Danny Jenkins

I think you need to know that you've made improvement to your security in a tangible way.

That's one example.

Hey, my phishing's not gone down, but no one can log into my accounts because we implemented something that does device authentication.

Or the other reason I don't agree with the metrics being the priority is

If you're using some kind of detection and response tool, you probably have a fantastic tool saying that we've managed to block 50,000 new threats this month.

However, when you block everything by default, we don't know whether we blocked any threats.

We just know we blocked what you don't need.

So I always think the metrics is less important than knowing I've got tangible controls in place.

And that's... By the way, that's not just... Are you making...

Oh, if I had the choice of saying you have great metrics, great detection and response versus no metrics, no detection response, but good controls, I'm choosing good controls all the time.

If you have to choose one, I'm always choosing good controls.

And by the way, that's not just insecurity.

Every time I go to my marketing department, they want to show me a new chart.

I don't care about the chart.

Andy just stole my answer.

So I'm going to say the word identity, though, in general.

And you're right.

It is about authenticating more than the human.

And the idea of dual factor originally was it's something you have and it's something you know.

But the bottom line is it's still a single point.