1
00:00:09,680 --> 00:00:12,280
You're listening to the Identity
at the Center podcast. 

2
00:00:12,720 --> 00:00:14,920
This is the show that talks 
about identity and access 

3
00:00:14,920 --> 00:00:17,800
management and making sure you 
know who has access to what. 

4
00:00:18,120 --> 00:00:26,610
Let's get started. 
Welcome to the Identity at the 

5
00:00:26,610 --> 00:00:28,530
Center podcast. 
I'm Jeff and that's Jim. 

6
00:00:28,530 --> 00:00:29,690
Hey, Jim. 
Hey, Jeff. 

7
00:00:29,690 --> 00:00:31,530
How's it going? 
Not so bad yourself. 

8
00:00:31,690 --> 00:00:33,450
Good. 
I was listening to our show the 

9
00:00:33,450 --> 00:00:35,770
other day for the first time in 
a while. 

10
00:00:35,930 --> 00:00:37,850
I I mean, I don't listen to 
every episode, right? 

11
00:00:37,850 --> 00:00:41,090
I'm on every episode. 
But I don't like to listen to my

12
00:00:41,090 --> 00:00:42,730
own voice. 
I think a lot of people have 

13
00:00:42,730 --> 00:00:44,970
that aversion, and I've got to 
say Jeff. 

14
00:00:45,170 --> 00:00:48,970
And so for everyone who's 
listening on a regular basis, 

15
00:00:49,010 --> 00:00:52,450
they should know that you are 
the man behind the scenes who

16
00:00:53,290 --> 00:00:56,970
does all the editing work and 
everything and all the funky 

17
00:00:56,970 --> 00:00:59,290
music in the beginning. 
And that's what really got me. 

18
00:00:59,290 --> 00:01:03,090
I was like, whoa, we're like, 
totally pro here. 

19
00:01:03,370 --> 00:01:05,129
I was wondering if I could 
notice that I kind of slipped 

20
00:01:05,129 --> 00:01:07,690
that change in earlier this 
year. 

21
00:01:07,690 --> 00:01:09,890
I figured, yeah, New Year, let's
maybe try something look 

22
00:01:09,890 --> 00:01:12,530
different. 
But yeah, I don't listen to our 

23
00:01:12,530 --> 00:01:14,450
shows, even even when I'm 
editing them. 

24
00:01:14,450 --> 00:01:16,410
You know, I'm listening to them,
but I'm not really listening to 

25
00:01:16,410 --> 00:01:17,770
them. 
You know, I'm looking for like 

26
00:01:18,370 --> 00:01:22,490
background noise and like clicks
and you know, trying to, you 

27
00:01:22,490 --> 00:01:25,290
know make sure that it that it 
sounds as good as I can in my, 

28
00:01:25,290 --> 00:01:28,770
you know, totally amateur and 
I'm sure totally unprofessional 

29
00:01:28,770 --> 00:01:30,810
way
I edit the show.

30
00:01:30,810 --> 00:01:35,050
So it is totally, you know, you 
know, I've learned a lot over 80

31
00:01:35,050 --> 00:01:38,290
plus episodes at this point. 
But yeah, I appreciate that. 

32
00:01:38,290 --> 00:01:41,130
So it's, you know, it's cool. 
It's it's a it's a passion 

33
00:01:41,130 --> 00:01:42,850
project. 
I think between the two of us, 

34
00:01:43,370 --> 00:01:48,160
it's kind of started and you 
know, here we are several months

35
00:01:48,160 --> 00:01:50,240
and dozens and dozens of 
episodes later. 

36
00:01:50,440 --> 00:01:53,040
Well, the other day I said to 
somebody we were on a call 

37
00:01:53,040 --> 00:01:55,560
together and I said, yeah, this 
is my favorite part of the job. 

38
00:01:55,560 --> 00:01:57,800
And remind me, it's not really 
part of the job. 

39
00:01:59,040 --> 00:02:02,320
Yeah, it would be cool. 
Yeah, it's it's definitely, you 

40
00:02:02,320 --> 00:02:04,720
know, we we do have day jobs. 
We don't really talk about it 

41
00:02:04,720 --> 00:02:06,640
too much, you know, but but 
yeah, we do. 

42
00:02:06,640 --> 00:02:08,560
You know, IAM strategy
assessments and things like 

43
00:02:08,560 --> 00:02:11,610
that. 
But yeah, you know, we don't do 

44
00:02:11,610 --> 00:02:14,490
sponsors either, so it's going 
to be kind of hard to turn this 

45
00:02:14,490 --> 00:02:18,130
into, you know, a paying gig 
without sponsorship I guess. 

46
00:02:18,130 --> 00:02:20,130
And and I don't know if that's 
where we want to go with it. 

47
00:02:21,010 --> 00:02:23,490
So waiting for that call from 
Spotify, you know that 

48
00:02:23,490 --> 00:02:25,690
$1,000,000 check right? 
Well I guess if you're 

49
00:02:25,690 --> 00:02:27,970
interested in sponsoring, right 
you know feel free to get in 

50
00:02:27,970 --> 00:02:30,490
touch if it makes sense as long 
as we can keep it, you know 

51
00:02:30,490 --> 00:02:32,850
relatively vendor neutral. 
I'm I'm pretty open to to 

52
00:02:32,850 --> 00:02:34,410
anything at this point. 
I agree. 

53
00:02:34,410 --> 00:02:36,130
I agree. 
You know what's really been 

54
00:02:36,130 --> 00:02:40,010
great though has been the 
feedback from our listeners and 

55
00:02:40,010 --> 00:02:43,830
somebody that
we're having on today is a

56
00:02:43,830 --> 00:02:48,190
listener of the show and we've 
been in contact with and he's 

57
00:02:48,190 --> 00:02:50,710
somebody who puts out a lot of 
content himself. 

58
00:02:50,710 --> 00:02:53,870
So Jeff, I'll pass it back to 
you to do the introduction. 

59
00:02:53,870 --> 00:02:56,870
But I think it's really cool 
that, you know, our listeners 

60
00:02:56,870 --> 00:03:00,590
are reaching out and there are 
people who are active by and 

61
00:03:00,590 --> 00:03:03,830
practitioners as well. 
Yeah, it is super cool and you 

62
00:03:03,830 --> 00:03:05,790
know, super pumped. 
Actually have Carlos on the 

63
00:03:05,790 --> 00:03:06,750
show. 
We'll get to him in a second 

64
00:03:06,750 --> 00:03:10,330
here. 
He wrote an article that touched

65
00:03:10,330 --> 00:03:13,290
around, you know, how to build a
successful IAM program and it

66
00:03:13,290 --> 00:03:15,410
was on 
enterprisesecuritymag.com. 

67
00:03:16,730 --> 00:03:18,850
I'll link to the article in our
show so you can kind of check 

68
00:03:18,850 --> 00:03:21,170
that out. 
And part of that article touched

69
00:03:21,210 --> 00:03:23,970
on managing organizational 
change, which I thought was 

70
00:03:23,970 --> 00:03:27,170
interesting and it's something 
that sometimes gets overlooked 

71
00:03:27,250 --> 00:03:29,890
right when we're developing 
programs and kind of getting 

72
00:03:29,890 --> 00:03:32,410
things out, out and then the 
into the real world. 

73
00:03:32,450 --> 00:03:36,210
So without further ado, why 
don't we bring on the author of 

74
00:03:36,210 --> 00:03:38,830
that article? 
His name is Carlos Rodriguez. 

75
00:03:38,830 --> 00:03:42,470
He's the director of IT security
and Risk at Citizens Property 

76
00:03:42,470 --> 00:03:44,190
Insurance. 
Welcome, Carlos. 

77
00:03:44,470 --> 00:03:48,150
Thank you, Jim and Jeff, happy 
to be here and I and I will 

78
00:03:48,150 --> 00:03:52,790
start with not only thanking you
for my the opportunity but for 

79
00:03:52,790 --> 00:03:56,470
the content that you put out 
every day or every week. 

80
00:03:56,790 --> 00:04:00,110
Been listening for about a year.
So I. 

81
00:04:00,480 --> 00:04:03,240
I appreciate it on behalf of the
of our community. 

82
00:04:03,440 --> 00:04:04,680
Oh, well, well, thank you so 
much. 

83
00:04:04,680 --> 00:04:07,480
Hey, I feel like this deserves 
like a, you know, longtime 

84
00:04:07,480 --> 00:04:11,480
listener, first time caller 
radio tropes. 

85
00:04:11,480 --> 00:04:14,880
But yeah, no, that's really cool
and excited to have you here 

86
00:04:14,880 --> 00:04:18,519
because I really want to get 
into that, that whole topic of 

87
00:04:18,519 --> 00:04:21,120
the change management. 
But if you've been listening 

88
00:04:21,120 --> 00:04:23,280
right, you probably know the 
first question, which is, you 

89
00:04:23,280 --> 00:04:27,240
know, how did you get into the IAM
space of the infosec area?

90
00:04:27,400 --> 00:04:29,880
Is it something that chose you
or did you choose it?

91
00:04:30,140 --> 00:04:33,100
I think we chose each other. 
Honestly. 

92
00:04:33,660 --> 00:04:38,220
I grew up on the help desk rank 
like many and you know part of 

93
00:04:38,220 --> 00:04:41,860
that usually involve 
provisioning and deprovisioning 

94
00:04:41,860 --> 00:04:47,980
user you know from a execution 
point of view and building a few

95
00:04:47,980 --> 00:04:51,100
processes. 
But from there I got engaged 

96
00:04:51,100 --> 00:04:56,580
with third party access or 
remote access from a security 

97
00:04:56,580 --> 00:04:59,220
point of view, from firewalls 
and what have you. 

98
00:04:59,700 --> 00:05:05,060
Concentrators then kept growing 
into more of leadership roles, 

99
00:05:05,380 --> 00:05:11,380
driving strategies for access as
a whole in different 

100
00:05:11,380 --> 00:05:16,540
organizations. My passion's
always been in security, and I

101
00:05:16,540 --> 00:05:22,620
discovered a few years ago that 
access was key to have sound 

102
00:05:22,620 --> 00:05:26,100
security for any organization. 
So Carlos, we we've referenced 

103
00:05:26,100 --> 00:05:31,030
this blog already. 
And the the focus on it was 

104
00:05:31,070 --> 00:05:34,230
organizational or managing 
organizational change, right. 

105
00:05:34,230 --> 00:05:39,270
It's such a big part of anytime 
you roll out IAM technology

106
00:05:39,270 --> 00:05:45,030
projects, new processes, you 
know the the amount of impact 

107
00:05:45,030 --> 00:05:51,030
they have on people and managing
that impact is really key to the

108
00:05:51,030 --> 00:05:53,390
success of your of your 
initiative. 

109
00:05:53,510 --> 00:05:55,270
So tell us about the blog. 
Tell us about what your 

110
00:05:55,270 --> 00:05:56,950
perspective is on change 
management. 

111
00:05:57,300 --> 00:06:01,060
Sure. 
So, yeah, so identity and access

112
00:06:01,060 --> 00:06:07,340
management is a broad topic. 
It's a program, it's not a one 

113
00:06:07,340 --> 00:06:10,380
off. 
We're gonna put MFA here and be 

114
00:06:10,380 --> 00:06:15,860
done or single sign on it. 
It's it's a big business 

115
00:06:15,860 --> 00:06:18,660
initiative and that's how I 
approach it. 

116
00:06:19,260 --> 00:06:25,420
And because of who we are, we 
needed to have a stakeholder 

117
00:06:25,820 --> 00:06:28,120
support. 
All the way to the Board of 

118
00:06:28,120 --> 00:06:34,680
Governors of Citizens and we all
you also have to realize and and

119
00:06:34,720 --> 00:06:38,480
I'm sure you all understand 
this, but you are changing the 

120
00:06:38,480 --> 00:06:41,240
way people work and interact 
with data and systems. 

121
00:06:41,640 --> 00:06:44,400
So usually it's very disruptive,
right. 

122
00:06:44,920 --> 00:06:48,360
And that's where organizational 
change management can help you 

123
00:06:50,360 --> 00:06:54,360
to to navigate the long journey.
Because that's the other point, 

124
00:06:54,360 --> 00:06:57,890
this is, this is a long journey.
You're probably working on this 

125
00:06:57,890 --> 00:07:00,850
piece this year, but next year 
you're gonna jump, going to jump

126
00:07:00,890 --> 00:07:05,730
on a different project and so 
on, and they all tie it into 

127
00:07:05,770 --> 00:07:08,530
each other. 
So there are different 

128
00:07:08,530 --> 00:07:11,890
techniques for organizational 
change management that can help 

129
00:07:11,890 --> 00:07:15,610
you navigate the journey and get
the support from the 

130
00:07:15,610 --> 00:07:18,370
stakeholders. 
You know, I I've always kind of 

131
00:07:18,370 --> 00:07:22,890
felt that IAM,
it may be only second to an ERP

132
00:07:22,890 --> 00:07:26,300
initiative in terms of
how much it impacts and how much

133
00:07:26,300 --> 00:07:32,940
it touches the business, but in 
a way, in a way I I prioritize

134
00:07:32,940 --> 00:07:37,580
IAM because it's usually the first
place that people have an impact

135
00:07:37,580 --> 00:07:40,420
with the organization. 
So if you are a customer, it's 

136
00:07:40,420 --> 00:07:43,780
obvious, right, there's that 
whole registration and getting 

137
00:07:43,780 --> 00:07:47,100
logged in and things like that. 
But even on the enterprise side,

138
00:07:47,380 --> 00:07:50,860
your first activity usually 
onboarding to the organization. 

139
00:07:50,860 --> 00:07:54,090
Can you access
all these systems? And even more

140
00:07:54,090 --> 00:07:56,130
so with everybody working 
remotely now. 

141
00:07:56,410 --> 00:07:58,450
But it's just that level of 
touch, right? 

142
00:07:58,450 --> 00:08:04,330
It's such an impact on everybody
and it's that first impact that 

143
00:08:04,330 --> 00:08:06,010
they feel. 
That is correct. 

144
00:08:06,010 --> 00:08:09,330
And then you have you you talk 
about on board and then you have

145
00:08:09,330 --> 00:08:13,410
to take those accounts down at 
some point in time or change you

146
00:08:13,410 --> 00:08:16,930
know their access as people move
through their through their 

147
00:08:16,930 --> 00:08:19,050
organization. 
So it's it is an ongoing 

148
00:08:19,050 --> 00:08:22,850
process. 
From, you know, the first day, 

149
00:08:22,850 --> 00:08:25,890
your first day to your last day,
we got to manage these 

150
00:08:26,490 --> 00:08:30,170
identities when you're managing 
change for the organization, 

151
00:08:30,170 --> 00:08:31,770
right? 
No matter what it is, I would 

152
00:08:31,770 --> 00:08:34,730
imagine that this is not a one 
and done type of situation, 

153
00:08:34,730 --> 00:08:36,090
right? 
It's something that's going to 

154
00:08:36,090 --> 00:08:39,450
evolve and you're going to 
identify areas that you want to 

155
00:08:39,450 --> 00:08:40,970
improve on just like anything 
else, right? 

156
00:08:40,970 --> 00:08:42,330
Things that maybe got missed the
first pass. 

157
00:08:42,330 --> 00:08:43,730
OK, let's remember that for next
time. 

158
00:08:44,650 --> 00:08:49,010
How do you approach that type of
situation where you know, 

159
00:08:49,390 --> 00:08:51,470
getting it stood up and then 
getting it ready to go? 

160
00:08:51,830 --> 00:08:55,030
Sure. 
So what we did was we we brought

161
00:08:55,030 --> 00:09:00,110
in stakeholders from the entire 
organization, from all business 

162
00:09:00,110 --> 00:09:02,990
units and and basically 
interview them what are your 

163
00:09:02,990 --> 00:09:08,830
strong points, where are your 
pain points and based on that we

164
00:09:08,830 --> 00:09:15,990
built a holistic strategy that 
then we presented to them

165
00:09:17,370 --> 00:09:20,010
for feedback, you know part of
the idea outside of the house, 

166
00:09:20,850 --> 00:09:26,450
but you know there are different
techniques for getting started. 

167
00:09:26,850 --> 00:09:31,050
I was blessed to have an 
internal organizational change 

168
00:09:31,050 --> 00:09:36,170
management team and one of the 
as soon as they started and 

169
00:09:36,170 --> 00:09:41,730
found that out, I went to them 
said OK, this is a multiyear, 

170
00:09:42,050 --> 00:09:47,170
very impactful initiative. 
And you helped me and they 

171
00:09:47,170 --> 00:09:52,490
brought in some techniques and 
presented to to me and what they

172
00:09:52,770 --> 00:09:56,330
they usually lead with. 
And the preferred technique here

173
00:09:56,330 --> 00:10:05,330
for us is is known as ADKAR.
That's A-D-K-A-R and it stands

174
00:10:05,330 --> 00:10:11,450
for the awareness, desire, 
knowledge, ability and 

175
00:10:11,450 --> 00:10:13,410
reinforcement. 
What does that mean? 

176
00:10:14,290 --> 00:10:16,650
Well, first you have to be aware
that a change is needed. 

177
00:10:17,210 --> 00:10:20,090
That's your awareness, right? 
And that's where communication 

178
00:10:20,090 --> 00:10:24,890
starts to drive that desire for 
that change. 

179
00:10:25,370 --> 00:10:27,610
And and that's the most 
difficult part, right? 

180
00:10:27,610 --> 00:10:33,410
You're changing someone's way of
working and that that has an 

181
00:10:33,410 --> 00:10:35,690
impact. 
Then you focus on that 

182
00:10:35,690 --> 00:10:39,730
knowledge, you know, training, 
how is the change gonna gonna 

183
00:10:39,730 --> 00:10:43,670
impact me and what have you? 
Again, the training list to 

184
00:10:43,670 --> 00:10:46,630
acquire and the abilities that 
you had that you need to have to

185
00:10:46,630 --> 00:10:51,270
support and sustain the change 
and then the reinforcement is 

186
00:10:51,310 --> 00:10:54,150
ongoing. 
You probably have heard a lot 

187
00:10:54,150 --> 00:10:59,430
that we seen a lot of technology
projects everywhere that but we 

188
00:10:59,430 --> 00:11:03,590
never capitalize on the promised
land, right, because there is 

189
00:11:03,590 --> 00:11:06,110
another priority or or whatever 
reason. 

190
00:11:06,740 --> 00:11:09,020
Sometimes we don't finish our 
projects and that's a 

191
00:11:09,020 --> 00:11:13,820
reinforcement piece and also 
measurement of it of of the

192
00:11:13,820 --> 00:11:17,660
change. So it sounds like your
organization takes change 

193
00:11:17,660 --> 00:11:21,140
management very seriously. 
You talked a little bit about 

194
00:11:21,740 --> 00:11:24,060
you had these internal 
stakeholders that you worked 

195
00:11:24,060 --> 00:11:25,660
with. 
Talk to us a little bit more 

196
00:11:25,660 --> 00:11:28,220
about that. 
Was that like a, I mean I'm not 

197
00:11:28,220 --> 00:11:30,580
sure if it your organization 
that's kind of formally 

198
00:11:30,580 --> 00:11:33,130
established or? 
You kind of reached into the 

199
00:11:33,130 --> 00:11:36,210
organization to find people. 
I would think that it's kind of 

200
00:11:36,210 --> 00:11:40,050
more common that you're really 
gonna need to identify who are 

201
00:11:40,050 --> 00:11:42,930
the people that can assist you 
in this area. 

202
00:11:42,930 --> 00:11:46,330
But maybe talk a little bit 
about what your approach was in 

203
00:11:46,330 --> 00:11:49,490
terms of identifying the people 
that could help you. 

204
00:11:49,490 --> 00:11:52,730
This sounds I I would imagine as
a new person in your 

205
00:11:52,730 --> 00:11:55,890
organization where you need some
kind of mentoring of how it's done

206
00:11:55,890 --> 00:11:58,650
successfully in the past, but 
then also you have to have 

207
00:11:58,650 --> 00:12:00,880
people who have
influence within the

208
00:12:00,880 --> 00:12:03,960
organization and the groups that
you're trying to reach out to. 

209
00:12:04,320 --> 00:12:07,680
Correct. 
So you touch on a few items that

210
00:12:07,680 --> 00:12:12,880
I did go by. 
One I look for look up to my 

211
00:12:12,880 --> 00:12:15,160
sponsors, right? 
Who were the sponsors of the 

212
00:12:15,160 --> 00:12:19,280
project, in this case, the two 
VPs in IT.

213
00:12:19,400 --> 00:12:23,080
One is my boss who handles a 
strategy, architectural 

214
00:12:23,080 --> 00:12:27,720
resiliency and security. 
The other one was the technology

215
00:12:27,840 --> 00:12:31,940
VP. 
And within those groups and the 

216
00:12:31,980 --> 00:12:35,700
first thing was understand, OK, 
what is the business process 

217
00:12:35,700 --> 00:12:38,420
here? 
Let me follow the money if you 

218
00:12:38,420 --> 00:12:41,220
would, right. 
That's what this is always go by

219
00:12:41,540 --> 00:12:43,900
what are the key processes in 
the organization. 

220
00:12:43,980 --> 00:12:49,020
I partnered closely with our our
enterprise architecture team who

221
00:12:49,020 --> 00:12:54,380
is a a sister organization and 
the resiliency team also a 

222
00:12:54,380 --> 00:12:56,540
sister organization. 
We're all on the same 

223
00:12:57,380 --> 00:13:00,500
leadership. 
On the resiliency side, that was

224
00:13:00,500 --> 00:13:03,460
key because they had conducted 
business impact analysis 

225
00:13:03,460 --> 00:13:05,900
already. 
So I just went there, look at 

226
00:13:05,900 --> 00:13:09,700
it, OK. 
And then from there I went to 

227
00:13:09,700 --> 00:13:13,740
the process owners of those 
critical processes. 

228
00:13:14,300 --> 00:13:19,180
We just as a little bit of 
background because I didn't 

229
00:13:19,180 --> 00:13:24,540
mention this earlier, Citizens 
is the insurance provider of 

230
00:13:24,540 --> 00:13:26,740
last resort in the state of 
Florida. 

231
00:13:27,140 --> 00:13:30,750
That means we provide
coverage for those who cannot

232
00:13:30,750 --> 00:13:36,630
get it in a commercial from a 
commercial carrier, well, that 

233
00:13:36,630 --> 00:13:40,390
means that a big part of our 
mission as a company and one of 

234
00:13:40,470 --> 00:13:44,590
our bodies is that of service. 
We have to be there for the 

235
00:13:45,230 --> 00:13:49,710
policyholders when a storm hits.
We actually have to be on Ground

236
00:13:49,710 --> 00:13:55,110
Zero 48 hours after that of the 
events, so. 

237
00:13:56,170 --> 00:14:00,410
One of the key processes for us 
is boarding the independent 

238
00:14:00,410 --> 00:14:05,090
adjusters that go assess the 
damage of the storms, right. 

239
00:14:05,650 --> 00:14:08,530
And and that's one team I went 
to. 

240
00:14:08,530 --> 00:14:11,650
We also have, we don't have a 
sales force internally pretty 

241
00:14:11,650 --> 00:14:14,810
much we, we work a lot of with 
brokers and agents, right. 

242
00:14:15,210 --> 00:14:18,730
That's another key stakeholders,
then we have policyholders and 

243
00:14:18,730 --> 00:14:23,850
then our internal users. 
So though, through all of these 

244
00:14:23,850 --> 00:14:26,850
business impact analysis and my 
partnership with Enterprise 

245
00:14:26,850 --> 00:14:30,410
Architecture, identify those key
stakeholders and then brought 

246
00:14:30,410 --> 00:14:33,210
them in for the conversations. 
What happens if you're talking 

247
00:14:33,210 --> 00:14:36,010
with the stakeholders and you 
get a real stick in the mud, 

248
00:14:36,850 --> 00:14:40,330
someone who might be difficult, 
Have you encountered that And if

249
00:14:40,330 --> 00:14:42,330
so, you know is that something 
you know? 

250
00:14:42,330 --> 00:14:44,650
What are some of the the tips or
tricks you might have for the 

251
00:14:44,650 --> 00:14:47,410
folks who are listening? 
When, when that will happen, not

252
00:14:47,410 --> 00:14:49,520
if when. 
Right. 

253
00:14:49,520 --> 00:14:54,520
So, well, first, understand that
change is a long process, right?

254
00:14:55,480 --> 00:15:00,080
Studies have shown that 
organizational change really 

255
00:15:00,720 --> 00:15:04,160
sticks after three years, leave 
or take. 

256
00:15:05,040 --> 00:15:12,160
So there is a concept known as a
change change curve, which 

257
00:15:12,400 --> 00:15:14,240
visualize how this process goes,
right. 

258
00:15:14,240 --> 00:15:16,840
So you are a status quo for a 
while, right? 

259
00:15:17,280 --> 00:15:20,080
Everything is going. 
It's going well, and then 

260
00:15:20,440 --> 00:15:22,000
there's change. 
Reintroduce the change. 

261
00:15:22,000 --> 00:15:27,160
Right at that point in time, 
what happens is exactly what you

262
00:15:27,160 --> 00:15:31,640
described, yet is denial. 
Why are you doing this to me? 

263
00:15:32,680 --> 00:15:40,360
In fact, why is I also usually 
people also take a self denial 

264
00:15:40,360 --> 00:15:41,600
type of the. 
Why am I? 

265
00:15:42,130 --> 00:15:44,050
Not taking on this and that type
of deal. 

266
00:15:44,090 --> 00:15:49,090
So then you that that sort of 
was start going down right on 

267
00:15:49,090 --> 00:15:51,570
the curve. 
Then there is a little bit of a 

268
00:15:51,570 --> 00:15:57,610
valley at the bottom and that is
when there's doubt and confusion

269
00:15:57,650 --> 00:16:03,930
and you know uncertainty and 
that's where I'm looking for 

270
00:16:03,930 --> 00:16:06,530
what's in it
for me. That's a big piece of

271
00:16:06,530 --> 00:16:09,250
the change. 
Processes. 

272
00:16:09,450 --> 00:16:12,530
We're all looking on what's in 
it for me, and that's me as a 

273
00:16:12,530 --> 00:16:13,570
leader. 
That's what I need to 

274
00:16:13,570 --> 00:16:17,970
communicate because what you 
want to do is on that valley, 

275
00:16:18,450 --> 00:16:20,490
you want to get out of that 
valley as soon as possible. 

276
00:16:21,370 --> 00:16:22,690
You don't want to stay there 
alone. 

277
00:16:23,290 --> 00:16:28,530
And one of the books of my 
favorite books is called Peaks and

278
00:16:28,530 --> 00:16:31,130
Valleys.
Actually, there's a key question

279
00:16:31,130 --> 00:16:36,490
that they ask there in this 
situation, which is what's the 

280
00:16:36,490 --> 00:16:40,600
truth in this situation? 
And so I help people understand 

281
00:16:40,600 --> 00:16:44,520
that if as much as you can, I 
partner with at that point with 

282
00:16:44,520 --> 00:16:48,040
my sponsors and other people 
that had more time in the 

283
00:16:48,040 --> 00:16:50,840
organization to understand the 
other side because you know, I 

284
00:16:50,840 --> 00:16:53,080
was dealing with people I didn't
know for the most part. 

285
00:16:53,480 --> 00:16:57,320
So before each conversation I 
would prepare to with with 

286
00:16:57,440 --> 00:16:59,120
longer tenure people in the 
team. 

287
00:16:59,810 --> 00:17:02,170
To understand, OK, I'm going to 
have the conversation with this 

288
00:17:02,170 --> 00:17:05,490
stakeholder, Tammy, who is 
what's what's going on with this

289
00:17:05,490 --> 00:17:07,369
person? 
What is he looking for? 

290
00:17:07,369 --> 00:17:12,410
She's looking for. 
So then once you start coming 

291
00:17:12,410 --> 00:17:16,329
out of the valley, you go start 
going up to rationalize to 

292
00:17:16,329 --> 00:17:20,170
actually accept the change, and 
then you get to the 

293
00:17:20,170 --> 00:17:26,089
reinforcement part of it. 
So in short, I think

294
00:17:26,710 --> 00:17:30,710
I wanted to explain that that 
process, but really you have to 

295
00:17:30,710 --> 00:17:34,430
communicate what's in it for, 
for the person or for the 

296
00:17:34,430 --> 00:17:38,310
business unit. 
Help them understand that and 

297
00:17:38,310 --> 00:17:42,910
and part of what I do also is 
help them understand, uncover 

298
00:17:42,910 --> 00:17:46,430
and manage risk so they can make
better decisions. 

299
00:17:46,670 --> 00:17:49,750
Usually that works well. 
You mentioned the, you know, 

300
00:17:49,950 --> 00:17:52,230
establish you know, using 
established relationships. 

301
00:17:52,230 --> 00:17:55,860
And I'm and I'm curious your 
thought on this is you know I've

302
00:17:55,860 --> 00:17:58,140
been involved in organizations 
where I've you know been there 

303
00:17:58,140 --> 00:18:01,340
for a while and okay, let's 
start an IAM program. And I've

304
00:18:01,340 --> 00:18:04,780
also worked with organizations 
where it didn't exist and I was 

305
00:18:04,780 --> 00:18:08,260
brought in to create that IAM
program and didn't have the 

306
00:18:08,260 --> 00:18:11,140
luxury of knowing anybody 
really, right. 

307
00:18:11,140 --> 00:18:14,980
I'm this this new person coming 
into the org and you don't have

308
00:18:14,980 --> 00:18:19,500
to stand up an effective IAM
program without the benefit of

309
00:18:19,500 --> 00:18:22,700
any relationships. 
I see good and bad in that 

310
00:18:22,780 --> 00:18:26,220
because you're also not carrying
baggage potentially from you 

311
00:18:26,220 --> 00:18:28,980
know previous previous projects 
or previous you know 

312
00:18:28,980 --> 00:18:30,500
expectations those sorts of 
things. 

313
00:18:30,820 --> 00:18:34,980
What are is your thought around 
you know you would you think one

314
00:18:34,980 --> 00:18:37,380
is easier than the other. 
Are they about the same? 

315
00:18:37,540 --> 00:18:39,820
You know, what would you do if 
you were kind of dropped into 

316
00:18:39,820 --> 00:18:42,300
and you had a choice? 
Would you go into a new org or 

317
00:18:42,300 --> 00:18:44,820
would you try to start it up, 
you know, with the current org? 

318
00:18:44,980 --> 00:18:49,380
Well the the way I would 
approach that is you you are 

319
00:18:49,380 --> 00:18:51,860
working with someone internally.
Right. 

320
00:18:51,860 --> 00:18:54,300
I mean, you are a consultant 
coming in, in your case and 

321
00:18:54,660 --> 00:18:57,420
you're working with someone in 
the team, in the internal 

322
00:18:57,420 --> 00:18:59,860
organization. 
That will be me. 

323
00:19:00,260 --> 00:19:07,260
My role, my responsibility is to
present those people to you so 

324
00:19:07,260 --> 00:19:08,940
you can have those 
conversations. 

325
00:19:09,620 --> 00:19:12,420
And that's what we did, that we 
work with a with a third party

326
00:19:12,750 --> 00:19:14,910
consultant here.
And that was my role. 

327
00:19:15,030 --> 00:19:18,830
I was the coach at quarterback. 
You know, let's bring claims, 

328
00:19:18,870 --> 00:19:22,990
let's bring vendor management, 
let's bring legal and I will 

329
00:19:22,990 --> 00:19:25,190
brief the team, the consulting 
team. 

330
00:19:25,190 --> 00:19:28,790
We're bringing these folks. 
We will give them a little bit 

331
00:19:28,790 --> 00:19:32,110
of background and then we really
let the business guide the 

332
00:19:32,110 --> 00:19:34,790
conversation. 
Tell me about your process. 

333
00:19:34,790 --> 00:19:38,380
What matters to you? 
Let because at the end of the 

334
00:19:38,380 --> 00:19:42,420
day as I mentioned earlier, this
is a business initiative, this 

335
00:19:42,420 --> 00:19:45,740
is not a technology project and 
that's how we gain support from 

336
00:19:45,740 --> 00:19:49,020
the board and everyone. 
And so you make them feel like 

337
00:19:49,020 --> 00:19:54,100
we're listening to them, right. 
And you know all the techniques 

338
00:19:54,100 --> 00:19:56,300
around listening and 
reinforcement. 

339
00:19:56,820 --> 00:20:00,540
And then when you present the 
results back, make sure they get

340
00:20:00,540 --> 00:20:03,860
feedback again. 
Go through another iteration and

341
00:20:03,860 --> 00:20:06,420
usually, you know, they felt 
they were part of it. 

342
00:20:06,860 --> 00:20:10,260
This is not IT or Security
working in a silo telling us

343
00:20:10,260 --> 00:20:13,980
what to do. 
They actually are considering my

344
00:20:13,980 --> 00:20:17,260
input, and there's there's a lot
of value to that. 

345
00:20:17,620 --> 00:20:19,700
That's right. 
So Jeff, I've got a new analogy 

346
00:20:19,700 --> 00:20:22,780
the Carlos just gave me, which 
is that what makes a good IAM

347
00:20:22,780 --> 00:20:26,220
program manager? 
Is he or she is a quarterback? 

348
00:20:26,690 --> 00:20:28,650
Right. 
They just, they make everybody 

349
00:20:28,650 --> 00:20:31,650
else look like bizarre. 
But Carlos says you're kind of 

350
00:20:31,650 --> 00:20:36,170
going through the peaks and 
valleys of change management. 

351
00:20:36,170 --> 00:20:40,650
It couldn't help but draw the 
analogy to the seven steps of 

352
00:20:42,090 --> 00:20:44,610
grief. 
Yeah, very, very common. 

353
00:20:44,770 --> 00:20:46,850
Very. 
Nile, you know, and now this 

354
00:20:46,850 --> 00:20:48,370
can't
be happening to me, but you know

355
00:20:48,370 --> 00:20:51,170
what it was coming to mind as 
you're talking about that is, 

356
00:20:51,610 --> 00:20:54,860
you know. 
You're helping people accept 

357
00:20:54,860 --> 00:20:56,980
this change. 
Talk a little bit earlier about 

358
00:20:57,460 --> 00:21:02,740
the the trainings that you're 
you're that you wind up doing 

359
00:21:02,740 --> 00:21:06,860
and things like that. 
And I think that you know what 

360
00:21:06,860 --> 00:21:09,500
came to mind or what I was 
wondering was, you know, what 

361
00:21:09,500 --> 00:21:11,460
are like the forms of 
communication? 

362
00:21:11,460 --> 00:21:12,940
How are you getting this out 
there? 

363
00:21:13,220 --> 00:21:18,500
Are you, you know, leveraging 
corporate e-mail newsletters? 

364
00:21:18,500 --> 00:21:21,560
Are you sending 
letter from the desk of the CEO?

365
00:21:21,560 --> 00:21:24,840
What were some of the the 
techniques that you used to kind

366
00:21:24,840 --> 00:21:26,960
of communicate change to the 
organization? 

367
00:21:27,280 --> 00:21:32,320
Yes, all of them. 
I mean, so we have different 

368
00:21:32,320 --> 00:21:34,680
ways to communicate because 
people are busy. 

369
00:21:34,680 --> 00:21:39,000
So you know, we we gotta put the
information out as much as we 

370
00:21:39,000 --> 00:21:42,760
can. 
Obviously there are certain very

371
00:21:42,760 --> 00:21:47,980
formal channels to communicate 
with the board and the executive

372
00:21:47,980 --> 00:21:50,460
team. 
We use those forms for that 

373
00:21:50,460 --> 00:21:55,340
I offer and it was accepted to 
the executive team to come talk 

374
00:21:55,340 --> 00:22:00,060
to their leadership teams and 
and remember boards executive, 

375
00:22:00,460 --> 00:22:03,420
these are 10 minutes 
conversation, right, 15 minutes,

376
00:22:03,420 --> 00:22:07,700
very short, to the point, and 
what's in it for me. 

377
00:22:07,700 --> 00:22:12,420
So when I went to talk to 
claims, I modify my message to 

378
00:22:12,420 --> 00:22:15,780
talk about the claims process 
and that how this impacts that. 

379
00:22:16,150 --> 00:22:21,750
When I went to talk to HR, I talk 
about, you know, IGA and how the,

380
00:22:22,470 --> 00:22:27,030
you know, HR system plays into 
provisioning and deprovisioning 

381
00:22:27,030 --> 00:22:30,270
potentially right, because I 
knew that was a change that will

382
00:22:30,270 --> 00:22:33,550
impact them and so on and so 
forth. 

383
00:22:33,910 --> 00:22:39,070
That's at the business and high 
stakeholders level. 

384
00:22:39,070 --> 00:22:46,510
Then we also wrote internal 
articles that came from our CEO,

385
00:22:46,670 --> 00:22:49,710
who is my line of my line of 
leadership. 

386
00:22:50,030 --> 00:22:54,590
She is our my boss's boss. 
So she put articles out there. 

387
00:22:55,390 --> 00:22:58,550
My boss put articles, my other 
part of my team put articles. 

388
00:22:58,870 --> 00:23:02,550
We also did. 
And then you, you continue to 

389
00:23:02,550 --> 00:23:04,790
adjust based on the project 
you're working on, right? 

390
00:23:05,270 --> 00:23:11,710
So MFA we, when we roll MFA out,
we put a lot of a series that we

391
00:23:12,310 --> 00:23:16,200
we call tech talks. 
It's an open mic conference call

392
00:23:16,760 --> 00:23:21,240
and with the technology people 
in there to answer questions 

393
00:23:21,920 --> 00:23:27,120
really brief 10 minutes overview
and then it's a Q&A. 

394
00:23:27,560 --> 00:23:30,280
And those were a hit with the 
organization. 

395
00:23:30,280 --> 00:23:35,800
We had somewhere between 5 
and 10 with maybe 60 people 

396
00:23:35,800 --> 00:23:42,040
average attending, that's that. 
We also have another venue which

397
00:23:42,040 --> 00:23:49,270
is our agile. 
All of our agile ceremonies, one

398
00:23:49,270 --> 00:23:51,790
of them for example is inspect 
and adapt. 

399
00:23:52,150 --> 00:23:56,510
Well, that's when we go and show
people what we're doing and they

400
00:23:56,510 --> 00:23:59,430
give us feedback because it's 
all about feedback. 

401
00:23:59,910 --> 00:24:04,710
That's what we try to to do. 
We collaborate a lot, we provide

402
00:24:04,710 --> 00:24:07,230
information, get feedback, make 
adjustments. 

403
00:24:07,670 --> 00:24:11,490
So a lot of different ways to 
communicate, but it's about 

404
00:24:11,490 --> 00:24:14,970
reinforcing the the message. 
Well, I'm glad that you gave me 

405
00:24:14,970 --> 00:24:17,970
that transition, right? 
We have enough time to kind of 

406
00:24:17,970 --> 00:24:21,130
pick on another topic. 
And so in another one of your 

407
00:24:21,130 --> 00:24:25,490
blog articles, you talked about 
Agile methodologies in IAM 

408
00:24:25,490 --> 00:24:28,890
deployments. 
My question bluntly is do you 

409
00:24:28,890 --> 00:24:32,290
find that Agile works better 
than traditional waterfall 

410
00:24:32,290 --> 00:24:37,370
approaches when it comes to IAM? 
I think it's really. 

411
00:24:37,730 --> 00:24:40,300
I don't know. 
I know this is not the the 

412
00:24:40,300 --> 00:24:42,300
answer that we all like, but it 
depends on who you are. 

413
00:24:42,660 --> 00:24:48,140
It depends on your organization.
For us, we are still growing 

414
00:24:48,140 --> 00:24:51,580
into the agile transformation. 
We've been on the journey for 

415
00:24:51,580 --> 00:24:56,700
about 3 to 4 years, which sounds
like a long time, but for a 

416
00:24:56,700 --> 00:25:00,220
transformation of that magnitude
is actually early. 

417
00:25:00,580 --> 00:25:09,290
So for us we approach it with an
agile mentality, but sometimes 

418
00:25:09,290 --> 00:25:12,370
we may apply waterfall 
techniques depending on the 

419
00:25:12,370 --> 00:25:17,530
magnitude of the of the project.
For example privilege access. 

420
00:25:17,810 --> 00:25:23,370
We did a lot of waterfall there 
early on as we transition to the

421
00:25:23,570 --> 00:25:26,290
being deployed and and then 
agile after that. 

422
00:25:28,050 --> 00:25:33,530
But for most, for the most part,
we work in the sprints. 2 weeks 

423
00:25:33,530 --> 00:25:36,980
of sprints where we try to 
release some sort of value for 

424
00:25:37,260 --> 00:25:40,620
the organization, but you know, 
while you get the the 

425
00:25:40,620 --> 00:25:44,660
infrastructure in place, it's 
more of a waterfall. 

426
00:25:45,020 --> 00:25:49,180
But so it's kind of a scrum fall
for us, in some cases. A scrum 

427
00:25:49,180 --> 00:25:51,540
fall, I like that, but it sounds 
like there really is a place 

428
00:25:51,540 --> 00:25:56,140
for, you know, a hybrid approach
where you're not strictly agile,

429
00:25:56,140 --> 00:25:59,260
you're not strictly waterfall, 
but you take the right approach 

430
00:25:59,860 --> 00:26:03,260
for whatever project or maybe 
even team right that, that 

431
00:26:03,260 --> 00:26:06,980
you're engaging with. 
Have you found any particular, 

432
00:26:06,980 --> 00:26:10,540
you know, mix that works really 
well or is it truly, you know, 

433
00:26:11,260 --> 00:26:14,100
figuring it out as you're kind 
of going through it with with 

434
00:26:14,100 --> 00:26:16,300
different personalities? 
You know, it could be a project 

435
00:26:16,300 --> 00:26:18,980
personality or it could be, you 
know, a team personality. 

436
00:26:18,980 --> 00:26:21,860
That sort of sort of approach. 
There's a misconception or 

437
00:26:21,860 --> 00:26:25,500
misunderstanding about agile and
that I found that with my team, 

438
00:26:26,780 --> 00:26:30,220
just it's deploy fast. 
Well, it's not that really. 

439
00:26:30,220 --> 00:26:34,060
It really has nothing to do or 
little to do with the speed. 

440
00:26:34,710 --> 00:26:38,190
It has more to do really with 
delivering value. 

441
00:26:38,910 --> 00:26:44,550
So with that said, our approach 
is in our security team and and 

442
00:26:44,550 --> 00:26:50,190
many of the IT organizations 
here, it's about releasing and 

443
00:26:50,190 --> 00:26:53,710
getting feedback, right. 
Was this what you were looking 

444
00:26:53,710 --> 00:26:55,190
for? 
Is this what you're looking for?

445
00:26:56,110 --> 00:26:59,230
So it's a constant engagement 
with the stakeholders, with the 

446
00:26:59,230 --> 00:27:02,710
product owners to make sure that
we're delivering the value they 

447
00:27:02,710 --> 00:27:06,490
are looking for and because 
because the other thing is 

448
00:27:06,530 --> 00:27:10,530
there's a lot of competing 
priorities in any organization 

449
00:27:11,050 --> 00:27:14,210
as you know. 
And so you gotta make sure that 

450
00:27:14,450 --> 00:27:17,410
you are delivering value. 
If not, you know they're either 

451
00:27:17,410 --> 00:27:20,890
going to not care much about 
what you're doing or shut down 

452
00:27:20,890 --> 00:27:25,130
the project. 
So feedback is the key for that.

453
00:27:25,490 --> 00:27:32,660
We we do we lean more towards 
agile to two weeks of Sprint in 

454
00:27:32,740 --> 00:27:35,220
our case. 
How do you defend the quality 

455
00:27:35,900 --> 00:27:38,300
when it comes to moving with 
speed? 

456
00:27:38,300 --> 00:27:40,660
Because I think that's 
typically one of the areas that 

457
00:27:41,100 --> 00:27:44,700
a lot of organizations and, you 
know, project teams struggle with

458
00:27:44,700 --> 00:27:47,540
is when you get into these heads
down sprints and you're kind of 

459
00:27:47,540 --> 00:27:49,620
running full speed. 
How do you make sure you don't 

460
00:27:49,620 --> 00:27:53,380
you know run through a wall 
instead of maybe you know making

461
00:27:53,380 --> 00:27:55,460
sure that you ran through the 
door that was already there and 

462
00:27:55,460 --> 00:27:58,580
you're not causing more havoc 
than than you're creating you 

463
00:27:58,580 --> 00:28:02,430
know, solutions to? We from a 
script point of view what we do 

464
00:28:02,430 --> 00:28:07,310
is we we try to provide the 
requirements as early on the 

465
00:28:07,390 --> 00:28:10,030
Kanban portfolio, Kanban as 
possible. 

466
00:28:11,350 --> 00:28:17,070
There are different stages. 
So once what project is about to

467
00:28:17,070 --> 00:28:23,830
take off, we have a pretty solid
SDLC checklist and that's where 

468
00:28:23,830 --> 00:28:32,190
we inject our our IT security 
assessment tools that lists. 

469
00:28:32,430 --> 00:28:36,270
So it does a a lean risk 
analysis with what we know at 

470
00:28:36,270 --> 00:28:38,670
that time, right. 
And it gives you an inherent 

471
00:28:38,670 --> 00:28:42,470
risk that drives your controls 
and we look at OK, well based on

472
00:28:42,470 --> 00:28:45,190
what you're telling me we need 
these controls and that give you

473
00:28:45,190 --> 00:28:50,030
a a residual risk. 
So that was very well accepted 

474
00:28:50,310 --> 00:28:54,270
was another change that was like
why are you doing this to me? 

475
00:28:54,880 --> 00:28:56,880
Why do I have to now go through 
these things. 

476
00:28:57,200 --> 00:29:02,480
But once people saw the value 
that we basically are not even 

477
00:29:02,680 --> 00:29:07,320
in the conversations sometimes 
because now what we're doing is 

478
00:29:08,000 --> 00:29:12,360
the enterprise architecture team
is running with that tool and in

479
00:29:12,360 --> 00:29:15,680
the future we envision we're 
kicking off our security 

480
00:29:15,680 --> 00:29:17,560
champions program here very 
soon. 

481
00:29:18,080 --> 00:29:21,440
We we we did last year but the 
world changed last year. 

482
00:29:21,440 --> 00:29:25,420
So we had to talk about, yeah, 
we have to people then focus on 

483
00:29:25,420 --> 00:29:28,060
other things. 
So we're about to resume that 

484
00:29:28,100 --> 00:29:31,180
and hopefully our security 
champions can take ownership of 

485
00:29:31,180 --> 00:29:32,580
that. 
And the advantage is that they 

486
00:29:32,580 --> 00:29:36,700
are part of the business units 
and you know we'll be more of 

487
00:29:37,180 --> 00:29:42,100
security coaches and they love 
that we basically provide the 

488
00:29:42,140 --> 00:29:45,540
guidance, vision, requirements 
and get out of the way. 

489
00:29:45,740 --> 00:29:48,940
That's actually what the 
followup question I was thinking

490
00:29:48,940 --> 00:29:51,980
of is, you know, does this kind 
of 

491
00:29:52,880 --> 00:29:58,160
change the role of the CISO in 
project delivery, especially 

492
00:29:58,160 --> 00:30:00,200
when it comes to security 
projects. 

493
00:30:00,560 --> 00:30:03,240
I hear you're saying yes. 
I don't know if you're saying 

494
00:30:03,240 --> 00:30:07,240
that because that's kind of the 
Changing minds mindset that you 

495
00:30:07,240 --> 00:30:10,960
have in terms of what that role 
ought to be or if it has 

496
00:30:10,960 --> 00:30:13,240
anything to do with the agile 
versus the waterfall. 

497
00:30:13,520 --> 00:30:14,600
What do what do you think of 
that? 

498
00:30:14,920 --> 00:30:19,240
I think the main role of the 
CISO in any organization is to 

499
00:30:19,880 --> 00:30:24,850
build and manage relationships 
and then provide a vision, 

500
00:30:25,050 --> 00:30:29,770
provide guidance on risk 
management and so. 

501
00:30:29,770 --> 00:30:32,450
So our mission statement, I'm 
going to paraphrase it because 

502
00:30:32,450 --> 00:30:37,210
we just redid it, but it's 
basically we're here to provide 

503
00:30:38,810 --> 00:30:43,170
data and educate the business on
risk so. 

504
00:30:43,410 --> 00:30:47,970
So they make decisions where 
security doesn't matter on risk.

505
00:30:48,650 --> 00:30:50,570
We manage it for the 
organization. 

506
00:30:50,570 --> 00:30:54,900
We tell them here's the risk 
here alternative to handling. 

507
00:30:55,740 --> 00:30:58,500
And then usually from an IT 
point of view, especially in 

508
00:30:58,500 --> 00:31:01,220
other business units, they come 
to us say, OK, how can we 

509
00:31:01,220 --> 00:31:03,580
remediate this? 
Is it possible to remediate and 

510
00:31:03,580 --> 00:31:06,460
sometimes it isn't. 
That's one thing. 

511
00:31:06,460 --> 00:31:10,140
The other thing that I tried to 
do is promote experimentation 

512
00:31:11,260 --> 00:31:13,660
because that's part of a, yeah, 
that's part of who we are. 

513
00:31:14,140 --> 00:31:16,900
And you know, I had a 
conversation this morning, hey, 

514
00:31:16,980 --> 00:31:22,470
where why are we changing this, 
the initial guidance that we 

515
00:31:22,470 --> 00:31:26,190
provided to the team. 
This was a conversation amongst 

516
00:31:26,190 --> 00:31:29,350
the product owners for IAM or 
project owners. 

517
00:31:29,790 --> 00:31:32,590
I'm like, well, we're not saying
we're changing direction. 

518
00:31:34,030 --> 00:31:37,990
Let me ask you this, should we 
listen to what they have to say 

519
00:31:37,990 --> 00:31:40,590
to see if there is any value and
we should pursue that route? 

520
00:31:41,110 --> 00:31:43,710
And the answer was yes, we 
should listen to them like, 

521
00:31:43,710 --> 00:31:48,580
well, let's do that, run a small
experiment if it makes sense, we

522
00:31:48,620 --> 00:31:53,140
keep going. 
If not, we just say no. And some 

523
00:31:53,140 --> 00:31:55,180
people would say, well, you're 
wasting time. 

524
00:31:55,740 --> 00:31:57,620
But really what we're doing is 
we're learning. 

525
00:31:58,460 --> 00:32:03,460
So that's the role of the CISO 
to me is to manage relationship 

526
00:32:03,460 --> 00:32:07,900
and encourage innovation and and 
and experimentation. 

527
00:32:07,900 --> 00:32:10,020
Obviously managed help the team 
manage risk. 

528
00:32:10,300 --> 00:32:13,460
Reminds me a lot of a piece of 
relationship advice that I once 

529
00:32:13,460 --> 00:32:15,820
heard, and I wish I knew who it 
was so I could probably give 

530
00:32:15,820 --> 00:32:16,660
them credit. 
But. 

531
00:32:17,100 --> 00:32:21,340
You know, it's it's, it's not me
versus you, it's us against the 

532
00:32:21,340 --> 00:32:24,580
problem, right. 
And if you can bring in, you 

533
00:32:24,580 --> 00:32:26,980
know, other parts of the 
organization and and have them 

534
00:32:26,980 --> 00:32:28,900
have a seat at the table and say
okay, well, here's here's what 

535
00:32:28,900 --> 00:32:30,100
we're trying to solve for, 
right? 

536
00:32:30,100 --> 00:32:31,460
Here's what we think. 
What do you think? 

537
00:32:32,260 --> 00:32:35,260
Usually, you know, multiple 
heads are better than one when 

538
00:32:35,260 --> 00:32:38,300
it comes to that sort of 
situation and and empowering the

539
00:32:38,300 --> 00:32:41,540
organization to make those 
decisions and those changes and 

540
00:32:41,540 --> 00:32:43,900
to own things I think is a very 
important part of that too. 

541
00:32:43,900 --> 00:32:47,590
So I I totally agree with that. 
What are some of the, you know, 

542
00:32:48,150 --> 00:32:50,470
we're starting to come towards 
the the end of our time here, 

543
00:32:50,670 --> 00:32:53,270
but I wanted to understand, you 
know, from your perspective, 

544
00:32:54,030 --> 00:32:57,670
what are some of the things that
that you use to stay sharp, 

545
00:32:57,670 --> 00:32:59,470
right? 
I mean, we've been in the space 

546
00:32:59,470 --> 00:33:02,990
for a while and sometimes there 
are multiple outlets of 

547
00:33:02,990 --> 00:33:05,350
information, especially, you 
know, in the age that we live in

548
00:33:05,350 --> 00:33:09,070
with, you know, the Internet, 
it's no longer the, you know, 

549
00:33:09,070 --> 00:33:12,270
the security magazine that gets 
delivered to the office so much,

550
00:33:12,470 --> 00:33:15,670
you know, every week, it seems. 
What are some of the things that

551
00:33:15,670 --> 00:33:19,830
that you use to try to not only 
stay sharp, but to really kind 

552
00:33:19,830 --> 00:33:22,030
of understand the perspectives 
of some of the stakeholders 

553
00:33:22,030 --> 00:33:23,510
maybe that you're talking with? 
Yeah. 

554
00:33:24,070 --> 00:33:28,350
Well, listening to podcasts like
this is one, this one in 

555
00:33:28,350 --> 00:33:32,750
particular for anything 
identity, I stay up, stay up 

556
00:33:32,750 --> 00:33:37,790
with, keep up with. 
Then you know I have a number of

557
00:33:37,790 --> 00:33:40,870
podcasts that I listen to from 
not only on security but 

558
00:33:41,150 --> 00:33:45,140
leadership. 
I recently started listening to 

559
00:33:45,140 --> 00:33:49,940
couple on entrepreneurship 
because that is that helps me a 

560
00:33:49,940 --> 00:33:53,660
lot to you know jump into these 
endeavors. 

561
00:33:53,660 --> 00:34:00,140
But you know, books I, I really 
enjoyed the books from Morey 

562
00:34:00,140 --> 00:34:05,700
Haber on Identity Attack 
Vectors, Privileged Attack 

563
00:34:05,700 --> 00:34:09,179
Vectors. Those are really great 
books on this area. 

564
00:34:10,460 --> 00:34:18,500
Books on leadership also. BSides 
conferences, I am a big fan of 

565
00:34:18,500 --> 00:34:21,739
those. 
It's very relaxed practitioners.

566
00:34:23,580 --> 00:34:27,139
I favor those now more than the 
big, big, big ones where you 

567
00:34:27,139 --> 00:34:28,780
don't really get to talk to 
peers. 

568
00:34:29,179 --> 00:34:32,260
And that's the last one. 
It's it's peers, people like you

569
00:34:32,260 --> 00:34:37,780
that I can have a conversation 
with about anything. 

570
00:34:37,780 --> 00:34:42,280
Because at the end of the day we
someone has seen the issues that

571
00:34:42,280 --> 00:34:46,120
I have seen and the last thing I
do, and that has helped me 

572
00:34:46,120 --> 00:34:53,000
develop a lot is I actually stay
up with what my boss and his 

573
00:34:53,000 --> 00:34:55,600
boss are reading. 
And I've been doing this even 

574
00:34:55,600 --> 00:34:59,280
before I go to citizens for a 
while when I went into meetings 

575
00:34:59,760 --> 00:35:04,000
in their offices. 
You know, president, CEO, CEO, 

576
00:35:04,280 --> 00:35:08,760
CIO, any chief, oh, look at 
their shelves and just speak on 

577
00:35:08,760 --> 00:35:10,680
it and see what they have been 
reading. 

578
00:35:11,000 --> 00:35:15,200
And I went and got that book and
because that helps me understand

579
00:35:15,200 --> 00:35:17,840
where they're coming from, what 
they're thinking about, it's 

580
00:35:18,160 --> 00:35:20,720
been very helpful to me. 
I think that's a really great 

581
00:35:20,720 --> 00:35:23,720
tip for folks that are out there
is to be able to understand the 

582
00:35:23,720 --> 00:35:27,680
perspective that you know, the 
folks who are in positions you 

583
00:35:27,680 --> 00:35:30,480
know above from a leadership 
perspective is to understand 

584
00:35:30,680 --> 00:35:33,360
what is their point of view 
because I think it's an 

585
00:35:33,360 --> 00:35:36,540
opportunity to, 
you know, reinforce what they're

586
00:35:36,540 --> 00:35:39,700
hearing or counter what they 
might be hearing from an 

587
00:35:39,700 --> 00:35:42,980
information standpoint, 
especially, you know, if there's

588
00:35:42,980 --> 00:35:45,580
something that maybe is counter 
to what you're trying to get 

589
00:35:45,580 --> 00:35:47,620
done. 
So, you know, I, I picture this 

590
00:35:47,620 --> 00:35:50,460
back in the old days, right? 
Is is, you know, sneaking to an 

591
00:35:50,460 --> 00:35:53,700
office and like peering through 
books and magazines on the desk 

592
00:35:53,700 --> 00:35:57,620
and things like that to try and 
get, you know, intelligence on 

593
00:35:57,620 --> 00:35:59,780
on what people are looking at so
you can kind of better 

594
00:35:59,780 --> 00:36:03,780
understand the psychology of of 
why they, why they are the way 

595
00:36:03,780 --> 00:36:06,000
they are. 
Right. 

596
00:36:06,480 --> 00:36:09,720
Well, that's very cool. 
We're going to have links to the

597
00:36:09,720 --> 00:36:12,920
different articles that you've 
published out there on our show 

598
00:36:12,920 --> 00:36:17,120
notes before we get things 
wrapped up for this show. 

599
00:36:17,600 --> 00:36:20,200
Any final words of wisdom 
Carlos, that you can kind of 

600
00:36:20,200 --> 00:36:23,600
throw up there into IAM land 
for the people who are 

601
00:36:23,600 --> 00:36:26,040
listening? 
Well, from an extra point of 

602
00:36:26,040 --> 00:36:28,320
view, when you if you are 
building the strategy or 

603
00:36:28,760 --> 00:36:33,340
reshaping it or what have you, 
remember it's a business 

604
00:36:33,460 --> 00:36:38,700
initiative, it's a business 
problem and in order to solve it

605
00:36:38,700 --> 00:36:42,020
you need the business 
stakeholders to help you. 

606
00:36:42,100 --> 00:36:46,140
Let them guide that strategy and
you will get support. 

607
00:36:46,860 --> 00:36:49,980
I've been since I've been here 
because I took that approach. 

608
00:36:50,500 --> 00:36:53,460
I have yet to find push back 
from the business. 

609
00:36:53,870 --> 00:36:55,510
Like that. 
How about Jim yourself? 

610
00:36:55,510 --> 00:36:58,350
Anything you want to close out 
with before we let these fine 

611
00:36:58,350 --> 00:37:01,270
folks go? 
I'm just so appreciative of 

612
00:37:01,390 --> 00:37:04,390
Carlos being on the show and 
sharing his wisdom and his 

613
00:37:04,390 --> 00:37:09,230
experience. 
It kind of reinforces to me that

614
00:37:10,110 --> 00:37:13,950
we do have a listener base out 
there and that the folks who are

615
00:37:13,950 --> 00:37:19,670
listening are like us, right? 
Constantly thinking about how 

616
00:37:19,670 --> 00:37:22,050
to, 
you know, make the business more

617
00:37:22,050 --> 00:37:24,490
secure, how to make the user 
experience better. 

618
00:37:24,810 --> 00:37:29,210
And you know, per the topic we 
discussed today, how to make it 

619
00:37:29,210 --> 00:37:32,930
so that you know the change that
we're inflicting on the 

620
00:37:32,930 --> 00:37:37,330
organization is accepted as well
as possible right there. 

621
00:37:37,330 --> 00:37:39,730
These are hard things. 
Change is hard. 

622
00:37:39,730 --> 00:37:42,570
Change is hard to implement, 
Change is hard to be on the 

623
00:37:42,570 --> 00:37:46,410
receiving end of. 
But it's just, you know, having 

624
00:37:46,410 --> 00:37:49,450
Carlos on today reminds me that,
you know, our listener base out

625
00:37:49,450 --> 00:37:55,190
there is so strong. 
And really love interacting with

626
00:37:55,190 --> 00:37:59,230
all of you who listen on a 
regular basis and please reach 

627
00:37:59,230 --> 00:38:02,950
out and connect to Jeff and I on
LinkedIn. 

628
00:38:02,950 --> 00:38:05,910
And I'm sure Carlos is open to 
us as well as very prolific in 

629
00:38:05,910 --> 00:38:10,830
terms of publishing articles and
and sharing information on his 

630
00:38:10,830 --> 00:38:15,030
feed. 
So please feel completely 

631
00:38:15,030 --> 00:38:17,630
welcome to reach out and connect
to all three of. 

632
00:38:18,190 --> 00:38:20,230
Yeah, that's a good point. 
You know, I do, I do think the 

633
00:38:20,310 --> 00:38:24,590
the IAM field is very welcoming,
is is not a very competitive 

634
00:38:24,590 --> 00:38:28,230
field, at least I feel in if 
you're in the trenches, right. 

635
00:38:28,230 --> 00:38:31,590
We're all trying to solve 
similar problems, maybe not 

636
00:38:31,590 --> 00:38:35,430
exactly the same, but there are,
you know, communities of people 

637
00:38:35,430 --> 00:38:37,750
out there that are struggling 
with the same problems that you 

638
00:38:37,750 --> 00:38:39,310
might be facing on a daily 
basis. 

639
00:38:39,710 --> 00:38:42,710
And you know, if it's been 
solved elsewhere, there is no 

640
00:38:42,710 --> 00:38:46,110
shame in taking what's been 
learned and applying that to the

641
00:38:46,110 --> 00:38:47,550
problems that that you've 
already seen. 

642
00:38:47,980 --> 00:38:49,820
You may have to tweak it, 
massage it, whatever it may be 

643
00:38:49,820 --> 00:38:52,580
but I think that's a great thing
and and one of the things I like

644
00:38:52,620 --> 00:38:56,420
most about the IAM, you know 
industry itself is, is everyone 

645
00:38:56,420 --> 00:38:59,940
is very welcoming and yeah 
totally echo what Jim said about

646
00:38:59,940 --> 00:39:02,780
connecting with with any of us. 
I we're always happy to have a 

647
00:39:02,780 --> 00:39:05,100
conversation and and this 
podcast is proof, right. 

648
00:39:05,460 --> 00:39:08,820
So you know let's let's you know
keep the conversation going. 

649
00:39:08,820 --> 00:39:10,660
You know, if there is, you know 
things that you want to talk 

650
00:39:10,660 --> 00:39:13,940
about, reach out. 
Let's get it on the table and 

651
00:39:14,020 --> 00:39:17,850
and have that discussion so. 
Totally appreciate, Carlos. 

652
00:39:17,850 --> 00:39:19,730
Thank you so much. 
Not only for listening, but for 

653
00:39:19,730 --> 00:39:23,010
being part of the show as well 
and bringing your, your 

654
00:39:23,010 --> 00:39:26,330
experience, your knowledge to 
the table for for folks to derive

655
00:39:26,330 --> 00:39:28,970
benefit from. 
With that, we're going to go 

656
00:39:28,970 --> 00:39:31,970
ahead and call it for this week.
You can hit us on the web at 

657
00:39:31,970 --> 00:39:35,610
identityatthecenter.com. 
We're on Twitter at IDAC 

658
00:39:35,610 --> 00:39:37,490
Podcast. 
There's going to be show notes 

659
00:39:37,490 --> 00:39:41,330
that have the links to both of 
Carlos's writings. 

660
00:39:41,700 --> 00:39:45,500
And links also should connect to
any any three of us from 

661
00:39:45,580 --> 00:39:48,060
LinkedIn as well. 
So with that, we'll go ahead and

662
00:39:48,060 --> 00:39:50,700
close it out for this week. 
And thanks everyone for 

663
00:39:50,700 --> 00:39:53,020
listening and we'll talk with 
you all in the next one. 

664
00:39:58,060 --> 00:40:00,780
Thanks for listening to the 
Identity at the Center podcast. 

665
00:40:01,060 --> 00:40:03,420
If you like what you heard, 
don't forget to subscribe and 

666
00:40:03,420 --> 00:40:06,380
visit us on the web at 
identityatthecenter.com.

