Episode Details:

Catch the latest episode of the Agent of Influence podcast as Nabil Hannan, NetSPI Field CISO and host, talks with Alyssa Robinson, CISO of HubSpot, about the pursuit of passwordless authentication.

Together, Alyssa and Nabil explore how this safer authentication method simplifies access while significantly reducing the risk of data breaches tied to compromised credentials. Alyssa also dives into HubSpot’s innovative approach to embedding robust security measures into SaaS product development and shares insights on balancing usability with strong protection strategies.

Show Notes: 

Transcript between Nabil and Alyssa

Topics: Passwordless authentication, multi-factor authentication (MFA), single sign-on (SSO), SaaS security, secure software development lifecycle (SDLC).

This transcript has been edited for clarity and readability.

Nabil Hannan: Hi everyone, I’m Nabil Hannan, Field CISO at NetSPI, and this is Agent of Influence. Today we have with us Alyssa Robinson from HubSpot. Alyssa, welcome to the show.

Alyssa Robinson: Thank you, Nabil. It’s good to be here.

Nabil: Why don’t we get started and you can tell us a little bit about where you are today, professionally.

Alyssa: Sure. I’m the CISO at HubSpot. I’ve been at HubSpot about six years, but only in the CISO role for a little more than a year. Before that, I was the Deputy. I ran the engineering teams that worked on security. My overall background is in security operations and DevOps for hosted and SaaS services, for a long time now.

00:47: How do you see the future of authentication, and is passwordless the solution to reducing credential compromise risks?

Nabil: In our first interaction, I had the pleasure of being part of a webinar with you, and during that webinar, we had multiple conversations and points brought up around password-based authentication and multi-factor authentication, and it’s well known that around half of breaches occur due to some sort of credential compromise.

How do you envision the future of authentication looking? Is passwordless really the future and the way to reduce the risk of these types of breaches that are happening today?

Alyssa: I definitely think passwordless is the best solution right now. If you had asked me five years ago what you need to do to secure your passwords, I would have said, ‘Oh, MFA, that’s what you need.’ Right?

And we all know now that MFA really isn’t good enough. The attackers are coming in and they’re phishing your MFA as well. So I think passwordless is great for a few reasons. One, typically passwordless solutions are cryptographically tied to the website they’re going to, so you’re not going to enter your key that ties into that website into the wrong place, which I think is a big step. Then it also eliminates passwords themselves, which of course are just fundamentally unsafe because they can be taken from you.

02:15: How would you explain the importance of multi-factor authentication to better educate the public? 

Nabil: During the conversation we initially had, we talked about how there’s still a big gap in education and understanding of multi-factor authentication, what it’s really doing, and the rationale behind it. I think we’ve reached a point where the general population, who may not be as technologically savvy or as security aware, go through the motions of two-factor authentication, because that’s what you have to do to get access to, let’s say, your banking system or your email. But they don’t necessarily understand the why behind what they’re doing, and that’s leading to additional compromises, because even though it’s an additional layer of control, an additional factor for authentication, scammers and attackers are leveraging the lack of understanding of why something is done to continue compromising accounts in creative ways.

If you had to explain this to the general population, as to why they should care about this and how they should think about it, so we can better educate the public, what would you say?

Alyssa: Sure, I would like to start a step back from that, even. I think most people don’t care about passwords and MFA because they think they’re not a target, right? If you ask my mother, my grandmother, they don’t understand why they would be a target, because they don’t think they have anything valuable. They don’t think they’re well-known enough for someone to come after them. But unfortunately, that’s fundamentally untrue, because even just having an email account makes you a target, because your email can be used to send phishing to someone else, or your email ties to a lot of your other accounts; might be your financial accounts or something else.  

There’s always something that attackers are looking to take from you, and it doesn’t matter who you are; it’s sprayed over millions of people every day, right?

I think that’s the very first fundamental issue people have to understand: no matter who you are, you are a target, and that’s the unfortunate reality we live in right now.

I think then the next step is understanding how those attacks actually happen. If you watch hacker movies, you think someone’s going to brute force their way into trying to guess your password or trying to guess based on what your dog’s name is, and everything else.  

Nabil: And they always get it right.  

Alyssa: Yeah. I mean, they’re really good, but that’s not how people get your passwords, right? Maybe if you picked a very common password, they would just be able to guess it that way. But that’s typically not how it happens. They get your password because they’ve stolen it from some other website that did not store it in a secure way, and now they have a big list of passwords, and they’re going to test them against multiple websites. They’re going to test if you reuse the same password in multiple places; they’re going to compromise it in one place and then use it in another place.

MFA is a solution that’s trying to combat that: assuming someone can easily steal your password, how are you going to then protect it? MFA is generally a token that’s continually changing. So if you have your phone on you and you’ve got your MFA token, that does protect it for a limited amount of time. But then the next step is attackers just set up a website that looks like the website you’re trying to log into, and it just has the next step for you to enter that MFA token. That’s really why going to something like passwordless right now is the best solution we have.

05:48: What are the risks of single sign-on, and how can businesses balance security and usability? 

Nabil: The other form of authentication that is extremely popular in the business setting is single sign-on. Can you help us understand better what some of the risks associated with adopting single sign-on are? And then how should businesses think about the balance between security and usability, especially when it comes to things like authentication?

Alyssa: Single sign-on has a lot of advantages, right? Like you said, it’s good for businesses; it’s easier to manage because there’s only one login. If you leave my company tomorrow, it’s easy for me to shut it off in one place and not shut it off in dozens of places, and potentially leave your account lying around and have it get hacked later. It’s also easier for the person because you’re remembering one password instead of dozens of passwords. But it’s one password that gives access to a whole bunch of different places, so it definitely ups the risk level.

There are typically a bunch of different mitigations that you might try to put in place. MFA is one of them. FIDO2-compliant MFA, like cryptographic MFA that’s going to tie you to one website, gets you a lot further there. And then a lot of single sign-on services offer you additional protections, like you can tie it to a managed computer that has certain agents in place, or certain signatures or certificates in place.

Things like that provide another layer of protection, because that’s one more thing an attacker would have to steal or spoof in some way in order to get in. I think there are even further protections that can be taken. You’ve probably seen a lot of the solutions out there that are trying to check whether it’s really you typing. Are you typing in your normal typing style? Are you moving the mouse the way you usually do? There’s a lot of behavioral analysis to add that extra layer of protection as well. So I think there are a lot of extra steps you can take. If you’re a business, you can get SSO to really build that in.

Nabil: I think those are some other things, additionally, from a security perspective, that are gaining popularity, because those are prime examples of things that AI models and LLMs are good at: predicting and measuring behavior, mapping out and building your own signature of your behavior in a really quick manner.

I think as we see more adoption of AI, we’re seeing more and more of that type of both user behavior analysis and application behavior analysis. It’s not just your behavior, but also, are you all of a sudden accessing a part of the application that you never log into, right? Or are you trying to request or do a function that you don’t have access to and are not authorized to do? So that application-level behavior monitoring is another thing that is gaining a lot of popularity.

Alyssa: And in multiple places: on your system as a layer of authentication, but then also in your team or whoever else is trying to detect that weird behavior.

08:43: What challenges do you face in simplifying authentication and data security for customers? 

Nabil: I know that you do a lot of things, and especially at HubSpot you do a lot of stuff around not just identity and authentication, but also data security. So what are some challenges you see as you talk to your customer base, or as you talk to others in the industry, around understanding the importance of both authentication and data security, and what are some ways you try to simplify those concepts for them so they understand them better?

Alyssa: I think at HubSpot, we’re in an interesting place, because we have a wide range of customers, right? We have people who are just starting a very small business where it’s only them, or it’s only them and one other person. And I think for those folks, it’s a very high barrier to really understand all of the security protections you should be putting in place to really protect yourself.

For those folks, we spend a lot of time trying to build features that are going to make them secure by default, as much as we can. It’s tough, because, as you well know, some of those introduce friction. It makes it harder to log in. It makes it harder to get to your data. But it is very important, because in a system like a CRM system, you do have a lot of personal data and a lot of things that people want to go after. In terms of trying to communicate to those people, there are good ways of communicating it through storytelling or through relating to things that happen in your personal life. That’s probably one of the best ways to try to communicate those pieces. But really what we try to do is just put the secure defaults in place, because it’s really hard for people, and there are just so many things you have to do when you’re starting your business that having that be one more is a lot.

10:45: Can you share an example of improving security by changing the environment rather than individual behavior?

Nabil: In the previous conversations we’ve had, and from what I’m inferring from our conversation right now, there’s this concept you talk about: how often people may be the weakest link in any system, any organization, any control you place, but also how controlling individual behavior is almost unpredictable and unmanageable. You’ve spoken about affecting change in the environment itself, versus trying to instill change at the individual level. Could you share an example of how this type of approach has worked effectively in something you were trying to accomplish?

Alyssa: I think passwordless is actually a really good example of that. You’re just taking away the need to understand whether you’re putting your password into the right website, because you’re making it so that you can’t make that mistake. But I think there are plenty of other examples out there. I think one of the best ways things like this work is with contextual clues, like trying to provide the advice exactly when someone needs it, or the hint at the prompt. Because, I mean, people are just trying to get their jobs done, right?

Very rarely are employees acting in malicious ways. They’re trying to get the thing that you’re paying them to do done, and if things are standing in their way, they will find creative ways to go around them, because the importance of that thing is often not as clear as the importance of getting their job done.

And that’s totally understandable, but it does mean we need to do a better job of giving them the information they need when they need it, instead of at an abstract time. 

12:07: What lessons have you learned in building a secure SaaS solution for sensitive data? 

Nabil: When it comes to SaaS solutions, it still fascinates me to see how far we’ve come. I’m happy with how far we’ve come, but I remember in the early days with cloud and SaaS solutions, a lot of businesses were very hesitant to put sensitive data on SaaS-based solutions because they thought it wasn’t secure.  

There was a perception of not having control over the systems and not really understanding the security models, or who’s responsible for security if you’re using a SaaS solution. So you’ve built and are part of a very successful SaaS-based solution that actually deals in data, and not only that, you deal in data that is extremely confidential or needs to have significant levels of security, both during transmission and for storage and management, etc.

Can you share with us a little bit about some of the things you learned as part of that journey, and how has HubSpot been so successful in building out a solution that deals with data and also security? 

Alyssa: It’s been great, actually, to see it, because it’s clear that there is a real market for providing extra security for this data that is highly sensitive. So that’s been great to see. So often as security practitioners, we’re just a cost center, and you’re constantly trying to balance what you’re asking for and making sure there’s a really high return on investment. So it’s great when we’re able to make a contribution that actually helps sell things to customers. We love doing that.

I think for us, dealing with this more sensitive data really was all about encryption. If an attacker is going after this data, there are so many places they could go after it. They could go after it by doing an account takeover, getting into your account and trying to pull it out. They could go after it by going after our application, or getting into our infrastructure and going to the databases. We really want to make it so that there’s encryption in place, in ways that both restrict access and, if you happen to get access, make that data unreadable. So that’s a place where a lot of our effort goes, both from the perspective of adding that extra layer of authentication and authorization that’s going to really lock it down, and from making that data unreadable in many more locations.

14:42: What challenges do you face in safely training AI models with sensitive data?

Nabil: Are there any challenges that you have run into with the additional focus of trying to leverage your own data to train the LLMs and AI models that organizations are adopting? Especially because they may be training them with data that is sensitive. How do you do that in a safe way, especially given the amount of data that you’re managing, that the models might be getting trained on?

Alyssa: I think what that pushes us to do, and what it’s pushing everyone to do, is have a much higher level of understanding about the source of data: where it’s coming from into your system, and what, contractually and from a regulatory perspective, you’re actually allowed to do with that data. I think that’s a hard thing to do at scale. Bring that metadata along and understand where that data came from and where it’s going to, so that you can have the opt-outs in the right place, so that you can understand that some of this data came from a partner, and our partner agreement says you can’t use this data for training your model, but for this other partner it’s fine. So trying to understand all the pieces adds a lot of complexity.

15:54: How do you approach pentesting to effectively support a secure SDLC? 

Nabil: Being in the business of building software, there are obviously very different approaches to how and when you can do different security activities as part of your SDLC or your product lifecycle as a whole. I would like to think that everyone inherently understands how doing activities as early as possible in the lifecycle just saves you cost in the long run and helps make things safer earlier, versus having to bolt on security later as an afterthought.  

My question for you is more in the vein of the application software development process, especially when it comes to pentesting. Would love to understand from you, how do you approach pentesting, and what is your philosophy on how to leverage pentesting in the most effective way when it comes to a secure SDLC? 

Alyssa: I’m sure this is a struggle for everyone, right? We’re a SaaS company. It’s a continuous deployment model where we’re constantly putting out new features, and we’re trying to get ahead of figuring out where the riskiest features are, so that we can do the right security testing at the right time: either an architecture review, or red teaming internally, or paying for an external pentest. We do all those things at different times, depending on how risky that feature is. I think that can be a tough thing to do. We leverage questionnaires for things like that and try to understand what’s coming out.

I think there are actually some interesting products starting to come out that offer better visibility into some of the threat models and things like that, which I think are really going to help here. But it’s definitely a challenging problem to figure out: what’s the level of risk for each and every feature? Is it going to be red team, is it going to be defend, is it going to be both? Do we feature it in our bug inventory? There are so many different combinations of things we can do, and we have to make the right choices there.

18:04: What lessons from your culinary arts journey influence your leadership style today? 

Nabil: I’m a firm believer that everything we go through in life shapes and molds us into the leaders and practitioners that we are. You have a very unique background in that you took a break during the tech crash and went into the culinary arts. So can you share with us some takeaways and lessons you had as you took a detour on your journey, and how you apply that to your leadership style and your day-to-day career today?

Alyssa: I think cooking is interesting. I think it has applications in a lot of different places. There are a few concepts I think about when I think about how things relate. One of them is an idea you’ve probably heard of in cooking. They call it mise en place. It’s like when you watch a cooking show on TV and everything is laid out and ready to go.

Nabil: I feel like cooking would be simple if someone did that for me. 

Alyssa: I know, it’s so much faster all laid out.

I think that’s a good metaphor. If you’ve got all the components in place, if you’re doing incident response and you’ve got your processes in place, or you’ve really done good tabletops and things like that, people are ready. They’re much faster to go. But I think another good one is, once you get good at cooking, once you’ve practiced enough, you can really start to experiment. You know where to break the rules. That’s another good metaphor for life. You have to get good at the basics, so that you know when you don’t need to use the basics anymore.

Nabil: What is your favorite dish to make?  

Alyssa: You know, I hate this question.  

Nabil: All right, what is your favorite to eat? Let me change that. 

Alyssa: I’m so bad at ‘what is your favorite’ questions, because I love all food. I would be hard pressed to name a dish that I actually don’t like to eat. I’m much more of a savory cook than a baker, because I do like to experiment. I like to be able to mix things up. And the precision of baking doesn’t appeal to me as much. So I’d say, in general, I love savory cooking. I love anything that has lots of different spices and things like that. But I’m hard pressed to name a favorite.

Nabil: So I joke with people, but it’s a fact. I didn’t build this figure by mistake. It’s because I love to eat, and I worked hard to make it happen. So I’ll change the question a little bit for you: is there a dish that you make that others often request you to make?

Alyssa: Interesting. There are a few like that. My husband and my kids like a zucchini carbonara that we like to make; very simple, but carbonara is always so good. Then there’s what we call the street cart chicken. It’s like The Halal Guys chicken. We make that, and it’s always really good.

20:59: How has involvement in organizations like the League of Women Voters shaped your leadership? 

Nabil: That’s awesome. So obviously, beyond cooking, you also have been involved in a lot of other organizations outside of security, the League of Women Voters and others. Can you share with us a little bit about what that experience has been like and how it has impacted you as a leader?

Alyssa: I got involved with the League of Women Voters a few years ago, when it just seemed like elections in general were really in jeopardy; there were a lot of people questioning the results of elections. People were worried about that. And I think one of the most important things is to really guarantee that we have good transparency, openness, things like that. So I think working with the League of Women Voters has been great, to just feel like you’re contributing something to that problem, making sure that our democracy stays strong. I think working in any group like that is very much like working on a team internally: you’re making a lot of compromises and trying to adjust to different working styles, and it can be fun, but it also can be very challenging.

Nabil: There’s a different level of stress that comes with working in and being part of a group like that, especially when it comes to the sheer volume of misinformation and disinformation that’s out there, especially with everyone having access to the internet and often getting into an echo chamber of their own personal beliefs, where they just get fed the same thing through social media and the other avenues of communication that they have.

What are your thoughts, or any guidance, on how to improve that as a society? Because it’s definitely not an easy problem to solve, but it’s a key part of really understanding the integrity of critical systems in society, and elections and voting are a critical part of that in a democracy.

Alyssa: It really is. And I think that is one of the things that appeals to me about the League of Women Voters. It’s a non-partisan organization. It’s really about getting information out there. But I think it’s really hard to do right now, in the social media age, right? The social media companies’ algorithms work by feeding you more of what you want. And I wish I could wave a magic wand and make that not be the case, because I know I would be better off if I were seeing a more diverse set of content out there. So I try very hard to make sure that what I’m seeing is more diverse. And I think it’s probably on all of us to do that, because I don’t think we’re going to get that out of the companies anytime soon, unless the government steps in.

Nabil: So before I let you go, I do have to ask, what are some things you’d like to do for fun outside of work in cybersecurity? 

Alyssa: So cooking is obviously one of them. I do a lot of trail running and hiking. Those are things I really like to do. I snowboard, outside stuff like that. I am not really good at sitting still; I’m not a go-read-on-the-beach person. And I think in cybersecurity, you definitely need to take a break sometimes, but you don’t have to lie on the couch, right? Any activity that gets you moving in a different direction is good.

Nabil: How do you ensure you have a good balance of fun versus too much activity, versus coming to a conference and overbooking yourself? What’s your secret to finding the right balance?

Alyssa: We already know I don’t have a secret, because I did a terrible job at this conference, at least. I mean, I think part of my secret is just that I have two kids. They’re teenagers. If I spend too much time in my office, they will come find me, so I think having people around who will drag you out of your work cave is a good thing.

Nabil: Having the right checks and balances, for sure. Love it. Well, Alyssa, thank you so much for being here. This was truly a pleasure. I’m glad we got to do this right after we did the webinar, and it’s so nice to meet you in person.

Alyssa: It was great to see you. Thank you so much. 

Find more episodes on YouTube or wherever you listen to podcasts, as well as at netspi.com/agentofinfluence.