Hash it Out

Ep6 | Effortless Encryption and Decryption: Enhancing User Experience and Data Protection for a Global Enterprise

May 15, 2023

Earlier this month, Virtru successfully deployed its Data Protection Gateway technology at a large global enterprise – one of the world's largest banks.

In this episode, Virtru's Matt Howard (SVP and CMO) and Dana Morris (SVP Product and Engineering) “hash out” the Virtru Gateway deployment. They highlight how Virtru achieved a crucial balance of ensuring compliance regulations and a seamless user experience for internal employees and external data recipients. The focus was on simplifying the encryption and decryption process and making it scalable for a global bank. Virtru Gateway empowered the bank to apply policy controls in collaboration channels involving high-value data exchange.

Good afternoon. My name is Matt Howard. I'm the chief marketing officer at Virtru. I'm here today with my colleague Dana Morris to chat about some interesting and exciting news that we've had at Virtru here in the last couple of months.

Dana, welcome. Thanks, Matt. Good to see you, too. So I've been with the business now a year and a half, almost two years.

And I remember when I joined the company, you know, seeing how Virtru had a number of large enterprise customers that were sort of deployed at a modest level, but not deployed sort of at a massive scale across a very large, sophisticated enterprise. We recently had some exciting news at Virtru where that changed. I'm curious to kind of big picture, get your perspective on what it's like at Virtru deploying our technology in support of one of the world's largest banks, for example. Yeah, it was pretty interesting.

I mean, it's funny because a lot of it, the process actually just becomes planning the actual software. Bits in the results were relatively straightforward, but probably months of planning. I think one of the things that's really interesting is, you know, working with large banks, how they tend to take a very methodical approach and really try to think about balancing both the compliance concerns of the bank and the user experience concerns of their end users. And in particular with this large enterprise, that was kind of the crux of their focus for probably three or four months of just planning in terms of how can we make the policies simple enough and scalable enough to really protect the bank, but do it in a way that the users really don't have to do much at all and really kind of do that centrally.

And so let me just level set the playing field for those who might not be familiar with the details of our trade. But at our core, we're helping small, medium and large enterprises protect sensitive data that's commonly shared via workflows like email, file sharing, SaaS applications. And in this case, we're talking about one of the largest financial services organizations in the world, deploying Virtru across several people, both all of them employees of the bank, but sharing sensitive information via email workflows with, arguably, I don't know, millions of people external to the bank. So

there's both the sender, which is the employee of the bank as well as the recipient. I'm curious to get, Dana, your thoughts when you say user experience, how much of it is about the employee of the bank versus how much of it is about the recipient or the partner of the bank? Yeah, I think the impetus for this particular organization working with us started from our external customer's experience with our current solution is terrible. I mean, those were their words right there, their surveys from their customers, their reviews on, on, you know, app stores and other things.

But the technology that those customers were interacting with were universally poor. And in fact, that had reached a sort of a headwind or kind of a tipping point when a couple of very large particular high well, high wealth organizations or end users basically gave feedback and said they were going to move on from that bank to another bank because they hated the experience. So that's what led to this organization reaching out to us. Now, once they decided to use our technology to solve that problem and make it really easy for the external parties to actually access encrypted data, then they really started shifting their focus to saying, now that we feel like we've got a handle on that through Virtru, how do we make sure that our internal employees experience when they're trying to send encrypted communications, is equally simple and scalable and auditable and just all the things that they need to worry about on that.

And so it was kind of a really interesting, you know, starting point of, hey, what is the external person's experience? And then, OK, let's not lose sight of the internal people as well. And I really like that balance. Yeah, I do too.

And I think one of the things I keep coming back to is, as you know better than I do, it's pretty easy for people to encrypt information. I mean, I would argue that the bank's prior solution to Virtru was actually pretty easy for their employees to encrypt information. The real pain, if you will, was how party partners of the bank or external recipients would struggle to kind of decrypt the information. And as you know, we step back and think about the bigger problem across large enterprises.

Anyone can encrypt information. It's making it really elegant and really simple. For someone to receive encrypted information and to decrypt it without any hassle is part of the ultimate value that we're bringing to the table for this organization. Would you agree?

I would agree. I definitely think that their mindset continues to be focused on that problem because obviously terrible user experience in today's world for your customers. Typically results in a declining business, not a growing business. So a couple of other things.

I, you know, I just want to put into sort of perspective for everybody that might be watching this. I mean, it's super exciting for me to be part of Virtru and see our technology get deployed at just this very, very large scale for this very, very important enterprise globally in the economy. And as I think about that, there's some other very cool things happening beyond just making it elegant for a partner of the bank to receive and decrypt information. There are some very neat policy controls that the bank is now able to apply with Virtru's core technology.

Things like revocation. And other policies. I'm just curious, like, how do you sort of beyond just the recipient experience? How do you think about policy that's getting applied?

Yeah, I think what's interesting is the encryption piece is obviously essential. You're going to have keys around the data that gives you some of that control. But then it's a question of what obligations do you put around people interacting with that data? How do you enforce those and how do you audit those?

So the policies that this particular organization has put in place are actually relatively straightforward in terms of not getting into a really complex if then else kind of condition and basically saying that, you know, everything that is leaving the bank is going to have a certain expiration period, meaning that after that period people can't access it anymore. It's going to have a certain it's going to prevent forwarding, for example, so that there can only be a back and forth communication. You're not having proliferation of that information to other parties hands. And then, you know, really trying to make it simple for both the person at the bank to just if they want to trigger the encryption, all they're really deciding is an on or off.

And then the policies take hold at that point and then externally the same kind of thing, saying, here's the policies we've defined for our interactions with our customers and we're not really going to ask the customer to make any decision either other than to just replying back. And then because that's all kind of routing centrally through our email gateway product, it gives them a lot of control centrally. And then also they could audit essentially they know what's happening with the data, who's accessing it, how successful that process is. Yeah and you know, you think about all of the different vendors that this organization would have gone to help them solve this very, very large problem.

And what's kind of cool is, you know, they selected Virtru and they did it after a really rigorous assessment of the market. And, you know, we've touched on two key things right now. Again, I'm going to emphasize for the benefit of anyone that's watching this, you know, any vendor arguably can encrypt. It's a special vendor like Virtru that can make the decryption experience elegant.

The other thing I want to emphasize is, you know, not everyone makes it really easy to apply policy around the data. And it's another example of where Virtru does some very compelling things with respect to the value add, which is in policy management. That's simple, scalable and value add to the bank in this particular case at scale. Thoughts?

Yeah, I think the other thing that really stands out to me, Matt, is like we talk about email, we tend to focus on the type of content as this broad thing. And they're all email messages, but not all email messages are created equal in terms of value to either me as a customer of that bank or the bank itself. Right so for example, I would say, you know, you or I buying a house, I would say that the data is exchanging with an organization to get a mortgage. I consider that to be quite valuable.

I don't really care if it's an email message to me. It's a mortgage application supporting documentation. It's my passport, my paystubs, my tax returns. I mean, if that data falls into the wrong hands, basically somebody can steal my identity and, you know, take me to the cleaners versus, you know, you and I sending an email back and forth about lunch is not really something that I care about encrypting.

But even if I did, it's pretty low value. And what's interesting with this bank is while they're rolling out, you know, email gateway from Virtru, when they're doing that across a whole bunch of different applications and aspects of the bank, most of the cases where they're applying the technology are their highest value data. Just so happens that it's email is the exchange format. The data itself is way more valuable than a simple, you know, message.

Yeah, 100%. So when you think about that, I know it's early in our sort of journey with this particular enterprise customer, but certainly as an organization, you know, we've sort of view ourselves as, you know, leading innovators in data centric security for, you know, email file workflows and SaaS workflows. And so, you know, it's not just email, but email oftentimes is the primary sort of collaboration workflow where sensitive data is exchanged. But increasingly as just large file sharing, for example, becomes a key workflow or SaaS applications like Zendesk or Salesforce or Slack even become sort of key collaboration points for exchanging sensitive information, the ability to sort of, you know, apply the encryption that we talked about earlier and the ability to apply simple policy controls around that sensitive data exist regardless of the, quote unquote collaboration channels are correct.

Yeah, for sure. I mean, it's one of the kind of going back to my earlier point, I've never liked the idea of just calling it email encryption, you know, sort of calling an email and just focusing on the type. It would be like saying, you know, calling Salesforce a database. Yes, it is a database.

But the data that they're writing there is incredibly valuable. It's data about your customers, you know, or to your point. And you said Zendesk is another use case, right? That's that's valuable data you're exchanging with your actual customers.

Just so happens it might be stored in a database or a text index or it's a file or an email. But who cares about the format? It's about what's valuable here, right? What am I actually exchanging with you?

And in this case, what's nice, one thing that is nice about email is the sort of communication medium is that there's established standards like SMTP. So it's very easy for us to plug in encryption and policy control in a very seamless way that doesn't interact, it doesn't interrupt the normal flow of the people that are actually sending and receiving emails. So it's just a really nice combo of protecting high value data through a well known kind of standard and really giving you and ultimately visibility into how that data is being accessed and used. Yeah one thing I'd love to get your thoughts on, you know, it's it's, you know, we're a vendor and you know, I in my day to day life, I generally take, you know, vendors sort of with a grain of salt a lot of the times.

And I say that as a chief marketing officer, but I do want to emphasize sort of the empirical of this, too, because we say it's really elegant and simple and easy for people to receive and decrypt information. You know, we're now several weeks into this massive implementation for this very large global enterprise, and they're sending huge volumes of protected emails to these partners, external to the bank. And if someone is struggling with an email and they're having a difficult time opening it, they're going to contact a helpdesk which is ours, and they're going to ask for assistance. And

I'm just curious, what's that look like, the volume of tickets that are inbound at this early stage just based on the volume? And, you know, I mean, it's one thing to say that it's easy. What's the data tell you what's interesting. And so right now, this bank is averaging around 150,000 protected emails per day.

So we're up and over 2 million since we went live. And in that time, I think we have maybe 1,000 tickets to. So the volume is relatively low. There are a couple obviously like any other roll out where you have a couple of particularly like weird kind of situations with browsers and caching and all the things you can run into at scale.

When you start talking about a diverse population of people on like old windows versions and old browsers and such. But for the most part, the ticket volume is incredibly low, considering how much data we are protecting and generally speaking, and across so many different, you know, organizations and humans. Yeah I mean, it's when you start thinking about the number of people you're touching there and the diversity of browsers, technical skill, you know, ages, I mean, you've got to figure a bank is probably sending email, encrypted email to people that are teenagers that have their first credit card account, possibly all the way up to, you know, advanced senior citizens who are like, you know, 80 plus and dealing with retirement accounts.

And so that the massive kind of breadth there of people and devices is pretty staggering. And so I think, yeah, we're pretty proud of the fact that the ticket volume has stayed as low as it has given that diversity. Yeah and to me, you know, it's was one of those things where, you know, you don't have to take our word for it. You know, when you see an organization like this go to this scale of an implementation with this breadth and depth of coverage across that horizontal population of people with very diverse technical skills, to see that ticket volume is, I think, proof positive that our recipient experience is truly, truly elegant and another great reason that we continue to see so much momentum in the business.

You know, I know you and your team worked really hard to kind of, you know, prepare for the implementation. You know, and again, at this scale, it's it's, you know, arguably one of the largest we've ever done, maybe the largest. But, you know, aside from the things that you would typically imagine being kind of, you know, important to cover with respect to an enterprise deployment like this, the technology itself kind of worked as advertised. I mean, no real surprises there.

The gateway product is very proven, very battle tested in the wild, so to speak, across many, many, many thousands of customers. And so, you know, I'm just curious to kind get your perspective different from the technology, you know, the actual implementation and working closely with all of the different IT teams at this big bank, you know, where, where, how, how do you view that balance between implementation? I would say process versus just technology? Yeah, I think technology wise, the gateway product is relatively straightforward.

And even in this large enterprise, that piece of it was actually fairly straightforward. The bigger risk, I think, for the rollout on the customer side was simply a lot of the networking changes that happen when you go live and you switch email traffic and routing from one place to another, that's always just inherently risky, right? Doesn't matter what, whether it's a gateway or whatever you're putting in, there are new VPN. You start touching network traffic and it's always risky.

But that went off relatively without a hitch. Policy wise, incredibly simple. No real challenges there. Most of the work as the go live was happening and then in the first week or two has really just been when you're switching over from one system to another like this customer did at scale across 400 applications across, you know, 300,000 users worldwide, the three data centers, the real challenges have just been like all the little use cases that were implemented over many years from these custom applications where maybe they were actually doing something incorrectly. And for example, Virtru's gateway really sticks to the RFC really well.

And so maybe there was some app that wrote an email incorrectly and was getting away with it. And now that they switched to the Virtru system and it's following the RFC strictly, perhaps they're finding that the app has a little bit of an interruption. They've got to make some changes on the app side. So there's been a lot of that kind of work of the combo of process and technology working with line of business applications to get them fully switched over and make sure everything's moving smoothly.

The team on the bank side has been able to do that relatively quickly. So in most cases, you're talking about them seeing an issue, correcting it within 24 hours and very little interruption to their workflow to the business unit or to the customer. Yeah and you said the word, I think smooth is what comes to mind. Again, you know, being part of the team here at Virtru, it's just really, really impressive.

I've been in this game a long time. And to see something of the scale get implemented like this at this type of an organization, with this type of smoothness all the way around, is a testament to you and your team and the software that you guys have built. So congratulations on that for sure. I think we're about we're at time now.

But, you know, just again, super interesting story that kind of speaks for itself in terms of where the Virtru technology is and the value that it's bringing to the real world every single day. And I appreciate you taking the time today. Yeah, thanks, Matt. I hope anybody watching this reaches out of here looking for a similar journey.

Like I'm happy to partner with them. That's awesome. All right, Dana, thanks, man. Thanks