1
00:00:00,040 --> 00:00:01,680
It's like me playing Grand Theft
Auto. 

2
00:00:02,160 --> 00:00:04,440
They're sure there's a main 
story and a main quest or 

3
00:00:04,440 --> 00:00:06,880
whatever you want to call it, 
but I just happen to just 

4
00:00:06,880 --> 00:00:08,840
randomly drive around and find 
random things to work on. 

5
00:00:09,880 --> 00:00:12,520
So I need like something that's 
a little more on rail sometimes.

6
00:00:13,680 --> 00:00:16,320
Right. 
And it's like if we achieve the 

7
00:00:16,320 --> 00:00:21,400
scope of getting $35,000, we can
get a better car in the game. 

8
00:00:22,680 --> 00:00:25,600
That's really what I think. 
It's the difference between the 

9
00:00:25,600 --> 00:00:29,920
word objectives and goals. 
I agree with you, they probably 

10
00:00:29,920 --> 00:00:34,160
mean about the same thing. 
I think objectives implies that 

11
00:00:34,160 --> 00:00:39,680
there's some kind of metric 
driving like we want to get 10% 

12
00:00:39,680 --> 00:00:44,280
more efficient or we want to 
improve our security platform by

13
00:00:44,720 --> 00:00:48,560
some metric and that ought to be
the objective. 

14
00:00:48,960 --> 00:00:51,840
So you see, the objective is 
like the measurable result of a 

15
00:00:51,840 --> 00:00:52,840
goal. 
I think. 

16
00:00:52,840 --> 00:00:56,400
So OK, I mean I can argue it 
both ways, but I don't, I don't 

17
00:00:56,400 --> 00:01:05,239
want to argue. 
This is Identity at the Center

18
00:01:05,960 --> 00:01:09,040
if it has anything to do with 
IAM. 

19
00:01:09,040 --> 00:01:15,600
This is the go-to podcast. Now
your hosts, Jim McDonald and Jeff

20
00:01:15,600 --> 00:01:23,520
Steadman.
Welcome to the Identity at the 

21
00:01:23,520 --> 00:01:25,440
Center podcast. 
I'm Jeff, and that's Jim. 

22
00:01:25,440 --> 00:01:27,640
Hey, Jim. 
Hey, Jeff, how are you? 

23
00:01:29,400 --> 00:01:32,240
Oh, not so bad yourself. 
I think we're having the 

24
00:01:32,240 --> 00:01:36,360
Internet as you're saying, we 
are best on this episode, but 

25
00:01:37,160 --> 00:01:39,200
we'll just. 
It's very laggy, that's for 

26
00:01:39,200 --> 00:01:39,920
sure. 
I feel like there's like a 

27
00:01:39,920 --> 00:01:43,680
delay, like I'm saying something
and then the gears are turning 

28
00:01:43,680 --> 00:01:46,080
in your brain like, oh, 
processing, processing. 

29
00:01:46,080 --> 00:01:51,200
OK, now we put out voice. 
I'm responding as soon as I hear

30
00:01:51,200 --> 00:01:53,760
your question, man.
That's all I can tell you. 

31
00:01:53,760 --> 00:01:57,720
But minimally tell, we're doing 
our best to stay on track of 

32
00:01:58,360 --> 00:02:01,880
recording an episode and 
publishing one every Monday. 

33
00:02:02,160 --> 00:02:05,960
That's our commitment to our 
loyal listeners. 

34
00:02:05,960 --> 00:02:09,960
And hey, sometimes it's going to
be a shit show. 

35
00:02:12,320 --> 00:02:15,000
Yes, very well, maybe. 
So I'll do my best at this and 

36
00:02:15,000 --> 00:02:18,440
make it sound natural, but if 
there are unnatural delays in 

37
00:02:18,440 --> 00:02:22,120
between things that I just can't
do cleanly or make it sound at 

38
00:02:22,120 --> 00:02:24,680
least somewhat normal, I might 
just leave them in and just, 

39
00:02:24,680 --> 00:02:27,360
yeah, deal with it. 
Hopefully the conversation and 

40
00:02:27,360 --> 00:02:31,000
the topic makes up for it. 
And yes, this is the the joy of 

41
00:02:31,000 --> 00:02:33,840
being an identity consultant and
living in out of hotels. 

42
00:02:33,840 --> 00:02:35,880
This time you're in the hotel 
and I'm actually at home. 

43
00:02:35,880 --> 00:02:37,520
So that's a little bit of a role
reversal there. 

44
00:02:38,360 --> 00:02:44,360
Big time and well anyways I had 
meetings in Austin, TX very cool

45
00:02:44,360 --> 00:02:51,320
city, great food and and what I 
learned was that Identity at the

46
00:02:51,320 --> 00:02:53,960
Center stickers are in fact
currency. 

47
00:02:54,320 --> 00:02:57,640
You can use them for people who 
are die-hard listeners.

48
00:02:58,000 --> 00:03:01,520
We had a few at company called 
towels. 

49
00:03:01,600 --> 00:03:07,440
They do B to B CIAM and as
they're in my role as a 

50
00:03:07,440 --> 00:03:10,480
consultant for RSM, that's my 
day job. 

51
00:03:11,320 --> 00:03:15,320
We partner with them. 
It's a good relationship. 

52
00:03:15,680 --> 00:03:19,360
I was there with Chad and 
Fletcher from our team. 

53
00:03:19,840 --> 00:03:23,960
And again, they talk about the 
podcast like they just love it. 

54
00:03:24,040 --> 00:03:28,120
And it's amazing, Jeff, because 
people keep asking like, why 

55
00:03:28,120 --> 00:03:30,120
didn't you guys start doing this
podcast? 

56
00:03:30,360 --> 00:03:32,880
You know, five years ago, 
podcasts weren't even a big 

57
00:03:32,880 --> 00:03:36,080
deal. 
And it's pretty cool. 

58
00:03:36,080 --> 00:03:39,720
Just, I mean, the story's 
pretty, pretty lame. 

59
00:03:39,720 --> 00:03:42,480
It's like, yeah, Jeff asked me 
to probably just start the 

60
00:03:42,480 --> 00:03:44,480
podcast and like, yeah, I guess 
so. 

61
00:03:44,840 --> 00:03:48,480
Like what else are we doing? 
Yeah, all you have to do is just

62
00:03:48,480 --> 00:03:50,080
speak into a microphone, right? 
It's that easy. 

63
00:03:51,680 --> 00:03:55,360
Which one of these? 
I mean, you know. 

64
00:03:56,760 --> 00:03:59,400
Well, except, except when we're 
dealing with weird Marriott 

65
00:03:59,400 --> 00:04:02,160
Internet foibles. 
You know, that's the one thing 

66
00:04:02,160 --> 00:04:06,840
that I think hotels have really 
missed the boat on is just

67
00:04:06,840 --> 00:04:10,040
lackluster Wi-Fi all over the place.
It's just not good. 

68
00:04:10,160 --> 00:04:13,320
Yeah, totally. 
And even enhanced Internet is 

69
00:04:13,840 --> 00:04:18,079
enhanced of a what over horrible
Internet that operates at the 

70
00:04:18,079 --> 00:04:21,000
speed of like flip phones? 
I don't know. 

71
00:04:21,160 --> 00:04:22,960
Well, you're tethered to your 
phone, so we'll give it a shot. 

72
00:04:23,320 --> 00:04:26,400
Why don't we get into a couple 
of the conferences that we want 

73
00:04:26,400 --> 00:04:27,840
to make sure people are aware 
of. 

74
00:04:28,240 --> 00:04:29,960
We can talk about Identity Week 
in Asia. 

75
00:04:29,960 --> 00:04:31,960
We were just at the DC 
conference, which was a lot of 

76
00:04:31,960 --> 00:04:35,680
fun about Asia still taking 
place October 22nd and 23rd. 

77
00:04:35,680 --> 00:04:39,160
And if you use the code IDAC 30,
that gets you 30% off. 

78
00:04:39,400 --> 00:04:41,040
We'll have a link in our show 
notes for people to check that 

79
00:04:41,040 --> 00:04:43,840
out. 
But before that, we've got the 

80
00:04:43,840 --> 00:04:46,840
Authenticate conference that you
and I are going to be at October

81
00:04:46,840 --> 00:04:51,640
14th through the 16th in 
Carlsbad, CA IDAC 15 gets you 

82
00:04:51,640 --> 00:04:55,720
15% off of your registration and
I am very much looking forward 

83
00:04:55,720 --> 00:04:57,640
to that conference. 
We've got some exciting plans 

84
00:04:58,320 --> 00:05:00,360
for what we're going to be doing
there. 

85
00:05:00,360 --> 00:05:04,320
As part of sort of the official 
agenda, if you received an 

86
00:05:04,320 --> 00:05:07,960
e-mail asking you to fill out a 
survey with a bunch of identity 

87
00:05:07,960 --> 00:05:10,640
questions, please do so because 
that's for us. 

88
00:05:11,080 --> 00:05:14,360
And it's something that Jim and 
I are working on and we need as 

89
00:05:14,360 --> 00:05:17,000
much participation as possible 
from people listening. 

90
00:05:17,000 --> 00:05:20,720
So if you're attending the final
conference, whether it's remote 

91
00:05:20,720 --> 00:05:23,320
or in person, hopefully you have
an e-mail. 

92
00:05:23,320 --> 00:05:28,600
If not, check your spam folders 
and look for that survey so that

93
00:05:28,600 --> 00:05:31,960
we can collect some information 
from folks and turn into what we

94
00:05:31,960 --> 00:05:34,120
hope will be a really fun 
session at the conference 

95
00:05:34,120 --> 00:05:36,040
itself. 
That will be in person, and I 

96
00:05:36,040 --> 00:05:37,160
believe it's going to be 
streamed too. 

97
00:05:37,160 --> 00:05:39,160
So it'll be a lot of fun, but we
need your help. 

98
00:05:39,160 --> 00:05:42,600
So that's my tweet. 
Everyone has register register 

99
00:05:42,640 --> 00:05:44,360
using our code. 
Yeah, of course. 

100
00:05:44,720 --> 00:05:47,800
So you save money, we get a, we 
get a little bit of of credit as

101
00:05:47,800 --> 00:05:49,880
far as like, hey, you know what,
we want to partner with you guys

102
00:05:49,880 --> 00:05:53,240
again because we were able to 
drive some some folks to attend.

103
00:05:53,240 --> 00:05:55,920
So that's how that works. 
Yeah. 

104
00:05:55,920 --> 00:06:00,360
So conferences and I think 
today's is kind of be about 

105
00:06:00,880 --> 00:06:04,240
conversations that you and I 
have both been having and sort 

106
00:06:04,240 --> 00:06:07,160
of our real jobs around IAM
programs. 

107
00:06:07,160 --> 00:06:09,200
I'm kind of like thinking about 
this like, all right, so you 

108
00:06:09,200 --> 00:06:12,760
want to start an IAM program,
Cool. 

109
00:06:12,760 --> 00:06:17,160
Now what, what do you do first and
maybe kind of take a high level 

110
00:06:17,160 --> 00:06:19,880
approach here from a, from a 
strategic perspective, say, OK, 

111
00:06:20,320 --> 00:06:23,400
here's how we want to go about 
building out an identity and 

112
00:06:23,400 --> 00:06:26,120
access management program. 
And I think this applies to 

113
00:06:26,120 --> 00:06:30,000
really any organization. 
If you have an IAM program,

114
00:06:30,000 --> 00:06:33,440
great. 
Take a look at it and let's see,

115
00:06:33,440 --> 00:06:35,440
you know, if there's anything 
that we mentioned here that you 

116
00:06:35,440 --> 00:06:38,000
might want to incorporate. 
If you haven't started one, a

117
00:06:38,000 --> 00:06:40,880
better time than now to start 
thinking about, OK, how do we 

118
00:06:40,880 --> 00:06:44,520
want to get things kicked off? 
So why don't we start there? 

119
00:06:44,760 --> 00:06:47,760
And I think the first thing that
you probably want to start to 

120
00:06:47,760 --> 00:06:51,960
think about is what is your IAM
program want to be when it grows

121
00:06:51,960 --> 00:06:54,640
up? 
What are its goals, its hopes, 

122
00:06:54,640 --> 00:06:57,240
its dreams? 
What is the scope? 

123
00:06:57,680 --> 00:07:00,200
You know, what is it your 
program is meant to address? 

124
00:07:00,640 --> 00:07:04,600
Is it internal enterprise 
workforce, you know, employees, 

125
00:07:04,600 --> 00:07:09,320
is it customer, is it both? 
Should you mix both into the 

126
00:07:09,320 --> 00:07:11,360
same program? 
You know, I think there's, 

127
00:07:11,360 --> 00:07:13,280
there's different options 
there's but what do you think 

128
00:07:13,280 --> 00:07:16,480
about starting there? 
Jim is like, hey, let's, let's 

129
00:07:16,480 --> 00:07:19,240
figure out what we want to be 
before we start to design this 

130
00:07:19,240 --> 00:07:21,640
thing. 
Yeah, I think goals and scope

131
00:07:21,640 --> 00:07:25,400
are obvious two things that you 
need to define. 

132
00:07:25,760 --> 00:07:29,080
I think sometimes you have to 
work backwards into that. 

133
00:07:29,480 --> 00:07:31,320
In other words, what are the 
drivers? 

134
00:07:31,320 --> 00:07:34,600
What are the outcomes that 
you're trying to achieve? 

135
00:07:35,720 --> 00:07:40,680
When I think about these drivers
and the outcomes, a lot of times

136
00:07:40,680 --> 00:07:46,640
it's it boils down to improved 
efficiency, reduced cost and 

137
00:07:47,200 --> 00:07:52,320
improved security and a rich 
reduced risk, improved 

138
00:07:52,680 --> 00:07:56,520
compliance results. 
So if you have those objectives 

139
00:07:56,520 --> 00:08:01,080
in mind, that helps and 
certainly helps you drive your 

140
00:08:01,080 --> 00:08:05,240
scope because if all these 
things require that you're doing

141
00:08:05,960 --> 00:08:09,440
a workforce saying customer
IAM, that may be the scope of

142
00:08:09,440 --> 00:08:12,600
your project. 
You may know those things are 

143
00:08:12,600 --> 00:08:15,760
scope of your program, you may 
know those things going in. 

144
00:08:16,480 --> 00:08:20,160
But either way, I think it's 
important to define what are the

145
00:08:20,160 --> 00:08:23,200
drivers, what are the outcomes 
that you're looking to achieve 

146
00:08:23,600 --> 00:08:25,600
within your program? 
I feel like we're saying the 

147
00:08:25,600 --> 00:08:27,080
same thing. 
We're setting goals, we're 

148
00:08:27,080 --> 00:08:29,400
saying outcomes. 
So I think we're on the same 

149
00:08:29,400 --> 00:08:31,960
page and I think those goals and
outcomes are very different 

150
00:08:32,000 --> 00:08:35,480
based on your scope. 
So if your, if your remit within

151
00:08:35,480 --> 00:08:38,640
the organization is you're in 
charge of employees, that's 

152
00:08:38,640 --> 00:08:42,200
going to be a very different, 
you know, set of outcomes that 

153
00:08:42,200 --> 00:08:44,640
you're trying to put in place if
it, you know, compared to 

154
00:08:45,000 --> 00:08:46,880
customers, right, true 
customers. 

155
00:08:47,320 --> 00:08:49,640
And maybe maybe organization is 
more in the middle where it's 

156
00:08:49,640 --> 00:08:52,120
like B to B is more like 
partners and other vendors and 

157
00:08:52,120 --> 00:08:53,760
things like that. 
Think of like like a dealer 

158
00:08:53,760 --> 00:08:56,200
network, right? 
Or insurances like that too, 

159
00:08:56,200 --> 00:08:57,320
right? 
We have a lot of different kind 

160
00:08:57,320 --> 00:08:59,480
of B to B partners that are, are
doing things. 

161
00:08:59,920 --> 00:09:05,080
So certainly figuring out those 
initial things starts to take 

162
00:09:05,080 --> 00:09:07,640
the, the, the universe, right, 
and make it a little bit 

163
00:09:07,640 --> 00:09:09,520
smaller. 
And I think that's, that's 

164
00:09:09,520 --> 00:09:12,280
helpful because if you have a 
tighter scope and a tighter 

165
00:09:12,600 --> 00:09:17,160
vision of what's of what you're 
trying to do, that helps narrow 

166
00:09:17,160 --> 00:09:20,080
the focus and say, OK, here's 
the path you want to follow. 

167
00:09:20,080 --> 00:09:22,600
Because otherwise, you know, 
it's like a, it's like me 

168
00:09:22,600 --> 00:09:25,320
playing Grand Theft Auto. 
They're sure there's a main 

169
00:09:25,320 --> 00:09:27,440
story and a main quest or 
whatever you want to call it, 

170
00:09:27,960 --> 00:09:30,000
but I just happen to just 
randomly drive around and find 

171
00:09:30,000 --> 00:09:33,080
random things to work on. 
So I need like something that's 

172
00:09:33,080 --> 00:09:36,120
a little more on rail sometimes.
Right. 

173
00:09:36,440 --> 00:09:41,680
Maybe it's like if we achieve 
the scope of getting $35,000, we

174
00:09:41,680 --> 00:09:43,480
can get a better car in the 
game. 

175
00:09:44,760 --> 00:09:47,680
That's really what I think. 
It's the difference between the 

176
00:09:47,680 --> 00:09:52,000
word objectives and goals. 
I agree with you, they probably 

177
00:09:52,000 --> 00:09:56,240
mean about the same thing. 
I think objectives implies that 

178
00:09:56,240 --> 00:10:01,800
there's some kind of metric 
driving like we want to get 10% 

179
00:10:01,800 --> 00:10:06,360
more efficient or we want to 
improve our security platform by

180
00:10:06,800 --> 00:10:10,640
some metric and that ought to be
the objective. 

181
00:10:11,040 --> 00:10:13,920
So you see, the objective is 
like the measurable result of a 

182
00:10:13,920 --> 00:10:14,920
goal. 
I think. 

183
00:10:14,920 --> 00:10:18,480
So OK, I mean I can argue it 
both ways, but I don't, I don't 

184
00:10:18,480 --> 00:10:20,640
want to argue. 
Yeah, no, not. 

185
00:10:20,640 --> 00:10:22,840
Let's just call it that for now,
yeah. 

186
00:10:22,840 --> 00:10:25,560
That's how it feels, obviously 
that's how it feels at the 

187
00:10:25,560 --> 00:10:28,200
moment. 
OK, so we've got our objectives,

188
00:10:28,200 --> 00:10:32,280
we've got our goals and scope. 
What do you think is the next 

189
00:10:32,280 --> 00:10:34,120
step that we that we want to 
start to think about? 

190
00:10:35,040 --> 00:10:39,280
Well, normally what we do and we
engage in this process with the 

191
00:10:39,280 --> 00:10:41,400
client is we start with an 
assessment. 

192
00:10:41,880 --> 00:10:46,720
And so it's very helpful to have
people who have perspective. 

193
00:10:47,000 --> 00:10:51,520
So either maybe people on your 
team have a good deal of 

194
00:10:51,520 --> 00:10:56,440
experience of working at 
different organizations within 

195
00:10:56,960 --> 00:11:01,760
your industry and have some 
background in how IAM is being

196
00:11:01,760 --> 00:11:06,000
done at different places. 
Or you engage with the third 

197
00:11:06,000 --> 00:11:11,840
party and which I've experienced
with seeing what works well, 

198
00:11:11,840 --> 00:11:15,560
what doesn't work well from an 
identity perspective. 

199
00:11:16,000 --> 00:11:20,000
And then designing, well, really
performing an assessment of 

200
00:11:20,600 --> 00:11:25,520
where you sent, how mature are 
your current processes compared 

201
00:11:25,520 --> 00:11:31,320
to other organizations in your 
industry and a world at large. 

202
00:11:31,560 --> 00:11:35,320
Yeah, I think about it as, all 
right, I want to build this Lego

203
00:11:35,600 --> 00:11:38,520
car, spaceship, boat, whatever 
it may be. 

204
00:11:38,880 --> 00:11:43,000
What Legos do I have that will 
help me get to that end state of

205
00:11:43,000 --> 00:11:44,280
whatever it is I'm trying to 
building? 

206
00:11:44,880 --> 00:11:46,600
And more importantly, what Legos
am I missing? 

207
00:11:47,120 --> 00:11:49,040
Do I need, Do I have the right 
people? 

208
00:11:49,040 --> 00:11:51,200
Do I have the right processes, 
the right technologies? 

209
00:11:51,680 --> 00:11:53,760
So I think about it from an 
inventory perspective to say, 

210
00:11:53,760 --> 00:11:57,000
OK, here's what we've got, 
here's where we're trying to go,

211
00:11:57,440 --> 00:11:58,720
what's working, what's not 
working? 

212
00:11:58,720 --> 00:12:00,080
What are the parts that are 
missing? 

213
00:12:00,280 --> 00:12:03,800
What are other people doing to 
solve for maybe some of these 

214
00:12:03,800 --> 00:12:05,320
gaps? 
Maybe there's a unique Lego 

215
00:12:05,320 --> 00:12:07,760
shape and there's only three of 
them in the world and you're not

216
00:12:07,760 --> 00:12:09,280
going to have access to it, so 
you've got to come up with an 

217
00:12:09,280 --> 00:12:12,560
alternative. 
So I think working through that 

218
00:12:12,560 --> 00:12:17,040
process of assessing and saying,
OK, these, these are the things 

219
00:12:17,040 --> 00:12:19,120
we have to play with. 
What does our toolbox look like?

220
00:12:19,800 --> 00:12:22,960
Are the tools we have good 
enough or do we need to buy new 

221
00:12:22,960 --> 00:12:28,240
tools or upgrade our current 
tools or train our current tools

222
00:12:28,680 --> 00:12:31,320
right? 
Or maybe learn to use our tools 

223
00:12:31,320 --> 00:12:33,800
in a different way through a 
business process or something 

224
00:12:34,160 --> 00:12:35,480
that makes things more 
efficient? 

225
00:12:35,560 --> 00:12:39,520
So I'm totally with you right 
there is like, OK, goals, let's 

226
00:12:39,520 --> 00:12:41,280
set them up. 
Let's set our objectives now 

227
00:12:41,280 --> 00:12:43,720
let's assess and see what we've 
got to play with and where we 

228
00:12:43,720 --> 00:12:45,880
want and how are we going to get
there with the tools we've got. 

229
00:12:45,880 --> 00:12:47,880
Does that make sense? 
Yeah. 

230
00:12:47,880 --> 00:12:50,000
And it it makes you think of an 
example. 

231
00:12:50,000 --> 00:12:53,160
So one of the areas that we 
talked about in this one of 

232
00:12:53,160 --> 00:12:57,120
these Lego boxes is what is the 
system of record for your 

233
00:12:57,120 --> 00:13:00,040
identities? 
Normally companies do a very 

234
00:13:00,040 --> 00:13:04,360
good job of having all their 
employees in a single HR system.

235
00:13:04,880 --> 00:13:08,720
They have a good search system 
of record for who works. 

236
00:13:08,720 --> 00:13:13,200
Sierra Star's employees, 
contractors, It's really hit or 

237
00:13:13,200 --> 00:13:16,000
miss. 
Some, many organizations have 

238
00:13:16,280 --> 00:13:21,000
spreadsheets or databases of 
contractors without having the 

239
00:13:21,280 --> 00:13:24,920
perspective of what is best 
practice, what are other 

240
00:13:24,920 --> 00:13:30,440
organizations doing? Spreadsheet
good enough databases could not.

241
00:13:30,440 --> 00:13:33,360
I mean, generally the answer is 
going to be no. 

242
00:13:33,680 --> 00:13:35,320
But how would you know such 
things? 

243
00:13:35,320 --> 00:13:39,800
So I think having some 
experiences because trying to 

244
00:13:39,800 --> 00:13:42,880
think about the identity 
management, it's experience 

245
00:13:42,880 --> 00:13:46,400
based and you know from a 
consulting standpoint it's 

246
00:13:46,680 --> 00:13:50,200
experience based. 
It's not like you go into each 

247
00:13:50,200 --> 00:13:53,360
client organization and come up 
with the whiz-bang solution,

248
00:13:53,760 --> 00:13:57,320
coming up with the solution 
based on what you've seen work 

249
00:13:57,320 --> 00:14:01,600
in other places and what you've 
seen where it's caused major 

250
00:14:01,600 --> 00:14:03,520
problems. 
You want to avoid major 

251
00:14:03,520 --> 00:14:06,040
problems. 
So that example I just used, a 

252
00:14:06,040 --> 00:14:09,920
major problem is an organization
where we've got a spreadsheet 

253
00:14:09,920 --> 00:14:14,400
for every country and they may 
or may not have the contractors 

254
00:14:14,400 --> 00:14:17,800
in that spreadsheet. 
We may or may not have all the 

255
00:14:17,800 --> 00:14:20,560
identity identities in the 
system of record. 

256
00:14:21,040 --> 00:14:24,560
That is not going to be a good 
starting point for an IGA 

257
00:14:24,560 --> 00:14:26,400
implementation. 
Yeah, if you're trying to go 

258
00:14:26,400 --> 00:14:28,240
down the IGA route, you 
definitely are. 

259
00:14:28,480 --> 00:14:31,400
The goal is to become more 
data-driven in that aspect is 

260
00:14:31,520 --> 00:14:35,200
you want good timely quality 
data sources to drive that 

261
00:14:35,200 --> 00:14:37,400
automation. 
But let me take the alternative 

262
00:14:37,400 --> 00:14:41,920
here. 
If contractors are only 1% of 

263
00:14:41,920 --> 00:14:48,200
your total users, is it worth 
saying, OK, well, we haven't won

264
00:14:48,200 --> 00:14:52,320
the battle yet to put them in our
Workday or whatever, you know,

265
00:14:52,320 --> 00:14:55,240
ADP, whatever the identity 
source of truth is for for 

266
00:14:55,240 --> 00:14:59,200
employees. 
Can we get away with. 

267
00:14:59,240 --> 00:15:00,800
Yeah, you know what, that's 
going to have to be a 

268
00:15:00,800 --> 00:15:02,960
spreadsheet for now. 
And maybe it's a little bit of a

269
00:15:02,960 --> 00:15:05,400
Field of Dreams approach where 
we say, well, we're going to 

270
00:15:05,400 --> 00:15:08,080
build it and we're going to hope
there comes the employees will 

271
00:15:08,080 --> 00:15:10,760
be taken care of and people are 
going to start to wonder why 

272
00:15:10,760 --> 00:15:15,480
contractors don't have the same 
experience and they are more of 

273
00:15:15,480 --> 00:15:17,840
a hassle. 
Well, here's why, because we've 

274
00:15:18,200 --> 00:15:20,920
we've got the tools, we've got 
the business processes in place 

275
00:15:20,920 --> 00:15:24,200
to manage our employees. 
But for whatever reason, non 

276
00:15:24,200 --> 00:15:27,600
employees have, you know, don't 
have feature parity, right when 

277
00:15:27,600 --> 00:15:29,080
it comes to those business 
processes. 

278
00:15:29,960 --> 00:15:31,840
And so that's an option, you 
know, I guess. 

279
00:15:31,840 --> 00:15:34,280
So I'm just. 
One example, but I think it's 

280
00:15:34,320 --> 00:15:36,600
good that you bring up the 
devil's advocate approach

281
00:15:36,600 --> 00:15:42,800
because I think the scenario you
brought in was a very edge use 

282
00:15:42,800 --> 00:15:47,400
case where the company has, 
let's say thousands of employees

283
00:15:47,880 --> 00:15:52,600
and only 1% of those employees 
are, I should say a thousands in

284
00:15:52,600 --> 00:15:56,400
the workforce and only 1% of 
those are non employees. 

285
00:15:56,880 --> 00:16:03,040
That's I, I almost goes as far 
as to say I've seen that very 

286
00:16:03,040 --> 00:16:06,800
rarely or maybe never. 
It's almost always a greater 

287
00:16:06,800 --> 00:16:10,520
percentage, always almost always
dealing with hundreds or even 

288
00:16:10,520 --> 00:16:14,280
thousands of contractors. 
In those cases, you need to have

289
00:16:14,280 --> 00:16:16,520
a system of record.
When you're talking about a 

290
00:16:16,520 --> 00:16:22,120
couple dozen individuals, you 
may be able to come up with a a 

291
00:16:22,120 --> 00:16:24,480
more simplified way to manage to
choose. 

292
00:16:25,000 --> 00:16:27,800
Ultimately, you do need to come 
up with a solution. 

293
00:16:28,080 --> 00:16:32,040
That's just one example of many 
identity use cases. 

294
00:16:32,240 --> 00:16:34,280
Yeah, I mean, I agree with you. 
I, I, you know, there's there's 

295
00:16:34,280 --> 00:16:37,400
no magic number, right? 
1% of 1,000,000 is a lot of 

296
00:16:37,400 --> 00:16:40,680
people. 
So I think it really is kind of 

297
00:16:40,800 --> 00:16:43,640
let's take into context and say,
OK, well how big of a problem is

298
00:16:43,640 --> 00:16:46,880
this? 
And do we, do we stop progress 

299
00:16:47,040 --> 00:16:50,480
because 1% of our population is 
not going to be addressed and 

300
00:16:50,480 --> 00:16:55,240
addressed very well? 
I'd argue no, unless that 1% is 

301
00:16:55,240 --> 00:16:59,040
like critical to the business 
and causes a outsized amount of 

302
00:16:59,040 --> 00:17:01,720
risk that you're unwilling to 
take, then OK, let's figure it 

303
00:17:01,720 --> 00:17:03,760
out. 
Ideally you've got everyone 

304
00:17:03,760 --> 00:17:06,599
covered, but I think in the real
world, you have to make 

305
00:17:06,599 --> 00:17:10,000
sacrifices sometimes. 
And that might be a battle that 

306
00:17:10,000 --> 00:17:13,680
you, you know, push down the 
road a little bit rather than 

307
00:17:13,680 --> 00:17:16,079
just waiting for everything to 
be perfect before you start, 

308
00:17:16,079 --> 00:17:17,400
because that's it's, it's never 
going to happen. 

309
00:17:17,440 --> 00:17:19,920
You got to start somewhere. 
But I'm with you on that because

310
00:17:19,920 --> 00:17:22,520
a lot of times these programs we
start to think about this is 

311
00:17:22,520 --> 00:17:25,720
like, hey, this, this advice 
you're, you're saying Jim and 

312
00:17:25,720 --> 00:17:30,440
Jeff sounds, you know, pretty, 
you know, common sense like duh.

313
00:17:30,880 --> 00:17:34,400
Well, some of it is, yes, but 
people aren't doing it. 

314
00:17:34,400 --> 00:17:36,600
It's like, OK, well, why aren't 
you doing it? 

315
00:17:36,640 --> 00:17:38,440
Why aren't you setting a 
structure around this? 

316
00:17:38,440 --> 00:17:40,640
You know, who owns identity and 
access management, right? 

317
00:17:40,640 --> 00:17:42,040
Things like basic questions like
that. 

318
00:17:42,520 --> 00:17:46,080
And so sometimes it doesn't 
sound so innovative until you 

319
00:17:46,080 --> 00:17:49,280
get further down the road and 
say, oh, yeah, we needed to 

320
00:17:49,280 --> 00:17:52,840
like, build the base, you know, 
before we started to add in all 

321
00:17:52,840 --> 00:17:55,360
the fancy stuff that that we 
really were thinking about 

322
00:17:55,360 --> 00:17:57,560
getting to. 
But if you had tried to do, you 

323
00:17:57,560 --> 00:18:00,760
know, let's put AI on top of it 
right now, terrible time. 

324
00:18:01,040 --> 00:18:02,480
You're, you're, you're not going
to enjoy it. 

325
00:18:02,960 --> 00:18:05,400
The data will be suspect and 
you'll wonder why you ever did 

326
00:18:05,400 --> 00:18:08,800
this in the 1st place. 
So I, I'm a firm believer in and

327
00:18:08,800 --> 00:18:10,480
thinking about that firm 
foundation. 

328
00:18:10,480 --> 00:18:11,960
And that's where that assessment
part comes in. 

329
00:18:11,960 --> 00:18:13,760
It's like, OK, what do we have 
to play with? 

330
00:18:13,760 --> 00:18:15,280
What's realistic? 
I see. 

331
00:18:15,400 --> 00:18:19,480
The other thing about an 
assessment is that you're going 

332
00:18:19,480 --> 00:18:23,680
to find where are your big gaps,
Where is it that you really need

333
00:18:23,680 --> 00:18:28,360
to have a mature, stable process
and you're underwhelming. 

334
00:18:28,880 --> 00:18:34,920
And I think probably most 
practitioners intuitively know 

335
00:18:34,920 --> 00:18:39,240
where those gaps are. 
But putting together a bar chart

336
00:18:39,240 --> 00:18:43,440
of like we're here in terms of 
maturity, we need to get there 

337
00:18:43,640 --> 00:18:48,640
or where we are, where we are 
heading, I think that's an 

338
00:18:48,640 --> 00:18:51,000
important exercise. 
I think it's important. 

339
00:18:51,000 --> 00:18:54,680
I don't place as much. 
I mean, it's a bar chart and you

340
00:18:54,680 --> 00:18:56,560
know, 50% of all stats are 
made up.

341
00:18:57,080 --> 00:19:00,720
So you know, it's kind of like, 
OK, maybe that's what you need 

342
00:19:00,720 --> 00:19:04,160
to get executive buy in because 
ultimately you're going to need 

343
00:19:04,160 --> 00:19:05,920
executive buy in to get this 
thing going. 

344
00:19:06,520 --> 00:19:10,240
And so maybe, you know, your 
executives are very big on 

345
00:19:10,240 --> 00:19:12,520
charts and you need to quantify 
everything or as much as you 

346
00:19:12,520 --> 00:19:15,400
possibly can, but sometimes 
those metrics might be a little 

347
00:19:15,400 --> 00:19:17,040
bit subjective and you have to 
kind of explain. 

348
00:19:17,040 --> 00:19:19,560
OK, well, you know, the Active 
Directory team is doing a great 

349
00:19:19,560 --> 00:19:23,480
job, but AWS stinks. 
So how do you try to combine 

350
00:19:23,480 --> 00:19:25,880
things into like one bar chart
might be a little bit 

351
00:19:25,880 --> 00:19:27,600
challenging. 
So I think you have to kind of 

352
00:19:27,600 --> 00:19:30,960
understand as part of that 
assessment process to say, OK, 

353
00:19:31,480 --> 00:19:33,360
here's what we're doing
well, here's where we need

354
00:19:33,360 --> 00:19:36,400
improvement and let's figure out
how to get this together because

355
00:19:37,080 --> 00:19:39,360
unless you've got executive buy 
in, you're going nowhere where 

356
00:19:39,360 --> 00:19:40,920
you're going to have a very 
difficult time. 

357
00:19:40,920 --> 00:19:44,360
This is not a grassroots 
campaign that you can typically 

358
00:19:44,560 --> 00:19:47,800
stand up and all of a sudden 
you've got, you know, whatever 

359
00:19:47,800 --> 00:19:50,800
investment people or technology 
that you need to get things 

360
00:19:50,800 --> 00:19:53,240
started and certainly not you 
don't have the support to do 

361
00:19:53,240 --> 00:19:55,400
business change, which is 
really, really hard. 

362
00:19:55,960 --> 00:19:58,000
That's probably the hardest 
thing of us, if it's the change 

363
00:19:58,000 --> 00:20:00,600
and you need the executives to 
be part of that, that process. 

364
00:20:00,600 --> 00:20:04,600
Yeah, I think that's one of the 
reasons I love interviewing 

365
00:20:05,040 --> 00:20:08,800
chief information security 
officers on the podcast is that 

366
00:20:09,320 --> 00:20:14,840
they speak the executive speak, 
but understand cybersecurity. 

367
00:20:15,120 --> 00:20:20,760
So they're able to put 
investments and return on 

368
00:20:20,760 --> 00:20:24,640
investors in terms that 
executives get. 

369
00:20:24,640 --> 00:20:27,960
Why would I spend money to 
reduce risk? 

370
00:20:28,280 --> 00:20:33,320
I could spend that money to 
improve my business in other 

371
00:20:33,320 --> 00:20:36,080
ways. 
So it's important to make that 

372
00:20:37,480 --> 00:20:42,320
that business case, that return 
on investment case for investing

373
00:20:42,320 --> 00:20:46,120
in identity and access 
management, investing in an 

374
00:20:46,120 --> 00:20:50,040
improved user experience or 
improved security posture. 

375
00:20:51,760 --> 00:20:54,040
Yeah. 
And so you need the people who 

376
00:20:54,400 --> 00:20:58,280
get that, who understand that 
and are good at making that case

377
00:20:58,760 --> 00:21:03,160
or you're going to be running 
around and doing IM on, you 

378
00:21:03,160 --> 00:21:06,360
know, pocket change. 
That is no fun. 

379
00:21:06,760 --> 00:21:10,680
Not only is it no fun, but it's 
hard to be effective and you're 

380
00:21:10,680 --> 00:21:12,920
going to constantly be chasing 
your tail. 

381
00:21:13,160 --> 00:21:16,880
Yeah, I think one thing that 
I've seen a big improvement 

382
00:21:16,880 --> 00:21:19,520
over the years in talking with 
CSOs and others at the 

383
00:21:19,520 --> 00:21:24,240
executive level is their ability
to articulate why something 

384
00:21:24,240 --> 00:21:27,280
needs to be done. 
Because a lot of times the pain 

385
00:21:27,360 --> 00:21:31,480
and suffering is hidden because 
there are heroic IM people 

386
00:21:31,480 --> 00:21:36,000
running around doing things that
are beyond the scope of their 

387
00:21:36,000 --> 00:21:39,320
role or going above and beyond 
to fix things just out of the 

388
00:21:39,800 --> 00:21:41,160
they know what's the right thing
to do. 

389
00:21:41,160 --> 00:21:42,960
And a lot of times that stuff 
gets hidden and covered up. 

390
00:21:43,000 --> 00:21:45,200
Well, nothing's broken. 
Why do we need to fix it? 

391
00:21:45,600 --> 00:21:50,040
Well, let's open up the 
covers and look at this, you 

392
00:21:50,040 --> 00:21:52,440
know, engine that is like a 
bunch of popsicle sticks and a 

393
00:21:52,440 --> 00:21:54,800
hamster. 
Like that's not, you know, 

394
00:21:54,800 --> 00:21:58,280
that's that's not where you want
to be and it's it's a risk, 

395
00:21:58,360 --> 00:22:00,240
right? 
If one of those popsicles has a 

396
00:22:00,240 --> 00:22:01,640
break, the whole thing kind of 
falls down. 

397
00:22:01,640 --> 00:22:05,160
Or if the really important 
hamster leaves, who's going to 

398
00:22:05,160 --> 00:22:08,920
drive this engine? 
So I think, I think that a lot 

399
00:22:08,920 --> 00:22:11,360
of the executives that you and I
both talked to have gotten 

400
00:22:11,360 --> 00:22:15,280
better at articulating that of 
here's why the investment is 

401
00:22:15,280 --> 00:22:17,280
important. 
Now ultimately the business is 

402
00:22:17,280 --> 00:22:19,400
going to decide. 
And I think it's the CSO's job 

403
00:22:19,400 --> 00:22:23,320
or whoever's in charge of making
that, that case really needs to 

404
00:22:23,320 --> 00:22:26,800
understand the risk component 
for it and be able to articulate

405
00:22:26,800 --> 00:22:28,720
that out to others to secure the
other buy-in. 

406
00:22:28,720 --> 00:22:31,760
Because it's not like CSOs can 
do this all on their own either.

407
00:22:32,000 --> 00:22:34,840
Typically they have to go out 
and get support from their peers

408
00:22:34,840 --> 00:22:37,320
and other executives right 
within the organization. 

409
00:22:37,840 --> 00:22:41,720
So it's important that that 
executive buy in is in place, 

410
00:22:41,720 --> 00:22:45,040
not just in information security
or wherever the IM program is 

411
00:22:45,040 --> 00:22:47,680
going to live, but across, 
because you're going to need 

412
00:22:47,680 --> 00:22:50,360
people across the organization 
to make this thing happen. 

413
00:22:50,600 --> 00:22:53,000
You're going to need a cross 
functional team, which is really

414
00:22:53,000 --> 00:22:56,200
where you start to say, OK, 
we've got our goals. 

415
00:22:56,640 --> 00:22:58,760
We've started to think about 
what we have in place. 

416
00:22:58,760 --> 00:23:01,960
We've got executives saying, 
yes, you know, proceed, let's 

417
00:23:01,960 --> 00:23:04,720
start to figure out what's next,
and let's put together a team 

418
00:23:04,720 --> 00:23:06,960
because you talked about those 
conversations that you have with

419
00:23:06,960 --> 00:23:08,200
a whole bunch of other people as
well. 

420
00:23:08,480 --> 00:23:10,920
It's not just information 
security as part of an IM 

421
00:23:10,920 --> 00:23:15,360
program, it's infrastructure, 
it's the help desk, it's the 

422
00:23:15,360 --> 00:23:17,760
business themselves. 
So you really want to make sure 

423
00:23:17,760 --> 00:23:19,520
that you pull enough people 
together, but not too many 

424
00:23:19,520 --> 00:23:24,240
people to be able to have 
insight and windows into the 

425
00:23:24,240 --> 00:23:27,200
different parts of the 
organization so that whatever it

426
00:23:27,200 --> 00:23:29,880
is you're designing works for as
many people as possible. 

427
00:23:30,920 --> 00:23:33,520
Yeah. 
And suddenly pulling that 

428
00:23:33,520 --> 00:23:38,480
information in, building evangelists 
in the cross functional area. 

429
00:23:38,480 --> 00:23:44,440
So HR and other parts of IT or 
other departments, they can go 

430
00:23:44,440 --> 00:23:50,280
out and talk to their teams 
about how IAM is coming with 

431
00:23:50,280 --> 00:23:53,960
the strategy, how it's important
to align with the strategy, 

432
00:23:53,960 --> 00:23:59,000
adopt the shared services. 
I always like to talk about the 

433
00:23:59,000 --> 00:24:06,000
360° view of IM conference. 
And we worked with a guy named 

434
00:24:06,000 --> 00:24:09,840
Ben and he's like, oh, gag. 
Like 360. 

435
00:24:09,880 --> 00:24:13,760
Like that's so cliche. 
And I don't think it's about 

436
00:24:13,760 --> 00:24:18,360
7/27/20 is like make your head 
spin on. 

437
00:24:18,640 --> 00:24:23,440
But I think about the 360 is 
like looking at bulb on and 

438
00:24:23,440 --> 00:24:27,320
communicating what the IM 
program is contributing to the 

439
00:24:27,320 --> 00:24:31,440
company and getting feedback 
about what the business is doing

440
00:24:31,640 --> 00:24:34,360
and how the IM team can support 
that. 

441
00:24:34,640 --> 00:24:40,280
It's, you know, working down 
with the IM implementation 

442
00:24:40,280 --> 00:24:44,800
teams, with the operation teams,
the project management office 

443
00:24:45,440 --> 00:24:50,680
and understanding how things are
going with the DJ on the ground.

444
00:24:51,040 --> 00:24:56,760
It's also working laterally with
the business and with other 

445
00:24:56,760 --> 00:25:00,560
technology teams to make sure 
that the services you're 

446
00:25:00,560 --> 00:25:05,000
creating as an IM team are 
effective, that business can use

447
00:25:05,000 --> 00:25:08,200
them, that the business 
understands them, and that from 

448
00:25:08,200 --> 00:25:12,320
a technology perspective, 
they're fitting in with what the

449
00:25:12,320 --> 00:25:14,720
needs are. 
If you're doing all those 

450
00:25:14,720 --> 00:25:17,800
things, you're going to build 
evangelists and the people are 

451
00:25:17,800 --> 00:25:20,960
going to say, hey, the sign in 
program is not so bad. 

452
00:25:21,160 --> 00:25:23,680
And you're getting results out 
of it and things are happening. 

453
00:25:23,680 --> 00:25:26,600
And it's not just, you know, a 
committee for committee's sake, 

454
00:25:27,120 --> 00:25:30,720
that kind of thing. 
Here's why I don't like the 360 

455
00:25:30,800 --> 00:25:33,040
term. 
I get where your, your head is 

456
00:25:33,040 --> 00:25:37,000
at makes sense. 
But to me, 360 is 2 dimensional.

457
00:25:37,600 --> 00:25:40,600
And it's, it's more like it 
needs to be like a sphere or a 

458
00:25:40,600 --> 00:25:43,920
globe. And to be able to say, oh,
we are, you know, we're, we're 

459
00:25:43,920 --> 00:25:46,280
communicating at in all 
directions. 

460
00:25:46,280 --> 00:25:50,720
I don't know if 360 gets that 
three-dimensional aspect to it. 

461
00:25:50,720 --> 00:25:55,080
Does that make sense? 
Well, definitely, I mean in 

462
00:25:55,080 --> 00:25:59,480
terms of the mathematics of the 
360 is definitely 2 dimensional,

463
00:26:00,520 --> 00:26:02,880
so I get that. 
I don't know what the sphere 

464
00:26:02,880 --> 00:26:08,480
would include that the 360 2D 
view doesn't when what are you 

465
00:26:08,480 --> 00:26:09,040
thinking there? 
Let's. 

466
00:26:09,200 --> 00:26:11,040
Let's just go with it. 
Yeah. 

467
00:26:11,040 --> 00:26:13,120
I mean, let's let's go with it 
because I think, I think the 

468
00:26:13,120 --> 00:26:15,360
concept makes sense and I don't 
want to, I don't want to get 

469
00:26:15,360 --> 00:26:20,120
into a geometric discussion, but
I do want to ask you what's at 

470
00:26:20,120 --> 00:26:23,040
the core of that 360 at the 
center? 

471
00:26:23,040 --> 00:26:24,880
Would that be the IAM program 
manager? 

472
00:26:25,920 --> 00:26:29,760
So I always think of the IAM 
steering committee as kind of 

473
00:26:30,080 --> 00:26:33,040
the core body that pulls all 
together. 

474
00:26:33,040 --> 00:26:38,360
But if you go even more central 
to the core, yeah, like now 

475
00:26:38,360 --> 00:26:40,800
you're in that little ball and 
center of the earth. 

476
00:26:41,080 --> 00:26:43,880
This is the IAM program 
manager. 

477
00:26:44,080 --> 00:26:45,800
I don't think it's just one 
single role. 

478
00:26:45,800 --> 00:26:50,440
I think that person holds it 
together that the IAM architect,

479
00:26:50,680 --> 00:26:53,480
they become a team. 
It's like the business person 

480
00:26:53,480 --> 00:26:57,760
and technology person and really
the IAM program manager running 

481
00:26:57,760 --> 00:27:02,400
around who doesn't get the tech 
is going to have a problem being

482
00:27:02,400 --> 00:27:05,560
effective. 
The person who gets the tech but

483
00:27:05,560 --> 00:27:08,760
doesn't understand the business 
is going to have a hard time 

484
00:27:08,760 --> 00:27:11,080
getting around. 
So usually it's two different 

485
00:27:11,080 --> 00:27:12,760
people. 
I guess there could be one 

486
00:27:12,760 --> 00:27:17,160
person who really gets both 
aspects of it, but it's both 

487
00:27:17,160 --> 00:27:20,080
sides ahead. 
And then the third leg of the 

488
00:27:20,080 --> 00:27:24,240
stool, there is one is the 
executive who's kind of saying, 

489
00:27:24,240 --> 00:27:27,800
all right, this is what the 
business needs to buy in. 

490
00:27:27,800 --> 00:27:32,640
So it's not even so much 
conversations upward because 

491
00:27:32,640 --> 00:27:35,160
they're so hard to have. 
You don't get that much time 

492
00:27:35,160 --> 00:27:39,800
from executive teams, so if you 
have somebody who's from that 

493
00:27:40,120 --> 00:27:43,880
that world who is part of your 
core, they can tell you like 

494
00:27:43,880 --> 00:27:46,880
this what the business is 
expecting from the program. 

495
00:27:49,840 --> 00:27:51,800
And they might be part of the 
steering committee or something 

496
00:27:51,800 --> 00:27:52,880
like that. 
But I'm with you. 

497
00:27:53,000 --> 00:27:56,800
I think there's like this, this 
core IAM team that kind of sits

498
00:27:56,800 --> 00:27:58,200
in the middle. 
And there will be other 

499
00:27:58,520 --> 00:28:02,040
resources that kind of spin in 
almost like planets orbiting or 

500
00:28:02,040 --> 00:28:04,720
moons orbiting a planet, right? 
That kind of situation, you 

501
00:28:04,720 --> 00:28:06,840
know, maybe HR is really 
important for this first phase 

502
00:28:06,840 --> 00:28:09,920
because you mentioned IGA, we 
need HR to be there because 

503
00:28:09,920 --> 00:28:12,480
we're going to be using their 
data to drive automation. 

504
00:28:13,000 --> 00:28:16,600
Once that's done, maybe they 
spin out into a further orbit 

505
00:28:16,600 --> 00:28:19,960
where they're, you know, not as 
I want relevance, not the right 

506
00:28:19,960 --> 00:28:22,400
word, but they're not the focus.
You know, maybe now we're 

507
00:28:22,440 --> 00:28:25,440
pulling in IT infrastructure 
team because we're doing 

508
00:28:25,440 --> 00:28:28,240
privileged access management. 
They become much more in focus 

509
00:28:28,240 --> 00:28:31,600
and then OK, we fix that and 
they kind of slowly drift into a

510
00:28:31,600 --> 00:28:33,480
further orbit and then, you 
know, you've got these other 

511
00:28:33,480 --> 00:28:36,280
components that are coming in. 
But I think I'm with you in that

512
00:28:36,280 --> 00:28:37,640
like you've got a program 
manager. 

513
00:28:37,640 --> 00:28:39,880
I'm going to tell you, a good 
program manager is really hard 

514
00:28:39,880 --> 00:28:42,920
to find someone that can 
communicate and understands the 

515
00:28:42,920 --> 00:28:47,360
technology are exceedingly rare.
If you are one of those people, 

516
00:28:48,040 --> 00:28:51,200
be sure you're taking advantage 
of that, of those skills and 

517
00:28:51,200 --> 00:28:52,440
really driving your 
organization. 

518
00:28:52,440 --> 00:28:54,720
If you're, and if you're a, if 
you're a techie and you're 

519
00:28:54,720 --> 00:28:56,240
really not great at 
communicating, work on it. 

520
00:28:56,240 --> 00:28:59,840
I mean, start to work on the 
communication and if you're a 

521
00:28:59,840 --> 00:29:01,920
good communicator, but you 
understand the tech, you know, 

522
00:29:01,920 --> 00:29:04,880
watch videos, get more involved 
with that stuff and kind of 

523
00:29:04,880 --> 00:29:07,800
learn it. 
Because I do see that that 

524
00:29:07,800 --> 00:29:11,640
unicorn of a single program 
manager that understands the 

525
00:29:11,640 --> 00:29:15,520
vision of the program can 
communicate why that's important

526
00:29:15,520 --> 00:29:17,880
and what people are going to get
out of that in layman's terms, 

527
00:29:18,680 --> 00:29:21,520
terms that everyone's going to 
be able to understand, but also 

528
00:29:21,520 --> 00:29:23,320
understands the technology. 
They don't need to be a 

529
00:29:23,320 --> 00:29:25,320
developer. 
They don't need to be, you know,

530
00:29:25,320 --> 00:29:29,160
in the guts of the applications 
configuring things, but they 

531
00:29:29,160 --> 00:29:31,880
need to understand the 
capabilities that are there and 

532
00:29:32,080 --> 00:29:35,640
have the resources at their 
disposal to enact those things. 

533
00:29:36,040 --> 00:29:38,600
Engineers, analysts, you know, 
whatever that looks like for the

534
00:29:38,600 --> 00:29:41,520
tools. 
Yeah, I mean, let's try the most

535
00:29:41,520 --> 00:29:43,480
important role in the program 
overall. 

536
00:29:43,720 --> 00:29:46,440
You brought the cross functional
team line is thinking about 

537
00:29:46,440 --> 00:29:48,640
that. 
You know everything we just 

538
00:29:48,640 --> 00:29:54,360
described would work as well for
a workforce IM program or 

539
00:29:54,360 --> 00:29:57,400
customer IM program. 
Oh, you think about that 

540
00:29:57,400 --> 00:29:59,480
important role of the program 
manager. 

541
00:30:00,000 --> 00:30:03,360
How often have we talked to 
folks who've made their way 

542
00:30:03,360 --> 00:30:08,360
through I to become the identity
program manager, you know, 

543
00:30:08,360 --> 00:30:13,480
essentially the chief 
practitioner of IAM for their 

544
00:30:13,480 --> 00:30:17,520
organization and how many 
different paths people can take 

545
00:30:17,960 --> 00:30:21,400
to get there. 
I usually find that it's people 

546
00:30:21,400 --> 00:30:26,440
who understand the business, 
know how to make the case for 

547
00:30:26,440 --> 00:30:30,440
return on investment, and have 
enough technology understanding 

548
00:30:30,440 --> 00:30:34,320
that they know what the parts of
pieces are or more. 

549
00:30:34,800 --> 00:30:37,520
You know, I don't think that 
just because you're not 

550
00:30:37,520 --> 00:30:42,080
technical, you should use as an 
excuse to say I don't need to 

551
00:30:42,080 --> 00:30:44,160
learn that or I don't want to 
learn that. 

552
00:30:44,440 --> 00:30:48,200
I think be a sponge. 
I think if you're technical, 

553
00:30:48,560 --> 00:30:51,000
learn as much as you can about 
business. 

554
00:30:51,360 --> 00:30:54,480
They can only help you in 
whatever position you take. 

555
00:30:54,560 --> 00:30:57,640
Yeah, I totally agree. 
I think once you've got that 

556
00:30:57,680 --> 00:31:00,920
team in place, now you start to 
think about the tools you're 

557
00:31:00,920 --> 00:31:04,720
going to do battle with, right? 
What are the capabilities you 

558
00:31:04,720 --> 00:31:06,480
want to bring in? 
Do you need an IGA tool? 

559
00:31:06,480 --> 00:31:08,920
Do you need privileged access? 
Do you have single sign on and 

560
00:31:08,920 --> 00:31:11,560
MFA? 
Have you got all that, you know,

561
00:31:11,560 --> 00:31:15,200
figured out already and now you 
need to do something with ITDR 

562
00:31:15,200 --> 00:31:18,000
or some other analytics? 
Or maybe you're on the customer 

563
00:31:18,000 --> 00:31:18,880
side. 
You're like, hey, we don't 

564
00:31:18,880 --> 00:31:21,080
really have a good way for our 
customers to manage their 

565
00:31:21,080 --> 00:31:24,600
profiles or maybe their 
data consents, especially if 

566
00:31:24,600 --> 00:31:27,120
you're in Europe or other places
where you have, you know, laws 

567
00:31:27,120 --> 00:31:30,960
like GDPR, for example. 
So I think really understanding 

568
00:31:30,960 --> 00:31:34,840
what the technology fits are is 
important because these are 

569
00:31:34,840 --> 00:31:37,560
typically long term decisions 
that you're making, right? 

570
00:31:37,560 --> 00:31:40,520
You don't buy Okta and say, OK, 
well, we'll get rid of it in a 

571
00:31:40,520 --> 00:31:42,240
year. 
These things are generally too 

572
00:31:42,240 --> 00:31:43,760
expensive to like turn over that
quickly. 

573
00:31:43,760 --> 00:31:45,360
They're not disposable in that 
way. 

574
00:31:46,120 --> 00:31:47,960
And that can be really 
challenging because there's a 

575
00:31:47,960 --> 00:31:51,920
lot of really good products out 
there, products that are like in

576
00:31:51,920 --> 00:31:54,880
your face and everyone knows 
about and ones that just for 

577
00:31:54,880 --> 00:31:58,760
whatever reason struggle with 
awareness and, you know, 

578
00:31:58,800 --> 00:32:01,480
presence in the market. 
And they're new or upcoming or, 

579
00:32:01,680 --> 00:32:04,640
or maybe they're big in Europe, 
but they're not big in the US or

580
00:32:04,640 --> 00:32:06,120
vice versa, right? 
Things like that. 

581
00:32:06,120 --> 00:32:09,560
So I think understanding the 
technology landscape is very 

582
00:32:09,560 --> 00:32:13,760
helpful because it almost always
comes down, in my experience, to

583
00:32:13,760 --> 00:32:16,520
the details. 
You're going to buy an IGA tool. 

584
00:32:16,520 --> 00:32:18,040
Guess what? 
They can all do provisioning. 

585
00:32:18,400 --> 00:32:20,920
They can all create an Active 
Directory account, you know, 

586
00:32:20,960 --> 00:32:23,040
remove it, add permissions and 
run an access review. 

587
00:32:23,680 --> 00:32:25,640
It's all the details around it 
that are typically the 

588
00:32:25,640 --> 00:32:29,240
differentiators at this point 
for a, for a, for a technology 

589
00:32:29,240 --> 00:32:31,920
that's that mature, you know, up
and coming things maybe like an 

590
00:32:31,920 --> 00:32:34,920
ITDR or some sort of, you know, 
AI enhancements as we're seeing 

591
00:32:34,920 --> 00:32:37,120
now, maybe there is a little bit
something there. 

592
00:32:37,120 --> 00:32:40,360
It's like, OK, you know, there 
is a little more maybe meat on 

593
00:32:40,360 --> 00:32:41,680
the bone that we need to kind of
chew on. 

594
00:32:42,600 --> 00:32:46,520
But I think the, the right 
technology is, is really key 

595
00:32:46,520 --> 00:32:49,960
because you're going to be stuck
with that for probably, well, at

596
00:32:49,960 --> 00:32:52,640
least three years if it's SaaS, 
cause three-year subscription's 

597
00:32:52,640 --> 00:32:56,080
basically right, but probably 
longer because people are going 

598
00:32:56,080 --> 00:32:58,400
to ask you, well, why did we 
spend all this money 

599
00:32:58,400 --> 00:33:01,560
implementing this tool only to 
rip it out three years later? 

600
00:33:01,600 --> 00:33:03,240
That's a really tough pill to 
swallow. 

601
00:33:04,400 --> 00:33:07,040
Yeah. 
Well, I mean, that's the 

602
00:33:07,040 --> 00:33:11,600
question is like what should be 
the horizon that folks should 

603
00:33:11,600 --> 00:33:14,920
look me at? 
It almost seems like to say 10 

604
00:33:14,920 --> 00:33:21,840
years is like a little bit 
polyamic or unrealistic. 

605
00:33:21,840 --> 00:33:28,320
At least five years I kind of 
feel like is the minimum where 

606
00:33:28,320 --> 00:33:30,880
you start to really get your 
money's worth. 

607
00:33:31,200 --> 00:33:34,520
You're ripping it out at five 
years and having to rebuild. 

608
00:33:35,240 --> 00:33:40,240
That's a major reinvestment. 
There's a tough decision. 

609
00:33:40,280 --> 00:33:45,280
I think one thing is just saying
this company is the leader now 

610
00:33:46,080 --> 00:33:48,760
and assuming they're going to be
the leader in five years. 

611
00:33:49,040 --> 00:33:53,920
Well, if history is any teacher,
that's not always the case. 

612
00:33:54,160 --> 00:33:59,920
In fact, it's rarely the case. 
I don't know if history is the 

613
00:33:59,920 --> 00:34:04,400
right teacher for this. 
I mean, you look back on this 

614
00:34:04,400 --> 00:34:09,679
industry 15 years ago, you have 
said you choose Oracle or CA or 

615
00:34:09,679 --> 00:34:12,679
IBM. 
None of those companies are 

616
00:34:12,679 --> 00:34:14,480
really relevant in this space 
anymore. 

617
00:34:14,480 --> 00:34:20,239
Maybe IBM, but CA and Oracle are
not relevant in their identity 

618
00:34:20,239 --> 00:34:24,280
space anymore. 
They owned the identity space. 

619
00:34:24,719 --> 00:34:26,560
They were the only choices 
really. 

620
00:34:26,560 --> 00:34:32,239
And now you look around and the 
other incumbents, will they be 

621
00:34:32,239 --> 00:34:38,159
around 5-10 years down the road?
I think they it feels like they 

622
00:34:38,159 --> 00:34:42,639
will. 
It's choosing the right 

623
00:34:42,679 --> 00:34:45,880
technology is not easy. 
No, because there's so many good

624
00:34:45,880 --> 00:34:47,840
choices. 
And the truth is you could 

625
00:34:47,840 --> 00:34:49,880
probably be successful with 
almost any of them if you're 

626
00:34:49,880 --> 00:34:53,560
willing to adopt their business 
process that they bring to the 

627
00:34:53,560 --> 00:34:55,920
table. 
That's sometimes a challenge for

628
00:34:55,920 --> 00:34:57,960
organizations. 
You know, you bring up this this

629
00:34:57,960 --> 00:35:01,360
idea of like, will the company 
be around in five, 10, 15 years? 

630
00:35:01,360 --> 00:35:05,200
I think that's real important. 
You know, IBM and you know, the 

631
00:35:05,200 --> 00:35:07,560
CAs and the Oracles, they've 
been around for a long time. 

632
00:35:07,560 --> 00:35:10,160
And yeah, they kind of had their
heyday in the IM space, but they

633
00:35:10,160 --> 00:35:12,480
were around for a long time. 
I mean, it wasn't like they were

634
00:35:12,480 --> 00:35:15,800
only an IM for like 5, you know,
5 minutes, five years, whatever 

635
00:35:15,800 --> 00:35:18,600
that is. 
It was decades, you know, that 

636
00:35:18,600 --> 00:35:21,760
they were kind of the the only 
real players in that enterprise 

637
00:35:21,760 --> 00:35:24,560
market now. 
They let, you know, upstarts 

638
00:35:24,560 --> 00:35:28,120
like SailPoint and others, you 
know, come up and kind of steal 

639
00:35:28,120 --> 00:35:31,040
the market away from them. 
But there will be other vendors 

640
00:35:31,040 --> 00:35:34,120
that come up. 
But when do you make the 

641
00:35:34,120 --> 00:35:37,800
investment in a small player 
versus an established player is 

642
00:35:37,800 --> 00:35:40,080
always interesting 'cause I 
think a lot of that has to do 

643
00:35:40,080 --> 00:35:42,920
with the risk appetite of the 
organization. 

644
00:35:43,360 --> 00:35:45,320
If you're a small organization, 
maybe a little bit more nimble 

645
00:35:45,320 --> 00:35:46,720
in your choices. 
Maybe you are willing to go 

646
00:35:46,720 --> 00:35:48,840
with, you know, somebody who's 
new where it doesn't have the 

647
00:35:48,840 --> 00:35:51,760
track record, maybe they don't 
have, you know, that's the fancy

648
00:35:51,760 --> 00:35:53,600
training portals and kind of all
that stuff. 

649
00:35:53,600 --> 00:35:56,040
But you feel good about their 
technology and you've gotten 

650
00:35:56,040 --> 00:35:59,480
maybe some insurances from 
leadership over there, right, 

651
00:35:59,480 --> 00:36:02,360
the CEO or people who are maybe 
more hands on maybe than 

652
00:36:02,360 --> 00:36:05,000
another organization. 
Or maybe your organization is a 

653
00:36:05,000 --> 00:36:08,160
little more adverse to that type
of risk and wants to have an 

654
00:36:08,160 --> 00:36:10,120
established partner. 
And those are the types of 

655
00:36:10,120 --> 00:36:12,040
organizations that will say, 
well, give me the Gartner Magic 

656
00:36:12,040 --> 00:36:13,280
Quadrant. 
Let me just look at the upper 

657
00:36:13,280 --> 00:36:15,680
right. 
I don't 

658
00:36:15,680 --> 00:36:17,080
think there's anything wrong 
with that? 

659
00:36:18,240 --> 00:36:20,920
I it might be, but maybe that's 
just the profile of the 

660
00:36:20,920 --> 00:36:23,320
organization. 
They're not willing to look at a

661
00:36:23,320 --> 00:36:26,720
smaller company until they've 
grown and gotten through that, 

662
00:36:26,720 --> 00:36:30,160
that hump of hey, we're in the 
market, we've been around now 

663
00:36:30,160 --> 00:36:34,720
for 5-10 years and we have a 
bunch of customers and there's 

664
00:36:34,720 --> 00:36:37,080
less of a concern that they 
might die overnight, for 

665
00:36:37,080 --> 00:36:38,200
example. 
I can get that. 

666
00:36:38,200 --> 00:36:39,440
I get the risk. 
I understand it. 

667
00:36:39,960 --> 00:36:42,160
I don't agree with just saying 
look at upper right of Gartner 

668
00:36:42,160 --> 00:36:44,440
and even Gartner will tell you 
don't look at just Gartner upper

669
00:36:44,440 --> 00:36:45,640
right. 
That doesn't mean as much. 

670
00:36:46,800 --> 00:36:51,200
But there are organizations that
do not want to play with the 

671
00:36:51,200 --> 00:36:53,840
smaller fish. 
They're looking for the more 

672
00:36:53,840 --> 00:36:56,680
established fish in that case, 
and I get it. 

673
00:36:56,680 --> 00:36:58,800
I think that's just something 
that you have to think about. 

674
00:37:00,240 --> 00:37:03,080
You have to think about it. 
So you know, as you've been 

675
00:37:03,080 --> 00:37:08,280
talking, I was thinking I just 
talked about Oracle CA and IBM. 

676
00:37:08,800 --> 00:37:12,480
People are saying I think you 
probably, yeah, that ancient 

677
00:37:12,480 --> 00:37:18,080
history in terms of identity. 
They were replaced by Okta, 

678
00:37:18,440 --> 00:37:23,400
Ping, ForgeRock. 
No, they were replaced by Gigya 

679
00:37:23,720 --> 00:37:28,440
and Janrain. 
Those companies basically don't 

680
00:37:28,440 --> 00:37:31,760
exist. 
They're bought by Akamai and SAP

681
00:37:32,640 --> 00:37:36,320
and they pulled back those 
capabilities so much that I mean

682
00:37:36,320 --> 00:37:40,720
when was the last time they've 
either seen SAP or Akamai and an

683
00:37:40,720 --> 00:37:44,560
identity conference. 
So these things run in cycles. 

684
00:37:44,920 --> 00:37:48,840
There's acquisitions that can 
take place and then companies 

685
00:37:48,840 --> 00:37:55,400
can deemphasize the portfolio. 
Can you take that and like glean

686
00:37:55,400 --> 00:37:58,200
me the operation from it? 
No, I just think it means that 

687
00:37:58,680 --> 00:38:01,240
you're saying the right 
technology is even harder than 

688
00:38:01,240 --> 00:38:03,080
you think. 
Yeah, I agree. 

689
00:38:04,240 --> 00:38:08,480
OK, So we've got our program, we
are, we've got our goals, our 

690
00:38:08,480 --> 00:38:11,360
scope, we've done our 
assessments, we've got our buy 

691
00:38:11,360 --> 00:38:13,800
in from the executives. 
We've got a team kind of put 

692
00:38:13,800 --> 00:38:16,960
together. 
We've, we've muddied through the

693
00:38:16,960 --> 00:38:19,480
process of, OK, we figured out 
the technology we're going to 

694
00:38:19,480 --> 00:38:21,200
use. 
Now how do we get it 

695
00:38:21,200 --> 00:38:23,720
implemented? 
And typically you'd probably 

696
00:38:23,720 --> 00:38:25,840
want to do this in a phased 
approach versus a Big Bang. 

697
00:38:26,240 --> 00:38:29,200
Because Jim, I'm going to go off
and build this thing. 

698
00:38:29,200 --> 00:38:32,160
I want you to give me $3,000,000
and I'll see you in three years.

699
00:38:32,160 --> 00:38:33,560
Are you going to give me that 
money? 

700
00:38:36,320 --> 00:38:39,480
No, I might give you a loan to 
the first phase. 

701
00:38:41,920 --> 00:38:45,600
Right, so I need to show wins 
right along the way. 

702
00:38:47,040 --> 00:38:51,320
You didn't need to show wins. 
I think my feeling on 

703
00:38:51,320 --> 00:38:54,280
implementation has been 
maturing. 

704
00:38:54,280 --> 00:38:55,920
So I'm going to tell you where 
it's at. 

705
00:38:56,480 --> 00:39:00,080
Today I came up as a waterfall 
guy. 

706
00:39:00,440 --> 00:39:05,760
I have a PMP and I learned that 
PMBOK and it's waterfall based 

707
00:39:06,120 --> 00:39:09,640
project management. 
It's create phases. 

708
00:39:09,960 --> 00:39:12,000
You start a project, get into 
project. 

709
00:39:12,000 --> 00:39:16,040
At the end of the project, you 
have a bunch of functionality 

710
00:39:16,040 --> 00:39:19,680
that you defined and built 
requirements for and designed in

711
00:39:19,680 --> 00:39:24,120
the beginning of the project. 
Today things are shifting more 

712
00:39:24,120 --> 00:39:27,360
towards agile project 
methodologies where you do 

713
00:39:27,360 --> 00:39:30,560
sprints and they're very short. 
They're almost like mini 

714
00:39:30,560 --> 00:39:33,920
projects where you do 
requirements design, 

715
00:39:34,680 --> 00:39:39,360
implementation or I'm sorry, 
development, testing and then 

716
00:39:39,360 --> 00:39:43,080
implementation all within a two 
week time period or something 

717
00:39:43,080 --> 00:39:46,760
very short. 
That's the way I think the 

718
00:39:46,800 --> 00:39:50,880
industry is going. 
I don't think that approach 

719
00:39:50,880 --> 00:39:53,560
works well for initial 
deployments. 

720
00:39:54,240 --> 00:39:58,360
MVP deployments are called them 
where you say, OK, today we have

721
00:39:58,760 --> 00:40:02,520
some legacy technology that's 
barely supported anymore and 

722
00:40:02,520 --> 00:40:06,760
it's doing automated 
provisioning or it's doing some 

723
00:40:06,760 --> 00:40:10,160
basic capability within the 
identity space. 

724
00:40:10,400 --> 00:40:13,480
I still think that. 
You know, defining a project and

725
00:40:13,480 --> 00:40:16,840
saying we're going to rip and 
replace, that's the way to do 

726
00:40:16,840 --> 00:40:19,080
that. 
But then when it comes to 

727
00:40:19,440 --> 00:40:22,760
integrating more applications 
into your environment, when it 

728
00:40:22,760 --> 00:40:25,960
comes to enhancing functionality
or rolling out new 

729
00:40:25,960 --> 00:40:29,920
functionality, I think that 
agile approach works really 

730
00:40:29,920 --> 00:40:32,720
well. 
I think 1 is a little bit more 

731
00:40:32,720 --> 00:40:37,880
difficult is taking that 
approach and communicating it to

732
00:40:37,880 --> 00:40:41,080
the executives because 
ultimately they want to know 

733
00:40:41,080 --> 00:40:42,600
what they're going to get for 
their money. 

734
00:40:43,080 --> 00:40:46,120
And you can't say, well, every 
two weeks we're going to decide 

735
00:40:46,840 --> 00:40:51,160
what we're going to work on. 
So I'm still kind of struggling 

736
00:40:51,160 --> 00:40:52,600
with that. 
And it's not like I learned 

737
00:40:52,600 --> 00:40:55,640
about Agile last week. 
I've been struggling with this 

738
00:40:55,640 --> 00:40:59,520
for a decade, you know, since 
I've really kind of like brought

739
00:40:59,520 --> 00:41:04,840
my head around it. 
I think that in a way you're 

740
00:41:04,840 --> 00:41:10,840
kind of like layering phases and
layering non pure agile on top 

741
00:41:10,840 --> 00:41:14,560
of agile to say, all right, 
we're going to do 8 sprints. 

742
00:41:14,960 --> 00:41:18,680
At the end of the 8 sprints 
we're going to deliver this set 

743
00:41:18,680 --> 00:41:22,040
of features and functionality. 
But within those sprints you 

744
00:41:22,040 --> 00:41:27,560
decide what to work on when. 
So that's kind of how I feel 

745
00:41:27,560 --> 00:41:32,200
like, you know, the approach to 
the implementation plan, 

746
00:41:32,840 --> 00:41:35,520
realistic reality being thought.
Right now, I feel like to some 

747
00:41:35,520 --> 00:41:39,760
degree you're almost bound by 
whatever your organization tends

748
00:41:39,760 --> 00:41:43,240
to do for projects. 
Some organizations are 

749
00:41:43,240 --> 00:41:47,440
waterfall, some are agile, and 
some are somewhere in between. 

750
00:41:48,640 --> 00:41:50,840
But I think a lot of times, 
especially if you're in a big 

751
00:41:50,840 --> 00:41:53,880
organization, you know, large 
enterprise, they probably have a

752
00:41:53,880 --> 00:41:57,280
program management office or 
project management office, and 

753
00:41:57,280 --> 00:42:00,800
they have a defined set of 
criteria that every project goes

754
00:42:00,800 --> 00:42:03,680
through. 
And sometimes it's not a great 

755
00:42:03,680 --> 00:42:06,160
match, but you still have to do 
it anyway because that's just 

756
00:42:06,160 --> 00:42:10,080
the way the organization works. 
I do think the phase approach 

757
00:42:10,160 --> 00:42:13,800
generally makes sense. 
I think if you're implementing a

758
00:42:13,800 --> 00:42:18,240
technology, almost always the 
first phase looks alike no 

759
00:42:18,240 --> 00:42:21,360
matter what technology vendor 
you pick in a certain area. 

760
00:42:21,360 --> 00:42:25,040
So I'll pick on IGA again. 
If you're going to deploy IGA, 

761
00:42:25,440 --> 00:42:28,160
you're probably going to connect
it to identity source of truth, 

762
00:42:28,160 --> 00:42:30,640
right? 
Your, your HR platform, you're 

763
00:42:30,640 --> 00:42:34,320
probably going to connect it to 
Active Directory and or your 

764
00:42:34,320 --> 00:42:36,480
Entra directory or Azure Active 
Directory. 

765
00:42:36,840 --> 00:42:39,480
And maybe you're going to 
connect it to ServiceNow or 

766
00:42:39,480 --> 00:42:43,000
some other ITSM tool, your 
ticketing system, that might 

767
00:42:43,000 --> 00:42:47,440
look like phase one for any IGA 
platform because they generally 

768
00:42:47,440 --> 00:42:51,080
all will kind of start in the 
same area. 

769
00:42:51,560 --> 00:42:54,480
Then from there, it might 
iterate based on, well, we are a

770
00:42:54,480 --> 00:42:56,760
financial organization, so we 
have SOX and other things that

771
00:42:56,760 --> 00:43:00,280
we need to be aware of. 
So maybe financial apps come 

772
00:43:00,280 --> 00:43:02,760
next because you need to do 
that, right? 

773
00:43:02,920 --> 00:43:04,880
Or maybe they're included as 
part of phase one. 

774
00:43:04,880 --> 00:43:07,080
But guess what? 
The real phase one is still 

775
00:43:07,080 --> 00:43:10,520
probably AD first, then the 
other financial apps, right? 

776
00:43:10,880 --> 00:43:12,480
And maybe that's the same for 
you. 

777
00:43:12,480 --> 00:43:14,120
If you're doing an 
authentication, you're putting 

778
00:43:14,120 --> 00:43:17,000
it into IDP, what you got to 
connect it to is probably going 

779
00:43:17,000 --> 00:43:18,640
to be whatever your new 
directory is. 

780
00:43:19,480 --> 00:43:23,680
Your first step is hopefully 
going to be enabling MFA and 

781
00:43:23,680 --> 00:43:25,760
then you're going to talk about,
OK, what are the applications 

782
00:43:25,760 --> 00:43:29,080
that we want to connect to that?
And so I think a lot of times 

783
00:43:29,080 --> 00:43:32,600
these, even though it's like the
same pattern, it's really the 

784
00:43:32,600 --> 00:43:34,920
technologies are really going to
start in the same spot. 

785
00:43:34,920 --> 00:43:38,640
What what the variation ends up 
being is what are the objectives

786
00:43:38,640 --> 00:43:40,440
that you've already defined to 
say, OK, well, we're doing this 

787
00:43:40,440 --> 00:43:43,280
because we need to be compliant 
because we failed our SOX on 

788
00:43:43,280 --> 00:43:45,160
it. 
OK, well, let's start planning. 

789
00:43:45,160 --> 00:43:49,040
So this time next year, we have 
those applications under 

790
00:43:49,040 --> 00:43:51,560
management in our new platform. 
They're going through a new 

791
00:43:51,560 --> 00:43:55,720
access review process and we'll 
feel more confident that we'll 

792
00:43:55,720 --> 00:43:57,400
be in a better position to be 
more compliant. 

793
00:43:57,720 --> 00:44:01,000
Or maybe it's our cyber 
insurance is going to be due for

794
00:44:01,000 --> 00:44:03,320
renewal and they charge us an 
arm and a leg because we didn't 

795
00:44:03,320 --> 00:44:05,760
have MFA or we couldn't get 
insurance because they didn't 

796
00:44:05,760 --> 00:44:08,480
have MFA or because they're 
starting to ask questions around

797
00:44:08,480 --> 00:44:10,360
privileged access management. 
And we don't have good answers 

798
00:44:10,360 --> 00:44:12,800
to that yet. 
Let's not be in that position 

799
00:44:12,800 --> 00:44:15,800
next year. 
Let's start with the phased 

800
00:44:15,800 --> 00:44:18,000
approach to get there. 
And let's start with the 

801
00:44:18,000 --> 00:44:20,880
priorities to say, OK, what do 
we need to get cyber insurance 

802
00:44:21,480 --> 00:44:24,520
MFA mandatory? 
OK, now we know what our first 

803
00:44:24,520 --> 00:44:27,160
phase is for an IDP. 
And I think you can take that 

804
00:44:27,160 --> 00:44:29,840
same logic and apply it to any 
technology that you're looking 

805
00:44:29,840 --> 00:44:34,720
to deploy, especially in a core 
identity solution or identity 

806
00:44:34,720 --> 00:44:39,160
situation. Your authentication, 
your life cycle management and 

807
00:44:39,160 --> 00:44:42,200
your privileged access, like 
those three things are generally

808
00:44:42,200 --> 00:44:43,920
going to kind of start in the 
same ballpark. 

809
00:44:43,920 --> 00:44:47,320
And then Spira from there based 
on your business use cases or 

810
00:44:47,320 --> 00:44:49,000
things that you want to address.
Does that make sense? 

811
00:44:49,720 --> 00:44:54,320
Yeah, I, I'm wondering if you're
from running to folks in the 

812
00:44:54,320 --> 00:44:58,160
business who say, all right, 
you're, you're building a plan 

813
00:44:58,160 --> 00:45:02,280
for the company that we are 
we're planning to triple in size

814
00:45:02,280 --> 00:45:07,960
over the next five years. 
You know, really that plan to 

815
00:45:07,960 --> 00:45:13,400
me, I mean, my, the initial log 
that comes to my head is crawl, 

816
00:45:13,400 --> 00:45:15,440
walk, run. 
In other words, you can't go, 

817
00:45:15,640 --> 00:45:19,000
you're crawling today. 
You're doing things in a certain

818
00:45:19,000 --> 00:45:24,440
way that you're saying we just, 
we want to run, teach us how to 

819
00:45:24,440 --> 00:45:28,440
run. 
Like feel like we need to teach 

820
00:45:28,440 --> 00:45:29,760
you how to walk first? 
Right. 

821
00:45:29,960 --> 00:45:32,400
You ever, you ever been sitting 
on your foot and your leg falls 

822
00:45:32,400 --> 00:45:34,800
asleep and then you try to get 
up and run, you're going to fall

823
00:45:34,800 --> 00:45:38,000
over and look like a dummy. 
Yeah, you know, and sometimes 

824
00:45:38,000 --> 00:45:40,240
after you know, that's what 
needs to happen is like, hey, 

825
00:45:40,240 --> 00:45:43,400
you know what if if you could 
run, wouldn't you be doing it 

826
00:45:43,400 --> 00:45:46,040
already? 
But you're not because there's 

827
00:45:46,040 --> 00:45:47,600
problems. 
You've got to solve some of 

828
00:45:47,600 --> 00:45:50,160
those root issues first. 
I don't know any organization 

829
00:45:50,160 --> 00:45:52,400
that's like, hey, we're going to
plan, we're going to be smaller 

830
00:45:52,440 --> 00:45:55,160
in five years. 
No, no, no company does that. 

831
00:45:55,160 --> 00:45:57,080
Every company is looking to get 
bigger. 

832
00:45:57,400 --> 00:45:58,960
There's nothing unique about 
that. 

833
00:45:59,480 --> 00:46:03,160
Every company is the goal is to 
make more money, grow larger, 

834
00:46:03,280 --> 00:46:04,120
blah, blah, blah. 
Right. 

835
00:46:04,560 --> 00:46:09,680
So yes, you want to design your 
program to meet the future, but 

836
00:46:09,680 --> 00:46:12,200
every program has foundational 
building blocks. 

837
00:46:12,200 --> 00:46:15,480
No matter how big or small you 
want to be, if you don't have 

838
00:46:15,480 --> 00:46:17,720
those foundations in place, 
you're going to struggle. 

839
00:46:17,800 --> 00:46:20,160
You're going to have, you know, 
dead leg and you're going to 

840
00:46:20,160 --> 00:46:23,960
fall over and look like a fool. 
That's, that's my $0.02 on it. 

841
00:46:24,200 --> 00:46:26,840
I love it. 
All right, so we've got our 

842
00:46:26,840 --> 00:46:29,240
phased plan, we'll call it, or 
at least you're starting to 

843
00:46:29,240 --> 00:46:31,320
figure out like what chunks that
you want to do from an 

844
00:46:31,480 --> 00:46:33,600
implementation standpoint for 
technology. 

845
00:46:34,600 --> 00:46:36,480
I don't think you didn't want to
ignore the user experience 

846
00:46:36,480 --> 00:46:38,360
because you can have the best 
technology in the world, but if 

847
00:46:38,360 --> 00:46:41,160
nobody can use it, guess what? 
Nobody's going to use it and 

848
00:46:41,160 --> 00:46:45,440
you'll lose your ROI and you got 
unhappy campers literally all 

849
00:46:45,440 --> 00:46:48,880
over the place. 
So when you're designing the 

850
00:46:48,880 --> 00:46:51,600
implementation of these tools 
and you're evaluating which 

851
00:46:51,600 --> 00:46:55,120
tools you want to use, you 
should be looking at what is the

852
00:46:55,120 --> 00:46:57,800
end user experience. 
Does this make sense? 

853
00:46:58,440 --> 00:47:01,320
Does it look like a program that
was designed in the last 10 

854
00:47:01,320 --> 00:47:03,880
years even, right. 
I mean, I think you and I have 

855
00:47:03,880 --> 00:47:06,000
seen a lot of products where 
it's like, well, that was a 

856
00:47:06,000 --> 00:47:07,760
great interface for the year 
2000. 

857
00:47:07,800 --> 00:47:11,480
You know, here we are in year 
2024 and nothing has changed and

858
00:47:11,480 --> 00:47:13,720
it still looks like that. 
Does that give me confidence 

859
00:47:13,720 --> 00:47:17,600
that the user experience is 
going to be good maybe for a 

860
00:47:17,600 --> 00:47:21,920
certain part of our workforce 
that understands that, but maybe

861
00:47:21,920 --> 00:47:25,040
that part of the workforce is 
aging out and moving on in our 

862
00:47:25,040 --> 00:47:28,520
in our newer workforce totally 
doesn't get it and they think 

863
00:47:28,520 --> 00:47:31,160
it's a terrible user experience.
So I think you've got to focus 

864
00:47:31,160 --> 00:47:34,880
on your constituents, right? 
Who are the scope of your of 

865
00:47:34,880 --> 00:47:38,760
your programs, whether it's 
employees, partners, customers, 

866
00:47:38,760 --> 00:47:41,880
whatever may be, really pay 
attention to that user 

867
00:47:41,880 --> 00:47:44,200
experience. 
Nail it because that's going to 

868
00:47:44,200 --> 00:47:46,640
be the first impression that 
your IAM program makes for a lot 

869
00:47:46,640 --> 00:47:48,960
of people. 
The first time you have to go in

870
00:47:48,960 --> 00:47:51,520
and reset your own password if 
it's a total hassle. 

871
00:47:51,920 --> 00:47:54,480
This thing stinks. 
What do you mean I have to call 

872
00:47:54,480 --> 00:47:57,360
somebody? 
Can I just do this on my own 

873
00:47:57,800 --> 00:47:59,560
right? 
A lot more self-service, a lot 

874
00:47:59,560 --> 00:48:02,120
more agency. 
Where the where the Amazon 

875
00:48:02,280 --> 00:48:04,920
points of things where it's 
self-service. 

876
00:48:04,920 --> 00:48:08,440
I want to go to a portal, buy 
the thing that I need or request

877
00:48:08,440 --> 00:48:11,280
it and never talk to a person 
and just have it magically 

878
00:48:11,280 --> 00:48:14,440
appear on my doorstep in two 
days or even better yet, same 

879
00:48:14,440 --> 00:48:16,480
day. 
If I live next to a Prime, you 

880
00:48:16,480 --> 00:48:17,720
know, warehouse or something 
like that. 

881
00:48:18,400 --> 00:48:21,320
That's the sort of mentality I 
think is if you treat IAM like 

882
00:48:21,320 --> 00:48:23,440
a product for your organization,
think about that. 

883
00:48:23,440 --> 00:48:26,440
User experience is such an 
important part that I feel is 

884
00:48:26,440 --> 00:48:28,520
getting better. 
I feel like a lot of people I'm 

885
00:48:28,520 --> 00:48:32,000
talking to recently are thinking
about that user experience, but 

886
00:48:32,000 --> 00:48:33,720
it hasn't always been that way. 
And I think it's something that 

887
00:48:33,720 --> 00:48:37,840
we should always be vigilant for
as identity people is take a 

888
00:48:37,840 --> 00:48:40,520
step back, you and I get 
identity. 

889
00:48:40,640 --> 00:48:42,640
Maybe there's somebody out there
that's like, yeah, I I'm an 

890
00:48:42,640 --> 00:48:44,440
Azure expert. 
I totally get it. 

891
00:48:45,720 --> 00:48:49,680
But we sometimes get lost in 
this, you know, self delusional 

892
00:48:49,680 --> 00:48:50,760
spot where it's like, yeah, I 
get it. 

893
00:48:51,120 --> 00:48:53,440
What do you mean you don't 
understand why my SAML 

894
00:48:53,440 --> 00:48:55,160
connection isn't working? 
And I gave you an error message 

895
00:48:55,160 --> 00:48:57,080
saying OpenID Connect not 
configured. 

896
00:48:57,920 --> 00:49:00,120
No, normal humans going to be 
under be able to understand 

897
00:49:00,120 --> 00:49:02,120
that. 
So you've got to think about 

898
00:49:02,120 --> 00:49:04,680
that from, you know, Jim's dad's
perspective. 

899
00:49:05,000 --> 00:49:08,120
Can Jim's dad use it? 
All right, now we're on to 

900
00:49:08,120 --> 00:49:09,680
something. 
What do you think? 

901
00:49:09,680 --> 00:49:12,520
Yeah. 
Well, I, we had an interesting 

902
00:49:12,520 --> 00:49:17,200
conversation about this today 
and I'm going to answer this 

903
00:49:17,200 --> 00:49:21,520
question off of you. 
So I think customer identity and

904
00:49:21,520 --> 00:49:27,680
workforce identity, this topic 
needs to be treated differently.

905
00:49:28,120 --> 00:49:32,400
But I want to ask this first 
question is from an executive 

906
00:49:32,480 --> 00:49:37,640
owner perspective, workforce 
identity and customer identity 

907
00:49:37,640 --> 00:49:43,600
generally owned by different 
executives, CXOs, within the 

908
00:49:43,600 --> 00:49:45,320
organization. 
What? 

909
00:49:45,360 --> 00:49:49,280
What have you seen mostly? 
I think typically they are, they

910
00:49:49,280 --> 00:49:53,880
may have some shared teams. 
I think historically marketing 

911
00:49:53,880 --> 00:49:57,120
or some other customer kind of 
facing department might have 

912
00:49:57,120 --> 00:50:00,920
been in charge of it, 
e-commerce, whatever that looks 

913
00:50:00,920 --> 00:50:04,680
like for whatever position. 
I think it's two different 

914
00:50:04,680 --> 00:50:06,680
mindsets. 
And I think now you get into, 

915
00:50:06,960 --> 00:50:09,280
you're trying to find an IAM 
program manager that knows how 

916
00:50:09,280 --> 00:50:13,760
to do talking and talk tech. 
And now you want them to talk 

917
00:50:13,760 --> 00:50:16,360
both on the enterprise workforce
side as well as the customer 

918
00:50:16,360 --> 00:50:19,040
side. 
Yeah, that unicorn just became a

919
00:50:19,040 --> 00:50:22,040
lot harder to find. 
So maybe it does make sense to 

920
00:50:22,040 --> 00:50:26,120
have a couple of people. 
Maybe my focus is enterprise and

921
00:50:26,120 --> 00:50:28,840
your focus is customer or vice 
versa, right? 

922
00:50:28,840 --> 00:50:32,560
Whatever it may be. 
I, I guess it's, it's the 

923
00:50:32,560 --> 00:50:35,280
consulting answer of depends, 
which I kind of hate to say, but

924
00:50:35,720 --> 00:50:39,160
I think it's difficult to find 
one person who really 

925
00:50:39,160 --> 00:50:44,240
understands everything about 
both sides and can talk all that

926
00:50:44,240 --> 00:50:47,600
technology and be that good. 
And I'm sure there are people 

927
00:50:47,600 --> 00:50:49,160
out there who are like, yeah, I 
can do that no problem. 

928
00:50:49,160 --> 00:50:51,880
Great, cool. 
I think it's a unique skill set 

929
00:50:51,880 --> 00:50:55,480
and it becomes more unique the 
more requirements you pile on 

930
00:50:55,480 --> 00:50:57,240
that role. 
And that's just another set of 

931
00:50:57,240 --> 00:50:59,560
requirements. 
So I can certainly see 

932
00:50:59,720 --> 00:51:01,840
information security, for 
example, owning the enterprise 

933
00:51:01,840 --> 00:51:06,640
workshop or the enterprise IAM 
program, but I can also see the 

934
00:51:06,640 --> 00:51:11,800
the information security team 
telling or advising some other 

935
00:51:11,800 --> 00:51:14,280
group to say, hey, we know 
you're working on customer 

936
00:51:14,280 --> 00:51:16,240
identity. 
Here are some services that we 

937
00:51:16,240 --> 00:51:17,200
have that you might be able to 
use. 

938
00:51:17,200 --> 00:51:20,560
But more importantly, here are 
the guidelines or the governance

939
00:51:20,560 --> 00:51:23,920
or the policies that you need to
make sure are in place so that 

940
00:51:23,920 --> 00:51:27,480
the risk is at the level that 
our organization is willing to 

941
00:51:27,480 --> 00:51:29,600
tolerate. 
I don't have to own it, just 

942
00:51:29,600 --> 00:51:31,720
make sure you put MFA on every 
account, right? 

943
00:51:31,720 --> 00:51:34,880
Or something along those lines. 
I think everything you said 

944
00:51:35,200 --> 00:51:39,880
there was spot on. 
So I think what you normally see

945
00:51:39,880 --> 00:51:45,360
is that the CISO is responsible 
for workforce IAM and then the 

946
00:51:45,360 --> 00:51:49,800
question or then this statement 
doesn't become prioritized user 

947
00:51:49,800 --> 00:51:51,480
experience. 
In other words, it's more 

948
00:51:51,480 --> 00:51:54,880
important than security. 
It's don't forget the user 

949
00:51:54,880 --> 00:51:57,920
experience. 
So in other words, like 10 years

950
00:51:57,920 --> 00:52:03,520
ago, or maybe it was longer, but
it was like the user experience 

951
00:52:03,520 --> 00:52:05,840
for workforce IAM doesn't 
matter. 

952
00:52:06,040 --> 00:52:09,240
These people work here. 
I don't do what we tell them to 

953
00:52:09,240 --> 00:52:12,760
do. 
I think companies and that was a

954
00:52:12,760 --> 00:52:16,480
terrible mindset, but they, I 
think it was the predominant 

955
00:52:16,480 --> 00:52:19,360
mindset, at least where I worked
at once, right? 

956
00:52:19,360 --> 00:52:22,840
I was, you know, going back 
before I got into consulting. 

957
00:52:23,800 --> 00:52:27,840
I think the industry's matured. 
Companies have matured to say 

958
00:52:28,760 --> 00:52:32,320
not only is cybersecurity 
important, but giving our 

959
00:52:32,320 --> 00:52:37,040
employees a good experience with
their IT is important so they 

960
00:52:37,040 --> 00:52:41,160
can be productive and so they 
don't hate working here. 

961
00:52:42,880 --> 00:52:47,880
On the customer identity side, I
think it's kind of important. 

962
00:52:48,080 --> 00:52:50,560
I think on the customer identity
side, you're right. 

963
00:52:50,560 --> 00:52:53,920
It's often times the chief 
marketing officer or some 

964
00:52:54,400 --> 00:53:00,960
business executive, VP, let's 
say, who owns the customer 

965
00:53:00,960 --> 00:53:03,520
portal, let's call it. 
It could be whatever, but it's 

966
00:53:03,520 --> 00:53:08,760
customer IAM and I've heard 
things like and I'm not kidding 

967
00:53:08,760 --> 00:53:13,200
about this Jeff, like we need to
have 8 character passwords, 

968
00:53:13,440 --> 00:53:17,960
preferably would be 6 and ain't 
no way we're rolling out MFA. 

969
00:53:18,480 --> 00:53:23,920
When I hear that I tell whoever 
I'm talking to they are wrong 

970
00:53:24,080 --> 00:53:26,600
and you can tell them that Jim 
McDonald told them they're 

971
00:53:26,600 --> 00:53:30,000
wrong. 
That is just terrible. 

972
00:53:30,280 --> 00:53:35,920
I'm, I understand that the user 
experience is paramount when it 

973
00:53:35,920 --> 00:53:40,560
comes to customer IAM. 
And if you're going to put 6 

974
00:53:40,560 --> 00:53:43,800
character passwords, 8 character 
passwords, you're basically 

975
00:53:43,800 --> 00:53:48,320
putting their data at risk and 
it's your fault. 

976
00:53:48,320 --> 00:53:52,840
It's not their fault if those 
accounts get breached. 

977
00:53:53,640 --> 00:53:58,840
And so for them, I'm not going 
to say prioritize the user 

978
00:53:58,840 --> 00:54:00,720
experience. 
They already are prioritizing 

979
00:54:00,720 --> 00:54:03,760
user experience. 
It's almost like don't forget 

980
00:54:03,760 --> 00:54:07,760
about security or don't 
deprioritize security. 

981
00:54:08,240 --> 00:54:13,480
I think you know at least SMS OTP
is ubiquitous. 

982
00:54:13,480 --> 00:54:21,040
So if you have a low assurance 
use case, at least do SMS OTP. 

983
00:54:21,360 --> 00:54:24,600
Don't rely on 6 and 8 character 
passwords and if you start 

984
00:54:24,600 --> 00:54:27,680
getting longer, there's a 
passwords or password change 

985
00:54:27,680 --> 00:54:32,280
frequency. 
I mean you're making that user 

986
00:54:32,280 --> 00:54:35,240
experience worse. 
Start using multi factor 

987
00:54:35,240 --> 00:54:39,160
authentication. 
Move to, you know, unphishable 

988
00:54:39,600 --> 00:54:42,720
multi factor authentication. 
I'm not saying you should mail 

989
00:54:43,400 --> 00:54:48,720
YubiKeys to all of your customers
but have no authenticator apps. 

990
00:54:49,280 --> 00:54:52,920
I mean, it's these things aren't
that far out anymore. 

991
00:54:53,080 --> 00:54:56,160
I feel like yes, you, you kind 
of said something there about 

992
00:54:56,160 --> 00:54:58,320
like they're, they're focused on
the user experience versus 

993
00:54:58,320 --> 00:55:00,680
security. 
I'd argue they're not focused on

994
00:55:00,680 --> 00:55:03,360
the user experience because 
they're not doing a good job of 

995
00:55:03,360 --> 00:55:06,400
helping the user protect 
themselves from themselves. 

996
00:55:07,040 --> 00:55:09,760
And I think this is a spot 
where, again, you know, maybe 

997
00:55:09,760 --> 00:55:11,360
it's a program manager, maybe 
it's executives. 

998
00:55:11,360 --> 00:55:14,640
They really need to articulate 
why that's a bad idea to not 

999
00:55:14,640 --> 00:55:17,720
have MFA in place. 
OK, you don't want MFA in place.

1000
00:55:17,720 --> 00:55:18,960
Well, what if I told you there 
was easier? 

1001
00:55:18,960 --> 00:55:21,080
What if we just didn't have 
passwords at all and we went 

1002
00:55:21,080 --> 00:55:22,960
passwordless? 
Tell me more. 

1003
00:55:23,120 --> 00:55:24,960
Right. 
I think this is where if you're 

1004
00:55:24,960 --> 00:55:29,240
staying current with the market 
and identity space, hey, 

1005
00:55:29,480 --> 00:55:31,600
passkeys might be a solution 
here that everybody wins. 

1006
00:55:32,400 --> 00:55:33,880
So I think there's options 
there. 

1007
00:55:33,880 --> 00:55:36,680
But I think sometimes you're 
totally right, not sometimes 

1008
00:55:37,120 --> 00:55:40,520
you're totally right, but 
sometimes you do have to draw a 

1009
00:55:40,520 --> 00:55:42,000
line in the sand. 
Like look, that's just not 

1010
00:55:42,000 --> 00:55:44,200
acceptable. 
And I'll flat and I'm with you. 

1011
00:55:44,240 --> 00:55:49,960
If you do not have MFA on your 
IDP today, you are asking for it

1012
00:55:50,520 --> 00:55:54,200
and I want it in writing that I 
told you this was a bad idea. 

1013
00:55:54,440 --> 00:55:57,120
And when you get breached, it's 
not going to be me that's going 

1014
00:55:57,120 --> 00:55:58,480
to, you know, be rolling out the
door. 

1015
00:55:58,520 --> 00:56:01,040
It's going to be the, you know, 
someone else. 

1016
00:56:01,360 --> 00:56:04,280
Sometimes it's CYA. I hate to say 
it, but there are politics in 

1017
00:56:04,280 --> 00:56:06,880
every organization and you're 
not going to win every battle. 

1018
00:56:06,880 --> 00:56:09,840
The best you can do, especially 
sometimes if you are not at the 

1019
00:56:09,840 --> 00:56:12,560
level where you've got the juice
right to be able to kind of 

1020
00:56:12,880 --> 00:56:18,080
direct policy is look here. 
This is, this is why this is 

1021
00:56:18,080 --> 00:56:20,800
important. 
I want you to really understand 

1022
00:56:20,800 --> 00:56:24,600
the risk that you're taking if 
you do not follow this advice. 

1023
00:56:25,000 --> 00:56:28,920
But I think you also have to be 
able to work with your business 

1024
00:56:28,920 --> 00:56:30,760
partners. 
OK, I get it. 

1025
00:56:31,240 --> 00:56:35,760
We don't want to have 16 
character totally randomized, 

1026
00:56:35,760 --> 00:56:39,160
you know, can't use the same, 
you know, character more than 

1027
00:56:39,160 --> 00:56:40,960
once, right? 
Some of these, you know, we've 

1028
00:56:40,960 --> 00:56:42,600
all been in the end of that 
password policy. 

1029
00:56:42,600 --> 00:56:44,360
It just is like impossible. 
Like how am I supposed to go 

1030
00:56:44,360 --> 00:56:45,920
with the password for this? 
Like it just doesn't work. 

1031
00:56:46,520 --> 00:56:49,920
Come up with alternatives. 
Look at modern authentication 

1032
00:56:49,920 --> 00:56:53,000
ideas, you know, use WebAuthn, 
use passkeys. 

1033
00:56:53,440 --> 00:56:57,440
I think there are enough options
out there now that hopefully 

1034
00:56:57,600 --> 00:57:02,440
this trend starts to lessen 
because it's almost like you 

1035
00:57:02,440 --> 00:57:05,040
kind of talk there about the 
employee experience is like, 

1036
00:57:05,040 --> 00:57:07,280
well, they work for us. 
We can tell them what to do and 

1037
00:57:07,280 --> 00:57:10,040
it doesn't matter. 
I think the products have gotten

1038
00:57:10,040 --> 00:57:14,280
better in that space also. 
So it's not just that we're 

1039
00:57:14,280 --> 00:57:15,840
getting better. 
The products are getting better 

1040
00:57:15,840 --> 00:57:17,320
because we've been asking them 
to get better. 

1041
00:57:17,320 --> 00:57:20,560
Hey, I want a better user 
experience, even though I'm just

1042
00:57:20,560 --> 00:57:22,360
an employee in quotation marks, 
right? 

1043
00:57:23,000 --> 00:57:26,280
I'm still a customer of the 
services that my organization's 

1044
00:57:26,280 --> 00:57:29,760
providing. 
And it it can and it should be 

1045
00:57:29,760 --> 00:57:33,840
better products have caught up. 
But yeah, when I I'm with you, I

1046
00:57:33,840 --> 00:57:36,360
will, you know, tell them, tell 
them Jim and Jeff said you're 

1047
00:57:36,360 --> 00:57:38,000
wrong. 
I'll add my name to that 

1048
00:57:38,000 --> 00:57:39,920
petition as part of that 
process. 

1049
00:57:40,560 --> 00:57:44,040
Oh, your slot language? 
Yeah. 

1050
00:57:45,160 --> 00:57:49,640
All right, let's keep it moving.
I want to combine this idea of 

1051
00:57:49,640 --> 00:57:53,640
like governance and policies and
like metrics and measurement 

1052
00:57:53,640 --> 00:57:55,600
because I feel like they kind of
go together. 

1053
00:57:56,080 --> 00:57:59,160
But I think that's what the 
other part of this program is to

1054
00:57:59,160 --> 00:58:02,040
think about, OK, what are our 
policies? 

1055
00:58:02,040 --> 00:58:03,920
What are our standards? 
Are they realistic? 

1056
00:58:04,280 --> 00:58:07,160
Do you even understand what a 
policy is versus a standard 

1057
00:58:07,280 --> 00:58:10,120
versus a procedure? 
Maybe it's time to rethink how 

1058
00:58:10,120 --> 00:58:12,680
you, you know, define what those
things are. 

1059
00:58:13,160 --> 00:58:16,920
My mind a policy is, hey, you 
should have multiple forms of 

1060
00:58:16,920 --> 00:58:19,000
authentication. 
Great. 

1061
00:58:20,080 --> 00:58:24,600
How I do that might be an IT 
standard or a corporate standard

1062
00:58:24,600 --> 00:58:27,680
or a security standard that 
says, OK, the policy says we 

1063
00:58:27,680 --> 00:58:30,880
have to have multiple forms of 
authentication based on our risk

1064
00:58:30,880 --> 00:58:32,720
tolerance as an organization. 
And we've talked to the 

1065
00:58:32,720 --> 00:58:34,880
executive about it. 
We've kind of established this 

1066
00:58:34,880 --> 00:58:36,520
is the minimum bar that you need
to be at. 

1067
00:58:37,120 --> 00:58:40,320
We're going to allow SMS, we're 
going to allow push 

1068
00:58:40,320 --> 00:58:42,360
notification, and we're going to
allow YubiKey. 

1069
00:58:42,840 --> 00:58:44,760
And maybe that changes on a row.
But those are the three we're 

1070
00:58:44,760 --> 00:58:47,040
going to do for now. 
Now you've got your standard, 

1071
00:58:47,440 --> 00:58:50,760
here's our standard process for 
that, or sorry, our standard for

1072
00:58:50,760 --> 00:58:53,920
the implementation or 
application of that policy. 

1073
00:58:54,600 --> 00:58:56,960
And then the procedure is how 
you do those types of things. 

1074
00:58:56,960 --> 00:59:00,240
I think sometimes I see a lot of
policies that are like trying to

1075
00:59:00,240 --> 00:59:02,960
jam standards into it. 
And depending on the 

1076
00:59:02,960 --> 00:59:06,240
organization, maybe you can 
change policies really easy, 

1077
00:59:06,480 --> 00:59:09,400
maybe you can't. 
Maybe it requires a board 

1078
00:59:09,400 --> 00:59:12,400
approval or something that 
doesn't happen very often and 

1079
00:59:12,400 --> 00:59:15,800
you get stuck kind of behind the
times and you're not able to 

1080
00:59:15,800 --> 00:59:20,680
really kind of push, yeah, the 
security of a certain policy or 

1081
00:59:20,880 --> 00:59:22,480
a certain standard that you want
to put in place. 

1082
00:59:22,480 --> 00:59:26,520
So I feel like the governance, 
the policies that go around 

1083
00:59:26,520 --> 00:59:29,280
that, the standards, but then 
also the monitoring, the measure

1084
00:59:29,320 --> 00:59:31,680
goes with that as well as OK, 
well, OK, we got this. 

1085
00:59:31,680 --> 00:59:33,080
IAM program. 
How do we know if it's 

1086
00:59:33,080 --> 00:59:35,480
successful? 
What are some of the metrics? 

1087
00:59:36,040 --> 00:59:38,840
You know, can you just stick 
your head out the window and 

1088
00:59:38,840 --> 00:59:40,920
say, well, it feels a little bit
warmer today. 

1089
00:59:40,920 --> 00:59:44,840
So I think we're doing good, you
know, yeah, customer 

1090
00:59:44,840 --> 00:59:46,920
satisfaction surveys will 
certainly be important. 

1091
00:59:46,920 --> 00:59:49,400
It's like, hey, our people, you 
know, they think this is a good 

1092
00:59:49,400 --> 00:59:52,080
experience, but there should be 
hard metrics as well, right, 

1093
00:59:52,080 --> 00:59:54,440
Jim? 
It's like how many automations 

1094
00:59:54,640 --> 00:59:57,320
did we are we able to do for 
onboarding, for off boarding? 

1095
00:59:57,680 --> 01:00:02,360
How many, you know, bad sessions
were we able to block from 

1096
01:00:02,360 --> 01:00:04,160
authenticating entire 
environment, right. 

1097
01:00:04,880 --> 01:00:08,280
There should be some ability to 
drive some metrics that makes 

1098
01:00:08,280 --> 01:00:10,080
sense to your organization to 
kind of demonstrate it because 

1099
01:00:10,080 --> 01:00:12,560
at the end of the day you need 
to show value and a lot of 

1100
01:00:12,560 --> 01:00:14,960
times. 
Especially in the IAM world, that

1101
01:00:14,960 --> 01:00:17,240
value is almost invisible 
because it's like, well, I just 

1102
01:00:17,240 --> 01:00:20,000
typed my ID and password or I 
did a prompt on my phone and I 

1103
01:00:20,000 --> 01:00:23,120
was in like, what's security? 
You're right. 

1104
01:00:23,160 --> 01:00:25,520
OK, Well you know, I've said 
this before, like look in your 

1105
01:00:25,520 --> 01:00:28,480
Microsoft account and go and 
look at your access history and 

1106
01:00:28,480 --> 01:00:32,840
I'm sure you will see tons and 
tons of things where people were

1107
01:00:32,840 --> 01:00:35,120
trying to get into your 
Microsoft account and Microsoft 

1108
01:00:35,280 --> 01:00:37,680
to their credit, blocked it. 
They're giving you a log and 

1109
01:00:37,680 --> 01:00:40,320
say, hey, these roads again, but
they didn't service it to me 

1110
01:00:40,840 --> 01:00:43,040
because it never rose to the 
level where they felt confident 

1111
01:00:43,040 --> 01:00:45,280
it was me logging in, right? 
You need to be able to 

1112
01:00:45,280 --> 01:00:49,960
demonstrate those sorts of wins 
and publicize those wins, make 

1113
01:00:49,960 --> 01:00:52,240
people aware of it. 
Continuing about what the value 

1114
01:00:52,240 --> 01:00:54,000
is that you're bringing to your 
organization, whether it's 

1115
01:00:54,240 --> 01:00:58,440
efficiency, risk reduction, you 
know, hey, we saved X percent on

1116
01:00:58,440 --> 01:01:01,040
our premium this year because we
had our strong privileged access 

1117
01:01:01,040 --> 01:01:03,280
management, you know, platform 
in place. 

1118
01:01:04,160 --> 01:01:06,520
Hooray win. 
You know, maybe it paid for the 

1119
01:01:06,520 --> 01:01:09,200
privileged access management 
investment. Always be looking for

1120
01:01:09,200 --> 01:01:11,760
those things to to promote the 
wins and to measure the success 

1121
01:01:11,760 --> 01:01:13,680
of the organization. 
What do you think? 

1122
01:01:14,800 --> 01:01:18,120
I think you you know that there 
were a few points I wanted to 

1123
01:01:18,360 --> 01:01:21,840
add on to. 
I think when you have Carl's you

1124
01:01:21,840 --> 01:01:28,920
framework and you say you shall 
have every access shall require 

1125
01:01:29,160 --> 01:01:31,640
multi-factor authentication. 
It's Cuba simple. 

1126
01:01:33,200 --> 01:01:35,080
What are you doing to monitor 
that? 

1127
01:01:35,520 --> 01:01:42,760
So let's say you have 700 entry 
points and 500 of them are 

1128
01:01:42,760 --> 01:01:49,160
connected into your IDP that has
multi-factor authentication. 

1129
01:01:49,520 --> 01:01:53,240
Maybe you're doing adaptive, so 
that's green check box for those

1130
01:01:53,240 --> 01:01:55,280
500. 
What about the other 200? 

1131
01:01:55,640 --> 01:01:58,640
Are you? 
Are you keeping track of whether

1132
01:01:58,640 --> 01:02:01,440
or not they have met all the 
policies? 

1133
01:02:01,480 --> 01:02:05,640
If not, you don't know whether 
or not you're complying with 

1134
01:02:05,640 --> 01:02:09,040
your own policies as an 
organization. 

1135
01:02:09,520 --> 01:02:11,280
And so I think that's very 
important. 

1136
01:02:11,560 --> 01:02:16,480
I think also having a very 
formal exception process because

1137
01:02:16,840 --> 01:02:21,400
you'll have legacy applications 
that say our application is like

1138
01:02:21,920 --> 01:02:28,720
dumb tube, you know, in other 
words, it's a telnet session and

1139
01:02:29,720 --> 01:02:34,360
MFA is not possible. 
OK, maybe it is, maybe it isn't,

1140
01:02:34,360 --> 01:02:37,920
but let's just say it isn't and 
they have a a technical reason 

1141
01:02:37,920 --> 01:02:40,520
why it won't work. 
Whatever software they're 

1142
01:02:40,520 --> 01:02:45,000
running won't integrate with 
whatever solutions you can come 

1143
01:02:45,000 --> 01:02:46,840
up with. 
That's fine. 

1144
01:02:46,840 --> 01:02:50,560
You have to file a formal 
exception and somebody in the 

1145
01:02:50,560 --> 01:02:56,080
business, some business person, 
even if it's an IT executive has

1146
01:02:56,080 --> 01:02:59,800
to own that risk. 
That's to me. 

1147
01:03:00,080 --> 01:03:03,200
And, and by the way, this has 
nothing to do with identity. 

1148
01:03:03,200 --> 01:03:07,720
This is how you run a good 
cybersecurity department is 

1149
01:03:08,160 --> 01:03:12,200
yeah, policies the organization 
has to policies and standards 

1150
01:03:12,200 --> 01:03:14,360
they are. 
They're not optional. 

1151
01:03:14,640 --> 01:03:16,720
It must be complied with by 
everyone. 

1152
01:03:16,960 --> 01:03:21,280
And if they can't be complied 
with, a formal exception needs 

1153
01:03:21,280 --> 01:03:27,320
to be applied for and approved. 
And in order for that to happen,

1154
01:03:27,920 --> 01:03:30,440
a senior executive needs to sign
off on it. 

1155
01:03:30,440 --> 01:03:33,920
And usually it's an ink 
signature, but you know, a 

1156
01:03:33,920 --> 01:03:36,200
workflow tool would probably be 
fine as well. 

1157
01:03:36,200 --> 01:03:40,480
But what I'm getting at is that,
you know, that's a risk 

1158
01:03:40,480 --> 01:03:44,280
management exercise that's above
and beyond identity. 

1159
01:03:44,560 --> 01:03:48,440
I should include really all of 
your cybersecurity policies and 

1160
01:03:48,440 --> 01:03:50,920
standards. 
So I think that's important. 

1161
01:03:52,080 --> 01:03:59,600
We also talked about, you know, 
clear roles and responsibilities

1162
01:03:59,600 --> 01:04:02,640
for your program. 
I, I, I think you may be into 

1163
01:04:02,640 --> 01:04:07,560
that, that I think that, you 
know, identifying those up front

1164
01:04:07,560 --> 01:04:11,320
is going to be very important, 
evolving those over time, who's 

1165
01:04:11,320 --> 01:04:15,880
responsible for what decisions 
within your program, spending 

1166
01:04:15,880 --> 01:04:19,840
money or changing policies, 
things like that. 

1167
01:04:20,160 --> 01:04:23,240
Who, who's got that 
responsibility within your 

1168
01:04:23,240 --> 01:04:26,080
program? 
Yeah. 

1169
01:04:26,200 --> 01:04:28,000
So I think those things are very
important. 

1170
01:04:28,000 --> 01:04:32,560
I think that the basis of your 
IAM program is your policies, 

1171
01:04:33,040 --> 01:04:36,480
your shared services should be 
called your easy button to 

1172
01:04:36,480 --> 01:04:41,000
comply with those policies. 
So, you know, teams that are, 

1173
01:04:41,440 --> 01:04:46,600
you know, maybe have some 
autonomy over their application 

1174
01:04:46,600 --> 01:04:50,040
or they're saying, hey, our 
application is too important to 

1175
01:04:50,040 --> 01:04:54,400
rely on your creaky IAM system, 
so we're just going to do our 

1176
01:04:54,400 --> 01:04:57,640
own IAM. 
That's fine, whatever you know, 

1177
01:04:57,640 --> 01:05:01,400
maybe executives have said just 
leave them alone, that's fine. 

1178
01:05:01,400 --> 01:05:04,480
They still need to comply with 
the policies or if they're not 

1179
01:05:04,480 --> 01:05:08,360
going to apply someone you're 
saying the race as to see. 

1180
01:05:08,360 --> 01:05:11,000
So that's the personality. 
Yeah, I agree with that. 

1181
01:05:11,040 --> 01:05:15,000
I think that idea of, you know, 
basically conducting a 

1182
01:05:15,000 --> 01:05:19,000
certification campaign right 
against things that are not 

1183
01:05:19,000 --> 01:05:21,920
within compliance of whatever 
policies you set out makes 

1184
01:05:21,920 --> 01:05:25,080
sense. 
Maybe it's OK, Yeah, telnet 

1185
01:05:25,080 --> 01:05:26,400
example for example, that you 
mentioned. 

1186
01:05:26,400 --> 01:05:28,680
OK, yeah, they, they can't 
comply. 

1187
01:05:28,680 --> 01:05:30,600
All right, let's check back 
again in a year and see if 

1188
01:05:30,600 --> 01:05:32,720
things changed or six months or 
whatever the right time frame 

1189
01:05:32,720 --> 01:05:34,760
is. 
Yeah, maybe it's time to move on

1190
01:05:34,760 --> 01:05:37,000
from a technology that doesn't 
meet modern standards. 

1191
01:05:37,400 --> 01:05:39,960
You know, maybe there's a 
company out there, and I think 

1192
01:05:39,960 --> 01:05:41,480
we've mentioned this in prior 
episodes, like there's this 

1193
01:05:41,480 --> 01:05:45,400
website, right, SSO tax or SSO 
dot tax or something like that, 

1194
01:05:45,400 --> 01:05:49,200
where companies charge for basic
security things like enabling 

1195
01:05:49,200 --> 01:05:51,760
SSO. 
Maybe they're not the right 

1196
01:05:51,760 --> 01:05:54,080
choice if they're going to 
charge for basic security 

1197
01:05:54,080 --> 01:05:56,680
concepts like that. 
Yeah, maybe they're a good 

1198
01:05:56,680 --> 01:06:00,080
product and you know, maybe, you
know, they, they, there are no 

1199
01:06:00,080 --> 01:06:02,760
other choices, but I think 
that's part of that same, same 

1200
01:06:02,760 --> 01:06:05,360
ideas like, hey, what are we 
doing to get better? 

1201
01:06:05,360 --> 01:06:07,160
Track what you've got, measure 
it. 

1202
01:06:07,760 --> 01:06:10,560
And yeah, some things are going 
to be a compliance, especially 

1203
01:06:10,560 --> 01:06:14,920
when you're just starting out. 
Nobody is 100% compliant 100% of

1204
01:06:14,920 --> 01:06:17,560
the time. 
There are always accepted risk 

1205
01:06:17,560 --> 01:06:21,960
somewhere that someone of the 
appropriate authority level or, 

1206
01:06:22,360 --> 01:06:25,680
you know, signing authority has 
said, OK, I'm willing to accept 

1207
01:06:25,680 --> 01:06:27,200
that risk. 
If something happens, then we'll

1208
01:06:27,200 --> 01:06:29,920
deal with it. 
That exists. 

1209
01:06:30,200 --> 01:06:32,120
Plan for it and you won't be 
surprised. 

1210
01:06:33,560 --> 01:06:36,960
You also mentioned one of the 
thing that I've got to cover 

1211
01:06:36,960 --> 01:06:46,280
which was around monitoring or 
measuring user experience and 

1212
01:06:46,640 --> 01:06:51,520
how much of your ROI they 
committed to you're achieving. 

1213
01:06:51,520 --> 01:06:55,680
So you're asking the company to 
invest in identity. 

1214
01:06:56,320 --> 01:06:59,840
I think the thing you should do 
with being a program is really 

1215
01:06:59,840 --> 01:07:03,880
have a well thought out plan of 
what are the dials that you're 

1216
01:07:03,880 --> 01:07:07,840
going to improve. 
Snap a line, where does those 

1217
01:07:07,840 --> 01:07:11,600
dials exist today? 
Whether it's in terms of things 

1218
01:07:11,600 --> 01:07:16,120
that are easily measured within 
the tools that you have, you 

1219
01:07:16,120 --> 01:07:20,120
know, longer password resets, 
things like that, or things that

1220
01:07:20,120 --> 01:07:23,320
you have to go out to the 
business to measure with survey 

1221
01:07:23,320 --> 01:07:25,960
data, for example, like user 
experience. 

1222
01:07:26,480 --> 01:07:29,680
But either way, you need to be 
able to show improvement over 

1223
01:07:29,680 --> 01:07:32,400
time. 
Six months, a year, year and a 

1224
01:07:32,400 --> 01:07:36,360
half, two years to show, hey, 
remember I asked you for 

1225
01:07:36,360 --> 01:07:39,720
$1,000,000. 
I said I could do all these 

1226
01:07:39,720 --> 01:07:41,680
great things. 
I did all these great things. 

1227
01:07:41,680 --> 01:07:47,000
User experience improved by 50%.
That's huge. 

1228
01:07:47,240 --> 01:07:48,800
This shows you're a good bet, 
right? 

1229
01:07:48,800 --> 01:07:51,520
And if you can deliver on that, 
you're guess what? 

1230
01:07:51,520 --> 01:07:53,920
You're probably going to be more
apt to find funding for future 

1231
01:07:53,920 --> 01:07:56,760
projects that you want to work 
on as well or to keep things 

1232
01:07:56,760 --> 01:07:58,040
going. 
And I think this is why it's so 

1233
01:07:58,040 --> 01:08:00,400
important to be communicating. 
You know, throughout this entire

1234
01:08:00,400 --> 01:08:02,600
process. 
I don't think you can 

1235
01:08:02,600 --> 01:08:05,400
communicate enough. 
I do think you need to give some

1236
01:08:05,400 --> 01:08:07,480
thought into the communications 
that you are doing. 

1237
01:08:07,680 --> 01:08:10,000
Know your audience. 
Who are you talking to? 

1238
01:08:10,440 --> 01:08:13,240
What is relevant to them and 
what do they care about? 

1239
01:08:13,240 --> 01:08:16,000
Try to think about it from their
perspective and tailor that 

1240
01:08:16,000 --> 01:08:19,560
communication to them, but 
always be thinking about, OK, 

1241
01:08:20,040 --> 01:08:22,479
how do I explain this? 
I get stuck in an elevator, you 

1242
01:08:22,479 --> 01:08:26,040
know, with somebody. 
Can I explain what my IAM program

1243
01:08:26,040 --> 01:08:28,479
is doing on the 15 second write 
up? 

1244
01:08:28,479 --> 01:08:31,479
Or can I, hey, you know what? 
We just rolled this thing out 

1245
01:08:31,520 --> 01:08:34,680
and you should check it out, you
know, and and and and have that 

1246
01:08:34,680 --> 01:08:39,319
dialogue going with people, both
part of your program, but also 

1247
01:08:39,319 --> 01:08:42,920
to your customers of your IAM 
program, whether it's workforce 

1248
01:08:43,240 --> 01:08:45,920
or, you know, customers in a B2C
type scenario. 

1249
01:08:46,279 --> 01:08:49,439
So the communication is super 
important throughout any time 

1250
01:08:49,439 --> 01:08:51,600
you get to celebrate a win, 
celebrate the win. 

1251
01:08:52,359 --> 01:08:54,200
Draw attention to it, highlight 
it. 

1252
01:08:54,760 --> 01:08:56,920
If there are issues, address 
them as well. 

1253
01:08:56,920 --> 01:09:00,399
Hey, this is not working and 
let's not be afraid to go back 

1254
01:09:00,399 --> 01:09:05,240
and rethink how this is 
implemented or the business 

1255
01:09:05,240 --> 01:09:06,880
process is designed or whatever 
it may be. 

1256
01:09:07,160 --> 01:09:09,160
It's OK to be wrong. 
And I think sometimes we 

1257
01:09:09,160 --> 01:09:11,120
struggle with what we have to be
perfect every single time. 

1258
01:09:12,200 --> 01:09:13,960
It's just not realistic, right? 
We're humans, we're going to 

1259
01:09:13,960 --> 01:09:18,200
make mistakes, but be willing to
admit the mistakes and think 

1260
01:09:18,200 --> 01:09:21,600
about it and maybe you think 
it's great, but your customers 

1261
01:09:21,600 --> 01:09:24,040
hate it. 
Hey, I'm sorry, as much as I 

1262
01:09:24,040 --> 01:09:26,479
love it, I'm going to have to 
redo that and and come at it 

1263
01:09:26,479 --> 01:09:28,399
from a different angle. 
And that's fine. 

1264
01:09:28,560 --> 01:09:30,800
It's OK to get smarter. 
And I think sometimes we lose 

1265
01:09:30,800 --> 01:09:33,560
that as well. 
I think lastly, the most 

1266
01:09:33,560 --> 01:09:35,240
important thing I think is to 
stay current. 

1267
01:09:35,800 --> 01:09:39,000
A lot of times we see 
investments in, hey, we're going

1268
01:09:39,000 --> 01:09:40,800
to stand up on IAM programs could
be awesome. 

1269
01:09:41,240 --> 01:09:43,880
We gave it like 2-3 years and we
were really kicking butt. 

1270
01:09:44,279 --> 01:09:47,880
And then it just kind of like 
died on the vine and just kind 

1271
01:09:47,880 --> 01:09:50,800
of coasted and didn't keep up 
with the world and the 

1272
01:09:50,800 --> 01:09:55,000
environment. 
And now here you are four years 

1273
01:09:55,000 --> 01:09:57,880
later, five years later, six 
years later, and it's like, wow,

1274
01:09:57,880 --> 01:09:59,640
what happened? 
Like we used to have a really 

1275
01:09:59,640 --> 01:10:03,240
kick butt IAM program and 
services, but we didn't keep up 

1276
01:10:03,240 --> 01:10:04,400
with things. 
We didn't stay current. 

1277
01:10:04,760 --> 01:10:07,520
And I think it's really 
important, you know, we had, I 

1278
01:10:07,960 --> 01:10:10,640
kind of had this conversation 
earlier today was there's peaks 

1279
01:10:10,640 --> 01:10:13,600
and valleys in an IAM program. 
If you're not doing it right, 

1280
01:10:14,360 --> 01:10:16,720
you want to smooth those peaks 
and valleys out as much as 

1281
01:10:16,720 --> 01:10:19,960
possible. 
If you're behind, you're going 

1282
01:10:19,960 --> 01:10:23,200
to have to invest to catch up. 
And invest means money, people, 

1283
01:10:23,200 --> 01:10:25,960
time, whatever that is. 
But there's going to be a spike 

1284
01:10:26,240 --> 01:10:30,160
to get up to a certain level and
then you're going to have to 

1285
01:10:30,400 --> 01:10:34,080
keep a certain level of 
investment going to maintain and

1286
01:10:34,080 --> 01:10:36,920
to keep current with things. 
What typically happens is if you

1287
01:10:36,920 --> 01:10:40,880
look at, you know, a budget for 
an IAM program over 10 years, if 

1288
01:10:40,880 --> 01:10:44,640
you're not doing it right, is 
you'll see a spike in year 1 and

1289
01:10:44,640 --> 01:10:47,840
then it drips down to like, you 
know, year three, year four and then

1290
01:10:47,840 --> 01:10:49,760
another spike and it kind of 
drips down. 

1291
01:10:50,200 --> 01:10:53,080
If you had just kept current, it
would have been a lot cheaper 

1292
01:10:53,080 --> 01:10:55,120
and you would have been a lot 
better positioned from a risk 

1293
01:10:55,120 --> 01:10:57,960
and a usability standpoint, most
likely, if you had just 

1294
01:10:57,960 --> 01:11:00,360
maintained and kept current with
where the market is. 

1295
01:11:00,920 --> 01:11:02,840
And I think that's really 
important for people who's like,

1296
01:11:03,520 --> 01:11:05,760
great you put in technology and 
what's next? 

1297
01:11:05,840 --> 01:11:08,280
What should I be thinking about?
What did I see at a conference? 

1298
01:11:08,280 --> 01:11:11,240
What did I hear on the world 
famous Identity at the Center 

1299
01:11:11,240 --> 01:11:13,960
podcast, right? 
What are the things that I need 

1300
01:11:13,960 --> 01:11:17,440
to be thinking about for, you 
know, skating to the puck and 

1301
01:11:17,440 --> 01:11:18,440
hockey. 
You don't skate to where the 

1302
01:11:18,440 --> 01:11:19,840
puck is, you skate to where it's
going. 

1303
01:11:20,120 --> 01:11:22,520
The business is like that. 
Your IAM program should be like 

1304
01:11:22,520 --> 01:11:25,400
that. 
And if you're not doing it, 

1305
01:11:25,400 --> 01:11:27,560
guess what? 
The puck is still going, you're 

1306
01:11:27,560 --> 01:11:29,080
just going to be further and 
further behind. 

1307
01:11:29,280 --> 01:11:32,200
So you want to make maintain 
your cadence and your ability to

1308
01:11:32,200 --> 01:11:35,960
keep up with the world from an 
IAM perspective as well as the 

1309
01:11:35,960 --> 01:11:39,560
business side of things. 
Yeah, I think, I think 

1310
01:11:39,560 --> 01:11:43,240
organization can fall back, fall
behind for a few reasons. 

1311
01:11:43,640 --> 01:11:49,080
One is they have to shake up 
people and maybe the people who 

1312
01:11:49,640 --> 01:11:54,000
were responsible for the IAM road
map moved into all through 

1313
01:11:54,000 --> 01:11:57,640
things. 
Priority shifted and that role 

1314
01:11:57,640 --> 01:12:01,840
never got back filled. 
So it just became continue to 

1315
01:12:01,840 --> 01:12:03,720
operate. 
And that's something that we say

1316
01:12:03,960 --> 01:12:05,600
IAM. 
It's not a project that's 

1317
01:12:05,680 --> 01:12:08,480
program. 
So you take your eye off the 

1318
01:12:08,480 --> 01:12:11,080
road. 
We just you have the things the 

1319
01:12:11,080 --> 01:12:16,480
car keeps moving, but you're not
paying it to to the road and bad

1320
01:12:16,480 --> 01:12:20,440
things can happen. 
I think the other thing is I've 

1321
01:12:20,440 --> 01:12:23,280
seen this happen for a few 
clients over the years. 

1322
01:12:24,080 --> 01:12:30,240
They get signed up in the MSSP 
doing identity as a service, 

1323
01:12:30,640 --> 01:12:36,640
but they build that MSSP around 
what we do today. 

1324
01:12:37,120 --> 01:12:40,960
They have to take into account 
that they're going to want this 

1325
01:12:40,960 --> 01:12:45,000
system enhanced, but I think 
probably the best way is to set 

1326
01:12:45,000 --> 01:12:49,800
some money aside or have some 
flexibility to be able to 

1327
01:12:49,800 --> 01:12:53,560
perform enhancements in the 
system themselves, one or the 

1328
01:12:53,560 --> 01:12:55,040
other. 
Usually they don't have any 

1329
01:12:55,040 --> 01:12:58,080
staff left, right? 
They outsource the management of

1330
01:12:58,080 --> 01:13:00,120
their IAM. 
They need to put some money 

1331
01:13:00,120 --> 01:13:04,840
aside for enhancements because 
what you have today is not going

1332
01:13:04,840 --> 01:13:06,880
to serve you three years on the 
rig. 

1333
01:13:07,840 --> 01:13:11,400
I don't care who you are, I can 
almost guarantee three years on 

1334
01:13:11,400 --> 01:13:12,880
the rig. 
You're going to require 

1335
01:13:12,880 --> 01:13:16,360
enhancements along the way 
because if it's going to change,

1336
01:13:16,560 --> 01:13:20,000
you're going to have new 
applications, a new HR system, 

1337
01:13:20,440 --> 01:13:24,080
say it's there. 
So you need to take that into 

1338
01:13:24,080 --> 01:13:26,800
account. 
Even if you're outsourcing the 

1339
01:13:26,800 --> 01:13:30,920
maintenance of your IAM system, 
which may make total sense to 

1340
01:13:30,920 --> 01:13:33,320
your organization, may make 
total sense for you. 

1341
01:13:33,640 --> 01:13:38,400
Just remember to put some money 
aside or build it into your 

1342
01:13:38,400 --> 01:13:43,280
budget, build it into your bill 
to get that system to have 

1343
01:13:43,800 --> 01:13:47,920
tickets or whatever their 
process is for enhancing that 

1344
01:13:47,920 --> 01:13:49,360
system. 
Yeah, I think that's a really 

1345
01:13:49,360 --> 01:13:50,760
good tip. 
I think the other thing I'll add

1346
01:13:50,760 --> 01:13:54,920
to that is there's a lot of 
vendors out there and fewer 

1347
01:13:54,920 --> 01:13:58,040
partners. 
If you are working with, you 

1348
01:13:58,040 --> 01:14:01,720
know, an MSSP or or something on
those lines, whatever managed 

1349
01:14:01,720 --> 01:14:04,960
service, look for a partner, 
look for somebody who's you 

1350
01:14:04,960 --> 01:14:08,440
know, got your, is interested in
helping you involve in helping 

1351
01:14:08,440 --> 01:14:12,000
you get the most out of things 
and has a plan to say, hey, you 

1352
01:14:12,000 --> 01:14:13,680
know, this thing is what it 
looks like right now. 

1353
01:14:13,720 --> 01:14:15,640
It's going to change and that's 
OK, that's fine. 

1354
01:14:15,640 --> 01:14:17,600
That's natural. 
Here's how we're going to keep 

1355
01:14:17,600 --> 01:14:20,360
up with that, right? 
And maybe it's as simple as, 

1356
01:14:20,360 --> 01:14:22,600
hey, there's going to be a 
version upgrade because we're a 

1357
01:14:22,600 --> 01:14:25,120
partner with so and so company 
and we're using our technology. 

1358
01:14:25,120 --> 01:14:27,480
We know this is coming. 
This is something you want to 

1359
01:14:27,480 --> 01:14:31,960
plan for or hey, I saw this neat
thing called passkeys at a 

1360
01:14:31,960 --> 01:14:33,880
conference last year. 
Have you guys thought about 

1361
01:14:33,880 --> 01:14:36,920
that? 
If you have a good partner, it 

1362
01:14:36,920 --> 01:14:40,800
makes a world of difference for 
your experience with any type of

1363
01:14:40,800 --> 01:14:43,000
managed service. 
And I think a lot of times, you 

1364
01:14:43,000 --> 01:14:46,120
know, it's unfortunate, but 
money rules sometimes. 

1365
01:14:46,120 --> 01:14:50,480
And those partners tend to be a 
little bit more expensive 

1366
01:14:51,080 --> 01:14:54,040
upfront, but maybe they pay off 
in the long run because you're 

1367
01:14:54,040 --> 01:14:56,440
in a much better position and, 
you know, maybe you've developed

1368
01:14:56,440 --> 01:14:58,560
a better relationship with those
partners. 

1369
01:14:58,560 --> 01:15:01,640
So I think it's also something 
to think about as, you know, if 

1370
01:15:01,640 --> 01:15:03,480
you're going to outsource, 
really consider who you're 

1371
01:15:03,480 --> 01:15:06,080
working with and make sure that 
you had a really good 

1372
01:15:06,080 --> 01:15:08,600
comfortable feeling with it. 
People are going to change, 

1373
01:15:08,640 --> 01:15:11,440
right? 
I mean, you and I might go from 

1374
01:15:11,440 --> 01:15:14,880
one company to another like we 
have, and those relationships, 

1375
01:15:14,880 --> 01:15:16,800
you know, will probably carry 
along from there. 

1376
01:15:16,800 --> 01:15:19,600
But you really want to make sure
you understand the company that 

1377
01:15:19,600 --> 01:15:22,520
you're getting, you know, to 
partner with and making sure 

1378
01:15:22,520 --> 01:15:24,280
that they're the right fit for 
you strategically. 

1379
01:15:24,920 --> 01:15:27,640
Because hopefully you hope that.
It's a long term relationship. 

1380
01:15:28,800 --> 01:15:32,280
Thank goodness it any better 
believe you they're I keep 

1381
01:15:32,280 --> 01:15:34,560
hearing the same company names 
also working. 

1382
01:15:34,640 --> 01:15:39,040
I'm not not going to repeat them
on the podcast, but you know, 

1383
01:15:39,360 --> 01:15:44,560
they leave a Trail of Tears that
they go in off at the lowest 

1384
01:15:44,560 --> 01:15:47,560
price and then change order you 
to death. 

1385
01:15:48,880 --> 01:15:53,880
And and to avoid all the change 
order issues, basically sit pat 

1386
01:15:54,320 --> 01:15:57,560
and have a system that gets 
older and older. 

1387
01:15:58,520 --> 01:16:01,760
It's not a good situation. 
Yeah. 

1388
01:16:02,800 --> 01:16:04,400
OK. 
I think this might be a record 

1389
01:16:04,400 --> 01:16:06,760
for our longest episode ever, so
why don't we leave it there? 

1390
01:16:06,800 --> 01:16:08,440
I'll just kind of recap real 
quickly. 

1391
01:16:08,720 --> 01:16:10,480
I just realized we have 10 steps
here. 

1392
01:16:11,880 --> 01:16:15,480
One, define your goals in the 
scope. 2, conduct an assessment.

1393
01:16:15,480 --> 01:16:20,520
3, get that executive buy in. 
Four, put together your your IAM 

1394
01:16:20,520 --> 01:16:23,040
team and it should be a cross 
functional kind of core team. 

1395
01:16:23,040 --> 01:16:27,680
Not everybody a core team. 
Make sure you're picking the 

1396
01:16:27,680 --> 01:16:31,320
right technologies. 
Number six, think about what 

1397
01:16:31,320 --> 01:16:34,880
your deployment is going to look
like, whether it's phased, some 

1398
01:16:34,880 --> 01:16:37,560
sort of implementation plan. 
How are you going to make this 

1399
01:16:37,560 --> 01:16:39,640
thing digestible for the 
organization? 

1400
01:16:40,920 --> 01:16:42,320
Don't forget about the user 
experience. 

1401
01:16:42,320 --> 01:16:43,720
Make sure that that's a 
priority. 

1402
01:16:43,960 --> 01:16:47,440
Think about your governance and 
your policies and your standards

1403
01:16:47,440 --> 01:16:50,840
and your measurements and how 
you're going to monitor all that

1404
01:16:51,280 --> 01:16:54,240
and then stay current and 
communicate this sort of like 

1405
01:16:54,520 --> 01:16:57,440
weaved kind of threw out there. 
So but it's 10 if we don't count

1406
01:16:57,440 --> 01:16:59,800
communicate because you should 
be doing that the whole time. 

1407
01:16:59,800 --> 01:17:04,240
So that's the kind of sum it up.
You know, I didn't really think 

1408
01:17:04,240 --> 01:17:05,920
of a lighter note question. 
You got any ideas? 

1409
01:17:07,240 --> 01:17:08,280
Have you done? 
Anything. 

1410
01:17:08,280 --> 01:17:13,000
What was your last trip? 
My last work trip was DC. 

1411
01:17:13,120 --> 01:17:17,040
You were there. 
I mean, we were in DC, I think 

1412
01:17:17,040 --> 01:17:19,000
before that. 
Or was I? 

1413
01:17:19,560 --> 01:17:22,200
You know, someone said to me the
other day, it was like, you 

1414
01:17:22,200 --> 01:17:24,040
know, you travel a lot, but you 
don't remember where you've 

1415
01:17:24,040 --> 01:17:25,320
been. 
And I feel like that's where I'm

1416
01:17:25,320 --> 01:17:27,360
at. 
I guess my last personal trip 

1417
01:17:27,360 --> 01:17:31,880
was that trip I took to Texas 
for my friend's 50th surprise 

1418
01:17:31,880 --> 01:17:33,400
birthday party, which was a lot 
of fun. 

1419
01:17:33,920 --> 01:17:36,800
And that was good times. 
You know, that was it was a 

1420
01:17:36,800 --> 01:17:39,560
great time to reconnect with 
some folks I hadn't seen in a 

1421
01:17:39,560 --> 01:17:41,400
long time. 
And it was great to just kind 

1422
01:17:41,400 --> 01:17:44,640
of, you know, do a nice thing 
for somebody who, you know, as a

1423
01:17:44,640 --> 01:17:47,040
friend of mine and, and kind of 
bring joy to their life. 

1424
01:17:47,040 --> 01:17:48,840
And I think more people should 
do that. 

1425
01:17:49,600 --> 01:17:51,720
What about you? 
What's the last personal trip 

1426
01:17:51,720 --> 01:17:57,960
you've taken? 
Personal trip I've I'm in 

1427
01:17:57,960 --> 01:18:01,680
Austin, TX right now. 
One thing I've noticed is like 

1428
01:18:01,680 --> 01:18:04,960
everybody I talk to is like it's
great here. 

1429
01:18:05,080 --> 01:18:07,400
They love living here. 
It's too hot. 

1430
01:18:07,840 --> 01:18:13,400
I mean, it, it's mid-September 
and it went up to 100° today. 

1431
01:18:13,400 --> 01:18:16,960
So I'm assuming that's too high.
I can't do that, way too high. 

1432
01:18:18,600 --> 01:18:22,360
But everybody seems to love it. 
But everybody complains about 

1433
01:18:22,600 --> 01:18:24,520
how expensive it is to live 
here. 

1434
01:18:24,640 --> 01:18:27,680
And I think that's the thing. 
It's like if some place becomes 

1435
01:18:27,720 --> 01:18:32,600
awesome to live, other people 
find out about it and everybody 

1436
01:18:32,600 --> 01:18:35,400
wants to live there. 
They jacked up the real estate 

1437
01:18:35,400 --> 01:18:38,760
cost and then you can't afford 
to live here anymore. 

1438
01:18:39,720 --> 01:18:45,120
So I don't think many people who
live here, like living here, are

1439
01:18:45,120 --> 01:18:49,040
planning to sell their homes and
move to a new house anytime 

1440
01:18:49,040 --> 01:18:51,000
soon. 
They're they're kind of stuck 

1441
01:18:51,000 --> 01:18:56,040
until 20 forever. 
Well, that's a real positive 

1442
01:18:56,040 --> 01:18:59,120
story, so thanks for that. 
Well, no, I mean it's supposed 

1443
01:18:59,120 --> 01:19:00,640
to be lighter. 
Come on man. 

1444
01:19:00,800 --> 01:19:02,760
It's a cool city, people. 
Love, it's a cool. 

1445
01:19:02,760 --> 01:19:06,720
City and the only downside is 
the cost of rules leader thing 

1446
01:19:07,760 --> 01:19:09,880
and the heat. 
Yeah, well, I just read the 

1447
01:19:09,880 --> 01:19:13,640
other day, you know, I'm in the 
Asheville, NC area and we're no 

1448
01:19:13,640 --> 01:19:16,880
longer the most expensive place 
to rent in for the state. 

1449
01:19:16,880 --> 01:19:18,360
That honor now goes to 
Charlotte. 

1450
01:19:18,360 --> 01:19:21,320
So Asheville has typically been 
one of the more expensive places

1451
01:19:21,320 --> 01:19:24,200
because it's a very desirable 
location, very touristy and the 

1452
01:19:24,200 --> 01:19:25,800
weather is great pretty much 
year round. 

1453
01:19:26,520 --> 01:19:29,920
But now we're #2 and that's, I 
think that's a good thing. 

1454
01:19:30,440 --> 01:19:33,680
So I'm I'm happy about that. 
Yeah, that's really good sign. 

1455
01:19:33,880 --> 01:19:37,920
All right, Jeff, we do against 
the hours to be like a 15 minute

1456
01:19:38,160 --> 01:19:42,440
episode, but no advice. 
Yeah, we try, we try, but we 

1457
01:19:42,440 --> 01:19:45,840
just talk and talk and talk and 
we have so many nuggets of 

1458
01:19:45,840 --> 01:19:47,240
wisdom that we want to share 
with people. 

1459
01:19:47,240 --> 01:19:49,600
So hopefully people get it and 
understand it and they're able 

1460
01:19:49,600 --> 01:19:53,600
to put up with our our weird 
delays with, you know, cell 

1461
01:19:53,600 --> 01:19:56,800
phone connections and and bad 
hotel Wi-Fi. 

1462
01:19:56,800 --> 01:19:58,680
But I think it was good 
episodes. 

1463
01:19:58,760 --> 01:20:00,080
I've got a challenge. 
Yeah. 

1464
01:20:00,560 --> 01:20:03,640
We've been recording this long. 
If anybody is still listening, 

1465
01:20:04,000 --> 01:20:09,880
comment on Jeff's YouTube or I'm
sorry, LinkedIn post about this 

1466
01:20:09,880 --> 01:20:14,200
episode and say where you were 
on your last trip. 

1467
01:20:14,200 --> 01:20:17,120
That'll be interesting. 
That way we'll know where our 

1468
01:20:17,120 --> 01:20:20,640
last five minute Drew is. 
Yeah, on LinkedIn or on the 

1469
01:20:20,640 --> 01:20:22,080
YouTube video, either one's 
fine. 

1470
01:20:22,120 --> 01:20:23,880
Yeah, give us a like and 
subscribe wherever you're 

1471
01:20:23,880 --> 01:20:29,720
listening. idacpodcast.com is 
our website, idacpodcast.tv. 

1472
01:20:29,720 --> 01:20:32,600
We'll take you to our YouTube 
channel and yeah, connect us to 

1473
01:20:32,600 --> 01:20:34,280
LinkedIn. 
If you were listening this long,

1474
01:20:34,280 --> 01:20:37,520
thank you very much. 
Tell us your last personal 

1475
01:20:37,520 --> 01:20:40,040
place, personal travel, not 
business travel that you went 

1476
01:20:40,040 --> 01:20:42,200
on. 
And yeah, we'll keep the 

1477
01:20:42,200 --> 01:20:45,000
conversation going. 
So with that, we'll leave it for

1478
01:20:45,000 --> 01:20:47,280
this week. 
Thanks everyone for watching or 

1479
01:20:47,280 --> 01:20:49,240
listening and we'll talk with 
you all in the next one. 

1480
01:20:51,560 --> 01:20:54,560
You've been listening to 
Identity at the Center. 

1481
01:20:54,920 --> 01:20:59,000
We hope you've enjoyed the show.
Make sure to like, rate and 

1482
01:20:59,000 --> 01:21:02,640
review, and we'll be back soon. 
But in the meantime, hit the 

1483
01:21:02,640 --> 01:21:06,040
website at 
identity@thecenter.com. 

1484
01:21:06,640 --> 01:21:10,720
See you next time on Identity at
the Center.

