In this episode of Associations NOW Presents, guest host David Coriale, president of DelCor and host of the Reboot IT podcast, talks with Elena Dumitrascu, CTO of Credivera, and Tim McCreight, CEO of TaleCraft Security. Together, they explore how secure, verifiable credentials can reduce identity fraud, validate professional qualifications, and strengthen cybersecurity. Drawing on real-world use cases in industries like healthcare and safety, the discussion highlights the growing importance of global standards and the role associations can play in adopting these technologies to build trust and security in digital spaces.

Check out the video podcast here:

https://youtu.be/y5RzrCUUTzU

This episode is sponsored by Credivera.

Associations NOW Presents is produced by Association Briefings.

Transcript

[00:00:00] David Coriale: Hello everyone. This is Dave Corelle, president of DelCor and host of the 501 C technology podcast, Reboot IT, and I am excited to be guest hosting today. We've talked about this technology before on Reboot and I'm so happy to be talking about it again 'cause I think this community needs to talk about this more.

And I have two experts with me who are going to do 90% of the talking. I have Tim McCreight and also Elena Dumitrascu. I want to welcome you and also have you introduce yourselves. Let's start with you, Elena.

[00:00:34] Elena Dumitrascu: Thank you for having me here. It's a pleasure. I'm the co-founder and CTO of Credivera. We are a technology company that supports associations with verifiable credentials, secure identity, and secure certifications for their constituents.

I got into this business because I saw over and over again how difficult it is to prove someone's identity from a workforce perspective. The long compliance issues [00:01:00] that come from that, and really some of the fraud that. Sort of seeps in as well. Again, really happy to be here and to talk about this topic.

[00:01:08] David Coriale: Awesome. Thank you, Tim.

Tim McCreight: Thanks folks. My name is Tim McCreight. I'm the CEO and founder of TaleCraft Security. We're a boutique security firm that focuses on developing security programs using a risk-based approach. And after 44 years of doing this, it's nice to finally get a chance to see some of the changes that we wanna make within the industry, and particularly with we're talking about today, these verifiable credentials.

It's been something we've been dealing with, trying to make sure it's Tim doing what Tim's supposed to be doing, nothing more and nothing less, and trying to get to a space where we're seeing that come through. It's great to talk about this today. It's a great opportunity to explore and identify what a verifiable credentials can do for organizations, but how it helps people like me in the security industry truly understand that we can start reducing risk by using this approach.

[00:01:56] David Coriale: And you are also a host of a podcast?

[00:01:59] Tim McCreight: [00:02:00] Yes sir. I am. I have my own podcast. I co-host with Doug Lease, and it's called Caffeinated Risk. It's two self creamed grumpy security professionals talking about security and risk. And we thought throwing in coffee security and risk, how can you go wrong? So this is year five now with caffeinated risk.

[00:02:17] David Coriale: And I've just gotta mention, 'cause you said this earlier, that the icon for it is the caffeine molecule. Yes sir. Yeah, it's just really fun. It looks good on the mugs and the T-shirts, so it looks really good. Yeah, that's what's important. So thanks for joining. I always like to start at these conversations, kinda the start at the top.

And what are we talking about? So you've talked about verified credentials, risk in cybersecurity, in your backgrounds, and what you are trying to accomplish. I think we're all familiar with cybersecurity. Right. There's plenty of news coming at us with what's happening in cybersecurity breaches and so on.

How is this different, like when you talk about cybersecurity and verified credentials, explain the link between the two and what you mean by verified credentials.

[00:02:58] Tim McCreight: That's a good one. I'll start [00:03:00] first and then I'll pass it on to Elena. From my perspective, one of the things that we've struggled with for years is making sure that as I access a resource, as I log onto a system, or as I gain access to different data or information across an organization, I need to make sure that Tim is actually Tim, and I need a way to validate that, and I need a way to prove that I'm given or been granted access to these different data stores data resources.

The difficulty with that is over the years we've been really restricted of what we could provide. Everyone listening knows, we first started with IDs and passwords, bringing in different factors for authentication, but there were still avenues that were open to fraudsters, to impersonate somebody. So I could log on saying that I'm Tim.

I'm not really Tim, but I have his credentials. I've got his password, so now I can gain access to the information that Tim has access to. So that became problematic and it still is. What we're finding now is there's a desire to gain greater understanding of who Tim is, [00:04:00] where I really can go, can you prove his background?

Can you show me the resources he should have access to? And now can you provide me that level of access and make it so that it's difficult or damn near impossible to steal those credentials or to copy those credentials by using different forms of encryption. That to me is when we're starting to talk about some real changes to how we gain access to sensitive information or to data that I need to see to do my job every day in an organization.

[00:04:26] Elena Dumitrascu: There's also the need for Tim to have portability. If this is his data, let him carry it with him. Obviously, if it's an email address from Tim's employer, if Tim no longer works there, that email address is no longer in his possession. But if it's a different type of identifier about Tim, like his. Digital identity, his driver's license or his university degree, or his certificate from an association, his professional designation as a security expert.

Those are all bits of [00:05:00] information that belong to Tim. I. He should be able to take from organization to organization and prove those statements about him as he gets onboarded, as he logs on every day to various systems that he should be allowed to log onto because he has those credentials. So it's more than just the username and a password.

It's all of these details about Tim that now finally can be given to Tim. In a secure, encrypted and portable way we can take from engagement to engagement.

[00:05:33] David Coriale: So I feel like this is more important, if you will, than username and password credentials. Right? Because that's what most of us think of when you, what are your credentials, username and password?

Because we're talking about verifying somebody's credentials from a professional. You mentioned just now maybe their association certification. Right. Which could impact. Their credibility. So some of this is privacy, some of this is credibility, and then some of this could be also things like the ability [00:06:00] to prescribe drugs, right?

Controlled substances as a, the, what is it? The DEA, the drug enforcement administrative number that a doctor has. If I have that number, I can impersonate someone and prescribe drugs. I'm understanding you clearly that we're talking about more than just the privacy aspect. We're talking about impersonation for nefarious or illegal activities potentially as well.

[00:06:23] Tim McCreight: Yep. A really good example, and this is one that Ellen talking about before and it really resonates, is this idea if I have specific training in, let's say one environment, and I go back to my time I spent with oil and gas or critical infrastructure. If I'm gonna be working in a facility where I have to take two trainings, so I'm required to have safety training before I enter the facility, or before I can actually go do work with a plant, and I want to be able to move from one employer to another, but my credentials for safety stay the same.

This is an amazing opportunity to take what I have learned, what I've maintained in the background that I have, the training that I have, that I can verify that I have the training [00:07:00] and that I actually am qualified to work now in an environment where I have to have H two s training for safety. This is a terrific approach to do that because now that's transferable with me because I own that credential or I own that training, and that's part of my profile.

Now when I create that verifiable credential for Tim.

[00:07:16] Elena Dumitrascu: Let's think about the cybersecurity team in that company. Tim is a new employee. They have to provision him with access to all sorts of things. You bet they get that information today from HR through something like ServiceNow Ticket that says onboard Tim.

But does that cybersecurity professional know that the right due diligence was done on Tim? They take it at face value. What if something changes from the moment when HR or someone else checked Tim's credentials? One of them expired or got revoked, right? That cyber team in today's world before verifiable credentials in the paper world or the unverifiable digital PDF world, we'll take it at face value and we'll go [00:08:00] ahead and provision Tim with the respective access and only through some kind of audit that companies typically have every six months or every year, those things get caught and by then it could be too late, right?

So yes, there's the fraudster, bad actor story. There's also the, nobody intends to be a bad actor, but it just happens 'cause all this data is connected and we're pushing paper between departments and you never know who should or shouldn't be able to access a system or a secure room.

[00:08:31] David Coriale: So is that how associations are currently using verifiable credentials to protect themselves? I'm just trying to tie it to either member services or consumer services. I'm a consumer and I'm looking for a verified speech pathologist. How are associations using this now to reduce their cybersecurity risk or their brand risk?

[00:08:52] Elena Dumitrascu: They're using it both at the onboarding phase to make sure that Tim is Tim.

There's so many people that have the same name that may have [00:09:00] gone to the same school and gotten that doctor's degree, and if that association is in the medical field and they require a degree as proof before giving them a, an extra license for a specialty, they need to know that the degree that's being presented belongs to this to him, not another one.

That this is the right constituent. All of that is verified at source in real time on an ongoing fashion, and then on the tail end of that process that the product that the association or certifying body issues for Tim. Leverages the same level of security and tampers and portability as the artifacts that Tim showed up with.

So whether it's a, a license that allows you to operate specific equipment, or in the case of Tim, particularly because he is a security professional, his security designation, right? That association can now give him that not as a badge, but as a verifiable credential [00:10:00] that. Belongs to him and no one else can borrow it and present it.

[00:10:06] Tim McCreight: And this is what I really appreciate from a security perspective because it takes away that potential mismatch from when someone's first being brought on board to when they're being granted access to systems. And it's an opportunity for us to continually assess the credentials that you're presenting and make sure that they're still verified.

And Elena's. Throughout my career I've seen where as we hire somebody and go through the hiring process, it appears as if it's a one-time review. This offers that opportunity to continually assess that individual's credentials, verify them in near real time or real time, and give us the opportunity to ensure that, yep, Tim still has this valid credential.

It's still active and up to date, he can still gain access to these confidential resources because we are relying upon this approach that's been taking for the credential. So to me, it's such a great opportunity to explore more of this within the security realm. It gives us a chance to look at different avenues for us to validate.

Where Tim can go. [00:11:00] I can also validate based on the credentials and the history that Tim has provided in those credentials, the additional opportunities we can give him or different pieces of work that he can work on based on his past experience, his past credentials, and that we can continue to verify it throughout.

So I see some amazing opportunities to leverage this in the future. I'm even thinking myself for things like national security clearances. As you progress through your career or as you start getting access to greater levels of security or secured resources and access to these documents, I can validate it still, Tim, I can validate Tim's historical context and I can take a look at his credentials to continually grant and validate his access to that information.

[00:11:40] David Coriale: So I'm listening and I'm trying to parse the difference between offering this, 'cause you were using the onboarding, the staff person example, and you're also using examples for professions and members so that their credentials can travel with them. And you're talking about it being persistent, meaning the credential is verified until it's not.

So it's portable and it's [00:12:00] up to date. It's you're using examples. Hey, it drives me nuts when somebody gets on the phone, like I'm calling someone and they say, I'm calling, I'm calling for when my dad passed away. I'm calling to try to do something. And they're like, and I say, I'm Dave Al. And they're like, we can only talked to Anthony.

How would you have known? It's insane. I can call right back and talk to somebody else. Difference. So clearly our level of verification going on right now is super minimal. You're bringing a whole new level to it. So lemme get back to where I was second with the staff versus members or both. And I've had a podcast with Juan and Hannah from IntES where they talked about with their real life example.

That's on Reboot IT. You can go listen to that one. What other examples are out there? So there's two parts. Part one, staff versus members or both. And then let's talk about some examples. It's both. Okay.

[00:12:50] Elena Dumitrascu: It's both. Why wouldn't you want this level of awareness for both staff? Could mean staff in an association or staff could mean employees in [00:13:00] a, in an organization that have credentials from an association.

In our case, as an organization, you definitely want your staff to be who they say they are. We've seen so much remote workforce lately. We haven't even touched on that yet, but it's so hard if you'll never meet that person in real life. To know, are they the ones actually doing the job? They could be, who knows.

So again, going back to the cyber thing, it's important that every staff member has been vetted and continues to be vetted and has access to these verifiable credentials about their profession and ability to do the job. And then part two, absolutely. As an association, there is now a movement towards issuing.

The licenses and the memberships as verifiable credentials to protect the brand, to make sure that the professionals, if you think about it, the industry, trust, the association to certify these people. Then yeah, it's your duty to make sure that you certify the right person and that certificate cannot be [00:14:00] forged.

So it's both.

[00:14:01] David Coriale: What about the example piece

[00:14:03] Elena Dumitrascu: In the U.S., we can definitely talk about LIOs that you mentioned. They use verifiable credentials for all of their constituents. These individuals work in the healthcare space and they are medical practitioners and doctors which operate ultrasound type equipment in hospitals.

You can imagine how important that is, that someone with that type of job is who they say they're and holds that designation. With an active status on it, A verified status on it. Sure. But that's one example. We also have safety associations that have deployed this for, again, safety professionals. If you're a safety manager, you have a specific designation you must hold.

Those are now have rolled out. We have an association in Canada called B-C-R-S-P. It's the Board of Canadian Registered Safety Professionals. They use verifiable credentials. Another example I'll give you back to the healthcare space in Canada, uh, an [00:15:00] organization called COPSW. It's the Canadian Organization for Personal Support Workers.

I personally love this use case because if you think about it, personal support workers are always dealing with the most vulnerable people, right? Our grandparents that need help in the home sometimes, right? Not even in a hospital where there can be other professionals. So having personal support workers that go through a background check and a an insurance check and then hold a verifiable credential stating that they are who they say they are and they're allowed to do that job.

Super important. So those are some examples. On the employer side, countless examples from energy to now healthcare. So think of a hospital that now onboards this way. Every professional comes with their designations that would goes to the cyber team to onboard them. So yeah, those would be some examples of employers.

[00:15:57] David Coriale: You made me think about this, that [00:16:00] could you mention. Hiring process. And recently we've seen articles about the number of North Koreans who have been hired by companies not knowing, right? Not verifying, not knowing where they actually lived. Take that a step further with, I just watched a reel on Insta the other day where everything was ai.

Not a single person talking to me was real because they'd say it at the end. They're like, Hey, here's what I did today, blah, blah, blah. And by the way, I'm AI. Is this a safeguard against accidentally hiring an AI agent that can go through an entire interview process and not have even been real or a bad actor from another location?

Is this at that level?

[00:16:42] Tim McCreight: I hope so. That's what we're hoping for. You're right. There's just some frightening aspects of how intelligent AI has become and how believable it's. What this process forces people to do is to demonstrate and have those credentials validated by [00:17:00] other parties than themselves simply submitting a letter going, Hey, hi, I'm Tim and I do this.

So it provides a bit of safeguard for that. This is where that whole idea of impersonating someone to get their credentials and then call a help desk as an example, to get a password reset so you can go ahead and move forward with that. Or I need access to a system and I'm gonna go for the prompts and I'm gonna wait for the call back.

I'll try to provide my password. If I have problems, can you help me get through it? This eliminates that type of risk, and that has been historically, one of the biggest things we faced in security was. We can't lock everything down. We just, we can't. If we could, like I have no appetite for risk. So at best days you're gonna get a notebook with a crayon and I want it back at the end of the day.

Because I really don't trust people and you're never gonna get access to the internet. But I don't run a company, I run my own company. I just don't run anybody else's. So we have to find ways as security professionals to provide the access you need every day to be successful. This offers that opportunity to do that by relying on the credential and the validation process, and then it's verified every [00:18:00] time it's being accessed or every time we need to verify it.

That credential then is accessed. Make sure it hasn't been tampered with. It hasn't been altered, it's still valid. Now I can grant you access to the systems that you're looking for. So yeah, this should help remove some of the risks that you talked about. Fingers crossed, right? All of this will be resolved with these types of technologies because it relies on the cryptographic skills for the.

Program that's in place, and it relies on the validation of the information I provide by the user to the credential store and then to the validation process to make sure that I'm still Tim and here's how I prove it.

[00:18:35] Elena Dumitrascu: And Dave at ASAE Annual, we're hosting a session exactly on this topic. Great content, authenticity and verifiable credentials.

It's taking place on August 11th. If anyone listening will be at annual, they can come see us. Speak more about that. We've also released the white paper through a SE on this exact topic, and please. Look for those assets. It gets into a lot more detail and [00:19:00] Tim is right. This is what we consider the current fighting chance against bad AI.

Because there's great AI out there, but there's also bad generated AI. That is impersonating people, and that is also making fake certificates and diplomas that are indistinguishable to the human eye. So what verifiable credentials do is basically putting a padlock on this data, similarly to how you see a padlock on a website and you know you can trust it 'cause it's secure.

It's that same idea, but at the ID level, whether it's a degree. A license. Your actual Id like your driver's license and so on.

[00:19:41] Tim McCreight: Yep. I may get my doctor's eventually, is what you're saying. I could probably do that now. Is that the, yeah, I'm kidding. I'm kidding folks. I'm kidding.

[00:19:48] Ad Read: Let's take a quick break from the conversation to hear a word from our episode sponsor, Credivera.

Verifiable credentials are an emerging web standard, helping to establish authenticity and [00:20:00] online interactions, something increasingly important in today's digital world, Credivera works with professional associations to support this shift. Through Credivera, ASAE members have the ability to issue globally acceptable verifiable credentials, such as certifications to operate an ultrasound machine that members can use to verify employment qualifications, confirm ownership of a professional license or membership, and interact more securely and authentically with their association, employers and others in their industry.

As digital verification becomes more essential, tools like these are playing a growing role in professional ecosystems in today's digital landscape. Ensuring trust and authenticity and professional interactions is more important than ever.

[00:20:49] David Coriale: So you just laid out a huge value proposition of this, which is if it's our best bet against that type of impersonation and credential theft. That's [00:21:00] a big value because people I'm sure are wondering at this point, what's the cost of implementing something like this for an organization?

[00:21:07] Elena Dumitrascu: It'ss actually not an issue. And I know sometimes with new technology, that is a big risky thing, but what the internet gods have done, specifically the worldwide web consortium, this is the governing body that governs a lot of things about the internet.

They're the ones that brought. Another standard about a couple of decades ago called CSS that allows every webpage to look the same regardless of browser, right? The next standard that they've rolled out was one for verifiable credentials. So what that means is they can be embedded in existing technologies, or they can be products like the ones creative has called Creative Exchange can be hooked into existing a MS solutions or LMS solutions without.

A huge cost, and for us, knowing who our customers are, cost was always top [00:22:00] of mind and wanted to make sure that we bring forward the solution that. Will not cost, will not be basically the item to prevent it from happening. Yeah. So it's scalable, it's supported by the internet. I think that's important to know.

As more adoption grows, your organizations, the leverage verifiable credentials will not be locked in a format that's not interoperable. Those are really important things to know that even if you're making a decision now, that decision will be good for you even five, 10 years down the road.

[00:22:33] David Coriale: Understood.

And cost in affordable are relative in, in terms of have the risk. On the other hand, which is something you, you're obviously dealing with caffeinated risk. Tim, that's kind of in your wheelhouses at risk is so great that not looking at these technologies seems to be. Foolish, at least to know what type of investment it is and what type of change management you have to put in place and so on.

What [00:23:00] is the barrier for organizations to adopt this then? If it's not cost or, and maybe there is no barrier. I don't mean to make that assumption, but Yeah. Generally speaking, our community isn't first on the bus with new technologies. So as 501Cs we are a little more cautious and there are reasons for that.

But what have some of the objections been besides cost then? Or how do you get it? Let's look at the positive way. How do you get this approved in your organization?

[00:23:23] Tim McCreight: I think how I would look at this is from, I would look at it from the risk lens first, and the reduction of risk facing, let's say an association that's granting, designations or certifications to its members, but wants to make sure that not only am I granting it to the individual who's demonstrated their skills, taken their examinations or work through the process, but that you can actually validate that credential to potential employers or your current employer, and the risk of reducing that validation process by what.

As an example, what Credivera offers for verified credentials. What if I can, as an association, provide you an avenue to demonstrate to your current or [00:24:00] potential employers that the credential that you've received it isn't gonna be altered? It's valid. It demonstrates my skills in this one particular area.

And at any time, you can come back as an employer and validate that my credential still exists, that I still have the capability to work within this. One area. I still have the skill sets to work on this technology. I've got the health and safety requirements to work on this job site. I can manage this piece of medical equipment.

Or as you move further up, I am still a lawyer in good standing, and here's the states that I can operate within. I am a doctor in good standing across Canada, and here's my credentials from the Canadian Medical Association. That to me, would be fantastic because now what I can provide is a level of assurance through my association.

That's a really big deal because now as someone presents their credentials, it can be validated and I can demonstrate that I am Tim. I have this credential. I can work in this environment. I have the skillset, or I have the ability to access this information. I. That's a huge benefit to any association, I would think if that's something that they're considering [00:25:00] and it's an opportunity to provide that as part of the membership benefit.

If I'm gaining that credential or that membership on that association, wouldn't it be great to have that ability to come back and say, anytime you wish to validate my credential, this is how we do it.

[00:25:14] Tim McCreight: I feel like what's being pointed out is how much we just rely on blind trust and a paper document and let me PDF my designation and send it to you.

And we've seen it all. And unfortunately, like honest people being honest most of the time. But we've seen this, right? Like I remember not that long ago where we were doing background investigations for an organization I was chief security officer at, and we actually had a member of the board lie about their credentials.

They sent in a like a bogus. Doctorate degree, and we're like, you didn't think we were actually going to go check? Wow. But can you imagine? All of a sudden I take away that kind of noise, right? If I say that I'm qualified to work a piece of equipment and I can demonstrate it and I have it and it's still valid, and I can go back and verify that Tim can actually operate this heavy equipment, because this is the credential that says you can.

Terrific. That [00:26:00] takes so much time and takes a lot of risk out of the employment process and onboarding, et cetera. But now we can continually evaluate to make sure that Tim can still operate this piece of equipment, is still an engineer in good standing, still has the capability to do this type of work.

It's because this process exists to validate that and to verify it.

[00:26:17] Elena Dumitrascu: And people are proud to have these designations. When I association, we also talk about member retention. How important that is, and any professional that holds designations is incredibly proud of those, and why not give those members something that proves beyond shadow of a doubt that I.

They have actually done the hard work and the exams and hold that designation. Members love this and it's in their possession. I guess we haven't talked about some of the details around portability, but it's in their possession and they can choose to decide who sees it. When it gets presented, they as the individual can [00:27:00] revoke access from a third party.

So let's say you're going to apply for a job and you just shared your license. But you don't get that job. You can now revoke access versus in today's world. You've given your stuff. You don't know what that recruiter or potential employer has done with that data afterwards. With this, you are in full control of this data.

It's in your possession at all times, and as an association, you're really giving an incredible gift to your constituent by offering them this. And that's been the feedback that we've seen and the excitement from members that we've seen where it basically just spreads through the mouth like wildfire within a community.

[00:27:41] Tim McCreight: Like I have three security credentials. I'm proud of all of them because honest to God, it took a lot of work and effort to get them. So I'm quite proud to have them. But to be able to demonstrate that I'm still a valid hold of their credential, I've demonstrated my subject matter expertise. I've continued to gather my continuing professional education credits.

I can demonstrate that I'm still a member in good standing of all [00:28:00] three. That's important, right? For security professionals, at least in my world. And when I'm looking and. Have hired in the past. I look for those credentials as well, and I ask them to demonstrate it, that it's still valid. They've been accredited, they still have their designation, they're in good standing.

This gives the member an opportunity to provide that. And to Elena's point, if I don't get the job or I'm no longer working for that employer, I can revoke that access to that credential so that I maintain. The confidentiality I maintain who gets access to my credential store. That's important, right?

Especially when I look at it from a security perspective, is I'm giving the user now an opportunity to manage their own journey with their credentials.

[00:28:37] David Coriale: But you can see right after my name, right, I have my CAE and when that wasn't showing up on Zoom or wasn't showing up on teams, I sent in a ticket. Hey. To your point, I'm proud of that.

Right, and I'm gonna keep it attached to my name and it's on all my badges. I wanna step away for one second from the association community, so to speak, because one of the things that we have issues with [00:29:00] period is identity theft. Applying for credit cards, opening up bank accounts. I saw an ad the other day for applying for a job from 1984 or something like that.

I was going through something and it said, send your cover letter with your driver's license number, your social security number. The only thing missing was your mother's maiden name from this application for a job. To your point, you made me think of it because once you've sent that in, it's outta your hands.

Just like now you go to the doctor's office, they ask for your social security number, so I don't know what you're doing with it when I'm done, because this gonna extrapolate into. Identity theft protection.

[00:29:35] Elena Dumitrascu: A hundred percent. There is an entire industry around digital identity built to support identity theft protection.

But I'm gonna put a pin in it because I'm sure Tim has a lot to say about that.

[00:29:47] Tim McCreight: Yeah. Wouldn't it be amazing if I could actually reduce this type of fraud and if I was able to do it with the type of structure that's in place and what Ellen has been talking about as well, that's to us is what we're all looking for as strictly professionals.

As you're right, David. It is [00:30:00] so easy now to impersonate somebody and you brought up. In context, one of the greatest examples that literally scares the hell out of us AI's taking over and is now interviewing for jobs. So now how do we do this? And by asking for your verified credentials and us validating who you are based on the credential story and being validated through the process that's in place, what Elena and her team have done as an example, that to me brings me solace.

I actually can trust this now. So that video was that amazing. And yet when we asked them, can you, can we provide now your credentials so we can validate it? And the screen gets blank, I think we've done our job then. Yeah, that's what we're looking for, is to now all of a sudden, oh, can I get back to you?

Oh, you know what, I'll, lemme just get back to you tomorrow and I'll be right. You'll hear whatever stall technique or tactic that they have. That to me is important because now we're putting in a control in place that you can't alter. So when you show me the cred, then I go and validate it. I know it's Tim and this is the work he's done.

Here's his credentials, here's his certifications, here's his associations. More importantly, this is what he has to demonstrate [00:31:00] who he is. Terrific. As opposed to the screen getting blank now on a video or zoom interview, and they're not calling you back. This is gonna help because we have faced this for a decade or more.

It's gotten worse these last few years. This is a great opportunity to start stemming some of that identity theft, identity fraud by putting these types of controls in place. Awesome.

[00:31:19] Elena Dumitrascu: And add on to that. When Tim is in a country across the globe, how are you gonna get his certificate to him? How are you gonna vet all of this?

You may not even know all the laws in that country. So this technology also eliminates that problem. It provides that global mobility the minute that it's live, right? Where. You can issue in the same city or in a country across the globe with the same ease. And knowing that you're meeting the privacy, the security, the compliance rules of anywhere on the globe, because again, this is a global web standard, so how it gets implemented is meant [00:32:00] to align with all of those roles.

And David. Speaking of your three letters, how great it would be if next to CAE was a little trust mark.

[00:32:10] David Coriale: Yeah, there will be. I'm confident there will be someday. Yeah.

[00:32:12] Elena Dumitrascu: Yeah. In Canada, all CAEs do have that trust Mark already. Speaking of implementations, it's been, I think live for them for the last three years, so if you do ever speak with a CAE that's been certified in Canada, they will have that trust mark.

[00:32:28] I feel like what's being pointed That's awesome. Yeah. We could talk about this for hours and we could come up with both the value side and the fear side of what we're dealing with. But what I want to close with is I'm an association. I'm not Put yourself in the position of an association exec who's running an organization, whether it be 300 or 30 staff, 5 million or $280 million budget.

You are the chief staff officer. Who and what should you be asking in order to learn the applicability of this to your [00:33:00] organization? Internally, externally, profession, et cetera? Like what's your starting point?

[00:33:03] Elena Dumitrascu: From what I've seen, you have an internal sponsor. So taking Teos, their CIO was the initial internal sponsor.

They built the case for why. Verifiable credentials make sense? Obviously they're an organization that supports the healthcare industry. Those credentials carry a lot of weight in that industry. So that's where it starts. You need that internal sponsor. Often it is a CIO or a chief credentialing officer.

They build the story as to why it would make sense. And by the way, speaking of that story, when we talk about costs. We've done some analysis. It typically costs the entire verification and issuance around $3,000 per individual. With this, you're literally talking a micro fraction of that cost and you'd set it and forget it.

That's another thing that we hear from our association customers. We just put it in place and then it just works.

[00:33:59] David Coriale: And just to be clear, you're talking [00:34:00] about like current state people verifying, putting papers around, copying, PDFing is like $3,000 per person. Yeah. Yeah. Versus, yeah.

[00:34:08] Elena Dumitrascu: Both the on of that number as well as the issuance, putting something in the mail to send to them, the phone calls they get, the online directories.

They must maintain that. You have to make sure that a web scraper cannot hack your online directory. There's all sorts of things that cost money into today's process. On average comes to around 3000 per constituent. So yeah, so you build that business case and because associations are typically bored.

Driven around these decisions. Board approval is important. Once board approval is accomplished, then it would be to engage with a vendor like Vera. We actually have a buyer's guide that I can make available to post with this podcast if folks are interested in that. Buyer's guide are all the things that you should be asking.

It is new technology, and there [00:35:00] you should be asking some specific things and then implementation. If it's a standalone implementation, it can happen within a week if it's a complex implementation with multiple systems coming into the verifiable credential exchange. That could maybe go up to 60 days, but it's not a multi-year, super complex, super involved type rollout.

[00:35:24] David Coriale: So that's one side. You've got a sponsor like Juan or whoever coming at you, the CIOs chief credentialing officer, et cetera. If you don't have that, Tim as the CEO or executive director, whatever, as the chief staff officer and you realize this could be applicable, who do you go to?

[00:35:39] Tim McCreight: So a couple things I was thinking of as Elena was walking through the process.

So I had the honor of being the global president for a SS International in 2023. So I had a chance to work very closely with our administrative team, all who are members of ASAE and who many hold the CAE designation. And as we were working at how do we establish and continue to grow the brand of ASAS [00:36:00] International across the globe and build out the credentials that we had.

A couple of things came to mind, particularly with some of the use cases that may be applicable here. I sat on the board and was the chair of the board as the president. So what I would look for at a board level is can you demonstrate the value proposition to the members? And I think you can.

Particularly in some of the security associations, the three that I belong to, it's an opportunity to demonstrate the credential that it can be verified, that it can be managed by the credential holder, it can be revoked from particular areas you manage the direction of where you wanna provide your credential.

What that does as well is it provides clarity on what that designation truly is. The work that I can do, the, the skill sets that I've acquired, et cetera. That becomes part of the value proposition for the members. And then finally, the member messaging is something you could use that includes, it's a verified credential.

It is what's under a very strong security regime to ensure that it isn't altered. You can demonstrate it to employers to present your [00:37:00] credential, as opposed to, Hey, can you send me a photocopy of your CPP or your CISA, or et cetera? No. This way I can provide it to you as an employer. You can demonstrate that you've gone through the process of vetting me.

I have my credentials. It applies in the onboarding for new employees. It applies for the hiring process, but also for the maintenance of an individual's career inside an organization. It can demonstrate how as a member, as I attain my credential in the company I work within, does that help me in my career path and to move into different positions?

Absolutely. So there are benefits from a member's perspective. If I have a credential that's offered by an association, I can use this now as an opportunity to demonstrate my skills. My credential, it's verified. You can look at it here and now that takes over some of the guesswork. If I'm applying for a new role, a new position, or wanting to advance my career in my current organization, this helps me in that journey as a member of, as an example, ASIS or ISC squared RS.

Awesome.

[00:37:57] David Coriale: Sometimes we talk about technology, and I don't mean this the way it sounds 'cause I don't [00:38:00] want to, I don't even wanna use the word trivial when I talk about technologies, right? Because everything has value to somebody. And that's what you're ending us here with Tim, is there's a value proposition for the chief staff officer to look at with the leadership team and then find the partner like Creda, who can then walk you through process and cost and value and risk reduction and so on.

But some technologies aren't as impactful as others. Is the way I'm thinking about it and just what you've laid out is so impactful from a societal perspective, not just an individual perspective that I hope people come to the session at annual that look at the white paper, your members, the organization you are in the board with a SIS.

Really get this out there into the conversation. It's not just about credentialing, it's about risk. So this is awesome. Thank you for sharing all of this. Thanks so much. I appreciate it. I think you've left us with a lot to think about, but also, [00:39:00] and I'm not afraid, I don't wanna use that word, but I'm concerned.

So let's keep this conversation going,

[00:39:06] Elena Dumitrascu: David. If we roll back the clock to 20 years ago, nobody ever imagined how much we'd rely on digital interactions. Nobody really understood the value of email before email was in our lives. Nobody understood or thought about the value of exchanging data electronically and APIs before that became a thing and made things so much easier.

But with all of that, we find ourselves in 2025 with. Being unsure if what we're looking at is real or not, because the internet has made us so easy to exchange this data. And also technology has made it so easy for bad actors to mess around with the data that we're looking at. So here we are in 2025. We know we can put the genie back in the bottle.

We know that we've become dependent on this. Like I need instant access to this information. That's a fact. But what we're talking about [00:40:00] here today is. What the next generation of the internet really needs to be, and we're just starting that path, going down that path to just put our minds at ease, that what we are looking at is actually real and verifiable.

Credentials aren't just for associations and information about a person, everything. They're similar projects in every industry, whether it's supply chain or legal industry, to confirm that a business is a business to confirm that when you travel, that a passport is a passport. Like all of these things that we now love so much to do electronically, they're all going down the path of introducing verifiable credentials to make sure that.

With the ease of doing everything. Digital comes the peace of mind that, hey, what I'm looking at is real. I don't have to worry about it. Right. And so that's really the moment in time where we find ourselves in 2025 and we should see a lot more [00:41:00] of this to the point where it will be trivial. We won't talk about it anymore.

It'll be like that. Of course. I can trust it.

[00:41:05] David Coriale: That would be awesome. And I think we should do two things. One, we should just to end on here, we should. Meet at annual in 3D to make sure we both are real. And Tim, if you're gonna be there, we'll see you too. So the three of us can get a 3D non cardboard cutout picture together.

And then two, I hope we revisit this, either reboot it here or somewhere in 2026 and see what a year has brought us. So thank you again for sharing. We could talk about this probably for two days straight, but we will, we'll meet at annual and again next year and we'll see where we are. Thanks again. Thank you.

[00:41:37] Elena Dumitrascu: Thank you.

[00:41:37] David Coriale: Thanks everyone for listening to this episode of Association Now Presents. Join us each month as we explore key topics relevant to association professionals. Discuss the challenges and opportunities in the field today and highlight the significant impact associations have on the economy, the US and the world.

Be sure to subscribe to our podcast on Apple, Spotify, or wherever you listen to your favorite [00:42:00] podcast. And for more information on this topic, visit associations now online at associationsnow.com. Thank you.