
#258 - IDAC Mail Bag for January 2024

Feb 05, 2024 | 1 hr 13 min | Ep. 258

Episode description

In this episode of the Identity at the Center Podcast, hosts Jim McDonald and Jeff Steadman dive into answering voicemail questions from listeners. They address topics such as the barrier of entry to IAM for entry-level roles, the role of IAM architects, influential roles in IAM with the rise of AI, and the choice between using Microsoft Enterprise Identity Protection or a dedicated third-party ITDR (IT Disaster Recovery) solution. They also touch on the difference between digital identity and IAM and share their favorite IAM analogies.

Attending Identity Week in Europe, America, or Asia? Use our discount code IDAC30 for 30% off your registration fee! Learn more at:

Europe: https://www.terrapinn.com/exhibition/identity-week/

America: https://www.terrapinn.com/exhibition/identity-week-america

Asia: https://www.terrapinn.com/exhibition/identity-week-asia/

Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at idacpodcast.com and follow @IDACPodcast on Twitter.

Transcript

This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now, your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad yourself. Good, good. I'm wondering if anybody else can hear my breathing. Right before we went on, you said heavy breathing. I'm like, darn it. Sound like Darth Vader?

Yes, Jeff, I am your father. You are not my father, that I saw like Maury Povich. Yeah. Or what is what was that, that TV show that was real popular in the 90s? Which one? Yeah, we're the Jerry Springer. Oh, yeah, Springer. Sorry. That's that's what I was thinking. Yeah. Yeah. You're not my father or you're not the father. You're you're not the father. Yeah. So yeah, you've been on the road. You're actually, we're connected. And you're in a hotel room.

Another bland hotel room. Shocking, right? Yeah, I am currently in Reno, NV and was in Las Vegas earlier this week. Was at the SailPoint sales kickoff for kind of all the partners and stuff like that. First time attending one of those was kind of interesting and fun. Met a lot of great people and give a shout out to Bobby, Alec, Katz, Ahmed, Ashley. I'm sure there were others. Those are kind of the immediate people that were sitting around us.

We went to dinner one of the nights, so it's kind of a lot of fun to kind of talk with them and see what's going on in the real world and from their perspective. But it's interesting. Vegas was surprisingly empty for what I'm used to. Usually there's a lot of people there, and it just seemed like it was like the calm for the storm before the Super Bowl arrives there in a couple weeks. So yeah, it was interesting to just not be inundated with people ever. It was.

It was actually kind of, kind of pleasant. Yeah. Don't you think it's interesting how the whole world is fixated on whether or not Taylor Swift is going to be able to make it to the game? I mean, like, that's what everybody's talking about. Did you see that the embassy in Japan put out a press release.

I read this this morning. They put this out that basically says there is plenty of time for Taylor Swift to make it to the Super Bowl. And because she's playing a a show in Tokyo the night the the night before. But because of time changes and stuff like that, if she leaves after the show, she should be getting there in plenty of time. But there was like concern that you know, would she be late, will she cut the show short to try and make it?

I mean it's just it's gotten pretty ridiculous. I've never, I don't think I've. I can't really. Last time there was like this phenomenon around somebody, an individual that was really impacting the NFL world. It's kind of crazy. What do you think of Taylor Swift? Are you a fan? Nah, I didn't. I don't really care. Or another. I'm sure she's a talented singer or songwriter, but I don't really listen to anything. Yeah, yeah, I I think she has some catchy.

Songs that I like and, but you're a road warrior. You're I mean, like I used to say I've been a road warrior for 20 years, which I kind of feel was true. I mean I wasn't like the elite traveler like you are today. But I mean I was one to three weeks on the road every month for like 20 years. You're like you live out of out of your suitcase now. Yeah, I think it's just this I I think that's kind of a little bit of my role at the moment.

So kind of utility player doing what I need to do but definitely not something that has been historic. Historical at least for me last year is really kind of when it picked up. But I enjoy it gets me out talking to people which is what I like to do and talk to a lot of really smart people. Got to have a really nice dinner with friend Bert who I used to work with so way back in the day and kind of listen to him. I am trying like heck to get him

on the show. We actually were sitting there, we were talking over dinner and just kind of catching up because it had been a while since we'd seen each other. And he's, he was talking about keeping your vendors accountable and honest and making sure you get the most value out of the products that you're buying. I was like, that's it. That's our episode right there. So yeah, that's that's one I've

been working on for a while. And hopefully, Bert, if you're listening, we got to get you on, man. Yeah, let's face it, Bert is sounds like he's the he's the person or exemplifies living in the real world of identity. He's the practitioner out there making it happen, but he doesn't really think of himself as an identity person. I mean he's a he's a CISO and that's happened. I used to work for him back in one of my prior roles and you know I it's it's interesting.

You know it's like well, I don't really, you know, I'm not I'm not an identity. It's like yeah, we, but we talk about so many other information security things as well, right. Identity's part of information security. It's one of the, in my mind, one of the pillars from a security strategy like there is you. Could say there are things. We can talk about it is Epicenter for sure. We heard it from this. So you know Ryan? Yeah, Ryan, Ryan, last episode really nailed that.

But we were talking about, I was in a meeting, I think I was with you and someone was talking about, you know, Microsoft and all their different offerings, like a Venn diagram of overlapping. And I was thinking to myself, hey, I I know what the center of that Venn diagram is. It's the identity. Yeah, I mean, it's everywhere. You can't escape it. Like, what industry do you specialize in Friday? All of them.

Every industry uses it. So, I mean, that's obviously maybe my selfish view of the IAM space, but everybody is doing identity and there are a lot of overlap in use cases. You know, I hate to say it, but not everyone is special, right? There are certainly some unique use cases, but there's a lot of common things that stretch across no matter what industry or vertical or size of organization, everyone is dealing with things in the identity world.

Yeah, so we've been teasing this episode for a while. It's the five questions that we were asking people to leave us voicemails with questions. We got a lot more than five. We only pick five because we're giving away some donated codes to download the e-book Learning Digital Identity by Phil Windley. Phil's gracious enough to get us those codes. So today's the day where we're going to play those questions and then answer them the best we can. Yeah, it was. I mean there were a lot of good

questions. So it's kind of hard to like choose those. Oh, that's a great was like maybe we should do a whole show around that or, you know, I love that for for different reasons. But yeah, these are the ones that we kind of settled on. And I don't know how do we want to go into this? Do we want to go into that, do everything else we want to cover before we start going to voicemail? Yeah, we should talk about

Identity Week, right? I mean, those are upcoming and we've got a fantastic discount code. So we've got Identity Week is a conference that hits Europe, Asia and America. So Europe is in Amsterdam June 11th through 12th, America's in DC September 11th and 12th, and we'll be at that one Singapore. We'll be at the sorry in America, so we'll be at the. We'll be at the 1:00, we'll be there and then Asia is in Singapore, October 22nd and

23rd. Wish we would be there, but I don't think we're going to be anyway. That discount code is IDAC30. It gives you 30% off for registering for any or all of those those conferences. So that's one of the things that we do is like we're going out there and trying to get these discount codes.

We don't benefit directly from them, but you know, we're doing it for the folks who listen and hopefully they can get save their organizations a few bucks or if they're paying for it out of their own pocket, save for themselves. Yeah, yeah. And then come check us out. Identity Week America or the other ones. It's kind of cool. The code works around the world because I know we've got folks listening all over the place. So, you know, there's three different conferences, 3

different regions. I I enjoyed my time there last year. So I'm looking forward to continue to grow and expand. We'll have a little more of a podcast presence this year. So we're working with the conference organizers to help with that as well. But yeah, I, I, I like where that that conference is going. So I think there's plenty of room for learnings and to get together as groups and kind of you know, hear from from folks of how they're tackling some of these challenges that we see out

there. Yeah, I think also just, you know, I've seen conferences do this a few times where they try and go regional. And what is great about the regional aspect is people who normally wouldn't get to go to a conference can go if it's, you know, local and they don't have to hop on a plane or necessarily get a hotel or they can minimize that. The cost of their organization, they can get to go. So I think that's real valuable.

So I think with like Identity Week, America being in DC, there's just kind of a a increased focus on kind of the Beltway and everything that happens inside or near the Beltway. Yeah, I think historically it's been a government focused, kind of more government focused conference. But I think they're trying to expand, right. And the way to expand is to get more people involved, different viewpoints and like I said I I I'm encouraged by the direction of it.

I think it's still a growing thing, which is great. There's there's definitely room for that and it's a good time of year because there's really nothing else I think from identity perspective taking place in the US around around that time. Now, before we get into those awesome questions, I know you had found this post on Reddit. You sent it to me during the week, and I was just like, oh, that's really cool. We need to talk about that during the podcast. So what do you tell everybody

what that was? And then we'll jump into the questions. Yeah, I just happened to randomly be scrolling through Reddit as one does. I'm mostly a worker, and I subscribed to the identity Management subreddit, and there was a topic that said what are your top five cybersecurity podcasts and newsletters that especially focus on identity and access management? And it's like, oh, OK, that's kind of cool. Let me see, you know what's in there?

What are people saying? And the first one was a comment. Identity at the center is the only one I'm listening to. And then the original poster put a comment that's top shelf. So yeah, I had to comment on that one. I normally don't really kind of get involved, that kind of thing, but it was very flattering to kind of see it out there. And I just happened to catch it. I think it was just, it wasn't like I was looking for anything. It was just, oh, OK, you know, what's up there?

And yeah, there we are so Reddit famous, I guess, which is very cool. So if you're on Reddit, you're listening. Thank you so much. If you're not on Reddit and listening, thank you so much. Yeah, what I liked was there were six upvotes and so subtracting the upvote that you put and that the original poster probably put, you know, four people loaded it up.

Yeah, not a very heavily trafficked subreddit, but occasionally there's some Megan's in there and some interesting questions and kind of things like that. I think. I think it's one of those things where that subreddit seems to get a lot of like what I would call like spam advertising and sort of like sponsored branded posts and things like that. But every once in a while, you get one that seems kind of legitimate.

That could be annoying. You know, one of the things I'll do a lot is, you know, type whatever I want to search and Google, and if I don't want to just get sponsored content, then I'll put the word Reddit just to see what comes back. And you sometimes get some real human beings, like what you used to get when you would search, you know, 20 years ago. Yeah, I mean there's there's a lot of sponsorship and advertisement. I've read it for sure.

But this one I choose to believe was legitimate because I actually ended up having a conversation with one of the the posters on there, training some linked messages back and forth. So that was kind of cool. But yeah, very, very cool to see that out there. People obviously still discovering us and for the folks who are sharing that out there, definitely appreciate it. Why don't we get to some voicemails? Yeah, that sounds great.

I one thing I want to say before we start the voicemails is we're going to go through 5 today. We had lots of them. The ones that we don't go through today, we're saving for future episodes. Like Jeff said, some of them were, we didn't want to like punish, but they're good enough questions that we can base the whole episode on the question. So we did save some for that reason. But also it's not like the voicemail lines are now closed. Keep putting questions out there.

We'll use them for future episodes. So yeah, please keep doing that and then, you know, spread the word, let people know. That's how the podcast is growing, is, you know, a lot of times I'll talk to people who are practitioners in our space like, oh, you have a podcast identity at the center. I never heard of it before. Like, oh man, this is somebody who should already know about this. So, you know, spreading the word is certainly appreciated. Yeah, lots of good ones.

I was surprised only one spam slash, not even like trolley, because it was funny. There was one from So whoever put in the Chip chipperson one, I got you. I know who chip chipperson is. So my thought process is like, either they know that, I know that, or they're just a fan of Jim Norton, who is a comedian and that's like his alternate persona. So I got a kick out of that, whoever set that in. But sorry, you didn't win a book. I did recognize it.

Yeah, and then, well, I guess it's not validated, but I thought the person's e-mail address said like chipchipperson@aol.com. And I was like, wow, did they go through the effort of creating that e-mail address too? Or did they just put it in there and it doesn't just put it in there? Yeah, home run chipper. So good job. All right, The first one up is Andrew Champ, the phone. So that's a nice one. So let me play that clip and then and then we'll respond.

Hey Jack and Jim, a new champ on here. Just friend of the show and I'm asking you guys about the barrier of entry and identity access management. There seems to be so many companies are looking for talent, but it's hard to come by, especially entry level roles and that seems to be a struggle around the industry today. There's not many people who can get SailPoint experience because they're not on projects that will do SailPoint.

Yes, SailPoint did open up their identity university to people, but it seems to be still a gap. What do you think are some changes that need that need to happen in terms of companies giving actual level of people a shot into IAM? Because I just don't feel like there's an easy answer to it. Thanks guys. Letter of D what you guys doing and hope to see you guys soon on the show. Bye. All right.

So, Andrew, definitely in front of the show, seeing that a couple actually saw my identity week in Merkel last year. Good question. I like this question because I think a lot of times we focus on people who've been in the space for a while. But this is an area that I think is interesting is how do you actually get into identity? I feel like hands on as the best teacher and how do you get an entry level you know IAM position where you are hands on with the tech with the technology.

What are your thoughts, Jim? Yeah, great. Great question from Andrew and I also really appreciate what he's out there doing to try to help people get these entry level roles. And so this is right in his his lane. I think one of the questions is like if you're starting off what what do you can define as entry

level? In other words, you're already in the company, you're already working in some kind of technology or customer support or is this somebody who is just out of whatever training they're doing and decided like IAM's for me. And I think first off, first things first, like you need to know what you want to do, like where you want to go or have at least some idea, right.

That be open to the idea that it's going to change if you're in that role, where are you in that space where you don't have a role yet? I think you just need to get that first role and you have to be open minded. Like yeah, I'd like to learn SailPoint might be your entry point, but you might get in a company that doesn't have SailPoint, it might have something else.

And it's like then be open to learning a different area of IAM because you can learn it all if you give it time and you get the experience. If you're already in a role and you want to move up within, you know, to be willing to take on new opportunities and learn outside of work. I know everybody's life situation is a little bit different. But most companies don't want to pay people to just sit there and learn, right. They want to pay people to do a job.

So you're going to have to spend some of your own free time kind of improving your skills. I think getting those years of experience under your belt, that's key. I think going and doing a good job, that's key and keeping your eyes open and being somebody who is a sponge and is learning. Those are all the the keys to kind of building yourself up. You know, I think everybody kind of looks at us like, oh a SailPoint engineer. They can make 6 figures.

I want to become a SailPoint engineer, but it's not really that easy, right? You have to kind of pay your dues So you know those entry level positions, you know they might not look like SailPoint engineer that they may get your foot in the door, give you the opportunity that where you're getting a paycheck doing something close and you're building the skills and then when they need somebody to step up and do some more things, put yourself in that position.

What do you think, Jeff? Yeah, I think you've got to be able to, you have to really invest your own time to this. No one's going to hand this to you. So I think you're going through training, you got to work your network, try to find those, those entry level positions. I think sometimes if you're doing like a career change or career pivot, you got to be willing to take a step backwards. If you don't know anything, no one is going to pay you 6 figures to do that work.

This doesn't happen, right. So you have to be able to take a step back and say OK why don't anything. But I'm willing to invest the next couple years getting that experience to that eventually get to you know, the higher paying role or whatever it may be. But I think you hit something very early on that I think is important and that is the what do you want to be when you grow up? Question because there's a lot of different ways to get into the IAM space.

There's technical and there's non-technical roles. What do you want to do if it's a technical role? Well what does that even mean? Is it IGA? Is it privileged access management? Is it authentication, authorization, passwordless, verifiable credentials, decentralized, right? There's a lot of stuff to kind of know and kind of figure out but I think you really have to kind of figure out where what do you think you want your role to be in the IAM space?

If it's time to go, great, go out and do whatever self learning you can, collect whatever certifications you can, you know try to find the entry level engineer role. I think the ones that immediately come to mind if you're looking for that kind of role is 2 consult is 2 areas. The 1st is consulting. A lot of consulting shops are looking for kind of entry level people to train up and develop and sort of augment their more senior staff and that's

primarily around a cost basis. You can't have you know senior level people doing all the work. That's just it's very expensive to do it that way. So you're always looking for you know, fresh talent to kind of come in and start to learn the ropes and kind of offload some of the administrative things or you know, basic configuration items that go on with any kind of technologies. The other is actually going to the technology companies themselves.

If you've, you know a lot of these folks are looking for sales engineers and for Level 1 supports and people they can transfer themselves. So there's a a specific technology that you're looking at. Check out their website and see if they're hiring for those types of roles. You know that's another option that that you can take a look at. But I really do think you kind of start with what are, what do you want to be when you grow up in the IAM space and then figure

out what you need to get there. The role that you start with may not be a 100% match, but if it puts you in position to either get to that, you know whether it's with that company or in others. I think you've got to figure that out. And that's different for everybody. Everyone's got a different. Situation. I think there are also some certain intangibles that if you have these things, you're more likely to get a position. I really want to be a part of a

team. I really like to encourage others and, you know, provide leadership. Wherever I have the ability to lead. I don't feel like I need a title to lead some of those, to tell me those things. I'm like, this person's got the right stuff now, Do they have enough technical skills to do the job that I'm looking for? I don't know. That might be a separate decision.

But if you can make the person know that, like you've got the right intangibles, you know, being a good team member, looking for opportunities to lead, you know, I think those are those are great things. Those are coming to me that people don't hate you. All right, yeah, We just be a decent human being. All right. Should we move on to the next one? Let's do it. All right, so this one comes from Alex Suarez. Hey Jim and Jeff, My name is Alex Suarez and I am an IAM Domain Architect.

The question that I have is, given the increasing complexities of each slice of Identity and Access Management, should a single IAM Architect encompass the entire domain? Meaning should an IAM Domain Architect focus in all aspects of Access Management, PAM, IGA, MFA, et cetera? And therefore could there be an opportunity to have an equivalent of an Enterprise Chief Architect role but solely focus on the IAM Domain as a whole? What are your thoughts? Thank you.

Interesting question. What do you think, Jim? Yeah, my initial reaction is different. Part of it's going to depend on what the organization needs, how big their architecture group is, things like that. I mean, Alex points out something that it's become very obvious to me that the IAM space is growing. There's all these different domains, there's so much to know. I usually don't think that architects need to know the intricacies of every technology

that they're involved with. But I guess that would also depend on the organization, right? So if you are like a consulting organization, you really need to provide expertise at the architect level for your clients. You do need to have a certain level of expertise. If you're the architect at a company, you probably have to be more a Jack of all trades and and have a good understanding of how these things work. So I think it kind of depends which is the consulting answer.

You know if you're roll up your sleeves do IAM every day you're probably you might just focus on access management or something like that or identity governance for sure ITDR. But I think if you're working for a firm that you know it's like a say GE or a bank or something like that, you're probably going to have to have a broader scope. It's just they just don't have enough architects to, you know, specialize too much. Yeah, I like the I hate to say it, but I like the depends asset.

It depends answer and that's what kind of mind is. Is there enough of work to support someone working only as an identity architect? And that's got to be a massive organization. It's got. Or maybe it's a massive identity footprint that you're trying to pull together. I like the idea of it, but I don't know if I necessarily see it in the real world yet. Maybe as we move things along and identity becomes more.

Larger. You know, more spread out across the organization, maybe some things like that. But I find it difficult right now to say, OK, I only focus on identity architecture. That might be a focus for a couple weeks, a couple months, maybe a year as you're kind of standing something up. But once you've got the architecture in place, then what, like what do you do? As I say, it goes back to the question of like is there enough work to support someone working only on identity architecture

for five years, 10 years? I don't know. I think you'd have to be a really massive identity product. I could see maybe something like that at like you know a Meta, a Google, large IdPs, Microsoft, right? Things like that. A normal organization, probably not. And I say normal. Just meaning identity is not their secret sauce. It's not their products, right? To deliver to others.

Maybe a massive e-commerce type thing maybe something like Amazon you know might have something like that but I think it's an interesting conversation and and then should a chief IAM architect exist. I think the second part of the question again kind of goes back to is there enough work to support that? What does a chief identity architect do? That means are there sub chiefs right, Are there other identity identity architects and there's one person who's kind of like in charge of all those.

I mean that to my my mind is like how much how big is your identity architecture to multiple people in a long term role to keep that up and running? I think if you have an identity consulting firm, you definitely could have that kind of structure, right? I mean, we worked at a company where there were several SailPoint architects, so you could see something, but they were. Focused on SailPoint, right. Yeah, that's all they did. Yeah, Yep. But we also had people who were

architects in access management. So I yeah this is one of those depends on, So sorry Alex. Yeah, I hate to say it depends. I think if you understand the identity space and you're able to combine architectures and understand how authorization, authentication, privilege, access, identity, governance, ITDR, you know all that stuff kind of comes together. I think that's great that obviously, you know, makes I think it's very valuable to have that skill. I just don't know if there's enough.

That's a question only your your organization can answer, right? Is there enough work where you only focus on identity architecture? Maybe there is and I'm happy to be wrong because I would definitely want to promote the identity space, but I I just haven't seen it yet where there's been one dedicated identity architect. Usually it's a shared architect type role where they they know the identity side but they also know some the other things going

within the organization. Yeah, like an infosec architect who also understands like the logging architecture, because look at ITDR, it straddles that line between identity and threat detection. All right. Next up we've got Tim Ritter, so here he goes. Jim and Jeff, Tim Ritter from Cloud Identity wishing you guys a great 2024. I'm sure you guys have great plans both personally, professionally and with the podcast here, but wanted to touch on the hiring front.

Cloud Identity, obviously a global leader in IAM and PAM staffing and some advice for people looking out there. If you do have your current role, be grateful. Layoffs have created fierce competition for roles for numbers as everyone is seen on LinkedIn, and now is definitely not the time to be looking for that dream job. If you need income right now, utilize your skill sets and look

at roles. That may not be exactly what you're looking for if you do need income, but the good news is, is our clients have projects starting and we're seeing identity projects throughout the landscape that are getting under way. So we're anticipating around Q3, Q4. You know, there'll be a good flow again on the hiring front within the sector.

But my question for you guys is with all these breaches happening in the introduction of AI, what do you think the most influential roles will be inside for 2024? Is it the CISO? Is it our technical talent, functional leadership? I'd like to hear your guys opinion, but again wishing you guys all the best for 2024 and hopefully see you either at Gartner IAM or Identiverse. Take care guys. All right.

So Tim's a friend of the show, definitely stuck a commercial in there, but we'll allow it. Anything that gets Identity people up and working and employed, I'm in favor of. I think the first part of his statement really is kind of like the job market and competition and things like out there.

I mean, I think that's it's a very competitive market that we're in. Identity, I think there's always people looking for folks, but I definitely agree that it we've seen a little bit of a slowdown with organizations taking a step back. You know there's been layoffs have taken place you know within the identity space as well.

So I think I'm encouraged by it. I think the last year a lot of this was driven by the economy, especially the first half of the year in the US and starting to see that pick up. So a lot of things that people really want to get started maybe in first, second quarter of 2023, they kind of had to punt for a little bit, figure out what the US economy is going to do and it seems like Q4 and then now we're into Q1 of 2024, I'm definitely starting to see that pick up as well.

So totally get that. As far as the influential roles when it comes to AI and IAM, what do you think, Jim? Well, yeah. First I did want to say like I thought that was a good input from Tim. You know, as far as like here's the state of the current job market, but he sees a pick up coming.

That would be great news. You're still seeing layoffs, but that was big reason why we wanted to play this question was like there's a tidbit of information from somebody who's actively, you know, looking to place people all the time as far as kind of those influential roles. I I still think, you know, as far as AI, let me put that off to the side for a second. I still think that it's the CISO who has access to the board and has to keep educating them on

this evolving threat landscape. Organizations cannot just take a hiatus from investing in informational security. And what at least what I'm seeing is that I we've been calling Identity at the center of this podcast has been going for nearly five years, but it just becomes more true every year. The investments in the identity landscape need to continue. In fact they need to increase.

So it's those CISOs and them being able to influence and help the board understand that this is a real threat to the business. I mean being shut down for a couple of days or a week, it's kind of like a, a death knell for a lot of organizations. So putting money into that is, it really is an investment. It's not FUD factor either. I mean, we've seen organizations that, you know, go offline for several days when they suffer a massive breach.

So I think they're influential, but everybody's influential. You know, the, the engineers, the architects, they have a voice within the organization. They need to be letting the CISO know, here's what we're seeing. This is what's happening. This is, you know, the state of affairs that we're in. You know, as far as like AI, the impact of AI, I think, is going to probably impact engineering, the engineering and operations the most.

Because the role I see AI playing in identity is that we can do more with fewer people. So we can, you know, manage bigger landscapes, you know, or say, with the same number of people, keep the same number of people, but basically have the software be able to do more and accomplish more. And rather than taking a year to roll out a software platform, maybe it only takes a couple of months, right? There's still more to technology rollouts than just technology.

There's communication, there's user training, things like that. But I see AI impacting all those areas and making it easier to communicate effectively, to train people as well as to manage complex systems at a larger scale. Yeah, you hit everything that I was going to say he wants to add other than. I stole your thunder. Yeah, you totally did. And I I think you were thinking alike on this one. You know, influence in an organization takes many shapes and forms.

So whether you are the CSO or you are an engineer, an individual contributor or part of the board, I think being aware of how it's impacting not only you know life at large, but specifically for your organization, How are you going to be able to leverage the capabilities that it has? What are the threats that you see that you need to defend against? I think it's, I think it's an important area. It's definitely going to change the way that Identity works for on a number of fronts.

You know, my we've talked about this before is how am I going to use AI to configure or set up connections between maybe you know different applications. Hey, I use a, you know, natural language interface and it's using large language models to convert my basic statement of I want to connect this to that, do it right and it it it's able to kind of infer that. How do you know that it's doing it correctly? Is it configured? Is it set up and secured correctly? Right.

Things like that. I think that's still the area where I I would imagine, especially engineers in this area are really going to take a look at. Can you trust the model or the AI or whatever it is to do it correctly and to keep doing it correctly? And when it doesn't do it correctly, why did it do it wrong? What did it do wrong, and how do you correct that behavior going forward? And then, you know, I think that trickles up.

But obviously you know as you as engineers are talking amongst themselves and they're working maybe with the CSO or maybe they're working with the board, right, whatever it is, I think

that influence goes up front. But I think we've got to make sure that we don't get stuck in the FUD factor, you know, fear, uncertainty and doubt, is let's be honest and open about the benefits and the negatives, you know, that will come with us and be prepared for it. So I think that's, I think that's the only thing that I'll kind of add to what you just said. All right, let's get to Pedro's next. I like his question.

So let's hear it. Hi, I'm Pedro, I'm a Service security architect based in Brazil and specialized in IAM, and my question is regarding ITDR. I would like to know if there's a better solution to my ITDR implementation in ways like is it, it would be more recommended for me to use my ITDR capabilities of my IAM solution, for example using Microsoft Entra Identity Protection as part of the Microsoft Entra solution suite.

Or would be better if I have a dedicated ITDR solution to monitor all my IAM and PAM solutions? Or even if it would be a good approach to have both solutions working together using my native capabilities of my IAM solution and my dedicated solution of ITDR? Thanks. I think this is a question that everyone struggles with is do you use what you've already got and do, or do you need to get something else? Or maybe some combination. You go first, Jim.

OK. Well, we weren't talking about ITDR 2 years ago. Now it's like all we can talk about. And I'm really bullish on ITDR. But how many ITDR solutions exist today? There are a lot of them. I'll just say there's more than a dozen. And so you you think you're so OK, Well two years from now, how many were the will there be? I think part of it is Pedro hit on a great point is that a lot of products are now being built with ITDR features. And when I think about ITDR

features, I think of two things. One is looking at your identity system and when we talk about built in, I'm just going to say system, I'm not going to say systems because if you're say running Okta and you're leveraging what they're developing from an ITDR perspective, it's not going to also work against your like your SailPoint system or your CyberArk system, right. It's just going to work for just Okta. It's going to look at like how vulnerable is your system configured?

Do you have certain patterns that are well known that could be attacked, but it's also looking at, from a live perspective, what's happening in the environment, how is the identity system being used And are you potentially hitting on suspicious behaviors. That action needs to be taken like the response. In other words, we detect that it looks like some hacker's trying to use one of the accounts and we're going to respond by you know disabling

that account etcetera. So again like specific solution built just for that identity system is going to be just for that identity system. And if you're looking at the true ITDR that are I should say a standalone ITDR that's independent of an underlying product, then it should cover essentially all of your identity system. So it really depends on the position that you're in.

I I suppose I haven't gotten far enough down that path to say whether or not and I think a lot of the ones that are being built into products are not at the maturity level that a dedicated product would be. So I kind of think you're going to do both, right. You're not going to ignore the features that your system has, but they're probably not going to be enough for just their own product but also for you know products outside of that product. So that's what my answer would be.

Both. Your answer is both, so having both technologies in place to cover everything essentially. Yeah, I think you need an ITDR to do ITDR things. But if your system has ITDR capabilities, like if you have Okta and it has ITDR capabilities, you should not ignore those. It's kind of like Microsoft has Privileged Identity Management. OK, so should you get a privileged identity or privileged access management system? Well, you need it for everything else other than the Microsoft

stuff, right? But if you do have one of those, does that mean you don't use the Microsoft Privileged Identity Management? No. You can use both, right? They can all fit into one program. So I kind of see it in a similar fashion. This stuff costs money. So before you add a new tool and see if I read, how do you justify that sort of thing? Because this stuff isn't isn't

cheap. You know, if you're, we're talking specifically about Entra, if you're a 100% Microsoft shop and you can live in that world, yeah, go for it. I'm, you know, everything's taking place from a Microsoft perspective. It's probably a good fit. If you've got stuff that bleeds out of that, I think you got to decide, is it worth the cost to add another technology into your

environment. You're going to have to pay licensing fees, You're going to spend money to get it up and running, and then you're going to spend time and resources monitoring. Yet another thing. Does Entra feed into that tool? Maybe. Maybe it doesn't. I think there are. Opportunities here for, you know, thinking about it from a smart spend perspective, yeah, if you have 80% coverage through Entra, great, Is it worth it to go that extra 20%?

I think all you can decide, I think you need to figure out is the business going to justify the spend to cover that additional 20%. And those are just arbitrary numbers, right? Maybe Entra is only 25% of your environment. And yeah, you definitely do need something else, you know, to collect things without really knowing the details on the architecture side of things and kind of what use cases you're looking to address or are at least covered through the Microsoft stack, what are the

gaps that come out of it? It's just been my experience that if you are, if you're all in on Microsoft, that's really the only thing you're using. Yeah, they've got great tools and you should absolutely be leveraging it. Don't go and spend money just because it's, you know, the hot kind of thing right now. Save that, you know save that conversation and over that that budget for other things in a space. Have you gone passwordless

yet? Have you implemented session monitoring, recording in the privileged access management space? You know have you automated onboarding, offboarding like all this other stuff. So I think there's other things to think about as well. I don't like spending money just to spend money. You know, this is, you know, a conversation we have all the time. But if there truly is a gap, is it justified or not? I don't know. I think that's. I think that's my answer is I

don't know. Only you can really decide that because it's if it's a small gap, you might be OK with accepting that risk. That might be OK, right. Maybe there's a manual way to kind of close the loop. But if it's critical to your business, if it's maybe you got a history of security issues, right, things like that. You just have the visibility. Yeah, maybe it's worth it. I can see certain industries, you know, are are more prone to attacks and therefore need to be more secure.

They are the place as well, especially, you know, finance for example, regulations, you know that they have to, yeah, adhere to and stuff like that. Yeah, we don't disagree much. I think we do disagree on this, but I think it's because we're looking at it from different contexts. I think we you're right for a small organization that's all in on Entra and it's covering 85, 80% plus of all authentication, you might be able to get by with that.

I'd say first, well you know, is this just checkbox compliance ITDR or is it like a true, you know, full-featured ITDR for Entra. The second thing I would look at is like I've worked with a lot of organizations where their management of privileged access management is very decentralized. In other words, things that are integrated with the Windows environment are very much like, yeah, you've got to use your Windows environment to get

privileged access. They're still sending standing privileges, but you know, put that off to the side for now. But then there's other pockets that are very important where you have like standalone accounts and databases are in the cloud. And you know, maybe you have 15 different pockets where privilege exists. And I think potentially that's where ITDR could give you a way to have some central program of privilege management without having centralized command and control.

You know when when you're in one of those environments and like your mandate isn't centralized command and control, but at the same time you have responsibility to keep the environment secure. Monitoring is a fantastic way to do that. And I think standard monitoring of like monitoring you know security logs and IP based events, it's just far short of the modern threat landscape which is much more focused on identity based threats.

Where in other words I saw a statistic the other day was like 42,000,000 credentials for sale on the dark web. It's like what and? They're probably like $6. Yeah, and they're cheap. They're cheap, right? And if they don't work, then you get your money back. I doubt Bitcoin. Yeah, I don't. I don't know if there's a there's a money back guarantee on stolen credentials. I look at it from a business perspective. You want to spend money? Tell me what I'm going to get for that money.

Is it reduction of risk? How are you going to use the tools? A lot of organizations buy tools just because and then they sit on a shelf or they don't get full value out of it. I mean, look, if you've got the budget, go for it, right. I'll never say no to adding more capabilities, but just be careful about adding capabilities that don't ever get used and unwise spend.

Just make sure you've got a good story and a good understanding of what you're getting into and how are you going to give those, how are you going to use those tools in your environment, you know, demonstrate the value. All right. Next up we've got Chris Power, another friend of the show. He actually sent in a couple. So this is kind of a a good way to get like you know, 3 for one. The first one was around goals. So I'll play that here. Hi. Jeff and Jim. I love your podcast.

This is Chris Power. We've talked many times at a couple conferences and really appreciate the insights that you give us. My question for the day is it is goal setting season for most of us in January, both on a personal level as well as on a department level. I would love to see what you think is the most impactful goals in the identity space for both people as a individual as well as teams as a whole. I hope this comes in as a good question. And. Look forward to hearing your answers.

Well, it definitely comes in as a good question. I think this is you're totally right. I think a lot of organizations operate on like a calendar year and say all right, you know, go into whatever your system is and start setting up your goals. Jim, what are your personal and professional goals for this? Like what do you for the identity space? Like what have you thought about you know, what is your next year look like yet?

Yeah. So I think going into, you know, when I set my my work goals, I tried to set goals that I feel like are, you know, high likelihood that I will achieve them. Because, I mean, who wants to have that conversation with your career advisor at the end of the year? And you haven't achieved your goals, so that would so try to set. This is the art of low bar goal HR. You know HR goal setting, right? You got to pick something that's

like good but attainable, right? Because you don't want to miss those, not. Sandbagging. But you know what I mean. For personal goals though, I think it's good to make them, you know, aggressive. I think that you should be thinking about big things and you know, I've got a, you know, a lot of goals for the podcast and getting out there and building my network.

I think building your network is probably one of the biggest investments you can make in yourself, going out, meeting people and and doing it in a genuine way. If you're, if you're not comfortable just, you know, going and introducing yourself and I mean look you you're going to face some rejection, right? And that's unfortunate, but that's part of, you know, going out there.

But I think you'll face a lot less rejection than you think you're going to. You just go up and like you know, insert yourself in a conversation or just stand it. You know, there's Circle people there, Ian Glazer and some other Identity folks that I follow on LinkedIn. And you know, I'm, I'm not at their level. I mean, I kind of had some of those thoughts early on, right?

Like, but then when you go and you stand there and you meet the people who are, they're totally normal people and very welcoming. So to me. And quotation marks. Let's put that we got some real weirdos in the space. There there's sure. There's, and I, and I mean that in a fun, jest, jesting way. Absolutely, But you might consider yourself a weirdo. So. I'm definitely weirdo for sure. Yeah, but welcoming is is definitely true.

And the more I reach out for guests for this podcast, I mean, I I can't, I can probably count on one hand the number of times I've been rejected by people to be a guest on the podcast. And you got to remember at one point we probably had like 50 subscribers, you know, I mean, so it was zero. Yeah, we started with 0. Sure. So anyway, that's my goal is to, you know, build my network is probably one of the biggest ones. And I really want to see the podcast.

You know, we we doubled our listenership every year since we've been around. Jeff, I want to do that again this year. It gets harder every year, right? Because the number gets bigger doubling it. At some point we'll have critical mass too. It's like there's only there's only so many people who are interested in identity. Eventually get to 8 billion and you're like, wait, everybody on Earth listens to identity at the center.

Yeah, my goal is to show up in Google News as having signed an exclusive $250 million contract with, you know, some audio firm right to do the podcast. What's a good goal for the Yeah, that's that's a good goal for a team. So if I'm an IAM team, what's a goal that I would be setting? Like what's impactful to improving IAM in an organization? Well, it's got to be about the business, right. You got to achieve things for

the business. I think you can have like I mean look we all want to have team building exercise and everything and those are important. But I don't really think those would be goals that you would set that that Chris was talking about. But I think like achieving things that are actually impactful for the business would be right. And I think you know trying to focus it on like improvements and metrics that are actually you can measure against, I think that's important.

What were you thinking about? I guess I was thinking about it for like a maybe a capability standpoint. We keep hearing about everybody hates the password. Set a goal, go passwordless, enable it for some population. I feel like that's low hanging fruit at this point. It's built into a lot of the IdPs that a lot of us are using already. There are specific tools and vendors out there that offer, you know, maybe enhanced

versions of that. But let's stop talking about how much we hate it and actually like, start fixing it. I don't know anybody who's like, Oh yeah, you want to take my password away and make it easy for me to log in. Please don't do that. And if you've got the funding and you've got you know, the right, you know, team in place, go for it. Even if it's just for like a small group, prove it out, Show that it works.

You know, work work the, you know the issues out of the process so that you're ready to go live with more people. I think that's a that's a team goal. I think I'd like to see more people is take advantage of it is take advantage of things like passkeys and FIDO and you know the work that's been done in that area. Look at how you're going to help the business. Go passwordless. Nobody likes it. So stop talking and do something individually.

You know, I think this is kind of a tough question. Does everyone has whatever they want to, you know, work on and the I think you have to decide what is going to help you individually from a professional standpoint. It might be technical training. It might be, you know, speaking. It might be communications. It might be writing. I think if you're going to be well-rounded and really move forward in your career, you do need to be able to communicate.

You do need to be able to come and comfortable to talk in front of people. You need to have domain expertise. You know, which of those things do you need to work on? Again, you've got to kind of pick with this, but I think, you know, be your own worst critic and say, OK, well, how can I get better at that? What are things that I need to be doing to improve this aspect of it? I never wanted to talk in front

of people, whatever. And, you know, here we are, we're doing a podcast for, you know, billions of people around the around the Galaxy. And, you know, that's not something that I ever thought that I would be doing. Am I great at it? I don't. I I think I'm OK. But you don't get better. Yeah. Thank you very much. I appreciate your natural check's in the mail, but I think this is an area where you get better the more you do it, get

reps doing it right. The people that we see on stage is at Identiverse at Gartner. They started in the same boat. It was, you know, there are certain people who are naturally gifted and others that have to work at it. I'm in the latter category and that's just one example. You know, if it's technology based, you'll get a

certification. If you are looking to get more advanced in identity, is there a specific tool or technology you want to go for or is there, you know, a broader identity certification like CIDPRO from idpro.org, right. Things like that. Or is it a soft skill? You know, can you articulate, you know, can you build a PowerPoint slide that doesn't look like crap? Because that's the method that your organization uses to communicate, you know, amongst each other, You know, stuff like

that I think is important. And I think people need to be willing to spend time on YouTube, self study and learning and trying to figure out how things work. And whatever that thing is doesn't necessarily have to be a technical thing. It can be a process. It can be, you know, a mindset, whatever that is. Yeah, look at us. Like the other thing is put

yourself out there. Yeah, you know, let's look at us. We, it's not like we're experts on every subject and that's why we have guests or anything or anything, right. That's why we have guests come in who are experts. But we put ourselves out there and take a chance that we're not going to, we're not going to know what we're talking. About I think it's I think it's that is easier said than done. I certainly recognize not everyone is comfortable doing that and that's fine.

Like, I don't think everybody has to be out there all the time, but I think if you find your your tribe right and you start to communicate with those folks and if you're a solo person, that's great too, right? Think about what's going to help you as well. But you know Jim, you said it kind of up front. The industry is very welcoming. Walk up to people, hey, I just want to walk over introduce

myself. I'm Jeff, you know, I follow you here or hey, I really liked what you wrote about that thing. Just want to let you know that's it doesn't have to be anything fancy. You don't have to like, you know, have some sort of secret handshake or curtsy or bow or whatever it is, You know, most of the people that I've talked to have been very welcoming around that. All right. So Next up, Chris, again, another good question. So we're going to keep it

rolling with him. Good morning, Jeff and Jim. Chris Power from Indianapolis IN. My question of the day is as more products become web-based, more both identity and security related issues and then bundled as a service from those particular vendors or partners, how do we avoid issues where where it becomes a situation where one problem that happens in one place happens to all of us now because we all have, we're all running the same policies and procedures and processes.

I see this as a situation where, from a security point of view, we're now becoming more regimented but also more predictable in the minds and the eyes of attackers and others that are meant to do us harm. What questions or concerns could you get out of that, as well as what answers do you have to make myself feel better about this going forward? So I kind of see this as a question of, hey, an attack against a large service provider that a lot of people are using.

What the heck do you do about that? Hopefully I kind of distilled it down, but what happens when Microsoft or Okta or Google or Apple, you know, have some sort of issue that affects the number of people? What do you do about that, Jim? I think a lot of those services are quote UN quote too big to fail.

I mean the the amount of impact is so broad reaching that it's really hard to imagine Microsoft Azure going down for a week or Amazon Web. Now the fortunate part is these bigger services are spread out over a geographic landscape and even smaller services generally leverages infrastructures and managed in a globally load balanced kind of way.

So the likelihood of something like that happening from, you know, a pure disaster perspective like an earthquake or something like that, taking down the grid is is less likely. But from a security attack perspective, I mean like we don't know. I think the only thing we can do

is like plan for these things. Like what would happen, your tabletop exercise planning what would happen if these things were to take place, if our Okta system went down, if our Microsoft system went down, what will we do and what if it came

back up in various states. And then I think the other thing to think about and plan for is the the shared security model because I've talked with clients in the past where it's like, oh, that's outsourced, we don't have to worry about that, our vendors responsible for it. Well, do you, Are you sure, Are you sure you understand what your responsibility would be in that scenario? Would you be expected to? You know, what if? What if the problem was because

of something that you did? In other words, you had the administrator account. Somehow the administrator account ended up on the dark web. They got in with the administrator account, wiped out all the data or change the data in such a way that locked you out. What's your recourse? Well, maybe it is that they would restore and you'd be back

up and running. But again, planning around that and understanding exactly how it would work and not just, you know, saying we don't have to worry about that. Yeah, I like the idea of tabletop exercises. I think a lot of times people think about tabletop exercises like a breach, right? Or something like that. It can be anything you want. I mean, it can be done as a dragon as far as I'm concerned. But walk through the process, yeah. What happens if our IDP goes down? What do we do?

How do we get people in? How are administrators going to get in to assess and diagnose? How are those things you know secured in case somebody does get access to I think having layers and different you know parts of the the onion right as we look at it from a security perspective is defense in depth. It shouldn't be down to just one control one password and you know you're you're you're

breached or you're popped. What are your different compensating or layered controls to make sure that if there is a breakdown somewhere, you know the the the blast radius is is limited or the impact of the breach or whatever it be. If it's something where you know you're talking about internal infrastructure or your Active Directory goes down, OK, great. You know what is the plan? Do you have a DR plan? Do you have a, you know business continuity approach to it?

Have you done tabletop things like that. I think you have to kind of go into it with the mindset of what if, what if this happened and sometimes there's an answer, sometimes there's not. And I think you have to be kind of OK with that and it's OK to go through the process and say that you know This is why we're doing this exercises. We don't know what we would do if there was a issue with X. Let's talk about it. What can we do, you know get people in the room and start talking about it.

And we had the architect question earlier, maybe that's a great time to pull up. You know, if you've got one, a Chief Identity Architect to kind of come back and say hey you know what are the dependencies that we need to consider here, What needs to be up and running for identity work. I think just being open to having the conversation and just talking about it is probably the biggest thing that I would I would recommend here is talk about it. Work as a group and try to figure it out.

There are, there may be levels of survival that you're willing to accept for a certain amount of time and that might be OK, right. We have limited processing capability or limited functionality, you know, things like that. And that might be OK. If it's a mass out, you know, outage. You know Microsoft gets picked on a lot. You know, Teams goes down. You know half half the organizations can't do anything, you know, from a meeting standpoint. OK, well what do you do?

Do you just? All right. Well, we'll just meet later. Yeah, maybe It's not business, you know, mission critical. If it is mission critical, what's your what's your plan to get up and running quicker? Yeah. I think the other thing is like sometimes the business goes out and procure services without checking with identity or informational security first.

They just go out and get it and now you've got some, you know, software as a service that you've never heard of and they don't have like a complex disaster recovery strategy in place, like a say a Salesforce or an Okta or something like that. Dig in anyway, especially if that is a mission critical, a mission critical system. Yeah. So we're already up over an hour and we probably want to get start to wrap things up.

But Jim, I know you reached out to Phil, we had sort of like this famous question this has become of, you know, what's the difference between digital identity and identity and access management. So I'm going to play that here and then we'll start to wrap things up.

Hey, Jim, Jeff, on the question of what's the difference between Digital identity and identity and access Management or IAM, I've usually thought of Digital identity as a broad overarching topic, whereas Identity and Access Management is more applied. You know, actually solving the problems of a specific company's identity needs would be identity and access management. Whereas you know conferences tend to talk about lots of different things. So maybe they're about digital identity.

An analogy might be the difference between biology and gene splicing. Although that might be too, those might be too different in terms of broad field versus a specific application. Anyway, I I think of IAM, if I pick up a book on IAM, I'm expecting to see chapters that are like how to, you know, solve your authentication problem for your users or, you know, how does authorization help you with your application, that kind of thing.

Whereas in a digital identity book, I'd expect to see, you know, maybe a broader coverage of what are the problems of digital identity, how do we solve them, you know, what are the basic technologies that we have in our hand in order to do this. So that's how I think about it. So I think still kind of aligns with kind of what I've been thinking is I see kind of like digital identity as the top as sort of like the macro concept or discussion.

And then down from there are the different parts of that, IAM, CIAM, yeah, etcetera, etcetera. So I think again another slightly different answer. I don't know if everybody's answered it quite the same way, but still it's kind of like where I'm thinking is generally speaking, what do you think? Yeah, no, I I this is the way I organize digital identity and IAM is like IAM being a set of functions within digital identity.

I but I still go back to that original episode that we did where we had like 5 practitioners kind of come on and answer this question. And one was Adam Michael from Texas A&M University and he took the opposite approach, which was IMS at the top. And your record, Jeff Stedman, is your digital identity within my Identity and Access Management ecosystem. And I thought that was really

interesting. And I'm not. I'm not putting myself in a position to say that either one is right or wrong, because I don't think that there's the set answer that everybody agrees with you. Yeah, context matters. I I absolutely get where he's coming from and totally legit, totally valid. I'm not going to, I'm not going to go either way with it. I think context matters and I think based on your use cases, you might have a different, you know, viewpoint of it and that's

great. I think that's a great part of of the idea of spaces. And probably maybe a little bit of the frustrating part is like we just, we're really good at, like disagreeing and not coming together with like, yes, this is what this means and we've settled on it. And then that doesn't happen and it changes. And then I'm like, OK, well, what do you mean by identity?

Are you talking about physical identity, digital identity, your, you know, your persona online or in your wallet or whatever that look like, so makes it for an interesting industry to be in. All right, let's go ahead and wrap up on a lighter note and in keeping with the trend since Chris sent so many, we're going to play his lighter note and he actually called it a lighter note. So I feel like we're OK with that. Let him ask the question and then it'll answer.

Hi, Jeff and Jim. This is Chris Power from Indianapolis, IN. Really enjoy the podcast. For a lighter question, I'm going to ask what is your favorite IAM analogy? Recently I heard "Identity is like gravity," which really resonated with me, as well as "Identity is the nexus between security and IT." What other ones have you heard that really seem to sink in? Look forward to hearing the discussion.

All right. So Jim, you said you had something for this one, so. I have something for this one, so it's: you're only one IAM misconfiguration away from a breach. That sounds like a maxim, like this is like a truth. It's like in a book. I think you can probably convert that into like a haiku or something like that. Oh yeah, that's a great idea. But I, yeah, I know it's not really, it's not really an analogy.

But I heard it on another podcast and I was like, I've been saving it up to use it on our podcast and you may hear me say it again. Puts a lot of weight on the IAM practitioner like, oh man, one misconfiguration. How many configurations do I have in my environment? Millions. So I don't know that it's a truth. It's kind of a truth, but it also puts a lot of pressure if it is the truth, and it puts a lot of pressure on the IAM practitioner. What was that other podcast?

Let's give him some credit. That was the Google Security podcast with Anton, and I can't remember his last name, but really good podcast, especially if you're in the, if you're doing things in Google, right? I mean because they do talk about Google Cloud and Google, Google Suite, G Suite. Yeah, G Suite or Workspace, I think had a few different names, but I get where you're going with it. Yeah. Yeah, I like to tell stories.

I like to try to distill things that'll help people understand it. And I think the analogy or the example that I'll tend to use is there's a couple. There is the story of how we get into an airport. So if I'm trying to say look at identity like this, right, you're trying to do this thing, it's look, if you're going to go on a flight, you have to show ID. You have a credential, you have a boarding pass that gives you authorization to go to get on to a certain plane, a certain gate, right.

And there's a bunch of different steps to go through there. And I think, you know, the analogy for me is like this is what identity is. It's a set of, you know, rules and structure that get you to where you need to go in a safe and secure manner. Another one that I'll use is sort of a story around like a sports arena. Same idea, right?

You've got tickets to get in. You've got seat numbers with where you're authorized to sit, certain areas that you really can't go. You shouldn't be on the field, right? That's privileged access. That's only for the players or coaches or, you know, other designated admins, right, so to speak. You've got cameras maybe in a corner that are counting where people are going or tracking things, right? Maybe that's behavior analyst, maybe it's ITDR, right?

Maybe it's flow that you're saying, hey, what's, a lot of people are going to the hot dog stands and not as many people are going to the sushi stand. Let's try to shift balance, right, things around that and using kind of metrics. So I think there's a few different analogies, but I like to base it on real life things that I think people easily understand. I think probably the most common one is like the house, right.

You've got a key to get on the front door and then which rooms can you go into? I think you, whatever it is, I think you've got to be able to make it something that's relatable to your audience. So I like to use a few different examples like that. I like, I'm trying to figure out the "identity is like gravity" one. I'm not sure what that means. I'll have to look at that, Chris, next time. Next time we chat, maybe at Identiverse, you can walk me through that one.

I like it, it sounds cool. I want to understand it before I start using it. So I just thought of an analogy. I'm going to throw it out there. So the Winchester Mystery House in San Jose, CA. And if you ever go to it, all the rooms are decorated in a different style, painted different colors and a lot of like trapdoors and things like that.

And so I think the back story is Winchester, like the gun brand, the person who began that, his widow became paranoid that people were going to kill her because her family was responsible for creating these guns that kill all these people and that somebody would be mad and want to kill her. So she designed the house so that if they came into the house they would never be able to find her.

And so where I've used that analogy from an IAM perspective is when you kind of come in and come, he's got all these different portals, like think from a customer perspective, all these different portals and you never know if you're in the right one. And they all look a little bit different and trying to get down to a more common layout, you know, the rooms feel the same, you have one key to the front door, et cetera, et cetera, so. I like that one because it's an interesting story.

I can kind of start with that and it's entertaining, right? You're not going to lose. Hopefully you don't lose people right away. I think that's the one thing, is you want to keep people's attention. So I like that one. That's a good one. Yeah, you have to make it relatable, especially when you're presenting about IAM to people who don't know IAM at all. Yeah, like us, we're dummies. Let's wrap it up. I really appreciate everyone who sent stuff in.

Again, there was lots that came in and, you know, Jim and I had some difficult decisions to make. Jim, you're in charge of reaching out to, you know, our winners. So Andrew, Alex, Tim, Pedro and Chris, be on the lookout for messaging from Jim as to how you can get a copy of the book from Phil. And let's see, we're on the web, idacpodcast.com. We're on Twitter, X, whatever it's called, IDAC Podcast. Mastodon at IDAC Podcast at infosec dot exchange.

We're on LinkedIn. Keep sending those messages in. Hit that like and subscribe button and follow us on YouTube. What other YouTube or whatever self promotion can we do. Oh, don't forget about Identity Week America. Our discount code IDAC30. So if you're going to any of the conferences, Europe, America or Asia, for Identity Week, you can use that code and get 30% off. So we'll have a link in our show notes as well to make it easy for people to find.

So with that, we'll go ahead and leave it for this week. Thanks everyone for listening and we'll talk with you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com and find us on Twitter at IDAC Podcast. See you next time on Identity at the Center.

Transcript source: Provided by creator in RSS feed