1
00:00:00,040 --> 00:00:04,000
Cybersecurity has always been an
apprenticeship, OK? 

2
00:00:04,240 --> 00:00:05,680
It's always been an 
apprenticeship. 

3
00:00:06,080 --> 00:00:12,520
It's not a skill that is just
kind of like learned off of 

4
00:00:12,520 --> 00:00:13,880
books. 
Like you work with a lot of 

5
00:00:13,880 --> 00:00:15,560
people. 
I've learned a lot of stuff from

6
00:00:15,560 --> 00:00:19,200
other people. 
And there's a lot of repeat work

7
00:00:19,440 --> 00:00:22,320
that you do over and over and 
over again. 

8
00:00:22,320 --> 00:00:25,440
And it gets better every time 
you do it right. 

9
00:00:26,080 --> 00:00:30,880
But we don't have but people 
that are sticking around long 

10
00:00:30,880 --> 00:00:35,600
term to be able to cultivate 
that apprenticeship models 

11
00:00:35,800 --> 00:00:37,760
anymore the way that it used to 
be. 

12
00:00:38,040 --> 00:00:40,720
So if we get 2 years here and 
you've got another year here and

13
00:00:40,720 --> 00:00:44,600
two years over there, it looks 
like you've got good experience 

14
00:00:44,600 --> 00:00:47,920
at very large, reputable firms 
and you were part of, you know, 

15
00:00:47,920 --> 00:00:52,240
their, their cyber team. 
But if you took that person as 

16
00:00:52,240 --> 00:00:55,200
an individual and you said, OK, 
let's look at your own personal 

17
00:00:55,200 --> 00:01:01,680
depth on something, right, 
related to these topics, I find 

18
00:01:01,680 --> 00:01:03,760
it sometimes lacking. 
And I think that that's the 

19
00:01:03,760 --> 00:01:07,520
shift that that needs to be made
is that we've got to bring back 

20
00:01:07,560 --> 00:01:09,880
the apprenticeship model a bit 
more. 

21
00:01:11,040 --> 00:01:13,920
We've seen that apprenticeship 
model like if you if you look at

22
00:01:13,920 --> 00:01:17,800
some of the other countries that
are ahead of us in in tech 

23
00:01:17,800 --> 00:01:22,240
development and they're moving 
faster than we are, everywhere 

24
00:01:22,240 --> 00:01:25,520
you look, the apprenticeship 
model is intact. 

25
00:01:31,720 --> 00:01:36,880
This is identity at the center 
if it has anything to do with 

26
00:01:36,920 --> 00:01:41,520
IAM. 
This is the go to podcast now 

27
00:01:41,520 --> 00:01:45,400
your hosts Jim McDonald and Jeff
Steadman.

28
00:01:51,800 --> 00:01:53,480
Welcome to the Identity at the 
Center podcast. 

29
00:01:53,480 --> 00:01:54,880
I'm Jeff, and that's Jim. 
Hey, Jim. 

30
00:01:55,080 --> 00:01:57,000
Hey, Jeff, how are you? 
It's a bad cowboy. 

31
00:01:57,000 --> 00:01:59,400
How are you?
I was wondering because I was

32
00:01:59,400 --> 00:02:02,040
going to scold you if you didn't
say anything about my hat. 

33
00:02:02,040 --> 00:02:04,120
How could I not? 
How could you not? 

34
00:02:04,120 --> 00:02:07,080
I mean, you know. 
OK, so we're at Gartner IAM,

35
00:02:07,080 --> 00:02:10,759
Grapevine, TX, and I'm the only 
one wearing a cowboy hat. 

36
00:02:10,960 --> 00:02:13,720
A little disappointed. 
OK, Mom, you sticking out like a

37
00:02:13,720 --> 00:02:15,760
sore thumb. 
You've got the you've got the 

38
00:02:15,760 --> 00:02:18,480
cowboy hat and you've got the 
Hugh Hefner sort of crushed 

39
00:02:18,480 --> 00:02:20,960
velvet jacket. 
You definitely look like a 

40
00:02:20,960 --> 00:02:23,360
smoking jacket, right? 
But out of Deadwood or something

41
00:02:23,360 --> 00:02:26,600
like that. 
Yeah, well, that's that's my 

42
00:02:26,640 --> 00:02:28,840
jam, you know? 
We did talk about it with Head 

43
00:02:28,840 --> 00:02:30,320
last year. 
By the time people were hearing 

44
00:02:30,320 --> 00:02:33,240
this, I mentioned that because 
you looked like a like a dealer 

45
00:02:33,240 --> 00:02:34,840
in that one and we got a little 
bit of that in the very 

46
00:02:34,840 --> 00:02:36,600
beginning. 
I always say I just want to 

47
00:02:36,600 --> 00:02:39,200
blend in. 
You're doing a terrible job of 

48
00:02:39,200 --> 00:02:43,920
blending in exactly. 
So I want to say thank you for 

49
00:02:43,920 --> 00:02:46,520
Gartner for having us. 
We're going to be speaking 

50
00:02:46,520 --> 00:02:48,800
tomorrow, so it'll be in the 
past at this point. 

51
00:02:49,640 --> 00:02:52,480
But they've hooked us up with a 
room. 

52
00:02:52,480 --> 00:02:56,280
They've done a really nice job. 
RSM has paid our expenses to be 

53
00:02:56,280 --> 00:02:57,960
here. 
So thank you to them as well 

54
00:02:57,960 --> 00:03:03,600
for, you know, making this 
possible to be here and to put 

55
00:03:03,600 --> 00:03:05,560
this podcast together for the 
community. 

56
00:03:05,560 --> 00:03:08,280
So thank you. 
So thank you to Gartner, thank 

57
00:03:08,280 --> 00:03:10,160
you to RSM. 
Why don't we jump into it 

58
00:03:10,160 --> 00:03:12,400
because this is really the start
of a series that we're going to 

59
00:03:12,400 --> 00:03:16,680
be working on throughout 2025. 
And this whole idea of identity 

60
00:03:16,680 --> 00:03:18,640
at the center, right, That's 
what we named this podcast. 

61
00:03:18,640 --> 00:03:22,400
And it is all about the 
intersection of cybersecurity 

62
00:03:22,400 --> 00:03:24,440
and digital identity. 
And one of the things that I 

63
00:03:24,440 --> 00:03:28,480
think about here is as identity 
people, we sort of get into our 

64
00:03:28,480 --> 00:03:31,160
silos sometimes like, oh, it's 
identity thing, but we really 

65
00:03:31,160 --> 00:03:34,560
need to understand how identity 
plays in other parts of 

66
00:03:34,560 --> 00:03:37,800
organizations, security, 
privacy, because we cannot be 

67
00:03:37,800 --> 00:03:41,120
successful as an identity 
individual within an 

68
00:03:41,120 --> 00:03:43,120
organization that needs to be 
organizational buy in. 

69
00:03:43,120 --> 00:03:46,320
So a lot of these conversations 
that we have, sometimes you're 

70
00:03:46,320 --> 00:03:49,120
reaching outside of the identity
team a lot of times, most of the

71
00:03:49,120 --> 00:03:51,720
time I would say, and you really
need to kind of understand, OK, 

72
00:03:51,720 --> 00:03:54,960
well, what are the, you know, 
the, the tricks, the, the, the 

73
00:03:54,960 --> 00:03:57,560
tie-ins, right?
To how does this affect maybe 

74
00:03:57,560 --> 00:04:01,880
somebody who is in application 
security or attack penetration 

75
00:04:01,880 --> 00:04:04,400
or maybe even the business or 
strategy or risk, right? 

76
00:04:04,840 --> 00:04:06,920
So the whole idea here is we're 
going to put together over the 

77
00:04:06,920 --> 00:04:10,480
course of 2025, about 10 
episodes where we kind of pull 

78
00:04:10,480 --> 00:04:13,400
together these ideas and say, 
OK, so this is the Identity 

79
00:04:13,400 --> 00:04:15,920
Center podcast. 
What does that mean when it 

80
00:04:15,920 --> 00:04:18,839
comes to X? 
And today we're kind of setting 

81
00:04:18,839 --> 00:04:20,920
the stage with it, so we'll kind
of go with that. 

82
00:04:20,920 --> 00:04:22,680
We're going to talk obviously 
about digital identity and all 

83
00:04:22,680 --> 00:04:24,800
these, but hopefully that makes 
sense. 

84
00:04:24,800 --> 00:04:27,000
Anything going to add? 
I mean, what I'd like to add to 

85
00:04:27,000 --> 00:04:29,160
that is like the biggest theme 
that's happening at the 

86
00:04:29,160 --> 00:04:32,640
conference and in the industry 
overall is this idea of identity

87
00:04:32,640 --> 00:04:35,640
security. 
So it's that identity is moving 

88
00:04:35,640 --> 00:04:39,440
into a larger role within 
cybersecurity overall. 

89
00:04:39,760 --> 00:04:44,160
And so I had an interesting 
conversation with a few folks 

90
00:04:44,160 --> 00:04:47,360
yesterday where it's like, all 
right, the industry is kind of 

91
00:04:47,360 --> 00:04:49,360
heading to this identity 
security route. 

92
00:04:49,600 --> 00:04:53,360
A lot of clients are still 
fighting the, the ABCs and

93
00:04:53,360 --> 00:04:56,840
123s of role-based access
control gave their 

94
00:04:56,840 --> 00:04:59,520
authentication house in order 
giving privilege access 

95
00:04:59,520 --> 00:05:01,040
management. 
And that's great. 

96
00:05:01,080 --> 00:05:04,200
Like if you have to, if that's 
where you are, that's where you 

97
00:05:04,200 --> 00:05:07,840
are and get those things fixed. 
But this is where the industry's

98
00:05:07,840 --> 00:05:10,280
heading. 
So even if that's where you are,

99
00:05:10,480 --> 00:05:14,320
pay attention to this because a 
year, 2 years down the road, 

100
00:05:14,480 --> 00:05:16,520
this is where you and your 
organization are going to be. 

101
00:05:16,520 --> 00:05:18,800
This is where you're going to be
making your investments. 

102
00:05:19,000 --> 00:05:21,440
So start boning up on it now. 
Yep. 

103
00:05:21,840 --> 00:05:23,880
Important to be well-rounded and
that's kind of what we're trying

104
00:05:23,880 --> 00:05:26,240
to do here. 
So we have partnered up and 

105
00:05:26,240 --> 00:05:27,960
buddied up with our friends at 
RSM. 

106
00:05:27,960 --> 00:05:29,800
We have a lot of really smart 
people that we work with. 

107
00:05:29,800 --> 00:05:31,240
So we're going to talk with some
people from RSM. 

108
00:05:31,240 --> 00:05:33,440
We're going to talk with maybe 
some clients that you and I work

109
00:05:33,440 --> 00:05:36,040
with throughout the year and 
probably others and experts in 

110
00:05:36,040 --> 00:05:38,000
specific domains kind of help 
tie us all together. 

111
00:05:38,000 --> 00:05:41,080
So hopefully by the end of 2025,
we'll kind of have this 

112
00:05:41,080 --> 00:05:43,880
curriculum where people can kind
of go back and look and say OK, 

113
00:05:43,880 --> 00:05:46,160
identities at centre. 
What does that mean and how does

114
00:05:46,160 --> 00:05:47,520
that relate to some of these 
other topics? 

115
00:05:47,520 --> 00:05:51,320
So let's kick it off with the 
man, the myth, the legend. 

116
00:05:51,560 --> 00:05:55,040
He leads our security and 
privacy and consulting practice 

117
00:05:55,040 --> 00:05:57,920
here for RSM. 
I want to welcome Tasif Ghazi. 

118
00:05:57,920 --> 00:06:00,120
Everyone just calls him Ghazi. 
So welcome to the show, Ghazi. 

119
00:06:00,280 --> 00:06:03,440
Thank you guys. 
It's such an honor to be here on

120
00:06:03,440 --> 00:06:06,120
the podcast. 
You know, I'd say that it's, 

121
00:06:06,960 --> 00:06:09,960
it's not my first time. 
I, you know, I've been behind 

122
00:06:09,960 --> 00:06:12,440
the scenes probably at least 
three or four times. 

123
00:06:12,840 --> 00:06:16,560
So I was really privileged and 
honoured this time around to, to

124
00:06:16,560 --> 00:06:18,800
get to come and actually speak 
to both of you. 

125
00:06:18,920 --> 00:06:22,920
So thank you for inviting me. 
So the first time technically, I

126
00:06:22,920 --> 00:06:26,000
think that you saw us do our 
thing was at a Gartner 

127
00:06:26,160 --> 00:06:29,040
conference a couple years ago 
and we were doing some things 

128
00:06:29,040 --> 00:06:31,360
and I, I, I think it was 
probably in Vegas when we were 

129
00:06:31,360 --> 00:06:33,440
doing that. 
And so, all right, who the heck 

130
00:06:33,440 --> 00:06:34,800
are these guys? 
What are these podcasts all 

131
00:06:34,800 --> 00:06:35,960
about? 
What's going on? 

132
00:06:36,840 --> 00:06:38,920
And then I think you hopefully 
started to see it was like, oh, 

133
00:06:38,960 --> 00:06:42,200
you know, we're talking to, you 
know, really intelligent, smart 

134
00:06:42,200 --> 00:06:45,160
people in the business. 
We're having conversations, not 

135
00:06:45,160 --> 00:06:48,640
presentations and really kind of
getting to the the crux of 

136
00:06:48,640 --> 00:06:50,640
things. 
So hopefully that made a good 

137
00:06:50,640 --> 00:06:51,800
impression. 
It must have because we're still

138
00:06:51,800 --> 00:06:53,840
doing it two years later. 
And you've been very supportive 

139
00:06:53,840 --> 00:06:56,240
of what we do. 
No, it was, it was definitely a 

140
00:06:56,240 --> 00:06:59,840
really, really good impression. 
And, you know, I was really 

141
00:06:59,920 --> 00:07:01,480
floored. 
I mean, I had listened to the 

142
00:07:01,480 --> 00:07:07,920
podcast before, but you know, 
just the guests that were on

143
00:07:07,920 --> 00:07:11,160
and their perspectives, you 
know, there was so much learning

144
00:07:11,480 --> 00:07:14,360
just, you know, I, I just find 
that really, really intriguing 

145
00:07:14,920 --> 00:07:17,280
because you know, cybersecurity,
we're going to get into this 

146
00:07:17,280 --> 00:07:20,600
today. 
It's not a topic that can be

147
00:07:20,600 --> 00:07:23,840
solved by one, two, three people in an
organization. 

148
00:07:23,880 --> 00:07:26,080
It's an organization wide 
activity, right? 

149
00:07:26,360 --> 00:07:28,520
And there's a lot of lessons 
that we got to learn from other 

150
00:07:28,520 --> 00:07:33,840
organizations, other colleagues,
you know, third parties that are

151
00:07:33,840 --> 00:07:37,040
helping support one another. 
You know, there's such a huge 

152
00:07:37,040 --> 00:07:39,920
vendor ecosystem now around 
cyber. 

153
00:07:39,920 --> 00:07:42,920
So bringing all that together, 
you know, and getting that 

154
00:07:42,920 --> 00:07:45,160
perspective, I think it's you 
guys have done a really good job

155
00:07:45,160 --> 00:07:47,400
at this podcast. 
And, and I was really impressed 

156
00:07:47,400 --> 00:07:49,280
with the the guests that come 
on. 

157
00:07:49,920 --> 00:07:51,600
This is going to be the downfall
probably. 

158
00:07:53,080 --> 00:07:54,880
Well, flattery will get you 
everywhere on this podcast. 

159
00:07:54,880 --> 00:07:57,680
I'm very fond of saying that. 
And now you're in the hot seat. 

160
00:07:57,680 --> 00:07:59,120
So we've got you here for the 
first time. 

161
00:07:59,160 --> 00:08:01,520
Tradition, when you come on our 
show that we talk about origin 

162
00:08:01,520 --> 00:08:04,040
stories. 
So give us the Ghazi origin 

163
00:08:04,040 --> 00:08:05,840
story. 
How did you get into 

164
00:08:06,000 --> 00:08:09,640
cybersecurity at large? 
You know, it was really by 

165
00:08:09,640 --> 00:08:13,280
accident. 
You know, I was a young boy. 

166
00:08:13,280 --> 00:08:20,800
I, you know, really didn't know 
much about technology, but you 

167
00:08:20,800 --> 00:08:23,240
know, my father was very good 
about making sure that 

168
00:08:23,240 --> 00:08:27,280
technology was around me always.
I used to have a ZX Sinclair

169
00:08:27,280 --> 00:08:30,800
Spectrum plus computer that, you
know, most people probably don't

170
00:08:30,800 --> 00:08:33,360
know what that is, but you know,
it was a pain in the neck to 

171
00:08:33,360 --> 00:08:36,600
boot up and, and work on and, 
you know, I was resilient on on 

172
00:08:36,600 --> 00:08:40,080
making sure that it worked. 
So it kind of, you know, having 

173
00:08:40,080 --> 00:08:43,440
access to it. 
One was, was really good, but in

174
00:08:43,440 --> 00:08:50,840
my, you know, teens, you know, 
17, 18, one of my first jobs was

175
00:08:50,840 --> 00:08:54,400
actually at an Internet service
provider and it was really doing

176
00:08:54,400 --> 00:08:57,280
customer service work. 
However, the customer service 

177
00:08:57,280 --> 00:09:00,440
call center was right next to 
the server room and I was 

178
00:09:00,440 --> 00:09:03,040
fascinated by what was going on 
in that room, right? 

179
00:09:03,040 --> 00:09:07,400
So I made friends with the the 
server engineer and I used to 

180
00:09:07,400 --> 00:09:10,640
work the night shift. 
So, you know, after customer 

181
00:09:10,640 --> 00:09:14,800
service calls died down, after 
all the kids were offline, mIRC

182
00:09:15,000 --> 00:09:18,560
and all of that, right? 
Him and I would, would sit there

183
00:09:18,560 --> 00:09:20,400
and, you know, we would talk 
about routing, we would talk 

184
00:09:20,400 --> 00:09:23,280
about Sun Microsystems, all
kinds of other things that were,

185
00:09:23,280 --> 00:09:27,200
that were going on. 
So I got fascinated by that and 

186
00:09:27,200 --> 00:09:28,720
that's how I kind of stepped 
into it. 

187
00:09:29,960 --> 00:09:33,120
Learned a lot of infrastructure,
learned a lot of Windows, a lot 

188
00:09:33,120 --> 00:09:37,480
of Microsoft tech and really 
started on the infrastructure 

189
00:09:37,480 --> 00:09:41,400
side. 
And that was really fortunate to

190
00:09:41,400 --> 00:09:44,760
to, you know, step into the 
security and privacy and the 

191
00:09:44,760 --> 00:09:47,280
realm. 
It came through a public 

192
00:09:47,280 --> 00:09:52,280
accounting angle with a big 4. 
But that gave me an opportunity 

193
00:09:52,280 --> 00:09:54,360
to actually go and build a cyber
practice. 

194
00:09:54,360 --> 00:09:59,120
And, you know, that gave me, 
while I understood the tech, you

195
00:09:59,120 --> 00:10:03,400
know, it gave me new aspects of 
what application security means,

196
00:10:03,400 --> 00:10:06,680
right, what penetration testing 
means and how do you bring that 

197
00:10:06,680 --> 00:10:10,680
back together. 
And then that extended beyond 

198
00:10:10,680 --> 00:10:14,880
even enterprise systems into 
operational technology systems 

199
00:10:14,880 --> 00:10:18,880
do a lot of IT and OT 
convergence work in my career. 

200
00:10:19,920 --> 00:10:22,160
And little by little that's just
kind of grown. 

201
00:10:22,160 --> 00:10:27,680
And I've always been fascinated 
by cyber security and just tech 

202
00:10:27,680 --> 00:10:30,200
in general. 
So it's constantly kind of fed 

203
00:10:30,200 --> 00:10:32,840
itself. 
I have a finance degree. 

204
00:10:32,840 --> 00:10:36,120
So, you know, I, I don't really 
have any. 

205
00:10:36,160 --> 00:10:38,880
I've never had, I've never felt 
the need to actually go and 

206
00:10:38,880 --> 00:10:42,160
study it in, in the university 
and such. 

207
00:10:42,160 --> 00:10:44,400
So, so that's kind of my origin 
story. 

208
00:10:44,760 --> 00:10:46,760
I've been with RSM about 10 
years now. 

209
00:10:47,560 --> 00:10:51,040
I lead our security and privacy 
practice for North America. 

210
00:10:52,240 --> 00:10:55,200
But my day job is, you know, 
obviously I, I'm the practice 

211
00:10:55,200 --> 00:10:57,040
team, but I'm a client service 
professional. 

212
00:10:57,840 --> 00:11:01,240
I'm really helping organizations
build their cyber programs to 

213
00:11:01,240 --> 00:11:05,240
help them mitigate against the 
wide array of risks that that 

214
00:11:05,240 --> 00:11:09,240
our clients face today. 
And that cuts around identity, 

215
00:11:09,240 --> 00:11:13,560
that cuts around perimeter 
endpoints, you know, user 

216
00:11:13,560 --> 00:11:15,960
awareness. 
I mean, you, you pick a cyber 

217
00:11:15,960 --> 00:11:19,680
concept and it's there and then,
you know, there's, there's 

218
00:11:19,680 --> 00:11:22,840
industry specialities that you 
have to have within that realm 

219
00:11:22,840 --> 00:11:24,240
that you have to bring up as 
well. 

220
00:11:24,240 --> 00:11:28,400
So it's been a very, very good 
journey over the last 25 years 

221
00:11:28,400 --> 00:11:31,120
in this space and, and just 
learning from our clients and 

222
00:11:31,120 --> 00:11:34,680
giving back, you know, those 
learnings to others that don't 

223
00:11:34,680 --> 00:11:35,360
know it. 
So. 

224
00:11:35,680 --> 00:11:38,880
Ghazi, I love that that curiosity
angle injector. 

225
00:11:38,880 --> 00:11:41,360
You saw the server room, you got
excited. 

226
00:11:41,440 --> 00:11:43,800
You know what's going on in 
there. 

227
00:11:43,800 --> 00:11:45,680
Let's stay curious, man. 
You got to stay. 

228
00:11:45,680 --> 00:11:48,840
Curious, you know, and I talked 
to folks who listen to podcasts.

229
00:11:48,840 --> 00:11:52,280
I don't think there's anybody's 
job description that says listen

230
00:11:52,280 --> 00:11:54,520
to this podcast. 
If you listen to the podcast, 

231
00:11:54,520 --> 00:11:56,760
they're trying to to expand 
themselves. 

232
00:11:56,760 --> 00:12:01,120
But I would say that's a key for
anybody is to you've got to be 

233
00:12:01,120 --> 00:12:03,160
curious. 
You've got to put in the extra 

234
00:12:03,160 --> 00:12:06,120
hours to learn. 
If it's not what you want to 

235
00:12:06,120 --> 00:12:08,800
learn, figure out what it is in 
this world that you want to 

236
00:12:08,800 --> 00:12:11,280
learn and what you're passionate
about, do that. 

237
00:12:11,640 --> 00:12:14,440
But if you want to be in this 
space, I mean, there's endless 

238
00:12:14,440 --> 00:12:16,160
amounts that you can learn. 
Absolutely. 

239
00:12:16,160 --> 00:12:19,680
I mean, I tell people that I'm 
coaching all the time that, you 

240
00:12:19,680 --> 00:12:23,320
know, those learnings don't stay
with an organization, right? 

241
00:12:23,560 --> 00:12:26,040
That's investment in your own 
self, right? 

242
00:12:26,040 --> 00:12:27,960
And you're going to carry that 
wherever you go. 

243
00:12:28,360 --> 00:12:30,960
So a lot of times people say, 
well, like, you know, I don't 

244
00:12:30,960 --> 00:12:33,320
want to work 40 hours or I don't
want to work 50 hours. 

245
00:12:33,320 --> 00:12:35,320
I'm like, you know, I'm going to
do my job and I'm going to go 

246
00:12:35,320 --> 00:12:38,640
home. 
That's a disservice to yourself,

247
00:12:38,840 --> 00:12:40,440
right? 
And I'm not saying that you 

248
00:12:40,440 --> 00:12:43,640
should do your your job in a, in
a way that you're overextending.

249
00:12:43,640 --> 00:12:45,520
I mean, your personal time is 
very important. 

250
00:12:45,520 --> 00:12:48,120
We'll talk about what I do for 
my personal time maybe today as 

251
00:12:48,120 --> 00:12:51,240
well. 
But I do think that there's 

252
00:12:51,240 --> 00:12:52,880
investment that's required, 
right? 

253
00:12:53,840 --> 00:12:55,920
And bring it back to yourself 
always. 

254
00:12:56,040 --> 00:12:58,520
So stay curious and invest in 
yourself. 

255
00:12:58,760 --> 00:13:00,760
Stay curious and then you'll hit
the pinnacle of your career 

256
00:13:00,760 --> 00:13:02,120
being on the Identity Center 
podcast. 

257
00:13:02,120 --> 00:13:04,760
So there you go. 
Made it. 

258
00:13:05,920 --> 00:13:08,960
So let's talk a little bit about
some of these planned episodes 

259
00:13:08,960 --> 00:13:10,200
we've got coming up over the 
year. 

260
00:13:10,520 --> 00:13:12,320
We're kind of starting this 
overview with the digital 

261
00:13:12,320 --> 00:13:15,280
identity level and sort of the 
the overarching kind of vision 

262
00:13:15,280 --> 00:13:16,800
of that. 
But we're also going to talk 

263
00:13:16,800 --> 00:13:19,680
about things like strategy and 
risk, compliance and governance,

264
00:13:19,680 --> 00:13:23,480
architecture and engineering, 
application security, attack and

265
00:13:23,480 --> 00:13:26,600
surface management, secure 
cloud, detect and respond, 

266
00:13:26,600 --> 00:13:28,920
resilience and recovery. 
Resilience is a big one that 

267
00:13:28,920 --> 00:13:30,400
we're hearing here at the 
Gartner conference. 

268
00:13:30,760 --> 00:13:32,080
And then of course, emerging 
technologies. 

269
00:13:32,080 --> 00:13:33,640
There's always something new on 
the horizon. 

270
00:13:34,080 --> 00:13:36,160
I know I just kind of threw an 
awful lot out there. 

271
00:13:36,600 --> 00:13:38,360
Are there any things that kind 
of jump out of your mind? 

272
00:13:38,360 --> 00:13:40,200
It's like, OK, these are things 
that are really kind of top of 

273
00:13:40,200 --> 00:13:42,760
mind for you right now. 
I mean, they all are top of 

274
00:13:42,760 --> 00:13:46,960
mind, you know, now, some more 
so than others, right? 

275
00:13:48,280 --> 00:13:51,960
But I think the important part 
is that the, the reason that, 

276
00:13:51,960 --> 00:13:54,400
you know, when we were kind of 
orchestrating this with UVI is 

277
00:13:54,400 --> 00:13:59,200
about the, the, the episodes is 
because you need every single 

278
00:13:59,200 --> 00:14:02,280
one of these things to kind of 
work together, right? 

279
00:14:02,520 --> 00:14:05,680
And identity ultimately is that 
the, the core of everything 

280
00:14:05,680 --> 00:14:08,080
because you can't do strategy 
and risk if you don't, you know,

281
00:14:08,080 --> 00:14:10,440
manage identity workflows 
properly. 

282
00:14:11,120 --> 00:14:13,720
You can't do governance and 
compliance if you don't manage 

283
00:14:13,720 --> 00:14:16,040
identity workflows properly. 
You can't do application 

284
00:14:16,040 --> 00:14:19,560
security if you don't manage 
identity workflows properly, 

285
00:14:19,600 --> 00:14:22,520
right? 
So whether it's cloud, whether 

286
00:14:22,520 --> 00:14:24,720
it's attack surface management, 
you know, whether it's threat 

287
00:14:24,720 --> 00:14:29,640
management, emerging tech, we 
talked about AI now or you know,

288
00:14:30,160 --> 00:14:32,480
people were talking about 
blockchain forever, right? 

289
00:14:34,280 --> 00:14:38,520
Tomorrow it's going to be about 
agents in in, in the space of 

290
00:14:38,520 --> 00:14:41,560
AI, right, And how they're, 
there's needs to be rigor around

291
00:14:41,560 --> 00:14:43,960
that. 
That's going to be another ID 

292
00:14:43,960 --> 00:14:45,840
that we're going to talk about 
at some point, right? 

293
00:14:46,640 --> 00:14:52,000
All of that cohesively, right? 
Has to be on top of mind for 

294
00:14:52,000 --> 00:14:55,200
every CISO, like they're
contending with all of these. 

295
00:14:55,200 --> 00:14:58,200
A lot of times, you know, you 
talk to CISO and you're

296
00:14:58,200 --> 00:15:00,760
talking to them about identity. 
But you know, if you think 

297
00:15:00,760 --> 00:15:02,680
about, you know what CISO
thinks about when they're 

298
00:15:02,680 --> 00:15:04,440
sleeping at night. 
They sleep. 

299
00:15:05,760 --> 00:15:07,840
One, they don't sleep, but when 
that is what, what are they 

300
00:15:07,840 --> 00:15:09,240
thinking about? 
I mean, they're thinking about 

301
00:15:09,240 --> 00:15:11,120
compliance and governance and 
they're talking about 

302
00:15:11,120 --> 00:15:12,720
architectural engineering, 
right? 

303
00:15:12,920 --> 00:15:15,120
They're talking about resiliency
and they're thinking about 

304
00:15:15,120 --> 00:15:16,640
resiliency of their 
organization. 

305
00:15:16,640 --> 00:15:18,680
That's why they do sleep 
because, you know, are they 

306
00:15:18,680 --> 00:15:22,400
resilient or not? 
So you kind of bring all that 

307
00:15:22,400 --> 00:15:26,800
together and it's very hard to 
dissect this in one go. 

308
00:15:26,920 --> 00:15:31,040
And I think giving it some time 
and understanding that there's 

309
00:15:31,040 --> 00:15:34,240
all these different pieces, but 
they all have to come together. 

310
00:15:34,280 --> 00:15:37,360
They have to work together. 
That's how I think about my 

311
00:15:37,680 --> 00:15:44,040
cyber team here at RSM as well, 
that we have specialists in each

312
00:15:44,040 --> 00:15:47,120
one of those areas, right? 
I'm not an identity specialist 

313
00:15:47,120 --> 00:15:50,040
by any means, right? 
I'm an operational technology

314
00:15:50,040 --> 00:15:52,360
specialist. 
That's what my bread and butter 

315
00:15:52,360 --> 00:15:56,440
was. 
But you need engineers, right? 

316
00:15:56,560 --> 00:15:59,800
You need identity professionals,
you need penetration testers, 

317
00:15:59,800 --> 00:16:03,520
you need, you know, operations 
managers, right? 

318
00:16:03,600 --> 00:16:06,920
You need governance and 
compliance specialists and 

319
00:16:06,920 --> 00:16:11,320
strategy specialists. 
So all of that, you know, has to

320
00:16:11,320 --> 00:16:15,520
come together. 
And I, I think that that's the, 

321
00:16:15,720 --> 00:16:18,920
the big hill that everybody has 
to climb right now is that, and 

322
00:16:18,920 --> 00:16:21,200
it's not one thing. 
It's which people talk about 

323
00:16:21,200 --> 00:16:23,400
vacuum, all right, or what what 
that is. 

324
00:16:23,400 --> 00:16:27,400
It's it's always because it's so
many of these things, but I 

325
00:16:27,400 --> 00:16:31,240
think that if you're organized 
about it, you can take credit 

326
00:16:31,240 --> 00:16:33,760
for multiple things, right? 
If you engineer things 

327
00:16:33,760 --> 00:16:38,040
correctly, right, if you 
structure your applications 

328
00:16:38,040 --> 00:16:42,200
correctly, then you know you've 
got benefits on on other sides 

329
00:16:42,280 --> 00:16:45,160
that you can take. 
Governance compliance is a great

330
00:16:45,160 --> 00:16:48,480
example of that. 
If you know you've got to comply

331
00:16:48,480 --> 00:16:51,120
with this on one side, you can 
comply with the plethora of 

332
00:16:51,120 --> 00:16:56,320
other requirements, you know, 
that might be required for our 

333
00:16:56,320 --> 00:16:59,600
organization. 
PCI compliance or CMMC 

334
00:16:59,600 --> 00:17:01,320
compliance or whatever that is, 
right? 

335
00:17:02,080 --> 00:17:06,040
Healthcare compliance, you do it
one time, you should be able to 

336
00:17:06,040 --> 00:17:08,640
take credit for that because 
access control is everywhere, 

337
00:17:08,760 --> 00:17:10,359
right? 
Change control is everywhere. 

338
00:17:10,599 --> 00:17:13,200
And I know that we'll talk about
that in more detail, but, you 

339
00:17:13,200 --> 00:17:17,160
know, I think about these these 
episodes and the structure of 

340
00:17:17,160 --> 00:17:20,319
some of these topics that you 
just talked about, Jeff, as 

341
00:17:20,599 --> 00:17:24,359
something that is really 
interrelated, but at the same 

342
00:17:24,359 --> 00:17:30,560
time needs enough time and 
attention to be kind of 

343
00:17:30,560 --> 00:17:33,000
dissected by themselves, right? 
So they have to stand on their 

344
00:17:33,000 --> 00:17:34,800
own, but then they have to come 
together as well. 

345
00:17:35,360 --> 00:17:38,240
So we're hot right now. 
When I say we're, I mean digital

346
00:17:38,240 --> 00:17:40,520
identity and sort of this 
business that we're in this, 

347
00:17:40,520 --> 00:17:42,640
this vertical or industry, 
whatever we're going to call it.

348
00:17:43,320 --> 00:17:46,400
Why do you think that is and 
why, why is it getting heat now?

349
00:17:46,400 --> 00:17:49,640
You mentioned some things like 
compliance and security and 

350
00:17:49,640 --> 00:17:51,920
risk, but identity has been 
around for a long time. 

351
00:17:52,160 --> 00:17:54,440
But now we're starting to see, 
you know, it's getting a lot 

352
00:17:54,440 --> 00:17:57,080
more top of mind, it's being 
paid more attention. 

353
00:17:57,080 --> 00:17:58,320
We're seeing more investments in
it. 

354
00:17:58,960 --> 00:18:01,320
Why do you think it is now? 
Is there something that's maybe 

355
00:18:01,320 --> 00:18:04,320
changed within the last couple 
years or is it just this is the 

356
00:18:04,320 --> 00:18:07,600
normal evolution of kind of how 
you've seen maybe waves come 

357
00:18:07,600 --> 00:18:11,600
through cybersecurity at large? 
Well, I think that the change 

358
00:18:11,600 --> 00:18:14,600
happened 10 years ago, maybe 
maybe even more. 

359
00:18:15,720 --> 00:18:21,200
What's done over the last two or
three years is the, I think 

360
00:18:21,200 --> 00:18:23,600
acceleration, right? 
And I'll talk about that in a 

361
00:18:23,600 --> 00:18:26,040
minute. 
But I think before that, why is 

362
00:18:26,040 --> 00:18:28,360
identity hot? 
I think that's, that's a really 

363
00:18:28,360 --> 00:18:30,200
critical question. 
And I think we've started this 

364
00:18:30,200 --> 00:18:34,480
conversation about why are we 
talking about identity and 

365
00:18:34,480 --> 00:18:38,680
cybersecurity together, right? 
They've always been together. 

366
00:18:38,960 --> 00:18:41,400
There's never been cybersecurity
without identity. 

367
00:18:43,640 --> 00:18:46,160
There have been times where 
identity has been carved out 

368
00:18:46,640 --> 00:18:49,160
from cybersecurity because it's 
it's a massive endeavor. 

369
00:18:49,160 --> 00:18:52,240
And and you know, there's a 
business enablement component to

370
00:18:52,240 --> 00:18:53,600
it that you've got to work 
through. 

371
00:18:54,040 --> 00:18:58,400
But why is it hot? 
Think about what, you know, what

372
00:18:58,400 --> 00:19:02,960
hackers do today, right? 
It's credential theft, right? 

373
00:19:03,520 --> 00:19:07,000
And it's bypassing 
authentication, right? 

374
00:19:07,200 --> 00:19:10,800
It's impersonation, it's session
hijacking. 

375
00:19:10,800 --> 00:19:12,560
It's man in the middle attacks, 
right? 

376
00:19:13,200 --> 00:19:17,600
Exploitation of token systems. 
Everything that I just said is 

377
00:19:17,600 --> 00:19:19,560
related to identity one way or 
the other. 

378
00:19:19,920 --> 00:19:25,440
OK, so I don't know if you've 
ever played this game, Call of 

379
00:19:25,440 --> 00:19:27,600
Duty. 
If you play Call of Duty, 

380
00:19:27,600 --> 00:19:31,600
there's a there's a mode of play
mode called Warzone, right? 

381
00:19:32,200 --> 00:19:34,720
And in Warzone, you kind of see
this perimeter, right? 

382
00:19:35,120 --> 00:19:37,800
And then over a period of time, 
that perimeter shrinks and 

383
00:19:37,800 --> 00:19:39,280
shrinks and shrinks and shrinks,
right? 

384
00:19:40,120 --> 00:19:43,000
And it gets to a very, very 
confined spot till the time the 

385
00:19:43,080 --> 00:19:46,040
last man is standing. 
That's how I think about 

386
00:19:46,040 --> 00:19:48,760
identity is because that 
perimeter has been shifting, 

387
00:19:48,840 --> 00:19:50,120
right? 
We used to have perimeters. 

388
00:19:50,120 --> 00:19:52,360
We had defined perimeters, we 
knew what they were. 

389
00:19:53,640 --> 00:19:55,400
And then we went to cloud, 
right? 

390
00:19:55,840 --> 00:19:58,640
And as we went into SaaS 
applications and cloud 

391
00:19:58,640 --> 00:20:01,280
environments, we lost the 
control of the perimeter, right?

392
00:20:01,280 --> 00:20:04,440
So it started coming in. 
So then you have to go to the 

393
00:20:04,440 --> 00:20:05,760
next thing. 
What's the next thing? 

394
00:20:05,800 --> 00:20:06,920
Well, how are you going to 
protect it? 

395
00:20:06,920 --> 00:20:09,920
Well, identity becomes naturally
the place. 

396
00:20:10,360 --> 00:20:13,440
Well, then we added remote 
workforce right through COVID. 

397
00:20:13,960 --> 00:20:16,480
Well, that accelerated. 
We also added bring your own 

398
00:20:16,480 --> 00:20:18,600
device, right? 
So that's accelerated. 

399
00:20:19,000 --> 00:20:21,560
So you have to kind of start 
seeing all of these things that 

400
00:20:21,560 --> 00:20:23,560
happened in the last and all 
these things happened in the 

401
00:20:23,560 --> 00:20:27,000
last 10 years. 
And that's accelerated the 

402
00:20:27,000 --> 00:20:30,040
conversation and really put 
identity at the forefront 

403
00:20:30,040 --> 00:20:32,840
because honestly, what else
are you going to do? 

404
00:20:33,520 --> 00:20:35,440
How else are you going to 
protect your environment, right,

405
00:20:35,440 --> 00:20:39,680
if you can't protect it by 
making sure that identity is at 

406
00:20:39,680 --> 00:20:43,920
the centre of it. 
So I think that's what's changed

407
00:20:43,920 --> 00:20:46,520
in my mind. 
I don't think identity has 

408
00:20:46,520 --> 00:20:50,080
become more important. 
I think it's just become more 

409
00:20:50,080 --> 00:20:54,040
visible to people clearly on 
what that is. 

410
00:20:54,440 --> 00:20:57,040
And then the technology stack 
has changed, like what you could

411
00:20:57,040 --> 00:20:58,960
do with identity 10 years ago, 
right? 

412
00:21:00,400 --> 00:21:02,640
You, you can do so much more 
today, right? 

413
00:21:03,040 --> 00:21:05,840
Whether it's role based access 
control or, you know, secrets 

414
00:21:05,840 --> 00:21:09,880
management and things like that.
There's so much more there to 

415
00:21:09,880 --> 00:21:16,680
dive into to, to get a better, 
you know, security profile of 

416
00:21:16,880 --> 00:21:19,040
your organization and get better
protections. 

417
00:21:19,760 --> 00:21:22,920
Yeah, you touched on this a 
little bit, but so when Jeff and

418
00:21:22,920 --> 00:21:26,040
I came up with the name of this 
podcast, it was 2019. 

419
00:21:26,280 --> 00:21:30,400
So the idea of identity security
hadn't even been thought of at 

420
00:21:30,400 --> 00:21:33,560
that point. 
But in terms of, you know, what 

421
00:21:33,560 --> 00:21:36,920
we were thinking with identity 
at the center is, identity should

422
00:21:36,920 --> 00:21:39,920
be at the center. 
I think right now or back in 

423
00:21:39,920 --> 00:21:44,560
2019, it was silo, silo, silos. 
Now what you're hearing more and

424
00:21:44,560 --> 00:21:48,080
more folks come on our podcast 
and they're like, because 

425
00:21:48,080 --> 00:21:50,120
identity is at the center and 
they're like, oh, that's kind of

426
00:21:50,120 --> 00:21:51,280
funny. 
I'm on the identity at the 

427
00:21:51,280 --> 00:21:55,960
center podcast. 
But I also think our industry 

428
00:21:55,960 --> 00:21:58,920
can be a bit of an echo chamber.
Like it's identity at the 

429
00:21:58,920 --> 00:22:02,160
center. 
We're in identity, go identity, 

430
00:22:02,800 --> 00:22:07,720
everything's identity. 
And you know, I hear terms like 

431
00:22:07,960 --> 00:22:10,520
identity is the new perimeter. 
People are saying that a little 

432
00:22:10,520 --> 00:22:14,720
bit less, but I wonder when I 
when you hear that that term 

433
00:22:14,720 --> 00:22:16,840
identity is new perimeter, and 
maybe you just touched on it 

434
00:22:16,840 --> 00:22:21,080
there with like that analogy of 
the shrinking perimeter. 

435
00:22:21,920 --> 00:22:23,960
What is that? 
Is that what you're kind of 

436
00:22:23,960 --> 00:22:26,080
getting at with the identity as
the new perimeter? 

437
00:22:26,080 --> 00:22:29,440
In other words, you can't trust,
I think that the old perimeter, 

438
00:22:29,440 --> 00:22:33,080
the idea was, you know, you have
this crunchy shell and the soft 

439
00:22:33,080 --> 00:22:34,800
inside. 
That was what produced the sale 

440
00:22:34,800 --> 00:22:38,000
time, right? 
And that doesn't work anymore. 

441
00:22:38,000 --> 00:22:41,320
Like the crunchy shell is just 
almost might as well not even 

442
00:22:41,320 --> 00:22:44,920
have, even though I'm more in 
favor of layers of defense. 

443
00:22:44,920 --> 00:22:47,640
In other words, like, you know, 
get past the crunchy shell. 

444
00:22:47,640 --> 00:22:50,800
Now I get past this, now I get 
past this and then, you know, 

445
00:22:50,800 --> 00:22:53,280
we're going to instantiate the 
identity check. 

446
00:22:53,720 --> 00:22:56,520
But I also kind of feel like I 
have this. 

447
00:22:56,560 --> 00:22:59,920
This is like a spider web that
reaches out into so many areas 

448
00:22:59,920 --> 00:23:05,720
where identity is now part of 
your logging mechanism 

449
00:23:05,720 --> 00:23:10,160
where you can start to use 
behavioral analytics where 

450
00:23:10,440 --> 00:23:14,200
you're watching who's coming in 
and you're tying it all back

451
00:23:14,200 --> 00:23:17,200
to an identity. 
Or it looks like somebody's been

452
00:23:17,200 --> 00:23:19,640
compromised. 
Maybe somebody's laptop has been

453
00:23:19,640 --> 00:23:23,400
compromised and that shows up in
X number of vectors, but a lot 

454
00:23:23,400 --> 00:23:27,240
of them are identity based. 
So when you hear identity as a 

455
00:23:27,240 --> 00:23:30,800
new perimeter, what of that
resonates or kind of what comes 

456
00:23:30,800 --> 00:23:31,800
top of mind to you? 
Yeah. 

457
00:23:32,120 --> 00:23:33,840
I mean, it's, it's all of that, 
right? 

458
00:23:34,400 --> 00:23:39,200
For me, you know, it's, it's 
really challenging to figure out

459
00:23:39,200 --> 00:23:41,320
where to put the controls, 
right? 

460
00:23:41,320 --> 00:23:44,840
As a cyber professional, that's 
the fundamental job, right? 

461
00:23:45,040 --> 00:23:47,080
Is that where are you going to 
put the controls? 

462
00:23:47,720 --> 00:23:52,000
So the analogy that I was 
sharing from this game, right, 

463
00:23:52,000 --> 00:23:54,560
where the perimeter is 
shrinking, that's what's 

464
00:23:54,560 --> 00:23:56,480
happening. 
Over the last 15 years, we've 

465
00:23:56,480 --> 00:23:58,640
seen that perimeter shrink, 
right? 

466
00:23:59,000 --> 00:24:03,760
You, you, you had edge computing
and edge protections, they're 

467
00:24:04,000 --> 00:24:07,640
kind of dissipated, right? 
Then you go inside and you say, 

468
00:24:07,640 --> 00:24:10,160
OK, well, maybe it's on the 
application level, right? 

469
00:24:10,240 --> 00:24:13,880
I need to put that, well, that 
didn't work out really well, 

470
00:24:14,000 --> 00:24:16,560
right? 
So much compromise happened in 

471
00:24:16,560 --> 00:24:21,000
the application security space. 
Then you can go on the endpoint 

472
00:24:21,000 --> 00:24:23,520
level, right? 
But endpoint still has the 

473
00:24:23,520 --> 00:24:25,560
challenges of what you said, 
right? 

474
00:24:25,560 --> 00:24:28,080
What access should you have, 
right? 

475
00:24:28,240 --> 00:24:31,640
And what is you, you as a 
person, what should you be 

476
00:24:31,640 --> 00:24:35,320
granted access to? 
So you start looking at all of 

477
00:24:35,320 --> 00:24:37,480
those challenges. 
I mean, we've had PKI 

478
00:24:37,480 --> 00:24:40,800
infrastructure used and, you 
know, public private key 

479
00:24:40,800 --> 00:24:42,760
infrastructure used forever, 
right? 

480
00:24:42,840 --> 00:24:46,200
It wasn't easy to use. 
So it's shrinking, shrinking, 

481
00:24:46,200 --> 00:24:49,440
shrinking, becoming more and 
more difficult to manage and 

482
00:24:49,440 --> 00:24:50,840
ultimately where you settle 
down. 

483
00:24:50,840 --> 00:24:52,520
Is that OK? 
Well, I think it's the 

484
00:24:52,520 --> 00:24:55,080
individual. 
What is the access that you need

485
00:24:55,360 --> 00:24:58,080
to do your job right? 
What are the resources that you 

486
00:24:58,080 --> 00:25:00,760
need access to? 
What are the two or three things

487
00:25:00,760 --> 00:25:03,960
that you need to have to 
validate or verify that identity

488
00:25:03,960 --> 00:25:09,680
that it is you, right? 
And you know, is it going to be 

489
00:25:09,680 --> 00:25:11,560
multi factor authentication and 
all of that? 

490
00:25:11,560 --> 00:25:15,680
And you know, or it's going to 
be a, you know, YubiKey and you 

491
00:25:15,680 --> 00:25:18,520
know, you're going to have 
tokens and other things to 

492
00:25:18,520 --> 00:25:20,560
to support that. 
Or, you know, it's going to be a

493
00:25:21,440 --> 00:25:24,680
text message. 
Whatever the vector is that 

494
00:25:24,680 --> 00:25:27,480
you're going to use, it's still 
coming back to the person, 

495
00:25:27,920 --> 00:25:31,480
right? 
Or the non all the non human 

496
00:25:31,480 --> 00:25:33,640
stuff, right? 
It's my phone, it's my laptop, 

497
00:25:33,640 --> 00:25:37,840
it's my IoT device that's 
sitting out there, right? 

498
00:25:38,720 --> 00:25:43,560
But you have to take that in 
connection with the 

499
00:25:43,560 --> 00:25:47,400
proliferation of those devices. 
I can't tell you how many people

500
00:25:47,400 --> 00:25:49,960
I know that walk around with two
phones, right? 

501
00:25:51,600 --> 00:25:54,080
They've got a laptop, they've 
got an iPad. 

502
00:25:54,280 --> 00:25:57,560
So each person, if they're 
walking around with four 

503
00:25:57,560 --> 00:26:01,760
devices, right? 
I mean, that's, that's a lot, 

504
00:26:02,040 --> 00:26:06,040
right, to, to work through. 
So for every single human ID you

505
00:26:06,040 --> 00:26:10,160
have, you know, fourfold, I 
would say even probably more 

506
00:26:10,160 --> 00:26:13,120
once you get servers and 
desktops and all kinds of other 

507
00:26:13,400 --> 00:26:17,160
peripherals accounted for. 
It's, it's a massive endeavour 

508
00:26:17,200 --> 00:26:20,000
to, to work through. 
And there is no control point 

509
00:26:20,520 --> 00:26:26,480
other than the identity of that 
device of that person for you to

510
00:26:26,480 --> 00:26:30,640
put any, any sort of control on.
And that's where it's been very 

511
00:26:30,640 --> 00:26:34,280
difficult actually that's that's
been challenging for CISOs in

512
00:26:34,280 --> 00:26:36,920
general for our clients as 
where does that start? 

513
00:26:37,280 --> 00:26:39,560
Yeah, You're hitting on a very 
interesting point about the 

514
00:26:39,560 --> 00:26:44,320
control point and understanding 
access control and what it 

515
00:26:44,320 --> 00:26:47,440
means. 
Because, you know, you can say, 

516
00:26:47,440 --> 00:26:50,920
all right, we're going to rely 
on identity as the kind of the 

517
00:26:50,920 --> 00:26:56,000
final perimeter to whatever our 
data or application, but what 

518
00:26:56,000 --> 00:26:57,400
does that mean? 
Identity is? 

519
00:26:57,600 --> 00:26:59,360
How did that identity get 
created? 

520
00:27:00,880 --> 00:27:05,080
How's it authenticating? 
You know, how's it being 

521
00:27:05,080 --> 00:27:07,520
monitored? 
So there's all these controls in

522
00:27:07,840 --> 00:27:11,800
on top of like identity is just 
one word, but it means all these

523
00:27:11,800 --> 00:27:14,120
different things. 
One of the things that I'm, I'm 

524
00:27:14,120 --> 00:27:19,200
really interested in with this 
series that Jeff and I are 

525
00:27:19,200 --> 00:27:22,160
starting up around the 
intersection of identity 

526
00:27:22,160 --> 00:27:27,320
security and cyber security is 
the conversations that we're 

527
00:27:27,320 --> 00:27:31,000
going to get into. 
So for example, one is secure 

528
00:27:31,000 --> 00:27:33,000
cloud. 
I mean when I think about secure

529
00:27:33,000 --> 00:27:35,800
cloud, there's, you know, I 
think of two types of clouds 

530
00:27:35,800 --> 00:27:39,400
primarily. One is your SaaS 
applications and one is your 

531
00:27:39,400 --> 00:27:44,640
platforms or your 
infrastructures as, as a 

532
00:27:44,640 --> 00:27:50,360
service, really what, what can 
you manage as an organization 

533
00:27:50,440 --> 00:27:53,320
from a security perspective with
those applications? 

534
00:27:53,320 --> 00:27:56,400
Primarily when it comes to SaaS 
applications, all you can 

535
00:27:56,400 --> 00:27:59,360
control, there might be some 
configurations, but it's your 

536
00:27:59,360 --> 00:28:03,360
identities, you know who gets 
access to what and then what 

537
00:28:03,360 --> 00:28:04,720
authentication do they go 
through. 

538
00:28:04,720 --> 00:28:07,360
If you're setting up your IDP, 
if you're talking about 

539
00:28:07,360 --> 00:28:10,280
platforms, there's more, you 
know, infrastructure as a service, 

540
00:28:10,280 --> 00:28:13,080
there's more that you can 
manage, but identity is probably

541
00:28:13,080 --> 00:28:15,800
still the key one. 
When you talk about resilience 

542
00:28:15,800 --> 00:28:17,960
and recovery, that's another 
conversation. 

543
00:28:17,960 --> 00:28:21,120
One of the things that gets me 
jazzed up about that is, you 

544
00:28:21,120 --> 00:28:24,400
know, I kind of feel like I did 
a disaster recovery plan a long 

545
00:28:24,400 --> 00:28:28,600
time ago and you know, it's like
the Active Directory, on-prem 

546
00:28:28,600 --> 00:28:30,480
Active Directory was like, can 
we restore that? 

547
00:28:30,480 --> 00:28:33,680
Well, OK, well, you know, check,
move on to the next thing. 

548
00:28:34,040 --> 00:28:38,480
Now it's just such a complex web
that needs to be up and active 

549
00:28:38,480 --> 00:28:41,920
before you can access anything. 
So these conversations, I think 

550
00:28:41,920 --> 00:28:43,880
are going to get really 
interesting. 

551
00:28:44,080 --> 00:28:46,200
For sure. 
I mean, resilience one is, I'll

552
00:28:46,200 --> 00:28:49,760
just pick on that one. 
You know, it's not about the 

553
00:28:49,760 --> 00:28:52,840
business continuity plan anymore
or it's not about Emergency 

554
00:28:52,840 --> 00:28:56,000
Management. 
It's how quickly can you 

555
00:28:56,000 --> 00:28:59,840
recover, right? 
How quickly are you going to get

556
00:28:59,840 --> 00:29:04,080
back on your feet and what's the
loss right, associated with it? 

557
00:29:04,720 --> 00:29:08,200
So, you know, you start thinking
about resiliency very 

558
00:29:08,200 --> 00:29:10,280
differently. 
In order for you to accomplish 

559
00:29:10,280 --> 00:29:13,080
that, yes, you need a business 
continuity plan, right? 

560
00:29:13,640 --> 00:29:16,760
But you need to make sure that 
your vendor ecosystem is just as

561
00:29:16,800 --> 00:29:21,680
as tightly knit because when an 
issue happens, it's it's 

562
00:29:21,760 --> 00:29:24,200
especially if it's related 
identities and those identities 

563
00:29:24,200 --> 00:29:27,400
are cutting across multi cloud, 
Those identities are cutting 

564
00:29:27,400 --> 00:29:29,720
across multiple SaaS 
applications. 

565
00:29:30,080 --> 00:29:32,400
Well, you got to have all those 
people in the huddle with you, 

566
00:29:32,680 --> 00:29:38,200
right, to solve for it. 
Your security operation centres 

567
00:29:38,200 --> 00:29:43,240
need to be read into it. 
You've got to have better 

568
00:29:43,240 --> 00:29:46,120
monitoring and, and all of that.
I mean, you talked about even 

569
00:29:46,560 --> 00:29:48,560
identity based threat monitoring
earlier. 

570
00:29:49,400 --> 00:29:51,960
I think identity based threat 
modelling is going to be like 

571
00:29:51,960 --> 00:29:56,160
almost a necessity. 
You can't flip things back on 

572
00:29:56,160 --> 00:29:59,000
until that's working. 
If you do, it'll be down in five

573
00:29:59,000 --> 00:30:00,560
seconds. 
Exactly right. 

574
00:30:00,560 --> 00:30:04,720
So you have to rely on the 
heuristics and the behaviours of

575
00:30:04,720 --> 00:30:08,920
people. 
Ghazi connects from this device 

576
00:30:09,320 --> 00:30:14,160
from this geographic location 
95% of the time. 

577
00:30:15,080 --> 00:30:18,120
If he's outside of that, this 
probably should be a flag. 

578
00:30:18,120 --> 00:30:20,800
Somewhere I'm really excited for
that conversation because I 

579
00:30:20,800 --> 00:30:24,560
think another thing when it 
comes to disasters is the nature

580
00:30:24,560 --> 00:30:28,960
of disasters is different. 
You know, OK, you could still 

581
00:30:28,960 --> 00:30:34,040
have an earthquake and your 
primary data center that you 

582
00:30:34,040 --> 00:30:37,200
manage goes down and then you 
fail over to SunGard or 

583
00:30:37,200 --> 00:30:41,040
something. 
The new disaster is a hacker 

584
00:30:41,040 --> 00:30:43,120
comes in and encrypts all your 
data. 

585
00:30:43,480 --> 00:30:46,560
It's an intentional disaster. 
There's no failing over to 

586
00:30:46,560 --> 00:30:48,600
another data centre. 
Yeah. 

587
00:30:48,600 --> 00:30:53,000
And we, we consciously you know 
at RSM, we moved our business 

588
00:30:53,000 --> 00:30:57,400
continuity team and, you know,
our disaster recovery teams 

589
00:30:57,520 --> 00:31:00,480
alongside our cyber teams 
because a lot of those events 

590
00:31:00,480 --> 00:31:03,040
now are, are actual cyber 
related events, right. 

591
00:31:03,400 --> 00:31:08,680
So you have to be integrated in 
delivery of that service. 

592
00:31:09,080 --> 00:31:12,800
And it's not just for us to 
integrate and be able to

593
00:31:12,800 --> 00:31:15,400
deliver that service, but it's 
also for our clients. 

594
00:31:15,800 --> 00:31:17,840
They have to think about it the 
same way, right? 

595
00:31:18,160 --> 00:31:21,680
Because they can't. 
You, you have to have all of 

596
00:31:21,680 --> 00:31:24,200
these pieces together to be able
to solve that problem. 

597
00:31:24,280 --> 00:31:27,880
And it's very difficult when 
you know you're in that 

598
00:31:27,880 --> 00:31:30,720
boat where you know you, you, 
your data is encrypted. 

599
00:31:31,640 --> 00:31:34,480
Yeah, Ghazi, one thing I want
to talk to you about while, you 

600
00:31:34,480 --> 00:31:36,720
know, I don't want to shift 
completely away from this 

601
00:31:36,720 --> 00:31:39,840
technology conversation so 
exciting, but you manage a large

602
00:31:39,840 --> 00:31:43,440
organization of cybersecurity 
professionals. 

603
00:31:43,440 --> 00:31:47,280
There's a huge skills gap out 
there and it gets worse every 

604
00:31:47,280 --> 00:31:51,000
year, right, Even though we're 
starting to build many more or 

605
00:31:51,000 --> 00:31:54,720
create many more opportunities 
for people coming out of college

606
00:31:54,720 --> 00:31:58,800
or coming into the industry. 
However, the gap gets wider and 

607
00:31:58,800 --> 00:32:01,560
wider between the need and 
what's available. 

608
00:32:01,800 --> 00:32:07,240
And so you had some ideas in 
terms of some of the, I mean, 

609
00:32:07,240 --> 00:32:10,360
you talked about being from 
public accounting firm and that 

610
00:32:10,360 --> 00:32:15,760
being a great opportunity for 
folks to kind of learn the base 

611
00:32:15,760 --> 00:32:18,360
skills and turn into cyber 
professionals. 

612
00:32:18,600 --> 00:32:20,760
I was wondering if you could 
explain why that is? 

613
00:32:20,840 --> 00:32:24,080
Yeah. 
You know, I, I, I'm a techie, 

614
00:32:24,400 --> 00:32:27,640
right? 
And I believe in engineering and

615
00:32:27,640 --> 00:32:32,000
I believe in the bits and bytes 
of everything that we 

616
00:32:32,000 --> 00:32:35,000
do. 
However, over the last 25 years 

617
00:32:35,000 --> 00:32:38,480
of, of being part of cyber 
practices and running cyber 

618
00:32:38,480 --> 00:32:41,760
practices and, and really 
helping clients stand up their, 

619
00:32:41,920 --> 00:32:44,440
you know, operations and, and 
programs. 

620
00:32:45,520 --> 00:32:50,560
You need, you know, people that 
can do penetration testing and 

621
00:32:50,560 --> 00:32:52,720
people that can do cloud 
engineering and somebody that 

622
00:32:52,720 --> 00:32:55,520
can do, you know, infrastructure
as code and somebody that does 

623
00:32:55,520 --> 00:32:58,200
CI/CD pipelining and all of 
those right, They're all 

624
00:32:58,200 --> 00:33:05,160
required, But there's also a 
general lack of, you know, kind 

625
00:33:05,160 --> 00:33:09,960
of lifting and shifting. 
So one of the things that, you 

626
00:33:09,960 --> 00:33:14,880
know, I've found very helpful 
throughout my career, and this 

627
00:33:14,880 --> 00:33:18,480
wasn't really, this is again, by
by accident that that you know, 

628
00:33:18,480 --> 00:33:22,040
this happened when I joined a 
public accounting firm. 

629
00:33:22,200 --> 00:33:25,280
I actually didn't understand 
what I was doing right 

630
00:33:25,400 --> 00:33:27,880
holistically. 
Like I, I joined a cybersecurity

631
00:33:27,880 --> 00:33:31,200
practice, but a lot of the work 
that I actually did wasn't 

632
00:33:31,200 --> 00:33:34,280
really cyber security. 
It was really controls work. 

633
00:33:34,720 --> 00:33:37,520
And that was just the nature of 
the, the market at that time, 

634
00:33:37,520 --> 00:33:39,920
right? 
Sarbanes-Oxley was new. 

635
00:33:39,920 --> 00:33:42,400
Everybody wanted to talk about 
Sarbanes-Oxley, right? 

636
00:33:43,000 --> 00:33:45,160
But if you think about those 
type of compliance requirement, 

637
00:33:45,160 --> 00:33:46,880
what, what, what is it talking 
about? 

638
00:33:47,520 --> 00:33:50,040
The fundamental very first thing
it talks about is access 

639
00:33:50,040 --> 00:33:53,480
control, right? 
So you have people that are 

640
00:33:53,480 --> 00:33:57,240
getting schooled and trained in 
the basics of access control, 

641
00:33:58,000 --> 00:34:01,840
basics of program management, 
basics of change control, right,

642
00:34:02,200 --> 00:34:06,000
basics of resiliency like 
backups and operations and how 

643
00:34:06,000 --> 00:34:08,679
you're going to make sure that 
your environment is resilient. 

644
00:34:09,880 --> 00:34:11,960
So is there a skill gap? 
Yeah. 

645
00:34:12,600 --> 00:34:16,880
But there's also people that can
shift right and can be skilled 

646
00:34:16,880 --> 00:34:19,719
up. 
Not everybody needs to be your, 

647
00:34:19,880 --> 00:34:24,199
you know, high end engineer in 
this space. 

648
00:34:24,719 --> 00:34:28,080
There's a lot of work that needs
to be done and it's everything 

649
00:34:28,080 --> 00:34:31,360
from policy writing to making 
sure that compliance and 

650
00:34:31,360 --> 00:34:36,280
governance is in place, right, 
to making sure that, you know, 

651
00:34:36,320 --> 00:34:39,480
the programs are being managed 
appropriately and orchestrated. 

652
00:34:40,440 --> 00:34:42,400
Cost management is a huge 
portion of it. 

653
00:34:42,480 --> 00:34:44,960
Like you, you know, I mean, 
there's a lot of cost to cyber 

654
00:34:44,960 --> 00:34:47,719
tools. 
There's a lot of FTE cost 

655
00:34:47,880 --> 00:34:51,560
associated with cyber management
of cyber operations, right? 

656
00:34:52,080 --> 00:34:57,880
So management becomes just as 
important as the the skill set. 

657
00:34:58,640 --> 00:35:04,080
So I think that there is, there 
is definitely places you can 

658
00:35:04,080 --> 00:35:09,120
pull from to holistically build 
a team, right, and orchestrate 

659
00:35:09,120 --> 00:35:11,440
this. 
It's been really successful for 

660
00:35:11,440 --> 00:35:16,560
me right, to upskill people. 
It's been really successful for 

661
00:35:16,640 --> 00:35:21,840
me to actually invest time 
in the university systems and 

662
00:35:21,840 --> 00:35:25,720
actually help them kind of 
develop the program that we 

663
00:35:25,720 --> 00:35:28,120
need. 
Because the biggest issue is not

664
00:35:28,120 --> 00:35:30,760
that you're not getting people 
that have a cybersecurity 

665
00:35:30,760 --> 00:35:32,560
degree. 
I mean, most universities now 

666
00:35:32,560 --> 00:35:35,440
offer a cybersecurity degree. 
That wasn't a thing 20 years 

667
00:35:35,440 --> 00:35:38,600
ago, right? 
There was barely an IT was a 

668
00:35:38,600 --> 00:35:43,080
thing 20 years ago. 
So most whatever they're 

669
00:35:43,080 --> 00:35:46,560
learning in school is better 
right, from a cyber perspective 

670
00:35:46,560 --> 00:35:51,960
than it was 20 years ago. 
However, are they coming in 

671
00:35:52,680 --> 00:35:58,680
ready, right, ready to jump in? 
And I think that there's a gap 

672
00:35:58,680 --> 00:36:03,400
there. 
So right now my work with some 

673
00:36:03,400 --> 00:36:07,000
of the universities that I 
recruit at is trying to get 

674
00:36:07,000 --> 00:36:10,760
people more ready for the actual
work that needs to happen. 

675
00:36:10,760 --> 00:36:13,200
And the, you know, the actual 
work is around the, the 10 

676
00:36:13,200 --> 00:36:15,760
things that you Jeff talked 
about at the beginning, right? 

677
00:36:16,160 --> 00:36:18,560
It is around application 
security, it's around secure 

678
00:36:18,560 --> 00:36:21,480
cloud, it's around detect and 
respond, right? 

679
00:36:22,480 --> 00:36:25,440
It's around resiliency and 
recovery, right. 

680
00:36:25,960 --> 00:36:30,400
But are they touching this at a,
at a topical level where they 

681
00:36:30,400 --> 00:36:36,600
just know the concept or are
they getting any practical 

682
00:36:36,680 --> 00:36:38,440
experience with it? 
Right? 

683
00:36:38,960 --> 00:36:40,520
And that's been the biggest 
challenge. 

684
00:36:40,760 --> 00:36:44,160
The other thing that goes 
alongside with, and this might 

685
00:36:44,160 --> 00:36:47,200
be a little deviation from your 
question, but it's skill 

686
00:36:47,200 --> 00:36:51,840
set related, the shortage in the
market then, you know, you, you 

687
00:36:52,200 --> 00:36:56,240
get people to move around. 
But cybersecurity has always 

688
00:36:56,240 --> 00:37:00,120
been an apprenticeship, OK, It's
always been an apprenticeship. 

689
00:37:00,520 --> 00:37:07,000
It's not a, a skill that is just
kind of like learned off of 

690
00:37:07,000 --> 00:37:08,320
books. 
Like you work with a lot of 

691
00:37:08,320 --> 00:37:10,000
people. 
I've learned a lot of stuff from

692
00:37:10,000 --> 00:37:15,160
other people and there's a lot 
of repeat work that you do over 

693
00:37:15,160 --> 00:37:19,280
and over and over again, and it 
gets better every time you do it

694
00:37:19,560 --> 00:37:24,200
right. 
But we don't have people that 

695
00:37:24,200 --> 00:37:28,800
are sticking around long term to
be able to cultivate that 

696
00:37:28,880 --> 00:37:32,160
apprenticeship model anymore 
the way that it used to be. 

697
00:37:32,480 --> 00:37:35,160
So if we get 2 years here and 
we've got another year here and 

698
00:37:35,160 --> 00:37:39,040
two years over there, it looks 
like you've got good experience 

699
00:37:39,040 --> 00:37:42,360
at very large, reputable firms 
and you were part of, you know, 

700
00:37:42,360 --> 00:37:46,720
their, their cyber team. 
But if you took that person as 

701
00:37:46,720 --> 00:37:49,640
an individual and you said, OK, 
let's look at your own personal 

702
00:37:49,640 --> 00:37:56,120
depth on something right, 
related to these topics, I find 

703
00:37:56,120 --> 00:37:58,200
it sometimes lacking. 
And I think that that's the 

704
00:37:58,200 --> 00:38:02,000
shift that needs to be made
is that we've got to bring back 

705
00:38:02,000 --> 00:38:04,320
the apprenticeship model a bit 
more. 

706
00:38:05,520 --> 00:38:08,200
We've seen that apprenticeship 
model like if you, if you look 

707
00:38:08,200 --> 00:38:12,240
at some of the other countries 
that are ahead of us in, in tech

708
00:38:12,240 --> 00:38:16,680
development and they're moving 
faster than we are, everywhere 

709
00:38:16,680 --> 00:38:20,000
you look, the apprenticeship 
model is intact. 

710
00:38:20,920 --> 00:38:26,800
So that's what my, I guess 
soapbox is that I got I, I 

711
00:38:27,120 --> 00:38:30,520
really, I really struggle with 
that one. 

712
00:38:31,040 --> 00:38:33,880
Yeah. 
But I mean that's a a big part 

713
00:38:33,880 --> 00:38:40,080
of you know, developing people. 
It's not only the long term 

714
00:38:40,080 --> 00:38:43,560
benefit of two through 
organizations that person is 

715
00:38:43,560 --> 00:38:48,840
going to really appreciate and 
start to build their career. 

716
00:38:48,840 --> 00:38:52,680
And I think we have this concept
of at RSM of the boomerang 

717
00:38:52,680 --> 00:38:55,000
people. 
So it's like people who go out 

718
00:38:55,000 --> 00:38:59,120
into industry work 3 or 4 years 
to come back now they've got 

719
00:38:59,120 --> 00:39:03,640
some new skills and experiences.
But I do agree with you, the one

720
00:39:03,640 --> 00:39:06,720
year, 2 year, it's kind of like 
go somewhere time start to get 

721
00:39:06,720 --> 00:39:09,160
rough. 
If you stick it out, that's 

722
00:39:09,160 --> 00:39:12,600
where you really build your 
mettle is going through the hard 

723
00:39:12,600 --> 00:39:14,920
times. 
And I think that's a life skill,

724
00:39:14,920 --> 00:39:16,400
right? 
It's you learn more from the 

725
00:39:16,400 --> 00:39:17,920
hard times than from the easy 
times. 

726
00:39:17,920 --> 00:39:21,720
You guys have been doing the 
identity podcast for since 2019,

727
00:39:22,280 --> 00:39:25,040
but you've been doing identity 
work a lot, way longer, right? 

728
00:39:25,800 --> 00:39:29,760
And I, I bet that even in the 
last two or three days, you've 

729
00:39:29,760 --> 00:39:32,600
probably learned a thing or two 
that's new, right? 

730
00:39:33,160 --> 00:39:35,360
And it's always evolving and 
you're probably going to go 

731
00:39:35,360 --> 00:39:37,440
teach that to somebody, whatever
you've learned. 

732
00:39:37,760 --> 00:39:39,280
And that's what it's all about, 
right? 

733
00:39:39,960 --> 00:39:43,240
So keeping teams together and I 
think building that 

734
00:39:43,240 --> 00:39:47,440
apprenticeship model, whether 
it's a consulting business or 

735
00:39:47,440 --> 00:39:50,920
whether it's a, you know, 
you're, you're in the industry 

736
00:39:50,920 --> 00:39:54,320
and you know, you're kind of 
running your own operations, 

737
00:39:54,760 --> 00:39:57,240
it's required either way, so. 
Yeah. 

738
00:39:57,240 --> 00:40:00,320
I mean, one thing I did want to 
kind of pull out of that 

739
00:40:00,320 --> 00:40:04,040
conversation was that, you know,
it's, it's kind of the working 

740
00:40:04,040 --> 00:40:06,360
with the frameworks, 
understanding the frameworks and

741
00:40:06,360 --> 00:40:09,720
the access controls. 
So the access control or I'm 

742
00:40:09,720 --> 00:40:12,200
sorry, the frameworks are 
designed to help you meet the 

743
00:40:12,200 --> 00:40:15,840
access controls, right. 
So it's going in and taking a 

744
00:40:15,840 --> 00:40:20,880
NIST cybersecurity framework 
questionnaire and kind of like 

745
00:40:21,080 --> 00:40:23,560
working through that. 
And I think you you mentioned it

746
00:40:23,560 --> 00:40:26,800
gets better the more times 
people end up doing it, they 

747
00:40:26,800 --> 00:40:30,600
understand it more. 
Now when they go to a position 

748
00:40:30,600 --> 00:40:33,800
where they're applying that 
framework and building a program

749
00:40:33,800 --> 00:40:37,320
around that framework, those 
pieces are really coming 

750
00:40:37,320 --> 00:40:40,240
together. 
I think it has additional 

751
00:40:40,240 --> 00:40:45,600
benefits as well, right? 
A lot of cyber stuff still gets 

752
00:40:47,840 --> 00:40:50,800
pushed down because of, you 
know, compliance requirements, 

753
00:40:51,200 --> 00:40:53,520
right, or governance needs and 
things like that. 

754
00:40:54,080 --> 00:40:59,800
So some of that actually helps 
you work out, hey, you know, 

755
00:40:59,800 --> 00:41:02,600
here's what the operational 
things are, right? 

756
00:41:03,160 --> 00:41:06,800
Here's the tactical things I've 
got to do, but why am I doing 

757
00:41:06,800 --> 00:41:10,880
some of these things, right? 
And if you understand the, the, 

758
00:41:12,120 --> 00:41:16,000
the control side of it, you 
understand the auditable side of

759
00:41:16,000 --> 00:41:21,560
it, right, versus the actual, 
the work that needs to be done, 

760
00:41:22,200 --> 00:41:25,920
I think you can be a better 
consultant, you can be a better 

761
00:41:26,000 --> 00:41:30,240
internal specialist because you 
understand both sides of the 

762
00:41:30,240 --> 00:41:33,400
house, right? 
I don't think I had appreciation

763
00:41:33,400 --> 00:41:36,280
of that till much later in my 
career. 

764
00:41:37,560 --> 00:41:40,880
I did not like doing the the 
control work personally. 

765
00:41:41,080 --> 00:41:43,440
I was like, I'm a cyber 
professional, right? 

766
00:41:43,440 --> 00:41:45,600
I can architect a network for
you, right? 

767
00:41:45,880 --> 00:41:49,680
And do a pen test for you. 
Why am I doing this other stuff?

768
00:41:50,200 --> 00:41:54,640
But you realize over a period of
time that you still have to at 

769
00:41:54,640 --> 00:41:58,400
some point justify those things,
right? 

770
00:41:58,400 --> 00:42:01,000
You still have to be compliant 
with certain regulations and so 

771
00:42:01,000 --> 00:42:04,120
forth. 
And by understanding the 

772
00:42:04,120 --> 00:42:07,560
infrastructure side of it, you 
know what that difficulty is, 

773
00:42:07,800 --> 00:42:10,960
You come up with newer ways or 
better ways to solve for the 

774
00:42:10,960 --> 00:42:14,560
compliance challenges you have 
because now you understand both 

775
00:42:14,560 --> 00:42:17,920
sides of the world, right? 
So you bringing those two things

776
00:42:17,920 --> 00:42:21,440
together, it's, it's really hard
for people because you know, the

777
00:42:21,480 --> 00:42:24,560
compliance is boring. 
It's really boring, right? 

778
00:42:24,960 --> 00:42:30,360
But it drives a lot of like 
budgets for security, right, for

779
00:42:30,360 --> 00:42:35,160
organization, even for identity,
like a lot of big companies, 

780
00:42:35,600 --> 00:42:38,120
they, they do what they do 
because there are compliance 

781
00:42:38,120 --> 00:42:39,360
requirements that they need to 
fund. 

782
00:42:39,640 --> 00:42:41,080
Especially in certain 
industries. 

783
00:42:41,080 --> 00:42:44,440
I mean, that is so that that was
my background was I was in 

784
00:42:44,440 --> 00:42:48,080
identity doing a lot of 
engineering program management, 

785
00:42:48,440 --> 00:42:51,480
but in the manufacturing 
industry where it wasn't as 

786
00:42:51,480 --> 00:42:55,080
heavily regulated, especially 
working on a lot of CIA and 

787
00:42:55,080 --> 00:42:57,480
stuff. 
I ended up in the financial 

788
00:42:57,480 --> 00:43:05,000
services industry doing internal
as well as banking and and the 

789
00:43:05,000 --> 00:43:08,920
loan operations. 
What I found out, especially on 

790
00:43:08,920 --> 00:43:14,280
the workforce side of the House 
was the regulatory framework or 

791
00:43:14,440 --> 00:43:17,640
regulatory oversight, which led 
to all the frameworks and having

792
00:43:17,640 --> 00:43:23,080
the GRC controls in place tested
on a frequent basis and making 

793
00:43:23,080 --> 00:43:27,920
sure it's a lot more rigid and 
demanding. 

794
00:43:28,280 --> 00:43:31,560
And if you don't take the time 
to understand that and I had to 

795
00:43:31,600 --> 00:43:35,920
kind of learn trial by fire, if 
you will, but I mean that was 

796
00:43:36,720 --> 00:43:42,840
it's foundational I think for 
identity as you move up into 

797
00:43:42,880 --> 00:43:45,800
more advanced leadership roles. 
And it, it's only going to get 

798
00:43:45,800 --> 00:43:48,560
complicated with hybrid cloud 
environments, right? 

799
00:43:48,960 --> 00:43:53,080
Because what is inherent in the 
cloud environment that gives you

800
00:43:53,280 --> 00:43:56,040
those controls, right? 
What is it that you need to 

801
00:43:56,040 --> 00:43:58,960
build on top of that? 
Because just by putting your 

802
00:43:58,960 --> 00:44:03,920
stuff in in the cloud, you're, 
you're not, it's, it's still 

803
00:44:03,920 --> 00:44:07,040
your risk, right? 
It's still your data, it's still

804
00:44:07,040 --> 00:44:09,760
your problem, right? 
Ultimately. 

805
00:44:09,760 --> 00:44:15,160
So sometimes I find it naive for
people to say, OK, well, yeah, 

806
00:44:15,160 --> 00:44:18,000
what was in Azure? 
And Azure's giving me these 

807
00:44:18,000 --> 00:44:21,480
control points, right? 
What was it configured for that,

808
00:44:21,640 --> 00:44:23,560
right? 
If it's not configured for that,

809
00:44:23,560 --> 00:44:27,080
then you're you're not going to 
get those control points and the

810
00:44:27,120 --> 00:44:30,280
auditor will come and and we'll 
find you weak in those, right. 

811
00:44:30,680 --> 00:44:34,520
We'll talk a little bit more 
about AI, but I, I kind of feel 

812
00:44:34,520 --> 00:44:39,160
like this is one area where if we 
put AI in charge of making 

813
00:44:39,160 --> 00:44:43,480
decisions about our access, we 
may have a harder time tracing 

814
00:44:43,480 --> 00:44:48,120
it back to, OK, you know, was 
the right decision made, was the

815
00:44:48,120 --> 00:44:51,120
right information provided in 
order for that decision to be 

816
00:44:51,120 --> 00:44:54,280
made. 
But I don't want to divert us 

817
00:44:54,280 --> 00:44:57,400
into the. 
I didn't want to add one, one thing

818
00:44:57,400 --> 00:45:00,800
real, real quick because I think
it's, it's related to what we 

819
00:45:00,800 --> 00:45:05,680
were just speaking to. 
One of the things that I've, you

820
00:45:05,680 --> 00:45:11,560
know, been really contemplating 
is so the large companies, 

821
00:45:11,800 --> 00:45:13,560
right? 
Generally, there's a lot of 

822
00:45:13,560 --> 00:45:16,760
conversation around identity at 
those companies, right? 

823
00:45:17,520 --> 00:45:19,520
We deal with those clients all 
the time. 

824
00:45:19,520 --> 00:45:21,600
You guys deal with them, I deal 
with them, right. 

825
00:45:22,800 --> 00:45:27,520
But we have about 30,000 
companies that are in the 500 

826
00:45:27,520 --> 00:45:30,000
million to $5 billion range, 
right? 

827
00:45:30,400 --> 00:45:36,320
In the United States. 
They don't have the resource 

828
00:45:37,600 --> 00:45:40,360
leverage that that some of these
larger companies have. 

829
00:45:40,480 --> 00:45:42,280
They don't have the budgets, 
right? 

830
00:45:42,840 --> 00:45:46,320
They're still contending with 
the same proliferation, right? 

831
00:45:47,560 --> 00:45:51,040
They, they have scaling issues, 
They're still running hybrid 

832
00:45:51,040 --> 00:45:54,400
environments in most cases. 
They're still kind of on-prem 

833
00:45:54,400 --> 00:45:56,000
and then they've got some stuff 
in the cloud. 

834
00:45:56,000 --> 00:46:01,000
It's not very cohesive, right? 
They still need to be compliant 

835
00:46:02,000 --> 00:46:03,760
with, with different 
requirements, right? 

836
00:46:05,360 --> 00:46:11,000
So you kind of think about that 
demographic and I think that 

837
00:46:11,160 --> 00:46:15,440
we've seen over the course of 
last so predominantly in the 

838
00:46:15,440 --> 00:46:19,120
last five years that the attack 
vectors have shifted from large 

839
00:46:19,480 --> 00:46:23,560
corporations right to some of 
these middle market companies or

840
00:46:23,560 --> 00:46:25,080
upper middle market companies, 
right? 

841
00:46:25,800 --> 00:46:28,400
And it's because of that reason,
it's because hackers are 

842
00:46:28,400 --> 00:46:31,280
generally lazy, right? 
They're going to go after what's

843
00:46:31,280 --> 00:46:34,920
what's easier. 
And I think within the identity 

844
00:46:34,920 --> 00:46:38,160
space and generally within 
broadly in the cybersecurity 

845
00:46:38,160 --> 00:46:45,160
space, you can't functionally 
deal with those companies the 

846
00:46:45,160 --> 00:46:48,800
same way that as the larger 
companies are because they don't

847
00:46:48,800 --> 00:46:52,160
have big programs that they that
you can tap into. 

848
00:46:52,240 --> 00:46:55,880
They don't have 10 resources to,
to go pull on, right? 

849
00:46:57,160 --> 00:47:00,880
They might have a total of five,
they might have a total of 2 

850
00:47:01,240 --> 00:47:04,040
cyber professionals that are in 
that organization, right? 

851
00:47:04,400 --> 00:47:08,160
But they're still rotating 
through, you know, $2 billion. 

852
00:47:09,000 --> 00:47:12,400
So there are, they need a lot, a
lot of help as well. 

853
00:47:12,680 --> 00:47:15,520
And you know, I think there's 
going to be some changes that, 

854
00:47:15,520 --> 00:47:18,840
that are going to be required on
how identities are administered,

855
00:47:18,880 --> 00:47:23,360
built, managed, operated for 
that demographic of client. 

856
00:47:23,360 --> 00:47:26,240
And we've been, we've been 
thinking about that a lot in RSM

857
00:47:26,960 --> 00:47:30,560
on how we can make that 
mechanical and mechanise that 

858
00:47:31,160 --> 00:47:33,760
holistically for those that 
demographic of client. 

859
00:47:34,360 --> 00:47:38,760
But that's, that's huge. 
That's where most of the attacks

860
00:47:38,760 --> 00:47:42,320
are right now, and that's. 
Getting scanned just as much as 

861
00:47:42,320 --> 00:47:45,040
the big companies. 
And it's kind of like the point 

862
00:47:45,040 --> 00:47:47,920
that you were like, I was 
thinking like a safari example. 

863
00:47:48,640 --> 00:47:53,440
The lion scans the herd and 
looks for what the weakest, the 

864
00:47:53,440 --> 00:47:56,400
youngest, whatever, the easiest 
target. 

865
00:47:57,160 --> 00:48:00,400
And so if we're scanning 
everybody and somebody's under 

866
00:48:00,400 --> 00:48:03,320
invested and has some weakness 
like that's the target. 

867
00:48:05,520 --> 00:48:08,880
So I thought I'd I'd mention 
that a little bit because it's 

868
00:48:08,880 --> 00:48:10,680
been, it's been on my mind 
lately. 

869
00:48:11,440 --> 00:48:13,040
AI is on the top of everyone's 
mind right now. 

870
00:48:13,920 --> 00:48:16,800
I think I'd like to do a little 
bit of a lightning round, maybe 

871
00:48:16,800 --> 00:48:19,360
an identity or security 
Rorschach test for you. 

872
00:48:19,360 --> 00:48:22,440
So I'm going to throw out some 
terms and just tell me what 

873
00:48:22,440 --> 00:48:25,680
comes to mind when you hear the 
term zero trust. 

874
00:48:31,000 --> 00:48:32,080
I don't think there's anything 
else. 

875
00:48:32,080 --> 00:48:34,880
Zero trust. 
I think it's a great concept 

876
00:48:36,160 --> 00:48:37,440
like, hey, I don't trust 
anybody. 

877
00:48:38,080 --> 00:48:42,040
OK? 
So you have to prove to me every

878
00:48:42,040 --> 00:48:44,600
single time that you're going to
get access to a resource that 

879
00:48:44,680 --> 00:48:48,200
you know you are who you are and
you are connecting from where 

880
00:48:48,200 --> 00:48:50,560
you're connecting. 
Otherwise, no. 

881
00:48:51,520 --> 00:48:58,560
But reality is that it's, it's 
not been implemented at at an 

882
00:48:58,560 --> 00:49:02,440
appropriate level and it is 
extremely cumbersome to manage. 

883
00:49:04,520 --> 00:49:07,200
It requires a lot of manual 
intervention. 

884
00:49:08,120 --> 00:49:15,240
So I feel it's more, you know, 
I'm not going to throw it as 

885
00:49:15,240 --> 00:49:18,760
that it's not a good concept. 
It's a great concept, but it's 

886
00:49:18,760 --> 00:49:20,840
hard to implement. 
It's really, really hard to 

887
00:49:20,840 --> 00:49:23,640
implement. 
Real world execution is is the 

888
00:49:23,640 --> 00:49:25,880
trick, right? 
Because it's not just why I 

889
00:49:25,880 --> 00:49:27,240
bought it in a zero trust 
product. 

890
00:49:27,240 --> 00:49:29,640
Now I'm zero trust. 
It's it's a combination of 

891
00:49:29,640 --> 00:49:31,240
things. 
And there's a lot of, you know, 

892
00:49:31,280 --> 00:49:33,240
product conversation around it, 
right? 

893
00:49:33,240 --> 00:49:36,160
Well, you get this product and 
you get that in and you know 

894
00:49:36,200 --> 00:49:38,200
it's going to solve the world's 
problems, right? 

895
00:49:38,920 --> 00:49:41,600
But it's about how it's 
implemented. 

896
00:49:41,640 --> 00:49:44,960
It's about how it's used. 
It's also very important. 

897
00:49:44,960 --> 00:49:47,480
The one thing that I find 
missing in zero trust 

898
00:49:47,480 --> 00:49:53,360
conversation is the, the 
business acumen within that 

899
00:49:53,360 --> 00:49:55,800
conversation. 
There's no two businesses are 

900
00:49:55,800 --> 00:49:59,400
alike, right? 
So what this business needs is 

901
00:49:59,400 --> 00:50:01,520
very different than what this 
business needs, right? 

902
00:50:01,920 --> 00:50:04,480
And the way that they access 
things is very different than 

903
00:50:04,480 --> 00:50:06,000
the way that they access things,
right? 

904
00:50:06,160 --> 00:50:09,560
And the frequency of the, the 
the access is very different 

905
00:50:09,560 --> 00:50:10,920
than the frequency of the 
access. 

906
00:50:11,280 --> 00:50:16,400
So I think that it has to be 
business centric. 

907
00:50:16,400 --> 00:50:19,400
Does it work? 
And I don't think that you need 

908
00:50:19,400 --> 00:50:21,160
to have zero trust deployed 
everywhere. 

909
00:50:21,960 --> 00:50:24,520
I think you need to know what 
you're trying to protect in the 

910
00:50:24,520 --> 00:50:28,920
first place and then define, you 
know, your zero trust 

911
00:50:28,920 --> 00:50:32,400
architecture around that. 
A lot of companies just think, 

912
00:50:32,400 --> 00:50:34,480
OK, well, that's by default. 
That's what we're going to go 

913
00:50:34,480 --> 00:50:37,720
do. 
It's a very, very costly 

914
00:50:37,720 --> 00:50:41,280
proposition to get that through 
and manage it. 

915
00:50:41,400 --> 00:50:44,520
No, I wanted to throw one thing 
into zero trust conversation. 

916
00:50:44,520 --> 00:50:48,440
I'm sure you've heard this your 
entire career of doing 

917
00:50:49,120 --> 00:50:54,240
consulting in the cyberspace, 
which is you talk to a client 

918
00:50:54,240 --> 00:50:57,720
and they'll say, well, only 
people who are plugged into a 

919
00:50:57,720 --> 00:51:01,640
network slot can access this. 
They can get it. 

920
00:51:01,640 --> 00:51:06,880
No password or no MFA. 
It's like, so as a consultant, 

921
00:51:06,880 --> 00:51:09,320
you just nod your head. 
It's like, yes, that is better 

922
00:51:09,320 --> 00:51:11,400
than if the outside Internet 
could come in. 

923
00:51:11,400 --> 00:51:15,720
No MFA, I grant you that. 
But if you're asking me to say 

924
00:51:15,720 --> 00:51:20,360
that's OK, I'm not going to or 
the the example we see all the 

925
00:51:20,360 --> 00:51:23,040
time is, but there's only seven 
people in the domain 

926
00:51:23,040 --> 00:51:26,160
administrators and we know them 
all, so it's OK. 

927
00:51:26,760 --> 00:51:30,240
It's like if you're asking me to
tell you whether or not that's 

928
00:51:30,240 --> 00:51:33,080
OK, the answer is no, it's not 
OK. 

929
00:51:33,200 --> 00:51:35,640
You can't be. 
Familiarity isn't security. 

930
00:51:36,240 --> 00:51:40,320
Exactly, that's spot on. 
So you know, I feel like that's 

931
00:51:40,320 --> 00:51:43,920
an important part of zero trust. 
Like the implementation of it is

932
00:51:44,240 --> 00:51:51,360
like, OK, you may not get 10 out
of 10, but let's not just like 

933
00:51:52,720 --> 00:51:55,840
because we, you know, getting 
from 9 out of 10 to 10 out of 10

934
00:51:55,840 --> 00:51:58,200
is just so difficult. 
We're just not going to do it 

935
00:51:58,200 --> 00:52:01,440
fine. 9 out of 10, not ten out 
of 10. 

936
00:52:02,120 --> 00:52:06,400
No, I, I agree. 
I I do though, think that the 

937
00:52:06,400 --> 00:52:09,440
zero trust conversation should 
be uncoupled from least 

938
00:52:09,440 --> 00:52:11,920
privilege. 
They're two different things, 

939
00:52:12,320 --> 00:52:14,600
right? 
A lot of times people would just

940
00:52:14,600 --> 00:52:16,520
kind of combine them together. 
It's like, well it's least 

941
00:52:16,520 --> 00:52:19,240
privilege. 
OK, Least privilege should be by

942
00:52:19,480 --> 00:52:25,520
by DNA right? 
That do you need 7 domain admins

943
00:52:25,520 --> 00:52:28,400
or did you need like 3 in the 
first place? 

944
00:52:28,400 --> 00:52:30,240
Does their job actually require 
them? 

945
00:52:31,200 --> 00:52:33,000
But what if? 
What if? 

946
00:52:33,400 --> 00:52:35,680
What if that? 
Then that's how that circle 

947
00:52:35,680 --> 00:52:37,400
expands. 
Exactly. 

948
00:52:37,560 --> 00:52:40,080
Well, I think. 
There's also even vendors in 

949
00:52:40,080 --> 00:52:43,600
this technology, vendors in the 
space that will actually 

950
00:52:43,600 --> 00:52:48,720
encourage organizations to grant
people access that they don't 

951
00:52:48,720 --> 00:52:54,560
need by saying, oh, this role is
80% of the people who are in the

952
00:52:54,560 --> 00:52:57,720
accounting department have 
access to this application. 

953
00:52:57,720 --> 00:52:59,160
So why don't I just give it to 
100. 

954
00:52:59,400 --> 00:53:00,760
It's going to be simpler to 
manage. 

955
00:53:00,760 --> 00:53:05,080
There is a benefit to simpler to
manage this. 20% of people don't

956
00:53:05,080 --> 00:53:08,400
need the access. 
By definition of what least 

957
00:53:08,400 --> 00:53:10,640
privilege is, they should not 
have the access. 

958
00:53:10,920 --> 00:53:15,280
So I don't know, maybe I'm just 
fighting over principle, but I 

959
00:53:15,280 --> 00:53:18,120
think that's I think that's what
it comes down to. 

960
00:53:18,120 --> 00:53:21,080
A lot of times it's like, hey, 
there's just so much to manage 

961
00:53:21,400 --> 00:53:24,680
that you have that these 
trade-offs to say. 

962
00:53:25,000 --> 00:53:27,920
All right, well, some, you know,
bundling this into roles and 

963
00:53:27,920 --> 00:53:31,640
maybe people get more access 
than they need becomes more 

964
00:53:31,640 --> 00:53:35,000
secure become because it makes 
it more manageable. 

965
00:53:35,440 --> 00:53:37,080
I mean, you always have to hedge
risk, right? 

966
00:53:37,280 --> 00:53:40,920
This that's that's basically the
bottom line is that you have to,

967
00:53:41,240 --> 00:53:44,280
you may have to make smart 
choices based off of the cards 

968
00:53:44,280 --> 00:53:49,280
that that are in your hand, 
right, But you also have to 

969
00:53:49,520 --> 00:53:54,200
learn from what good looks like,
right, and what best looks like 

970
00:53:54,600 --> 00:53:57,440
and try to achieve that at the 
lowest cost point that you that 

971
00:53:57,440 --> 00:53:59,160
you can. 
That's the name of the game, to 

972
00:53:59,160 --> 00:54:02,400
be honest. 
All right, next one pass 

973
00:54:02,440 --> 00:54:04,040
passwordless. 
What do you think of? 

974
00:54:07,640 --> 00:54:13,040
That excites me, passwordless. 
Yes, I mean who, who, why, why, 

975
00:54:13,120 --> 00:54:17,200
why are we remembering passwords
like it, you know, 2025? 

976
00:54:17,360 --> 00:54:20,320
I wanna have 48 different 
passwords for things said nobody

977
00:54:20,320 --> 00:54:22,800
ever. 
It's like it's, it's just the, 

978
00:54:22,960 --> 00:54:25,760
it's the oldest thing that we've
had, right? 

979
00:54:26,280 --> 00:54:29,080
This passwordless, yes, all the 
way. 

980
00:54:29,280 --> 00:54:33,200
What do you think stops or maybe
slows organizations from 

981
00:54:33,200 --> 00:54:35,960
adopting it 'cause this is a a 
standard that the FIDO Alliance

982
00:54:35,960 --> 00:54:38,520
has, has really helped kind of 
put forward over the last couple

983
00:54:38,520 --> 00:54:42,040
years and it's there, it works, 
people are using it. 

984
00:54:42,440 --> 00:54:46,040
What is the what is the driver 
that a CSO needs to say is like,

985
00:54:46,040 --> 00:54:50,440
we're going to do this? 
I think CISOs are pushing. 

986
00:54:50,920 --> 00:54:54,000
I've, I've had a lot of 
conversations with CSOs where 

987
00:54:54,000 --> 00:54:57,160
they're driving that it's, it's 
getting comfortable with the 

988
00:54:57,160 --> 00:55:00,200
technology, right, that you're 
employing. 

989
00:55:00,200 --> 00:55:03,720
It's getting comfortable, it 
gets getting the the board 

990
00:55:03,720 --> 00:55:05,280
comfortable. 
It's getting the executive 

991
00:55:05,280 --> 00:55:08,240
management comfortable. 
It's getting the regulators 

992
00:55:08,240 --> 00:55:14,280
comfortable because how are you 
going to audit that, right, in a

993
00:55:14,280 --> 00:55:17,200
regulated environment? 
So if if you don't have the 

994
00:55:17,200 --> 00:55:20,600
standards for it today, you're 
going to create one, right? 

995
00:55:22,120 --> 00:55:24,560
So it's it's all of those 
things, right? 

996
00:55:24,920 --> 00:55:28,440
And people get gun shy because 
they're like, OK, well, it's 

997
00:55:28,440 --> 00:55:30,600
new. 
Well, I don't want to be 

998
00:55:30,600 --> 00:55:33,680
bleeding edge, but you know, and
it's not, this is not a bleeding

999
00:55:33,680 --> 00:55:35,920
edge concept. 
I mean, it's been around for a 

1000
00:55:35,920 --> 00:55:43,640
while, but I think the adoption 
of it is really getting people 

1001
00:55:44,000 --> 00:55:46,640
comfortable with the idea that 
they don't, they don't need to 

1002
00:55:46,640 --> 00:55:50,720
know their password, right? 
And how they're going to 

1003
00:55:50,720 --> 00:55:53,480
mechanize their processes are 
completely different, right? 

1004
00:55:53,880 --> 00:55:57,320
It's very much a possession 
based authentication scheme and 

1005
00:55:57,320 --> 00:56:00,680
not everybody has something that
they're comfortable using for 

1006
00:56:00,680 --> 00:56:02,880
possession based. 
And there are challenges, right 

1007
00:56:02,880 --> 00:56:05,680
field services and other types 
like, you know, not, no two businesses

1008
00:56:05,680 --> 00:56:07,720
are alike. 
It's it's easy where you know, 

1009
00:56:07,760 --> 00:56:09,960
if you're connected to the 
Internet all the time and you're

1010
00:56:10,080 --> 00:56:12,080
connected to a device all the 
time, OK, great. 

1011
00:56:12,600 --> 00:56:14,360
But you know, there's a lot of 
business. 

1012
00:56:14,360 --> 00:56:17,360
It's the edge cases, and I think
that's the excuse that people 

1013
00:56:17,360 --> 00:56:19,960
give the most on why it won't 
work here. 

1014
00:56:20,160 --> 00:56:24,640
It's that legacy system or the 
field engineer. 

1015
00:56:25,160 --> 00:56:29,680
But I say then carve those out, 
do passwordless everywhere you

1016
00:56:29,680 --> 00:56:35,080
can, and do some other mechanism
for the edge case. 

1017
00:56:35,600 --> 00:56:38,640
I agree. 
I mean, I I that one excites me.

1018
00:56:38,840 --> 00:56:42,680
Yeah, like I can't get rid of. 
So you're team passwordless, I'm 

1019
00:56:42,680 --> 00:56:44,440
with you on that. 
One I'm I'm definitely team 

1020
00:56:44,440 --> 00:56:46,320
passwordless. 
How about, I'm going to 

1021
00:56:46,320 --> 00:56:48,320
call an audible here because I 
had a couple of different ones 

1022
00:56:48,320 --> 00:56:50,600
who were kind of picked through,
but you mentioned blockchain 

1023
00:56:50,600 --> 00:56:53,600
earlier. 
So when it comes to blockchain 

1024
00:56:53,600 --> 00:56:56,600
and decentralized identity, what
it comes to mind? 

1025
00:57:01,000 --> 00:57:03,040
You could do a full podcast. 
On that and we have in. 

1026
00:57:03,640 --> 00:57:06,040
My Bitcoin wallet, What's it 
doing today? 

1027
00:57:06,120 --> 00:57:10,000
Yeah. 
Do you know anybody who's using 

1028
00:57:10,000 --> 00:57:12,240
it today out of all your clients
and people that you're working 

1029
00:57:12,240 --> 00:57:12,960
with? 
I do not. 

1030
00:57:13,640 --> 00:57:17,800
In fact, I, I would say there's 
a lot of innovation that is 

1031
00:57:17,800 --> 00:57:23,240
coming with blockchain, but it 
hasn't moved as fast as 

1032
00:57:23,480 --> 00:57:24,880
everybody thought it was going 
to move. 

1033
00:57:25,360 --> 00:57:27,000
At least that's my impression. 
OK. 

1034
00:57:27,240 --> 00:57:31,760
I, I, I won't speak for 
companies that are actively 

1035
00:57:32,520 --> 00:57:36,920
doing building tools technology 
on, on blockchain, right? 

1036
00:57:38,440 --> 00:57:42,400
But I'm a cyber professional and
I've, I've evaluated based off 

1037
00:57:42,400 --> 00:57:46,440
of the number of requests that, 
that you know, are coming to us 

1038
00:57:46,440 --> 00:57:49,040
to say, hey, we're implementing 
this new technology. 

1039
00:57:49,760 --> 00:57:51,600
I don't know if this is going to
work for us. 

1040
00:57:51,600 --> 00:57:55,080
Can you come in and test it out?
So far there have been zero 

1041
00:57:55,080 --> 00:57:58,720
those requests, right? 
So it's, you know, it's not like

1042
00:57:58,840 --> 00:58:03,040
there's a ton of them. 
There are some and there's some 

1043
00:58:03,040 --> 00:58:05,720
some really, really creative 
ones that you go into like, oh, 

1044
00:58:05,720 --> 00:58:11,520
shoosh, this is going to, this 
is tough and it's hard both from

1045
00:58:11,520 --> 00:58:14,920
a, it is, it is well 
orchestrated from a security 

1046
00:58:14,920 --> 00:58:19,440
perspective, right. 
But then in, in general, I think

1047
00:58:21,600 --> 00:58:24,640
your, your question is more 
identity and distribution of 

1048
00:58:24,640 --> 00:58:29,360
that. 
It's, it's very hard in a, in an

1049
00:58:29,360 --> 00:58:32,640
environment where you know, you 
don't have you, you have 

1050
00:58:32,680 --> 00:58:35,000
obscurity, like how are you 
going to regulate that? 

1051
00:58:36,440 --> 00:58:39,240
There's this trouble already in 
regulating blockchain right now 

1052
00:58:39,240 --> 00:58:42,800
where you're going to go and, 
and say a public, public company

1053
00:58:43,120 --> 00:58:47,960
that is a SEC registered that 
that is going to come and deal 

1054
00:58:47,960 --> 00:58:52,920
with identity through obscurity 
and you can't really manage that

1055
00:58:52,920 --> 00:58:55,720
appropriately. 
I think it's a really tough sell

1056
00:58:55,920 --> 00:58:58,200
right now. 
I think it's a great concept, 

1057
00:58:59,480 --> 00:59:03,240
but I think blockchain and 
crypto in general has to kind of

1058
00:59:03,240 --> 00:59:06,280
flush itself out for the masses,
for the masses. 

1059
00:59:06,560 --> 00:59:08,800
Yeah, I feel the same because I 
think like it's the solution 

1060
00:59:08,800 --> 00:59:11,240
that's been out there now for a 
while, but I don't know anybody 

1061
00:59:11,240 --> 00:59:13,640
who's using it not in the in 
what I'll call the real world, 

1062
00:59:13,920 --> 00:59:15,360
right? 
I'm sure there are some 

1063
00:59:16,000 --> 00:59:18,760
excellent use cases for it. 
When it comes to decentralized 

1064
00:59:18,760 --> 00:59:22,760
identity, I think we have to 
figure out, OK, well, whose 

1065
00:59:22,760 --> 00:59:25,320
blockchain, who's running that 
blockchain and how are we making

1066
00:59:25,320 --> 00:59:28,960
that interoperable with others? 
And do you trust the blockchain 

1067
00:59:28,960 --> 00:59:31,480
that it's on? 
I mean, at any given point, half

1068
00:59:31,480 --> 00:59:33,320
the population is for or against
government. 

1069
00:59:33,960 --> 00:59:36,560
There's healthcare, there's 
education, there's finance, and 

1070
00:59:36,560 --> 00:59:38,520
then you've got social media 
networks. 

1071
00:59:39,040 --> 00:59:41,680
You know, I, I think it's a 
really interesting, almost like 

1072
00:59:41,680 --> 00:59:42,760
a social experiment. 
It's OK. 

1073
00:59:42,760 --> 00:59:46,160
Well, when does this come? 
Because I've been hearing about 

1074
00:59:46,160 --> 00:59:48,240
it now for, I don't know, almost
a decade I feel like. 

1075
00:59:48,720 --> 00:59:53,800
But I've yet to see a I'll call 
a normal company adopt 

1076
00:59:54,240 --> 00:59:58,120
decentralized identity as part 
of their identity apparatus. 

1077
00:59:58,320 --> 01:00:00,720
I I haven't seen much of that 
either, so. 

1078
01:00:01,560 --> 01:00:05,080
I think the interesting thing 
about blockchain is this 

1079
01:00:05,800 --> 01:00:10,320
uneditable ledger idea. 
I don't know the exact use case 

1080
01:00:10,320 --> 01:00:13,200
that it's going to be used for 
from an identity perspective, 

1081
01:00:13,480 --> 01:00:16,720
but I can tell you this where at
Gartner I am it's not being 

1082
01:00:16,720 --> 01:00:19,920
talked about. 
So it there's probably somebody 

1083
01:00:19,920 --> 01:00:24,040
listening to this podcast right 
now like you dummies, you this 

1084
01:00:24,200 --> 01:00:27,960
is the this is the future. 
Yeah, they're probably lighting 

1085
01:00:27,960 --> 01:00:31,080
up right now, but. 
I mean, I, I think the the fact 

1086
01:00:31,080 --> 01:00:34,280
is not like blockchain as a 
technology, it's fantastic. 

1087
01:00:34,800 --> 01:00:37,960
OK, So this is not a dig on 
blockchain in itself. 

1088
01:00:38,480 --> 01:00:41,920
Is your question is, is it being
used today? 

1089
01:00:42,480 --> 01:00:45,120
I don't see it being used. 
Are there solutions out there? 

1090
01:00:45,120 --> 01:00:48,280
Yeah. 
Are they implemented solutions 

1091
01:00:48,280 --> 01:00:49,960
where they're working? 
No. 

1092
01:00:49,960 --> 01:00:53,480
And just with any technology, it
comes with its risks. 

1093
01:00:53,480 --> 01:00:55,040
You got to still figure out how 
you're going to make it 

1094
01:00:55,040 --> 01:00:57,200
resilient, right? 
How are you going to test it? 

1095
01:00:57,560 --> 01:01:00,480
How are you going to make it 
auditably compliant, right. 

1096
01:01:00,480 --> 01:01:02,920
All of those questions still 
have to be be answered. 

1097
01:01:02,920 --> 01:01:05,320
So I think there's work to be 
done there. 

1098
01:01:06,240 --> 01:01:08,880
OK. 
Last one we kind of touched on 

1099
01:01:08,880 --> 01:01:12,960
earlier, but AI, where do you 
see AI taking us in 2025? 

1100
01:01:12,960 --> 01:01:15,120
Let's just do kind of 
predictions. 

1101
01:01:15,120 --> 01:01:17,240
It's it's January when people 
listen to this. 

1102
01:01:17,760 --> 01:01:21,800
Where do you see AI taking both 
cybersecurity and identity? 

1103
01:01:21,800 --> 01:01:23,200
And maybe there's any linkage 
between the two? 

1104
01:01:24,520 --> 01:01:29,760
No, I, I think that wherever 
we're going to go, it's going to

1105
01:01:29,760 --> 01:01:34,280
be much, much better. 
I am really positive on on AI 

1106
01:01:36,120 --> 01:01:40,520
simple things, right, security 
operations, there's so much 

1107
01:01:40,520 --> 01:01:43,000
potential to automate things, 
right? 

1108
01:01:44,480 --> 01:01:49,680
I think that there are certain 
cases that I personally believe 

1109
01:01:49,720 --> 01:01:55,560
again, it's my belief system. 
So take it for what it is that 

1110
01:01:55,560 --> 01:02:01,280
there is accuracy in decision 
making for for AI because this 

1111
01:02:01,400 --> 01:02:05,000
it doesn't have the emotion. 
I don't know if you saw this 

1112
01:02:05,000 --> 01:02:10,840
report, I might misquote it a 
little bit, but I think they ran

1113
01:02:10,840 --> 01:02:14,240
some experiment where with 
doctors and they said, OK, 

1114
01:02:14,280 --> 01:02:19,480
doctors, you know, diagnosing a 
complex problem for for a 

1115
01:02:19,480 --> 01:02:24,920
patient and they're, you know, 
and they are going to do it by 

1116
01:02:24,920 --> 01:02:27,960
themselves. 
They're going to diagnose that 

1117
01:02:28,040 --> 01:02:32,800
problem with the assistance of 
AI and AI will diagnose the 

1118
01:02:32,800 --> 01:02:36,360
problem by itself. 
And I think the AI diagnosed the

1119
01:02:36,360 --> 01:02:40,600
problem 95% of the time or 93% 
of the time correctly. 

1120
01:02:43,160 --> 01:02:49,280
The doctors identified the the 
problem like 70% of the time, or

1121
01:02:49,280 --> 01:02:51,600
maybe it was 75% of the time. 
OK. 

1122
01:02:52,800 --> 01:02:57,840
And doctors using AI actually 
reduced their competence in 

1123
01:02:57,840 --> 01:03:01,400
their own ability to to, you 
know. 

1124
01:03:01,520 --> 01:03:04,080
Meaning they became more reliant
on the AI to make. 

1125
01:03:04,080 --> 01:03:06,280
The No, they didn't. 
They didn't trust the. 

1126
01:03:06,280 --> 01:03:07,600
Game they didn't trust the AI, 
OK. 

1127
01:03:07,920 --> 01:03:11,280
So I think it was 65% where 
where it was. 

1128
01:03:12,880 --> 01:03:17,120
And so you take that, OK, we 
take it with a grain of salt, 

1129
01:03:17,320 --> 01:03:19,800
right, Because I don't know what
the experiment parameters were 

1130
01:03:19,800 --> 01:03:23,760
and all that. 
But I do think that there are 

1131
01:03:24,280 --> 01:03:29,400
ample scenarios within 
cybersecurity, in the construct 

1132
01:03:29,400 --> 01:03:33,840
of cybersecurity in a broad 
sense where AI can be used to 

1133
01:03:33,840 --> 01:03:37,920
automate a lot of those decision
making points, OK? 

1134
01:03:39,800 --> 01:03:41,920
I've seen that within our 
practice and our security 

1135
01:03:41,920 --> 01:03:47,080
operation centers already in the
amount of alerts that we are 

1136
01:03:47,080 --> 01:03:53,800
generating now that we can use 
AI to, to cleanse through what 

1137
01:03:53,800 --> 01:03:56,040
false positives are and so 
forth, right. 

1138
01:03:57,360 --> 01:04:02,400
I think workflows will become 
really, really big in 2025. 

1139
01:04:02,400 --> 01:04:06,440
What does that mean? 
That means in in doing your 

1140
01:04:06,440 --> 01:04:09,720
day-to-day activities, right? 
I'm a consultant, so I do a lot 

1141
01:04:09,720 --> 01:04:13,600
of consulting engagements which 
require writing reports and 

1142
01:04:13,600 --> 01:04:19,520
making presentations and, you 
know, evaluating controls and 

1143
01:04:19,520 --> 01:04:22,680
evaluating configurations and 
things like that. 

1144
01:04:24,240 --> 01:04:30,480
There's very, very simplistic 
ways of, of using AI to evaluate

1145
01:04:30,480 --> 01:04:34,200
those to make the process more 
efficient and actually increase 

1146
01:04:34,200 --> 01:04:36,440
the quality in the in, in that 
right. 

1147
01:04:38,000 --> 01:04:42,040
But you have to what AI is not, 
it's not a silver bullet, right?

1148
01:04:42,280 --> 01:04:44,520
You still have to, to give it 
the parameters. 

1149
01:04:45,640 --> 01:04:50,800
And I, the thing I think that I 
don't think this will happen in 

1150
01:04:50,800 --> 01:04:58,520
2025, but it's very soon after 
it's going to be the ability for

1151
01:04:58,560 --> 01:05:02,320
AI to use agents on devices and 
do different things where, you 

1152
01:05:02,320 --> 01:05:09,120
know, it can simplify the tasks.
And I know people are, are 

1153
01:05:09,360 --> 01:05:14,640
afraid of that, right? 
That if, if you've got an AI agent

1154
01:05:14,640 --> 01:05:17,800
running on your laptop and it's 
monitoring for two months of 

1155
01:05:17,800 --> 01:05:20,400
what activity you do and it's 
kind of figures out, here's the 

1156
01:05:20,400 --> 01:05:23,360
patterns, here's what you do, 
e-mail comes in, you respond to 

1157
01:05:23,360 --> 01:05:26,160
it this way and then you go do 
this task, right? 

1158
01:05:27,240 --> 01:05:29,200
If it can compress that and 
predict that. 

1159
01:05:29,960 --> 01:05:32,280
Just to you, it could be you. 
Right. 

1160
01:05:32,480 --> 01:05:35,160
But then people take that 
immediately and say, OK, well, 

1161
01:05:35,160 --> 01:05:43,560
that means I'm out of a job. 
OK, well, no, it's it's not 

1162
01:05:43,560 --> 01:05:47,240
going to happen that way, right?
You just have to stay abreast of

1163
01:05:47,240 --> 01:05:49,760
it. 
But at one point we used to have

1164
01:05:49,760 --> 01:05:52,480
a ledger, right? 
We used to take all the, this 

1165
01:05:52,480 --> 01:05:54,760
was the accounting spreadsheet. 
Somebody would like debit some 

1166
01:05:54,760 --> 01:05:57,240
credits and write it down. 
And then spreadsheets came in, 

1167
01:05:57,560 --> 01:05:59,240
right? 
And you don't see people walking

1168
01:05:59,240 --> 01:06:01,800
around with a register 
underneath their arm, right? 

1169
01:06:02,080 --> 01:06:05,120
That has all that information, 
like it's readily available. 

1170
01:06:05,520 --> 01:06:08,720
And then spreadsheets turn into 
ERPs and you know those like all

1171
01:06:08,720 --> 01:06:10,800
that information is available. 
Yeah, when's the last time you 

1172
01:06:10,800 --> 01:06:13,040
bought an Encyclopedia 
Britannica, right? 

1173
01:06:13,760 --> 01:06:18,200
To that point, but are you are, 
is the accounting professional 

1174
01:06:18,520 --> 01:06:21,600
profession done? 
No, you still need accountants, 

1175
01:06:22,000 --> 01:06:24,440
right? 
So it's, I think that you have 

1176
01:06:24,440 --> 01:06:29,560
to separate the technology and 
what it can provide you from the

1177
01:06:29,680 --> 01:06:31,960
actual, you know, job that you 
have. 

1178
01:06:32,120 --> 01:06:34,800
Your job is going to evolve. 
The people that are going to 

1179
01:06:34,800 --> 01:06:37,040
lose their jobs are the ones 
that don't keep abreast of it, 

1180
01:06:37,280 --> 01:06:38,800
right? 
You got to make sure that you're

1181
01:06:38,800 --> 01:06:42,120
abreast of it, you understand it
and utilize it for what that is.

1182
01:06:42,560 --> 01:06:45,960
But something that used to take 
40 hours can take like, you 

1183
01:06:45,960 --> 01:06:49,480
know, 10 minutes to do. 
Yeah, why not? 

1184
01:06:49,480 --> 01:06:52,120
Why wouldn't we do that? 
Why wouldn't we take that 

1185
01:06:52,120 --> 01:06:54,720
efficiency, Right? 
Why wouldn't a business take 

1186
01:06:54,720 --> 01:06:56,880
that efficiency? 
Absolutely we would. 

1187
01:06:57,280 --> 01:07:01,880
Yeah, I think that there's a lot
of thinking that the upcoming 

1188
01:07:01,880 --> 01:07:04,200
generation, they're the ones 
that are going to lose their 

1189
01:07:04,200 --> 01:07:07,600
jobs, say AI, and I think the 
exact opposite is true. 

1190
01:07:07,840 --> 01:07:12,840
They're going to be so much more
efficient than our generation 

1191
01:07:12,840 --> 01:07:15,360
was because they're going to be 
able to use technology and have 

1192
01:07:15,360 --> 01:07:19,600
technology do all these menial 
tasks, things we don't think of 

1193
01:07:19,600 --> 01:07:22,200
as menial tasks right now, but 
we do them. 

1194
01:07:22,200 --> 01:07:25,400
They take a lot of our time to 
write reports or analyze 

1195
01:07:25,400 --> 01:07:29,400
reports, and they'll just be 
able to expand the amount that 

1196
01:07:29,400 --> 01:07:35,120
they get done putting in less 
time using the technology so. 

1197
01:07:35,320 --> 01:07:39,280
And, and we'll have to 
completely update the controls 

1198
01:07:39,960 --> 01:07:43,480
and the protections and the 
mechanisms of, of authentication

1199
01:07:43,480 --> 01:07:45,800
that we have as that 
proliferates. 

1200
01:07:46,280 --> 01:07:47,480
Why? 
Because the bad guys are going 

1201
01:07:47,480 --> 01:07:50,800
to have it as well, right? 
They're going to make their 

1202
01:07:50,800 --> 01:07:53,000
workflows just as more 
efficient, right? 

1203
01:07:54,280 --> 01:07:58,680
So it's not just for, hey, if 
you use it for, for, for the 

1204
01:07:58,680 --> 01:08:02,000
good, right? 
Everything has two sides to it. 

1205
01:08:02,080 --> 01:08:05,360
And that comes with risks. 
That means that the security 

1206
01:08:05,360 --> 01:08:09,560
profession of the future, we'll 
have to account for that to 

1207
01:08:09,560 --> 01:08:15,360
understand how how those risks, 
risks, you know, propagate and 

1208
01:08:15,360 --> 01:08:18,240
manifest themselves in our 
clients' environments and how 

1209
01:08:18,240 --> 01:08:19,840
we're going to protect against 
that, right? 

1210
01:08:20,200 --> 01:08:24,720
Are their pro, are their 
programs, you know, ready and 

1211
01:08:24,720 --> 01:08:27,120
set. 
And it's, you know, with any new

1212
01:08:27,120 --> 01:08:30,640
technology when you roll out, 
you know, it comes with 

1213
01:08:30,720 --> 01:08:32,800
learning. 
A lot of companies are 

1214
01:08:32,800 --> 01:08:36,040
experimenting with this, right? 
And there's so many, some 

1215
01:08:36,040 --> 01:08:39,760
companies have the stance of 
saying, OK, their acceptable use

1216
01:08:39,760 --> 01:08:44,200
policy is that that should not 
use AI, right, for any work 

1217
01:08:44,200 --> 01:08:46,319
purposes. 
There's others that are like, 

1218
01:08:46,319 --> 01:08:48,720
OK, well, we're going to segment
this portion off. 

1219
01:08:48,800 --> 01:08:49,960
That's where we're going to do 
it, right? 

1220
01:08:50,359 --> 01:08:53,560
And there's others that are like
absolutely 100% we're going all 

1221
01:08:53,560 --> 01:08:58,560
that, right? 
And if the all insurance don't, 

1222
01:08:59,000 --> 01:09:03,399
I mean, there's a risk, right 
with AI like you know, what if 

1223
01:09:04,120 --> 01:09:08,720
it's not secure enough, what if 
our crown jewels data goes into 

1224
01:09:08,720 --> 01:09:12,279
our AI model and somehow it's. 
I mean, there's a lot of 

1225
01:09:12,319 --> 01:09:14,240
acceptable use conversations 
around that. 

1226
01:09:14,240 --> 01:09:16,439
If that doesn't happen, though, 
they're going to leave their 

1227
01:09:16,439 --> 01:09:18,920
competitors in the dust. 
I mean, they're going to get so 

1228
01:09:18,920 --> 01:09:21,439
much more done. 
The competitors could go out of 

1229
01:09:21,439 --> 01:09:24,000
business if they don't. 
I think you'll see this 

1230
01:09:24,000 --> 01:09:28,080
happening over the next few 
years where companies will cease

1231
01:09:28,080 --> 01:09:30,160
to exist because they didn't. 
They didn't transform. 

1232
01:09:30,160 --> 01:09:33,120
That will transform themselves. 
And I think that that's going to

1233
01:09:33,120 --> 01:09:38,680
be very, very prominent in the 
cyberspace because we started 

1234
01:09:38,680 --> 01:09:44,080
this conversation about skills 
and we talked about gap as well 

1235
01:09:44,080 --> 01:09:48,600
of people lack of lack of talent
that's available, right? 

1236
01:09:49,120 --> 01:09:52,720
Well, the solution to the talent
problem is twofold, right? 

1237
01:09:53,319 --> 01:09:57,520
One is OK, well, upskill other 
people, train more people, get 

1238
01:09:57,520 --> 01:10:00,160
more people interested in 
cybersecurity, right? 

1239
01:10:00,880 --> 01:10:03,040
Like I'm, I've got a 17-year-old
daughter. 

1240
01:10:03,040 --> 01:10:06,640
I'm really passionate about, you
know, young girls being in the 

1241
01:10:06,640 --> 01:10:08,880
cyber field. 
I think it's a hugely rewarding 

1242
01:10:08,880 --> 01:10:10,600
field. 
I mean, it's three of us here, 

1243
01:10:10,600 --> 01:10:12,440
right? 
I mean, career wise it's been 

1244
01:10:12,480 --> 01:10:13,560
it's been fantastic. 
This is. 

1245
01:10:13,560 --> 01:10:15,400
Work. 
This is what I always think. 

1246
01:10:15,400 --> 01:10:18,720
Feel like this is our job? 
And this is, I mean, I love it. 

1247
01:10:19,160 --> 01:10:23,520
So other people should have 
that, you know, satisfaction in 

1248
01:10:23,520 --> 01:10:26,360
life that, you know, you can, 
you can do that something that's

1249
01:10:26,360 --> 01:10:29,000
that's going to, you know, take 
you somewhere and you're going 

1250
01:10:29,000 --> 01:10:32,680
to enjoy it. 
But, you know, we nearly don't 

1251
01:10:32,680 --> 01:10:36,560
have enough, you know, women 
joining the cybersecurity 

1252
01:10:36,560 --> 01:10:38,120
professional. 
I mean, it's better than what it

1253
01:10:38,120 --> 01:10:41,480
was, but it's not anywhere close
to what it needs to be. 

1254
01:10:42,240 --> 01:10:46,480
And I find that every time that 
I have, you know, women in my 

1255
01:10:46,480 --> 01:10:48,960
team, the perspective is 
different. 

1256
01:10:48,960 --> 01:10:52,160
And it's, it's so much, you 
know, there's diversity of 

1257
01:10:52,160 --> 01:10:55,560
thought there, right? 
That that allows you to be be a 

1258
01:10:55,560 --> 01:10:58,240
little bit richer. 
But the point on this was the 

1259
01:10:58,240 --> 01:11:01,880
skill gap is either you, you 
train people up, right? 

1260
01:11:02,120 --> 01:11:07,800
And you add more, or you solve 
it by technology by taking out 

1261
01:11:08,080 --> 01:11:11,640
the manual work, right? 
And you transform that with 

1262
01:11:11,640 --> 01:11:15,280
tech. 
And that's, that's the work. 

1263
01:11:15,840 --> 01:11:20,440
And if that's the work, now, if 
you look at everybody, because 

1264
01:11:20,440 --> 01:11:24,160
they're all short staffed, if 
that's the work, well, AI is the

1265
01:11:24,160 --> 01:11:25,600
one that's going to help you 
solve it. 

1266
01:11:26,200 --> 01:11:31,600
But you, you, you also mentioned
we, the, the risk portion of it 

1267
01:11:31,600 --> 01:11:35,720
is that you can't have publicly 
available models, right? 

1268
01:11:35,720 --> 01:11:38,440
You're not feeding all the like,
you know, corporations have to 

1269
01:11:38,440 --> 01:11:42,600
be very careful that they're 
most organizations in the future

1270
01:11:42,600 --> 01:11:45,880
will have their own large 
language models, right, That 

1271
01:11:45,880 --> 01:11:48,840
that are supportive for, for 
their own needs, so that their 

1272
01:11:48,960 --> 01:11:51,640
their data, their, their stuff 
is in their own. 

1273
01:11:51,680 --> 01:11:55,480
Their data center and then 
eventually it will all be a 

1274
01:11:55,480 --> 01:11:58,360
software as a service, right? 
And then you will still need 

1275
01:11:58,360 --> 01:12:00,320
identity around all of that to 
manage that. 

1276
01:12:00,720 --> 01:12:04,000
So identity will stay at the 
center I think for for a good 

1277
01:12:04,000 --> 01:12:04,960
bit of time. 
So. 

1278
01:12:06,000 --> 01:12:07,520
That was quite the lightning 
round, Jeff. 

1279
01:12:07,520 --> 01:12:10,080
No kidding, right? 
Well, let's go ahead and and 

1280
01:12:11,040 --> 01:12:12,240
let's let's shift gears a little
bit. 

1281
01:12:12,240 --> 01:12:15,400
I want to talk some music 
because I know that you're into 

1282
01:12:15,400 --> 01:12:17,560
music. 
We've traded some stories around

1283
01:12:17,560 --> 01:12:21,120
it. 
Tell me about your inspirations,

1284
01:12:21,120 --> 01:12:23,920
the music you create, your 
process. 

1285
01:12:23,920 --> 01:12:25,760
Are you available to edit 
podcasts? 

1286
01:12:25,840 --> 01:12:29,600
Tell me all that kind of stuff. 
I I will I will gladly lend a 

1287
01:12:29,600 --> 01:12:33,880
hand in editing a podcast, 
probably do a good job. 

1288
01:12:34,520 --> 01:12:36,600
What's your inspiration when it 
comes to making music? 

1289
01:12:37,280 --> 01:12:41,360
You know, it's, it comes from a 
lot of different places. It comes

1290
01:12:41,360 --> 01:12:44,440
from it generally comes from 
life, right? 

1291
01:12:46,240 --> 01:12:50,760
But it comes from sad times, it 
comes from happy times, it comes

1292
01:12:50,760 --> 01:12:53,840
from fun times, it comes from 
stress times. 

1293
01:12:57,080 --> 01:13:02,440
And it's I've I've I've noticed 
that the inspiration arrives 

1294
01:13:02,960 --> 01:13:05,800
weirdly. 
It's not like I'm actively 

1295
01:13:06,120 --> 01:13:07,600
sitting down to create 
something. 

1296
01:13:07,840 --> 01:13:10,280
In fact, most times I'll 
actively sit down and create 

1297
01:13:10,280 --> 01:13:13,280
something, it doesn't happen. 
You're trying to force the 

1298
01:13:13,280 --> 01:13:16,160
creativity. 
But then I'd be on a plane, you 

1299
01:13:16,160 --> 01:13:19,960
know, going from Houston to 
Chicago and, you know, something

1300
01:13:19,960 --> 01:13:22,640
pops in my mind and, you know, 
then I then I need to do 

1301
01:13:22,640 --> 01:13:26,840
something about it, right? 
So I'll, I'll sketch out ideas 

1302
01:13:26,840 --> 01:13:31,120
when whenever that happens. 
So, but yeah, I've been at it 

1303
01:13:31,120 --> 01:13:38,040
for about 25 years. 
I think mostly electronic music 

1304
01:13:38,280 --> 01:13:42,600
kind of it's a good, you know, 
way to blow off steam. 

1305
01:13:43,520 --> 01:13:46,080
There's a lot of learning in 
that that space as well. 

1306
01:13:47,520 --> 01:13:51,040
I find, you know, the 
intricacies of chord structures 

1307
01:13:51,040 --> 01:13:55,840
and, you know, different genres 
of music and their intersection 

1308
01:13:56,000 --> 01:13:59,400
really, really fascinating. 
So there's a lot of learning 

1309
01:13:59,400 --> 01:14:01,640
there. 
I'm I'm a geek when it comes to 

1310
01:14:02,680 --> 01:14:05,680
audio production. 
We were learning about our about

1311
01:14:05,680 --> 01:14:09,680
our rack deck 4 it's. 
Got my, my new Mac so yeah, 

1312
01:14:09,720 --> 01:14:13,880
I've, I've been like, I've 
revved it up to, to make sure 

1313
01:14:13,880 --> 01:14:16,080
that it's going to work. 
But yeah, I've got a full 

1314
01:14:16,080 --> 01:14:20,360
recording studio. 
You know, I'll do it for myself.

1315
01:14:20,360 --> 01:14:22,920
I'll, I'll have friends come in 
and you know, they, they want to

1316
01:14:22,920 --> 01:14:25,520
record a song or or two, I'll do
it. 

1317
01:14:25,520 --> 01:14:30,440
Got about 120,000 people 
following me on Facebook so. 

1318
01:14:31,560 --> 01:14:33,640
Maybe we'll get we'll call a 
couple more thousand maybe after

1319
01:14:33,640 --> 01:14:36,080
listening that's. 
That's been, that's been fun, 

1320
01:14:37,400 --> 01:14:45,080
but you know, it's, I think for 
me having passions outside of 

1321
01:14:45,080 --> 01:14:46,880
your, your work. 
It's not like I don't love my 

1322
01:14:46,880 --> 01:14:50,840
job. 
I love my job, but you have 

1323
01:14:50,840 --> 01:14:54,720
three parts to you. 
It's the, the piece that you do 

1324
01:14:54,720 --> 01:14:57,360
for yourself, the piece that you
do for your family and the piece

1325
01:14:57,360 --> 01:14:58,720
that you do for your work, 
right? 

1326
01:14:59,520 --> 01:15:05,840
And it's very hard to juggle, 
but I've noticed that anytime 

1327
01:15:06,400 --> 01:15:09,800
the cup is empty in one of those
three, right? 

1328
01:15:10,720 --> 01:15:16,400
Life is not stable and you need 
to do a good job at work and you

1329
01:15:16,400 --> 01:15:19,840
need to make sure that you're, 
you know, you're, you're, you're

1330
01:15:19,840 --> 01:15:23,200
creating something valuable. 
And just like I started this 

1331
01:15:23,200 --> 01:15:26,040
conversation, you have to 
continue to invest in yourself 

1332
01:15:26,040 --> 01:15:29,000
because it's not really who 
you're working for or what 

1333
01:15:29,000 --> 01:15:33,000
you're doing, but it's really 
what are you getting back out of

1334
01:15:33,000 --> 01:15:39,760
it personally. The family is, 
is, is head and shoulders above 

1335
01:15:39,880 --> 01:15:41,640
all the rest. 
And then you know your personal 

1336
01:15:41,640 --> 01:15:43,280
things and it could be anything,
right? 

1337
01:15:43,280 --> 01:15:46,120
Your music or you like 
travelling or whatever that is. 

1338
01:15:46,360 --> 01:15:48,760
A podcast. 
Podcast, whatever that is, 

1339
01:15:48,800 --> 01:15:50,960
right? 
You got to have those three 

1340
01:15:50,960 --> 01:15:54,760
things in check all the times. 
It's that balance, right? 

1341
01:15:54,760 --> 01:15:57,360
I think what you're looking for 
in, you know, the the great 

1342
01:15:57,360 --> 01:16:01,280
warrior poet Thanos once said 
balance in all things, and then 

1343
01:16:01,280 --> 01:16:02,640
he snapped and half the universe
disappeared. 

1344
01:16:04,360 --> 01:16:08,200
He was a badass though I think. 
It's probably a good spot where 

1345
01:16:08,200 --> 01:16:09,920
we can leave it. 
This has been a really good 

1346
01:16:09,920 --> 01:16:11,640
conversation. 
I'm really excited for this 

1347
01:16:11,640 --> 01:16:13,640
series that we're going to put 
together throughout the year. 

1348
01:16:14,040 --> 01:16:16,600
And I think this is kind of a 
great starter, right intro. 

1349
01:16:17,120 --> 01:16:20,640
It's always, I always enjoy 
listening to you and hearing 

1350
01:16:20,640 --> 01:16:22,240
your thoughts and perspective on
things. 

1351
01:16:22,560 --> 01:16:25,120
You know, we're always kind of 
synthesizing data that we get 

1352
01:16:25,120 --> 01:16:27,960
from our different sources. 
And I think this is going to be 

1353
01:16:28,200 --> 01:16:29,640
a fun run that we're going to 
have here. 

1354
01:16:29,680 --> 01:16:32,120
So and, and thank you for the 
support for the podcast that 

1355
01:16:32,120 --> 01:16:33,480
you've shown over the last 
couple years. 

1356
01:16:33,760 --> 01:16:38,600
I again, you know, I know you 
all are passionate about it and 

1357
01:16:38,600 --> 01:16:43,320
we are passionate with you about
it because I, I think it, it's 

1358
01:16:43,320 --> 01:16:46,960
such a good service to the 
community, the identity 

1359
01:16:46,960 --> 01:16:49,360
community and then broadly to 
the, the cybersecurity 

1360
01:16:49,360 --> 01:16:54,160
community, such a good resource 
for people to go and listen to. 

1361
01:16:54,160 --> 01:16:59,360
And you know, it's, it's easy to
listen to, right? 

1362
01:16:59,920 --> 01:17:01,800
And we try. 
Yeah, a lot of people have 

1363
01:17:01,880 --> 01:17:04,480
identified with those problems 
and and you know, I think they 

1364
01:17:04,480 --> 01:17:07,440
could probably find some 
solutions through through this 

1365
01:17:07,440 --> 01:17:11,000
or or at least a a different 
thought process than than what 

1366
01:17:11,000 --> 01:17:13,080
they've had. 
But I think the series that 

1367
01:17:13,080 --> 01:17:17,240
we've talked about and just 
generally talking about how the 

1368
01:17:17,240 --> 01:17:20,800
intersection of cybersecurity 
identity happened and how, 

1369
01:17:21,440 --> 01:17:24,720
whether it's risk governance, 
engineering, you know, all these

1370
01:17:24,720 --> 01:17:27,840
concepts, resilience, how they 
interplay. 

1371
01:17:28,520 --> 01:17:32,120
I think it's going to be really 
fun here for you all to to 

1372
01:17:32,120 --> 01:17:34,360
dissect that and I'm happy to 
support it. 

1373
01:17:35,040 --> 01:17:36,400
Well, this is what we do for 
fun, Jim. 

1374
01:17:36,400 --> 01:17:39,000
Our day job is identity 
consulting. 

1375
01:17:39,000 --> 01:17:40,760
I think we've done a good job 
with the podcast, people not 

1376
01:17:40,760 --> 01:17:42,200
realizing that we actually have 
day jobs. 

1377
01:17:43,520 --> 01:17:47,360
Well, I always say, people say, 
oh, Jim, you've, you work really

1378
01:17:47,360 --> 01:17:49,320
hard. 
I'm like, well, it's not quite 

1379
01:17:49,320 --> 01:17:51,680
like going into a coal mine or 
something, right? 

1380
01:17:52,040 --> 01:17:53,560
It's. 
Oh, we got to pump that up. 

1381
01:17:53,560 --> 01:17:55,320
Like, yeah, it is. 
It's terrible. 

1382
01:17:55,320 --> 01:17:57,080
It is like my. 
Back all right. 

1383
01:17:59,000 --> 01:18:00,480
Let's go ahead and leave it 
there for this week. 

1384
01:18:00,800 --> 01:18:02,080
Thank you so much, Ghazi, for 
joining us. 

1385
01:18:02,080 --> 01:18:05,040
I'm going to have a link in our 
show notes to your LinkedIn 

1386
01:18:05,040 --> 01:18:07,480
profile for people to reach out.
Maybe if I can convince you to 

1387
01:18:07,480 --> 01:18:09,600
get your Facebook link for the 
music stuff so people could 

1388
01:18:09,600 --> 01:18:11,440
check that out as well. 
It's it's interesting. 

1389
01:18:11,440 --> 01:18:13,800
We have such a diverse 
population of people, not only 

1390
01:18:13,800 --> 01:18:15,080
in identity, but in 
cybersecurity. 

1391
01:18:15,760 --> 01:18:18,360
A lot of musicians we've 
actually had on the show and, 

1392
01:18:18,360 --> 01:18:19,960
and, and things like that. 
So it's, it's very cool. 

1393
01:18:21,480 --> 01:18:23,000
We'll leave it there. 
We're on the web, 

1394
01:18:23,000 --> 01:18:26,280
idacpodcast.com. 
If you're watching this on 

1395
01:18:26,280 --> 01:18:27,720
YouTube, thank you. 
Like and subscribe. 

1396
01:18:27,720 --> 01:18:29,680
If you're not watching it on 
YouTube, check it out. 

1397
01:18:29,680 --> 01:18:32,360
idacpodcast.tv. 
Connect with any of us on 

1398
01:18:32,360 --> 01:18:33,400
LinkedIn. 
We're always happy to have 

1399
01:18:33,400 --> 01:18:36,160
conversations with folks and, 
and just kind of engage that 

1400
01:18:36,160 --> 01:18:38,120
way. 
And yeah, so we'll leave it 

1401
01:18:38,120 --> 01:18:39,880
there. 
Thanks everyone for watching and

1402
01:18:39,880 --> 01:18:42,600
or listening and we'll talk with
you all in the next one. 

1403
01:18:43,280 --> 01:18:47,520
Thank you all. 
You've been listening to 

1404
01:18:47,520 --> 01:18:51,440
Identity at the Center. 
We hope you've enjoyed the show.

1405
01:18:51,640 --> 01:18:55,720
Make sure to like, rate and 
review, and we'll be back soon. 

1406
01:18:56,000 --> 01:18:58,280
But in the meantime, hit the 
website at 

1407
01:18:58,280 --> 01:19:04,640
identityatthecenter.com. 
See you next time on Identity at

1408
01:19:04,640 --> 01:19:05,560
the Center.
