You're listening to the identity at the center podcast. This is the show that talks about identity and access management and making sure you know who has access to what let's get started. Welcome to the identity of the sender podcast I'm Jeff and that's Jim. Hey Jim hey Jeff, how are you? I'm good yourself. Good. How about running into Eric Anderson over lunch today? Yeah, that was pretty cool.
I had to, I had a major bone to pick with him now is because he put the struts earwig into me like a year and a half ago and totally went down a rabbit hole of listening to all things the struts. So thanks Eric for that. Yeah, thanks Eric for that. And I mean, the guy is very knowledgeable about the Seattle, grunge scene. So he's going to join us tomorrow night. I think for the happy hour at the mo pop Museum. Yeah, that'd be cool. Maybe he can give us a tour of
all the things that he has seen. Probably where? I think it didn't say he was like a radio DJ here during sort of like that Grunge era. Yeah. Right in the early 90s. Yeah, that's kind of cool. Very cool. Very cool. But I think that's one of the great things about conferences. Overall running into people catching up with old friends, making new AIDS and we run into a few friends for this podcast
episode. So when we jump right into it, yeah, we've got you in Glaser, he's SVP product management at Salesforce, and a co-founder of ID Pro. Welcome Ian, thank you. Abby, was that polite? It was very polite. Okay, I specifically listener, I specifically asked for a polite introduction. He did, I did, I did my best. We've also got Andy hindle. He's a Content chair for identi verse and board member at Ida Pro. Welcome, Andy. I'm delighted to be here, but that introduction was not as
polite. And I'm disappointed as well. Well, you know, one of the two ain't bad and I think 50% for a success rate is probably okay as a first cut of things, you can fix it in post. Sure. I will add, I don't know what I could do in post, I can maybe add some sound effects, or sparkling sound, something like that. So, you guys are both here and one of the things we want to sort of on a leadoff, the conversation with is around ID Pro.
It's an organization that I happen to be a member of no Ian, we talked about you being a co-founder of it and Andy, Your board member with it. Now, I guess, for folks who are not familiar with ID Pro, what is it? And why do I want to be part of it? So are you Pro is the professional association for digital identity, practitioners and professionals.
We found it about seven years ago and it came from a place where I noticed that our security peers, have a profession certification, they have communities in which they can learn from, there's bodies of knowledge, And our privacy peers have the same thing too. But we didn't. And I coupled that with observation, not as I talk to
people around the industry. Most people That I've met have learned or gotten into identity management by learning a single product and then they learned another one and then they learned another one, and all of a sudden, I like, wait a minute, there's like a thing here, right?
And so, the desire I had was to move identity management from essentially being a dark art one that you only learn through some weird sort of suffering process of product specific, sort of implementations and challenges into one that could become a profession that could have a body of knowledge. You could have a community where people could get back. To one another and to learn from one another. And I think if I had to pick a single reason and and you might
fight me on this one. I'm a why someone should be a member is get access to that Community. There's a lot of ways that that benefits you. I my day job is, I'm a product manager. I look after a team of product managers and when we have a question about identity things about, hey, how are people really using this or that like, what's a real use case for this? Kind of Technology. We can actually ask it in a safe space and learn from other people.
I mean, I've been doing identity for some Mumble, Mumble number of years and there's definitely things, I still don't know and that's good and it's a safe space for me to ask a question. Say, like, do people really do use this like, so off profile. I've never really seen it. What, what's a use case? Help me out here and the same time, in the next moment I can turn around say like, oh, hey I saw you had this problem here. This is what I did in the past. And If that doesn't work and
then I'll take somebody else. I hate Lance's knows, maybe the answer he's done this to right. So for me that community and the ability to both give back and take from the collective knowledge, that's really powerful. Yeah, the the give back part I think is is really important and I think it's beyond yet like all of the things that you described are absolutely accurate. So I'm going to fight you on
them. I'm just going to extend my little bit which is to say that there's technical value their, right. How do I do this? I'm on site at Giant Axe. And I'm trying to integrate product a and product B and both of vendors told me I can do this and I've tried and it doesn't work. And has anybody done it answer? Yeah. That's all great. The soft skills that go along with developing a career in any industry, but I think it's particularly relevant in the identity industry.
You know, how do I go pitch? My idea to Executive management, right. How do I get budget for this? I'm trying to hire somebody and I haven't done this before. How should? I interview them? I've got a difficult, you know. HR situation with one of my staff. How do I like those things and having contextual support like industry? Contextual support for those things, I think is tremendously
important. The other thing I'd say, and I know this was something that you talked about a lot in the early
days. The end was it's tremendously difficult for hiring organizations to identify to nurture and to To I guess grow as distinct from nurturing, those two things, a little different talent in the space when there's when there's no reference material right, when there's there's nothing to go around that and we're at a point in the industry where that's, you know, identity is completely foundational to everything that happens in the digital world and
we need those things to be to be happening. So that we have a body of experienced. Ethically, minded people. You two values driven people, I should better say to help us build stuff. I think the correct answer though for me was the slack Channel, I guess, you know, Ian from your perspective, you're probably the one that hit it close as for me was the that
that Community, right? It's all the people who are part of it and outside and I'll give a Shameless plug, you know, not only am I a member but a participant. Right? Is that the ID Pro slack channel has like the smartest people and you can like, asked any question. It doesn't matter. About identity. But usually it is and you'll get answers back. Yeah, exactly. Is a variety of the topics we cover. Yeah, I think there's like, there's a cat one dog.
There's a dog one, but it is invaluable to me. As someone in the identity space to be able to say, hey, has anybody seen this before or what are you working on or help me articulate? This thing that I know is wrong to a customer, right? Give me another reason. Why there's something what you just said, triggered a thought, which is and I had Put it together until actually right now, which is we're here at this conference.
And when I was starting out go to a conference and you see someone like a Lori Robinson or a Darren rolls, you like I can't go talk to them. They just got off. Stay, I can't go to. Are you kidding me? It's really imposing. and one of the funny things about slack is, Ideas is such a names and an end and Avatar picture.
Right? You don't happen to know that like I'm trying to think about who I can call it, like the torrio is who he is, unless you're really in it and that maybe someone could be really intimidated, go talk to. But in that space, you can be like, hey, um, I think he might know something about this, could you help? I've never seen anyone respond know, even if they don't know the answer, right? So, it takes away a certain kind of in person. Action.
And and this is one of the reasons why I did start. This was not everyone has the luxury of coming to a conference like this. Not everyone has the budget. Not everyone has the awareness of these things and so how do you democratize some of that access to knowledge? Because We're not went to be Wizards, right? This is not meant to be something that you have to really suffer to learn. It's far too valuable and there is so not enough Talent worked Force out there.
So the more we can get the better and no one is diminished by giving back, and I think that's like environment. And the community is large, the newsletter the body of knowledge. Everybody benefits from that. I think one thing I've noticed about the community Beavis like channel is that its place for not just for program managers or just for analysts or just for engineers. It's everybody. Everybody kind of fits into the
soup. Yeah. Yeah. And I think it's increasingly important that we attract that that breadth of perspective, right? Like like people come to the industry with very, very different backgrounds. Very different I guess needs requirements. And in whatever particular job it is that they're doing at that time. The more we understand what those drivers are, and the fact that they are different, the better, the products are the solutions, are that we build. Yeah. What, you're one of the things
we saw. We run a skill survey every year where we ask people, hey, what are the, what are the technical and non-technical skills that have made you a better identity practitioner? What what is of interest to you to learn about what is interest to priority to your Enterprise and one of the things we think we are seeing is two different kinds of identity practitioner people that operate the
Machinery, right? I run a ginormous IDP infrastructure for a big pharmaceutical company and I own a provisioning product and you know, and they operated but we think we're seeing in this year's data and it actually kind of pans out to historical is another. Kind of practitioner says, I am applying identity stuff to other problems too. Privacy issues to sort of marketing consent, to mobile applications to API surfaces and
full disclosure any. And I write the report we could be dramatically off on this, but I think there's a day or their of, we're starting to see different flavors of practitioners. And so, to Andy's point Not having like, oh, this is just for a flavor, right? There's this, you know, that of how you do what you do.
Also to me, reflects the fact that this problem dealing with digital identity is super complex, it has so many different facets and those all have different relationships, different parts of the business in the mission in this and what you do. And so we can't just say, like, oh no, and identity practitioner, you know, has to be like this because Not that the nature of the discipline requires a multidisciplinary approach.
Actually. Yeah. No, I agree and I think there's another thing that's happening as the industry grows, which is we're running into this problem, which I guess within the industry, we used to disambiguate very easily about the way that terms get overloaded, right? So we talk about identity, we talk about four of us here. Yeah, we asked a definition of any term, we will get. I'm going to go with no less than six definition. I I think it's highly likely and
this goes back to the episode. We ran a few months back. Now, what is the difference between what is it? Yeah, digital identity. And right hand, and I remember hearing where he's and I was like, oh yeah. What's you like you think he thought it was an easy question to answer and then I was like, oh God, whoa, this goes deep,
right? Yeah. So that definition of that terminology is totally different everybody and it's becoming problematic because it used to be that you were across enough of the things that were happening in the space that you could design the, you ate, and even conversation And even this week I've had, you know, discussions with people who've been the entry for a long time who are suddenly like wait. So, you know, when you talked about identity in this context, did you mean x or y?
I alright, when you talked about authentication, were you talking about specifically in an sc, a kind of Highly regulated contacts, that was a different, you know, that knowledge sharing that has to happen to help us all this Ambu and to help us understand that we have to explain Better, especially outside of the industry. What we mean is another value I think that we get from from those conversations I had like
an elsewhere. I had a conversation this morning with salty Veterans of the industry her like you do you realize that in this Kim's back like we don't really Define this term and this term and this term like Oh yeah, oh crap, it's like and also there's like super vagueness here here and here and so it's important for listeners who are maybe newer the industry. Like don't let the terminology
scare you off. If only because a salty veteran, still screw things up and don't necessarily see our blind spots but I think the thing for practitioners to be able to describe the outcome, the application of the identity technology and whatever it is. As the first order and then you know whether you call it an SP or an RP May reveal some religious stripes or cultural upbringing but it doesn't really
matter. At the end of the day, what it is all we're going to do over the seamless experience to all of our customers and XYZ is going to happen. It's gonna be great and we're going to increase conversion by 50%. That's the outcome. We want to be able to express, I think so, you mentioned, two different sorts of populations. Again, I think there's a third population that sort of sits in between the identity practitioner, the super technical IDP genius, right?
Or the person who is taking identity principles and using than elsewhere privacy consent, which you mentioned. I think there's a third population, it sits in the middle of that. I am program. Managers project managers business analysts business analysts, those types of folks who are not technical, Maybe by Nature, they're not configuring an IDP to use sam'l oauth stuff.
Up MFA. But what they are doing is getting the message, you know, from the engineers to the business, to the executives, to the public etcetera. You know, I kind of liken is an IM program manager, you're out there, shaking hands and kissing babies. You don't need to be the smartest person in the world, but you need to be a good communicator. You need to be able to understand it at least and be able to communicate it to other folks out there.
I think sometimes when I see missing in a lot of organizations is what are we doing to help those folks? Because there is such a broad spread across people in the identity space. You don't need to know all the things of skim right or all the things of oauth or sam'l or you know XYZ Fido, right? Whatever the the real thing is behind, passkeys, do you need to know how it works? People that does a real thing by passkeys. Right, what? Yeah, that's there's this thing,
right? That's not, we're all friends here but it's that. It's that glue. That, you know, basically takes the specs from Engineers and works with the customers, right? To quote unquote office space and of course, you know, my own, what are we being attacked by?
But so, as just to know that this is a live recording, we are now seeing Window Washers attack the windows in our room here and hopefully, it doesn't cause too much of a distraction for us too late, but that third population is really one that concerns me because that's the population that I feel like I have the most
Affinity towards. You know, I've rolled out identity platforms, of course before, But I'm more on the business side of identity now and working with boards, you know, other Executives soliciting and getting feedback and trying to drive the message forward. You know, what are we doing to help that role? Because I see that as critical to getting anything done with that organization. How are you going to go get budget? You need to be able to sell it.
If you don't, people sell it. It's never going to happen or is going to happen too late, and you're continuously in this Rat Race where you're always behind, if I could turn my two sons so near, I think, The role of I am program manager or whatever the role from company to company is going to vary. This is where I think we kind of can transition into the conversation around CID Pro, which is it can help establish.
What that Baseline of identity management best practices basic knowledge and make that consistent across the industry. So kind of throwing it 2nd, you know, CID Pro, maybe give it back Around on what it is and what it's meant to accomplish. Yeah, so that the Cipro again, when it Pros, originally set up, one of the things that we very much had in mind, we're all trying to cope with the window washers, it's nothing. One of the things we had in mind was that there was no vendor
independent training, right? No, vendor Independent Learning material. Now, I want to be clear a lot of the vendors and particularly in the earlier days of the Rewrite, some of the boutique the niche vendors as were then really did an excellent job at putting material out for the community. That was valuable that was well written. It was well-constructed, it was necessarily biased rate and I don't say that in a pejorative sense at all.
It just is it's naturally, you're going to write about your own products, right? And we learned very early on actually in the skill survey, supported the hypothesis that we had the practitioners were really looking for, you know,
some independent vendor-neutral. All knowledge and both they and their employers were starting to look for a mechanism for them to be able to demonstrate that they had that basic level of knowledge and really nothing existed, the industry in the industry, at that time to do that. So we yes last year, right? Am I out by you? You're a party here. I'm at by. Yeah. Earlier this year. No, two years ago correct? I'm at by ear in the other direction. Yes, this is the whole left, right? Thing.
That's been very complicated this week. You drive on the wrong side of the road. I know what can I say? Um, we invented driving now that's a look. I haven't seen how the English invented driving. If it was a gift right now, it would be the one of the brain exploding with Ian right now.
Yeah, well I'm gonna go with. Do you have a flag and then I'm going to move on. Um, so we a couple of years ago, we finally got around to building out the first version of a certification program for digital identity professionals, right? So that's what the Cipro is.
You can go take it today. It's designed for practitioners who've got a couple of years of experience in the industry and it validates a broad set of Baseline knowledge that we would expect the industry would expect that employers would expect T' that practitioner to have there's a set of supporting materials that go along with that yes in the form of the body of knowledge which is all peer-reviewed and practitioner
written. But also we point to a set of other publicly available non-biased vendor-neutral reference material that people can go use. Now, one of the things that you started to point out a minute ago, is that yeah that's great for the technical professional. And I think we'll start to look at some ways that we can expand the Cipro offering over the next few years and whether that's more Technical and more depth or whatever.
But you look at some of the other organizations that Ian spoke to earlier on and the security space and the Privacy space. And you start to see that they've rolled out programs for managers, right? So, I happen to hold some certifications in privacy from the IEP and one of those is a cipm, right? So certified The Privacy program manager, certification. And I think, you know, that's one of the things that we might want to look at is okay. Yet we can serve the technical
community. That's great. How do we also help people grow and develop in that, you know, oversight, governance kind of role. So I might want to push back on something. You said, which was about the sort of program managers and the need for them to be More identity, where so yesterday, I had the privilege of talking about sales forces MFA requirements, at our rollout for essentially requiring, all of our customers to use strong MFA, when they access their products.
And one of the points I make is that the program team that is continuing to operate. This program are not identity experts or even that familiar. They were also. Some of them non-technical. In fact a lot that was an intentional decision guests and know. It was intentional in that we needed a program staff. There was a notion within Salesforce of adoption programs. So like large-scale change in the products and sometimes came with these adoption programs. For example, we changed our UI
layer across. Whole app that meant. How you built components to extend the platform because we earlier platform as a service, as well as a SASS. And so when we change that technology was a real sea change. So there's an adoption program on that to get people to use the new ux and then to start building it and the experiments. So, we knew we needed an
adoption program for this. However, those people were experts in, if you want to touch the entire customer base and affect change, these are practices to go do that. And we know who to go talk to to enlist the next set of people are going to need to help us do that. Now, I will not first decision was made and it was not my decision to make, right? So I was at this point, a the subject matter expert and product lead for the the largest of the sort of surface Is in the products.
I like it. Right? And and this was a good moment for me professionally, like I was like, nope, this is going to work. I really was a bit opposite about it and it turns out and the reason why I was not pleased about it was that I felt like gosh, my folks who should be focusing on Building Product and figuring out, roadmaps are how we can deliver. These things are gonna spend a ton of time, do an identity 101. Getting this program team up to speed and, you know, we're not
going to be doing the work. I was right in that we did spend a lot of time to do the identity 101, but I was very much wrong in that. I didn't think that was the work, but it was the work because all of those conversations that we have with our program team, we then had to go have with our customers. Our customers are not identity practitioners. Our customers, especially their admins are not deeply steeped in MFA.
Absolutely. Not like they're just trying to complete the mission of their business. You know, whether there are nonprofit, public sector private sector in the matter, what year it is. They're just trying to get on with their day and do it as safely as possible to protect themselves and their customers information. And so all the conversations we had internally, we replayed externally. So that was the work we needed to do.
So I am of mixed Minds about saying, hey look, these big kind of identity programs, should you stop it with more identity, SME types, or people that really know how to make the trains run.
Run and I think there's a healthy blend their we backed into it. I would say I mean I don't want to say like there's some grand plan but a healthy mix is really good because what you end up with is a diverse set of folks around the work that needs to be done or the hey, this is the email blast is going to go out and all the my team looks at it as like, Yeah. Oh change that because that's
not exactly how the flow works. Then were guaranteed comes and goes I can't even make sense of the first sentence.
Let alone get to whatever the hell you just pointed at right and so if you didn't have that we wondered how the same response because people died, literally don't know how to process what you're telling me to do that made a lot of sense to me when you were talking about that because I thought about how many times the identity Matrix, Management team doesn't include non-identity people and identity. People are tend to be more technical, right?
And they know how to change their password deal with all the issues that you might run into. Oh, you know, figure out your own problems and users don't necessarily even in the Enterprise especially when you're talking about customers. They can be very low Tech folks. Oh yeah, that really made a lot of sense to me. Yeah. And it's interesting, this is come up a lot. Not actually in the context of this week, right? So a number of the things we've seen presented have been around
some of the new password list. The passkeys, those kinds of things and the challenge of effectively, retraining a global user base in how not to use a password, which is what we've been training them to do for the last 30. 40, 50 years is an interesting one and you can see from a lot of the work that's
been presented this week. The people have been thinking about that more from a Not more from but very much in a how do we bake that in at the technical design level rather than having to come back around later and say, okay, we made this thing, let me explain how it works, right? Because it's very difficult to do that. So I agree with you and I think we have to be very mindful of the non-technical end-user that we're trying to enable. So, really relevant to this week.
I believe, what you say is true. However, here's the challenge. Passkeys, things like that. Pastoralists in general. But specific to pass Keys. The the good work that people like Apple and Google and Microsoft are doing to facilitate the common operating systems, the common browsers to
support. This is amazing. but there's an interesting rub and it's gonna it's gonna sort of chief us as an industry for about 18 months to maybe three years depending on how things go, which is while Google and apple and Microsoft can document like, hey, this is the passkey experience, it's going to the responsibility is going to fall on those who adopt the technology to actually explain it to the, in the context of their customers, or their citizens, or their
students, and Those people are not necessarily in the place to do that. I don't have an infinite Supply dark Riders. I don't have a name from supply of these Yaks things, and it's hard for me to say, oh, well, this is what you're going to see on this device with this browser at Amy change the browser, it looks likely different school like this. I know there's still work to be
done there. So I do think a challenge of yes, we as identity, practitioners need to be formal cards and explain these Technologies to non-identity folk. We also, there is also another order of that, which is to say, I think we have to also start giving our customers those of us who provide identity technology is giving her customers language to talk about this with their customers. Yeah, that's a fair point. I I do think in the case of at least.
So it was funny a little earlier on Ian was gesturing as he said, SME subject matter expert and pointed at me which is hysterical and I'm not particularly in this in this realm, but I do think that some of the work that's gone on with persky's is really so simple for the end user to adopt that we
may not have to do that. Here's hoping but yeah, I mean I like, I'm not sure that I'm optimistic, but I do think that there are some other things that are emerging where I agree with you, like enabling the customer-facing Enterprise to do, what they need to do is going to be a really, really big piece of this puzzle. Do you think the success of passkeys could further drive people to be tied to an existing
ecosystem? So, if you're using Apple devices, you're just going to be that much more locked into it or and maybe that's just the case. Anyway, I mean, I'm I've used Apple for all of my personal devices and it's because every service they pay for, goes across all the services. I'm just wondering in your Passkeys is just going to further drive that if that's a good thing overall or not. So good. So full disclosure, I have no magic inside a knowledge other than the stuff that I've seen
presented here this week. And I absolutely understand where that concern comes from. There was an eyesore at literally this morning a presentation I want to say it was Christian Brown from Google that gave it, but I wouldn't swear to it and he walked through an explanation and demonstrated the sharing of a passkey across two different platforms. It was an Android device and a Macbook. I think. Is it beautiful clean completely drop dead simple.
My grandmother should do it experience today. No, then again, it was in beta or Sir, for those of you that are fun, but was it reassuring in terms of? Yeah, no, we get this. And it has to work seamlessly in the same way. That frankly, a password today, work seamlessly across seamlessly air quotes, across
multiple devices, right? And I've heard a lot of noise from, you know, the folks that are deeply engaged in, these efforts, both on the vendor side and just in the standards for see that, that's a well-understood challenge and not the corner that they all want to paint themselves into. So the I share the concern but I'm optimistic that we're not going to end up in that particular space. The other thing that I've seen today is and I haven't laid Hive hands on it directly, but it's War me.
It's heartwarming to see that there's thought there is not only. Is it working across echo system at the check the moment of the challenge but actually, Away to see that other echo system with that credential. So that you don't have to do that awkward or somewhat awkward or to be determined less awkward motion, right? So it's one thing to say like oh yeah, you can kind of like Bluetooth your phone to the thing to do. The thing for that challenge was to make you be like I never want
to do that again. It's another thing to say, once you do that, you've actually cross-pollinated if you will and you've done it securely. Lee. And so now, when you're in that, okay system, you can take care of that into that echo system and you don't have to do, that awkward gesture again. I want to see that come to fruition, you know, and I think people are working towards that but it was good to see that explicitly call that. I like it's not just a like oh it's a one-time thing.
It's no this is actually a moment when we can actually Bridge those ecosystems. I think that's powerful if it comes to if it really comes to pass I think I hear anything else. That's iterative right? I think this is really just sort of the first version of passkey
and my mind. The next version will probably have and I don't want to put words in Fido Mouse but the cross-platform thing I think is extremely important, not everyone is working with in one ecosystem so they need a way to be able to transport these across different platforms. It needs to be easy enough, though that your grandmother can
do it, right. I think this is where I appreciate what Apple has done for Biometrics when it comes to face ID and with the, you know, Touch ID, they made it a simple where everyone gets it, right? It's no longer foreign.
You to receive a prompt on your iPhone that you have a second Factor authentication to do. I think the thing I've talked about this, I guess it was a couple of years ago, maybe virtual identity versus I can't quite remember something that's sort of like what is the next ten years look like in one of the things that I may dig into this little bit more next year is there's a, there's a change happening in the way, we
identify ourselves. Just things that ceremony is now Inconsistent. Because it's in transition, right? For a time it was there's a box here. What goes? They're using it. There's a box here. What goes there? Password, two boxes. There should only be two boxes and then Eric Google's like what if there was one box and like everyone lost their damn mind.
Flash Forward. Apple has done what they've done with Biometrics. Google has done what they've done an Android. And now the way I get to things is Replete. Right? There's all of these different ways to do this and then you get coffee when you're like smart TV. It's me. Do I want the app that app? No, not that, that app. No, I don't want enter my password there. Please don't make me enter my password there because it's like 65 characters could take all
week and the show will be over. So the fight is on right now, sorry, that's not the right word, the transition is on right now of what are those new ceremonies? Is? There one to rule them all? Is there multiple? That is causing the knees. It's causing us using us as practitioners. And so, I think there's a knee-jerk reaction says, oh, that implementation of passkeys, not perfect. Well, of course, not, things are still in motion.
But the next couple of years are going to be, I think uncomfortable because there won't be one ceremony and because of that, that means if you're rolling out services to citizens to students to customers, you're going to need to accommodate for that or at least explain that. And when you're dealing with your parents gave you like, okay what do I see on? All right. Yeah, that one. Okay, so this is what's gonna
happen. We'll get through it, but I think as practitioners especially roaming the Halls are similar. She like, oh boy. Yeah. Could be a thing but I know that where we're going is going to be better than the two box experience. But if we're constantly in this state of change, when do you jump in and bite the bullet and say, okay, I'm along for the ride. If we know with that, there's going to be a next version of something. Right?
When do I jump in the water? You might not have a choice because the ways in which you're accessing those Services, the designers of those systems, the vendors of those Technologies are going to be Make decisions and good, bad or indifferent. You're kind of along for the ride and in some ways, and that's not necessarily a good thing, and it is important to note, it may not work for everybody.
There are still going to be plenty of challenges of different populations in different use cases and different geographies. Where passkey isn't the right thing. That's okay too. We just have to acknowledge it like There is going to be no one. Probably most likely not going to be one ring to rule them all, but losing sight of the fact,
right? If forgetting the fact that yes, well, this addresses Western population to the tune of 80 90 percent agree, but it doesn't work well, in a Multi-Device mobile-only sub-Saharan Africa scenario, we lose sight of that, then we get in trouble, right? This is why things like, what the women and identities. Study of inclusive. I'm gonna get the name wrong engine to diversity increase. No, it's not well inclusively study.
They did about essentially why you need why it's imperative that you have diverse groups, building an energy solutions is because without those voices and those eyes on things you're going to miss things and identity things, especially when it comes to, how you prove your citizenship, how you express your citizenship, how you express your legal personhood are Our so crucial that. We've got to always keep that
inside. Yeah, and I think to come back to the original question there but from the implementer side rather than the user side, right? So this is one of those things we look at in the skill survey in terms of asking practitioners what are you interested in learning and working on over the next three years and practitioners what are your Enterprises Looking at him, working on over the next three years and we typically see an interesting Gap in those answers, right?
Like consistently your every year, there's a gap between between those things, right? The things that practitioners are interested in, not necessarily the same things that are no prizes are interested in are some of, that's probably natural. But I think my sense is that as with all of these new things that come up, right? Practitioners are going to be interested in understanding.
What they are taking that back and thinking about The the project or Enterprise or business or sectoral context to that they operate in and saying. Right, this is either a, a thing that we're definitely going to need to do at some point. We just got to figure out how and when or be mmm watching brief. Let's wait and see where it goes. My sense is to Ians point. This is probably one of those things where it's going to happen. It's really now going to be a
case of working out, okay? How and when for the given user community? That I serve. Some of the edge cases that Ian talks about on not edge cases. They are. And I'm not suggesting. I know you in. Did not say that they were. I'm just trying to clarify for The Listener that then knowledge cases, right? These are huge. Global populations that operate in very different ways to how we operate. And we really need to start very
carefully. Thinking about every single solution that we put out in the market, whether it's a vendor Product in the space or, you know, a service that we're offering commercially, whatever has to account for those for those populations. And frankly, in many cases, I think we'll end up making better products because of it from a skill survey standpoint. Was there, anything else that
jumped out? As far as you mentioned, this gap between what, you know, what individuals want to learn versus what really organization should be focusing on or what they say. At least what those individuals think their organizations focusing on what? I think is probably where the distinction, I want to draw it in is because I think about it from a board perspective as part of an organization, right? Or the c-suite or Executives, whatever, you know, group is
making decisions. What are they, what are they looking at from a data perspective? Because I know it's important to them, I'm seeing a lot more boards that are focused on what is their identity, access management program. Look like it.
There are specific organization, but if I went and asked, you know, a bunch of seashells, something like passkeys would not even be. Would be like something else they would be like, oh, we need to do IGA or access reviews or we need to get MFA in place, right? They're not thinking about it in those very specific terms, they're thinking it more at a macro level and saying, we need to be better at knowing who has access to what let me. Let me take a swing at this year's results by the way.
Lester up. These are all freely available. Good idea. Pro dorky can get the skill survey number one response, So the question we ask is to the practice we ask, okay? So what are the top related identity? Related priorities for your organization when you work with over the next 18 months and sort of 123 are IGA, a dirty government Administration and Fa and then I dasn't clutter identity management. Now I'm at that was number one last year. We think it basically was a straight response.
And actually number one, to two years in a row, straight response to the pandemic, right? I need a control because I got Course everywhere and if I want to do this a zero trust thingamabob or whatever the hell that is like I need some if I go right, people ran fine great. So let's move down and I think what we're seeing is a return to more classic risk management on the part of boards and on and it shop saying let's we upped our governance game, maybe a little bit, this pandemic is more
important. Let's not lose sight of the fact that maybe we did have a material finding maybe we aren't as good about some of these things. It's not lose sight of that. And then, I'd as which, I think dropped two positions and I'm doing that for memory on the previous ones to me is about the normal Cadence, of when identity infrastructure gets replaced out and people saying, look what we
got. Okay, but we don't have the kind of agility that we need and so I think people are really going towards, I'd as as an agility seeking exercise. Now, this is in Ask to what the individuals responded individuals top three decentralized and or self Sovereign identity. I'd as an identity standards and verified credentials actually tied for third there. So I'd as in the second position to we think is a response to the
market. It was very, very popular for a couple years in a row and I think people just said, look, I've been doing On-prem IBM, Tivoli access manager. Deployments, I know there's that product. Does it exist anymore? Like I'm a Tim Tam guy and I'm just living on on-prem. I gotta I gotta okay, right. Because the clearly people are hiring for in certain ideas, vendor here. Okay, fine. That's a reasonable response. The sort of decentralized
verified credential thing. I think is a in that community in our community. People are curious like, hey, there's there's a lot going on here. I don't know, I don't know where to begin life. So I want to go like, really dig into that. Like we are a curious punch. That's a really, really important. Thing is a personally seeing identity standards development as third. I have no good explanation for that one and and I am so many conflicting thoughts of like, that would be awesome.
If we got more people to do the work, we really do. Need it cross the board. Other kind of like are you are you sure? You know what you're getting into? Look at all these beautiful people that were once beautiful and be. And now look at them because they just do nothing but standards and they're so crotchety and I'm presuming that Victoria is the exception that proves The rule here in. Yes. Yes of course. And others that will come and find me later today but I the
standard sing. I feel like if that's true, right people? Like no, I want to get more involved in standards that represents an amazing opportunity to bring those diversities cases back into bodies that maybe didn't have the most diverse representation when we were building those standards. That's what we need, right? We need the next generation of people who are going to work on those things.
The next generation of I generati, who don't even know who they We don't even know who they are yet. Maybe they don't know themselves and who they all probably aren't even in the industry yet. And and may come at this from a really, really different background and perspective. Right. And I hope that that's true because they'll say a lot of good things about, you know, how
things are developing. So case simply last week, I was taking some folks on my team through some things I would to doing with our skill implementation and someone who's a little bit younger said, Skip just feel so heavy. And like, what is like? You're feels like it was made by
XML people. I like, I'm gonna let that slide for a minute because the person in question happened ahead of the exact Mo background, I'm like, well, okay, pot you want to talk about the kettle being black, but then, we're going to toast of Eve was probably like, just like that's not cool, not cool. In skim you can filter for attributes and basically it's just straight up ldap and He's like see. See, look and those are like ldap people in there like Kai, you're not wrong.
But there was that moment of like, whoa, I've been sitting way too close to this to not even like see that or find it funny. I can't now a little time and alcohol. But new folks coming into this who are going to. Look at the way we do things and say, like gosh, why did we do this? I mean, I think a lot of Us kid about the transition from angle. Brackets two curly braces, the XML to Json. Migration of all of our standards. Yeah, a little Being here and there.
But in that process, in that reinvention of the wheel, we're bringing new voices into the process, which means we're gonna get a better product. Yeah, I agree. I also think there's always a caution about just because we used to do it a way before, doesn't mean we have to do it
differently tomorrow, right? Like sometimes there were good design reasons why things were done a certain way and there's a risk in forgetting that history, but it's important to question it. And that brings me a little bit to some observations that you made a second ago about boards and she sews and Executives. I think there are some really interesting questions to start to ask about the way that the c-suite and the way that boards and I distinguish those two
things very, very carefully. Think about where Sits in their landscape, right? Generally speaking historically, I think it's been something that typically sets in the security realm, right? It tends to be more about risk, mitigation compliance, you know, security things. I think we're getting to a point where the question boards particularly need to be asking is how is this enabling our strategy for the next and years. And Yeah.
How is it helping us? Mitigate some of the risks around that strategy but those are business risks. Not technical risks, not compliance risks there. If we don't do this, our top-line business objectives, we're not going to hit him, right? I don't see boards asking that question and it's high time but they should, they made me aware of those questions undoubtedly. Yeah, I mean there's a massive education exercise to do that.
In the same way the Privacy, like the Privacy industry had to go. Oh, through this now. They were helped by regulation frankly, but you know that the shift from there was no privacy representation on the board at all, to every board has a DP 0, right? Where's extremely rapid? But interestingly, most of those certainly that I've observed are still acting in a Regulatory Compliance risk, mitigation kind of mode. It's very rare that you get A conversation, particularly at
board level around. Hey, how does privacy actually make my business unique and better? You know, I suspect that that, you know if this was privacy at the center then we could talk about that for a while. But that's our next venture you need to have you back for that one? Yeah, you know. It's the reason I bring it up is because those are the folks that control the funding. And you can have the best team in the world. The smartest people in the room,
the best tools. But unless there's resources made available to actually put it in place, it's not happening. So I would argue, those are the people that control priority. Resource flows after that. And there is a subtle difference. In my mind, have going to a c-suite, going to the executive ranks and saying, I want you to bless this as a priority. Versus IE 15 headcount to do a
thing. And one of the things that's in the skill survey is about the needs around oral and written communication, the kind of middle of the pack responses if you will, but in my own experience, I'm writing more. Now documents now artifacts almost that I did in any other point in my career, except when I was an analyst and I wrote for a living essentially, but it's around justifying priority. And the ancillary part is that and this is the the resource
that I need. And so, what is the priority at the board level of identity isn't a question? I think that's being asked. I think we're getting different forms of Application of identity. What is the value of digital terms formation? What is the value of US, mitigating certain kinds of risks? And so I'm at peace with that in some regards but I want or should there be more identity questions being asked at those tears around bless this as a
priority. I think it's really time all the prior to zation is really the goal right.
I do you bump something up the list when it comes time to move things forward I know we've I think you also put it in terms of business objectives because a lot of these topics are So difficult that we have a hard time understanding them or explain them to the next level up and then getting it to the the board which doesn't have any contacts on why you should care about investing in Identity or some of the specific areas of
identity. It's like they don't even want to know the details, was it business objective that I'm going after? Yeah, and I think that's, that's why I was kind of talking earlier about that third population, the glue, right? Who is going to the board and helping them set, those priorities or advise them on
that. Can't you know it's it's a bunch of I am Heroes that are typically running an organization throat, identity standpoint, and they're doing their best and sometimes it's a challenge to get things moving forward. I know where you have been waxing, poetic you're around a bunch of different stuff when I start to let you guys go so you can enjoy the actual conference itself. But before we go, we probably want to end on a lighter note. So I'll throw a couple options out there. I guess.
The first one is What is the weirdest thing you have eaten sea cucumber Taiwanese, banquet for a friend of mines wedding? One of the later courses and any attempts to actually chew it. Just cost it to squirt to the other side of your mouth. It was like a lovely sauce. It was really fun, but I'm like, do you actually eat this thing? Or is it more like a Chase? I'm not entirely sure. What that what they use case was
there. Yeah, I think I think mine's going to be on a trip to Japan and it was late in the evening we'd been out. It was End of the week, very successful, everyone was super happy and and for those that don't know, I speak Japanese, right? So it was, I was in a kind of happy comfortable environment and somebody goes, we're playing the game. That always gets played which is let's see what we can get the Foreigner to eat, right? And so we'd been through all the
usual things like tofu. Yeah, that's fine. 12, a goal when you eat hamburgers all the time and it's very strange. I know. Yeah. And that fish and chips thing, you know, we done that the, which is Fermented soybeans, which if you've never had it as an experience and there is an eating technique, which you have to know to you and then somebody says, hey, how about raw chicken? Listen to the correct answer to this question is, no, I think it's time for bed.
Do not say yes to the raw chicken, very bad plan. I got to ask raw chicken. Okay. What is the context for? I think that's what it tastes like. It's like, literally It's like just pluck, it yourself and know, it came in a bowl, I think it was some kind of marinade, but it was entirely uncooked and it wasn't like a Ceviche where you've got, you know, like lemon and stuff. It was, it was, I mean, it tasted great, the flight home the next day was bad.
But you know, I don't think that's a meal before a fight. No, that's not a meal at all. I mean, just no, no, no, not good. Jill about yourself. There was a fusion restaurant in the cosmo in Las Vegas. And it's a fusion of Chinese food and Mexican food. And I got the fried oyster Taco, which I thought sounded wonderful but they had some kind of sauce on it and it was the most acidic thing I've ever eaten. And as I was eating it, I kept thinking.
What is this doing to my teeth? I got about halfway through and I stopped eating it. So Eight dollar Taco into the trash can. Yeah, I remember that meal. That was one of our see ya there. I, you know, I can't think. Anything that I just haven't been, super isn't a terrible question for me to answer, because I just haven't been super adventurous on eating things like that. I would say maybe a shrimp with the head still on which you guys start some work.
Yeah, I mean that was a stretch for me. I'm definitely not that courageous when it comes to our things, but I'm willing to try things bone marrow. I don't know if that's exotic, but sure, I'm getting nods curtain, courtesy knobs in the room, so I'll take it. All right, we'll go ahead and wrap it up for this episode.
Oh, thank God. The window washers here for keeping it to a dull Roar. As we're having conversations that we want to give a shout-out to Andrew and Adrienne and others here at Fido for setting aside some space for us to podcast that which is very cool. And then, definitely for Ian and Andy joining us and waxing, poetic around a whole bunch of
different identity topics. If you're not familiar with ID Pro, hopefully this helped, I definitely a big believer of the mission of it. ID Pro dot-org go out. Join the membership fee for just a slack Channel alone is With it. So I totally would encourage that. So with that, we'll go ahead and leave it for this week. You find us on the web identity of the center.com. We're on Twitter at idac podcast and we'll talk with everyone in the next one.
Thanks for listening to the identity at the center podcast. If you like what you heard, don't forget to subscribe and visit us on the web and identity at the center.com.