1
00:00:00,040 --> 00:00:03,960
The only reason financial 
services is doing it is because 

2
00:00:04,160 --> 00:00:06,280
they have regulators making them 
do that. 

3
00:00:06,520 --> 00:00:11,440
So one, is that true? 
And you know, two, like where is 

4
00:00:11,440 --> 00:00:13,880
the value? 
Is it just to be compliant with 

5
00:00:13,880 --> 00:00:16,239
regulation or is there something
more? 

6
00:00:16,520 --> 00:00:19,960
Really good question and I'm 
thinking now don't want to 

7
00:00:19,960 --> 00:00:23,320
answer it positive or the way I 
already feel. 

8
00:00:23,840 --> 00:00:27,520
Let's go positive first. 
So you are absolutely correct in

9
00:00:27,520 --> 00:00:30,480
terms of regulatory just 
environments, which has cost 

10
00:00:30,480 --> 00:00:33,960
multiple industries. 
There's a ton of value in user 

11
00:00:33,960 --> 00:00:37,280
access reviews because it is 
both a detective and really a 

12
00:00:37,280 --> 00:00:40,720
corrective type of control. 
The end of the day it's done to 

13
00:00:40,720 --> 00:00:43,560
say, hey, should Jeff and Jim 
still maintain this access? 

14
00:00:44,000 --> 00:00:48,280
And if they shouldn't let me 
create an action where I do an 

15
00:00:48,280 --> 00:00:51,280
attestation and say Nope, I want
them out and then some 

16
00:00:51,280 --> 00:00:54,720
technology, some tool goes and 
remove them from that access. 

17
00:00:55,400 --> 00:00:58,720
And for small and mid-sized 
companies, it works really well 

18
00:00:59,160 --> 00:01:03,480
because there's not a lot of 
bloat in small and mid-sized 

19
00:01:03,480 --> 00:01:06,520
businesses. 
The larger the company is, the 

20
00:01:06,520 --> 00:01:09,000
more job roles of companies are 
really strong. 

21
00:01:09,000 --> 00:01:12,720
When I say RBAC, you know, 
role-based access control, the 

22
00:01:12,720 --> 00:01:17,800
more RBAC you use, the larger 
your access role environment is 

23
00:01:17,800 --> 00:01:21,240
going to be, the more access 
certification, user access reviews

24
00:01:21,240 --> 00:01:25,560
you have. 
Once you hit that threshold, now

25
00:01:25,560 --> 00:01:28,200
it becomes more of, is there 
value in this or is it 

26
00:01:28,200 --> 00:01:37,640
just a checkbox activity? 
This is identity at the center 

27
00:01:38,320 --> 00:01:41,400
if it has anything to do with 
IAM. 

28
00:01:41,400 --> 00:01:47,960
This is the go to podcast now 
your hosts Jim McDonald and Jeff

29
00:01:47,960 --> 00:01:55,680
Steadman. 
Welcome to the Identity at the 

30
00:01:55,680 --> 00:01:57,440
Center podcast. 
I'm Jeff, and that's Jim. 

31
00:01:57,440 --> 00:01:59,480
Hey, Jim. 
Hey, Jeff, how are you? 

32
00:01:59,760 --> 00:02:02,160
Oh, not so bad yourself. 
Doing good. 

33
00:02:02,400 --> 00:02:05,000
You know, obviously we always 
start every show off with 

34
00:02:05,000 --> 00:02:06,640
banter. 
So I was like, OK, what am I 

35
00:02:06,640 --> 00:02:07,880
going to hit you with this 
time? 

36
00:02:07,880 --> 00:02:11,920
And I was kind of thinking back 
to, you know, one of the areas 

37
00:02:11,920 --> 00:02:16,920
where I've really been wanting 
to put together an episode and 

38
00:02:17,080 --> 00:02:22,200
the topic is device identity. 
And So what I did this week on 

39
00:02:22,200 --> 00:02:28,080
Monday was I launched a, a poll 
question on LinkedIn. 

40
00:02:28,240 --> 00:02:33,960
So it was in your mind is device
identity the discipline focused 

41
00:02:33,960 --> 00:02:35,760
on? 
And then I put a couple of 

42
00:02:35,760 --> 00:02:40,320
options like a device, a 
device's role in authentication,

43
00:02:40,720 --> 00:02:44,880
the accounts local to a device, 
both or something else. 

44
00:02:45,560 --> 00:02:49,880
And it got 55 responses, it 
got 3 reactions. 

45
00:02:49,880 --> 00:02:55,240
So basically 3 thumbs up and 
it got over 1200 impressions. 

46
00:02:56,040 --> 00:02:59,800
I'm wondering what it was about 
how I put that poll question 

47
00:02:59,800 --> 00:03:04,400
together that didn't make it 
very popular to respond to. Do 

48
00:03:04,680 --> 00:03:07,600
you think? Did I respond to it? 
I feel I know I saw it and then 

49
00:03:07,600 --> 00:03:09,840
I don't remember if I clicked my
answer or not. 

50
00:03:10,760 --> 00:03:12,880
Well, I don't know. 
I don't know if you did. 

51
00:03:13,120 --> 00:03:15,640
I don't have that data point. 
We'll just say I did because I'm

52
00:03:15,640 --> 00:03:18,480
a, I'm a, I'm a good, you know, 
partner in crime on this type of

53
00:03:18,480 --> 00:03:20,000
stuff. 
Yeah, yeah. 

54
00:03:20,000 --> 00:03:26,520
So, you know, I think with the 
whole non human identity topic, 

55
00:03:26,520 --> 00:03:28,640
right, that's getting all the 
attention. 

56
00:03:28,920 --> 00:03:32,480
But then we talked about device 
identity a lot and you know, 

57
00:03:32,480 --> 00:03:37,400
like my perspective has been, I 
don't really think a device has 

58
00:03:37,400 --> 00:03:41,240
identity and I'm starting to 
change that opinion. 

59
00:03:41,240 --> 00:03:45,000
So I'm, I think within the whole
non human identity realm, you've

60
00:03:45,000 --> 00:03:50,160
got workload identities and then
you have device identities. 

61
00:03:50,520 --> 00:03:54,120
And really it's this whole, I 
think at the core of why a 

62
00:03:54,120 --> 00:03:58,680
device identity is even 
important is this whole shift of

63
00:03:59,000 --> 00:04:02,080
identity is at the center. 
Identity at the center, of 

64
00:04:02,080 --> 00:04:03,840
course, is the name of our 
podcast. 

65
00:04:04,080 --> 00:04:07,480
We could take full credit for 
that from, you know, six years 

66
00:04:07,480 --> 00:04:12,800
ago, but the idea that, you 
know, firewalls used to 

67
00:04:13,960 --> 00:04:17,720
basically say, all right, you 
can either come in or not come 

68
00:04:17,720 --> 00:04:21,760
in based on IP address and port 
and things like that. 

69
00:04:22,160 --> 00:04:26,520
And now they're getting smarter 
where, you know, they can 

70
00:04:26,520 --> 00:04:30,640
actually use authentication. 
And then when you think about 

71
00:04:30,640 --> 00:04:33,240
zero trust, you're not just 
talking about the firewall, but 

72
00:04:33,240 --> 00:04:36,760
you're talking about the 
infrastructure layers below the 

73
00:04:36,760 --> 00:04:39,760
firewall and you're talking 
about traversing from one 

74
00:04:39,760 --> 00:04:44,160
network segment to the other. 
And should you simply do that 

75
00:04:44,160 --> 00:04:49,400
based on IP address and port? 
Like, no, some devices and some 

76
00:04:49,400 --> 00:04:53,440
identities should have access to
certain network segments than 

77
00:04:53,440 --> 00:04:57,280
others. 
So to me, like there's where 

78
00:04:57,280 --> 00:05:02,200
we're kind of like circling in, 
but I'm still trying to wrap my 

79
00:05:02,200 --> 00:05:04,920
brain around this. 
And I would say basically the 

80
00:05:04,920 --> 00:05:10,280
community either, you know, is 
kind of like where I have been, 

81
00:05:10,280 --> 00:05:17,560
which is like, I don't even know
what that definition is, or you 

82
00:05:17,560 --> 00:05:20,800
know, there's a mix of answers. 
I think most people came to a 

83
00:05:20,800 --> 00:05:24,440
device's role in authentication,
which kind of makes sense. 

84
00:05:25,920 --> 00:05:31,600
A few, only 5 people out of the 
55 said the accounts local to a 

85
00:05:31,600 --> 00:05:36,880
device, which I think is this 
non human identity piece like 

86
00:05:36,880 --> 00:05:40,920
25% said something else. 
So anyway, you know, I think 

87
00:05:40,920 --> 00:05:44,840
that there's confusion on the 
topic out there and what I want 

88
00:05:44,840 --> 00:05:50,000
to do is have some podcast 
episodes where we talk about 

89
00:05:50,000 --> 00:05:55,920
this and kind of start to solve 
or at least put an answer behind

90
00:05:55,920 --> 00:05:57,320
it. 
The official identity at the 

91
00:05:57,320 --> 00:06:01,000
center answer behind What is the
device identity? 

92
00:06:01,840 --> 00:06:03,840
Got it. 
Well, I just looked it up and I 

93
00:06:03,840 --> 00:06:05,440
didn't vote, but I just voted 
now. 

94
00:06:05,440 --> 00:06:08,840
And I think it, I, I tend to 
think of device identity as the 

95
00:06:08,840 --> 00:06:11,800
device's role in authentication 
because the other options were 

96
00:06:11,960 --> 00:06:14,440
the accounts local to a device. 
I feel like that's more like 

97
00:06:15,280 --> 00:06:18,120
local, local account management 
or something like that. 

98
00:06:18,280 --> 00:06:21,440
But I think this is an area 
where context matters maybe and 

99
00:06:21,440 --> 00:06:24,440
who you're talking to, because 
maybe I'm approaching, OK, well,

100
00:06:24,440 --> 00:06:26,360
that's what makes sense to me 
from authentication standpoint. 

101
00:06:26,400 --> 00:06:29,520
You know, while somebody who 
maybe does like, you know, MDM 

102
00:06:29,520 --> 00:06:32,840
work all the time or, you know, 
endpoint management might be 

103
00:06:32,840 --> 00:06:35,000
thinking of a different way. 
I mean, the IAM community is really 

104
00:06:35,000 --> 00:06:38,000
good at having multiple 
definitions for the same thing. 

105
00:06:38,520 --> 00:06:41,720
So you kind of have to know who 
you're talking to and making 

106
00:06:41,720 --> 00:06:43,960
sure that you're communicating 
effectively to make sure you're 

107
00:06:43,960 --> 00:06:46,720
on the same page. 
That's, you know, I don't want 

108
00:06:46,720 --> 00:06:50,760
to one up you man, but you know,
1000, you know, impressions. 

109
00:06:51,960 --> 00:06:54,480
I had 5000 on when I asked this 
week. 

110
00:06:54,960 --> 00:06:59,040
I got a lot of really good 
answers to a question that I 

111
00:06:59,040 --> 00:07:03,000
posed on LinkedIn and I got to 
tell you that the IAM brain trust,

112
00:07:03,000 --> 00:07:06,240
The hive mind of people on 
LinkedIn came through. 

113
00:07:06,240 --> 00:07:10,880
I was asking a relatively vague 
question around device identity 

114
00:07:10,880 --> 00:07:13,880
essentially. 
So this idea of tap and go, but 

115
00:07:13,880 --> 00:07:17,440
without the tap part, almost 
kind of like an ultra wide band 

116
00:07:17,440 --> 00:07:19,960
key or some sort of proximity 
authentication. 

117
00:07:20,600 --> 00:07:23,880
The challenge being what if you 
have multiple people in the same

118
00:07:23,880 --> 00:07:25,480
room? 
How do you identify the right 

119
00:07:25,480 --> 00:07:30,480
person as part of that? 
I gotta tell you, after 5300 

120
00:07:30,480 --> 00:07:33,920
impressions and a whole bunch of
views and like 30-some or 40 

121
00:07:33,920 --> 00:07:37,040
comments so far and counting, I 
had so many good people like 

122
00:07:37,040 --> 00:07:38,600
reach out, put their thoughts 
into it. 

123
00:07:38,600 --> 00:07:41,200
So there's no way I can reach 
out to everybody and thank them.

124
00:07:41,200 --> 00:07:43,280
So I'm just going to like as 
many comments as I can. 

125
00:07:43,280 --> 00:07:46,000
But if you're listening to this 
and you posted, thank you so 

126
00:07:46,000 --> 00:07:48,400
much. 
If you reached out to me on D, 

127
00:07:48,400 --> 00:07:50,760
you know, DMs or whatever. Maybe
I know I've got a couple 

128
00:07:50,760 --> 00:07:52,480
meetings already set for next 
week to kind of talk through 

129
00:07:52,480 --> 00:07:55,680
options, but it's something 
that's, you know, it's called 

130
00:07:55,680 --> 00:07:58,000
like, I don't call it a pet 
project, but it's something that

131
00:07:58,000 --> 00:08:00,080
I've been thinking about. 
It was like, OK, is there an 

132
00:08:00,080 --> 00:08:07,680
option in this space where tap 
to go can be just go or be and 

133
00:08:07,680 --> 00:08:11,680
go or something like that? 
So shout out to the IAM experts

134
00:08:11,680 --> 00:08:14,400
on LinkedIn for, you know, for 
taking a look at that and taking

135
00:08:14,400 --> 00:08:16,160
the time to to respond. 
So I appreciate that. 

136
00:08:16,680 --> 00:08:19,800
I think LinkedIn, like any 
social media platform, has 

137
00:08:19,800 --> 00:08:23,560
algorithms, right? 
So you posted that you started 

138
00:08:23,560 --> 00:08:26,880
getting comments. 
LinkedIn picked up, hey, this is

139
00:08:26,880 --> 00:08:30,360
a really popular thread. 
We're going to show it to more 

140
00:08:30,360 --> 00:08:32,760
people. 
More people see it, more people 

141
00:08:32,760 --> 00:08:37,600
comment becomes viral. 
Obviously I posted my poll 

142
00:08:37,600 --> 00:08:40,159
and it was not a very 
popular topic. 

143
00:08:40,320 --> 00:08:45,040
So maybe we should, well, we 
should not have a bunch of

144
00:08:45,040 --> 00:08:48,040
episodes on this. 
But I still think it's something

145
00:08:48,040 --> 00:08:51,120
that we need some clarity 
around. 

146
00:08:51,120 --> 00:08:54,520
But maybe we should have 
something on tap and go. 

147
00:08:55,240 --> 00:08:56,920
Yeah. 
Well, I mean, I don't, I don't 

148
00:08:56,920 --> 00:08:59,680
know what's there yet and what's
realistic because I think some 

149
00:08:59,680 --> 00:09:02,640
of the caveats I threw out were
like, OK, not proprietary, give 

150
00:09:02,640 --> 00:09:04,240
me something that's built off 
open standards. 

151
00:09:04,240 --> 00:09:06,640
You know, maybe it's something 
that we can use FIDO 

152
00:09:06,800 --> 00:09:08,640
authentication for. 
Maybe it's something already 

153
00:09:08,640 --> 00:09:11,760
exists elsewhere, SAML, OpenID, 
and it's just putting the pieces

154
00:09:11,760 --> 00:09:16,200
together. 
But yeah, I mean, this is the 

155
00:09:16,200 --> 00:09:17,400
great part of running this 
podcast. 

156
00:09:17,400 --> 00:09:19,040
Like I don't have valid answers.
You don't have answers. 

157
00:09:19,040 --> 00:09:21,480
Let's find smart people who do 
and get them on and, and ask 

158
00:09:21,480 --> 00:09:23,200
them about it because I'm sure 
other people have, you know, 

159
00:09:23,200 --> 00:09:26,640
somewhere or questions or, or 
things that they can contribute 

160
00:09:26,640 --> 00:09:28,920
to. 
So it's not a, it's, it's not a 

161
00:09:28,920 --> 00:09:30,640
race. 
I, I'm not, you know, it's, it's

162
00:09:30,640 --> 00:09:32,480
not that I got five times as 
many impressions as you. 

163
00:09:32,480 --> 00:09:34,920
That's not what it's about, Jim.
I've only said it like five 

164
00:09:34,920 --> 00:09:37,440
times. 
Hey, by the way, I did one post 

165
00:09:37,440 --> 00:09:39,600
one time and it got over 10,000.
That's. 

166
00:09:39,600 --> 00:09:42,280
Great, I, I, I only, I only 
bring it up because like I've 

167
00:09:42,280 --> 00:09:44,280
never, I don't think I've ever 
had a post that had that much 

168
00:09:44,280 --> 00:09:45,920
traction. 
Like even when I do the podcast 

169
00:09:45,920 --> 00:09:48,480
weekly that's, you know, maybe a
couple 1000 something like that.

170
00:09:48,480 --> 00:09:50,480
That's just people, you know, 
checking out our new show. 

171
00:09:50,480 --> 00:09:55,440
So for whatever reason, this 
idea of non human identity and 

172
00:09:55,960 --> 00:09:59,160
passwordless, more user-friendly, 
passwordless, right, 

173
00:09:59,320 --> 00:10:02,080
frictionless or, less 
friction I should say, 

174
00:10:02,080 --> 00:10:03,840
authentication seems to strike a
chord. 

175
00:10:04,360 --> 00:10:07,680
And I'm wondering if we can I, I
let's put something up around 

176
00:10:07,680 --> 00:10:08,600
that. 
I think we should just show 

177
00:10:08,600 --> 00:10:10,000
about it. 
Absolutely. 

178
00:10:10,000 --> 00:10:14,560
So hey, if anybody's listening 
who has a strong opinion, vendor

179
00:10:14,560 --> 00:10:19,880
agnostic, strong opinion, reach 
out to us questions at idac.com.

180
00:10:20,360 --> 00:10:24,160
It'll get to Jeff and I and 
we'll try to do something. 

181
00:10:24,560 --> 00:10:26,640
Or if you're a vendor with a 
strong opinion, come on, we're 

182
00:10:26,640 --> 00:10:28,960
on a sponsored episode and we'll
get your, we'll ask you 

183
00:10:28,960 --> 00:10:30,000
questions about it and get out 
there. 

184
00:10:30,000 --> 00:10:33,640
So absolutely, yeah, we got a 
couple conferences that we're 

185
00:10:33,640 --> 00:10:36,320
going to be at later this year. 
One that we're not going to be 

186
00:10:36,320 --> 00:10:39,240
at, but we do have a discount 
code for is the Gartner IAM 

187
00:10:39,240 --> 00:10:42,720
Summit taking place in London 
this March 24th and 25th. 

188
00:10:43,200 --> 00:10:48,400
If you use the code IDAC425, you
save and I'm not sure if it's 

189
00:10:48,400 --> 00:10:55,120
€425 or pounds, you will save 
425 of some currency for that 

190
00:10:55,120 --> 00:10:57,320
region which is better than 
nothing for sure. 

191
00:10:57,320 --> 00:11:00,040
It might be rupees it. 
Could you know? 

192
00:11:00,080 --> 00:11:02,440
Who knows? 
Maybe it's, you know, League of 

193
00:11:02,440 --> 00:11:05,920
Legends gold coins. 
Who knows? You will save 425 of 

194
00:11:05,920 --> 00:11:08,640
those. 
It's not 425 bitcoins, I can 

195
00:11:08,640 --> 00:11:09,800
tell you that. 
No. 

196
00:11:09,960 --> 00:11:12,000
Yeah, if you got 425 bitcoins, 
you're probably doing right. 

197
00:11:13,000 --> 00:11:16,000
But that's a conference that has
been nice enough to extend out 

198
00:11:16,000 --> 00:11:18,000
a conference code for people to 
take advantage of. 

199
00:11:18,320 --> 00:11:20,920
I'll have it on our, it's 
already on our web page, 

200
00:11:20,920 --> 00:11:23,640
idacpodcast.com. 
I try to keep all of our current

201
00:11:23,640 --> 00:11:26,720
discount codes on that. 
So we've got the Gartner IAM 

202
00:11:26,720 --> 00:11:29,080
Summit in London again, March 
24th and 25th. 

203
00:11:29,600 --> 00:11:31,680
One that you and I are very 
excited to go out, we've talked 

204
00:11:31,680 --> 00:11:34,360
about a couple times now at this
point is the European Identity 

205
00:11:34,360 --> 00:11:37,920
and Cloud Conference in Berlin, 
May 6th through 9th. 

206
00:11:38,400 --> 00:11:43,800
If you use the code IDAC25MKO,
you get 25% off. 

207
00:11:44,400 --> 00:11:47,600
And so you and I are going to be
out in Berlin for a week 

208
00:11:47,600 --> 00:11:50,000
roughly. 
I think we're putting together 

209
00:11:50,000 --> 00:11:53,120
what some podcasts might look 
like and hopefully we even have 

210
00:11:53,120 --> 00:11:55,080
time to actually attend the 
conference and not just be in 

211
00:11:55,080 --> 00:11:57,520
recording room the whole time. 
Yeah, it's going to be so 

212
00:11:57,520 --> 00:11:59,280
exciting. 
I mean, I've never been to 

213
00:11:59,280 --> 00:12:03,920
Berlin. I've heard great things about 
the city and I've heard great 

214
00:12:03,920 --> 00:12:05,920
things about this conference. 
Heard that. 

215
00:12:05,920 --> 00:12:10,600
It's like information you know 
will be coming out of your ears 

216
00:12:10,600 --> 00:12:14,520
by the end. 
And I can say the organizers, 

217
00:12:14,720 --> 00:12:18,360
obviously, we've had Martin on 
the show, He's had us working 

218
00:12:18,360 --> 00:12:23,840
with this conference team. 
Marina has been super fantastic 

219
00:12:23,840 --> 00:12:26,880
about, you know, helping us 
coordinate our activities while 

220
00:12:26,880 --> 00:12:29,080
we're there. 
So yeah, we're going to record a

221
00:12:29,080 --> 00:12:32,600
few podcasts on site and like 
you said, get to enjoy the 

222
00:12:32,600 --> 00:12:35,280
conference a little bit. 
So hopefully we'll get to meet a

223
00:12:35,280 --> 00:12:37,360
lot of you there. 
And the conference code, 

224
00:12:38,160 --> 00:12:40,960
discount code will help you save
a couple bucks. 

225
00:12:41,360 --> 00:12:43,800
Yeah. 
And then hot off the presses, we

226
00:12:43,800 --> 00:12:48,120
have Identiverse 2025 that is in 
Las Vegas, so June 3rd to the 

227
00:12:48,120 --> 00:12:52,360
6th. 
If you use the code IDV25-

228
00:12:52,360 --> 00:12:55,760
IDAC25, you get 25% off. 
I know that's a mouthful. 

229
00:12:55,760 --> 00:12:57,480
Again, the links will be in our 
show notes. 

230
00:12:57,480 --> 00:13:00,120
They'll be on our website and 
you can check it out there. 

231
00:13:00,120 --> 00:13:01,680
But that's another one we're 
looking forward to. 

232
00:13:02,040 --> 00:13:04,480
We've got some exciting plans 
that we probably shouldn't 

233
00:13:04,480 --> 00:13:08,320
announce quite yet until we have
things kind of signed, sealed and 

234
00:13:08,320 --> 00:13:10,920
figured out and, and well say 
delivered, but planned and ready

235
00:13:10,920 --> 00:13:16,200
to go. 
But if you like prior conference

236
00:13:16,200 --> 00:13:19,360
activities that we have done, we
may be doing something similar 

237
00:13:19,360 --> 00:13:21,720
at Identiverse. 
Is that vague enough, Jim? 

238
00:13:23,720 --> 00:13:25,600
Yeah, I don't know. 
Anybody's going to figure it out

239
00:13:25,600 --> 00:13:28,720
based on that? 
But two fives wild. 

240
00:13:28,720 --> 00:13:37,400
So that's 25% off for Identiverse 
25, IDV25-IDAC25 code. 

241
00:13:38,160 --> 00:13:42,440
I mean, look, it's if you, if 
you can get to a conference this

242
00:13:42,440 --> 00:13:48,360
year, if you're US based, do it.
It's a fun conference too. 

243
00:13:48,440 --> 00:13:51,000
There's a lot of really smart 
people that'll be there and you 

244
00:13:51,000 --> 00:13:52,760
learn something. 
So I'm a fan of it. 

245
00:13:52,800 --> 00:13:54,920
Obviously, hats off to them and 
thanks for them for their 

246
00:13:54,920 --> 00:13:57,800
partnership on it. 
All right, why don't we turn to 

247
00:13:57,800 --> 00:14:00,000
our guest because he's been 
patiently waiting in the wings 

248
00:14:00,000 --> 00:14:03,000
here for wow, over 10 minutes. 
I promised 5 to 10 minutes. 

249
00:14:03,000 --> 00:14:05,120
We're at 12 minutes. 
Let me welcome to the show, 

250
00:14:05,120 --> 00:14:07,720
Steven Washington. 
He's the head of IAM at Discover

251
00:14:07,720 --> 00:14:09,240
Financial. 
Welcome, Steven. 

252
00:14:10,280 --> 00:14:12,400
Hey Jeff, Jim, pleasure to be 
here. 

253
00:14:12,800 --> 00:14:15,400
Looking forward to to a 
wonderful show you guys have. 

254
00:14:16,120 --> 00:14:17,560
Well, thanks so much for taking 
the time. 

255
00:14:17,600 --> 00:14:20,960
And is this your first time 
being on the show and hopefully 

256
00:14:20,960 --> 00:14:22,440
not the last. 
We'll find out at the end if you

257
00:14:22,440 --> 00:14:25,360
still like us or not. 
But tell us about your IAM 

258
00:14:25,360 --> 00:14:27,840
origin story. 
How did you get started in IAM?

259
00:14:27,840 --> 00:14:30,600
Is it something that you chose 
or did it choose you? 

260
00:14:32,000 --> 00:14:34,880
It chose me. I went to college, 
I got my degree in computer 

261
00:14:34,880 --> 00:14:36,880
engineering. 
I wanted to be the best Java 

262
00:14:36,880 --> 00:14:40,360
programmer in the world. 
I'm like, yes, go Java 2, Struts

263
00:14:40,400 --> 00:14:42,800
all the way. 
My first job out of college. 

264
00:14:42,800 --> 00:14:46,040
And they said, yeah, you're going 
to start managing, you know, web

265
00:14:46,040 --> 00:14:48,680
service like, OK. 
And then they said you need to 

266
00:14:48,680 --> 00:14:52,000
manage LDAP directories like 
LDAP. 

267
00:14:52,000 --> 00:14:55,920
What is an LDAP? 
And to this day, you know, I 

268
00:14:56,040 --> 00:15:01,240
I realized how the godfather of
IAM basically was Novell, you 

269
00:15:01,360 --> 00:15:06,120
know audio dev directories, and I
still use, it's called LBE.jar,

270
00:15:06,120 --> 00:15:10,200
and it was the greatest 
LDAP browser utility ever 

271
00:15:10,200 --> 00:15:14,640
created as I started using it in
2001 and I still have it on my 

272
00:15:14,640 --> 00:15:18,720
computer today. 
It can do wonders and it's a 25-

273
00:15:18,720 --> 00:15:22,720
plus-year-old Java JAR. 
So I'm not familiar with this. 

274
00:15:23,400 --> 00:15:26,640
I guess what makes it timeless 
in your mind that it's held the 

275
00:15:26,640 --> 00:15:30,800
test of 25 years on your? 
And about, about 2010 I 

276
00:15:30,800 --> 00:15:34,920
think Softerra must have found 
a way to take it, because they 

277
00:15:34,920 --> 00:15:37,120
had the same exact interface. 
It was just modern. 

278
00:15:37,640 --> 00:15:41,880
But the thing about it is you 
were able to use every feature 

279
00:15:41,880 --> 00:15:45,520
possible in terms of 
certificates, you know, and do 

280
00:15:45,520 --> 00:15:49,040
things that you couldn't do with
modern security controls. 

281
00:15:49,280 --> 00:15:53,120
So I was able to connect to 
almost any Active Directory 

282
00:15:53,120 --> 00:15:56,960
domain, you know, Oracle 
directory, I mean, almost 

283
00:15:56,960 --> 00:15:58,160
anything. 
And then I love virtual 

284
00:15:58,160 --> 00:16:00,760
directories. 
So I was able to actually use it

285
00:16:01,120 --> 00:16:04,200
and kind of play around with, 
you know, multiple directories 

286
00:16:04,200 --> 00:16:07,560
or through one proxy, you know, 
way back in the early 2000s. 

287
00:16:09,040 --> 00:16:10,520
I remember Softerra, that was 
the. 

288
00:16:10,520 --> 00:16:13,120
I used their LDAP browser as 
well, but probably not to the 

289
00:16:13,120 --> 00:16:15,880
level you were. 
I was looking at maybe 1 or 2 AD 

290
00:16:15,880 --> 00:16:18,760
domains and then I think I was 
using it all for. 

291
00:16:18,760 --> 00:16:22,600
Also maybe some SQL stuff. 
I don't remember, but I was 

292
00:16:22,600 --> 00:16:24,480
definitely not a pro with it. 
But you mentioned the word 

293
00:16:24,480 --> 00:16:25,840
Softerra. 
I was like, oh, I just had a 

294
00:16:25,840 --> 00:16:28,040
flashback. 
No. 

295
00:16:28,200 --> 00:16:30,920
And I mean that interface was 
exactly the same thing. 

296
00:16:31,240 --> 00:16:32,680
It's just that this was a matter
of fact. 

297
00:16:32,680 --> 00:16:35,520
It was Java Swing, you know, 
user interface. 

298
00:16:35,520 --> 00:16:40,200
So it was old school. 
So tell me about your role as 

299
00:16:40,200 --> 00:16:43,400
the head of IAM at Discover 
Financial. 

300
00:16:43,400 --> 00:16:45,640
What does that mean? 
You know, tell me, like, what 

301
00:16:45,640 --> 00:16:47,040
does your like day-to-day look 
like? 

302
00:16:48,920 --> 00:16:53,520
Managing the largest team in 
cybersecurity at Discover 

303
00:16:54,040 --> 00:16:59,720
because as you all know well, 
IAM has the most challenges and 

304
00:16:59,720 --> 00:17:03,080
also the most opportunities. 
But we are deployment and I tend

305
00:17:03,080 --> 00:17:06,400
to call IAM cyber adjacent. 
Some people like it when I do, 

306
00:17:06,400 --> 00:17:10,200
some people don't, but I call it
cyber adjacent because identity 

307
00:17:10,200 --> 00:17:13,520
is really a combination of 
infrastructure, services, 

308
00:17:13,960 --> 00:17:18,520
cybersecurity and risk. 
GRC like risk management, it's a

309
00:17:18,520 --> 00:17:20,280
combination of both of all 
three. 

310
00:17:20,280 --> 00:17:25,119
So it is that it cannot fit in 
just one specific space, but 

311
00:17:25,119 --> 00:17:28,079
most times it's either 
infrastructure or cybersecurity 

312
00:17:28,480 --> 00:17:32,320
and at Discover we are 
within cybersecurity, so. 

313
00:17:32,320 --> 00:17:35,240
Cybersecurity adjacent? 
I guess I've always thought of 

314
00:17:35,240 --> 00:17:38,760
IAM as in cybersecurity. 
What makes it adjacent for you? 

315
00:17:39,440 --> 00:17:44,360
So if you think about what the 
the major utilities, the IGAs, 

316
00:17:44,360 --> 00:17:47,760
the IDM, the vaulting 
solutions, they all are 

317
00:17:47,760 --> 00:17:50,680
basically shared services, which
means they have a large 

318
00:17:50,920 --> 00:17:52,760
component, which is 
infrastructure base. 

319
00:17:53,200 --> 00:17:56,000
And you think about it gives 
more focus on resiliency, 

320
00:17:56,320 --> 00:17:59,640
operational overhead, 
consumption, you know, and those

321
00:17:59,640 --> 00:18:01,640
are more infrastructure 
services. 

322
00:18:02,200 --> 00:18:03,840
When you think about 
cybersecurity, you're not 

323
00:18:03,840 --> 00:18:06,040
thinking about that. 
You're thinking about sometimes,

324
00:18:06,040 --> 00:18:08,520
you know, governance risk, 
thinking about, you know, 

325
00:18:08,760 --> 00:18:11,960
security incident, response to 
tech, you know, response. 

326
00:18:12,040 --> 00:18:15,080
Those are kind of the areas of 
cybersecurity that most people 

327
00:18:15,080 --> 00:18:17,640
think about. 
But identity is kind of like the

328
00:18:17,800 --> 00:18:20,280
that mixture of it has more 
products within it. 

329
00:18:20,640 --> 00:18:24,600
So managing a product life cycle
you are already doing more 

330
00:18:24,640 --> 00:18:27,720
infrastructure based services 
than strictly cyber. 

331
00:18:27,800 --> 00:18:30,400
I was looking through your 
LinkedIn profile, doing a little

332
00:18:30,400 --> 00:18:31,640
sleuthing and saying, who is this 
guy? 

333
00:18:31,640 --> 00:18:34,080
Steven? 
I noticed you've spent some time

334
00:18:34,080 --> 00:18:36,080
consulting and we have a lot of 
consultants. 

335
00:18:36,080 --> 00:18:38,520
Jim and I are consultants 
ourselves, you know, that are 

336
00:18:38,520 --> 00:18:42,920
listening and I'm curious what 
are some of the things that 

337
00:18:42,920 --> 00:18:44,880
prepared you for your role? 
Because you also worked at 

338
00:18:44,880 --> 00:18:47,520
Freddie Mac and you're at 
Discover now, but what are some 
discover now, but what are some 

339
00:18:47,520 --> 00:18:49,600
of the things that you did as a 
consultant that really kind of 

340
00:18:49,600 --> 00:18:52,880
prepared you for roles, we'll 
call it in industry, right? 

341
00:18:52,880 --> 00:18:54,760
Or civilian life maybe I might 
call it. 

342
00:18:55,680 --> 00:18:57,800
No, no, I have a really good 
story about that. 

343
00:18:57,800 --> 00:19:01,920
I actually went from engineer, 
developer, architect, but I 

344
00:19:01,920 --> 00:19:04,240
wanted to learn more about, you 
know, how to run a business. 

345
00:19:04,560 --> 00:19:08,720
So if you look at it, my pathway
went from big pharma, big 

346
00:19:08,720 --> 00:19:10,360
retail. 
Then I jumped to a startup. 

347
00:19:11,160 --> 00:19:14,760
After the startup, I spent a few
years there and I understood how

348
00:19:14,760 --> 00:19:16,760
to run a business when there's 
less than 10 employees. 

349
00:19:17,240 --> 00:19:19,760
You have to basically wear every
hat when there's less than 10 

350
00:19:19,760 --> 00:19:22,360
employees. 
But then I went to Deloitte 

351
00:19:22,360 --> 00:19:24,720
after that because I said, OK, I
know I don't run a business, I'm

352
00:19:24,720 --> 00:19:29,040
learning it, but how do I 
articulate what it is that we 

353
00:19:29,040 --> 00:19:31,200
need? 
Like, how do I get people to 

354
00:19:31,200 --> 00:19:34,040
yes? 
My biggest mantra is I'm going 

355
00:19:34,040 --> 00:19:36,680
to get you to yes. 
People say no by default. 

356
00:19:37,040 --> 00:19:41,320
So as a consultant, the job is 
to understand how to do 

357
00:19:41,320 --> 00:19:45,640
PowerPoints, how to do decks, 
and how to communicate the 

358
00:19:45,640 --> 00:19:48,560
vision, the operating model to 
the right audience. 

359
00:19:48,560 --> 00:19:51,400
That's the most important part 
is to the right audience. 

360
00:19:51,720 --> 00:19:54,640
And when you focus on that, you 
can basically sell anything. 

361
00:19:55,400 --> 00:20:00,960
And I leverage that because now 
in financial services, everyone 

362
00:20:00,960 --> 00:20:02,640
wants to say no. 
It's just, I mean, it's 

363
00:20:02,640 --> 00:20:05,480
corporate America. 
It's easier to say no than to 

364
00:20:05,480 --> 00:20:09,080
say yes, so. 
I kick them to yes by doing 

365
00:20:09,080 --> 00:20:12,720
one thing. 
If you tell me no, I say why you

366
00:20:12,720 --> 00:20:16,480
give me data, I'll go back and 
use my consultant net and craft 

367
00:20:16,480 --> 00:20:19,360
another or a better story to 
come back to me and say, well, 

368
00:20:19,360 --> 00:20:23,320
you say no because of ABC, I saw 
it for that and then here's more

369
00:20:23,320 --> 00:20:26,400
data. 
Now do you say yes and at some 

370
00:20:26,400 --> 00:20:29,280
point in time that iterative 
process, they are going to say 

371
00:20:29,280 --> 00:20:31,080
yes or say, Steven, get the hell
out of here. 

372
00:20:31,320 --> 00:20:33,640
So, stop bothering me. 
Here you go. 

373
00:20:33,720 --> 00:20:37,960
Just get it done. 
One more question I want to ask 

374
00:20:37,960 --> 00:20:38,880
you. 
I know we're going to talk about

375
00:20:38,880 --> 00:20:41,600
like user access reviews and, 
and maybe get some of that, but 

376
00:20:42,040 --> 00:20:45,360
so there's a lot of people that 
I've known as wanting to get 

377
00:20:45,360 --> 00:20:47,920
into IAM. 
What would be a word of advice 

378
00:20:47,920 --> 00:20:52,280
that you have for people who are
looking to get into IAM as just 

379
00:20:52,280 --> 00:20:54,120
the start of their journey? 
Or maybe they're looking to 

380
00:20:54,120 --> 00:20:56,120
pivot into IAM from some other 
field? 

381
00:20:57,040 --> 00:20:59,000
That is one of my favorite 
questions, Jeff. 

382
00:20:59,640 --> 00:21:03,760
Let me tell you why: you can 
learn almost every other aspect 

383
00:21:03,760 --> 00:21:07,760
of cybersecurity through a 
class, through a course, through

384
00:21:07,760 --> 00:21:12,480
some training, but you cannot 
learn IAM through a single 

385
00:21:12,480 --> 00:21:16,560
entity at all. 
You have to be broad in your 

386
00:21:16,560 --> 00:21:19,960
skills to do IAM. 
You have to know a little bit 

387
00:21:19,960 --> 00:21:22,520
of, you know, operating systems,
you have to know about 

388
00:21:22,520 --> 00:21:25,360
directories, you have to know 
about networking, you have to 

389
00:21:25,360 --> 00:21:28,000
know about firewalls. 
I mean, especially today, 

390
00:21:28,000 --> 00:21:30,400
everything is cloud based. 
If you don't understand the 

391
00:21:30,400 --> 00:21:34,560
simple proxy, reverse proxy, how
to open up a point, you're not 

392
00:21:34,560 --> 00:21:37,920
going to do well here. 
Even things as simple as IDP 

393
00:21:37,920 --> 00:21:42,720
configurations now from cloud to
cloud, SaaS to SaaS, you have to 

394
00:21:42,720 --> 00:21:46,400
be well versed in everything. 
So one of my favorite sayings is

395
00:21:47,640 --> 00:21:51,400
jack of all trades, master of none,
but oftentimes better than a 

396
00:21:51,400 --> 00:21:55,680
master of one. That creates 
an IAM professional. 

397
00:21:56,120 --> 00:21:59,360
You have to know a lot about a 
lot, but you don't got to be 

398
00:21:59,360 --> 00:22:03,320
super deep in any one thing to 
be amazing in this field. 

399
00:22:04,800 --> 00:22:08,760
Yeah, I really love that answer.
I think what I would add to it 

400
00:22:08,800 --> 00:22:12,560
is you mentioned a lot of the 
technical skills you need, but 

401
00:22:12,560 --> 00:22:14,600
you also need to have business 
skills. 

402
00:22:14,600 --> 00:22:19,520
You need to know things about 
human resources and how the 

403
00:22:19,520 --> 00:22:22,240
business works. 
You have to at least be geared 

404
00:22:22,240 --> 00:22:25,040
toward that to be really great 
at IAM. 

405
00:22:26,400 --> 00:22:28,920
I also thought it was funny when
you're talking about consulting,

406
00:22:28,920 --> 00:22:31,840
you brought it back to how do 
you sell things? 

407
00:22:33,680 --> 00:22:37,920
But no, how do you sell an idea?
So that is pretty funny. 

408
00:22:38,120 --> 00:22:41,800
And as Jeff mentioned, I'm going
to drag you down the route of 

409
00:22:41,800 --> 00:22:44,800
talking about user access 
reviews. 

410
00:22:44,800 --> 00:22:49,640
But before that, when we're 
talking in the beginning of the 

411
00:22:49,640 --> 00:22:54,560
show about the idea around 
device identity, it almost 

412
00:22:54,560 --> 00:22:57,160
looked like you wanted to jump 
right into the conversation at 

413
00:22:57,160 --> 00:22:59,560
that point. 
So I was wondering, did I, did I

414
00:22:59,560 --> 00:23:02,400
see that right? 
And is there anything that you 

415
00:23:02,600 --> 00:23:05,720
you wanted to say or that you 
were chomping at the bit to say?

416
00:23:07,240 --> 00:23:11,400
Absolutely, I said this is their
show, so let me be quiet and 

417
00:23:11,400 --> 00:23:13,440
stay on mute until my time is 
up. 

418
00:23:13,720 --> 00:23:16,600
However, Matt Atkins, I'm going 
to have the floor. 

419
00:23:17,000 --> 00:23:20,000
I'll take it. 
But I think of device identity. 

420
00:23:20,000 --> 00:23:24,760
It's, it's so important that we 
think about every device we 

421
00:23:24,760 --> 00:23:26,720
have. 
I mean in my house alone, 

422
00:23:26,720 --> 00:23:30,640
there's probably 6-7 Alexis 810 
series. 

423
00:23:30,920 --> 00:23:34,360
I mean every device has some 
type of access management 

424
00:23:34,360 --> 00:23:36,480
component to it. 
But I like what you said Jeff, 

425
00:23:36,480 --> 00:23:39,000
about when you think of it, you 
think about the authentication 

426
00:23:39,000 --> 00:23:41,040
piece. 
Well, what folks don't realize 

427
00:23:41,040 --> 00:23:45,080
is every device is doing a form 
of authentication, a lot of it 

428
00:23:45,080 --> 00:23:49,160
sometimes anonymous, a lot of it
is some form of PKI, but is 

429
00:23:49,160 --> 00:23:52,760
doing something or phoning home.
And that's the part where it's 

430
00:23:52,760 --> 00:23:56,760
tricky because most, most cyber 
professionals don't even use 

431
00:23:56,760 --> 00:24:00,560
those, you know, home utilities,
like they say Alexa is disabled 

432
00:24:00,920 --> 00:24:03,040
anything else. 
But in general, Jim, I think 

433
00:24:03,040 --> 00:24:04,800
it's just device identity 
exists. 

434
00:24:05,080 --> 00:24:08,360
We need to find a way to 
actually manage the life cycle 

435
00:24:08,360 --> 00:24:11,640
just like we do human accounts 
and non-human accounts, you 

436
00:24:11,640 --> 00:24:15,120
know. And it's going to get to a 
point sooner than later where we

437
00:24:15,120 --> 00:24:18,040
just have objects, identity, 
objects. 

438
00:24:18,520 --> 00:24:21,800
Everything is looked at through 
the lens of identity. 

439
00:24:22,240 --> 00:24:25,680
And ironically, I'm going to use
your pun, but yes, identity is 

440
00:24:25,680 --> 00:24:28,360
at the center, the center of 
everything. 

441
00:24:28,360 --> 00:24:30,440
I mean, identity is the front 
door. 

442
00:24:30,640 --> 00:24:33,040
And what I say is to a house, 
identity is the front door. 

443
00:24:33,360 --> 00:24:37,480
But also when you go to each 
room, each lock on the door is 

444
00:24:37,480 --> 00:24:40,240
another layer of identity. 
And then over time we get to the

445
00:24:40,240 --> 00:24:43,640
point where, as you're in your 
kitchen and just hanging around,

446
00:24:43,640 --> 00:24:46,360
you would have something doing a
check on should you still be 

447
00:24:46,360 --> 00:24:48,400
here? 
And is it still your own, which 

448
00:24:48,400 --> 00:24:52,200
is a deeper layer of identity. 
So it's definitely at the 

449
00:24:52,200 --> 00:24:54,120
center. 
Yeah, it's crazy. 

450
00:24:54,120 --> 00:24:57,920
You hear identity is the new 
perimeter, then someone will say

451
00:24:57,920 --> 00:25:00,240
the next sentence. 
Identity is the center. 

452
00:25:00,240 --> 00:25:02,120
So it's like identity is 
everywhere. 

453
00:25:03,040 --> 00:25:05,840
Identity is the whole kit 
and kaboodle. 

454
00:25:06,520 --> 00:25:08,720
This could have been, that could 
have been the name of the 

455
00:25:08,720 --> 00:25:10,760
podcast. 
That's too long for, that's too 

456
00:25:10,760 --> 00:25:13,360
long for a URL, so just keep it 
at IDAC podcast. 

457
00:25:13,480 --> 00:25:15,160
You can. 
You can use a TinyURL, Jeff. 

458
00:25:15,160 --> 00:25:17,360
And you can use a TinyURL Sir. 
So. 

459
00:25:17,880 --> 00:25:20,080
Security people don't like tiny 
URLs because you don't know 

460
00:25:20,080 --> 00:25:22,040
where you're clicking on. 
We found that out early on where

461
00:25:22,040 --> 00:25:23,080
I was like, all right, we had to
think. 

462
00:25:23,080 --> 00:25:27,800
A sponsor gave us a TinyURL and 
I got so many emails about. 

463
00:25:27,800 --> 00:25:29,880
Secured. 
Yeah, you should not use tiny 

464
00:25:29,880 --> 00:25:32,040
URLs like I understand. 
I get it OK. 

465
00:25:32,440 --> 00:25:38,080
Yeah, OK, here's a QR code. 
So OK, let's talk about user 

466
00:25:38,080 --> 00:25:43,000
access reviews or what I've 
traditionally called 

467
00:25:43,960 --> 00:25:47,160
recertification. 
I don't know if you even use 

468
00:25:47,160 --> 00:25:51,600
that term, but you would user 
access reviews, you know, you 

469
00:25:51,600 --> 00:25:55,520
see them used a lot in financial
services and heavily 

470
00:25:55,520 --> 00:26:02,080
regulated industries. 
I say 5-10 years ago outside of 

471
00:26:02,080 --> 00:26:07,480
heavily regulated industries, 
people question should I even do

472
00:26:07,480 --> 00:26:10,760
this thing right? 
The only reason financial 

473
00:26:10,760 --> 00:26:14,680
services is doing it is because 
they have regulators making them

474
00:26:14,680 --> 00:26:17,280
do that. 
So 1, is that true? 

475
00:26:17,640 --> 00:26:21,120
And you know 2 like where is the
value? 

476
00:26:21,280 --> 00:26:24,760
Is it just to be compliant with 
regulation or is there something

477
00:26:24,760 --> 00:26:28,120
more? 
We have a good question and I'm 

478
00:26:28,120 --> 00:26:32,960
thinking now don't want to 
answer it positive or the way I 

479
00:26:32,960 --> 00:26:35,280
already feel, let's go positive 
first. 

480
00:26:35,400 --> 00:26:38,920
So you are absolutely correct in
terms of regulatory just 

481
00:26:38,920 --> 00:26:41,680
environments which is course 
multiple industries. 

482
00:26:42,200 --> 00:26:45,520
There's a ton of value in user 
access reviews because it is 

483
00:26:45,520 --> 00:26:48,960
both a detective and really a 
corrective type of control. 

484
00:26:49,440 --> 00:26:52,480
The end of the day is done to 
say, hey, should Jeff and Jim 

485
00:26:52,480 --> 00:26:56,240
still maintain their access? 
And if they shouldn't, let me 

486
00:26:56,240 --> 00:27:00,040
create an action where I do an 
attestation and say Nope, I want

487
00:27:00,040 --> 00:27:03,600
them out and then some 
technology, some tool goes and 

488
00:27:03,600 --> 00:27:07,240
removes them from that access. 
And for small and mid sized 

489
00:27:07,240 --> 00:27:10,920
companies, it works really well 
because there's not a lot of 

490
00:27:11,080 --> 00:27:13,720
bloat in small and mid sized 
businesses. 

491
00:27:13,720 --> 00:27:18,240
The larger the company is, 
the more job roles 

492
00:27:18,240 --> 00:27:20,520
of companies are really strong. 
When I say RBAC, you 

493
00:27:20,520 --> 00:27:25,320
know, role based access control, 
the more RBAC you use, the 

494
00:27:25,320 --> 00:27:29,240
larger your access role 
environment is going to be, the 

495
00:27:29,240 --> 00:27:32,000
more access certification, user 
access reviews, you have. 

496
00:27:32,880 --> 00:27:37,520
Once you hit that threshold, now
it becomes more of is there 

497
00:27:37,520 --> 00:27:39,720
value in this or is it just a 
check box activity? 

498
00:27:40,120 --> 00:27:43,280
So I have a person who I have 
people in multiple companies 

499
00:27:43,640 --> 00:27:49,400
that they have to attest or 
certify over 1,000, 2,000 

500
00:27:49,400 --> 00:27:52,040
users. 
And sometimes it's twice a year,

501
00:27:52,160 --> 00:27:54,720
sometimes it's once a year, 
saying things like privileged 

502
00:27:54,720 --> 00:27:57,960
access, maybe every quarter, 
depending on the standards or 

503
00:27:57,960 --> 00:28:01,120
the requirements of the company.
When you have to do something 

504
00:28:01,120 --> 00:28:06,440
this frequently, if the user 
interface isn't smart, most 

505
00:28:06,440 --> 00:28:08,640
people tend to just do a check 
box activity. 

506
00:28:09,000 --> 00:28:12,040
They say, you know what, we just
gotta blindly check it all 

507
00:28:12,040 --> 00:28:14,840
because I don't have the time, 
the bandwidth or the 

508
00:28:14,840 --> 00:28:18,400
understanding of what's needed. 
And when you think about that or

509
00:28:18,400 --> 00:28:20,800
kind of, you know, like 
traveling that out, if that's 

510
00:28:20,800 --> 00:28:25,320
being done, let's say 50% of the
time, where's the value in it?

511
00:28:25,640 --> 00:28:28,920
But the value does come from 
the auditors, the regulators, 

512
00:28:29,520 --> 00:28:32,400
because that's something that 
they can say, how do I trust 

513
00:28:32,760 --> 00:28:36,200
that you're doing something? 
Something is always better than 

514
00:28:36,200 --> 00:28:37,640
nothing. 
I mean, we can all agree to 

515
00:28:37,640 --> 00:28:41,840
that, but at least I have a name
associated to a decision. 

516
00:28:42,560 --> 00:28:46,480
And that's why the biggest value
of user access reviews is you 

517
00:28:46,480 --> 00:28:50,760
have a named resource making a 
decision on access. 

518
00:28:51,480 --> 00:28:55,520
Regardless of how they made that
decision, that certification is 

519
00:28:55,520 --> 00:28:58,200
important. 
And that's needed because for a 

520
00:28:58,200 --> 00:29:03,720
regulatory body, they can say, 
OK, 99% of these folks attested 

521
00:29:03,720 --> 00:29:06,320
in the positive, great, 1% 
they're not. 

522
00:29:06,760 --> 00:29:08,920
But all the access has been 
certified. 

523
00:29:09,720 --> 00:29:13,640
I can take that and support any 
action or decision the company 

524
00:29:13,640 --> 00:29:14,960
needs to make. 
So it is. 

525
00:29:14,960 --> 00:29:17,400
So that's the value in that just
overall. 

526
00:29:18,800 --> 00:29:21,320
So you're kind enough and 
diplomatic enough to take the 

527
00:29:21,320 --> 00:29:23,960
positive side, I'm going to take
it down the negative side a 

528
00:29:23,960 --> 00:29:25,280
little bit and see if you agree 
with me. 

529
00:29:25,840 --> 00:29:30,200
Are user access reviews a 
reaction to poor life cycle 

530
00:29:30,200 --> 00:29:33,240
management? 
Meaning we have to do user 

531
00:29:33,240 --> 00:29:36,120
access reviews because we just 
don't do a good job of cleaning 

532
00:29:36,120 --> 00:29:39,680
up accounts and accesses that 
shouldn't be there after they're

533
00:29:39,680 --> 00:29:43,000
no longer needed. 
I did not know that question was

534
00:29:43,000 --> 00:29:47,280
coming, but I would say that 
that's a perfect segue to 

535
00:29:47,280 --> 00:29:50,520
what my vision is in terms of 
what I've been designing for 

536
00:29:50,520 --> 00:29:53,600
user access reviews. 
You are absolutely correct, 

537
00:29:53,600 --> 00:29:56,640
Jeff, and I'll take the steps 
further. 

538
00:29:57,120 --> 00:30:00,880
The way that I think about this 
is the reason why they exist in 

539
00:30:00,880 --> 00:30:04,840
general is because now your life
cycle management is really the 

540
00:30:04,840 --> 00:30:09,000
access chain is how do I know 
that Jeff is using his access? 

541
00:30:09,440 --> 00:30:11,840
So if you really think about it,
let's give an example. 

542
00:30:12,480 --> 00:30:17,200
If I say, hey Jim, you have 
access to application A, but I 

543
00:30:17,200 --> 00:30:21,160
modified my standards, my 
requirements to say a user 

544
00:30:21,160 --> 00:30:23,720
should only have access to an 
application for 30 days. 

545
00:30:24,280 --> 00:30:26,800
After 30 days, the access is 
automatically removed. 

546
00:30:27,680 --> 00:30:30,480
That means that Jim accessed the 
application day one. 

547
00:30:30,640 --> 00:30:34,120
He gets in just fine. 
On day 32, he tries to access 

548
00:30:34,120 --> 00:30:38,880
it, it says access denied. 
But so that alone is great. 

549
00:30:39,120 --> 00:30:41,920
But then it becomes a really 
poor user experience because now

550
00:30:41,920 --> 00:30:44,000
Jim has to go through a whole 
access request again. 

551
00:30:44,600 --> 00:30:47,080
No one wants that. 
But in terms of, I mean, we in 

552
00:30:47,080 --> 00:30:50,440
2025, we have so much tools out,
so many tools out there that are

553
00:30:50,440 --> 00:30:53,640
great. 
So let's add some orchestration,

554
00:30:53,840 --> 00:30:57,200
some IdPs into it and say on 
day 32, Jim goes to the 

555
00:30:57,200 --> 00:31:01,080
application, the IDP says, Nope,
you don't have the right claim, 

556
00:31:01,080 --> 00:31:04,280
the right access. 
However, it makes a call, was 

557
00:31:04,280 --> 00:31:06,400
Jim approved to have his access 
previous? 

558
00:31:07,240 --> 00:31:11,880
If that answer is yes, then they
can actually go ahead and give 

559
00:31:11,880 --> 00:31:14,960
Jim the access again, because 
the standard states it's only 

560
00:31:14,960 --> 00:31:18,120
going to be good for 30 days 
because of that. 

561
00:31:18,640 --> 00:31:20,960
That process makes it a great 
user experience. 

562
00:31:21,280 --> 00:31:24,320
Jim doesn't have to lose his 
access, but there's no standing 

563
00:31:24,320 --> 00:31:27,160
permissions. 
Jim doesn't have the access more

564
00:31:27,160 --> 00:31:30,120
than he's needed. 
And if there's a need for a 

565
00:31:30,120 --> 00:31:32,440
certification, then it's 
probably going to be empty 

566
00:31:32,440 --> 00:31:35,680
because most people don't use 
applications, you know, day in 

567
00:31:35,680 --> 00:31:37,120
and day out. 
They already don't. 

568
00:31:37,600 --> 00:31:40,920
I didn't give you, I mean even 
an HR tool like a Workday which 

569
00:31:40,920 --> 00:31:43,280
is really generic. 
Almost every company has it. 

570
00:31:43,720 --> 00:31:46,880
You use it maybe to do your 
goals or a check in right? 

571
00:31:46,880 --> 00:31:49,400
Like you're not using tools all 
the time. 

572
00:31:50,640 --> 00:31:56,360
Steven, I wanted to ask you what
you meant about UI, but I think 

573
00:31:56,560 --> 00:32:00,520
that's going to be part of your 
answer to my different question,

574
00:32:00,520 --> 00:32:04,600
which is, you know, so Jeff and 
I are very fortunate. 

575
00:32:04,600 --> 00:32:08,560
We get to go to a lot of 
conferences doing the podcast, a

576
00:32:08,560 --> 00:32:12,320
lot of vendors reach out to us. 
We see a lot of demonstrations 

577
00:32:12,320 --> 00:32:17,640
of IGA products and the amount 
of innovation that's still 

578
00:32:17,640 --> 00:32:22,080
happening in the space. 
IGA, I mean, it's been around 

579
00:32:22,080 --> 00:32:25,480
for quite a long time, right, 
But people are continuing to 

580
00:32:25,480 --> 00:32:29,440
innovate. 
I'd say why is that? 

581
00:32:29,440 --> 00:32:34,280
What are the innovations that to
you are exciting without getting

582
00:32:34,280 --> 00:32:38,280
into specific vendor names, 
right, Yeah. 

583
00:32:38,720 --> 00:32:39,760
Yeah. 
No, no, no, no. 

584
00:32:40,000 --> 00:32:44,160
I think that the biggest one is 
the use of AI of causing ML 

585
00:32:44,400 --> 00:32:46,880
right the end of the day. 
Let's go back to the example I 

586
00:32:46,880 --> 00:32:51,040
said of the individual that had 
1000 access requests. 

587
00:32:51,040 --> 00:32:55,600
He had to attest. 
Well, AI/ML now has the ability 

588
00:32:55,600 --> 00:32:58,360
to go look at it and do some of 
the things I mentioned. 

589
00:32:58,720 --> 00:33:00,800
Hey, when was the last time they
used this access? 

590
00:33:01,200 --> 00:33:03,600
Hey, did all their team members 
use the same access? 

591
00:33:04,000 --> 00:33:08,840
So now we can have more smart 
IGA, more smart services to say,

592
00:33:09,120 --> 00:33:15,440
hey, Jeff, out of that 1000, 750 are 
because of the team name, the 

593
00:33:15,440 --> 00:33:18,280
team description and they're all
operation and support. 

594
00:33:18,560 --> 00:33:21,240
They should have that. 
You can then say, OK, I'm going 

595
00:33:21,240 --> 00:33:24,360
to blanket approve that because 
those 750 I don't have to look 

596
00:33:24,360 --> 00:33:27,280
at. Now you're down to 250, which
is much more manageable. 

597
00:33:27,800 --> 00:33:31,160
But then the AI/ML can do even 
more stuff and say, hey, only 

598
00:33:31,160 --> 00:33:32,800
about 25 of these are 
privileged. 

599
00:33:33,400 --> 00:33:37,120
So now that 1000 goes down to 25
and what you're doing now 

600
00:33:37,280 --> 00:33:41,120
hopefully is saying, let me, you
know, you use a fine tooth comb 

601
00:33:41,480 --> 00:33:44,800
and go through those 25 each and
hopefully remove actions that 

602
00:33:44,800 --> 00:33:47,440
shouldn't exist or just say, 
yes, they all should be 

603
00:33:47,440 --> 00:33:49,240
maintained. 
So that's really where the 

604
00:33:49,240 --> 00:33:53,360
innovation is coming from, Jim. 
Yeah, I think, I think that's a 

605
00:33:53,680 --> 00:33:59,520
a huge innovation is the AI. I 
also see back end changes that 

606
00:33:59,520 --> 00:34:04,400
are happening where it's like no
longer are these IGA systems 

607
00:34:04,400 --> 00:34:07,640
running on a relational SQL 
database, right. 

608
00:34:07,640 --> 00:34:11,520
They're running big data 
platforms and allowing 

609
00:34:11,880 --> 00:34:16,320
organizations to identify what 
is identity data to them, what 

610
00:34:16,320 --> 00:34:20,360
is risk data to them or data 
that can be part of the risk 

611
00:34:20,360 --> 00:34:22,880
story. 
So if you start to say what is 

612
00:34:23,360 --> 00:34:29,080
not only what am I using, but 
what am I not using, that is of 

613
00:34:29,080 --> 00:34:31,080
relevance, right? 
So if I don't look at the 

614
00:34:31,080 --> 00:34:34,040
cafeteria menu or are you going 
to take the cafeteria menu away 

615
00:34:34,040 --> 00:34:37,440
from me? 
Like what's the point is 0 

616
00:34:37,440 --> 00:34:41,239
value? 
The value is I've got a very 

617
00:34:41,239 --> 00:34:44,679
powerful role in a very 
important risky system. 

618
00:34:45,199 --> 00:34:48,600
Now let's challenge on something
like that. 

619
00:34:48,600 --> 00:34:53,960
Well, you know, I've got to be 
able to draw the connectivity to

620
00:34:53,960 --> 00:34:58,720
that, that risk level and that 
might be very specific to my 

621
00:34:58,720 --> 00:35:03,080
organization. 
No, no. 

622
00:35:03,120 --> 00:35:06,160
I would say it is, Jim. 
I like it is really well around.

623
00:35:06,440 --> 00:35:08,960
I love the construct of an 
identity data lake. 

624
00:35:08,960 --> 00:35:12,840
And what I mean by that is we 
need to basically put all our 

625
00:35:12,840 --> 00:35:17,600
identity data access management,
data access row data request 

626
00:35:17,600 --> 00:35:22,040
data access chain and data. 
And you're right, SQL 

627
00:35:22,040 --> 00:35:24,000
databases aren't always the best
for that. 

628
00:35:24,000 --> 00:35:27,000
Some of the new graph kind of 
DBs are really good. 

629
00:35:27,000 --> 00:35:30,440
But the whole point of this is 
now if I have to do something 

630
00:35:30,440 --> 00:35:33,720
like give to a regulator one 
order, they say, hey Steve, I 

631
00:35:33,720 --> 00:35:36,480
want to know all the access that
was provisioned for this 

632
00:35:36,480 --> 00:35:38,160
application over the last six 
months. 

633
00:35:38,720 --> 00:35:42,040
Well, right now I'm going 
through my tools and extracting 

634
00:35:42,040 --> 00:35:45,560
reports and doing some pivot 
tables or some VLOOKUPs. 

635
00:35:46,400 --> 00:35:49,200
That's a lot of work. 
If we have orders in like a data

636
00:35:49,200 --> 00:35:53,520
lake, I can easily create a 
query to pull that data, but now

637
00:35:53,520 --> 00:35:57,240
I can also align and correlate 
it to an access request number, 

638
00:35:57,440 --> 00:36:00,840
let's say a ServiceNow, that 
ServiceNow request and then they

639
00:36:00,840 --> 00:36:03,600
can actually see that it was 
actually done and they can give 

640
00:36:03,600 --> 00:36:05,680
the reason and the description 
or in place. 

641
00:36:06,160 --> 00:36:09,720
So using that data from let's 
say a data lake, you can now 

642
00:36:10,160 --> 00:36:13,560
pull not only the access 
request data, the life cycle 

643
00:36:13,560 --> 00:36:17,160
management data, any friendlers 
access as well as any 

644
00:36:17,400 --> 00:36:22,600
pre-existing certification data.
All that is now combined in one 

645
00:36:22,600 --> 00:36:26,360
location where you can do easy 
queries to extract that and make

646
00:36:26,520 --> 00:36:30,320
better fine grained decisions on
the actual real data. 

647
00:36:31,840 --> 00:36:37,080
Yeah. 
So let me let me ask this 

648
00:36:37,080 --> 00:36:39,040
question. 
So obviously we talked about the

649
00:36:39,240 --> 00:36:44,200
AI and kind of like narrowing 
the focus on the important 

650
00:36:44,200 --> 00:36:47,800
decisions. 
Is that really also being driven

651
00:36:47,800 --> 00:36:51,080
in part by what we call identity
fatigue? 

652
00:36:51,080 --> 00:36:55,840
Just, you know, it winds up in a
large organization where there's

653
00:36:55,840 --> 00:36:59,200
a few people who become I, I 
don't want to use the term 

654
00:36:59,200 --> 00:37:03,320
bottlenecks because it sounds so
negative, but the idea that they

655
00:37:03,320 --> 00:37:07,400
wind up becoming the person who 
approves or disapproves a large 

656
00:37:07,400 --> 00:37:12,280
amount of access and really 
trying to tailor identity 

657
00:37:12,280 --> 00:37:17,800
becomes an exercise so that they
don't get overwhelmed and start 

658
00:37:17,800 --> 00:37:21,160
rubber stamping access. 
Is that kind of the driver in 

659
00:37:21,160 --> 00:37:24,440
your mind? 
That's the largest driver. 

660
00:37:24,440 --> 00:37:29,280
But I guess in addition to that,
you also have identity. 

661
00:37:30,000 --> 00:37:32,400
I call it identity hygiene. 
Most people do it now. 

662
00:37:32,760 --> 00:37:36,600
It's the hygiene part has been 
what's been missing over the 

663
00:37:36,600 --> 00:37:39,800
last decade. 
We all, even tools, products, 

664
00:37:39,800 --> 00:37:43,080
vendors, startups, they all want
to do the action. 

665
00:37:43,440 --> 00:37:46,480
Let's make a better IGA. 
Let's make a better LC and life 

666
00:37:46,480 --> 00:37:48,840
cycle management. 
Let's make better tools to 

667
00:37:48,840 --> 00:37:51,840
actually and better products so 
we can sell the product. 

668
00:37:52,360 --> 00:37:55,560
But what we forget is the 
cleanup is actually more 

669
00:37:55,560 --> 00:37:58,720
important because you can have 
one of the best products in the 

670
00:37:58,720 --> 00:38:01,880
world if you keep on 
provisioning, keep on adding and

671
00:38:02,160 --> 00:38:06,840
never clean up or remove, your 
actual audit data is poor 

672
00:38:07,400 --> 00:38:10,320
because the hygiene is poor. 
And that means that now more 

673
00:38:10,320 --> 00:38:12,560
people are doing requests and 
guess what? 

674
00:38:12,560 --> 00:38:16,400
That leads to the fatigue 
because now it's saying, I don't

675
00:38:16,400 --> 00:38:18,320
know why I'm approving this, but
I've been doing it for seven 

676
00:38:18,320 --> 00:38:21,160
years. 
It could be no one even uses 

677
00:38:21,160 --> 00:38:24,080
the application, it can be gone in 
the environment where people can

678
00:38:24,080 --> 00:38:27,640
still be potentially approving 
that access because it's the 

679
00:38:27,640 --> 00:38:31,080
name you know isn't on the sheet
that comes across every six 

680
00:38:31,080 --> 00:38:34,400
months. 
You know, I've, I've seen some 

681
00:38:34,440 --> 00:38:39,480
scenarios where the access 
review with AI looks like this. 

682
00:38:39,680 --> 00:38:42,040
So Steven, Jeff works for 
Steven. 

683
00:38:42,200 --> 00:38:44,960
Steven, here's the access that 
Jeff has. 

684
00:38:44,960 --> 00:38:49,880
And then AI highlights 3 or 4 
entitlements that, hey, you may 

685
00:38:49,880 --> 00:38:53,000
really want to look at this. 
So if you're Steven, you're only

686
00:38:53,000 --> 00:38:55,400
going to look at those three and
ignore the rest, right? 

687
00:38:55,560 --> 00:39:00,000
So why even show the rest? 
Is it because some organizations

688
00:39:00,000 --> 00:39:04,040
just say, hey, we have to, we 
have to check this box from a 

689
00:39:04,040 --> 00:39:06,440
regulation and compliance 
standpoint. 

690
00:39:07,480 --> 00:39:11,720
So we're going to show all 25. 
We all probably agree it's only 

691
00:39:11,720 --> 00:39:15,280
the three that matter. 
So it's, and I, I know I'm 

692
00:39:15,280 --> 00:39:17,200
asking a super generalized 
question. 

693
00:39:17,200 --> 00:39:20,640
It probably depends a little bit
on the situation, but do you 

694
00:39:20,640 --> 00:39:23,520
feel like that's something that 
regulators are going to push 

695
00:39:23,520 --> 00:39:28,520
back on and say, no, sorry, the 
rule says you got to review the 

696
00:39:28,520 --> 00:39:31,200
access. 
So you need to look at all 25 

697
00:39:31,680 --> 00:39:35,000
and you can use AI to kind of 
point people, but you can't 

698
00:39:35,000 --> 00:39:40,160
eliminate 22 of them. 
So really good question and I 

699
00:39:40,160 --> 00:39:44,560
have a great answer for that. 
If you think about this, Jim, if

700
00:39:44,560 --> 00:39:48,080
you didn't change anything in the
organization and you brought in 

701
00:39:48,080 --> 00:39:52,920
a tool to do that, that would 
not pass an audit exam, it would

702
00:39:52,920 --> 00:39:56,560
not pass a regulatory exam, 
because even though it's better 

703
00:39:56,560 --> 00:39:59,920
and it's actually reducing more 
risk and it's actually a better 

704
00:39:59,920 --> 00:40:03,840
hygiene. 
Most companies, the auditors, 

705
00:40:03,840 --> 00:40:07,840
the regulators, their job is to 
validate what you have written 

706
00:40:07,840 --> 00:40:09,560
in your standards and your 
requirements. 

707
00:40:10,280 --> 00:40:12,040
Think about it as like a soft 
skill. 

708
00:40:12,400 --> 00:40:16,000
A lot of engineers like working 
and consultants like the hard 

709
00:40:16,000 --> 00:40:18,200
skills, the hands on, the 
tangible skills. 

710
00:40:18,720 --> 00:40:21,800
But even when it comes to things
like access reviews or just 

711
00:40:21,800 --> 00:40:25,560
anything that's audit related, 
you have to focus on changing 

712
00:40:25,720 --> 00:40:28,960
your actual requirements and 
your standards and your policies

713
00:40:29,520 --> 00:40:31,840
by changing that. 
If I just change the line, Jim, 

714
00:40:31,840 --> 00:40:37,680
and say we're going to certify 
multiple times a year, access 

715
00:40:37,680 --> 00:40:42,360
that is determined through a 
systematic slash AI generated 

716
00:40:42,360 --> 00:40:46,840
method, the ones that need to be
reviewed, then I can now use 

717
00:40:46,840 --> 00:40:50,600
that because the auditor, the 
regulator has to look at what 

718
00:40:50,600 --> 00:40:53,040
the requirement is for our 
organization. 

719
00:40:54,000 --> 00:40:55,680
OK. 
So you have to kind of take that

720
00:40:55,680 --> 00:41:01,360
step wise approach where you 
first change the policy and then

721
00:41:01,360 --> 00:41:05,040
you comply with your own policy.
That makes sense to me. 

722
00:41:05,120 --> 00:41:07,920
You got it. 
Last thing I want to kind of 

723
00:41:07,920 --> 00:41:12,640
explore when it comes to access 
reviews is what is your advice 

724
00:41:12,640 --> 00:41:17,080
for the practitioners out there 
who are maybe doing access 

725
00:41:17,080 --> 00:41:22,480
reviews the old fashioned way or
let's call it IGA Gen. 1? 

726
00:41:22,880 --> 00:41:28,400
Are we really now at IGA Gen. 2?
Do you think if I wait a couple 

727
00:41:28,400 --> 00:41:31,760
years, it's going to be 
dramatically better and I should

728
00:41:31,760 --> 00:41:37,240
sit around and, you know, watch 
what happens in the market or 

729
00:41:37,640 --> 00:41:40,280
Yeah, what are your thoughts? 
I would 

730
00:41:40,280 --> 00:41:42,720
think, I would say the last 
conference I went to a few 

731
00:41:42,720 --> 00:41:47,920
months ago, there were two 
complete rows of just IGA 

732
00:41:47,920 --> 00:41:52,120
startups and vendors. 
And even though to me that seems

733
00:41:52,120 --> 00:41:55,640
like it's overkill, it actually 
gives us hope because that means

734
00:41:55,640 --> 00:41:59,680
people are now invested heavily 
in doing this. 

735
00:41:59,840 --> 00:42:04,600
Not not the best, but doing it 
in a way that is modernized and 

736
00:42:04,600 --> 00:42:09,160
that's more efficient. 
So at some point in time having 

737
00:42:09,160 --> 00:42:13,200
access to the data is going to 
translate into leveraging tools,

738
00:42:13,200 --> 00:42:15,960
slash processes to be able to 
make better decisions. 

739
00:42:16,320 --> 00:42:21,080
So right now we say IGA one is 
the normal HEXA certifications. 

740
00:42:21,080 --> 00:42:28,240
IGA two, we're going to skip 
Gen. 2, V2, because right now V2 is

741
00:42:28,240 --> 00:42:32,640
now adding AI/ML into it, but 
it's still in its early stages. 

742
00:42:33,120 --> 00:42:36,800
The next generation is going to 
have that more hard and fast. 

743
00:42:36,800 --> 00:42:38,600
I guess it's going to be 
modernized, it's going to be 

744
00:42:38,880 --> 00:42:41,400
tested. 
But even the vendors have to 

745
00:42:41,400 --> 00:42:44,080
understand it can't just be by 
the technology. 

746
00:42:44,160 --> 00:42:47,160
You have to look at it as how 
can you approach some of these 

747
00:42:47,160 --> 00:42:51,240
regulatory bodies and these 
compliance bodies and say, hey, 

748
00:42:51,320 --> 00:42:54,840
will you be OK if our solution 
shows you this? 

749
00:42:55,480 --> 00:42:59,000
Because that's how you really 
get to the next level is 

750
00:42:59,160 --> 00:43:02,560
companies can just say let's 
have the best product because it

751
00:43:02,560 --> 00:43:05,720
does have the best product that 
can comply with whatever 

752
00:43:05,720 --> 00:43:09,240
regulations out there. 
Well, I think the best product 

753
00:43:09,240 --> 00:43:11,400
is what you can afford. 
Also, I think there's an 

754
00:43:11,400 --> 00:43:14,760
underserved market for IGA. 
Where you've got the big 

755
00:43:14,760 --> 00:43:16,800
behemoths and we all know who 
those people are. 

756
00:43:17,120 --> 00:43:19,800
Those companies, there's a lot 
of companies that can't afford 

757
00:43:19,800 --> 00:43:24,480
those types of things and 
there's a lot of good IGA or you

758
00:43:24,480 --> 00:43:28,440
know, sometimes they're called 
IGA light vendors that are also 

759
00:43:28,520 --> 00:43:30,280
helpful. 
But even those vendors I'm 

760
00:43:30,280 --> 00:43:33,360
seeing kind of what their 
pricing has been and it's there.

761
00:43:33,400 --> 00:43:35,920
There isn't a fine, there isn't 
much of a financial benefit to 

762
00:43:35,920 --> 00:43:39,120
just say, OK, well, for, you 
know, 10% more, 15% more, 

763
00:43:39,120 --> 00:43:40,640
whatever the number is, right? 
I'm just making them up. 

764
00:43:41,000 --> 00:43:44,280
I can go with a tried and true, 
you know, established, you know,

765
00:43:44,280 --> 00:43:46,840
world class, you know, partner 
of this. 

766
00:43:47,120 --> 00:43:51,840
Or do I gamble on something that
is nobody's ever used before and

767
00:43:51,840 --> 00:43:55,360
they might have a great product,
but trying to get in the door 

768
00:43:55,800 --> 00:43:59,080
without references, without a 
track record. 

769
00:43:59,880 --> 00:44:03,240
I feel like in that case, and 
I'm focused mostly on small mid 

770
00:44:03,240 --> 00:44:06,280
sized businesses, they don't 
have the money to afford, you 

771
00:44:06,280 --> 00:44:08,320
know, an upper right Gartner 
quadrant for the most part, 

772
00:44:08,320 --> 00:44:12,560
unless they are heavily 
regulated or maybe they've had 

773
00:44:12,560 --> 00:44:14,880
an impact, you know, an incident
or something like that, right 

774
00:44:14,880 --> 00:44:16,200
where they have to do something 
about it. 

775
00:44:16,600 --> 00:44:18,040
Do you have? 
Does that make sense? 

776
00:44:18,640 --> 00:44:21,040
It makes sense. If I want to 
chime in on something from what 

777
00:44:21,040 --> 00:44:23,360
Jim said, how do the current 
practitioners do this? 

778
00:44:23,840 --> 00:44:27,280
In most SMBs, 
a lot of people do 

779
00:44:27,280 --> 00:44:28,520
this with just spreadsheets 
today. 

780
00:44:28,840 --> 00:44:32,840
So let's talk about tools. 
Spreadsheets today are easy. 

781
00:44:32,840 --> 00:44:37,320
Some of the easiest ways to go 
ahead and say, hey, I've done my

782
00:44:37,320 --> 00:44:41,160
access certification because 
depending on the volume, if it's

783
00:44:41,160 --> 00:44:44,400
only, say, 50 people in a 
company, you can do that for 

784
00:44:44,400 --> 00:44:46,760
these. 
Now most, let's say financial 

785
00:44:46,760 --> 00:44:50,280
companies or companies that have 
compliance, say PCI as an 

786
00:44:50,280 --> 00:44:53,720
example, PCI 4.0, you 
know, the reg was published and came

787
00:44:53,720 --> 00:44:56,680
out truly like last year, but it
goes into effect starting this 

788
00:44:56,680 --> 00:44:59,560
year. 
There's a requirement about 

789
00:44:59,840 --> 00:45:03,000
service accounts, not only my 
identities having to be kind of 

790
00:45:03,000 --> 00:45:07,560
certified. 
Most IGA tools today don't 

791
00:45:07,560 --> 00:45:09,640
really do service accounts or non-
human identities. 

792
00:45:09,640 --> 00:45:12,440
Well, like they're not because 
it's not as simple as just 

793
00:45:12,600 --> 00:45:15,800
pulling from an existing, you 
know, life cycle management tool

794
00:45:16,000 --> 00:45:19,680
and it's showing on the screen, 
hey, accounts entitlements. 

795
00:45:20,000 --> 00:45:23,960
So because of PCI 4, more 
companies are trying to now get 

796
00:45:23,960 --> 00:45:27,960
into service accounts or non 
human identities certifications.

797
00:45:28,360 --> 00:45:33,560
And it's driven because now PCI 
is saying you have to do this. 

798
00:45:33,880 --> 00:45:37,480
So sometimes the regulations and
the regulators kind of 

799
00:45:37,480 --> 00:45:40,480
help lead and define where the 
industry is going. 

800
00:45:40,800 --> 00:45:42,160
And that's a very positive 
thing. 

801
00:45:43,640 --> 00:45:47,200
That's a great point. 
Yeah, I mean, there's a lot to 

802
00:45:47,200 --> 00:45:50,080
unpack there and I think I want 
to try and take advantage of 

803
00:45:50,080 --> 00:45:52,080
your big brain when it comes to 
the stuff. 

804
00:45:52,920 --> 00:45:57,280
So we have a listener out in 
the western part of the US, Bert

805
00:45:57,800 --> 00:46:00,000
and he and I were trading a 
couple of messages on LinkedIn 

806
00:46:00,000 --> 00:46:04,600
and he wanted us to do a podcast
on how in scope companies can 

807
00:46:04,600 --> 00:46:08,000
comply with NYDFS. 
And I'll explain in a second 

808
00:46:08,360 --> 00:46:11,800
because one of their IAM 
requirements is periodically, 

809
00:46:11,800 --> 00:46:14,600
but at a minimum, annually 
review all user access 

810
00:46:14,600 --> 00:46:17,880
privileges and remove or disable
accounts and access that are no 

811
00:46:17,880 --> 00:46:20,480
longer necessary. 
So first of all, let me explain 

812
00:46:20,480 --> 00:46:22,840
NYDFS because we have people 
around the world and people not 

813
00:46:22,840 --> 00:46:25,760
being familiar with that. 
NYDFS is the New York Department

814
00:46:25,760 --> 00:46:29,680
of Financial Services, and they 
have a cybersecurity requirement

815
00:46:29,680 --> 00:46:34,480
for financial services companies
that operate in the state of New

816
00:46:34,480 --> 00:46:38,680
York where they have to have a 
cybersecurity program and 

817
00:46:38,680 --> 00:46:42,000
certain controls to, you know, 
maintain confidentiality, 

818
00:46:42,000 --> 00:46:44,000
integrity, availability, right, 
all those types of stuff. 

819
00:46:44,360 --> 00:46:47,120
And of course, if there are 
cybersecurity regulation, there 

820
00:46:47,120 --> 00:46:51,600
are IAM components, and one of 
those is this idea of doing user

821
00:46:51,600 --> 00:46:55,360
access reviews. 
So I want to bring this back to 

822
00:46:55,360 --> 00:46:57,160
you because obviously, you know,
this is something that's 

823
00:46:57,160 --> 00:46:59,880
probably near and dear to your 
heart is can you talk about 

824
00:46:59,880 --> 00:47:05,800
NYDFS and specifically the user
access review component of that?

825
00:47:05,840 --> 00:47:09,720
How should financial services 
firms be looking at how to 

826
00:47:09,720 --> 00:47:11,880
comply with that? 
What should we be looking at? 

827
00:47:12,120 --> 00:47:14,040
What should we be certifying? 
What should we not be 

828
00:47:14,040 --> 00:47:16,680
certifying? 
And are there any gotchas or 

829
00:47:16,680 --> 00:47:18,320
things or tips and tricks that 
you might have? 

830
00:47:19,480 --> 00:47:23,960
No, absolutely. 
So NYDFS, I've worked for a few 

831
00:47:23,960 --> 00:47:26,520
companies that have been in 
scope for that, but I'll make it

832
00:47:26,520 --> 00:47:29,200
a little bit broader for 
like the entire audience. 

833
00:47:29,560 --> 00:47:33,040
I mean, think about NYDFS, think
about the Federal Reserve Board,

834
00:47:33,160 --> 00:47:36,720
FDIC, you can think about even 
SOX, you know, SOX 

835
00:47:36,720 --> 00:47:40,240
compliance, SOC 1 compliance.
They all have these similar 

836
00:47:40,240 --> 00:47:42,920
requirements. 
And sometimes the best way that 

837
00:47:42,920 --> 00:47:46,320
I tell people to kind of point 
them to is if you have a 

838
00:47:46,320 --> 00:47:49,440
security program aligned with 
the NIST cybersecurity 

839
00:47:49,440 --> 00:47:53,880
framework, you're going to naturally
99% align to everything else, to

840
00:47:53,880 --> 00:47:57,560
whatever regulatory bodies, 
because most of the bodies pull 

841
00:47:57,840 --> 00:48:00,720
from things like NIST, I mean, 
other frameworks as well. 

842
00:48:01,120 --> 00:48:05,360
But the NIST CSF Cybersecurity 
framework, especially that 2.0 

843
00:48:05,960 --> 00:48:09,760
is where a lot of the government
cybersecurity programs, the 

844
00:48:09,760 --> 00:48:11,680
NYDFS and others are pulling 
from. 

845
00:48:12,320 --> 00:48:18,800
And the really important part of 
access reviews from NYDFS or 

846
00:48:18,800 --> 00:48:24,200
anyone else is really defining 
what is the scope of the access 

847
00:48:24,200 --> 00:48:28,440
review, meaning, you know, what Jim 
mentioned earlier or something 

848
00:48:28,440 --> 00:48:30,400
like Adobe or something like 
that. 

849
00:48:30,720 --> 00:48:34,240
Do I want to attest or certify
Adobe Acrobat Reader? 

850
00:48:34,560 --> 00:48:36,120
What's the value of something 
like that? 

851
00:48:36,240 --> 00:48:38,920
You know, it's just a it's a 
product that most people have 

852
00:48:39,280 --> 00:48:43,160
Chrome, I mean web browsers 
though, is there really value in

853
00:48:43,160 --> 00:48:45,320
it? 
Now there's a financial SOX 

854
00:48:45,320 --> 00:48:48,840
tool, there's a ton of value in 
attesting there. 

855
00:48:48,840 --> 00:48:54,440
The problem in the industry is 
this: everyone has not scoped 

856
00:48:54,440 --> 00:48:58,480
out the applications or the 
access that truly require it. 

857
00:48:58,760 --> 00:49:03,040
So all a regulatory body or an 
internal auditor can do 

858
00:49:03,040 --> 00:49:05,440
is say show me everything. 
And that's the. 

859
00:49:05,440 --> 00:49:08,160
That's the biggest issue. 
Without having that scope 

860
00:49:08,440 --> 00:49:12,720
clearly defined, you have to 
produce everything, because, 

861
00:49:12,720 --> 00:49:15,440
and it does make sense. 
It's like if you can't tell me 

862
00:49:15,440 --> 00:49:18,120
exactly what's in scope, I have 
to see everything. 

863
00:49:20,240 --> 00:49:22,160
I like that idea of scoping 
because I do see that as an 

864
00:49:22,160 --> 00:49:24,520
issue. 
I think one of the main things 

865
00:49:24,520 --> 00:49:28,280
to consider in this might be non
public information, right? 

866
00:49:28,280 --> 00:49:30,400
Who cares about the stuff that 
is public? 

867
00:49:30,480 --> 00:49:33,360
It's public while you're 
reviewing that access. 

868
00:49:33,920 --> 00:49:37,720
But I think one of the areas 
that maybe helps fine tune, 

869
00:49:37,960 --> 00:49:39,440
right, what you should be 
looking at are what are the 

870
00:49:39,440 --> 00:49:42,520
things that are not public? 
And then from the non public 

871
00:49:42,520 --> 00:49:45,760
information, what are things 
that do carry the risk factors 

872
00:49:45,760 --> 00:49:48,720
that might be associated with 
either data breach or, you know,

873
00:49:48,720 --> 00:49:52,160
maybe it's transmission of that 
data, obviously customer data or

874
00:49:52,200 --> 00:49:55,680
you know, things like that. 
I love that idea of getting your

875
00:49:55,680 --> 00:49:58,800
scope right because if you don't
have the scope right, it's like 

876
00:49:58,800 --> 00:50:00,840
you said before, you know, my 
experience, auditors, they're 

877
00:50:00,840 --> 00:50:03,000
just checking what you said 
you're going to do. 

878
00:50:03,520 --> 00:50:06,000
And if you haven't written your 
policy or your standard or 

879
00:50:06,000 --> 00:50:10,240
whatever it is that you do, you 
know, to articulate that and 

880
00:50:10,240 --> 00:50:12,920
you leave it open to 
interpretation, that's where you

881
00:50:12,920 --> 00:50:15,560
get into trouble. 
So I think if you craft very 

882
00:50:15,560 --> 00:50:19,920
well defined policy standards 
and processes around what are we

883
00:50:19,920 --> 00:50:25,200
looking at, you know, and try to
leave as few argument points as 

884
00:50:25,200 --> 00:50:28,200
possible that someone can go 
against, you'll be in a much 

885
00:50:28,200 --> 00:50:29,960
better position. 
Does that make sense? 

886
00:50:30,600 --> 00:50:35,720
No, it makes a lot of sense and,
and even more so, there is so 

887
00:50:35,720 --> 00:50:39,840
much value in taking the time to
architect and design the 

888
00:50:39,840 --> 00:50:43,040
processes for a program, for an 
identity program. 

889
00:50:43,040 --> 00:50:46,800
And what I mean by that is I'm 
teaching my own organization, my

890
00:50:46,800 --> 00:50:49,400
team. 
Don't just look for technology 

891
00:50:49,400 --> 00:50:52,840
to solve the problem. 
Create a process that you want 

892
00:50:52,840 --> 00:50:56,600
to solve for and then you can 
look to see, do you need 

893
00:50:56,640 --> 00:51:00,480
technology or do you just need, 
you know, people like not 

894
00:51:00,480 --> 00:51:04,600
everything is solved by having a
just a big as hammer, you know, 

895
00:51:04,680 --> 00:51:06,280
and. 
But we bought IGA, it's going to

896
00:51:06,280 --> 00:51:09,160
solve all our problems. 
If that was the case, the world 
would

897
00:51:09,160 --> 00:51:10,960
be in a better place. 
And I haven't talked to 

898
00:51:10,960 --> 00:51:12,640
any regulators or auditors in my
life. 

899
00:51:13,160 --> 00:51:15,880
Unfortunately, even they don't 
like automation. 

900
00:51:16,240 --> 00:51:18,880
I mean, I mean we always have 
some automation and we got 

901
00:51:18,880 --> 00:51:21,320
scripting languages and we can 
do all these wonderful things. 

902
00:51:21,880 --> 00:51:24,200
Even when you give it to them, 
they are saying the next 

903
00:51:24,200 --> 00:51:27,040
question is, well, how do I know
this is complete and accurate? 

904
00:51:27,720 --> 00:51:31,680
And it's like, oh, so at the end of
the day, trying to be fancy 

905
00:51:32,240 --> 00:51:34,880
with the regulators and the 
auditors does not work. 

906
00:51:35,000 --> 00:51:38,080
It's. 
It's simply giving them your 

907
00:51:38,080 --> 00:51:40,640
scope and saying. 
This is what we're doing for our

908
00:51:40,640 --> 00:51:43,680
scope. 
Now they could always argue all 

909
00:51:43,680 --> 00:51:45,400
their points, right? 
You should be looking to start 

910
00:51:45,400 --> 00:51:47,800
thinking, OK, well, that's a 
different discussion now. 

911
00:51:47,800 --> 00:51:50,240
It's not what we're looking at 
is what else should we be 

912
00:51:50,240 --> 00:51:51,320
looking at? 
Which is probably a better 

913
00:51:51,320 --> 00:51:53,240
position to be in. 
I guess I've, I've had the right

914
00:51:53,240 --> 00:51:54,320
management responses in the 
past. 

915
00:51:54,320 --> 00:51:58,080
They're not fun. 
Oh no, no, they are not at all. 

916
00:52:00,040 --> 00:52:03,600
And at some point the, the world
and the industry and everyone is

917
00:52:03,600 --> 00:52:08,200
going to start shifting to 
automation and AI and all these,

918
00:52:08,200 --> 00:52:11,240
you know, cool tools that are 
still relatively cutting edge 

919
00:52:11,240 --> 00:52:14,080
for a lot of organizations. 
And auditors are going to be 

920
00:52:14,080 --> 00:52:16,680
like, you know, that the policy 
or the configuration is going to

921
00:52:16,680 --> 00:52:18,240
be all right. 
Well, we do this through our IGA 

922
00:52:18,240 --> 00:52:21,080
platform and it's all automated.
At some point, the auditors are 

923
00:52:21,080 --> 00:52:24,240
probably going to ask more 
questions around the how is the 

924
00:52:24,240 --> 00:52:27,840
product configured? 
What are the configurations or 

925
00:52:27,840 --> 00:52:31,240
policies that you've set up 
within the actual tools? 

926
00:52:31,560 --> 00:52:33,680
Do you have any thoughts or 
guidance on how you might want 

927
00:52:33,680 --> 00:52:35,440
to address that in the future 
for people who are listening? 

928
00:52:36,600 --> 00:52:39,280
Yeah, one of the first things is
you have to make sure that you 

929
00:52:39,280 --> 00:52:42,320
train your auditors. 
And I know that sounds kind of 

930
00:52:42,320 --> 00:52:44,840
funny, but the end of the day. 
It's absolutely true. 

931
00:52:45,440 --> 00:52:48,320
It's also a choice. 
How much time do you want to 

932
00:52:48,320 --> 00:52:51,720
spend every cycle teaching them 
about what you're doing? 

933
00:52:52,280 --> 00:52:56,200
But even things, I mean, we all 
know that a policy based access 

934
00:52:56,200 --> 00:53:00,240
control is probably the best 
thing, but it's so challenging 

935
00:53:00,240 --> 00:53:03,760
and difficult to get to policy 
based access control no matter 

936
00:53:03,760 --> 00:53:07,680
what tools exist, no matter how 
much you try, because RBAC is 

937
00:53:07,680 --> 00:53:10,880
just easier. 
I mean, RBAC is just easy, you 

938
00:53:10,880 --> 00:53:14,200
know, even attribute based 
access control, ABAC, even 

939
00:53:14,200 --> 00:53:16,840
ABAC is a little bit easier, you
know, But when it comes to 

940
00:53:16,840 --> 00:53:18,920
policy based, that is where it's
going. 

941
00:53:19,520 --> 00:53:24,640
And once we can tie together 
that a policy is almost its own 

942
00:53:24,640 --> 00:53:29,680
requirement and that requirement
can be tied to a standard, then 

943
00:53:29,960 --> 00:53:33,480
the auditors can actually start 
to take that because they can 

944
00:53:33,480 --> 00:53:38,240
easily correlate and take and 
tie this policy here is 

945
00:53:38,240 --> 00:53:41,440
referenced in this standard or 
policy or policy. 

946
00:53:41,680 --> 00:53:44,920
And I can actually control and 
validate that myself. 

947
00:53:45,480 --> 00:53:49,640
So we need to get there, and 
the way automation is going 

948
00:53:49,640 --> 00:53:52,040
to work is that we actually get 
to the point where they can 

949
00:53:52,040 --> 00:53:54,520
trust the policy. 
But that also requires a lot of 

950
00:53:54,520 --> 00:53:58,400
training and teaching to 
let them know how this actually 

951
00:53:58,400 --> 00:54:01,760
works. 
It's interesting you said 

952
00:54:01,760 --> 00:54:04,600
RBAC and ABAC are easier. 
I think they're easier to 

953
00:54:04,600 --> 00:54:10,560
explain to people, to actually 
be successful in managing them, 

954
00:54:10,560 --> 00:54:12,240
to get the results that you 
want. 

955
00:54:12,480 --> 00:54:16,480
I don't know that it's easier. 
Yeah, I know I would agree with 

956
00:54:16,480 --> 00:54:18,400
that. 
I would say that it's the, it's,

957
00:54:18,800 --> 00:54:21,320
it's the name, you know, like 
everyone understands RBAC. 

958
00:54:21,760 --> 00:54:25,560
And when most, most people who 
call me to do an assessment, 

959
00:54:26,240 --> 00:54:28,800
they always say, Oh yeah, we can
talk about, you know, the best 

960
00:54:28,800 --> 00:54:31,640
RBAC model to use. 
And whenever someone says 

961
00:54:31,640 --> 00:54:36,240
RBAC model to me in the last 2-3
years, I kind of come in with 

962
00:54:36,240 --> 00:54:40,600
trepidation, like are you telling
me that RBAC that they use 

963
00:54:40,600 --> 00:54:44,880
right now with this whole cloud, 
SaaS based, just in time, no 

964
00:54:44,880 --> 00:54:47,720
standard permissions, Are you 
sure you want to go in there? 

965
00:54:49,560 --> 00:54:50,800
It's hard. 
I think there's a lot of 

966
00:54:50,800 --> 00:54:54,000
companies who wish they were 
RBAC and there's a lot of 

967
00:54:54,000 --> 00:54:57,120
companies that are RBAC and wish
maybe they hadn't gone on the 

968
00:54:57,120 --> 00:54:58,880
RBAC route. 
It's, it's difficult to do. 

969
00:54:58,880 --> 00:55:02,120
It's, it's why I typically will 
encourage organizations that are

970
00:55:02,120 --> 00:55:05,080
starting on that road to maybe 
focus on attribute based access 

971
00:55:05,080 --> 00:55:07,880
control because they feel it's a
little bit more of a, of a hill 

972
00:55:08,240 --> 00:55:11,160
versus a mountain. 
It still requires good data, 

973
00:55:11,320 --> 00:55:13,280
right? 
And the, the, the idea is like 

974
00:55:13,280 --> 00:55:16,320
throughout any of these back 
models, whatever they are, is 

975
00:55:16,320 --> 00:55:17,920
you still need data to drive 
that. 

976
00:55:17,920 --> 00:55:20,880
And I feel like most 
organizations, even if it's just

977
00:55:20,880 --> 00:55:23,920
basic attribute based access 
control is, is the person an 

978
00:55:23,920 --> 00:55:27,000
employee or not? 
That might be, as you know, that

979
00:55:27,000 --> 00:55:28,960
might be as granular as you can 
get based on the data, But hey, 

980
00:55:28,960 --> 00:55:32,520
at least it's something and you 
start working with your business

981
00:55:32,520 --> 00:55:35,440
partners on the HR side, right? 
Hey, if we got this data, we 

982
00:55:35,440 --> 00:55:37,760
could do this thing, right? 
And I think it's funny, you 

983
00:55:37,760 --> 00:55:41,880
mentioned training auditors and 
I think that is the importance 

984
00:55:41,880 --> 00:55:44,760
of establishing relationships 
with other groups, right? 

985
00:55:44,760 --> 00:55:47,680
If you are, if you have a good 
relationship with your auditors,

986
00:55:47,680 --> 00:55:50,280
they can be advocates for you. 
I think a lot of times they come

987
00:55:50,280 --> 00:55:53,920
in as the enemy to some degree. 
But if they understand how 

988
00:55:53,920 --> 00:55:56,520
you're operating and you've 
trained them, you've educated 

989
00:55:56,520 --> 00:56:00,080
them on, look, here's what we're
doing and you actually engage 

990
00:56:00,080 --> 00:56:02,800
them in a proactive way and 
say, hey, here's what we're 

991
00:56:02,800 --> 00:56:05,120
doing, what am I missing? 
You're going to audit me, Tell 

992
00:56:05,120 --> 00:56:07,600
me what I need to be looking 
for, help me out here. 

993
00:56:08,000 --> 00:56:11,560
Their job isn't really to get 
you into trouble because most 

994
00:56:11,560 --> 00:56:13,400
likely, especially in the bigger
organization, and feel free to 

995
00:56:13,400 --> 00:56:15,600
correct me if I'm wrong. 
You have an internal audit team 

996
00:56:15,600 --> 00:56:18,600
that does like an internal check
and then the external auditors 

997
00:56:18,600 --> 00:56:20,640
come in and those are the ones 
you want to be very concerned 

998
00:56:20,640 --> 00:56:23,320
about. 
So almost like a catch before 

999
00:56:23,320 --> 00:56:24,960
the real audit comes through. 
That makes sense. 

1000
00:56:24,960 --> 00:56:27,920
Absolutely no. 
I tell everyone this internal 

1001
00:56:27,920 --> 00:56:31,000
audit, which we call the third 
line of defense, their job

1002
00:56:31,000 --> 00:56:34,800
is to be independent, but their 
job is the same job as first 

1003
00:56:34,800 --> 00:56:38,080
line of defense, which is normally 
us, is to protect the company, 

1004
00:56:38,520 --> 00:56:41,520
period. 
You know, when we look at them 

1005
00:56:41,600 --> 00:56:45,760
as the bad cops, for example, 
we're not getting the best out 

1006
00:56:45,760 --> 00:56:48,560
of the partnership. 
Yes, we can't share everything 

1007
00:56:48,800 --> 00:56:51,920
because they have to still 
maintain independence and that's

1008
00:56:51,920 --> 00:56:54,320
important. 
Now the external auditors just 

1009
00:56:54,320 --> 00:56:57,280
come in with industry best 
practices in the check box and 

1010
00:56:57,280 --> 00:57:00,800
say we need to say are you doing
A, B, C, D, E and F? 

1011
00:57:01,360 --> 00:57:03,720
And they're showing me that 
you're doing A, B, C, D, E and F. 

1012
00:57:04,400 --> 00:57:07,520
So you really can't build 
relationships with external 

1013
00:57:07,520 --> 00:57:11,160
auditors as much, where your 
internal audit program is there 

1014
00:57:11,160 --> 00:57:13,520
to protect the company the same 
reason as you are. 

1015
00:57:15,200 --> 00:57:16,840
Well, I appreciate you spending 
time with us. 

1016
00:57:16,840 --> 00:57:18,760
I think there's, there's so much
going on here. 

1017
00:57:18,760 --> 00:57:21,280
And you know, this is one of 
those things where I wouldn't 

1018
00:57:21,280 --> 00:57:24,000
say it's a sexy part of IAM, 
but it's a necessary part. 

1019
00:57:24,000 --> 00:57:27,560
It's plumbing, I guess how sexy 
it is, is based on the UI maybe 

1020
00:57:27,560 --> 00:57:29,640
you've created, you know, maybe 
that can have, you know, some 

1021
00:57:29,640 --> 00:57:31,400
bells and whistles on it. 
But I really appreciate you 

1022
00:57:31,400 --> 00:57:33,680
spending time with us. 
I want to end the show on a 

1023
00:57:33,680 --> 00:57:36,360
lighter note. 
We were talking and I just kind 

1024
00:57:36,360 --> 00:57:38,440
of sprung this before we hit 
record here. 

1025
00:57:38,760 --> 00:57:41,440
You mentioned that you are, you 
know, you're definitely into 

1026
00:57:41,440 --> 00:57:42,640
fitness. 
You mentioned things like Tough 

1027
00:57:42,640 --> 00:57:47,000
Mudder, Spartan Races, Pelotons,
you know, working out. 

1028
00:57:47,280 --> 00:57:49,680
Obviously, you and Jim can 
probably go on at this for about

1029
00:57:49,680 --> 00:57:51,720
an hour. 
I'll just kind of plot, you 

1030
00:57:51,720 --> 00:57:54,560
know, nod politely and stare at 
my Peloton row that's over here 

1031
00:57:54,560 --> 00:57:58,280
that has been collecting dust. 
Tell me about Tough Mudder and 

1032
00:57:58,280 --> 00:58:00,320
Spartan races and all these 
things that you're doing just to

1033
00:58:00,320 --> 00:58:02,440
sort of stay fit. 
And I guess explain them in a 

1034
00:58:02,440 --> 00:58:04,680
way was like, OK, not everyone 
may be familiar with what these 

1035
00:58:04,680 --> 00:58:07,080
are. 
Explain for people that aren't 

1036
00:58:07,080 --> 00:58:09,600
familiar what a Tough Mudder is,
for example. 

1037
00:58:10,240 --> 00:58:13,000
So I get there. 
I want to talk about the why 

1038
00:58:13,000 --> 00:58:15,600
behind it. 
The why is when you run large 

1039
00:58:15,600 --> 00:58:18,720
organizations or just have a lot
of work, I will work. 

1040
00:58:18,720 --> 00:58:22,280
Cybersecurity is stressful. 
I don't care what anyone says, it

1041
00:58:22,280 --> 00:58:26,360
is stressful, it's a lot of work 
and we all need a reprieve. 

1042
00:58:26,920 --> 00:58:30,240
So you can do that different
ways, you know, health, healthy 

1043
00:58:30,240 --> 00:58:33,480
ways are working out like crazy.
You know, other ways are 

1044
00:58:33,480 --> 00:58:35,640
drinking. 
I mean, whatever floats your 

1045
00:58:35,640 --> 00:58:38,400
boat. 
But the end of the day, I got 

1046
00:58:38,400 --> 00:58:41,640
into just physical fitness about
five years ago. 

1047
00:58:41,640 --> 00:58:44,080
Doctor was like, you had to want
to make a change, Steven, or 

1048
00:58:44,080 --> 00:58:47,880
you're not going to be around. 
So I said let me go all the way 

1049
00:58:47,880 --> 00:58:51,000
in and make a change. 
But the Tough Mudder is an 

1050
00:58:51,000 --> 00:58:55,720
obstacle course based race. 
You know my first one we did 3.1

1051
00:58:55,720 --> 00:58:59,040
miles like a 5K. 
But next we're doing one in April 

1052
00:58:59,040 --> 00:59:03,000
which is 15K. 
So you're close to 10 miles 

1053
00:59:03,000 --> 00:59:05,840
roughly and it's about 25 
obstacles. 

1054
00:59:06,320 --> 00:59:10,000
And when I say that, you get it, 
it's called Tough Mudder because 

1055
00:59:10,320 --> 00:59:14,840
half the obstacles require 
some form of mud or water. 

1056
00:59:15,000 --> 00:59:17,560
But when you already have mud 
and you go into a pool of water,

1057
00:59:17,760 --> 00:59:20,560
it will become muddy. 
And it's but it's fun because 

1058
00:59:20,560 --> 00:59:23,520
it's not just a race. 
You got to work as a team, as a 

1059
00:59:23,520 --> 00:59:25,240
group. 
And I think the reason I love it

1060
00:59:25,240 --> 00:59:28,960
so much is that it's about 10 to
15 of us who do it together. 

1061
00:59:29,440 --> 00:59:33,000
And it's not about who can win. 
Because some of the races or 

1062
00:59:33,000 --> 00:59:35,960
some of the obstacles, you 
have to use 3-4 people to form a

1063
00:59:35,960 --> 00:59:37,600
base. 
Then two people have to climb on

1064
00:59:37,600 --> 00:59:40,000
top of them, then the one person
have to climb on top of all of 

1065
00:59:40,000 --> 00:59:42,800
them and then you got to pull 
each one up as well. 

1066
00:59:43,040 --> 00:59:47,960
So it really is more teamwork in
building that camaraderie and most 

1067
00:59:47,960 --> 00:59:51,520
of my workout partners, we all 
met during COVID 1 Peloton. 

1068
00:59:51,960 --> 00:59:54,640
So a new one. 
COVID, no one was at gyms and we

1069
00:59:54,640 --> 00:59:57,880
just used the Peloton as a way 
to engage, interact. 

1070
00:59:58,160 --> 01:00:01,800
Yeah, you know, Facebook groups.
And it was, we said when it was 

1071
01:00:01,800 --> 01:00:04,440
over, hey, let's meet up in real
life and do some. 

1072
01:00:04,440 --> 01:00:07,320
Physical activities, I love 
that. 

1073
01:00:07,320 --> 01:00:10,360
And you mentioned you've got the
whole Peloton armada between the

1074
01:00:10,760 --> 01:00:14,760
the row, the bike, the Tread, if
somebody, which is your favorite

1075
01:00:14,760 --> 01:00:17,920
of those three because I've only
used the the bike and the row. 

1076
01:00:18,480 --> 01:00:23,320
So the tread is my favorite, but
it's any any of the machines are

1077
01:00:23,320 --> 01:00:27,840
great. 
But I have such a competitive 

1078
01:00:27,840 --> 01:00:31,080
spirit that the reason why I 
like Peloton is because the one 

1079
01:00:31,080 --> 01:00:34,440
thing the leaderboard and some 
days I wake up and say I'm gonna

1080
01:00:34,440 --> 01:00:36,800
have a low impact day and I'll 
get on the bike. 

1081
01:00:36,800 --> 01:00:39,720
We get on the tread. 
I do a nice job and if someone 

1082
01:00:39,720 --> 01:00:42,680
will high 5 me which and like 
they're right next to me but 

1083
01:00:42,680 --> 01:00:45,160
they below me in terms of like 
the output, but then they'll 

1084
01:00:45,160 --> 01:00:50,480
high 5 me and then pass it. 
And my gut feeling is, is that 

1085
01:00:50,480 --> 01:00:52,080
intentional? 
Like I'm fine. 

1086
01:00:52,080 --> 01:00:54,600
That was like that peace dude, 
I'm flying past you. 

1087
01:00:54,840 --> 01:00:58,080
I'm like, I'm fine too. 
So when I see that Jeff, it's 

1088
01:00:58,080 --> 01:01:02,720
like here we go now turn 
everything up, take the shirt 

1089
01:01:02,720 --> 01:01:05,640
off and now I'm just running. 
Now it's like now I was like, 

1090
01:01:05,640 --> 01:01:08,520
OK, let me get to the six minute
mile and let me see how long I 

1091
01:01:08,520 --> 01:01:12,040
go with this and we out. 
I love that. 

1092
01:01:12,200 --> 01:01:16,240
What's your What is your 
favorite and least favorite 

1093
01:01:16,320 --> 01:01:20,400
Tough Mudder obstacle? 
The ice, the ice bucket, or the 

1094
01:01:20,400 --> 01:01:22,600
ice pole is probably my least 
favorite. 

1095
01:01:23,120 --> 01:01:24,040
OK, what is? 
What is that? 

1096
01:01:24,560 --> 01:01:28,160
So is we ordered the ice bucket 
challenge from a few years ago. 

1097
01:01:28,160 --> 01:01:30,520
We're basically in a bucket of 
ice or even going to like ice 

1098
01:01:30,520 --> 01:01:35,800
bath is basically 2 ice baths 
put together and you got to go 

1099
01:01:35,920 --> 01:01:39,600
underneath 2 walls or inside 
inside of the ice bath. 

1100
01:01:39,920 --> 01:01:42,680
So you literally got to climb 
inside and then go under the 

1101
01:01:42,680 --> 01:01:44,760
water. 
So it's all ice now and they got

1102
01:01:44,760 --> 01:01:47,520
to come up and then go under it 
again and come up. 

1103
01:01:47,920 --> 01:01:50,040
And this is normally at the end 
of the race. 

1104
01:01:50,400 --> 01:01:53,520
So it's you're already mighty. 
I mean it's just some people say

1105
01:01:53,560 --> 01:01:56,560
what is cleaning you up? 
No, it is still I can. 

1106
01:01:56,560 --> 01:02:00,320
Think of better ways to get 
clean 7. 0° And what happens 

1107
01:02:00,320 --> 01:02:02,520
right after that is the 
electrical shock. 

1108
01:02:02,680 --> 01:02:06,200
So it's like a whole lot of 
strings of just electrified, you

1109
01:02:06,200 --> 01:02:08,600
know, tape and you got then went
through that. 

1110
01:02:08,640 --> 01:02:10,040
Have you just came out the ice 
mask? 

1111
01:02:10,240 --> 01:02:12,520
So yeah, that is not the best 
part. 

1112
01:02:12,840 --> 01:02:15,200
I think it was one obstacle that
was fun. 

1113
01:02:15,520 --> 01:02:19,760
It was huge tree logs and they 
had like little notches in it, 

1114
01:02:20,240 --> 01:02:22,800
complete mud. 
And you have to literally throw 

1115
01:02:22,800 --> 01:02:24,880
your body up or try to jump and 
grab on. 

1116
01:02:25,240 --> 01:02:27,040
And it reminded me of when I was
young. 

1117
01:02:27,040 --> 01:02:32,000
I used to watch what is it 
American Gladiator and Jazz that

1118
01:02:32,000 --> 01:02:35,120
that show how we wanted to do 
things like that and you're 

1119
01:02:35,120 --> 01:02:37,920
trying to like climb over, you 
know, like those rollers in 

1120
01:02:37,920 --> 01:02:40,520
American Gladiators. 
So I always send a thing that 

1121
01:02:40,560 --> 01:02:44,680
I'm back in the 90s and 2000s 
watching American Gladiator and 

1122
01:02:44,680 --> 01:02:48,400
going crazy. 
Jim, I know you work out. 

1123
01:02:48,920 --> 01:02:51,120
Jim, I've known you for what, 
nine years, 10 years, some like 

1124
01:02:51,120 --> 01:02:52,600
that. 
And ever since I've known you, 

1125
01:02:53,040 --> 01:02:55,560
you are religious about your 
workouts every day. 

1126
01:02:56,720 --> 01:02:58,720
I don't know if you've ever done
a Tough Mudder. 

1127
01:02:58,920 --> 01:03:05,280
Is that something you would do? 
It's not so it's it's so funny 

1128
01:03:05,280 --> 01:03:09,760
when I was listening to Steven 
talk about why he started, how 

1129
01:03:09,760 --> 01:03:13,240
he started, it felt like he was 
telling my story. 

1130
01:03:13,520 --> 01:03:15,960
But I've been at this probably 
15 years. 

1131
01:03:15,960 --> 01:03:19,120
So I exact same thing. 
You know, I'd be in this 

1132
01:03:19,120 --> 01:03:25,040
stressful world of IT and 
Infosec and I and the day like I

1133
01:03:25,040 --> 01:03:29,480
had to wind down. 
So it'd be a couple beers or 

1134
01:03:29,480 --> 01:03:32,920
something and then you just 
start to realize like that's not

1135
01:03:32,920 --> 01:03:36,840
good for you. 
So I started running and you 

1136
01:03:36,840 --> 01:03:39,520
know, I worked my way all the 
way up to doing marathons. 

1137
01:03:39,640 --> 01:03:43,680
It didn't take really that long,
maybe a year from going from, 

1138
01:03:44,000 --> 01:03:48,440
you know, having a few beers 
after work to just I'm going to 

1139
01:03:48,440 --> 01:03:53,400
go run for a couple hours. 
And what a stress reliever. 

1140
01:03:54,840 --> 01:03:58,600
I did wind up hurting my back 
running and I started doing more

1141
01:03:58,600 --> 01:04:02,360
like cross training and trying 
to build up strength in my core 

1142
01:04:02,360 --> 01:04:06,560
is what I realized was you get 
these really powerful calves 

1143
01:04:06,720 --> 01:04:10,840
from running, but it doesn't 
necessarily build a strong core.

1144
01:04:11,200 --> 01:04:15,560
So I started building my core 
that led to more or less like 

1145
01:04:15,560 --> 01:04:19,920
bodybuilding style workouts. 
And I love being strong. 

1146
01:04:19,920 --> 01:04:23,800
I love seeing muscle in my body.
It makes me eat better. 

1147
01:04:25,080 --> 01:04:31,760
And you know, I truly used to do
it because like I liked looking 

1148
01:04:31,760 --> 01:04:33,640
better made me feel better about
myself. 

1149
01:04:33,640 --> 01:04:37,240
Now I just do it because it's 
like it's my stress relief. 

1150
01:04:37,240 --> 01:04:41,920
It's my outlet and I don't know 
how I would deal with stress 

1151
01:04:41,920 --> 01:04:46,040
without it. 
So yeah, that's it's very 

1152
01:04:46,040 --> 01:04:49,360
similar story to Steven. 
But why I couldn't see myself 

1153
01:04:49,360 --> 01:04:53,960
doing like Tough Mudder or 
something similar is like in my 

1154
01:04:53,960 --> 01:04:58,320
old age, I've kind of realized 
like I can only do what I what I

1155
01:04:58,320 --> 01:05:02,240
do if I don't get hurt. 
So if I do something that's 

1156
01:05:02,240 --> 01:05:05,720
going to risk injury, it doesn't
mean you're going to get 

1157
01:05:05,720 --> 01:05:07,960
injured. 
But you know, when I hear about 

1158
01:05:07,960 --> 01:05:11,600
people doing things that are, 
you know, prone to injury, like 

1159
01:05:11,800 --> 01:05:14,040
doing like deadlifting 
heavyweight and stuff. 

1160
01:05:14,040 --> 01:05:16,600
Like jumping at a muddy tree log
and trying to hang on. 

1161
01:05:16,800 --> 01:05:19,960
That kind of stuff. 
I'm like, yeah, well, what if I 

1162
01:05:20,080 --> 01:05:24,280
slip a disc or something and 
I'm, you know, out of the gym 

1163
01:05:24,280 --> 01:05:27,680
for six months? 
I'm, I'm not going to do that. 

1164
01:05:27,920 --> 01:05:32,880
So, you know, yeah, it's like 
super risk averse, but that's 

1165
01:05:32,880 --> 01:05:36,400
kind of the reason reason I 
don't do things that are risky 

1166
01:05:36,400 --> 01:05:38,680
like that. 
But that makes a lot of sense, 

1167
01:05:38,680 --> 01:05:40,280
Jim. 
I mean, one other thing that I 

1168
01:05:40,280 --> 01:05:43,120
thought about as you were 
speaking, Jim, is I also work 

1169
01:05:43,120 --> 01:05:47,640
out about two hours a day 
because my vice is a grilled 

1170
01:05:47,640 --> 01:05:52,040
cheese and French fries. 
So in order for me to maintain 

1171
01:05:52,040 --> 01:05:56,040
when I'm traveling to have some 
fries when I want to pay to make

1172
01:05:56,040 --> 01:05:58,400
sure that I work out, but my 19 
year old daughter says this 

1173
01:05:58,400 --> 01:06:00,360
about me. 
She says my dad has two 

1174
01:06:00,360 --> 01:06:03,160
explains. 
He's got the kids menu guy 

1175
01:06:03,480 --> 01:06:07,160
grilled cheese and fries or he's
like an 85 Wagyu steak guy. 

1176
01:06:07,640 --> 01:06:11,680
And I said I mean she's not 
wrong, but it is like, hey, I 

1177
01:06:11,680 --> 01:06:14,760
can go eat at any restaurant. 
There's a kids menu or I can go 

1178
01:06:14,760 --> 01:06:17,480
to a nice steakhouse and enjoy 
myself as well. 

1179
01:06:18,120 --> 01:06:20,640
That's actually. 
So now you're talking Jeff's 

1180
01:06:20,640 --> 01:06:21,920
talk. 
Yeah, now I would say now you've

1181
01:06:21,920 --> 01:06:24,040
got me, now you've got me 
interested all. 

1182
01:06:24,040 --> 01:06:26,240
Right describe your. 
Perfect grilled cheese What's 

1183
01:06:26,240 --> 01:06:29,720
What's the right cheese for a 
Steven Washington grilled cheese

1184
01:06:29,720 --> 01:06:34,120
sandwich and the bread? 
Too So sourdough bread first and

1185
01:06:34,560 --> 01:06:35,280
foremost. 
I'm with you. 

1186
01:06:35,840 --> 01:06:39,040
And now no cheese. 
Not better than American. 

1187
01:06:39,440 --> 01:06:44,320
However, as we get older I 
realize American probably isn't 

1188
01:06:44,320 --> 01:06:46,920
already cheese, but I'm say that
for a different show. 

1189
01:06:47,000 --> 01:06:54,200
OK so cheddar, white cheddar. 
I also like Gouda. 

1190
01:06:54,840 --> 01:06:57,720
I like some Swiss and mozzarella
so it's so it's a crazy 

1191
01:06:57,720 --> 01:07:00,680
combination. 
But if I want to do 1 is like 

1192
01:07:00,680 --> 01:07:03,920
the white cheddar. 
But I also enjoy Gouda cheese, 

1193
01:07:03,920 --> 01:07:07,240
which is kind of odd because 
it's a more smoky flavor as 

1194
01:07:07,240 --> 01:07:08,800
well. 
But sometimes I buy sourdough 

1195
01:07:08,800 --> 01:07:12,400
bread and just cheddar cheese 
combination is great. 

1196
01:07:12,480 --> 01:07:16,520
And some restaurants like like 
Melt is really awesome. 

1197
01:07:16,960 --> 01:07:19,600
Even though if I had too much 
butter, I think they had like a 

1198
01:07:19,600 --> 01:07:21,520
whole stick of butter for one 
sandwich. 

1199
01:07:22,440 --> 01:07:24,600
But when you work out for two 
hours, you can do that guy. 

1200
01:07:25,760 --> 01:07:28,240
You got a little leeway there. 
I'm with you on the sourdough. 

1201
01:07:28,240 --> 01:07:32,440
I think sourdough is fantastic. 
I am a American and pepper Jack 

1202
01:07:32,440 --> 01:07:35,200
mix because I want a little bit 
of a spice to it. 

1203
01:07:35,200 --> 01:07:38,680
Not crazy, but enough there. 
And I'll never turn down ham or 

1204
01:07:38,680 --> 01:07:42,040
bacon or something like that. 
But what I like is when we we 

1205
01:07:42,040 --> 01:07:45,840
press the sandwich as thin as 
possible, like almost in 

1206
01:07:45,840 --> 01:07:50,600
between, like not a Panini, but 
like pressed and man, I can, I 

1207
01:07:50,600 --> 01:07:52,280
can put those away. 
No, no Jeff. 

1208
01:07:52,280 --> 01:07:57,040
OK, so so now I got to add this.
My my best thing is when I say 

1209
01:07:57,320 --> 01:07:59,720
I've been fasting because I went
too many fasting as well. 

1210
01:07:59,840 --> 01:08:03,840
So when I eat, I eat a ton and 
sometimes like I want some 

1211
01:08:03,840 --> 01:08:07,960
bread, so I get 3 slices of 
bread, lay a multiple layers of 

1212
01:08:07,960 --> 01:08:10,520
cheese between each thing, some 
ham. 

1213
01:08:10,840 --> 01:08:12,960
And then I really will have a 
press. 

1214
01:08:13,200 --> 01:08:16,520
Not not convenient, but it's 
like a matter like a cast iron 

1215
01:08:16,520 --> 01:08:20,200
press that I just put down on 
top of the skillet and I just 

1216
01:08:20,200 --> 01:08:24,160
push that down. 
And as the best, most 

1217
01:08:24,160 --> 01:08:26,399
unhealthiest thing potentially 
in the world. 

1218
01:08:26,399 --> 01:08:28,080
So good. 
But it's so good. 

1219
01:08:29,359 --> 01:08:32,160
All right, we're going to wrap 
up grilled cheese at the Center 

1220
01:08:32,680 --> 01:08:35,359
for this week. 
Steven, you've been so great 

1221
01:08:35,359 --> 01:08:36,560
with your time. 
Really appreciate it. 

1222
01:08:36,560 --> 01:08:38,720
Looking forward to maybe giving 
you an official fist bump of 

1223
01:08:38,720 --> 01:08:41,080
gratitude for being on the show 
at a conference at sometime in 

1224
01:08:41,080 --> 01:08:44,160
the future. 
I'll have your LinkedIn profile 

1225
01:08:44,160 --> 01:08:45,479
as well in our show notes, if 
that's OK. 

1226
01:08:45,479 --> 01:08:48,640
People can reach out with 
questions or grilled cheese 

1227
01:08:48,640 --> 01:08:53,160
recipes or whatever it may be. 
And then Jim, you and I will be 

1228
01:08:53,160 --> 01:08:56,319
on the web as usual. 
idacpodcast.com, connect with 

1229
01:08:56,319 --> 01:08:58,760
us. 
If you're listening to this, go 

1230
01:08:58,760 --> 01:09:00,840
on over to our YouTube channel, 
hit that like and subscribe 

1231
01:09:00,840 --> 01:09:03,640
button that's helping us grow 
and appreciate you sharing with 

1232
01:09:03,640 --> 01:09:05,040
friends or enemies. 
We don't care. 

1233
01:09:05,120 --> 01:09:07,240
Whoever listens as long as they 
like and subscribe, I don't 

1234
01:09:07,240 --> 01:09:09,520
care. 
So with that, we'll go ahead and

1235
01:09:09,520 --> 01:09:12,040
leave it for this week. 
Thanks everyone for watching and

1236
01:09:12,040 --> 01:09:14,640
or listening and we'll talk with
you all in the next one. 

1237
01:09:17,080 --> 01:09:20,120
You've been listening to 
Identity at the Center. 

1238
01:09:20,479 --> 01:09:24,560
We hope you've enjoyed the show.
Make sure to like, rate and 

1239
01:09:24,560 --> 01:09:28,200
review, and we'll be back soon. 
But in the meantime, hit the 

1240
01:09:28,200 --> 01:09:31,600
website at 
identity@thecenter.com. 

1241
01:09:32,200 --> 01:09:36,319
See you next time on Identity at
the Center.
