This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now, your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey, Jim. Hey, Jeff. How are you? Oh, not so bad, yourself? Not so bad myself. Looking forward to... We've been talking a lot about our conference agendas for the summer, right? Identiverse is a big one.
And then Authenticate, which I guess is the fall, but we're going to San Diego, so it's like it's spring, like, year round there. It's like perfect weather. Actually where I am right now is like perfect weather in Augusta. It's going to be Masters week next week when we're recording this, and I'm stoked about that, but also stoked about that conference, it's just a fantastic one. Every year we're going to start having discount codes available.
Soon we'll start announcing that with our normal line. Yeah, I have a placeholder on the website right now. So if you go to idacpodcast.com, I added all our codes basically right on the homepage. Just scroll down so you'll see codes for Identiverse, European Identity and Cloud Conference, Identity Week, and a coming-soon Authenticate. And I do love the San Diego area. We'll be in Carlsbad. Don't have a lot of details right now other than, you know,
we're planning to be there. I booked my flight today so hopefully I'll be able to use that ticket, but San Diego weather has gotta be the best on the planet. I mean, just nothing that matches this weather. And I don't know, we're not gonna, like, tease what we're actually doing. But I will say, like, what we talked about doing today would be like crazy fun. So I think that's one thing. You know, we try to be educational with the podcast, but we want to have some fun
too. Yeah, a little about edutainment, I think. Yeah, if we can pull off what we're trying to pull off, I think it'd be an amazingly fun and different thing than we normally would do. I will give a hint that we've done this in the past, very long time ago, but we are looking to do it better now that we have, you know, 270 some episodes under our belt and have at least a vague inkling of what to do. But that is the Authenticate
conference. That's October. Before that we've got the Identiverse conference that's coming up. You and I are both gonna be there. That's May 28th through the 31st. It's at the Aria resort in Las Vegas. We have a discount code like I said on our main page, but if you're listening it's 25% off, IDV24-IDAC25. I know it's really easy to remember, so that's why it's on... Rolls off the tongue, right? It's gonna be on the main page.
You know, it'll be easier there. Go to identiverse.com. Use that code. That's how you can show support for the show. I think early bird might still be there or not, but it does stack with whatever's available right now. Don't be that guy or gal who shows up and it's like, oh, I thought I registered, I didn't. And then you end up paying like a ridiculous amount of money. Or, you know, you're like on the outside looking in through the
glass. Like, I wish I could be in there with all those cool identity people. The funny thing with conferences though, I mean especially like Identiverse, obviously use the discount code, save the money, but the biggest expenditure for a conference in Vegas is not going to be the conference fee, it's the flight, it's the hotel,
it's all the meals. Now I think if you're going as a practitioner and you control any kind of destiny within your company in terms of what IAM technology, you don't need to be buying your dinner straight. Somebody will take care of that for you. If you're a real live person, come find Jim or I. We'll buy you dinner. Make that statement. Yeah, exactly. Let's see. A lot of people are hopping on a plane after that's over. They're going straight into Europe, into Berlin,
specifically for the European Identity and Cloud Conference. That's June 4th through the 7th. So the KuppingerCole folks have given us a discount for that as well for our loyal listeners around the world: EIC24IDAC25, 25% off of that registration as well. Again, I'll have it on our homepage in our show notes and you should have plenty of places to find it. But another way you can support
the show. And if you're heading out there, you know, probably want to register soon because you'll want to make sure you take advantage of those codes. And then we've got Identity Week. Jim, tell us about Identity Week. Well, Identity Week America has been one that you've attended in the past. I was quite jealous. It was actually much better, I think from the description that you gave me than I realized it was going to be. But I think you had a fantastic time there, right?
And I mean, obviously you said this year if you're coming, so we're both going to be there. Identity Week America is in Washington DC, September 11th and 12th, but they also have two other conferences, Identity Week Europe, that's in Amsterdam, June 11th and 12th, and Identity Week Asia in Singapore, October 22nd and 23rd. And this one we got a 30% discount code we use for any of the above. And that code is IDAC30. That one actually does roll off
the tongue. Yeah. So if you forget it, it's going to be in the show notes of course. And yeah, hopefully for those folks who can make it in to the Identity Week America conference, make sure to stop by, shake our hands, fist bump, whatever you're comfortable with. And one of the biggest thrills for me in doing this podcast is meeting people at the conferences and you know, hearing from them that they enjoy the show, things like
that. So whether it's in person letting us know that you enjoy the show or you reach out via social media, either way we really appreciate when we hear that. And of course, five-star reviews and a full-on comment, that would be even better. Not that I'm asking for that. Well, you should be asking for that, like, subscribe, all the YouTuber stuff, right. We're trying to grow the YouTube channel, so trying to put more
content up there as well. But yeah, that's all stuff that's good, even if you're just, you know, a subtle nod from across the room like, hey, I know who you are. Thanks. Thanks for what you're doing. Like that. Even that'll work. I'll get a kick out of that. Yeah, exactly. All right, so we've got the conference stuff out of the way. We're going to have a wide-ranging conversation about just a ton of things from any perspective. We're very fortunate to be joined by John Podboy.
He's a senior vice president in cybersecurity for a major bank. We won't mention who. I'm sure his opinions are his own, all that legal mumbo jumbo stuff, but welcome to the show, John. Yeah, thanks for having me. I'm really excited to be here. Well, thanks for taking the time. I know that right now you're under a weather watch of some sort. There was like, tornadoes, hurricanes. And we kind of said, well, OK, we do want to go forward or not.
I'm like, yeah, let's do it. It'll be the most, if something happens, it'll be the most memorable episode we've ever done. Yeah, maybe the last will and testament of Jon Podboy. It'd be kind of momentous. Well, don't hold us accountable for that. We want you to be safe, but sounds like things are blown over. We're good to have a
conversation here. And I think the first time that we like to have people on, and you're probably familiar with this, is when we have someone on tell us about your identity origin story. How did you get into this space? Is identity something that you chose or did it choose you? Oh, gosh, great question. You know, I think you talk to people, you know, at a cocktail party and people ask you, you know, what do you do? And well, how'd you get into
that? You know, most people will assume you, you had a traditional background, right? You studied, you know, computer science or you did something and then you, you know, went into that field. But you know, like most people in this space, they kind of found me and, you know, to maybe the surprise to some people, you know, very diverse background, you know, much like identity, right? Physical people have, you know, various backgrounds and educations.
And you know, interestingly enough, I actually studied philosophy, right, and somehow ended up in the identity field. They kind of seemed destined to happen, right, the questions of who you are and what you should do. But, you know, broad level arts background. But I've always been into cybersecurity and IT and I have to chuckle, you know, young John Podboy back in, you know, the early 90s figuring out how to hook up a dial-up modem and getting into trouble on the Internet.
You know, sticking stuff into the CD drive. You know, exploring, you know, what is this thing, or the floppy drive, I guess, back then. So, you know, fast forward, graduated college, you know, during the recession. Yeah, really interesting time to get into the field. But moved back to Northern Virginia where I grew up and got into the government world. You know, got really fortunate to get a job as a contractor for the Drug Enforcement Administration as a systems engineer.
So we were the team that, you know, figured out how to build anything that, you know, the agency needed. And you know, really cool environment is you have to work on a little bit of everything, IT and cybersecurity, and you know, one of those things was identity and kind of bit me and from there, you know, haven't really left since. So we were talking about before we hit record, what we're gonna call this show. And I think I just came up with a name: The Thinking Man's IAM with Jon Podboy.
So here's my question. As a philosopher, and this is a question I always ask, what is IAM? Oh man, I feel like we need a drink for that conversation. You know, I tend not to overthink it, right. You know, at the end of the day as a security leader, you know, it's our job to highlight things we need to do to protect and enable the business, right. And you think of identity, you know, traditionally that's been focused on people.
Yeah. And you know, that's obviously evolved over the years and continues to grow into, you know, non-human identity. You know, ultimately it's the things that we need to enable with controls, you know, whether that's authentication, authorization, whether that be API controls, you know, in this digital economy.
And you know, that kind of has evolved over the years from the castle and moat analogy to, you know, just, you know, build out workstation or server controls or network controls to, you know, really where we're at now where identity is evolving and taking on a greater role in the cyber world to protect any organizations in that kind of that corporate security mindset. But then also taking on a completely different role for kind of end consumers, right? Yeah, what can we do to drive
consumer trust and enable that? And so it's a pretty exciting field at the end. You know, one of the reasons I've stayed in it for so long, even though I've done a variety of other things, is the opportunity to influence and impact organizations is so unique. Yeah, John, something that you mentioned there triggered me to think about a DM that I received from a person named Nathaniel.
I'm not going to say his last name because I didn't get his permission to kind of read this on the air, but he did say thank you. I started listening to your podcast. I'm looking to land a role as an IAM analyst and your podcast mentions how rare it is for people to go straight into IAM. I'm looking to do that. So what I replied was, I say don't let anyone stop you from
pursuing your dream. In the podcast we speak from our experience and usually talk about what we see the most, but there are no set in stone rules for getting into this fun industry. Best of luck and thanks for listening. And I'd say that, you know, when we have folks like yourself who are in the same ballpark range of ages, Jeff and I, in other words, you were around when Pearl Jam Ten came out and you listened to it and it was like new music and you still probably listen to...
Rocks. Let's just be clear here. It still rocks. That's awesome. It still rocks. Absolutely. But what I would say is like there was no IAM industry really at that point or it was so niche that no one was really starting their career in that and probably spent their
whole career in there. So, but now I think if you're coming out with a cybersecurity degree, it's a very viable option, maybe not even a cybersecurity degree, but I think, you know, it's that diverse background is what you said, like you're kind of a liberal arts guy. My original degree was in political science, so who would have known? But it's, it's funny, you know, and Jeff will probably say the same thing, which is that politics is such a part of being successful in this world of
identity. You have to have a little bit of tech. You have to have a little bit of business. But man, if you can't understand politics and, you know, make friends or, what do you say, Jeff, kiss babies and shake hands, something like that. You can't do those things... like, you don't want to do the opposite. You don't shake babies and kiss hands. There you go. That would be a very bad idea. But you know, John, we, so we have this podcast called Identity at the Center.
And you know, you and I, we've only met a couple of months ago now and I never asked you this question, but why do you like that name, Identity at the Center? What does that mean to you? You know, I think it means a lot of things, right, in, you know, identity really evolving to such a forefront of digital enablement, whether that's security, whether it's driving revenue, you know, it can mean a
variety of things. You know, maybe the simple answer, you know, we have to put people first, right? You know, people are complicated. We have diverse backgrounds, right, physical conditions, right. You know, in society we have or hopefully have, you know, the ability to accommodate people and the diversity of people, right. We're not analog. You know, in the digital world we tend to think of things as very analog, but they're, you know, we probably shouldn't be, right?
We have to have really, you know, adaptive security controls and experiences. So you think about identity at the center, it's, you know, keeping people's, you know, in mind being, you know, we're here to protect them, you're here to enable them. And we're also here to enable things, workstations, servers, right, data, but thinking differently. And you know, if you kind of look at the different methodologies out there, I kind of equate it to design thinking if people have
heard of that. If you haven't, go Google it right. But design thinking and I, you know the skills that make you successful in identity are really similar, right? You have to understand people, things, devices, network connections, you know how things are architected and how they fit together. So you know how to influence and you talked about, you know, whether it be political or maybe to use a different word, you
know, using influence, right. You know, no one necessarily wants to invest in identity because it's not, you know, the most easy thing to understand or say like, hey, this matters. It's one of the things that, you know, I think has been really important is, you know, to be successful in identity, yes, you have to have deep technical knowledge if you're hands on
keyboard. You have to be technically aware of leadership roles, but I think even more importantly is you have to be willing to drive transformation. And that's beyond anything that is within your direct control, no matter what organization you work for, right? Because ultimately we're here to orchestrate from the phone you have in your hand to the workstation to the server, to the application, to architectural standards, to user behavior, to politics or things, right?
That's a lot, right? And you know, obviously other types of disciplines have a lot to influence, you know, but you know in this space it's very broad and very deep. So kind of being committed to, you know, diving in, learning that technology I think is really important, but you know, building those soft skills to drive organizational behavior.
I love that answer. I think you and I have a very similar mindset of treating identity as a product for whatever organization you happen to be serving, right? Whether it's enterprise identity or customer identity, or somewhere in the middle, right? Whatever that looks like. So this idea of treating identity as a product, are you putting out a good product for your users? Yes or no, right. Would you use it? Are other people looking to find ways around it?
Because they feel like if you are able to take that design thinking and say, yeah, let's design this with humans in mind because humans are going to use it. I think you're going to be a lot more successful in, you know, not only the adoption but just the efficacy of the different solutions you put in, whether it's a technical solution, could be a policy, procedure, whatever it may be. But I love that idea of designing identity around
humans. So you're definitely showing off your philosophical side around this because I'm with you on it. I want to ask you about identity data because I think that's something that sometimes gets lost in all this stuff. Hey, we just put in an IDP and we can do single sign-on and MFA, and we put in IGA and we can do automated onboarding and offboarding and privileged access management. We're vaulting and session management. That's cool. What about the data that you're collecting?
What does identity data mean to you? You know, it's a great question. I can't help but chuckle a little bit. If I posed that question at, you know, any of the places I've worked at, right, people would probably look at me like I'm crazy, like I have no idea what you're talking about. Right. You go talk to like a chief data office or folks that would work in IT, they would understand that question immediately. But then they'd be like, why you
even asking, right. So we tend to think about data And you know a lot of organizations have data offices that have tools techniques for moving data and transactions and the security privacy implications. But no one thinks about that in terms of the identity context. And you know, ultimately I think I go back to that design thinking mentality of like well you know, in a good architecture or at least in my opinion, right. Identity, should it be at the top of the pyramid, right.
D char or something authoritative for, you know, the physical person or life cycle controls, applications really should feed into those identity systems. And you know you have attributes and things about people or devices. But ultimately then it's going to understand zooming out in that architectural view, who's consuming it applications are. And you know, I think the piece that people don't necessarily understand is a lot of applications don't just hook into identity and reference it.
They hook into identity and then copy it locally because they need to store it for whatever way that application is architected. And when you ask me about what do I think about identity data, in my mind can't help go into the importance of understanding that architectural diagram, you know, I verbally talked about, and the importance of managing that data because you change a setting in AD around, hey, I'm going to make this field mandatory, capitalized, when
it was free text before. You may break every app, you know, in your organization. So, you know, it's thinking differently about it. And you know, I think maybe more interesting is, well, what does the future of identity look like when you start talking about privacy regulations? You know, this question of what data do you have about people, what are they doing, is going to get really interesting.
And obviously in Europe, right, there's been a lot around controlling or limiting, you know, tracking of employees or customers you have in the US, right. We're kind of really at the early stages of those privacy conversations. So you think for practitioners, right, it's understanding what is your current state and you know, potentially what could evolve over time, I don't know. What do you guys think? Yeah. Jim, I know that you are interested in this as well or
this concept of identity data. Like, what does it mean to you? I don't think there's one answer to this question, but I do think John kind of pointed to the right point. So I think of identity in the realm of attributes about a person. The attributes aren't like flat, just lists of texts. They could be things like relationships potentially. It really depends on the organization.
I think when you're talking about like managing identity within an enterprise, it's usually the data that you can get from the HR system. It's maybe some data points that are coming from other systems. But when you look at, like, a CIAM environment, now think about this, think about, OK, Jeff Steadman is the identity that we're interested in. His relationships are: this is his spouse, these are his brothers, things like that. Is that identity data? Is data about them
identity data? For you, what about what websites you've gone to within that realm? What about what orders you've placed? Where do you draw the line? And then you start saying, well, no, maybe orders, that's not identity data, but certainly the person's name is. Well, now what if you have seven different websites and you allow people to define their name? Or a better example would be addresses.
So in one system you have an address that's like here's my shipping address and here on another system here's my shipping address and etcetera, etcetera. So now as an organization you will say, no, we're not going to now let you set your shipping address in those seven websites. You have to come back to some central profile system to set your delivery address that it really depends on what the organization is trying to achieve. So I'm not even going to try and solve that answer.
But what I'm saying is like there are very few attributes about a person where it's clearly yes, this is identity data that should be managed in the center and should not be managed in applications. It really depends on what makes sense for your organization. Yeah, that's if I were to jump in there. You know, I think you teased on something I'm really passionate about is, yeah, you think about what is identity, right? Obviously the centralized tools, directories or SSO clearly sit
with the teams that run them. But I think there's that broader definition and responsibility of you know how is your corporate phone managed or the consumer's phone or their laptop.
Well, there was all that local data that sits in there about who you are, your behavior that usually an identity may not run, but if you think about identity as a perimeter, new perimeter, you know identity at the center or identity centric security, we have to orchestrate that and no one else is going to do unless
we do it right. So like that mesh concept of I think previous speakers have talked about you know that graph, you know what who you are in these different systems, your behavior to really build out those analytics I think is really the forefront of where security is going to go. Not only for you know corporations to drive security maturity, but you think about if you draw a comparison right, some of the largest companies in the world don't really sell a
lot of products. We give them our data and you know they're multi billion dollars because they're really good about understanding that broader context of who you are, what you're doing, where you're doing it to build analytics. Yeah, but we don't tend to think about identity and security in
the same way, right. We, I think we have to shift our mindset of, you know, not that I'm going to advocate for browser cookies in the enterprise for tracking, but you know, this problem has been solved at scale globally in different markets like marketing. You know, how do we think about that differently in, you know, the enterprise or in consumer space to really drive that mesh
architecture. Well, I think you open up a little bit of a Pandora's box here, because now we're talking about data and is it identity data or just data? And then who owns it? Who's responsible for it? Where do we see responsibilities live for the data collection? And if it's identity data, does it belong to the identity team? And then how do you make that available to others who might use it? Should you make it available to
others? If you're somehow collecting non-identity data because a marketing team says, hey, we'd like you to collect e-mail addresses for people, you don't maybe need it for your system. Maybe e-mail address is a bad example because everybody logs in with an e-mail address, but go with me after this one, right? You may be collecting bits of data on behalf of another group, so who owns that data? Who's responsible for that data? Have you come across this in your experience, like that
ownership struggle? Or maybe it's not a struggle, maybe it's clearly defined upfront. Yeah, that's a good question. And you know, in my experience, it's not even really a conversation, right. People, I think, think about the problem so differently. It doesn't even cross their minds. And I think part of what will drive the change in the conversation, understanding the problem of that identity data is, you know, more regulatory pressure around security or privacy. And you know who's really
supposed to drive that? You know, regardless of ownership, you know, like most things in identity, you know, you kind of sit in between multiple lines of ownership, direct and indirect. And, right, if you have X amount of employees, right, you've got X amount of people telling you, you know, what they think and feel, you know, that's important thing to remember in terms of how do we engage with people. We have to be hyper collaborative and focus on the problems that business needs to
solve. So you know we're always keeping it at a step above versus you know having that direct ownership is important. What about indicators of compromise? Do you see that as an area where we can use these bits of identity that we're collecting to say, hey, we're noticing things, How successful do you generally see identity data contributing to an indicator of compromise? And I think we're all familiar with something like, oh, there's a bad login attempt or too many
bad passwords entered, right? Sprayed passwords, Bray text, things like that. But do you have ideas of how maybe we can leverage identity data to help with that? Oh gosh, yeah. I think that's gonna be really interesting. And you think about, you know, the analysis people put out there about the identity market as a business, right? People say it's 60 billion a year or 80 billion. You know, people throw out on
these big numbers. You know, at the end of the day, all that tells me is there's big problems for companies that have to solve and you know, there's foundational stuff you either should have been doing or you need to do, you know, SSO and MFA, easy examples. But then there's more advanced, like how do you start connecting things together. And you know, people use that analogy of security controls are shifting left. And I'm not big on buzzwords. I don't, I don't particularly like them.
You know, I think most people don't really know what they're saying or other people don't hear what they intend to say. But I think the, the point, you know, when people say that is architectures, corporations are changing, right. You're going to more SaaS solutions, cloud solutions, environments, environments are getting more complicated at the end of the day, right? We have to move security controls to, you know, earlier or, you know, to use the analogy,
shift left. And the way I think we have to do that is connecting all those things together. You know, to use a simple example, right? You may have Intune, you know, in your environment, right? That has its own identity that may be separate from how you log in, say, with a Ping or an Okta or CyberArk, whatever the vendor may be. I think, you know, how do you connect those things together that may not natively connect.
That is I think where the innovation will be and you see a lot of companies filling that gap of how do you connect those entirely new product categories. And so you know I guess maybe I'll conclude it right. I think a lot of the legacy, you know, things around identity, they're not going away, but they're really becoming commodity services and companies that are focusing on indicators of compromise and the ability to see, you know, where you have permissions, where can attackers
get into the environment. That is where I think there are a lot of the value it's going to be going forward of simplifying this complexity of the IT environment. Hey, John, I totally agree with you on what you're saying with like using buzz terms like shift left. In fact when people use these kinds of terms, I have zero trust for them. So I just wanted to get that out there. So John, obviously you're going to speak from your experience, right?
You're not answering this for the world in general, but your perspective. When you talk about identity to the business, or when you hear what the business thinks of identity, they have any concept of what it really is. Or is this just about changing passwords, You know, still like people living in that Stone Age? You know. I think a lot of people struggle and I think that it has to
change over the time, right? But rewind 10 years ago, people were having the same conversation about anything in cybersecurity. You're like, why are we talking about this, right? And I think it's one helping people understand what are we trying to solve, what do we need to solve to protect an organization, to meet regulatory or privacy requirements. And I think one of the things that is a challenge, identity is like a super set in cyber, maybe
one of the largest, right? And we tend to use our own language. Well, you know, it's my experience, yeah, that doesn't always help us, right. Because you know, even within cyber, IT people are like, we have no idea what you're talking about, right, because we're using our own language. They don't hear what they want to hear or need to hear. So kind of going back to that communication and you know, I think it's really important to
ground yourself. You know, if you work in an enterprise environment, most likely you're not working for an identity company where that's how you make your money, right. It's, it's other things. And I'm not belittling the criticality of identity at all. I actually think the opposite. You know, we can and should drive revenue, but it's not the direct thing that drives revenue. And understanding that and aligning to organizational priorities is important and
balancing that with risk, right. You know, just because we want to do something to drive revenue doesn't mean we should also do something because it's you know, risk driven. But boiling it down to more simple terms and language, you know, I think it's really important and you know, I think things have evolved and will continue to evolve right where people are in tune with you know, vulnerability management or patching or the importance of you know, security awareness,
right. People understand why we have to invest in those things. You know, I think just continuing to focus on the business or the customer, if you're a customer identity, you know, what we need to do to enable them is a good way for us to drive the industry forward. Yeah. And I think in the banking industry you certainly have been driven a lot by regulation and the need to drive security in on the customer side, prevent fraud for sure.
So there's like all the security benefit is obvious, but I'm wondering you know the do you feel like the business understands or thinks of Identity as an enabler like we can use identity to improve our our grow our business? Yeah, That's a good question. I think it depends on how you position it, right. It could be that that carrot or
it could be a stick, right. You know, sometimes obviously that we have to do things because it's things you have to do for security or regulatory requirements. But going about it in terms of like beating the business over the head, well, people usually remember that hurts, right. And you know, it may be required sometimes, but it has a lasting negative impact. And you know, I'll, I'll be a
little bit more real, right. I think, you know, say in the customer identity space, yeah, it, it can be something that's critical, but we have to position it the right way. Right. And let's maybe use an example, right. And I'm making up an example like if I went to a website and it was painful for me to log in, to sign up just to get in, I might not, you know, continue. Well, that's the easy one, right.
Well, what about if I, you know, say go to, you know, a car dealership's website and they've got some type of buying program. Well, they need to sign you up for identity, they need to do, you know, KYC, and KYC really is identity proofing. You know, for the most case they have to do background checks, identity proofing. Well, what if they said I need to mail in a paper form, right? No, thank you.
Right. You know, these are simple and easy kind of dramatic examples, but they're very real, right. A lot of our, you know, digital products, softwares were built in the 90s and 2000 and took static human processes and put them into the digital world. I think what you're seeing now is identity continuing to accelerate where yeah, we really can know who the person is really quickly with a high degree of accuracy that is tied back to financial things, right.
And if we start talking about it in that way, right, one and you can talk about customer retention or onboarding or you know sales cycle that has direct revenue ties, You know that that is an opportunity for us to really drive and think about identity, to drive the security aspect, but also the revenue side as well. I'll give you a real world example that just happened to me this past weekend. I had dinner reservations set up.
Actually, just lunch reservations, taking my aunt out for her birthday and it's like, OK great. I get a call saying, hey, we cannot process credit cards, we're only accepting cash and personal checks to pay your bill and Nope, not happening. I went and found someplace else. They made it too much friction for me to go to their place of establishment and spend a lot of money you know on on a nice lunch and dinner.
So I am absolutely in that use case of like you're gonna send you're gonna have me do what? Like, that friction is such an important point that I think people really need to think about. You know, I I have not written a check for a a meal in probably 25 years or ever like that's that was the response. Like really OK we'll try your place another time we'll go someplace else. So I I just want to echo that part.
Yeah. One of the, yeah, one of the things I think is interesting is you talk about you know this notion of like a pre customer if you're you know, digital business, right. You can log someone in maybe, but they're not signed up for a product or service that you offer. Well, is, is it the identity team's job to drive that or maybe is it marketing?
I think that's an interesting question because you know if maybe my spouse is a customer of that site and you know, maybe I'm considering signing up for something, obviously being abstract here. But my point being is like we talked about, you know, in human life, we all have connections that, hey, I learned about this awesome podcast, Can I, can I come speak And you guys were like, yeah, this is great, right? Our, our connections kind of
brought us together, right. How do we do that in the digital world where we're correlating this data and you know that broader notion of identity and who we're connected to that's you know, very a lot of very clear and a lot of revenue potential to think about digital modernization in in a real way. So you know, I think we're not necessarily talking a lot about that as identity practitioners or security because we're focused I think more on the security side in a lot of cases.
But I think we should talk more about, you know, what does it mean to drive connectedness digitally and you know, what does that do for the business? Yeah, that's a great point, Jeff. I loved your story. It reminded me of the Seinfeld episode. You know how to take the reservation. You just don't know how to hold the reservation, and that's really the important part of the reservation, the holding of the
reservation. Anytime we can get a Seinfeld, you know, reference into a show, I consider it a win. We should probably just stop right now, but let's keep going. We should probably stop right now. It's also a high note, Jim. There you go. There's another one for you. You throw a Kramer reference in and you know I'll give you guys a high five. We'll see if we can work one in by the time the show's over.
Perfect. So John, I mean, one of the things that you're tasked with, right, you have to sell identity investments to the business, whether it's for security purposes or for enabling some business growth opportunity. So what is the angle that you take? Is it you try to speak the language of the business? What are some of the tips that you'd throw out there for the listener? Yeah, I go back to understanding what's going on in the business. You know IT.
Are you an IT team? Cause a lot of identity teams sit within IT and have security. You know what's going on. You know, what are your leaders talking about and what are their leaders talking about? And I'm a little weird, I I like to read SEC and business statements, 'cause I think you know, it offers an interesting perspective on companies, right.
So if you're a publicly listed company, read that stuff and I don't know, maybe you're probably more educated than I will be, but I don't understand a lot of it. But you do pick up on you know where things are going, you know what's what is driving revenue, where things are focused, what are they concerned about. And you know may that may not help you directly, but understanding that broader organization I think is important, right.
So what are the organizational efforts, how does this tie in And you know if you're lucky enough, right identity is a organizational priority. That may or may not always be the case for everyone, but you know, tying back into why it's critical for what we do, you know, what are we driving? You know, if you're in Europe, obviously there are a lot of laws and regulations where identity is very clearly tied. And you know, you don't have a choice.
You know, in the United States it's maybe a little bit more abstract. But you know, at the end of the day, you know, whether it's protecting money or protecting data or protecting just customers, right? It's understanding like how does it boil down because you know, at the end of the day, right, for the layperson, you know, I don't care about us. So like, why does it matter, right? But it's it's about what does it get us and why does that matter for people in for, you know,
people consuming the services. So you've been in this space for a while and I'm curious what you think has been, what's the most important change that you've seen in the identity industry in your career in IT? Oh. I think there's probably 2 and I think one was the broader recognition of the criticality of security and identity right.
You see a lot flip flop of identity teams being within you know maybe a non security to people using you know buzzwords of identity security or you know shift shifting, identity is the new perimeter. You know it's been my experience if you actually ask people well can you tell me what that actually means people are like what right.
But I think what's happening now is you know whether it's the the big identity providers or the traditional security providers starting to offer identity technologies, is people really understanding you know the role of all these tools connected together and what can they do to protect people.
So I think we're on the cusp of the next evolution of this becoming real, right, whether that be passwordless technologies being real, to identity actually providing new insights around behaviors and indicators of compromise or attack. You know, continuing to drive that I think is really critical. I think customer identity is similarly on a different journey, right, because it has different focus, yes, security, but also a lot of user
enablement, revenue generation. And you know, I think that journey is just beginning where you know has a lot of potential to go in many different directions around doing that correlation we've been talking about. So I'm particularly excited by that because you know, it'd be really fun to see Identity actually having ability to drive revenue and insights in a totally different way.
You know, kind of going back to that analogy of, you know, cookies and Google and all these companies making money off tracking behavior, right, You know, and thinking about it in a
different manner. Do you think we've I I feel like we have and I'm just wanna curious your thoughts you feel like we've moved past the phase of you know you contribute nothing to society is whereas identity is not really well understood and now it is? I don't know if we've moved past it. I think we're still early in that journey and you know ultimately understanding the
role we play, right. Like I mentioned, I don't think any of us or most of us are going to work for organizations where we are the ones driving revenue. And I think it's really important for security practitioners, anyone in technology to understand how do how do we drive revenue and why it's critical. And I'm not minimizing the role of technology or security or identity at all, right, But it's understanding everyone has different focuses and organization.
They're all equally valid, and the role we can play and you know why that matters because that builds that influence, that credibility versus us kind of bringing that stake of thou shalt do this really hard thing called identity and it's probably going to take five years and you're not going to really see anything until five years, right.
We have to think differently about it of showing incremental progress, value and impact and continuing to move on in terms of where we need to be in the future. So, Jeff, was that a Kramer reference? Darn tootin' it was, yelled it out at Newman. Right over my head. It was for the win, for the win. The trifecta. We're good. Awesome. Good. We're good. OK. John, so the Kramer sliding into the apartment kind of reference here.
The Cohibas smoking a Cohiba. So John, as far as kind of what do you see as kind of the big future innovations for IAM and specific to the banking industry, I was gonna throw one out there and then feel free to come up with your own. But FIDO2, passkeys, passwordless, I mean I think it's kind of just taking you know commerce by storm in terms of you know that's that's the future. It's not just MFA because that's just the builds a builds friction in getting in right.
Even though like as far as what it does for security it's like a huge step up. So I'm not dissing MFA, but I kind of feel like FIDO2 and passkeys is really where things are heading. I'm wondering what you think of that for banking. Is there something else on your mind? You know, it's a great question
and you know, I'd echo right. Yeah, I haven't seen a long time the way we talked about MFA has to move on and it's good to see almost everyone's already recognized that now and you can use different terms, right. I think we all kind of alluding to the same thing, you know, adaptive MFA, contextual MFA, you know it's all about do we really trust that's you right.
And how do we prove that in a, you know, a way that we know for certain it is. But you know I think if you talk about the banking industry more broadly, you know I imagine a lot of people have different opinions about banks right now. I got to go into a bank or it's painful, you know, but they play important role in a society. And you know, I can't help but
get excited. If you kind of look at the news, what's happening in the Europe right now with Europe passing on a digital identity or it seems like I think they passed it. I don't know, Jeff, I think you're maybe heading out in here, but the digital wallet, European digital wallet, right. The European countries have, you know, wanted to pass this.
And you can't talk about digital wallets without identity, right, because you have to be able to prove it's really you in a really secure way to get access to that. But you know, I think financial services as a whole is shifting from really static capabilities that were probably built for when you went into a physical place.
You know, a lot of those controls, whether they're fraud risks, security, you know, were transported into a digital world but never really designed for the digital world. So I think, you know, we're about to see a massive shift. And you know, I think Evident alone is look at all the fintech companies that are out there that are soon started. You know, the opportunity to do innovation is massive.
And you know, that I think is really neat because it's going to change not only the technology but more important, you know, the impact for society. And you kind of really get into this broader notion of identity, right? You people talk about decentralized identity, I think for a long time. And I'm like, yeah, it makes sense. But show me something real, like, you know, has anyone
really using this? And you're starting to see real examples now emerge where you know, people that are immigrants that have no documentation, like how do you integrate them into societies, whether it's Europe, the United States, You know, how do you connect them to service loans? Right. You know, a large portion of this country doesn't have access to Internet, right? Like the majority of government services are offered through the Internet. That's a pretty important
problem for society to solve. And it's really all around identity and how do you connect people? So I'm, I'm really bullish. I think there's a lot of amazing opportunity going forward for decades. And I think the problems that you know, we have to solve today or in the past, you know, we'll evolve, right. And we're going to have these new problems around the data and citizen enablement and e-commerce. And I think that's really exciting.
And I think you know Jim, right, you're going back to, you got to build broad skill sets and identity, right. It's not just technical, and that's really pretty important. Yeah, you know, I'm just going to throw this out there. We are coming close on time and I want to be respectful of your time. So more of a rapid fire and I'm going to bring up something that I don't know a whole lot about. But I understand these things are kind of quote unquote game
changers. So financial grade APIs and open banking, two areas where I'm not an expert, but I'd love to hear your thoughts. You know, I I don't know if I would say I'm an expert either. You know, I have had conversations. I can understand the use cases, you know, but I think that will continue to evolve and you know, questions I would have as I look into that is what problems are we trying to solve more broadly? And you know, personally, I definitely am interested in learning more.
So I want to ask what your thoughts on a couple of items here. Just real quickly. AI is everywhere, it seems like. I have to imagine that you're seeing it as well as part of some of the stuff that you work on. Where do you see AI really impacting identity for you? You know right now it's not I think something that we're seeing direct impact yet.
I think the potential is there and you know I I try to have a level head about these things. It absolutely will be a game changer for society, for companies, no doubt you know, but if you zoom back, a lot of companies are doing things that we said were bleeding edge 15, 20 years ago, right. You go look at the Magic Quadrant or whatever, you know, maturity, scale, right, of where people are going to invest their
time and money. You know, everyone said when the iPhone came out, oh, we're going to, you know, you know, build mobile apps. And yeah, companies kind of did it, but not really right. And companies are still investing in those things 10, 15 years later. So I think practically I think it's going to take time, but maybe not as long. You know, where I think I think is really exciting is the ability to have a technology that can integrate into that data set of identity.
Hey, does this person really need access or did they just say right, are they using it? Give me the ability to know that, right. Having really intelligent versus static controls, you know those are easy examples where it's going to have huge influence, you know in this space going forward. And and I can't help but going back to the, you know, we have to drive outcomes more broadly,
right? If we have the ability to see this stuff and orchestrate, those are great tools for people to scale out versus continuing to try to ask for more headcount, right, because that's probably not a winning strategy, right. So I'm I'm really interested in see how it influences the product roadmaps of companies coming coming soon here. I'm going to throw another one out for you. This big trend in the industry is around converged identity.
In other words, one software vendor does it all and can compare and contrast that with best of breed. And if you're like me, there's not a black and white answer, but I'd like you to. I'd like to understand your headspace when it comes to converged identity versus best of breed approach. Yeah, no, it makes sense.
And you know, I think if you're a smaller company organization, if you don't have an IT staff, you know going to something like a Microsoft or some other comparable vendor, right, totally makes sense because you're you're really there to enable other things. But as you grow in organizational size and complexity, I think that
question probably shifts. And you know I think ultimately to enable business security outcomes we have to be able to shift tools when they no longer serve our needs. So I get hesitant to say that we should go all in on you know a massive platform because the stickiness that that drives and the ability to move off of it, you know doesn't necessarily enable those business outcomes. So I think it really depends and
you have to be really careful. So we've had a great conversation and I want to start to wrap things up. We were talking before we hit record that you're interested in vineyards, and so I want to understand a little more about this interests. I don't know if it's a passion or a hobby, or maybe it's everything, but if you were to create your own vineyard, what type of wine would you specialize in and why? No, that's a great question. And you know, I didn't say where I live.
I actually live in Virginia. You know, when people think of wine, they obviously think of the West Coast. But Virginia has phenomenal wine and, you know, amazing scenery, probably not really well known outside of Virginia or, you know, people that are really into wine, you know? So I can't help but think about, you know, wine's awesome, right? It, it brings people together, you know?
You know, we're obviously really interested in that as an identity professional, right, about bringing people together. But also, you know, I think it's really interesting because wine grows in a place and it absorbs the flavor or the characters of a place. And so, you know, I couldn't help but think about, you know, living in an awesome world, you know, beautiful mountains or rolling hills. We are crafting this thing that brings people together. So, you know, personally, I love caps of.
But you know, if you were to come out to Virginia and I encourage you to do so, right? There's pretty much everything out here. A lot of wine that you've probably never heard of, like Viognier or Tannat or Petit Manseng, these great white wines, red wines, you know they have a lot of character and you know, bring you out to amazing places and you know, make awesome connections. I recognize some of those words, but only because my wife is really into wine, so I definitely know the only Jim
for. All different language. It it absolutely is, and it's fascinating. I I think that there is a little bit of a biological factor in this as well because my wife is the kind of person where she can taste it and she can taste all the tasting notes, right? She's very good at telling you I was like, oh, here's what the terroir was and here's the notes of this and that.
And for me, all I taste is alcohol and wine and it's very hard for me to enjoy it and appreciate it like she does, because I just, I don't pick up on any of that. Like I I can't smell it, I can't taste it, and so I don't enjoy it to the level of others. But I don't begrudge people for that. You know, I have a, I have an infirmity and I just live with it.
There you go. Yeah, well, I think the important thing, like anything in life, it's about enjoyment and, you know, having good connections and time with other people. But I can't tell the difference between Coke and Pepsi, that is for sure. So you know, I've got my priorities straight. Jim, if you were going to create your own vineyard, what, what, what type of wine would you be making? So my favorite kind of wine is Merlot.
And the funny thing about Merlot is I feel like people, like, wine people think it's lowbrow. First off, as I was thinking that that's what I wanted to say, the thought came to my mind of what does lowbrow mean? First off, that's like outdated. And anybody who's talking in those terms, I'm not taking advice, I think. It has something to do with like if you're drinking out of a brown paper bag or something
like that. Well, if you're drinking Merlot out of a brown paper bag, I mean you do you Jim, however you want to consume it, that's yeah, that's not been my experience. That's like Boone's farm or something like that. But actually I so I guess Merlot, but I wanted to throw this other idea out there. So I had this idea recently of you know maybe I'm going to throw this out there. This is the first time you've heard this idea Jeff.
But you know how last year we did an axe throwing event for Identity at the Center, kind of a meet up of all the listeners at Gartner and it was an awesome event and few people who were like really into the podcast showed up. We threw axes. We had a couple of sponsors come out and like pay for the whole thing. So it was completely free for everyone. What if we did a high end wine tasting and like for people who drink, you're more than welcome to swallow.
If you don't drink, you're more than welcome to spit it into some kind of like trash can. But my idea was we'd have, I think the right term is sommelier, like somebody who like, really knows the wine. Who would say, all right, now we're going to open this 1997 Cabernet Sauvignon? And this was a great year because it was, you know, a drought or something like that. And, you know, expect some hints of coffee and black cherries or something like that.
And then everybody would get like, you know, 1/2 an inch of this wine. They'd be able to taste it and it would be wines that most people would not buy because like $200 a bottle or something like that. And we could do it with like 10 different wines. So what do you think? Is that a good idea? A bad idea? I don't know, but it's sommelier, so that's how you pronounce it. My wife actually used to do. That I mean the sommelier. The sommelier. I mean, I don't think in her.
I thought you were gonna have something a little more interactive, like doing a crush, jumping into a vat full of grapes and just stomping on them and stuff like that. That's pretty popular actually. People go and do that. We could do wine pong, yeah. Something like that. I don't know. I don't know, John, what do you think? Would you go to a a wine tasting of some sort? Oh, absolutely. You know, but Jim, you said you live at Augusta. Like, why don't you have us all to the Masters here?
I mean, come on, that's a that's a way better option. I definitely would do that, but I would not buy people tickets. You know, to buy those tickets on StubHub, they're going for like $1700 a day now, and then StubHub's gonna throw another $500 in fees. So if you got a ticket, I've got like several guest rooms in my house. And John, I'd love to have you over lot. But Jim, you're a co-host of the world's most popular identity and access management podcast. What do you mean you don't get
tickets to the Masters? Well, it's, yeah, I mean, I don't know. How can I explain it, man? It's a lottery system. They have a lottery system. I enter the lottery system every year, but it's just like the regular lottery. I'd never win. So if you win the lottery, you can buy up to four tickets for the days that you won at like 90 bucks a ticket. And then when you get in, they sell sandwiches for like $1.00.
So it's like they do a lot of things that are traditions for Augusta. The whole thing is about it's a tradition like no other, but if you aren't lucky enough to win the lottery, it's just like any sporting event. You can go on to StubHub and buy a ticket at some exorbitant fee. So think of how many people win this lottery. They get 4 tickets at 90 bucks and then go and sell them on StubHub for, you know, anywhere from 1500 to $2500. Sounds like a pretty good investment.
It seems rock solid. Like, you know. Well, here's the here's the strategy. Just go win the lottery and turn that $90.00 into, you know, 10 times that. Yeah, it might as well enter the lottery every year, whether you like golf or not. All right, let's go ahead and leave it there with the fact that you're not bringing anybody to the Masters, Jim. I'm very disappointed in you. I'm bummed. Yeah, I know. No kidding, right? Yeah, I'm, I'm taking a I'm taking a training course on how
to become a better sommelier. All right, you can find us on the web idacpodcast.com or on Twitter X, whatever it's called by the time you listen to this IDAC podcast. Mastodon. At IDAC Podcast. Yeah, IDAC podcast at infosec dot exchange. And of course look for us on YouTube. Start to put more content up there and hope to do more in the
future. And of course link, you know, catch us up on on LinkedIn. Send us notes, comments, what you like about the show, what you don't like about the show. We read them all. And for those that have sent stuff in the past, we definitely appreciate it. We'll have a link to everyone's LinkedIn in our show notes so people can ask questions or, you know, give Jim a hard time about the pronunciation of sommelier. So with that, we'll go ahead and
leave it for this week. Thanks everyone for listening and we'll talk with you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com and find us on Twitter at IDAC Podcast. See you next time on Identity at the Center.
