the button, you instantly get an alert and the video feed is just practically instant. And compared to some other platforms I tried where the doorbell rang, I opened the app, 35, 60 seconds later it's loading and there's some spinning thing, the person's walked away from the door by the time the video comes up, I've sort of been shocked at how well the hardware and software has worked on that ring appliance.

call it a very light endorsement on two days of use, but it's been after an exhaustive review process.

Kyle (49:49.409)
Okay, well that's good to know. I have a ring camera like probably many, many people and I have not experimented with a variety of them. So it's good to know that it is one of, maybe one of the better ones, but it's, I agree with you. Like it is a, it's a pretty solid experience as far as the overall hardware and software. So I can't disagree with that. Yeah.

Aaron Painter (50:11.382)
That's awesome. I'm glad. Hopefully you like it.

Kyle (50:13.581)
Yeah, it's pretty good. Well, Aaron, this has been an amazing conversation with so many great insights. Really appreciate all of the, again, the insights and stories and experience that you've brought. This has been, like I said, really, really great recording and great conversation. So appreciate it.

Aaron Painter (50:33.134)
Thanks again for having me, Kyle. It was really special.

Kyle (50:35.493)
Alright, and thank you everyone for listening. We'll talk again next time.