LeadHER in Security: Julia O’Toole, Co-Founder & Co-CEO, MyCena

Mathematics and Neuroscience Meet Cybersecurity: How Separating Identity from Access Could Reduce Phishing

Published

Written by:

Vishwa Pandagle
Cybersecurity Staff Editor

Julia O'Toole - Co-CEO and Co-Founder - MyCena

Summarize with:

Add as preferred source on Google

Key Takeaways

MyCena built a mathematical model that separates identity from access and eliminated password reuse.
Neuroscience helped O’Toole understand why people overlook the risks of equating identity with access.
O’Toole believes women have a strong intuitive grasp of risk, they can anticipate threats, and protect what matters.
Breaches initiated with stolen credentials take the longest to identify and contain.
With segmentation, access is granted one system at a time also reducing the attack surface.

Exploring how mathematics and neuroscience intersect with cybersecurity, MyCena Co-Founder and Co-CEO Julia O’Toole discusses reducing human-driven risk as part of TechNadu’s International Women’s Day series.

O’Toole, a mathematician trained at Université Paris-Dauphine and a multiple patent holder, focuses on redesigning credential architecture to eliminate user-managed credentials.

Leading structural innovation in access security, she represents a growing generation of women professionals reexamining long-standing design assumptions in cybersecurity.

O’Toole argues that cybersecurity should reconsider identity-based access models and rethink authentication architecture to limit credential theft and phishing-driven breaches.

Her approach separates identification from access and segments keys per system, so a single compromise cannot cascade across an organisation while giving security teams better control over access.

The conversation explores unphishable access, credential injection architecture, and why redesigning security systems may be more effective than trying to perfect human behavior.

Vishwa: You’ve been recognized for applying math and neuroscience to cybersecurity. How does that approach translate into practical security models that reduce human-driven risk?

Julia: My problem with cybersecurity started as a personal one. I was resetting my passwords every single day, and when I looked at it mathematically, I simply couldn’t justify using a password manager. If I lose that master key, I lose my entire digital life and more. The risk concentration was too high. So I lived with that frustration for years.

When I later visited the ancient city of Mycenae and saw its security architecture, something clicked. The city was protected through layers, segmentation, and fortifications. They had applied a mathematical model to minimize and contain the risks of the whole city falling into enemies‘ hands.

I realised the same mathematical model applied to cybersecurity, and that the original design flaw — equating identity with access — is the root cause of most cyber breaches. When identity is the key, once it’s verified, all doors open.

In the physical world, no company would allow employees to create their own keys to every room in a building. Yet digitally, that’s exactly what we’ve done. People create passwords. They manage them. They reuse them. Single sign-on makes access more convenient, but the design remains the same: identity becomes the key.

And no matter how much monitoring or tooling you add, all it takes is one employee or third party giving away credentials for a breach to cascade into ransomware, supply-chain compromise, or business interruption.

So we corrected the architecture. We built a mathematical model that separates identity from access. Identification proves who you are; it doesn’t unlock the building. Access keys are generated, controlled, encrypted, segmented per system, and inserted invisibly one door at a time.

By separating identity from access, we eliminate credential phishing, social engineering, and password reuse because users no longer create or know the credentials. By segmenting credentials per system, even if something is compromised, it cannot cascade across the organisation.

Separation removes the root cause; segmentation limits the blast radius. Together, they give companies structural control over their risk and how far any incident can spread.

Neuroscience helped me understand why people accepted these new risks. Our brains evolved to detect physical threats, not abstract digital ones. In the physical world, identity is who you are: if you need knee surgery, you can’t send someone else. Access is the keys to your house, car, or office. No one confuses the two.

But in the digital world, that distinction became blurred, and we accepted architectural risks without recognising them. Neuroscience also helped make the model practical and turn it into an easy-to-use technology. The brain looks for the shortest path. If security creates friction or cognitive overload, people bypass it.

So we removed the burden entirely.

No creating passwords.
No remembering them.
No resetting them.
- Just like no one cuts their own keys to their house, car, or office.

The result is less cognitive load for people and far less structural fragility for organisations. Instead of trying to train humans to behave perfectly, we redesigned access so that mistakes don’t automatically become breaches. That is how maths and neuroscience help practically reduce human-driven risk.

Vishwa: You’re described as both rigorous and easy-going in high-stakes environments. On International Women’s Day, what would you say to women who want to challenge long-standing assumptions in cybersecurity?

Julia: Cybersecurity is not that old, yet it carries many inherited flawed assumptions that are long held in people’s minds.

For example:

People need to make their own passwords,
Your identity should be your key, or
We can just add tools to stop cyberbreaches without questioning the underlying system.

I think many women have a strong intuitive grasp of risk, shaped by the need to continually assess environments, anticipate threats, and protect what matters. That instinct is powerful in cybersecurity. The field doesn’t just need more tools; it needs people willing to question what isn’t working.

Julia O’Toole

Co-Founder & Co-CEO of MyCena

For women who want to challenge long-standing assumptions, my advice is simple: don’t wait for permission to question a structure you can see doesn’t make sense. When the stakes are this high with AI-driven phishing, ransomware, and systemic risk challenging flawed assumptions isn’t disruptive — it’s necessary.

Vishwa: You describe separating identification from authentication. At a high level, how does that change the way access is handled?

Julia: At a high level, separating identification from authentication completely changes who generates and controls the access keys.

When identity = access, the identity is the key. Users identify themselves for access.
- They create the password (which can be their biometric) to access. They can give that password away.
When identity ≠ access, access keys can be controlled by the company just like in the physical world.

With MyCena, the company generates and distributes encrypted, segmented, invisible credentials for each system. The organisation — not the user — has end-to-end control of those access keys.

Users, whether employees or third parties, open an application on their mobile or desktop and identify themselves first through a multi-factor identification process that takes about 30 seconds.
Once they are in a safe environment, they simply click on any system they need, and the platform brings the right door to them and injects the encrypted credential directly.

It’s like putting a key into a door and opening one door at a time. The user never handles the key. By adding the credential separation layer, identity is no longer the key.

First, that structural separation completely changes how access is handled, as it removes human-managed credentials.
Second, by segmenting access, it limits the propagation of a breach as it prevents one malicious access from spreading beyond the specific door being opened.

Vishwa: What patterns have you observed in breaches that highlight challenges around user-managed credentials?

Julia: One of the most consistent patterns across major breach reports is the central role of compromised credentials. According to CISA, over 90% of all cyberattacks begin with a phishing email, while breaches initiated with stolen credentials take the longest to identify and contain, averaging 246 to 292 days.

The pattern is clear: attackers don’t need to break in when they can log in. As long as users — whether employees or third parties — create and manage credentials, those credentials become the largest and most scalable attack surface.

This is why adding more detection or monitoring does not fundamentally solve the issue. If identity still functions as the key, compromise will continue to propagate once authentication succeeds.

That’s why having a separate credential layer that removes user-managed credentials is so critical. It removes the structural dependency on people holding the keys. When users no longer create, know, or control access credentials, phishing and credential theft lose their economic value.

Identity verification no longer results in automatic access. And with segmentation, access is granted one system at a time under organisational control. In that model, the attack surface shrinks structurally. Instead of reacting to credential compromise, you eliminate the condition that makes credential compromise scalable in the first place.

Vishwa: When credentials become invisible to users, how does that impact security teams and access management?

Julia: When credentials become invisible to users, the impact is structural. If you don’t know something, you can’t give it away.

Today’s attack models rely on a simple assumption: users know and control credentials. Phishing works because people can type them. Social engineering works because people can share them. Credential resale markets exist because credentials are visible and transferable. When users no longer see or possess credentials, those models stop working.

For security teams, this changes the economics of defense. Instead of constantly training employees not to click, not to reuse passwords, or not to approve malicious MFA prompts, you remove the very object attackers are targeting. There are no passwords to phish, no credentials to reuse, no master keys to lose.

Operationally, the benefits are immediate. When users no longer create or manage passwords, helpdesk tickets for resets, lockouts, and access confusion drop significantly. Security teams spend less time firefighting hygiene issues and more time on strategic improvements.

Governance also becomes stronger. When credentials aren’t manually shared, reused, or stored in spreadsheets, access is centralised and visible. Security teams have clear oversight of who can open which door, under what conditions. Access becomes structured instead of organic.

Incident response becomes simpler as well. If credentials cannot be reused or shared, containment is faster and more precise. Teams can isolate or revoke access without worrying about hidden copies or credential sprawl. Uncertainty during a crisis drops dramatically.

Invisibility doesn’t just improve hygiene — it breaks the attacker’s business model. When users don’t hold the keys, they can’t leak them. And when you break the attacker’s ROI, you fundamentally change the security equation.

Vishwa: You describe “unphishable access” where users never see or handle credentials. Can you describe a phishing scenario that this model is designed to prevent?

Julia: Let’s take a very realistic scenario.

An employee receives a highly convincing AI-generated email that appears to come from IT.
It says their account will be suspended unless they verify access immediately.
They click the link.
- In a traditional model, that link leads to a fake login page.
The employee types their username, password, maybe even an MFA code.
- At that moment, the attacker now has everything needed to access the system as that employee.
They log in, move laterally, escalate privileges, and the breach begins.

In an unphishable access model, the same employee clicks the link.

The fake page loads and asks for credentials.
But the employee doesn’t know any credentials.
- There is nothing to type.
  - No password to enter. No secret to hand over.
The attack fails at the point of entry.

Phishing depends on humans holding the keys. When users don’t hold the keys, phishing loses its leverage. That’s what makes access structurally unphishable: not by training people to detect scams, but by removing the object scammers are trying to steal in the first place.

Vishwa: What kinds of environments or roles would benefit most from an unphishable access approach, such as employees, contractors, or privileged users?

Julia: Any organisation where people log in with usernames and passwords is exposed. Anyone who can access company systems —

employees,
contractors,
third parties,
especially privileged users — represents a potential entry point.

Attackers look for the easiest path. It can be

a contractor,
a finance user,
a DevOps engineer, or
even a connected device sitting at a central node.
- Anything that becomes a single point of failure becomes a high-value target.

At a board level, this is no longer just an IT issue, it is enterprise risk management. Credential compromise is now one of the primary drivers of operational disruption, ransomware, regulatory exposure, and reputational damage. In a world of AI-driven phishing, it is one of the single largest scalable risks facing global organisations.

Deployment should therefore be risk-based and aligned to blast radius. Start where compromise would create the greatest operational or financial impact:

privileged administrators,
sensitive infrastructure,
AI models,
finance systems,
supply-chain partners, and
external contractors.

Real-world incidents, such as Jaguar Land Rover, show attackers targeting contractors to gain internal access. Most breaches are not zero-days; they are stolen credentials being used as legitimate logins.

From a board-level strategic perspective, making access unphishable delivers measurable risk reduction.

It protects revenue and brand reputation,
reduces systemic exposure,
strengthens governance and regulatory posture, and, importantly,
removes employees from being the weakest link.
- Instead of placing the burden on people to be perfect, you remove them from the attack surface.

Ultimately, the principle is simple: anyone who can open a critical door should never be able to give that key away. And at the board level, that translates directly into protecting shareholder value.

Bithika Nathan - Founder - Dr.Phish Labs (1)

The Psychology Behind Phishing, Digital Coercion, and Scam Economy

Yogita Parulekar - CEO & Founder - Invigrid

Scaling AI Without Losing Control: Ownership, Identity, and Governance in Multi Cloud Environments

Ashley M. Rose - Founder & CEO - Living Security

Human Risk Is Not a Training Problem, It’s a Behavior Problem, in Real Time

Judgment, Governance, and Accountability: A Founder’s Perspective on What Boards Worry About, AI Defense, and Mentorship

Neha Garg - CEO and Co-Founder - Arambh Labs

Testing Fast, Containing Faster: AI Security at Day Zero Speed

Security Instinct in Cyber: Driving Systems Design With Fully Homomorphic Encryption at Scale

Your Weekly Cybersecurity Briefing

Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.

Please enter a valid email address.