This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now, your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey, Jim. Hey, Jeff. How are you? Not so bad yourself. Good. Hey man, I'm going to throw it back to you today because you just opened my eyes to a new product and we're not a commercial for any one product, but this thing looks kind of cool.
Flipper Zero. Yeah, I, you know, it's, it's been out for a while. I don't, I'm not technical enough to know all the ins and outs of it. It literally just came into my mailbox like less than an hour ago so but I eagerly ran down to it to grab it once I got the notification. It's a little like multi-tool
for a variety of different tasks, if you think about it like from, I don't want to say hacking because that's probably not the like the best way to do it, but you know it's designed to do like wireless signals, Bluetooth, infrared. It's called Flipper Zero. Don't ask me any more questions about it because they literally just opened up but it's been making the news for a little
while now. I think it actually got like some sort of like maybe stop shipments into the US or something like that at some point while people trying to figure out what this thing is, but it's Flipper Zero. I'm just reading for the website. Flipper Zero is a portable multi-tool for pen testers and geeks in a toy-like body. It loves hacking digital stuff such as radio protocols, access control systems, hardware and more. Fully open source and customizable.
You had extended a bunch of ways, got a memory slot so you can put your memory card in there. So I saw the access control thing as they found interesting. Let me see you know what this is all about and kind of play around with it and see what interesting things I can get in trouble with, basically. Yeah. Well, it looked like a like a little carry in your pocket buddy for geeks like us. And I I saw like the on the web page there's like a screen where it was like a little picture of
a dolphin head. It reminded me of that toy that kids used to carry around, where it was like you had to feed your your friend. Oh, that. Yeah, that was it. Tamagotchis or like Neopets or things like that, yeah. I never had one of those. I just, I, I, I think I was like in that generation or age range where it was like after that. And so I was like kind of not right in the right age for that. Yeah. Well, I have mine right now and he's very hungry.
So maybe we should get on with the show and I'll feed him and then I'll jump back in. Yeah. That's probably a good idea. We don't want your virtual pet to die. Who knows, maybe at some point that's like AI. We could talk about AI, but like the virtual assistant type thing. Yeah, we got a pretty interesting show today. I know we're going to talk about sort of how do we talk about identity with the board and stuff like that.
But before we get to that, you and I have a lot of different engagements, speaking wise, conferences and things that we'll be at. So I've got a few. I've got one coming up in Cincinnati, OH on September 14th. It's called the Cybersecurity Midwest Summit 2023. It's put on by COM Spark and CDO. So I'm not sure how large it is. Seems like kind of a regional thing. But I'll be there. I'm part of a panel to talk about identity and access management.
Something you haven't figured out what the topic will be? What is IAM? I don't know. It's the existential question, as always. So we'll figure that out probably as we get closer. But if you're in the Cincinnati area, come on down. Check out the link I'll have in the show notes to come say hello or show support or whatever it is. I don't know if I have any stickers left, so I think next
time you and I connect, I'll need to get some stickers from you because I feel like I gave almost everything out I had at the Identiverse conference. So, yeah, yeah. Well, we'll split them up. I don't think we're going to get into 2024 with very many. At the rate we're going, we're giving away pretty good. Yeah, we're going to have to add some more. We've got Identity Week America that's coming up. I'm going to be out in Washington DC October 3rd and
4th. And we're going to be, I, I, I'm going to be hosting a panel there around identity and access management passkeys. We kind of talked about that in our last episode with Andrew Shikiyar and sort of the conversation we'll just kind of have around that. Again, I still need to firm that up, but I'll be out there for a few days. We've got a discount code for that one, which is very exciting. You get 30% off of your conference pass.
If you use the code Ida C30, you can hopefully, you know, use that, take advantage of it. It's Washington, DC. October 3rd and 4th, Identity Week America. I'll have a link in our show notes and then we've got you and I will be at the Authenticate conference. We've got a code for that one as well I D AC15 podcast that could shift 15% off of your registration. I'm really looking forward to that one. I I like it because it's, it feels like, I don't know, more
like a community-style event. I don't know if that's right, but it's in Carlsbad, which is just a little bit north of San Diego. It's on a nice resort. There's golf, there's the beach. That's gonna be a lot of fun, I think, and we're part of the keynote type thing. We're gonna end up doing something like a live show as part of the, part of the festivities here. So that'll be interesting, nerve-wracking, but hopefully people enjoy it and we put on a good show.
It'll be the first keynote that I've been a part of and I don't have to be as nervous because I'll be up there with you. And we're just doing our thing. We do it every week. So, I mean, what to get nervous about? I mean, yeah, we talked to, you know, what millions of people every week about identity and access management all around the
world and the universe. There's just something I think different about being on stage, the bright lights and, you know, microphones and hearing your own voice amplified, which nobody likes the sound of their own voice. I think we'll have a good time. I think hopefully it's entertaining and hopefully, you know, people enjoy it. So that's why I'll be cautiously optimistic for. I think we'll do a good job. Yeah.
And and the other thing is, if you're at that conference, we're going to be recording probably like six other podcasts. And the way the room is going to be set up, the idea is that there's going to be able to be live studio audiences for all those episodes. Yeah, I'd love to have something where we can like engage with people, you know, in addition to our guests and stuff like that. So we have an opportunity to have a lot of fun that, answer questions, you know,
stuff like that. So hopefully people are there. Check us out. I'm gonna make signs to say like, applaud, applaud or laugh. Yeah, we have like something that comes down from like the top, right? And it lights up like when people should be doing their action like a talk show. Maybe we can set it up like Kramer when on that Seinfeld episode where he had like the couches and things like that. That would be a lot of fun. Yeah, right. He really got into that one.
Okay. So that's all the stuff we got going on. Plenty of stuff. Over the next few weeks, hopefully people come and check us out. Hopefully people take advantage of all the different discounts we've been able to secure our show. We'll have all that information, links and codes and stuff in our show notes, but let's talk about how we talk about identity with the board or other kind of
senior executives. I kind of loosely thinking the title of the show will probably something like Bored Conversations about IAM. And when people hear that, they're like, you know, how do you spell board scenario, but, you know, try to be clever. To help us with this conversation, someone who has had a lot of conversation with boards, not boring conversations, but board conversations, B-O-A-R-D.
We've got Bob Ramin. He's the chief product and operating officer at Viridium. Welcome to the show, Bobber. Thank you, Jeff. Thank you, Jim. Thank you for having me. It's great to join you guys and we're not going to have bored conversations. No, we we do our best to not be boring on this show.
I think people, we kind of realized like, OK, we have some personality here and yeah, identity is a topic, but we try to be entertaining about it. You and I actually met through mutual friend Andy Hindel who introduced me to you at the Identiverse conference. So shout out to Andy for making this connection and we just start kind of talking in the hallways like, hey, you know what? We should probably record this. This would be a good one. So let's, let's do that.
Before we get into that, we always like to have the origin story of people who are in the identity business when they join us for the first time. So maybe you can kind of explain to us how did you get into the identity and access management field? Is it something that you chose or did it choose you? So I actually chose it pretty thoughtfully, I guess. So I've always, I've always liked security. I've always liked, you know,
secret writings. So, so I was, I was a big fan of encryption and you know how it worked and you know, the whole, you know, that led me to authentication. And you remember the whole way people used to talk about authentication. Still do. You know, there's the Bob and the Alice
conversations that happened, and then you know a colleague of mine introduced you know the the in the middle, we call it the evil duck of darkness, so that was the that was the that was the person in the middle who was trying to get in the middle of that communication. So so that's that's where I started. I started with the with authentication protocols and and had a great great mentor there, Roger Shell, and he, you know, he's still pretty
active in the industry. Amazing, amazing person and just a great mentor. And I learned so much from him. Fast forward from that, you know, eventually I decided to move up from just the technology side of things and I focus more on the business angle. And that's where I realized that a lot of people don't really understand, you know, what is it
that we're doing? And partly because we make it so complicated, you know, people just want to, you know, understand things in simple terms and and how it relates to them and how it affects them. So the last few years, my focus is really to, you know, turn the whole process into storytelling and, and simplify the conversation, simplify the message and have people understand why something is important, especially cybersecurity and identity being a crucial aspect of cybersecurity now.
And that's the conversations we're having at the C level, that's the conversations we're having with at the C level with our customers and also how to educating our customers how to have that conversation with their boards because, you know, those those conversations need to happen for them to get the funding, for them to get the alignment, for them to get the support they need. So you're with an organization called Viridium.
For people who aren't familiar with Viridium, can you give us sort of like the 30-to-60-second elevator ride? What do you guys do? What problems do you want to solve? That sort of thing? Yes. So, you know, going back to, I'd like to make things simple. At a high level, what we do is we make security invisible. What does that mean? Right? So invisible security is not bad security or less security. It basically just means that you remove the friction and make it less obvious and not in your
face. We do that specifically for authentication for credentials. So we remove passwords from the user experience, right? So where we enable passwordless authentication. And we do that with a variety of factors. And then we have two of those factors are our own in-house factors that are developed for biometrics. We use computer vision for biometrics. So that's a key factor for us. But yeah, we make security invisible, remove anxiety from the login process.
And and help organizations get you know stronger and and have better overall access control. OK. So the elevator doors just opened up. You've explained what you do or what Viridium, you know, does. Take us through sort of a week in the life of someone who's responsible for both product and operations, for an identity organization like yours. Can you just kind of help us walk us through and kind of appreciate you know, what are the types of things you do work on, that sort of thing?
Yeah, so you know it is and you and I were talking about this earlier it it is wearing a two different hats. So the product side is really focused on you know what is it that we're doing on the product itself, how are we, how are we advancing the state of of the product, how are we, you know making sure that you know we're we're supporting standards and and we're doing all the integrations with the existing
IAM infrastructure that our customers have in their environments, how we're supporting legacy applications, cloud applications. The operational side focuses more on demand generation, marketing, go to market, channel development, the other areas that are also touch points for a customer. But they're not directly related to the product. So the overall goal really is to remove the friction from every touch point you have with the
customer, right? That means when a customer comes to your website, or when a customer engages with you, or when a customer is trying to buy something, or when you're trying to explain to them you know the value of what you're providing to them. When a customer is trying to do procurement, when they're trying to do a renewal, all of those are touch points and you can have the greatest product experience, but you can have the worst procurement experience.
We've all seen that in our normal lives. So the operational part of the job is to smooth that aspect out. And make sure that the business
is able to scale as as we grow. And since you bring up all those facets of it, I think everyone probably has a story of like, oh, this is a great product, but oh, procurement was a real pain or, you know, the sales team wasn't responsive or, you know, whatever it may be. And that can really kill the experience, overall experience, right, with an organization. So it's interesting to hear you talk about that. Do you ever find yourself in conflict where,
because you own, you know, responsible for the product side and the operations where you know, I think most product managers are like, yes, it's going to do all these great things and the budget's unlimited and you know, we don't have to worry about support, you know, this other stuff. But obviously in the operations side, you've got to be able to smooth that stuff out and make sure you actually can deliver a product that not only works but works well and has all those
other different parts. Do you ever find yourself sort of in a conflict like that? No, I I think just like what you just said it, it actually it actually forces me to think holistically in a 360 way and you know look at things from the most pragmatic point of view, right. It's not about the shiny toy, it's about how much value and what's the fastest way the customer can achieve value from that. That is the number one focus,
right. So, so for everything we do that is the number one focus is how do, how does the customer achieve value in the fastest possible way because if there's just sit on the shelf then it's doing nobody any good. So Bobber, I've been thinking about these, you know, bringing these topics to the board and I think it's two things, right? Kind of classified as like you're selling an idea. And the second thing is by the time you get to the board, you've already had this conversation.
You've already done this presentation a number of times. So now you're refining your story. And I think that that word intentionally picked that word story. I think you're telling a story, right? You're talking about we have the problem, we have a solution and then here's what we need in order to implement that solution. So I guess what I want to do is throw out some of those ideas to see, do you think that's the effective way to approach that
board conversation? We have some other thoughts that need to be added or in place of that. I think the first thing and and I think Jeff and I spoke about this, the first thing to do is to really make the board understand and and educate them, as, you know, they don't know what they don't know. In fact there was a survey and we'll we'll put a link in there from Diligent survey as to what directors think. And you know they they ranked, you know different things that a
board member is concerned about. And board members in that survey ranked cybersecurity, which you know identity and access, is a critical part of, as the most challenging issue to oversee, right? This came ahead of digital transformation, this came ahead of innovation, capital allocation, and why is that, right? So, so that becomes really the biggest issue because most people don't really understand what that means and and I
frankly, I blame our, you know, profession for not doing a good job in explaining that we use too many acronyms. I've had conversations where, you know, it's like the whole sentence is full of three letter acronyms with a preposition thrown in there just so you know, it sounds like a sentence. So really, it's educating the board on cybersecurity, on identity and access, right. So first of all, you have to explain to them, and by the way, a good way to do that is board decks.
Board decks are always provided up front to the board, and it's a great place for them to get educated on with a lot of material and data they can read up on beforehand so that they come to the conversation more prepared and they're not feeling on the spot asking questions that they don't want to ask or you know, you're being put on the spot either, but helping them understand that, one, cybersecurity is much
more than data protection. So if you ask 10 board members out there, I'm making this number up, you know, what does cybersecurity mean? Most of them will say, oh, it's data protection. Well, you know what? It's more than data protection because and I didn't a cybersecurity attack, you know, that is, you know, basically an identity breach or something like that. It can be way more than data extraction.
It can affect your supply chain. If it affects your supply chain, it affects your ability to deliver product. If it, that is going to your bottom line immediately, right? So if you can't deliver product, you can't, you can't sell thing. You can't make revenue. Your customers will go to somebody else, your customers will find an alternate product. The other aspect is what happens from a reputation damage and a
business disruption perspective. So again, talking in the language of business becomes really, really important, right. Does your board understand what are the different disclosure acts? Because each disclosure act for your industry is going to cost X amount of time, effort and money to to process that and to make that happen.
So what is happening that you don't have a set of people sitting there that are doing nothing waiting for, you know, a disclosure act or a disclosure to happen so that they can do their job. These are the same people who have a nine-to-five job and now you're asking them to prepare information because there was a breach and you have to do some disclosure. So, so it's taking away from somebody else. Does that does that make sense Jim? Does that, is that what you're hearing also?
Yeah, absolutely. I think one one thing that a trap people fall into is they look at these Board of director meetings where they're going to get up and speak about a topic, something like identity and access management, which could be tremendously technical or like you said, you could tie it to the business speak, but all you know the business outcomes and rather than thinking of it in terms of I'm here to make this understandable and to inform
people they think of it as this is my opportunity to show that I'm the right guy for the job. I really understand this issue. That is the wrong way to look at something like that. You know, kind of one of the things I was thinking was, you know, what are you, what are you hearing when you go to board meetings or when you work with people who are presenting to the board? What are, what's the board asking about in terms of identity?
What is kind of that that understanding level that they have today? Or what do I, I think kind of going in there with like that that understanding of here's what I'm here's the level of knowledge that I'm likely to be dealing with. So that you're not trying to make it so basic that OK, you're boring the heck out of me. Or you're making it too advanced that they're not understanding what you want to do.
When you say we're going to use SAML to connect to our IdP to issue a token. Yeah, and you said it right. They don't really care that level of detail because board members are not operators. Board members are a governance function that is helping an organization steer strategically. So for board members, it is more important to understand how cybersecurity identity and access affect the organization at a global or at a company wide
at an organizational level. So when you look at it from that perspective, what is, how does, how does any of this affect an organization at an organizational level? Well, the first thing is, is it going to disrupt my business? Like the business continuity becomes really, really important. It doesn't matter if you're using tool A, tool B or tool C. What's more important is business continuity and the disruption to the business. That could be from supply chain, that could be from people not
being able to access something. That could be people, employees not being able to log in. Or that could be your data is locked up because somebody encrypted everything. So then the conversation happens, OK. So it's not a matter of, it's not a matter of if, it's a matter of when, because cyber attacks are opportunistic. So what is the mitigation plan? What happens when it happens?
So what is the mitigation plan? Another thing to do there is to, I don't know if you're familiar with tabletop exercises. So do a tabletop exercise with your board. Because what that allows it is to that everybody is you know it's a non threatening environment because you know it's a collaborative exercise at that point. And it also identifies if there are gaps between what is it that is going to happen in case of a disaster, in case of a problem.
And everybody understands what their role is and you find out if there's a gap and then who is going to fill that gap and what kind of people we need to bring in to fill that gap. Does that make sense, Jim? Yeah, that's good. I think another thing that is helpful is working with people who maybe know the individuals on the board, what angle they're coming from, because it might be somebody on the board golfs with the CEO of Super Platform. And they want to know why aren't
we just using Super Platform? It can solve all of the problems that we have. We should use Super Platform. I think the other thing is, you know, and I knew this more, maybe not as a fact, but I hear it a lot, is that board members tend to get wrapped around certain industry buzz terms like zero trust or AI. And they might not really know what those things mean like zero trust almost.
You feel like the way it works is implied by the name, like we don't trust anybody so it must be bad or something like that. But I wanted to get your perspective, especially around the second point. Like how do zero trust or AI or some of these industry buzzwords wind up getting ingrained to people's thinking and, do we have to like kind of get ahead of that, debunk some of those things or explain some of those things ahead of those questions coming? So that's a great question.
One way to actually elevate the conversation is to attach the conversation to larger initiatives which you know zero trust digital transformation. Those are you know some of the some of the some of the major initiatives that that happen at at at a board level. Zero Trust is extremely important to everybody right now. So and and it's OK that you know people they they might have slightly different understanding of what Zero Trust is, right.
That's less important. The more important aspect is that you can tie the everything that organization is doing from a cyber security perspective, from an identity and access perspective. You can tie that to the work that is going on to the work going on around zero trust. And you can say, well, you know what, this is what we have to
report. Like if zero trust becomes part of the messaging, if zero trust becomes part of the reason that your customers and your partners feel more confident about what you're doing, then that's great, right? So it's less about, it's less about that they have to understand all the nuances of zero trust. But it's more important is that they understand that there are well thought out frameworks like there's a NIST framework for
zero trust. So attaching, you know what everything that is going on inside the organization and you know saying that look, this is attaching it to this framework, this framework is already defining what is zero trust. So we're doing X, Y and Z or we're using these tool sets to attach
to that. That's the more important aspect because they don't really need to understand the nuances, but they need to understand that you're thinking about it in the right way and framework thinking is the right way because then you're not hung up on a single tool, you're not hung up on a single vendor, but you're looking at things more holistically. That's been my experience. That's my advice to everybody is to use frameworks. I'm with you on the framework thing.
I think 2 areas where if you can attach your thinking to a framework where it's kind of shows that, all right, this isn't just some you know idea that we're we're throwing in to the mix or replacing everything we've always done, but it's actually is part of a bigger ecosystem of a way of attacking the problem. I I also think that Board of Directors are also very interested in what are our peers
doing. So if you can collect that information and say, oh yes, our peers are going down the zero trust route and we have a, you know, folks that are focused on identity at these peer organizations. We have a monthly touch point or a quarterly touch point where we just talk about some of these issues and this is the general direction that we're heading. I think that's, that buys a lot of value as well.
I actually wanted to shift the discussion a little bit to an idea that was talked pretty heavily about at Identiverse, which was the idea of the Chief Identity Officer. We had Ian Glazer on the podcast during Identiverse. He talked to us about this and we we joked around. So what is how do you shorten the name of Chief Identity Officer? We came up with Cheeto CHIDO. Joking all joking aside. I. Love your. Vote that. Let's make this a thing. Let's make this a thing.
It's Cheeto. It's Cheeto. It's Cheeto. You heard it here first. So Bobber, is your vote that organization should have a Cheeto? That's an interesting question. Without thinking about it too much, I think that yes, organizations should have a Chief Digital Officer. And the reason behind that is that, you know, everything that organizations do nowadays is in some way, you know, associated with digital, for lack of a better word, right?
So Cheeto would be Chief Identity Officer, just for clarity, fair enough to me. To me they are, they're, they're similar, right. And the reason I say that is that identity becomes the gate and becomes the, you know, the the front door before you can really do anything, before you can access anything, before you can give somebody access, before you can know what is going on in your organization.
So identities started in the HR system because identity was used to make sure that people got paid so you knew who to pay. But now because we've got so much, you know, digital transformation and we've got so much digital stuff, identity becomes crucial to interaction, you know, day-to-day interaction. So my vote and my opinion really is that you know, Chief Identity Officer and Chief Digital Officer are two sides of the same coin.
Obviously the Digital Officer has slightly more responsibility, but but they are two sides of the same coin. I don't think you can have a Chief Digital Officer without understanding identity and I don't think a Chief Identity Officer without you know how this is going to affect the rest of the organization, which is more and more digital is also not not going to be very useful. Yeah, I mean, the heck, we call it Identity at the Center for a
reason. So to kind of close this conversation out around communicating to the board, I think the most nervous you get when you're going to speak to the board is the first time. So what are your tips for that individual who's getting, you're getting ready to do their first time in front of the board? Yeah. So I'll come down to the really the basics. The Board first of all is there to help the organization.
So you know they the more information they have the better they can help and the better they can help make that decision. Now knowing that you know and knowing that the Board is there for governance and not day-to-day operations, that's important also because that's how you frame the conversation and frame the frame the information to them. So what does the board care about, right, That's important. So you have to frame the conversation in those terms and that comes down to, you know,
risk assessment. What are you going to do if there is an incident? How are you going to respond to it? What kind of measures you're going to put to protect me from an incident and then you know that can go you know break down into you know how is this affecting my supply chain, How is this affecting you know and supply chain can go to vendor management.
How is this you know affecting employees because if you start putting too much friction on the employees then that creates you know, people, people you know find ways around things. We've all seen that. And then, you know, what is the investment that you're going to need and how is that investment going to, you know, give me a payback.
So, so that's what the board is really caring about because if you go in there and you say, hey, the sky is falling, the sky is falling, the sky is falling, I need, you know, $20 million to make sure I shore it up. And then you say, well, yeah, it's shored up. But now, you know, the other part of the sky is falling. You know, it's, it's reactionary, right? It's not proactive. So the best advice I have for that is that you provide upfront information, lots of information.
And so that that's the education aspect. But then tie what you're trying to achieve there. Why is cybersecurity important? Why is identity and access important? Tie that to the business and business continuity, increasing the top line, increasing the bottom line, customer satisfaction, making sure that you're going to pass your audit, make sure that you're going to be, you know, pass your regulatory requirements. That's how you have that conversation.
I think it's helpful too that when we're having those conversations is that hopefully it's not the first time people are hearing it. Everyone in the room, if you can brief somebody ahead of time, you know, someone to be aware of that and kind of bounce things off of, whether it's, be a member of the board itself or maybe somebody at the C-Suite. I find it helpful to have already talked about it and have an ally going in to the
conversation. At least it understands sort of the, you know, what the direction is rather than just walking into, you know, this I imagine like the cold corporate board room, right? It's all steel and glass and you know, frowny faces and you know it's it's a difficult spot to walk in cold right off the street, right, without any sort of relationship ahead of time or at least prep. And I think that's where the board deck comes into play as well.
Sending pre-read information is always helpful, right? They'll probably get better, come better armed with questions and things like that. I imagine one of the things that comes up is around cyber insurance because it's getting more and more expensive. The questionnaires that are coming out are far more comprehensive than they have been in the past. It used to be, oh, do you have MFA? Check the box. Right now it's, you know, do you have MFA?
What kind of MFA? What are your rule sets? Who's using it? Right. They've gone into a lot more detail and I think we're starting to see things more around privileged access management starting to make its way into those sort of questionnaires. What are boards and other C-Suite type executives asking about this and how the organization is going to be able to, you know, retain those insurances or things like that? And I guess maybe even more importantly, what are they
actually doing about it? Yeah, so there's a couple of things happening there. You're absolutely correct that cyber insurance companies and reinsurance companies are asking the question, hey, what are your, you know, what steps do you have put in place, right. And and some of those steps are just simple blocking and tackling. One of you know you mentioned questions changing.
So one of the questions that used to be asked was do you have a password manager in place And if you replied yes to that question, that was considered good. Now the same question is being asked, but if you reply yes to it, that's considered a point against you, right? Because if you have a password manager in place, that means that you know you're you're, you don't have, you know, a Federated single sign on. That means that you still are relying on password. That means that you probably
don't have MFA in place either. So so there's a lot of implications you know from that perspective and passwords as we all know are the are the, you know the most you know phishable credential out there. So, so that is that is extremely important for the Board to understand that hey, if I need to continue getting cyber insurance, you know, sometimes your underwriters will actually stop underwriting or try to manage my premiums. What are the things I need to do? What are the things the
organization needs to do? And some of those things are that you put the right cyber security policies in place and the tools in place. And it's not just getting the tools in place, but also the practices in place, because you can have a tool in place, but if nobody's using that tool, then it's not useful, it's not really helping. And this is where, you know, cyber insurance companies and their questionnaires are becoming more detailed.
So they're not just asking, hey, do you have this, they're asking how you are implementing it and how, what is your processes and procedures around this, right. A certain aspect and and a board plays, you know, a larger role in that because most boards are involved in, you know, if you have to pay ransomware for example, or if there's a breach, they're involved in talking to the large customers. They're involved in having the conversation from a mitigation perspective, from a reputation
and a risk perspective. Another angle there is that another thing that is happening is board members could personally be targeted. You know for cyber, cyber from cyber incident perspective because they have access to a lot more information. So business e-mail compromise targets, C-Suite. They also target boards.
So making sure that you know, your board understands, hey you know these things are not just happening, this is not just a vague or a hypothetical situation, but this is actually real and it's affecting me and especially when it comes to cyber insurance as you're talking about Jeff, this is
affecting the bottom line. This is affecting business continuity because if you don't give, you know it is possible that without cyber insurance you might not be able to continue your, you know business and continue your operations. You might not be able to pay your ransomware. So, so this is this is affecting continuity and and and operations of a business and the ability for that business to
survive when something happens. Yeah, I think, you know nobody wants to get breached insurance is there hopefully as a backstop, but it's getting harder and harder and you know I think people because the the, the pricing look insurance companies don't want to pay this, right. So they're doing their part to make sure that organizations are doing their part from a security standpoint as best as they can and. You know, you don't want any position where you're uninsurable.
It's not a great spot to be in, Bob. This has been a great conversation. I want to start to kind of wrap things up, but I'm curious where do you see AI just taking the identity space overall? I think so. I'm pretty excited about AI.
It it is going to be extremely helpful in everything from discovery to forensic analysis to you know, mitigating, you know, attacks that, you know, we might not have even thought of because you know, the first thing it can do is to figure out where everything is like where's your data right now. Organizations spend a lot of time, effort, manpower, resources, money to identify where everything is, who has access to what and they do that over and over and over and over
again, right? I mean they have to provide that for audit reasons. They have to provide that maybe to their cyber insurance companies. AI can definitely help from that perspective. So discovery is a very important aspect of that. The other aspect around AI is the being able to query and being able to surface information using natural language. Up to this point you've seen like when we create policies, policy creation is not for the
faint of heart. And sometimes you know when different organizations when you create, when you distribute policy creation, one of the problems organizations run into is the policies might be interfering with each other or canceling each other, right? These are security policies I'm talking about and Identity and access policies.
So AI can play a really important role in that aspect because it can make sure that you know one your policies are not interfering with each other or canceling each other out or creating orphan orphan legs. And at the same time, it can also help create policy because you can explain in natural language what is it that you want to do and it can create the security policy that that is most relevant.
So that allows you to take that whole process closest to the business that you know, the application owner, the business owner, the person who is, you know, taking the product to the market or trying to do something. They can make that policy by explaining in simple, you know, English terms, you know, simple language, natural language, what is it that they're trying to achieve and the policy can be
done automatically. Those are those are probably the two most important things I think AI can can help a business from an identity and security perspective. Yeah. I'm real excited to see where and how this is going to affect everybody. Obviously, selfishly the identity space, that's what I pretty much care about, but I'm very bullish on it. Well, you know, this show's moniker, or we've been told it's getting started to be called, AI at the Center.
So we have to have the obligatory AI question every week. You got to you got to adapt, evolve, overcome, right? I mean, so as things change, who knows, right? Maybe AI goes away and it's less important, but right? Certainly it's in the zeitgeist right now. I don't think it will. But who knows, right? We can always adjust. Barbara, let's end on a lighter note. I wanted to ask you about an Iron Man that you just competed in and lost to somebody. Do you want to talk briefly
about that? Because I also know I want to talk about candy after that. Well, I wouldn't say last, last, last, last. I'm just impressed that you actually did it. We were talking about this and I think explain Iron Man because I started asking about what are the different fractions of Iron Man and how can I watch them. Not necessarily participate. Watch. Yeah. So Iron Man is is really a brand for for a triathlon. We just did the Iron Man 70.3 in Oregon. It's a beautiful venue.
I encourage everybody to do that one. Amazing, you know Salem OR amazing town, amazing people and and an amazing venue. So so the three legs of a triathlon are you know swimming, biking and running and they always do it in that order because you know you don't want to do the swim when you're really tired. The, the, the, you know prospect of drowning increases as as you get tired. So they always start with the
most dangerous aspect first. So start with the swim, then you do the bike, then you do the run. Because you know when you get, when you when you fall over, when you're running, it's much, much closer to the ground than even from a bike. So 70.3 is is what used to be called half iron, and that means the 1.2 mile swim, 56 mile bike ride and then a 13.1 mile run which is half a marathon. And that's what we just did in in Oregon. And yes, I was, I was behind considerably like hour and a
half behind me and my partner. But you know, she deserved it because she actually focused on the training and I kind of goofed off a lot. So, so the results spoke for for how we how we trained for it. All right. Well, I like I said, I'm impressed that even, you know, got out there and did it. I certainly should not be involved with any of that right now. I would probably die of a heart attack like 30 seconds in. I want to talk. You should try it, Jeff.
Start with the start with the Sprint and the and the Olympics length triathlons. Right. Don't jump into the Ironman, but you'd be amazed. You'd be amazed of the support, the community, the, the fellow athletes and and the and the feeling of accomplishment as you go through that finish line. It is absolutely amazing. You're thankful for being able to do those things right.
We don't think about those things normally, but when you do all those things and you're able to do that, you're like, you know what? Yeah, the universe is. The universe is helping me. I find sports like running and lifting weights boring for me because I like competition and team sports. It's like I'll play basketball all day long, like literally all day long if I if I could. It's just something about like running.
I find it boring. It just doesn't like mentally stimulate me. But like I said, I'll play basketball, football, you know, stuff like that. You know, all the time we're running short. But I want to ask about candy, and this stems from a conversation that Jim and the team here at RSM had earlier this week. We try to do like a team building sort of thing every other week or so. It's just we call it the the mandatory Chuckle club or
something like that. We used AI to come up with a name and it's basically just like an open door where we have like a meeting invite set up and we can you know, have people kind of come in and just kind of talk whatever, if they can make it great. If you can't, whatever. And we start talking about candy. And Jim has some serious serious, I don't know, thoughts, likes just likes candy. Finally, a subject that I'm an expert on. Yeah. So he had a whole like we.
So I was like, all right, let's let's get serious about about this. We put together like a tier ranking we had. We showed Jim a bunch of different candy pieces and had him rank them. Snickers was on top as like S tier along with Reese's Peanut Butter Cups. And then we started talking about candies that we don't like, and Jim had some opinions about that. So that's today's lighter note. What is a piece of candy or whatever it is that is just your
least favorite? The least favorite for me would be any kind of gummy Berry type things. You know, Swedish fish, gummy bears, any of those gelatinous things that that you know have that strange gluey structure? It's that unnatural. It's not. It's not from nature. All right, Jim, tell me, what's yours? Because you had a few.
So I have to explain. We have to explain scoping for a second, which is you're using this app which lets you create like a almost like a magic quadrant, but it was more more vertically oriented and the bottom. But you only had choice of the candies that they had there. There are more, but I think they picked some really solid losers. And let me tell you some of the real garbage candies that are out there. First off, Mike and Ikes, they are garbage. Jelly beans are disgusting.
Whoppers are. Candy corns. I don't even consider them candy, so I had to pick what's what's up with that, right? Is it corn or is it candy? Both. I think it's neither. I'm with you, Jim. See, I like candy corn. You don't eat them, though. You like the football thing? I'll eat them, yeah. So I I use candy corn to explain football formations to my wife. So we would have the candy corns would be like receivers and running backs and quarterback and then.
Around, you know Halloween, you've got the pumpkin candy corns. Those have become like defensive linemen or offensive linemen, right? Stuff like that. So I explained defensive formations when, you know, very early on in our relationship to help her kind of understand American football. I should probably be, you know, clear on that. So there is a spot and at least in our house for it and and I like candy corn. I I don't can't have too many of them. They're just way too sweet.
But I don't detest them as Jim obviously does. Well, here's the thing about this conversation, right? This is one of the few areas where we can all sit down for a civil conversation, have strong opinions. It's not religion or politics, right? So you could This is fair game for any party. And I'm sure I'm saying some things that some people out there are like, no, you are wrong. Whoppers are not horrible. But guess what I'm going to say?
Whoppers are my least favorite candy. I could have packs and packs of Whoppers in my kitchen and nothing else, and I would go hungry. They're terrible. Interesting. I, you know, I don't mind a Whopper. It's not my favorite, but I it doesn't feel like it's in that category for me. I I don't really like peanut butter. So things like Reese's Pieces and Reese's Pieces Bits, that kind of stuff doesn't do it for me at all. I mean that's I like, I like peanut butter, but only on
bread, right? I don't really like it when it's in its solid form in a in a peanut butter a. Peanut. Yeah, which is crazy because I love a Snickers bar and that's packed full of peanuts, of course, right? So that's like my favorite thing. But I just don't like peanut butter. So like Reese's Pieces and those peanut butter cups, just, they don't do it for me at all. So those those are definitely favorites.
I don't know if I would say I would go hungry if they were in the house and just not eat them, but. That was jelly beans. I don't mind jelly beans. I mean, the black ones are gross, but jelly beans are fine. I'm not a I'm not a jelly. I mean, they just don't appeal to me. Yeah, I would not go seek it out, but it was there and someone handed to me. You know, I'm taking candy from a stranger. I would. I would eat it.
You know, if somebody gave me a Christmas present and it was a nicely wrapped box and there was like an ugly sweater inside a pig. Oh, beautiful sweater if someone gave me a box of jelly beans. I'll probably throw it at them. That's how much I hate jelly beans. So I think we have. So Jim, there are these jelly beans, and I just got them for Christmas from a vendor. They're champagne jelly beans. Now. I still didn't eat them, but
what do you think about those? Well, I've never had them, but I'm pretty sure I don't like them. All right, so here's a community challenge, if you feel like. I don't know sending Jim a LinkedIn picture of like jelly beans or Whoppers. I'm sure he would totally appreciate that. Not too many, you know, maybe just one or two here or there sprinkle throughout just to let you know that you know, you're thinking of him. Maybe next time you have either of them, I'm going to actually.
So we have this tier list that we put together using some some web thing that I found to to help the conversation. I'll put it up on our Twitter, probably before this episode airs as sort of like a teaser to stick it for people to stick around to the end and hear the the fascinating conversation and opinions that that Jim has around candy. We're going to go ahead and wrap things up for this week.
Bob or thank you so much for taking the time and spending with us. I'm glad that Andy hooked us up at the Identifiers Conference and we're able to have a conversation to get to know each other, I'm going to have a whole bunch of links in our show notes so people can connect with Bob around LinkedIn. We'll have a link to viridium.com, VERIDIUMID.com so people can learn more about Viridium.
We'll have a whole bunch of links around the Cybersecurity Midwest Summit, Identity Week America, the Authenticate Conference, the discount codes we have for those, and you can always find us on the web at idacpodcast.com. We're on Twitter or X or whatever the heck it is, idacpodcast. We're on Mastodon, idacpodcast at infosec.exchange. Like, subscribe, tell a friend, tell an enemy. We don't care. As long as somebody's listening. We'll keep doing what we're
doing. Thanks everyone for listening and we'll talk with you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com and find us on Twitter at IDAC Podcast. See you next time on Identity at the Center.
