You're listening to the Identity at the Center podcast. This is the show that talks about identity and access management and making sure you know who has access to what. Let's get started. Welcome to the Identity at the Center podcast, I'm Jeff and that's Jim. Hey Jim. Hey Jeff. How are you? Not so bad, yourself? Doing great. Episode 199. Uh, come a long way, my man. Yeah, I still don't know what we're doing but we're doing it.
I remember when we did our first episode where like watching the number of downloads and was like 20 down to is we had 20 download, double digits double. You're the smartest people in the world and we knew everybody who downloaded. Oh yeah yeah. I was like eight of them. Testing on different devices. Yeah, yeah. So I had a conversation with somebody who asks a very insightful question which was why do people hire you guys Consultants? Why don't they just do it
themselves? And I had to reflect and think about that, but I thought there are kind of three areas. I want to bounce these off of you and see if you agree. So the first one is kind of lack of experience or capability with what the project or effort is that they're trying to do. So, you know, you and I have a lot of experience in building IAM programs. So for an organization that doesn't have someone with that experience,
they bring in, quote unquote, the experts. I hate calling myself the expert, but, you know, so that's number one. Number two was they lack the quantity of staff in order to go at the speed that they want. So, you know, they have a limited number of people in the team. They want to go fast. They want to implement software, they need to burst up. So consultants are a way to do that. And then the third area, which I kind of feel like happens the
least, but it could happen more, is because maybe consultants can do it at a lower cost. So those are the three that I came up with. There are certain scenarios. I, you know, I think in that last one, it's usually not expert consulting but managed operation. I mean, how many organizations do you see outsourcing the operations, the ongoing support of their IAM system? I'm seeing it more and more all the time.
Yeah, I see it more and more but I think you get what you pay for sometimes and I don't know if it's necessary, it's been great for like yeah, let's keep the lights on but I don't find those companies that have taken that step as innovating in the ride, any programs they've basically stopped moving forward. We have hit the pause button and everything they're doing. They really don't care about keeping the lights on. I think it's pretty rare that you find a true partner in the.
In the managed service partner area that is actually still continuing to help their customer, their client, evolve, improve, stay current with the trends, the identity space. They're trying to lower their costs as much as possible and especially if they're on a fixed fee, you know, sort of like retainer type thing. They're not going to volunteer additional work that's going to hurt their margin. Right. Hey, this is inside baseball for consulting, right?
This is how it works. You mentioned a couple things, right? So experience, speed, the lower cost. I don't know if you get all three necessarily. I could get depends how you work with the experience. I think is the most important one. I think the thing that I find is most helpful is that you're bringing in people who have done it before and who have made the mistakes before.
So they can tell you what mistakes not to make so that you can fail in new and novel ways rather than ways that have already been done before. So you know, and I think that that's just the reality. The situation is, okay, well, you and I have done, I don't know, hundreds, I think, at this point, you know, of strategy engagements and advisory and assessments and things like that. So we have the experience of going across a number of different verticals, a number of different companies
of size. Use cases, Etc. We kind of know what works what doesn't work along with their own experience in the Enterprise where we both kind of came from before Consulting? So I think that's the biggest benefit, you know, the reason why you wouldn't want to do it
cost. I mean, why wouldn't you want to get into an ex, you know, get an expert who can do it unless you can't afford it and then, right, and budgets are big things, especially right now with the way the economy is going, not everyone has X number of dollars to bring in an expert to help solve their problems. And I think that's where things like this podcast, ID Pro, you know, conferences that are out there, things like that, there is a lot of good stuff that's
out there. That people can kind of tap into the accelerator. I think is helping people understand, okay? Here's what you want to be looking for. Here's what I hear the things you need to think about versus trying to figure it out on your own and you may be successful or might Take you longer to get to that successful State compared to someone who's been down that road before I agree. I think conferences are great
way to learn. I think one of the best things about conferences is when Jim and Jeff facilitate a session, which I posted to my LinkedIn today, that we are facilitating a session at the Gartner IAM Summit, which is in two short months, not even, in Grapevine, Texas. And I put the post out there to see if folks would volunteer questions because we're going to do more or less like a fireside chat, but with no fire, maybe a flamethrower.
Yeah. Anyway, I'd love to kind of gather questions, but my other question for you. So looking at the agenda for Identiverse now and kind of gearing up for us going there. And what I wanted to know is, will you do the morning yoga session with me? No sunrise yoga. Thank you, though. Appreciate it. I will be somewhere getting, trying to find chicken and waffles, if I can, and carving up. Right. I gotta, you know, be ready to
go for the day. Yeah, well, there's no better way than to start with sunrise yoga at 6:30 a.m. Yeah. No, that's going to be a no for me, dog, as Randy Jackson would like to say. You mentioned the Gartner thing, but definitely get this out there. We're trying to, you know, really come up with good questions that we can ask the Gartner analysts out there. They've been very gracious so
far. If you are concerned at all about what you might want to ask in public, I did reply to your comment on LinkedIn or your post on LinkedIn. Feel free to DM me. I will keep your secret identity secret, and we're going to take the best questions and try Jan them. Only half an hour, and there's a couple of you, and I've already come up with and we want to make sure we try to get, you know, good solid hard questions that we can really Grill, Henry, Kay. And Becky on.
So if they're listening, I hope they are prepared. The intent is to really get to the belly of the beast, as we're calling it, for the Gartner IAM conference. Yeah. Absolutely. Anybody who volunteers a question, too, I'm going to make an offer. You DM me your mailing address and I will send you an Identity at the Center sticker, which is like one of those cool vinyl stickers, which is weatherproof.
It's also dishwasher proof and yeah, but I think most people will put it on their laptop lid, so that's kind of cool. I don't know, I mean, this is exclusive thing. I don't even have a sticker, so people be a have them. Our friend, Stephen Strong, has put a sticker on the back of his trailer. So, somewhere in the Seattle area, is an Identity at the Center sticker on the back of his. I'm not sure what he's toting around in there, but that's the only sticker that I'm aware of
in the wild. But be cool to see more out there. So yeah. DM Jim your address and he will send you all try to remember to put the sticker in the in the letter before he mails it and that is something that's like joke. Yeah. All right. Why don't we get to our topic du jour? Because we've covered a lot of topics that she can certainly
help us with. I'm very happy to have Sarah Cecchetti back with us. She is the head of product for AWS Cognito. She's a co-founder and board member of ID Pro and this is her third time on the Identity at the Center podcast. Welcome back, Sarah. Hola.
So it's been a while. The last time you were with us in person, in quotation marks, because we're all virtual at this point, right, was episode 101, where we talked about AWS Cognito. And at the time the about-to-be or newly released CID Pro certification from ID Pro, so I'm sure a lot has happened, going to cover that. And then after that, we did an episode. And by the way, that was like, whatever. I think our most popular episode that we've ever done.
So, if you haven't heard her episode, that's a great one. Everyone, for whatever reason, decides to go right to 101, which is fine with me because episode 1, frankly, sucks, because it's literally me on Zoom, with Jim in an echoey basement office. And it's not the best audio quality. Content is good, I think, but the presentation, we will more desired. So there we go, 101. Sarah, why don't we start there real quick? Because if I, if people want to
know their order, Origin story. They can always go back and listen to that. How is, let's start with CID Pro. It's been a couple years. How's that going? It's really exciting. We've had a number of different people take the test and a vast majority of people are passing. They tell us it's a hard test, it's really challenging. It makes them feel like They don't know everything about identity, which is true for
everyone, right? No one knows everything about identity, but at the end of the test, you get scores for each of the five different pillars that are on the test. You actually know like, okay, I passed. But this is how well I did in each area. Like this is where I can go and read more of the body of knowledge, which we'll talk about later, and kind of expand my skills. So, it's been valuable, not just from the point of view of validating, like, yes, I am an expert in this.
I do know what I'm talking about but also helping you understand where your growth areas are. I think that's super unique and super cool because usually, you take a certification test, it's like, did I pass or fail? How did I do? I don't know. And you don't really know how you did and what areas to study on. I could tell you it's not a pushover test for sure. I am fortunate enough to have been involved in the first round of creating questions.
I think I have, I don't know if my question is still in there, but that is not a pushover test, so people who are CID Pro certified know their stuff. Yeah, maybe they're not 20 years into it, but they definitely had to, you know, study and have some experience to get this done. I think the target for it is what, two years, I think, of experience, is that roughly kind of what it was looking at, or was it more or less than that? Yeah, so we had a bunch of identity
experts, yourself included, me included, write questions for the test. The questions are hard, but when we calibrated the test, we had a bunch of identity experts take it. We knew how long each of them had spent in the field. And so we said, okay, where should we make the cut line? This test, is it you have to get 70% of the questions right? Is it have you 90% of the questions right?
And we made the cut line right at: people who have less than two years of experience answered fewer than this number, and people who had more than two years of experience answered more than this number correctly. So if you have two years of experience in the field, on average, you should be able to pass the test. Yeah, it's a good test. I'd definitely recommend it to folks, to go out and take a look at it. We always talk about ID Pro, I
think hands down, the thing that has been most worth it is the Slack channel and just having access to so many smart people. I know that I've asked questions in there and gotten answers, you know, pretty much right away for my daily work, and things like that.
Even if you are a lurker, which I tend to be in those types of scenarios, it is so worth it just for the Slack channel. Yeah, there are a lot of industry organizations that are just kind of collections of vendors and different ways for vendors to sell to you, and ID Pro is really just a collection of, like, doers who are like, oh God, don't do that.
Don't use that product. Like, you'll hear a lot of negative things, which I think makes people feel like, oh, this is an authentic place to be and to hang out and to get honest information. Yeah, it's a cool spot. I mean, I think one of the things I enjoy about the identity industry is, you know, for the most part I feel like people are very welcoming and sharing, and for a lot of folks, this is not secret sauce information that they're trying
to hide something like that. Is competitive for other reasons. Almost, obviously you're a vendor or something like that, that might be something. But for the most part, you know, people willing to answer questions. Share opinions, which I find the best part because sometimes we talk with analysts and other things, they won't share an opinion on something. They will give you a fact and not tell you why, something is the way it is, or what they really feel about it, and things
like that. ID Pro's totally different, you'll hear from the toriel Sarah, Ian, you know, Eric, a whole bunch of people who are out there just answering questions and telling you how they see it. And, you know, it's a good spot to kind of collaborate, commiserate, celebrate, whatever it may be, and there's a whole job
board there, which is cool. So if you know, for people who are looking for identity work, there is a channel dedicated specifically to finding roles within the identity field. I think that is are all weaving around the world. So it's not just focused on the US, it's global in nature, which is pretty neat. The other episode that you were with us was episode number 151, another very popular episode where we reached out to a bunch of our identity rowdy friends, yourself included.
And we asked the question, what is the difference between digital identity and identity and access management? Now, I would like to play your clip that you sent us that we played on that show, just to refresh people's memories, because after you listen to this, and it's about 2 minutes long or so, I'm going to ask you the question:
Has your opinion changed anything having heard from the five or six other folks that we asked and the five or six other different answers that we received from the different people in identity? So let me play that clip now and then we'll keep going here. There is no difference between IAM and digital identity, and I suspect that's what many experts will tell you, but that's not true. There's a very important and overlooked difference.
There's a division of the US government called the National Institute for Standards and Technology, or NIST, and their job is to measure things. How long is a meter? Ask NIST. How heavy is a kilogram? Ask NIST. Well, in the 21st century, they started measuring not just physical things, but digital things, like security and identity.
They wrote a document called Special Publication 800-53. The publication outlined a way to measure how strong an identity transaction was, and it used a measure called level of assurance: how sure can I be that the person at the end of the line is who they say they are? As that document went into broad use, they found it had
cracks in its armor. It wasn't doing the job that it was intended to do because it was too one-dimensional, and it was one-dimensional in exactly the axis that we're focusing on in this episode. It conflated IAM with digital identity. It said that the strongest transactions have both strong authentication mechanisms and strong identity proofing, meaning that we verified the real-life identity of the person at the end of the line.
But that measure leaves no room for a very important use case: strongly authenticated anonymous users. Imagine a political dissident who wants to tell the story of what she's experiencing in her country, but she needs to keep her identity hidden so that her government won't find her. Do we need strong authentication for that person? Absolutely. We need to use the strongest technology we have to make sure that her lines of communication
haven't been compromised. Do we need strong identity proofing for that person? No. Identity proofing that person could actually compromise her safety. We need strong IAM without strong digital identity. That's when NIST hired a team of identity experts, including myself, to rewrite the whole concept of identity verification. We threw out the one-dimensional model and made it three-dimensional. Now, instead of one level of assurance,
there are three: identity assurance level, authenticator assurance level, and federation assurance level, because IAM and digital identity are, and must remain, different. So, Sarah, has your opinion changed? No. In fact, I think this has gotten even more important. Like, as we're seeing wars in Ukraine and Russia, as we're seeing civil unrest in Iran, like, we need to get first-hand accounts of those things.
And at the same time, we're seeing a lot of upheaval at Twitter and saying, oh, you have to be verified, we have to know your real name. You have to have a credit card, right? Or we're not going to promote your content. We're not going to show you in search. We're going to shadow ban you. Right? And so I think it's a really important topic,
more than ever, to say, is this actually a valuable thing to know someone's real name? Like, it's certainly valuable to know they're human. It might be valuable to know where their citizenship is, and so this is an interesting place where we might want some zero-knowledge proof technology to come along and say, like, I don't want to know who you are, but I do want to know that you're a US citizen. I do want to know that you're a human. I do want to know that you're an adult.
Is there a place for anonymity on the web? I think there has to be, I think if we want people to be honest and have free speech, you have to allow them to say things without using their real names. Right, I agree, I think that's important, but I think there's a danger that comes along with that. I mean, some of the kind of the vitriol, we see in message boards. I mean, it ties back to people's ability to be anonymous and would they say those same things if someone knew it was them
saying them. Sure. But there are other solutions to that like moderation. That doesn't mean that we have to get rid of anonymity altogether. Yeah, good answer. I know what I thought when we were going through it episodes like yeah, I think you had the most academic answer but you know after you after we listen to your answers like yep I agree. And then we had Ian's and every listing that and it was different like yep I agree.
And then we had, you know, one which we played On a different episode from fried entity and he made his analogy of like, it's like football. You be talking about the physical object of a football or you could be talking about the this idea of a game that we all call football. And I was like, yeah, that I agree with him too.
Yeah, I feel the same way. It was like the, the context changes based on who you're talking to, and what I found interesting about that conversation was of the people That we had on that sent us something. Only one person was not an identity product person and that was Adam from Texas A&M and he had a completely different answer to. What was generally kind of
agreed. Sort of a, you know, I think what we call like a disagreement of identity was still sort of an agreement, and Adam was the only one who had a completely different. He actually flipped it on its head. He saw IAM as sort of like the thing at the top and then digital identity is the thing below that, whereas everyone else saw it flipped the other way.
And I wonder if that was something because of how close maybe people in the identity industry are. We work in the stuff day in, day out, and Adam is running an identity program for, I think, the largest university system in the world, as far as I know. So he has a totally different. He's more of a consumer of identity products, whereas you, you're managing a team of identity people and you're building AWS Cognito and other identity
type products. The same as, like, Ian for Salesforce and Jamie at Sadie and things like that. And I wonder if it's being so close to the problem, you know, shades your answer one direction or another. Well, I think it speaks to what a poor job we've done as a community of actually defining our terms and making them
consistent. That's something we're trying to do as part of ID Pro. There's an article in the body of knowledge that is just terminology, and some of the words in the terminology have multiple definitions, right? Because different people define them different ways in different
contexts. And so we're at least trying to codify all that in a way that's free and online where people can go and look at it. But yeah there's a there's a lot of things that the identity Community has done in a terrible way like every time I get an Uber and they're like what do you do? I'm like I work on login systems and I'm so sorry that we suck at our jobs. Yeah. I guess it's a question to us like, well how do you do like well I'm a security consultant
so what does that mean? Say well, you know, I IDs and passwords that sort of thing. And then it's like, all right, end of conversation. They have no desires. Talk to me after that me. Hi, I'm the problem. It's me about that, but I think that was the Genesis of the conversation is because there are so many different, you know, different interpretations of that answer of, you know, what is identity and Jim and I have this joke and this is something
I've been doing for years. We have, you know, we're identity and access management experts, right? And then one of us might ask, well, you know, at the end of a session, well, what is IAM? What is that? And it's just a running joke that Jim If it's kind of stupid inside baseball. But let's talk about identity and access management and managing a team, because I would imagine you have a pretty large team that you're managing from a
Cognito perspective. And I think this is an area that we really haven't touched on is what is it? You know, what is it, like, to manage people in the space of identity, we talked, we talked an awful lot about technology and standards and how things work but people are still the biggest equation when it comes to making all this. Work and as the actual end users and real want to kind of get into what is it like to manage an identity team and I guess I'll just start off the question.
You know, what's the most important thing that people should know about managing a team? Is there any difference between managing a normal team, as I'll say, versus an identity and access management team? Not that they're not normal, but I hope you get my drift. Yeah, I think one of the hardest parts of managing identity projects in managing general software projects is that the timelines are really unpredictable, right? Because identity is a security perimeter.
It has to have really high usability, it has to have really high availability, right? If the login system is down, nobody's doing work, nobody's buying widgets, nobody's doing whatever they're supposed to be doing. So, we have to have extremely high usability. We have to have bulletproof security. We're subject to a ton of regulations, the security regulations.
And if you're in the consumer identity portion, as Cognito is, you're subject to international SMS regulations, which are changing constantly to try to combat spam, and how do you, how can you use long codes? How can you use short codes? What do those costs look like? We're subject to App Store regulations, and then, like, we are middleware, right?
We have 100 things upstream. We have 100 things downstream. All sorts of things could break us if they make small changes; we could break all sorts of things downstream if we just make small changes. And so, if we want to make really big changes, that means that you've got to get a whole bunch of people on board and ready to work. So it makes the timelines really unpredictable. So if you are an identity team manager or you work in an identity team, you're going, oh my God.
Like why do these projects never come in? When we think they will, like, you're not alone. That is, that is completely consistent with what the rest of us are feeling. And that's part of being an identity team. Is that like you go with the flow and things get done? When they get done sad, but true, but I guess solace in the fact that you are not alone, right there are is the Equation of it.
And I think about when we think about building an identity team, there's also the human side of it to say, okay, well who are the people that we're going to have on this, who's going to work on what? And can we find the Unicorn? That knows the technology is great at documentation understands how to communicate with customers and clients and things like that. Oh, and oh, by the way, they're also really cool to work with right.
There is no personality issues there that might cause conflict, I guess from your perspective, You know, I think I know what your answer is going to be. I'm going to ask it anyway, right? Do you hire for knowledge or attitude if you can't find both? Yeah, I mean ideally, we want both but finding knowledge is hard, right? Finding identity experts is really difficult. Amazon pays a lot of money and we have trouble finding people
who are identity experts. When we do, it's great. I love working with Dean Sacks and Aaron Crow and all the people who I work with who are just amazing. But obviously that's hard to find. So as soon as you get a critical mass on your team, what we tend to do is just hire for ability to learn, right, and are you a nice person who will help others learn once you get to be an expert and not just sit in a room by yourself and tell people to go away? Miserly
IAM wizard, you know, pay no attention to the man behind the curtain, whatever it may be. Jim, I know this is a topic that comes up a lot, right? It's like we always get asked, it's like, what does our IAM team look like? And I don't know. I'm going to ask that question as if I was a client and I'm trying to stand up an IAM program and services at the enterprise level. So, not on the product side, but hey, a consumer of these services out to my users. What do you know, what do we
kind of think? As kind of our viewpoint on how do you build an IAM team to start with? Yeah, I think it roughly is shaped like a pyramid, right?
You have to have people with a lot of experience, a lot of knowledge at the top, but I think to Sarah's Point like having people who work well with others, so you can kind of Build that team, there the wide part of the triangle and the bottom of people who have less experience, the less technical skills, put them in the right training, get them the right project experience and invest in them.
They'll then move up the pyramid and I think one of the risks is that you know those people may leave your organization, this happens, no matter where you are. I'm sure even Sarah thinks about that with like at Amazon like hey, These people might move out either to other parts of Amazon or they might leave the organization to go, make more money elsewhere. But look, that's what we have to do. We have to invest in people because, you know, one is the right thing to do.
But number two, some of the people are going to stay, right? And if you don't invest in them, they're still going to move up the ladder that just won't be as prepared. So you know, those were my thoughts, but what about you, Jeff? Yeah, I feel like you're totally right on, right? I think if you try to plan around the worst case scenario, you'll never get anything done.
So if anybody, if you're operating good effective team that takes care of your own team members and gives them opportunities, and things like that, I feel like that's kind of stuff that it will work out in the end. Give me attitude over knowledge, any day, if I can get both fantastic, but if I could only have one, I feel like I could train the knowledge. It's much more difficult to break habits personalities. It's things like that.
And, you know, everybody wants to work with people that they like to work with Jim, you and I been working together for 89 years. Now, at this point, we are complete opposites in real life and yet it works, right? Which is whatever it is, whatever reason and so I know how people think we're twins, right? Yeah, I do. Yeah, we couldn't be further from that and I don't know how that even as possible.
But okay, let's talk about the knowledge aspect of it though because that's probably the next step, right? Is I think we can find people who have good attitudes. I think we all have those people in our Lives and teams that they are just, you know, great people. How do we embolden them? And give them the tools, they need to grow better or to improve their knowledge in a certain area and I'm curious Sarah from your perspective. Like what do you establish is sort of like the Baseline for?
IAM knowledge as someone joining your team, you know, if it's, I would imagine it's probably different if it's someone who's, you know, never had a job before or not, you know, not in that space versus maybe a couple of years or maybe even more, like what is, how do you establish that baseline? We do a lot of things. It's not easy to get people up to speed in identity, but the first thing we do is have them join ID Pro.
So little plug here, idpro.org. Amazon is a member at a level where we get unlimited memberships. All of our employees can go be members of ID Pro. I would highly recommend that for your organization, and that just gives them a place where they can go ask any question, right? I have a stupid question about SAML. I have a stupid question about OpenID Connect. I have a stupid question about idea. Whatever it is. And very nice people will come and help you and share their
experience with you. So that's, that's a big part of it, pointing them toward the body of knowledge and having them read, especially the intro to Identity article and the is Sean's. MSA for humans, article is a great one to doing those. We try to create a culture where it is okay to escalate and they know what they should be
escalating about. Out. So when they see something, that might be a security issue like hey we were testing this with fake user data and we noticed that fake user data showed up in the logs. Like should we be paging someone like yes. You should be paging someone. And if it turns out that it's fine, and it's not a problem, and that was totally intentional Behavior. Then you say, you know, this was unnecessary. But thank you for paging me,
right? If you tell them, like, you wasted my time, stop doing that, think more about what you do in the future, right? If you're mean to them, then the That happens. They're going to be like, oh, I better not tell Sarah about that. She's gonna be mean. We always want to make sure that, like, if someone is bringing up a security issue, no matter how it, like, there's a 1% chance that something is wrong, but they get praised for, like, yes, please bring that to our attention immediately.
That's a huge part of it. On my team, we have a weekly learning meeting for half an hour where we just rewatch an Identiverse video, or we read an article, or we do something, and it's a forcing function for us to go and keep up on the industry and learn what people are writing and saying and reading about different identity topics. So that's a huge part. And we have our new engineers actually get on the phone with our customer support people.
So, they'll sit right next to a customer service rep, and they'll put on their headphones and just listen to customer support calls and be able to hear first-hand, like, this is the pain that customers are having. This is the confusion that customers are having, so that they get a real feel for what the customers are going through and how they can help, how they can build products that combat that. So there's a number of different things that we do to help get our team up to speed, but it's
hard. It's challenging and we're constantly evolving how we do it. I find that interesting that you have people sit in on actual customer calls, kind of your things. Can you talk a little bit more about that? Because that's, that's a little bit unique. I don't know if I've heard that one before. It was a way to get people sort of up to speed on the identity questions being asked. And I bet that there's probably some parallels that maybe people can take, even the Enterprise
scenario. Like, what are people calling for? Password resets, or things like that. And really kind of listening to the customer and probably their frustration with something that's not working. Absolutely, it helps us understand what terms customers do and don't know, right? It's a lot of people tried to build identity systems, like I'm just building an app and I need to build a login and I don't really know anything about identity yet. This is the first time I'm
trying to do this. And all of a sudden, I'm drowning in documentation about OAuth, scopes and claims, and all of these terms that I don't know what they mean, and I've never heard of, and what's a token? And where can I store the token? Should I store the token? And so those kinds of questions are things that, you know, may not even occur to the average developer that, oh, somebody doesn't know this. Like they assume that the people who are building are identity
experts and they all know. And that's not the case, right? Like when we build things, we have to be very, very clear, as much as we can, in plain English about this is what this system does. This is how you make this decision. So having them on those calls and hearing that firsthand directly from the mouth of the customer is really helpful. It's nothing like pain in someone's voice to really jolt someone into doing the
right thing. You talked about the IDPro Body of Knowledge. You talk about sitting in on conference calls and sort of learnings around different webinars that are going on.
And I think one thing that I'd like to control it is conferences because I feel like things like Identiverse and Gartner's IAM Summit and touching things like identity, we can Chrysalis and like it seems like there's no shortage of places for people to congregate physically and kind of talk about different things. How important do you see conferences as part of development? And Jim, we're going to ask you the same question, is like, how do you see that as being important for?
For folks? Get on there, cuz I'm curious to see how he answers me. There might wind up or maybe not Sarah wants to go first. I think it depends person-to-person kind of what they need, if they have no exposure to the identity Community. I absolutely like this. To be going to conferences, they should be meeting people. They should be asking questions.
They should be getting an idea of like these are the conference presentations that happen. For someone who's been to Identiverse for like five years in a row, then I'm like, okay, you probably can do most of the presentations that are going to be there. Is that the best use of your time? Maybe not. Maybe you should be presenting, maybe you should be trying to get a keynote slot, right?
Like maybe you should be trying to level up your skills or go to something different. Go to a European identity conference and see, like, how are they talking about things? There's way more of a focus on consent, on privacy, on open banking, on things that are not issues in the US, and so that ability to go to regional conferences and see how different identity is in
different places in the world. Really interesting really valuable Jim about yourself, a feel like for you and I we probably have a little bit different take just because the future for a job. I feel like it's networking is a big part of getting out there and meeting people and things like that. Do we actually Ed ever learn anything These conferences. Now we do.
I mean, you definitely learn through osmosis but you also, we get to attend some of the sessions, but I just thought that Sarah's answer was perfect because attendance to conferences, really what you get out of it is going to depend largely on where you are in your career path. If you're earlier in your career path, just sitting in some of the sessions and the networking, you know, that's where you're going to get a lot of benefit. As you
You move further into your career contributing is going to be more important. I also was just thinking about it from. I mean, look what you sir are tight. Everybody company's management got used to not traveling and not sending people to conferences during covid-19 Alex back and I think they're kind of slowly, you know, getting back into making that investment. But Companies have to, you know, it's a cost a lot of money to
send somebody to a conference. You know, you've got the conference pass and then you've got the travel. And so, I think, you know, if you're an IAM company, you're probably going to look at it, like, okay, business development is going to be your number one priority, but I think one of the other key priorities is rewarding high performers. I think this is independent of if you're in the IAM industry or your company.
And you're doing IAM. If you've got people on your team who are high performers, doesn't mean you need to send to every conference, but most people, I believe, look at being sent to conferences as something that is like a reward. So they get to go, they get to network. They get to go out to some nice dinners maybe, and to me that's part of it. What do you think?
Not again spot-on. I mean think I you have to like to do it. I think a I recognize the fact that not Everyone likes being in that sort of social you know environment right with potentially hundreds thousands, tens of thousands of people that is not comfortable for a lot of people and I think at least offering it as a choice is an option for people who are interested.
Great, you're totally right about the travel thing and it's not cheap to go out and stuff and I think people have not been going to conferences the last couple years. I was at RSA right before things kind of shut down for covid. You know, few years ago, it was kind of like the last hurrah.
And then things just went downhill from there is like nobody's doing anything in person and then I was at RSA of last year when things kind of opened back up and there was like this celebratory feeling of hey we're back we're back. Covid is no more not, maybe not necessarily true but there was a there was a sigh of relief that's like Hey we're getting back to this, do you think there is value of being, you know, in
the same place? So people hearing the hallway conversations that take place are things that just don't normally happen on a Zoom call, right, or, you know, in a text message or an email or things like that. That's the kind of stuff that I find really invaluable.
I always point back to, I think it was the KuppingerCole conference a few years back on customer identity, where Roger Grimes and I were at like a little table outside of this room and he explained quantum computing to me. And now I'm an expert on quantum computing, just based on that 45 minute conversation that Roger was so graceful with his time within the money. And you know, just educating me on the spot. That would not have happened.
If he and I had both not been there right him to impart his wisdom and share his perspective and me to absorb that like a sponge as much as I could. So I think is super valuable, but I think as Leaders of teams and we all are that is we have to understand that it's not always the appropriate choice for a person. They may not be comfortable in
that role and that's okay too. Maybe it's a virtual pass, maybe it's some other, you know, learning development, you know, things like that, that, that that they might be more comfortable with. And I think we have to understand and be okay with that. As well. They might see it as a punishment. It's like, what do you mean you're sending me out? I don't want to go to. I don't know. Someplace cold in the middle of winter. Like that doesn't sound like fun. Let's talk a little bit about
that. That concept of managing identity teams, and I'm curious, Sarah, from your perspective, what is something that you wish you knew about managing a team of identity engineers and analysts or whatever it may be, that you wish you had known when you started that might have made your life a little easier? It kind of falls into what we've
been talking about. I think one of the mistakes I made as an early manager was I put my people on things they were good at. And what you do then is you cement their skills and keep them from growing, right? So when I joined AWS, they were like, oh my God, Sarah is an amazing speaker, right? He was an exemplary, Erse speaker, she's been identified. As keynote. She's a top 100 influencer women, in cybersecurity
speakers. All he's saying is and my manager is immediately, like, yes, stop doing that. Like you need to learn P&L, you need to learn leadership. You need to learn like all these things, like stop spending all your time doing something that you're already good at.
You don't need to learn that and so when I get a project on my team that's like yeah this requires a whole bunch of data and Analysis. Like I don't go to the guy who's great at data and Analysis, I go to the person who needs to learn that and I mean, unless we're on like some crazy tight deadline, right? And we need our star players but really expanding the the capabilities of your team means that you don't put the best person from the team on the job.
What do you do to support that person? What's the support systems in place where they understand them? Maybe they're not the expert on it, but you're trusting them or giving them the tools that they need to be successful and ask questions and things like that because I think sometimes there's this I don't fear or whatever it may be is like well I don't know how to do this so and then I can't do it or I'm afraid to ask questions without you know what's the support system?
You put in place to help those folks out. You've gotta cultivate a culture where failure is okay. So, like the way that we incentivize, our leaders at AWS is that you have to meet 70% of your goals. If you're meeting a hundred percent of your goals, then you're way too comfortable. You're not learning anything. And so, if you're meeting 70% of your goals, then like you're really trying, you're really stretching yourself.
You're trying to do more than you've done in the past and you're failing a little bit and that's good, right? You should be failing a little bit. That's how you learn. I love that idea. Jim, what about yourself? Any tips for how you would, you know, support somebody who maybe, you know, we come across every day, right? Nobody's an expert in everything. Right? How would we approach that on our side?
Yeah, I know, you know, don't know if I have any real pearls of wisdom here but, you know, I kind of, I love identity and access management and I think that everybody should. And I think that, you know, you have to be prepared, to some people this is just a stop along their path in their career and they're going to go do some other things, but I will say identity access management projects are hard. You know, I kind of feel like I talk about IAM as middleware a lot.
And you know what's hard with middleware? It is basically technology that's connected to other systems. So many other systems depend on it. That makes everything more complicated, from the development to especially testing, and then when you go into production, how you keep, you know, to change not only within your application but all the connected systems to make sure that things don't go awry. And so, you know, I think that it's not for everybody.
But for folks who like really get a charge from a challenge like that, I think can be a great place to build a career. I think it's good. I think it's good advice, right? I think the three of us are identity lifers, probably at this point, but I think it's important, right? That future CISOs, right, they may not be an identity expert, but they should be walked coming through at least
some of this on their way there. And I would certainly encourage folks to, you know, even if you're not interested in being an identity lifer and you're not that nuts like we are, you need to know this stuff to be able to really come up with an adequate and effective information security plan, whatever that is. You have to know what you're going to protect, who's got the keys at the castle, right? All that stuff. That's all fundamental.
All the marketing terms that people have heard of last couple years, zero trust. Guess what, identity's at the center of that too. So you need to know that stuff. So even if it's not your primary domain or expertise within cybersecurity, for example, or information security, you still need to be conversant and understand it, and in those cases you lean on the experts, right? And maybe Jim like your
question. Um, maybe that is where you bring in a consultant because you know, No, maybe 20% or 40% and you bring in someone who can fill in the Gap to get you. The rest of the way 100%, you know, in in a certain area would rule, maybe I think you answered a question that I was going to ask next to Sarah, which is what is the biggest challenge that
you have today about managing? I am saying you mentioned just how hard it is to actually do my taxes management projects successfully because of all the upstream and downstream things and I'm curious Sarah's is that a challenge for you as well? Is there is there other sort of things that you see is like these are the big Yogi's that are out there that we really need to be aware of and manage against or for there are a lot
of them. Like I personally think identity and access management is really a, it's a very nascent field. Like we are the internet in the 1970s, right? It's going to be so much better in 30, 40, 50 years and there are so many big rocks that we have to move, and so like too many good ideas is one of the challenges, like you have to say no to a lot of things in order to be able to prioritize the really big things, and then the
other challenge is, like, okay. So you've got somebody new coming onto the team, they've got to, they just completed their CS degree. They're really excited, they're 22 years old and you're like, yeah, we've got this five-year project that's going to like change this little thing. But changing that little thing is how we get to this bigger
thing. And like, you definitely want to spend the next five years of your life on this, which is, as far as they're concerned, like 20% of their entire lifetime, right? Like convincing them of that is very challenging. But I think it's possible, right?
If you are passionate enough and you can kind of explain that this is a really long term evolution that we need to have in the field toward usability, towards security, and it's not going to come easily and it's not going to come quickly. It requires a lot of people putting in a lot of hard work. Rome wasn't built in a day, passwordless will not be built in 20 years. It's like we've been trying to 10 years are probably another 10
years by the time it actually, you know, comes around. But the things that are happening now in this identity space, in the industry itself, right? The advent of passkeys and things like the FIDO Alliance and getting Apple, Google and Microsoft all to agree on something, right? Those are momentous things. And it is an interesting concept to say, hey, you are solving problems, you are working on problems that may not be solved in your lifetime, right?
However, you define lifetime, whether it's literally, you know, you'll be dead before. It's done, or your your With a particular company, right? I'm sure there's people as they yeah, I started this and, you know, it's been organized, five years and here. So the end game that we're kind of working toward and then they decide to move on and work on something else. That is a very different mindset. I think to have, and that sounds challenging to me, especially with some stuff AWS works on
right. These are huge, big problems. I don't remember the exact stats at the last time we chatted. It was you get like a ridiculous number of authentication calls per second or per minute or whatever it was, right? I don't think normal enterprises deal with that level of scale, and you're working on the hardest problems in identity. And I would imagine that is reflected in, you know, some of the personality of the work that gets done for your team. Am I right on that or am I
thinking about it differently? Oh, absolutely. Like in AWS identity as a whole we authenticate and authorize over 500 million API calls every second, and that was as of last year. You can see how much our revenue is growing. Even in a recession here you can kind of imagine how much our scale is growing in terms of
number of requests. And so the amount of work that has to be done just to keep things smoothly running is huge, and then on top of that to really revolutionize the field and say like, and we need to rebuild this whole thing from scratch and figure out how to do it better, faster, more secure. Like, that's all big rocks that need to move and need a lot of passionate people. 500 million, that is, I don't, ludicrous. I'm just gonna leave that there.
I don't think I can follow up on that one at all. A couple follow-up questions here, just kind of the team aspect. I know we're kind of running a bit long and appreciate the time you spent with us.
How was this shift going from in person to remote you and I were kind of talking the other day about sort of this transition and sounds to me like you guys handle it better than most but I think that's part of the culture and I want you to explain that because I think this is something that I think is a lesson that a lot of people can probably learn in the identity space and managing identity teams of how you can maybe
replicate this. Yeah, one of the things that Amazon learned in early days, was that it's really easy to paper over sloppy thinking with PowerPoint. And one of the ways that you can combat that is by all being in the office together, right? And you're sort of batting ideas around and you're saying oh yeah, no I didn't think about that edge case, I didn't think about that. This is actually a terrible idea, right?
But when you're remote and you just have PowerPoint, it's easy for those terrible ideas to kind of slip through. And so we got rid of PowerPoint altogether internally. We still use it externally. We use it for training, stuff like that. But when we have an internal idea, a product design, an investment proposal, we always
write it down. And so we have this very document heavy culture, everyone here is a very experienced writer, and so when you go into an Amazon meeting, it's actually silent for the first 20 to 30 minutes while everyone reads through the entire document. So there's no charismatic presenter. People with more charisma aren't more likely to get their ideas appearance and people with less charisma. You don't have people interrupting in the middle to
ask questions. Everyone reads the entire document, and then everyone is aligned on, like, here is what we are discussing and you have all the information. And now let's have a conversation about it. And so, the transition to remote culture was really fairly straightforward for us because we have always had this culture of you need to write down your complete thoughts, and, as in, all of the edge cases, and all of the things that might go wrong as part of how you formulate
your ideas. And so that made it very easy for us to switch to remote. So interesting to me because that culture that you just described in a gave me a little window insight and I'm wondering if that's Amazon or Silicon Valley culture, you know, kind of tech company culture, but I'm also thinking that for some people and probably for me, Me like I might melt down in an environment like that, like it's so different from everywhere. I've worked.
Have you run into people who just kind of melt down, or do people kind of, even if they're, you know, coming from like a banking culture, they come in and they, I guess, either fit in or fall out, right? One or the other. There's a little bit of that. We try to select for it in the interview process. We actually make you do a writing sample as part of your interview so that we know that you can communicate your ideas in writing competently.
But I would say, actually the people we see falling over the most is not due to the document culture. It's due to the ownership culture that we push ownership very far down and the org chart so that each individual team is making decisions about. Here's what we're going to build next. Here's how we're going to do project management. Here's how we're going to get this thing out. Here's the order, we're going to release things in and those decisions are vetted with upper
management but they're not. And by upper management, no one has told what to do and so we have when we have director-level people come in from other companies and other cultures and try to like tell the team's, okay, we're going to work on this, we're going to work on this. These are your goals like teams are like this adorable. That's not how we do things here. Like we're the Smart Ones, we will tell you what we're going
to build next. And you can tell us like, if it's a bad idea and why, we can discuss it. But like, there's no top down planning. Yeah, yeah. So interesting. I wonder, you mentioned project management. You know, I'm probably going to sound like a grumpy old man, which I do, you know, a lot of times anyway, but I'm like a waterfall guy. Like, you know, I just feel more comfortable when I have the plan all laid out. And I know step by step and then, you know, mid-career for
me, agile really gained steam, scrum. And actually, I actually have a lot of respect for agile methodologies when it doesn't just become an excuse to do without plan. I'm on my soapbox here, but I do have a question. So, the question is, like, where do you guys fit on the spectrum, as waterfall, agile. Is this something in between? We actually let each team decide. So we have a concept of what we call a two-pizza team, which means that a team that's working on something
should be no larger than a team that could be fed with two pizzas, and so each of those teams gets to decide for themselves, okay, we want to do scrum, we actually want to do waterfall, like that's what makes sense for our team for this project. So there's no top down dictatorship about this is how you do project management. It's up to each team to say, you know, this is what we have
experience with. This is what's working for this project, this is what working for this team. We're going to do a combination that the ink is whatever it is. It's totally up to that. And it's, it's a little chaotic. It's a little crazy, but it works for us at school. Now, if you had Jeff and I on the team, I think you'd have a maximum of four people on a team. Half a pizza for each. Each what size pizza we talking about here and you get the most important thing, right?
Exactly. Exactly. I did also just was wondering, little bit of the inside baseball for Amazon or, you know, at AWS. Do you guys have a lot of shared services? Sounds like a lot is team-centric but I'm wondering, do you have, you know, shared services like, you know, testing center of excellence, change advisory board, service desk, things like that, that you incorporate into your projects, or do you guys try to be self-contained for most of those things?
It depends we have. We had a lot of things that are distributed. We have some things that are centralized, one of the ways that we try to make those decisions. As a product, is if we have someone on the team, are they going to have people to learn from? Are they going to have a ladder up in their career, right? If we only need one usability person on that team, who's that person going to learn from right? How are they going to get promoted where they gonna go versus?
If we centralize all the usability people and we say okay you guys are all one team. You work for all the teams and you do all this distributed work but you get to work together with other people who are doing what you're doing, like that's that makes more sense for us. So it really depends how many people you have. And whether they have people, they can learn from All right, we've been running long and I think, I think it's cool how you've kind of incorporate this
into sort of, like, your plan. So I want to start to wrap things up. We always end on a lighter note, and we came up with a couple, actually, Sarah. So we were talking about this beforehand, kind of how we're going to work through things. And the idea here is I would like you, as of Wednesday, February 8th, which is when we're recording this, this will go live February 13th, I think, on Monday at some point, describe your current state using either emojis or meme or GIF or
something like that. Now remember this is an audio podcast so you have to be as verbally descriptive as possible, so people will be able to follow along, okay, so there's a gif of Kermit the Frog and he's like, waving his hands in the air and screaming because he's so excited and like that's how my life is right now. Like everything is chaos but it's super exciting. Right there is so much going on. Is going to be amazing. That it will all come together
and it will be great. That's a really good one because I immediately knew what you were talking about. Ha, ha, ha ha ha got along at home. Jim, about yourself, how you going to describe your current state using an emoji, a meme, a gift, something like that? See, Sarah's the optimist. And like you said, let's start the podcast off on a good note. I'm looking at it, like, I'm like, yeah, super busy too, but I'm not doing a happy dance. So my current state would be the meme,
Ain't nobody got time for that. I just feel like, you know, it's like people want to get me involved with doing this. That and the other thing I'm like my plates already full. It's overflowing but so yeah. And then you push it over to me and then I take care of it. That's what I, you ain't got no time for that either. I'm here to help out as much as I can. I like that one, too.
You know, I was thinking about one earlier and right now, I'm going to change it on the Because I feel like I'm very fortunate as we've been talking about identity teams, I work with some really good smart people and the the GIF that I'm going to go with is it's gift, not GIF. So, don't even come at me, bro. With anything. Any of that, that that pronunciation is from the movie Analyze. This, where Robert De Niro is talking to Billy Crystal and he's like, you, you are good,
you got a gift, my friend. And he's like pointing as I know. Yes you are. Are your good. And I think about this the really smart people I work with then Trini Ross, Robert Selena yourself, Jim. You know, it's people like that that really kind of get the real work done in the team, and I feel very fortunate to be kind of surround with that. So I use that gift today with someone who is helping me with a
contract. So you know, that was my way of communicating, I feel like I'm I am meme and GIF, first English, Second Language as the way I approach it, but that's how I feel. Now is I just feel like there's so many good people and try to give them recognition wherever I can. Okay, Sarah.
I got one more question for you. I was trolling your Twitter account and I think it was earlier this year, you mentioned something about a chaos button and I am fascinated to find out how this works, tell me about the chaos button.
So somebody posted a picture of a microwave where like the controls for the microwave had been translated into honorable English and the microwave has a chaos button on it, and so we were kind of speculating about, like, what does that mean? Like, can we just put a chaos button on everything?
And so my new goal is like every product that I work on is now going to have a chaos button, and it turns out that it was actually defrost, because in defrost like all of the microwave rays go to different places in the food so that it can get uniformly warmer, something like, there is a reason hidden behind the chaos. But now I'm just like, when you want to set your password policy in Amazon Cognito it's going to be like, do you want to require uppercase?
Do you want to require lower case? Do you want to require numbers or do you just want chaos? It's everything. I hope more identity vendors do this, is like an Easter egg within like their settings somewhere. It's like, yeah, it's a radio button inside of SailPoint or Saviynt, or Okta, or Cognito, or maybe is like click this button, and it totally scrambles all your settings and your tenant or something like that. Exactly.
I love the idea. I think we need to find more ways to incorporate the chaos button. So I am I'm hopeful that we'll see it somewhere and maybe some documentation. I don't know if it's no good, making him say WS, documentation any point, but if you spot it, I guess what? Sarah. No. That's why is I'm guessing. All right. Why don't we go ahead and wrap it up for their Sarah. You're always so generous with your time and you are such a good speaker.
I always enjoy, you know, seeing you present and listening to your stories that you tell on Agent stuff like that, so I'm glad that you keep doing it. Despite people saying not to do it, those people are crazy, keep doing it because I think there's a lot of value that you had out there to just the identity ecosphere, especially the ID Pro stuff, we got to get more people
involved with that. It's such a great resource, we'll have a link on our show notes, IDPro.org. I think it's still $150 for a normal membership? It is on the price. I don't know. Okay. Like, hands down, like the best thing you can buy for yourself, or ask your company to expense it. It's a total no-brainer just for the Slack channel alone and having access to all those
people and stuff like that. So shameless plug, we don't do commercials but we are big supporters of what IDPro does. So we'll have that in our show notes. We'll also have a link to Sarah. Do you want to ask her questions? Chaos button, advice on teams? I don't know, whatever, Cognito I guess, maybe. Whatever it might be, we'll have a link to her on LinkedIn that people can reach out and connect with, as well as Jim and myself. We are on the web, idacpodcast.com, we're on Twitter at
idacpodcast, we're on Mastodon, which is at idacpodcast at infosec.exchange S8 every week, but I hate the way Mastodon does because their naming structure. It's not easy to use and needs to get better and I am very happy. Also, again, plug for the Gartner stuff that we're working on, send us your hard questions, and if you don't want your identity known on the post that Jim put out there, send it to me.
I will, you know, will invoke like the journalist rule, right, of not doing the sources. Jim will send, you will get your address and send you a sticker and, you know, stuff like that. So we hope to see people at the Gartner IAM Summit in March, a lot of friendly faces, and we're looking for hard questions, so don't be shy. Let's really put it to them and see what we can get away with, as we work through, you know, that process.
So, Sarah, any final words of wisdom before we let you go? No, really great to talk to you guys on the episode 200, 200 next. I have no idea where we're going to do, we will figure it out like we always do. All right, thanks, everybody for listening, we'll talk with everyone in the next one. Thanks for listening to a podcast. If you like what you heard, don't forget to subscribe and visit us on the web at identityatthecenter.com.
