Greg Schaffer: Hi, I’m Greg Schaffer and welcome to the Virtual CISO Moment. Jackie Shoback joins us today. She is the co-founder and managing director of Fourteen Fourteen Ventures, a venture firm focused on the rapidly evolving digital identity space. With more than twenty five years of executive leadership experience, including CEO, CMO and CEO roles, Jackie has led transformation across major organizations like Fidelity, TIAA, Staples and Boston Private. She brings a unique blend of operational leadership, board governance, and deep expertise in cybersecurity, data privacy, and digital transformation. She also serves on multiple boards, including TruStage, where she chairs the Human Capital and Compensation Committee and actively contributes to innovation through MIT’s ecosystem and the Forbes Business Council. Jackie, thank you so much for joining us today.
Jackie Shoback: Thank you, Greg. It’s great to be here.
Greg: So as I start every one of these episodes, we’d love to hear your story. Yours is a little bit different from my typical guests. Cause usually I start off by saying, well, tell me how you got into cybersecurity, but, but, but you’re, you have a different path and what you do is a little bit different than our, than our say typical guests. So, uh, take us from the beginning up to, um, where you’re at with.
Jackie: Sure. Well, you did a great job of, uh, providing a synopsis of my background. So thank you for that. Before I started Fourteen Fourteen with my colleague, we spent many years in industry. As you mentioned, I’m a former CEO, CMO, COO, and I’ve been in financial services for fifteen years prior. Before that ten years in enterprise. And I mentioned that because I’ve sat in a lot of different chairs, a lot of different functions. So I really was very fortunate to have the experience of launching and scaling businesses early in my career. As a result, I became an operator at heart. And by launching businesses, I mean launching the digital business at Staples, growing that from zero to a billion in revenue within three years. When I joined the company, we were three hundred million in revenue. I worked for the founder. CEO of the company and over the ten years that I was there we grew to fifteen billion so I mentioned that because I probably got thirty years of experience jammed into ten that definitely created not only a growth mindset but I would say a scale mindset and then my fifteen years in financial services as I mentioned um places like Fidelity, TIAA, Boston Private, everything from launching a digital bank to overhauling the platforms for our banking, private, wealth management, technologies, all of that led to this common thread, I’d say, around digital transformation and underneath digital transformation over that twenty five years, it’s really all about digital identity and data. And what I mean by that is the safeguarding, the privacy, the security as you monetize, share, capture, store. And I’m very fortunate over the twenty five years, I feel like data went from something that you captured as a result of participating in a transaction or an interaction and not really a strategic asset to now data is really in many companies, the crown jewels.
Greg: Yeah. And you mentioned the financial services and that got me thinking about, well, we always talk about, I was, I was a bank CISO for the longest time. We always talk about the concept of know your customer. This is sort of an extension of that in, in some, some way. Right.
Jackie: For sure. So let me just step back real quick. So what do I mean by digital trust, digital identity? Sort of the area where we focus with our investment firm. So as I mentioned, we started in twenty twenty and we named ourselves fourteen fourteen after the Safe Conduct Act of fourteen fourteen King Henry the fifth that was the beginning of the modern day passport. And I mentioned that because that’s critical to where digital
trust is headed today. That original act was the beginning of know your customer. And I feel like now, you know, KYC There’s also know your agent, know your business. There’s gonna be KY fill in the blank because that’s kind of where we’re headed with the proliferation of, I’m gonna use the word parties that you can interact and engage with in the exchange of data and information. So we started fourteen fourteen back in twenty twenty. We raised our first fund in twenty one. We made fourteen investments since then. We’ve had two exits, nine up rounds, and we’re very excited about the portfolio of companies we have. They do everything from identity threat detection and response. managing human identities as well as non human identities. That’s off mind one of our portfolio companies all the way to SwiftConnect, which is an identity access management play in the digital and physical world as they use their technology to streamline and efficiently enable use cases in the whole property space, buildings and access to buildings for employees and visitors. So really cool platform there.
Greg: Well, let’s pivot a little bit to focus specifically more so on cybersecurity as it relates to identity. And of course, identity access management is a big part in the cybersecurity world. But you talked about in your intro about some of these large scale transformations that you’ve done across different businesses, different business lines and different segments. And during that time, I guess I should digress for a moment. I came up in IT, and so cybersecurity has always been traditionally a technical function, and then information security is sort of overarching of cybersecurity for the governance and all that. Really, there’s been a merging of those, and we no longer see cybersecurity as in and of itself being just strictly technical. How, from your perspective, because this is one of the things I really love about doing these podcasts and interviews is that, again, all different perspectives, but from your perspective, how has cybersecurity evolved from a technical function purely to a strategic business enabler?
Jackie: Yeah, no, it’s, it’s a great question. And I feel like in my operating career before starting the fund, that change was underway. And then I feel like the last five years since I’ve been more focused on venture capital, and then of course being a board director, both in mature companies, public companies, as well as startups, I’ve really seen all of this play out in spades. So I’d say a few things have driven this momentum behind cybersecurity moving from really kind of buried in the back office to now front and center. First, I’d say is the value of data and how that’s risen exponentially. capturing, sharing, storing, analyzing, monetizing, all of that has evolved to such a sophisticated state nowadays. And so as a result of this evolution of the value of data, we’ve had these tech breakthroughs as well, right? From mobile to cloud to Gen AI, quantum is coming soon as well. We can talk about that later, but Data has evolved into a currency now, both literally and figuratively, right? If you even think about tokenization. So these two drivers, the importance of data and security has happened because of these drivers. And so as a result, if you’re management, if you’re the board, you have to really be thinking strategically about how you’re not only deploying your most valuable assets, your data, your people, how you’re creating hybrids between those environments, but also you have to be thinking how you’re protecting that and also how you’re staying compliant. Every company needs to consider their data strategy nowadays as part of their overall business strategy. And cyber is right in there. How to be resilient, knowing where your data is. And it’s kind of like the old saying, one size doesn’t fit all. Not all data is of the same caliber, meaning just like you segment, you know, I was a marketer in addition to bein
g a COO and a CEO, I was a marketer as well. One of the things I always used to do was segment my customer data to figure out the different segments and sub segments and where the high value, high potential customers were. And same thing here. It’s kind of the same thing with your data. You really have to segment it and understand What’s your most valuable data, but also what’s the most prone to being potentially stolen or breached? Where do you have the most risk? I think it’s really interesting Cybersecurity has really, I think, across the board become this enterprise risk that really every company has in their purview. They have to. Some companies more than others, certainly. But I think it’s also very telling. I happened to be reading Fortune today, and I was really struck by a comment Jamie Dimon made that geopolitics used to be the greatest risk to the global economy. And he actually said he now considers cyber to be a bigger risk. Why? Because the bad guys can use cyber and they’re getting stronger and more powerful in terms of finding vulnerabilities and so that’s really what it’s all about if you’re in a company you have to know where your data is you have to know how you’re accessing it you have to understand the different tiers of data that you have and where you’re most vulnerable those are Those are both the challenges in running a company today in terms of understanding all of this and staying on top of it and staying one step ahead of the fraudsters. But it’s also the opportunity, again, like I said, using the data to fuel especially if you’re adopting Gen AI, let’s say into your business model, knowing what data to feed, knowing what data not to feed and how to safeguard it and ensure that it’s trustworthy.
Greg: Well, I think, I’m glad that you brought up that comment. You had mentioned that to me before. I hadn’t read it, but you had mentioned it to me before we started the recording from Jamie Diamond about cyber being a more impactful geopolitical force economically. I think we see this in some ways currently with what’s going on in the Persian Gulf and with Iran, more from a conceptual state. I’m not talking so much about cyber here, but I just wanted to point out this analogy for other folks to chew on. One of the things that has made the operation over there a little bit difficult is that Iran has relied upon some relatively low technology things at scale that they can deploy, the unmanned drones, like ten thousand dollar drones. my point being and getting back to what diamond said was that it levels the playing field in in a bit it’s like no longer do you have to have as a as a threat whether it be geopolitical from a from a war standpoint or or in this case economically um you know economically the old way to put some pressure on might be like a blockade in the in that they’re seeing in the gulf But cyber, you can do an awful lot of damage. That’s why it’s so important to ensure that critical infrastructure is adequately protected and that only those who need to get in, for example, to use that critical infrastructure, I’m thinking like power plants and water plants and all that. You’ve talked about along those lines about identity being the cornerstone of modern cybersecurity. I kind of like it being phrased that way because You know, up until recently, I might have said, well, you know, the cornerstone of cybersecurity, I would say, well, it’s networking or it’s a database or it’s something, you know, technical related in that aspect. But identity and identity management is more than technology. Why do you see it that way?
Jackie: Well, several reasons. So first, I’d say is we view digital trust, this capability to be able to have confidence that who you’re interacting with, the other party, if you will, the interaction, the engagement, the transacting, that it is who they represent themselves to be, right? That it really is who you say you are, right? And that’s all about the data. To be a
ble to do that in today’s world, it’s really all about the data being that one source of truth, if you will. And so identity really is at this point of inflection, as I mentioned, digital trust, Because it sits, the way we think about it, all of that data sits at the nexus of cybersecurity, marketing data, payments and e-commerce. If you think about the data that is attributable uniquely to you as an individual or to an entity or to an object, It’s data coming from any one of those sources. And so as a result, especially as digital adoption has escalated so much over the last few years, I mean, the pandemic definitely supercharged that. We had more digital transformation happen in the first three months of the pandemic than like the five years before that. So that really supercharged things. And then think about it, Gen AI came right on the heels of all of that. And so as a result, the whole digital identity and digital trust has evolved from this back office function to now the foundational layer for trust, privacy, and security for our digital economy, right? If you think about fraud prevention, data privacy, agentic AI identity management, You have to be thinking about the data, and that data is all what I would sort of call digital identity data. And then, of course, with global cyber crime, there are three big factors also really driving this. Global cyber crime will be twenty one trillion dollars this year, global cyber crime. And then on top of that, you have deep fakes going up two thousand percent. And identities expected to surpass human identities online by twenty thirty. The role that digital trust platforms are playing or will need to play with safety and trust will only increase. There’s a saying identity is the new perimeter. I wholeheartedly agree with that because at the end of the day, it’s all about the data and it’s all about the data infrastructure.
Greg: Well, a lot of this can only work as it is with a lot of new approaches, new technologies, new ways, as if it’s adopted in a rather massive form, if you will. What I’m getting at is that traditionally in information security and also in privacy, and I want to focus on privacy for a second, but traditionally, We tend to run up against a little bit of resistance when it comes to maybe a little bit more resistance when it comes to the C-suite with regards to implementing change, because it’s hard to understand that this is really a problem. You almost have to sell the idea and sell it in a way that the businesses can not only understand, but that clicks in the mind. It’s like, oh, I really need to pay it. We really need to pay attention about this. And you were talking about privacy and that that really struck me because I think that companies are doing a little bit better with security nowadays. But I think that privacy there are a lot they’re lacking in. And I’m wondering, it’s just from your perspective, I mean, what are companies getting wrong with privacy today and how can this help change that?
Jackie: Well, a couple of things. I’m glad you asked about that. But with privacy, I think there’s a lot of room for improvement there. I think part of it has to do with the fact that companies capture a lot of data, and I’m not sure that they’re very good about their data hygiene, meaning making sure that they’re expunging and permanently removing data that they don’t need anymore. And frankly, is more of a liability than an opportunity.
Greg: Yeah. Data retention policies are one of the things that when we come across businesses, and of course we deal with smaller businesses, but I think it’s the same with larger businesses. It’s just not paid attention to. It’s just like, we’ll just keep it.
Jackie: It’s pervasive. So that’s one. And then I think the second item around privacy has to do with third parties. I’m a huge proponent on using partnerships and alliances with third parties to you know enable your growth to enable your strategy it’s
often a faster way to grow and if you don’t have a core competency but that said again going along with the implementation of third parties, you need to have a good overall enterprise risk management approach to managing how those relationships work with these third parties. A lot of companies have third parties as very involved in their data sharing and storing and data management practices, I’ll say, and they really lack visibility into what’s going on at the third parties, if the third parties have a breach, what’s going on with their service levels, et cetera. So as we’ve seen the rise of more third parties and more interconnectedness through APIs, there isn’t quite the degree of transparency into how they’re handling things. A lot of that has to do I think also too with just really strict rigorous procurement policies and approaches and upfront service level agreements requiring these companies to meet the internal requirements you have so that you’re in a position if there’s a breach or there’s a vulnerability, you’re aware of it. And then just lastly, one thing I want to mention, we don’t need to get into details on it, but another area where I feel there’s a ton of opportunity for improvement around privacy is actually privacy for minors. That’s been in the news quite a bit lately. It’s an area that we at Fourteen Fourteen feel very strongly about as well. a lot of eighteen or under children, minors, are engaged digitally and many of the companies that house their data and serve up the you know, the engagement could be social media or otherwise, they really do not do a great job of adhering to the rules and regulations around privacy for minors, even though they should, they’ll pay the fine and sort of move on. I think that’s an area where we really need to up the ante because it has downstream implications that are negative.
Greg: yeah I I have often said that that there’s a part of me that is very much glad that I I am not a youngster in today’s environment because it’s just this is just so much out there and it’s it’s so hard to to navigate no no maybe it’s just a function of like everybody says that as technology goes and we get older and all of that but uh I think it’s certainly a problem. But you also mentioned, I love talking about risk management. You talked about ERM, enterprise risk management. I do believe that all of this needs to be a part of that for any organization. And financial services is probably the one vertical that is the most mature when it comes to ERM. And I think that that is very much significantly helped in a lot of ways, managing the risk because it’s actually part of them. But, you know, I mean, financial services, what is like eight or nine core risks, operational liquidity. I can’t remember all of them. I should, but I used to have them memorized. But information and cybersecurity, I think, fell underneath operational. I think that that helps, but I also think that it can be a hindrance if you, particularly in the highly regulated industries, if you spend too much focus on checking boxes and not actually, I see this in financial services all the time now too, where it’s just like, well, we did well on our exam or our IT general controls audit, everything was fine. But really, they’re focused more on passing that audit or exam as opposed to really getting into the weeds. So how do you feel? Are regulatory requirements, do they do a better job of shaping effective security practices, including identity management, identity, or do they hinder or kind of a mixture of both?
Jackie: Yeah, I think. Certainly in financial services, I serve on the board of a diversified financial services company and I’ve served on other boards as well. So I’ve seen the difference. There are regulations that you must meet to do business, right? So as a result of that, and certainly publicly traded companies have other regulations that you must meet. as a result of being public. So the point being, all
of those things are good because they force a certain baseline. But I think to your point, the question around the checking the box versus really having a culture, a culture of security and safety, that’s the difference. And to me, the difference is I’ll just use the example like in the boardroom, having the discussion at the entire board level and everyone sort of taking that fiduciary obligation around understanding the ramifications of what some kind of cyber incident could lead to. And when I say ramifications, I don’t just mean the cost part of recovering your data, if that’s the case, or fixing things to ensure the systems are up to snuff. It’s more the brand and reputational risk that you really run. Because again, I mentioned trust earlier, digital trust. This is around brand trust. Trust is pervasive in doing business. And if the trust is broken, if you don’t have the digital trust in place, then the brand trust can be broken. And the board is, I think, along with management, that’s where the buck stops. And so those companies that take it seriously, and elevate the conversation and model that this is something we care about and it’s in our values and we operationalize it. That’s the other thing, operationalizing it, which is not checking the box. Operationalizing it is talking about it, having education, internal education available to explain why we’re training you on safety and security protocols. And there’s never one silver bullet on this. What I mean is, like many things in life, having a culture of safety and security, it’s a thousand little things. And it is built into how you run your business. It’s built into the operation. So I think more and more companies if they’re checking the box they need to get on the maturity spectrum here and evolve towards more of embedding it into how they run their business because we’re in like an arms race the stakes just keep going up with it’s never ending it’s never ending and The truth of the matter is it’s just going to continue to escalate because the tools that we have available to make things better and to improve are the same tools that unfortunately the bad actors have available to try to exploit vulnerabilities and cause havoc.
Greg: Well, and I mean, identity management has been around for so long in different ways, shapes or forms. And I’m just curious in my mind right now. This isn’t a question for you. This is like it’s just me asking a question out loud to the general audience. It’s like I’m wondering how many, if any, have understood why I wore this shirt today. And I’m well, I’ll explain. I’ll explain the the the correlation. The suit only worked on Ralph. And if you understand what I’m saying, then you were an eighties child or you were an eighties sci-fi channel that came from the greatest American hero. So he, he, he, he got a suit, a super suit, but it can only work on him because of his identity. And so we grew up most geeks like me. with regards to identity management and making sure that you know your customer. In this case, I guess from the aliens, you know you’re a superhero human. But it doesn’t change the fact that all this can be very stressful. Our career is stressful. Our field is stressful. Everything, as you just said, is changing always. It’s an unending arms race in that sense. and we need to do um we need to do as best a job as we can to to um decompress is the word I like to use from that stress and do it in a healthy manner so what’s one of the things jackie that you do to help decompress from the stresses everything cyber and identity and also uh uh startup investing related
Jackie: Yeah. Well, I’ll tell you, being a startup, investing in startups, and the startups are digital trust startups, we could do a whole show just on that. I just did my first angel investment a couple of months ago. So yes, it’s a very stressful thing to do from the investor side as well.
Greg: Yeah, it’s a lot of work.
Jackie: So interesting
ly enough, a couple of things I love to do. So first off, I’m in Boston. The weather has finally gotten a little bit warmer. I think it’s in the fifties today. So that to me is like, I know.
Greg: Well, to me up here, that’s warm. I spent ten years in Buffalo. I understand.
Jackie: Okay. So you get it. I really enjoy running outside. To me, that’s super invigorating. I’m one of those two and a half to three mile kind of people. Thirty minutes, it’s all over, but the thirty minutes clears my head I never run listening to music I run and I really typically work through different things while i’m running I might be thinking about business opportunity or I might be thinking about some fun vacation we’re gonna go on but that’s that’s my time to decompress and get some exercise too.
Greg: Yeah, because you need that first like mile or so for the endorphins to start kicking in. Yes. Because it takes a little while to get hummed up. But then when you’re in there, you’re kind of in your own zone. And I agree about three miles being a sweet spot. I have often said it’s like I don’t really see much point in doing less than that. Actually, as I’ve gotten older, I’ve done more along the lines of time instead of miles because I could run three miles a lot faster twenty years ago. But I think I got that actually from William Shatner. I think that he said almost the exact same thing many, many moons ago. And the guy’s like, ninety-five, so he must know what he’s talking about.
Jackie: Well, so three miles. kind of my thing and it’s funny a few years ago there was a time where I I worked up I think I worked up to like five or six miles but the incremental benefit to me it just it wasn’t the roi kind of like flattens right
Greg: yeah yeah I mean it was nice but it took like an hour instead of thirty minutes so I do that and then to mix it up i’ll i’ll do zumba sometimes uh but I do that probably once a week, but I’ll do that because that is another great exercise calorie burn. And it goes by so quickly. You’re so busy trying to keep up with the moves. You don’t even realize that an hour has gone by. So to me, that’s really fun. And then I’m an avid reader. I love to read. I started a book group a couple of years ago and, uh, love to read and really enjoy reading mysteries as well as historical fiction and things like that. So between all of that, and then of course I love to travel. We usually go on one really fun family trip. We’ve gone to places like Portugal and where else have we gone recently? France and Just fun. Canada, we went to British Columbia through their national park. So we definitely go on adventures. The Galapagos, that was a good adventure. The Galapagos, very fun. But definitely need to get away from turn off somehow or another.
Greg: I don’t know about just from my perspective, and this is just me, like thinking about Zumba, I think that that would be a little more stressful for me because I’m so uncoordinated. I’d probably hurt myself. I’d probably have to sign a liability waiver or something before I did that.
Jackie: Yeah, definitely. You use a lot of different muscles when you’re doing those moves. So, yeah, you do have to be careful about that.
Greg: so uh what about uh future plans for yourself or for fourteen fourteen or
Jackie: yeah well uh so I think I mentioned yeah so fourteen fourteen so we um So we’ve got ten portfolio companies and we’re very busy part of our model. So not only do we invest in this digital trust space, which we feel is unique and we have deep expertize. So that gives us access to really amazing opportunities. But also my partner, my co-founder and I and then our partners, we have a very impressive advisory and venture partner network, about about twelve individuals who have deep expertise in digital identity, digital trust, cyber, all these different areas. We employ what we call this operator investor investor operator model. So really what that mea
ns is we don’t come from traditional venture backgrounds. We’re all entrepreneurs, operators, marketers, technologists, but all having come from industry, in some cases, series of startups, other cases, bigger companies like mine. And we really lean in and work with our companies to help them accelerate their growth. So against that backdrop between the fact that our space, huge growth, it’s already a big market. Not like a thirty percent CAGR. It’s growing quite a bit over the next few years. expected to double probably, it doubled in the last four, it’ll probably double in the next two. So that’s quite exciting. So we’re going to be raising our next fund to continue to tap into the huge opportunity that we see and bring our unique perspective and approach to this next generation of digital trust companies. As we see it, there’s a control plane that is missing. And if you think about the AI guardrails, you think about tokenization, you think about even quantum, as I was mentioning, encryption, post-quantum, and sort of a world when that’s a reality, there’s a huge, huge opportunity for this next generation of data infrastructure and digital trust and ensuring this next level of safety, privacy, and security.
Greg: Oh, awesome. Jackie, I’ve really appreciated you taking the time to come and speak with us today. Fascinating stuff, a little bit of scary stuff, a little bit of confusing stuff. Probably could have gone down like many more rabbit holes, but time is short, so we might need to have another chat at some point in time. But thank you again for joining us today.
Jackie: Well, thank you so much, Greg. I had a great time and really glad you invited me to be here.
Greg: Awesome. And everybody, stay secure.