3515: How Portnox Connects Cognitive Science With Access Control
Tech Talks DailyDecember 11, 2025

Why do smart people still click when every instinct tells them they should pause first? That question sits at the heart of this conversation with Denny LeCompte, CEO of Portnox and a rare cybersecurity leader who brings a background in cognitive psychology to identity, trust, and human error.

It is a discussion that pulls back the curtain on the habits, shortcuts, and blind spots that shape our decisions long before a breach becomes a headline.

Denny explains why people rely on benevolence cues, confirmation biases, and loss aversion, and then shows how attackers weaponize each. He explains why training alone cannot address human fallibility and why a different design mindset is needed if we want security people can actually rely on.

Through clear examples and thought-provoking analogies, he describes how teams can build environments that remove opportunities for mistakes rather than punishing people for being human.

We also explore what Zero Trust really means beyond marketing-speak. Denny cuts through the noise and frames it as a mindset shift rather than a product category. He draws on real conversations with CISOs to explain why passwordless adoption moves slowly and why the next wave of identity risk will come from AI agents operating within networks. It is a future in which the line between human and machine identity blurs, requiring access control to evolve just as quickly.

Later, Denny shares a personal story about a mentor who influenced his views, then explains Portnox’s unified access control approach as organizations retire VPNs and passwords. His main point: security only works when systems reflect human nature, reduce friction, and help people make safe choices. Every policy and workflow is a decision that impacts security outcomes.

What part of Denny’s perspective made you reconsider your habits?

[00:00:03] Welcome back gang, Neil here again. Before we start, let me ask you something. Why do smart people still click on things that they know they shouldn't? It's one of those questions that sits at the heart of modern security and yet most conversations still focus on tools rather than behaviour.

[00:00:20] Well, my guest today has spent his career studying the habits and blind spots that shape our decisions long before we ever reach for a password or even a passkey. He's the CEO of Portnox and he's also a rare voice who blends cyber security with cognitive psychology.

[00:00:39] And he has a way of explaining zero trust without drowning you in acronyms. And he brings a very clear view of why people react the way they do when facing security prompts or policies. So our conversation today will move from psychology, identity and offer some practical steps that businesses can take to build security that feels natural rather than forced.

[00:01:03] So if you've ever wondered why the simplest phishing attempts still work or why passwordless adoption still keeps stalling, even when everyone agrees it's a better idea. This is the episode for you. Before I bring today's guest on a quick thank you to my friends over at Denodo, who are passionate about logical data management for AI success, because let's be honest, AI is evolving fast.

[00:01:28] But the elephant in the room is initiatives are still failing, not because the models aren't good, but because the data foundation isn't ready. That's why organisations are increasingly turning to Denodo and logical data management. Denodo unifies your data across every cloud and every system without the need for massive replication.

[00:01:50] So you can power trustworthy AI, accelerate lake house optimisation and build data products that make self-service real for every team. So CIOs, architects, business leaders each get exactly what they need and when they need it. And Denodo's partners also help you get value even faster. So if you're ready to make AI actually work, visit denodo.com and put logical data management to work today.

[00:02:19] But now let's get today's guest on. So a massive warm welcome to the show. Can you tell everyone listening a little about who you are and what you do? My name is Denny LeCompte. I am the CEO of Portnox, which is a cybersecurity company focused on access control. Well, it's a pleasure to have you join me today.

[00:02:42] And in every episode, I try and get people thinking differently about the ways that technology impacts our lives. Very often industries that you don't associate with technology and also how many aspects you don't consider are related in life do often collide. And with that scene set, I've got to ask you about your origin story to begin with. So when I was doing a little research on you, I read about you've got a background in cognitive psychology.

[00:03:09] So how did that shape the way that you approach modern security problems in present day? And when did you first notice the behavioral patterns that most leaders overlook? Because I find the synergies of these two separate worlds incredibly fascinating. Yes. And so, just to make it clear, cognitive psychology is probably not what most people think when they hear psychology.

[00:03:35] It's more like cognitive science, which is studying the way people think, remember, process information. Not like people's, you know, depression and whatnot. That's all important, but it's never been my thing. Um, but, uh, through a series of accidents after I got my PhD, I ended up in, um, IT, uh, infrastructure and cybersecurity.

[00:04:03] And so honestly, the thing that I, you know, I've always noticed this once you become a, uh, cognitive scientist, you see the world differently. And so one of the things you realize is that people aren't rational. Like that's probably a big theme you take away is that we're not clear thinkers. We rely heavily on mental shortcuts and heuristics. Uh, and that is what hackers exploit.

[00:04:32] They take advantage of the fact that people are not thinking through things carefully and they also get, you know, hundreds of attempts where, uh, attacking and you only get the one, one chance defending. And so it's very much, uh, an asymmetrical game.

[00:04:52] So just to bring that to life a little, what do you see as the most common psychological triggers behind something like a phishing attack, a successful phishing attack, today? And how can security teams maybe respond in ways that actually work with human behavior rather than fighting against it? Uh, there's a few things. One of the things that they really, uh, rely on, talking about heuristics, is something called the benevolence heuristic.

[00:05:18] So people tend to assume that other humans, uh, are going to be good because we evolved in, you know, cooperative groups. Humans are social animals. So you assume until proven otherwise that people are going to be, uh, cooperative and friendly. And so they do that and rely on the fact that when you see a thing, you, you take it for granted that it's going to be okay.

[00:05:43] Same thing, um, something called confirmation bias that you see what you expect to see. So if something looks like it's coming from HR and it's asking for information, benevolence, confirmation that this is, you know, probably what I think it is. And it makes you more likely to go along. Uh, another one is something called loss aversion. The, uh, idea there is that loss hurts more than gain feels good.

[00:06:12] So if I, if you lose $20, that hurts more than if you gain $20 feels good. Right. And so one of the things you see in a lot of phishing attempts is they'll tell you you've been hacked or if you don't do something right now, you are going to lose X. Like you're going to lose access or you're going to lose money and it makes you sort of freak out.

[00:06:33] Um, and then I will say what, what should security teams do is they should not give you the chance to give away your information. That is, that is the overarching theme. I would say is that you just can't, you can't rely on people to be good. We're, we're not, we're kind of built the way we're built. And so the bad guys are going to take advantage of these things. And when they do, you want, you want it to be harder.

[00:07:01] You need to make it so that the, your employees cannot do the easy, careless thing and give away all your information. And I think zero trust is another big topic right now. Many firms that we see on our news feeds, they all claim to follow zero trust principles. And despite this adoption still feels uneven right across the industry.

[00:07:24] So just to ensure we don't leave anyone behind here, how would you explain zero trust to a non-technical audience in a way that might cut through some of that heavy jargon that's preventing that adoption? Sure. I mean, look, it's kind of in the name, right? You assume that everyone is a hacker. I'm not going to trust anyone. So I assume if somebody is trying to get into my network or onto an application, you're probably a hacker. I'm not going to trust you.

[00:07:52] And I'm going to make you prove that you are who you say you are. But more importantly, that zero trust, you don't transfer the trust. One of the things we used to do is if you got in one place, I let you in every place. And an analogy I sometimes use, if you ever remember the movie Ocean's Eleven, one of the tricks they play is the guy comes in to the casino and he pretends to be a repair person. And they're like, oh, you're a repair person. You got a toolkit. They let him in.

[00:08:21] And then once he's there, he can get into all the other things. And he's got free rein. Well, we used to treat networks like that. You got in one place and I kind of let you in everywhere. And in zero trust, I am going to assume you're a hacker. I'm going to ask for your ID. I'm not just going to look at your little repairman's outfit and assume, oh, you're probably OK. No, I'm going to assume you're probably a bad guy. So prove you aren't.

[00:08:47] And then at every door to everything I care about, I'm going to ask again. I'm going to check again. I'm just going to assume at every point that you might be a bad guy. And look, that's not nothing's perfect. But it does mean that you have to kind of hack me over and over and over again. If you want to get to something, it's not like a cute trick. And now you have the run of the castle. Such a good point and a great analogy there.

[00:09:16] And what I'd love to do, we know how systems have been traditionally designed. But let's say we were starting from scratch here. Where do you think organizations typically go wrong when designing security policies that people are expected to follow every day? And what does a realistic alternative look like in your eyes? Because we've all seen those dreaded compliance training lessons that come through once a year. You just hit next for 20 seconds and that's it. You're done for another 12 months.

[00:09:45] But if we look at the whole corporate strategy there around security, where are organizations going wrong? I think the key is in assuming that I can fix people. If I just train them enough that they will stop doing the things that hackers take advantage of. And what my background in cognitive science says is that's just not going to work.

[00:10:10] In fact, there was a study that came out recently about phishing training where they looked at eight months of phishing training. And at the end, almost everyone had clicked on at least one. Even though they got all this training, everyone fell for it at least once. Not everyone. But the vast majority of people made a mistake because on your worst day, you're really busy. You're just going to do a dumb thing. Like I'm in a cybersecurity company.

[00:10:39] We talk about cybersecurity all the time. But people still fall for our phishing training. We do it because compliance requires us to do it. But the reality is it doesn't work. So what should you do is, okay, if they're trying to get your passwords, change your environment so users don't have passwords to give away. You can use things like our product does: certificate-based authentication.

[00:11:06] So internally, Portnox employees don't really have anything other than the password to their device. And then there's a certificate on their device that basically lets them into their apps. And look, there are other vendors doing the same thing. But what you want is get rid of your passwords. If a human has a password, a smart hacker has a good chance of sneaking it out of them with the right trick. So no passwords. I can't give you things I don't have.

[00:11:35] So you basically tie your identity to your device, either to your phone or to your laptop. And that becomes your password. So now the bad guy would have to steal your machine. Then they would have to hack into your machine. Look, that's a pretty good bad guy at that point, right? Like, they've gone to a lot of trouble. The vast majority of things are just these social engineering tricks.

[00:12:01] So the advice I give to all of Portnox's customers is, look, let us help you get rid of all your passwords. You know, it's hard to do 100%, but every one you eliminate is you reducing your attack surface. So that ultimately is the answer. And I think, you know, even big players like Microsoft and Google are trying to go passwordless. That's why you see people using passkeys. It's going to take a long time because technology is hard to change.

[00:12:31] It's embedded everywhere. But at least inside of a corporation, you can really go passwordless and reduce a lot of the footprint that gives you so much pain. And I'm glad you've raised this because I've been doing this show for 10 years. We spoke to everyone from the FIDO Alliance and that dream of going passwordless. Companies want it. Employees want it. As everyday users, we want it.

[00:12:55] And passwordless authentication, it is gaining traction through many of us now. And although on the flip side, there's many that still hesitate to let go of that password habit. So I've got to ask what sits behind that resistance and how can companies support a smoother shift, a smoother transition? I think I've talked to lots of CISOs about this. Sometimes they don't know it's possible. I've given talks to groups.

[00:13:25] And when I start saying, hey, we can help you get rid of passwords. They're like, tell me more because they're skeptical. Because, come on, lots of vendors offer, you know, dreams that when you try and implement it, they don't work that well. So they've been burned. So they're skeptical. That's one problem. Sometimes organizations are just conservative and they don't want change. But then also they think it's harder than it is.

[00:13:52] They're sure, oh, I'm going to have to touch everything. I'm going to have to change all of my environment. And we have stuff to do. And there's a fire burning right in front of me. We'll get to that later. So I think that's the biggest problem is that they believe it's harder than it is or that the technology is not where it actually is these days. It's not that complicated.

[00:14:15] And you do have to go and, like, if you're going to use certificates instead of password, you're going to have to install a certificate on every device. But there's plenty of ways to do that. If you're Microsoft, you can use Intune. On Macs, you can use something like Jamf. Lots of vendors make it not that hard. But I know it's not hard because we help people do it every day. But if you're a CISO, you might not know.

[00:14:41] And, man, CISOs and CIOs have a zillion things coming at them every day. And every vendor is like, buy my thing. It'll solve all your problems. So, of course, they're skeptical. So I think that's part of it. I do feel like there is a movement that's happening where people are like, you know, 60%, 70% of all hacks start with passwords. What if we got rid of the passwords? That sounds great. Is it possible? And they're digging into it finally. And they're more receptive.

[00:15:11] And there could be a lot of CISOs listening to this podcast. And we are at that magical time of year where we're looking towards the beginning of a new year, 2026, looking at doing things differently, improvements and different ways of stopping problems, for example. And identity has become the front line for attackers recently. So from your vantage point, what emerging identity risks worry you the most over the next few years? Anything really caught your eye?

[00:15:41] Anything keep you up at night? I would say, I would say, I would say, at this point, I am tired of both hearing about and talking about AI. And yet I'm going to do that. Because the more you've got the big guys talking about agentic AI, well, you need to control. Those are going to be identities. Those are going to be entities on your apps, on your network.

[00:16:05] And you need to be very, very constrained in what they have access to. I want you to do this. But like we can see, AIs will go sometimes out of their charter and maybe get you into trouble. So I do think that is a, like, how do we adapt our whole identity framework to deal with non-human agents? Agents, right?

[00:16:34] We've got lots of dumb agents that are just like, you know, like a CrowdStrike or a Microsoft Defender. It's an identity. We know how to control that. But it only kind of runs and does what it says, whereas an AI agent can do a lot more. So we're going to need to learn to lock those things down without making them so locked down that they are useless. That's going to be the push and pull, I think.

[00:17:01] And I'm so glad you've raised that because I've been to so many tech conferences this year. And almost every new supplier is saying, hey, you too could have swarms of agents talking to everyone, doing this, doing that. And just the thought of swarms of agents from a business going out there, doing stuff and what they've got access to. Nobody seems to be thinking about the security aspects of a lot of these big promises. Security is always what they think about last.

[00:17:26] And usually somebody has got to get kind of bit in the butt a little bit. And then hopefully it's not you and you see somebody else and you realize, oh, I should definitely start trying to make this thing secure. But I am sufficiently cynical about the way things work that I don't think people are going to – most people are not going to do it proactively. They're going to wait until there's some sort of disaster. Yeah.

[00:17:55] And I think one of the reasons that many of them wait is they've been burnt on the other side of too much security, slowing things down, causing friction, making things more complex. There's a bit of a balancing act goes on there. So for you, what does a truly friction-free access control experience, what does that look like in practice in the real world? And how close are we to making that a standard outcome in enterprise environments? Because it has notoriously been tricky to get that balance right, hasn't it? Yeah.

[00:18:25] It's usually a trade-off between usability and security. Yeah. I will say, and I'll toot our own horn, one of the things we talk about with our customers at Portnox is this is one of the few cases where we can actually make the experience better while making it more secure.

[00:18:43] Because what's frictionless is, again, you tie your identity to your device so that if you're accessing something you're supposed to access, the system should check your identity, check the device for a certificate. If both of those things are what they're supposed to be, I give you access to what you're supposed to have. And it should be really fast. And because your device is basically a factor, the certificate is your identity, is a factor.

[00:19:13] You can actually do away with 20, you know, MFA prompts that you get every day so that you can act. You can actually have fewer questions asked and that you just get onto your apps much, much quicker. So that's possible today. And again, I know my company, we can do it.

[00:19:38] There are other vendors who are offering this, where it's all the same idea: device-centric and then identity-centric. And then that's what gets you on. But it's actually available. People just need to do the work to check out the different vendors, pick one and then implement it. And you just have to make that a priority. And as I said earlier, we are at that magical time here.

[00:20:05] There may be a lot of technical and business leaders thinking about their New Year's resolutions already. And I'd love to try and give them a bit of inspiration here. But if I could give you a virtual wand of sorts, if you could change one long held assumption that business leaders still carry about cybersecurity or human behavior, what would you challenge during our conversation and why? Let's see if we can bust a few myths and misconceptions and create some improvements of our own next year.

[00:20:34] Does anything stand out? Anything bug you? I think, you know, if you talk to IT people, but also cybersecurity people, they complain a lot about end users. They're like, oh, they're going to do dumb things. And if only they would read the manual or if only they would, like, learn the policy. Look, that's your flaw. Like, yeah, they're not gonna. People are not like that. If anything, we're reading less these days, not more.

[00:21:03] But I think you have to design a system with the humans you've met in mind, not with the humans you wish in the way you wish they would be. But I get that a lot where like if only people wouldn't be so dumb, then everything would be great. I'm like, yeah, but they are like they it's not. I mean, the smartest people I know will occasionally do dumb things that happens. So design accordingly.

[00:21:31] And if you keep that in mind at all times, then it's your job as a security person to work around human failings and to stop hoping that they're going to get better. They won't. Love that. I'm conscious we have been very forward looking today, but we did begin our conversation talking about your background in cognitive psychology, how that helps you shape the way you approach modern security problems.

[00:21:58] And as we come full circle here, I want you to look back throughout your career one more time, because none of us are able to achieve any degree of success without a little help along the way. Very often somebody sees something in us, invests some time, or helps mentor us. So is there a particular person that you're grateful towards who helped get you where you are that maybe we can give a little shout out to today? Who would it be and why?

[00:22:22] It would almost certainly be my grad school professor, a guy named Mike Watkins. He trained me from when I was 22. I had just grown up in South Louisiana. The accent. He had a little bit. He gave me a merciless teasing about the accent because he knew I wouldn't be taken seriously. But he taught me, honestly, a lot about how to think.

[00:22:48] So who I am today is a huge piece of it that still I attribute to him. He helped me to think. He helped me learn to write well. But it's who I am, even as a CEO. Deep down, I'm still a cognitive scientist, I would say, because of him. I love that. Massive shout out to Mike Watkins there, who obviously began teasing you about your accent.

[00:23:16] But he gave you so much and, as you said, shaped everything about who you are today. And I suspect if Mike can listen to this, he will be blissfully unaware of the scale of the impact he's had on your life. So I think that's one of the reasons it's so important to share stories like this. And back to present day, Portnox, great name, by the way. I suspect it's a play on words of Fort Knox, obviously. Can you tell me more about the company, the kind of problems that you're solving?

[00:23:44] And maybe what we can expect from you next year. So we are an access control company. We started with network access control, which is a domain that's been around for a long time, has a, frankly, a bad reputation because there's lots of on-prem players. I won't say any of them, but they're all hard to deploy, hard to manage. They're kind of a pain.

[00:24:08] And what's unique about Portnox is that we came late, looked at the problem, and then built a cloud-based solution that makes it really, really simple. Because this is a great solution that sort of makes it so that when you open up your laptop in the office, it should just jump on the wireless if it belongs on your wireless.

[00:24:30] And then it also protects your Internet of Things devices, all the TVs and, you know, sensors and whatnot, the cameras that's in every office today. You want to make sure that only the right ones are there and identifies what's on your network. So we can, you know, limit what access people have to your network.

[00:24:52] And then this year we've launched more of an application-focused product known as Zero Trust Network Access, which is a goofy name, but is actually more about applications. It's similar to what big players like Zscaler or Netskope do. We think we have a differentiated solution that is faster and simpler.

[00:25:14] And what that lets you do is instead of rolling out a VPN, which tends to be very broad, just like I said, it's not Zero Trust. VPNs sort of let you into the – to do everything. Zero Trust Network Access says, I'm going to let you get onto this application that's behind the firewall or to this SaaS application.

[00:25:37] And only that – and I could do that from the office, but I could also do it from a Starbucks or from my apartment. It doesn't really matter. And that you get access to exactly what you need and nothing more. And it is – there's a huge wave of replacements going on where people are trying to get rid of VPNs, which are frankly, you know, last century's technology. It's really, really old. They're not that secure.

[00:26:06] But to make up for it, they're very hard to manage, right? So, like, IT people can't stand their VPNs. So, we're sort of offering a vision of unified access control so that whatever data you have, whatever applications, whatever network, we're going to offer a single platform that's really, really simple. That's sort of a big piece of it is that IT people, security people, very, very busy. You make it so that they don't have to think too hard.

[00:26:36] They deploy this. And then it just runs in the background and everybody can do their thing. And they don't have to type passwords. And you're more secure. But mostly, the product is set it and forget it, right? You don't want to be messing with it every day. You don't want to have to have another tool to babysit. You just want something that makes your life easier in the background. And that's kind of our vision for the product. Well, I'd love to stay in touch with you and see how things continue to evolve next year.

[00:27:05] But before I let you go, for anybody listening who wants to dig a little bit deeper on anything we talked about, find out more information about Portnox or connect with you or your team. Is there one particular place or a few places you'd like me to point everyone? Well, if they want to learn more about the products, they should go to Portnox.com. And that's P-O-R-T-N-O-X. We don't have the K. Although I think we own the domain with the K. So it'll take you to the right one anyway.

[00:27:33] So Portnox.com is the place you should go. You can learn about our products and sign up for a free demo or a trial. The products are very simple. You could just do it yourself and see if it'll solve your problems. And you'll probably get a call from the sales guy wanting to help you. But they're very simple. Awesome. Well, I'll add links to everything that you mentioned there.

[00:27:59] And we packed a lot into 30 minutes today from the psychological reasons for breaches, zero trust for the non-technical. Hopefully we've made everything clear there. And also taking a glimpse at the future of identity. So more than anything, thank you for talking about this in a language everyone can understand. Hopefully we will inspire a few CISOs next year. But thanks for joining me today. Thanks, Neil. I appreciate it. It's been great. For me, I think that was a refreshing take on security there.

[00:28:30] Denny brought a level of honesty that cuts through the noise and reminds us that every breach, every weak point, every stalled project usually starts with a human reaction rather than a technical flaw. But he painted a clear picture of how shifts in identity, behaviour and trust are going to define the next phase of cyber security. And why it's hard to walk away without thinking how we design experiences for our teams.

[00:28:57] Because here's the thing, security only works when people can live with it. And Denny made that point again and again today. And it lands with force when you consider just how much friction still exists in our everyday workflows. So from zero trust to passwordless, the future looks less about control and more about the designing of systems that match the way people think. But I'd love to hear your thoughts.

[00:29:24] What part of Denny's perspective made you rethink your own assumptions about cyber security? And just to clarify for everybody listening there, anybody wanting to find out more information, go to portnox.com. And I need to clarify the spelling here. It's P-O-R-T-N-O-X dot com. And you can find out more information. But to save you getting confused and getting pencil and paper, I'll also include a link in the show notes.

[00:29:54] Simply click there for more information. As always, techtalksnetwork.com. You can leave me an audio message there. There's three and a half thousand interviews too. Or send me a DM on LinkedIn, X or Instagram, just at Neil C. Hughes. But we're out of time, I'm afraid. I'll return again tomorrow with another guest. But thank you for listening as always. And I'll speak with you tomorrow. Bye for now.