
#282 - IDAC Sponsor Spotlight - RSM Digital Identity

May 22, 2024 · 1 hr 22 min · Ep. 282

Episode description

On this episode of Identity at the Center, Jim McDonald and Jeff Steadman are joined by Chad Wolcott, Managing Director at RSM US LLP, to peel back the layers of the identity industry. They delve into the complexities of identity consulting, discussing the challenges and triumphs of implementing and managing IAM solutions. From Chad's early days of designing robots to Jim's arcade escapades, the trio shares their most unusual jobs and the lessons learned from their unique experiences.

They also tackle pressing topics like the future of passwordless authentication, the role of AI and analytics in identity, and the evolution of authorization from RBAC to dynamic access models. The conversation takes a turn into the realm of IAM horror stories, highlighting the pitfalls of over-engineering solutions and the importance of aligning with organizational change.

As they gear up for Identiverse, they share their excitement for reconnecting with industry peers, diving into sessions on AI and identity security, and enjoying the Vegas experience. Tune in for an insightful and candid discussion on the state of identity security, the potential of AI, and the power of automation in the ever-evolving IAM landscape.

Connect with Chad: https://www.linkedin.com/in/chad-wolcott/

Meet up with our RSM team at Identiverse 2024! Schedule at https://rsmus.com/events/2024-events/join-rsm-at-identiverse-2024.html

Learn more about RSM Digital Identity consulting: https://rsmus.com/services/risk-fraud-cybersecurity/cybersecurity-business-vulnerability/identity-and-access.html

Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at idacpodcast.com and follow @IDACPodcast on Twitter.

🔑 Episode Keywords

Identity Security Practitioners, Data Breaches, Identity Access Management (IAM), Digital Identity, Identity at the Center Podcast, Access Control, Security Automation, Identity Governance, Passwordless Authentication, Biometrics, FIDO Alliance, Multifactor Authentication (MFA), Policy-Based Access Control (PBAC), Attribute-Based Access Control (ABAC), Role-Based Access Control (RBAC), AI in Identity Management, Identity Analytics, Identity Consulting, RSM US LLP, Identity Program Management

Transcript

So when I talk to somebody that has no idea what I do, depending on the conversation, I've, you know, I'll say I help keep my clients out of the news, right, because that's part of our job as identity security practitioners is helping mitigate data breaches. So we do a lot of that.

But ultimately, I find when we're working with clients, more of the time than not, what we're doing is connecting different pieces of the organization that may not have even spoken to each other before to understand how they view access, how they view the different audiences and the personas in their organization to be able to try to put some level of control and security around that. This is identity at the center.

If it has anything to do with IAM, this is the go-to podcast. Now, your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey, Jim. Hey, Jeff. How are you? Oh. Not so bad yourself. Good. I've been looking forward to this episode for a while because we've got a special guest, somebody I've known and worked with for roughly 8-9 years.

And the funny part was we did a YouTube video together as kind of like a panel of folks from the company we worked together at, which was Identropy. Eventually you joined Identropy, but it was me and Chad and Mike Woodburn and Wayne Cecil and Mario Dusai. And one thing I noticed was that I looked like I was about mid 30s and Chad looked like he was about maybe 20. So you know it was it was just so funny looking back on that.

And I came to the realization that from 40 to 50 is when you age the most. Yeah, the accelerator gets pressed. The ramp becomes suddenly just kind of takes off. Now you're like this grizzled mountain man. You've got like this big beard and you know, you got the long flowing hair and you know, the swole jock physique. That's a far cry from the original Jimmy Mac I am. Yeah, I was lean and mean. I had a little goatee, a short haircut, so definitely change of style.

I was more of a runner back then. Now I'm more of, like you said, a mountain man. But I do think that the beard probably ages me a little bit. But I don't know I'm comfortable with it. Now it looks good and you mentioned that video. I actually watched that video before I interviewed with Identropy, just to know what I what was I getting myself into? Who are these characters? And I was like, OK, these guys know what they're talking about.

It's like, all right, let's, let's do, let's, you know, let's give it a shot. So. And you still took the job, the funny. The funny thing was I was, I think it was you asked me on a previous episode, like, you know, you've been doing this for 12 years. Do you feel like you're much better at the job than you were 12 years ago? And I said absolutely yes. I mean, I do stand by that, but I think the advice that, you know, at least what I said during the panel was good advice.

I do think though the interesting part was it's like the assumption was everybody was doing their IAM on-prem or not in the cloud, right, because I mean eight years ago is how the video was. I mean, you know, doing cloud IAM was, you know, a novel concept at that point. Very cutting edge of you to be in that area. But yeah, didn't scare me away. I knew some of the faces and you know, today's kind of special episode. I think we've been looking forward to this one for a while.

We're featuring the company that we all work for for the first time ever, I think, on this show. So today is a sponsor spotlight episode. We are the RSM US LLP Identity and Access Management or Digital Identity Team. If you don't know who RSM is, we're here to tell you about it. Don't be afraid because I wasn't either when they called me. So I was like, all right, who the heck are these people? And you know, this group here and others have. We've been building up a really strong team.

So today's episode again, fully sponsored. We have our guest today, Mr. Chad Wolcott. He's the Managing Director at RSM. Welcome to the show, Chad. Thanks guys. Thanks for having me. This is by far the highlight of my career. So undoubtedly and you've been in this space for a long time, you and I have known each other for a very long time, was a former customer of yours. That's how far back we go and the three of us were Identropy and now we're putting a band back together at RSM.

So very exciting times ahead. But before we get too far along the way, let's talk a little bit about your identity background. People are familiar with Jim and myself at least to some degree. What about yourself? How did you get into identity? Is it something that you chose or did it choose you? Well, I'd say, like most people in identity, I knew from the first time I dialed into AOL on my Commodore 64 that I wanted to grow up to be an IAM practitioner.

No, but that's. A great story, very inspiring for. All those words, right? All started. It was a winding journey to get to get here since then. But I think I've been in identity for a lot longer than I care to admit. You know, Jim says that the beard ages you. It's actually the kids that do, but I've been doing this for probably from somewhere between 20 and 25 years.

I got into identity through a former boss of mine who at the time was with a company called Courion, who was an IGA vendor way back in the day based out of the Massachusetts area. And he asked me to come over and be what they called an identity management consultant, which was kind of a mix of a BA and a project manager. And I had done a lot of work, similar work for him previously on the professional services side.

And I said that, what the heck, I had just kind of parted ways with my own software distribution company and said let's let's give this a try. And that's really kind of where I got started in identity.

And it's been kind of a long journey since then involving multiple acquisitions and moving from company to company and going from you know a small three person company that I had myself to couple 100 people then back down to 80 to 100 people at Identropy, which was then acquired by another consulting firm and then most recently here at RSM. So it's been an interesting journey. Yeah, it's very interesting journey. Now you're at RSM, so who is RSM?

What is? What does RSM stand for to start with? So RSM, it's funny, Jeff, you mentioned before that you didn't know who RSM was. I didn't either at first. So RSM stands for Robson Rhodes, Salustro Reydel and McGladrey. Some people may be familiar with McGladrey, that was a US accounting firm back in 1926, I believe is when the firm started. Now we are the 5th largest accounting, tax and consulting services firm in the US. So people talk about the big four. We like to call it the big 5.

So we've got about 16,000 professionals in North America today across 87 cities and four cities in Canada. Yeah, it's interesting. You know, I'm a New York Yankees fan, and Chad, please don't hold that against me. I know you're a Red Sox fan, but I knew who McGladrey was because they ran commercials during the Yankees games. I was like, oh, McGladrey, tax and audit tax and consulting.

So I knew about McGladrey. I think it takes some guts for an organization to take a, you know, maybe not a household name, but a certainly a well established name and change it up in that way. So I think that's a big part of kind of not knowing the name, you know or like sounding new. But to me that's an interesting aspect and kind of like bold for companies to do. Yeah, absolutely. I mean, I think we've been RSM since 2015 is when they rebranded.

So it's a fairly recent change. But like you said after at that point nearly 90 years of operating under that name to change the brand is that's a pretty bold, bold step. So I had heard of McGladrey, but I had not heard of the other one. So Robson Rhodes was in the UK, Salustro Reydel was France. So for international listeners, maybe those names might ring a bell.

But I had heard of McGladrey, but I thought they were some sort of advertising firm or something, maybe just because I was, you know, not really paying attention. But yeah, now here we are. We're all underneath RSM. My master plan of putting together Identropy 2.0 is, well is well underway. I thought it would be interesting to kind of peel back the curtain, kick down the 4th wall. We do that a lot on this podcast. And. And what is identity consulting? Like, what do we actually do?

How do we explain it to the people that know us or don't know us? You know, you're sitting in the barber chair. Oh, what do you do? Well, you know, I'm a consultant. Oh, what kind of consultant? OK, Information security. Oh, like, like hacker. Not quite. But, you know, things like that. So I thought maybe we'd start with, what is Identity Consulting? And Chad, from your perspective, what do we do?

Well, the answer I give my kids when they ask me is I have meetings because that's what I do a lot of. But I think that's as consultants, that's what we all do a lot of is have meetings but but ultimately, you know when I boil it down to the simplest components, right, identity, identity is about understanding or identity. Digital identity is more about understanding who has access to what, what are they doing with that access, are they doing the

right things, right. So for me, taking that as sort of the core of what we do, like making identity at the center of everything and it's really expanding that to the broader cybersecurity space. So when I talk to somebody that has no idea what I do, depending on the conversation, I've, you know, I'll say I help keep my clients out of the news, right, because that's part of our job as identity security practitioners is helping mitigate data breaches.

So we do a lot of that. But ultimately, I find when we're working with clients, more of the time than not, what we're doing is connecting different pieces of the organization that may not have even spoken to each other before to understand how they view access, how they view the different audiences and the personas in their organization to be able to try to put some level of control and security around that.

So let me flip this over to Jim because he loves to ask the question, what was, what is it you would say you do around here, Jim? Yeah. And before I even answer that question, Jeff, I do want to recognize that you said this is your master plan and then you did the Mr. Burns thing. But you know, kudos to you. You really did pull this together. I mean, you know, I I wanted to follow you over here and it was

a great decision that I made. It wasn't long after you know, another year and a half and Chad came over and I hope that he's looking at that decision now and smiling, but you're the kind of the master cog to all that. So to answer your question, what do I do? So I've run our digital identity advisory services. So it's really if you look at the the model that we use, it's assess, advise, implement and manage. So really the assess and advise usually gets grouped into advisory services.

You start with an and you could do just an assessment or just advise, but usually it's you assess and then the advice which is like strategy and road map kind of work stacks on top of that. So assess is really how are you running your identity program now? What's working well, what's not working well, what needs to be improved. And from that you can kind of start to identify areas where you need to make improvements to reach a certain level of maturity.

And by the way, usually when you say to reach a level of maturity, it's one of those things where that maturity curve is kind of moving constantly. So you know you're, you're doing things to make yourself look younger, but your body's getting older or really what it is that the industry's advancing to try and stay ahead of the bad guys, if you will.

The advice part is really about now that we know what the gaps are, the areas that need to be improved based on our experience and I call it experiential based advisory or experiential based consulting. So in other words, we're not coming up with ideas that are whiz-bang or hey, no one's ever tried this one. But you try it based on our experience of seeing what has worked well and what hasn't worked well at the clients that we've worked with.

I mean you and I have worked with over 100 clients. I know Chad's probably somewhere in the ballpark of 200 clients. And what what are, what are they doing that would be considered leading practice or best practices, whichever term you kind of gravitate toward. And where do we see where organizations tend to hit walls and flop and avoid those things

of course. So now you build a strategy and really the road map, once you have the strategy, the road map is just building a plan that is going to do those things in the right order, in an order that the organization can absorb them and then an order that the organization can make the investments that are. Required.

So if we're working with an organization and Jim this is the background you and I have been working on for what 8-9 years now at this point is that assess and advise kind of area, right. What are we trying to do? Who are we trying to do it to and what are we going to do it with? Right, Sort of that, that kind of question and that transition. At some point you have to stop talking and start doing. And that's typically where we might get into like implement or

manage. And historically this is where we would bring our friend Chad into conversation, say, hey, what's going on? You know, here's kind of the situation, what, what can we do here from a technology standpoint. And maybe Chad, if you want to talk to me about implement and so manage, which is that back half or second-half of the assess, advise, implement and manage process, we can get into a little bit more.

Sure. I I I think once you get into the implement that's where it becomes a lot more complicated, right? Not that not that the strategy in the road map is not a complicated process because it is like the technology is actually the easiest part of it.

But when you get into the implementation side, there's lots of different considerations that you have to think through, not the least of which is there's a long list of technologies that are out in the identity, the broader identity domain and trying to determine which of those technologies is the most appropriate for the, for the client, right at RSM, you know, so our our idea is really meeting clients where

they need us most. So that doesn't mean just going out with the leader in every identity domain and saying this is what you should should plug in. So there's an aspect of understanding the different capabilities of those technologies, but then working with the client in a way that makes sense for them. It is ultimately a a, a transformation effort that goes on when you implement any identity technology.

So really understanding all of those key components of how to get that through the organization, how to drive the adoption, how to drive the completeness of the breadth of what you're trying to connect to. And then ultimately how are you going to get all the downstream people on board with that including internal and external auditors and those types of security organizations to be

able to drive to get there. So having a team of people that understand the nuances of the technologies and how to work through the change management required at an organization of you know, 200 people versus 250,000 people, right. And trying to work through those nuances, that's really where our, our implement or build team comes into play is helping clients navigate that and from you know, program management all the way down through hands on keyboard development if

necessary. And then often that transitions to our manage capability which can take different different forms and flavors. But ultimately we continue to see more and more clients just wanting to have someone solve

the problem for them, right. Don't just give me technology, give me a solution and that's when our manage team comes in and helps clients either in a Co managed way where we're we're doing the day-to-day operational support for their identity technologies or in a true you know managed service provider capability where we're we're managing the entire infrastructure and the whole the whole problem for them.

And I think one thing that is, is starting to get a little traction here is a lot of people I think associate manage with implementation and sort of technology and tools. But you know, myself, I do a lot of program management myself. So even though it's maybe not part of that, you know, formal kind of, you know, assess and advise, I'm helping organizations build up their IAM programs, projects, program charters, policies, standards, do we have a steering committee

and things like that. And so I think that's something that sometimes gets lost in the mix of the people just kind of think, oh, it's just like a, a tech service. It's not always that way, right. A lot of organizations struggle just kind of getting the bare bones of a program in place. And you know, I know, Jim, you've done it. I've done it. Chad, I'm sure you've done it as

well. But that's another aspect of it that that I enjoy because at that point it's like, oh, OK, now we're actually starting to fix things. Don't get me wrong, I love the advisory stuff that you know, we typically work on. You know, I always say it's it's a great gig to have if you can get it because you're paid for an opinion. Now that opinion needs to be good and it needs to be based on facts and understanding and be able to say, OK, you know, I understand what the client is

looking to get done. And I'm marrying that up with here's where the industry is going and here's where technology in general and the business etcetera and really kind of putting together you know those Tetris pieces to put together and start you know eliminating lines of the ever-growing Tetris problem for identity.

I think one of the interesting parts of of that Jeff, I think is as you get involved in more of those program management engagements when you're working with you know, senior executives at at a client and helping them navigate the complexities of this, you learn. You get to learn a lot more about their business and you actually learn a lot from them

about how they see things. And we can take that, those learnings and actually apply those to where we go next, right, and what other clients we work with because we get a different perspective on how different clients approach problems and how they think about the, you know, the business benefits of some of the solutions that we talk about.

Yeah, Jeff, the thing that I was going to add to that is what I think is so cool about program management is like that's the reality, That's how all this manifests. It'd be nice to think like you wake up one day and say, oh, we're going to do identity and access management starting with assess and then we're going to get some advice and we're going to implement and then we're just going to manage it. That's just not the way it works, right. It's a program. All those things are kind of

happening at the same time. You're definitely implementing and managing at the same time, but you're also thinking about what's next, where do we need to improve and that's really that assess and advise. Yeah. That cycle is ever present. You know, I I think sometimes we all wish it was that easy. It's like, oh, well, we're going to start here at the beginning. Well, that doesn't know what's happened really. You're probably in flight, right? I'm sure people are listening to

this. It's like, yeah, we're already have, you know, either an identity program where you've got some capabilities in place and it's OK Well, what's next? What should we be working on? What should be improving? And I, you know, I enjoy that type of work.

I, you know, I hate to say it, but I sort of enjoy figuring out the psychology of an organization to say, OK, what's the trigger word or trigger phrase or thing that I need to whisper the secret password that's going to unlock investment in time or resources or people or money or whatever it is right to improve things because I don't think nobody

wants to do it poorly. But a lot of times the reality is, look budgets are limited, resources are limited and people get put into a position where you have to choose like OK, well how do I advocate for proper or better identity access management as part of that process? I find that aspect of the job, you know, a lot of fun and you know I've, I've made a lot of good friends working, you know, working, you know hand in hand with, you know some of our

clients. And it's been, it's been great to kind of grow with them as they've matured their program and seeing them get better and say Oh yeah, I remember, remember back in the day when Chad, when we were working at Walgreens and I was like hey, we got to do like password resets. So we need to handle our mainframes and AS/400s and like and you know what you want to do, what it's like you're crazy like stuff like that right. And you sort of evolve and mature the program over time.

So let's talk a little bit about again assess, advise, implement, manage because I think historically it's called people might be familiar with like plan build run, I know we use that historically. Any reason to change from plan build run? Is it just an evolution of the process, is it aligning with any kind of other methodology or we just modernizing the way we think about things? What are our thoughts about that, Chad?

I think, certainly my thoughts around that, I think it's a little bit of all those things, right. Some of it is a bit of an evolution that's to a degree necessary just based on the construct of the firm that we're

with now, right? And that that's largely the way the firm approaches things, being able to, you know, being a public accounting firm, we have independence things that we have to work through which in some respects causes us to need to have some level of separation in some cases.

So being able to separate out an assessment function where we're you know evaluating the client's current state of affairs with providing advice to how you move that forward and then implement and operate are really I think analogous to the build and the run pieces.

So I think it really the evolution is kind of taking that holistic advisory function and breaking it into a couple of areas which in some respects you know there's a never ending list of regulations that comes out every year and new and updated things. And we have to really be up to speed on all of those. And that's for me is a large function of the assess capability that we have is to really go through and evaluate client's current state based on the various frameworks and

regulations that are out there. Advisory takes that to the next step, right? Great. Here's where you are, here's where you need to go, here's how you solve these challenges. In some cases, the client just wants to understand where they are against NIST, CSF framework, right. And then they can run from there. But by being able to tie all those things together, I think it's as much as we would like it

to be that linear path. But tying all those functions together, I think in that in that cycle that cyclical process is important. You know, I just to add to that, I've always I I love plan, build run because it's like so easy to remember. But I also think then it's like OK, so are you only planning in the plan phase? Like don't you build project plans during build and don't you are you saying that you don't plan during run?

And so I don't think that that model was, it was great for the mnemonic and easy, easy to remember, but I don't think it was like complex enough to quite capture what we were trying to communicate. Yeah, I think that's fair. And I think as many organizations move towards more of an iterative or agile type of a model that plan, build, run or you know, assess, advise, implement and operate, even it, that lends itself more to a waterfall sort of mindset and

approach, right. I think to do it the way we talk to clients about doing it, it's got to be iterative. So we're doing all of those functions, you know some degree of planning upfront with that assess and advise. But very quickly you're rolling into implement while at the same time you're going and replanning, right, and and trying to revise that plan because you're going to learn as you go, you're going to uncover things. And we see this with clients all the time.

You think you've got all the requirements, understood. Everybody in the room nods. They're like, Yep, that makes sense. And then you start down the path and a week later, you know, Susie gets called in for a meeting and you bounce one of these ideas. Oh, that's not how that works, right? And then you've got to change everything over again. So it really forces you into that more iterative approach, which ultimately is a benefit to clients, right?

Get some value sooner. A long time ago, someone said something to me, and it's always stuck in my head, right? Incremental progress over delayed perfection, constantly iterating instead of just trying to set a path and a goal and just blindly charging for it. It's because things are going to

change along the way. That's why I like to follow the pattern of you know, how are we better this month, this quarter, even maybe even this year than we were this time period last, whatever measurement period is I, I, I said we'd kind of kick down the 4th wall a little bit here. I'd like to understand what's a typical day like for each of you. And Chad, I'll start with you.

So you're a managing director, you know you're in charge of a digital identity for us. What's your typical day like as a managing director in consulting? So my typical day involves a lot of different things as we've been really building out this practice and really driving towards you know sort of our our big launch if you will. You know our fiscal year starts May 1st. So this is our new year and we're jumping into this.

So a lot of my, the last couple of months have really been working through our strategy and our approach to how we talk to our clients, how we talk to different technology vendors really our go-to-market and really our why, right. That's what I've been trying to establish is what's our why? And then so I spend a lot of time talking with RSM partners and understanding our client base and the needs that they

have. So a fair chunk of my day is meeting with different whether it be clients or our partners, there's a lot of boring operational stuff that goes into it that that problem is going to continue to get worse as the practice gets bigger and bigger, right. So whether that's staffing calls or revenue forecast meetings and those types of things, but it's also because we are a North American practice, it is US and Canada.

I spend a lot of time with some new partners that we just brought on board up in in Canada, aligning our our collective experiences around implementation, around advisory, around managed services to make sure that we're taking all of the benefits of all of our experiences and being able to kind of craft that into our own secret sauce that we can bring

to all of our clients. So a lot of my time is spent with clients, with operational things internally and more sort of strategic trying to figure out where is the market going, where do our clients need us most and how can we make sure we're there before they are. So a lot of meetings. You weren't lying when you said that earlier. I wasn't lying when I said that earlier. Thankfully the the travel has slowed a little bit, but it's starting to pick back up, so that always adds another

interesting wrinkle. You know, after a couple of years of not much travel, it's tough to get used to working from a little laptop screen again. Jim, what's your kind of normal day like? Well, mine will be easier to explain. So there there's two roles that I have here at RSM.

One is obviously serving our clients with the assess and advise projects and it's interesting because we've got a a couple of folks on the team, I'm thinking of Brian Lindstrom and Ben Dowd who are just like superstars, right. So they wind up actually doing most of the work, but they do ping back to me, right, because you know we, I've been doing

this role for 12 years now. So I have some good insights at least I'd like to think so and but I mean if you come and do a project with RSM to put together our assess and advise and many other areas, but specifically on those and you're working with Ben and Brian, you'll see what I mean. These guys are just superstars. So my role is mostly as like engagement lead for these projects, but I also focus on some internal initiatives.

So I'm what we call the strategic pillar lead for our training and professional development track. And so what's been really cool about that is RSM. It's the group that we're in, the security and privacy Risk Consulting has been really, really focused on making sure that people are getting the training that they need to be great in their current role, but also ready for promotion to that

next level. And so it's an investment in the individuals, but it's also something that the organization obviously reaps benefit of as well. So it's just been fascinating. I've put a lot of focus on that area again because it's like it's important to RSM. So I'm able to carve out a big chunk of my week to dedicate

toward that. And I'm, I'm honestly learning a lot because I'm starting to interact with folks in different areas of our practice and I'm learning a lot about what they do and what training requirements people go through to be, you know, to. Usually when we hire folks, there's obviously people that we hire who are fresh out of college or whatever, but most of the folks that we hire are already experienced to some level. They come in with different certifications or different

experiences. So it's a matter of going ahead and and how do they get you know go from uncertified to certified or if they have certifications how are they maintaining those certifications and what are the things that you know currently we don't have a solution for and let's make sure we have a solution for that. So I'm really proud of my work there and like I said I get to carve out a a quite a bit for

that. It's gotten to the point where I'm pretty busy between client work and the strategic work and we're doing a lot of podcasts in the evening. I know you're you're in the same boat, Jeff, but and actually I kicked the question over to you. You know, other than being the podcast producer, which I know you're doing at nights and weekends for the most part, what's your typical day like? It depends on the day actually. It changes so much.

I have been doing a lot of travel for like the last six to nine months. I would say. I think you know last year was a record for me over 100 flights I took in 2023 alone. I'm already platinum with Delta for next year. So I I I kind of see myself a little bit as as a Flex person now. So I'm kind of wherever I'm needed.

So I might be meeting with clients, I might be you know on a phone calls with clients kind of talking about what's going on, might be pulling you guys into conversations as well, obviously doing the podcast. And so there are other kind of internal stuff that we work on different projects, but and then advisory work, I mean I'm still involved with some of those projects and kind of work through that.

So it's a little bit of a this and that and the other thing which I kind of like gives me some variety and definitely the podcast which we are always have to point out is not an RSM podcast. That's why we can do what we need to do. But RSM has been very supportive. You know, they're helping sponsor this episode and they help us out quite a bit. But yeah, I mean that's and and this is one of the ways that I

stay on top of things, right. So what's going on in the market, yes, talking with clients is one thing, but also getting to meet all the cool people in this space. I mean just in the last couple of weeks, right, we've interviewed Henrique Teixeira who was with Gartner for a long time, very popular analyst and now he's with Saviynt. We talked with Omri Gazitt, who's over with Aserto.

I had a conversation in Troy today because we were talking about policy based access control for some of our internal initiatives and was like, Oh well yeah, I know a couple things around this and I can make some introductions, right. So stuff like that, maybe we'll be a matchmaker, stuff like that, but that's, you know, my, my day is rarely the same, but most of the time it seems like I'm headed to the airport. You know, the work address in my car is the actual airport.

So if that gives you any sense of of where of of how I typically spend my time, that's that's pretty much it. Chicken or steak? Depends on where, man. If we're doing chicken and waffles or are we doing like a nice steak place? Well, it's it used to be like the the phrase they would have on Delta flights was like, you know, has your life become, you're sitting at TGI Friday's or getting a meal on the plane is like chicken or steak? Yeah, neither. I'm probably going to bring my

own. Bring your own Snickers bar. Chad, are you a chicken or a steak person? What are you doing on the airplane? Probably more a chicken than a steak person. I do like a good steak, but airplane steak? Probably not high on my list of of things to to go for. No matter how much they microwave it and dress it up with a a fancy cloth napkin, it's not the same.

Exactly, exactly. Let's talk a little bit about the market because I think one of the things that we get to do is be really at the forefront, at least we try to be of different aspects of identity and access management and there's a lot of spaces. We're not going to cover every single thing about identity today, but kind of picked out a couple things that are usually top of mind for our clients. And hopefully people out there listening will get some value

out of this as well. But what I wanted to do was kind of pose the question of where are things going, Where do we see the identity industry going in X? The first one, and I'll start with Jim for yourself. Where do we see the identity industry going in authentication? Yeah, I mean great question. And you know the the biggest trend is toward passwordless, it's getting away from knowledge based authentication into possession based authentication which includes biometrics.

So it's you know you still see the number one and number two attack vectors being social engineering and phishing. Well those things become a lot more difficult when you layer in multi factor authentication and almost impossible when you get to passwordless. So those are kind of the biggest trends. Those are being led by the FIDO

Alliance, you know. So if you're not familiar with the FIDO Alliance, I think you should get familiar with it and the standards that the FIDO2 standard for authentication will really help drive. You know obviously passkeys is on the tip of most people's tongues. Now that's mostly focused on you know the customer facing or or or web facing type of applications. There's plenty of solutions also in the enterprise.

You see, I think the other thing for authentication is really now using verifiable credentials so that you can, you know, prove your identity and start to match yourself up with a credential and kind of a live selfie test. And then some of that information can then be leveraged from an authentication standpoint. But all this is trending toward getting away from the password and having a better sense of that. The person on the other end is

who they say they are. Yeah, I got to give a lot of credit to the FIDO Alliance for really pushing passkeys forward, getting basically the big three in the same room, Microsoft, Google and Apple, to collaborate on this, which is no small feat. So shout out to Andrew Shikiar and Megan and Adrian over there. We'll be at Authenticate later

this year. We're big supporters of that organization, but you can show your appreciation by sending your favorite Heart song to Andrew Shikiar, 'cause he's such a big fan of Heart. We want to make sure that, you know he gets that. Chad, where do you see authentication going? I I don't think I have anything materially different to say to that.

I mean passwordless is really what all the clients that I talked to aspire to get to. Now many of them they have difficulty just getting people to change a password you know once in their life cycle of journey at that client.

But passwordless is really where I see more and more clients wanting to go. But interestingly it's it's all about, it's more about the frictionless experience for their constituents, whether that's employees or vendors or customers than it is even they're not even thinking about it from a security perspective. It's more just we've got to stop asking people to remember 25 different passwords.

And you know, Single Sign On is great when you can connect all of your systems to it. But as a lot of our, a lot of clients that I work with have environments that are very mixed. In some cases they're very easy to integrate Single Sign on, in other cases it's virtually impossible. So getting to something that's much easier for the end user is really where where we have to get to. We've got to find ways, creative ways to get there easily for clients.

Yeah, I think over the last couple years, COVID really kind of forced people down the MFA route if they haven't already, which they should have been, but a enough like a little pandemic to get people started. So we're past that now and I think like most organizations, MFA now, they're looking at passwordless, they're looking at, I've seen a lot of interest in Windows Hello for Business on the Microsoft side.

So you know, projects coming along where it's like, hey, the the hardware cycle has caught up with where it's been from a software perspective. Remember, you know, Windows Hello might sound like, Oh yeah, it's been around for a while. But if you think about it from like a organizational perspective, it takes time to refresh hardware and it usually takes multiple years to kind of get everybody up to the same

playing level. Do I have a compatible fingerprint reader or camera or things like that. And you know, thankfully now we're into that phase. So I am seeing more Windows Hello for Business and sort of taking that approach of I don't want to have to type my password a whole bunch of times. You know, I mean I I have Windows Hello set up on my work machine and I look at my camera and I'm in, you know, and it and it works great. So I think that's that's been a nice trend.

Why don't we shift gears to authorization? And Jim, I'll come back to you on this one. Where do you see things going from an authorization standpoint? Well, I mean obviously the hot trend is around PBAC, ABAC, ReBAC, what does they're? Using acronyms, let's not lose people. OK, PBAC, policy based authentication. ABAC, attribute based authentication. ReBAC is relationship based authentication and it's not that I'm against those things. Those things are great trends.

What I still see organizations, clients having to do is RBAC. They understand RBAC, they get the concept, they can start to develop it without having to change their paradigm. But guess what? The other thing is, almost every organization I talk to, their group management in their Active Directory, their Entra ID is a nightmare. They have more groups than they have users. They don't have the owners assigned to the groups.

They they've got an ugly nesting maybe they've got poor descriptions and they've got groups that people just don't know what they do. They're afraid to delete them. They're afraid to write the description that says this group does XY and Z, because what if it also does PDQ? You know? So anyway, I think this entire spectrum is what's going to continue to happen. I think it's different than authentication, right?

It's not like you're going to see more and more password, you're going to see the password go away. I think 5-10 years from now, it's like the only folks using passwords are like true laggards. I I mean, it's getting there now. So I'm saying I'm being generous by saying 5-10 years. RBAC is definitely going to be around 5 years from now. Yeah, I I find a lot of organizations want to be RBAC or role based access control.

They get about 15 minutes down that road and like oh, this is harder than I thought it would be. You know what I mean? We just can't make a, you know, a role called analyst. OK, well, you know, do you have the data, do you even back it up? That's another challenge typically see. So I'm right there with you. I've always been a fan of

alternative backs. So attribute based is generally where I like to start things because generally you can say is this person an employee or not an employee Generally that's well defined. You can start to drive rules or policies based off those different attributes. Chad, what are you seeing from an authorization standpoint and where the industry's headed? So I I don't disagree with Jim about the about RBAC not going away. For a lot of organizations that's pardon the pun, a four

letter word, right. They've gone down that path and like you said they've realized and this is a lot more complicated than we thought it was. But ultimately for many, for many companies that's really the only thing that they can, they can tie on to a degree RBAC is can be a little bit like ABAC, right. You can leverage some of the same principles which I think is great being able to do that attribute based access.

I think where I see us getting to down the road is a little bit more effective dynamic evaluation of access really to be able to get to be able to make it easier to administer the process, be make it easier to kind of govern the controls.

The hurdles that I think we've seen recently with a lot of the dynamic conditional access, dynamic groups, those types of things is more from a governance and an audit perspective because there's no historically has not been a good way to actually determine why that person was granted access at that given time in the in the past, right. You've got policies and you can say, well it's because they fit in this bucket, right.

If you've got a series of screens and they made it all the way through each and they have the access they need, but there is no accounting for how they got that right. And that's where I think the gap has been there. It's got a lot of promise because I think people would much rather define a policy and manage that policy rather than going through and managing thousands and thousands of discrete roles. I I think we need to get there.

I just don't think that the technology is is there yet where it needs to be. It's a probably a pretty good segue because they think the next thing I want to talk about is automation. I feel like to do things around automation or or say around policy based access control. Attribute based access control is you need some level of automation to actually make this real. Jim, where do you see automation helping those things or maybe other areas in the identity industry?

Think that our scope as identity professionals is growing so fast and it can't all be done without automation. And I think most organizations who are in kind of a a laggard position or under invested over time, some of those, if you take over an identity program or maybe even managing it for a long period of time and haven't had investment in terms of you know spending money on automation, that's where you

want to go, right. And that's how you're going to be able to do more with your resources is by automating as much as possible. So provisioning and deprovisioning has got to have automation. You've got to have automation in terms of you're monitoring and

alerting as well and response. So that's the other one of the other big challenges is that you know you've seen these slides where it talks about the anatomy of a breach and it's like it takes 170 some days to figure out you've been breached, it takes this, that and the other. But when you find out like from the time clone breaches you to the time that they've got the keys to the Kingdom, it's like seconds.

So your system has to be processing that data in real time to capture that that's happened and respond and the response has to be effective. So I think automation is, you know, table stakes at some level. What do you think? I mean, yeah, I think a lot of these things are really neat ideas, but they are not something that you can do by hand. If you're really serious about doing identity, you're going to

need some level of automation. And it's going to be either, you know, identity governance, which is probably most traditionally associated with automation, onboarding, offboarding, like you mentioned, changes in access, taking your different attributes that you know about individuals or policies you define to say, OK, you know, Chad is here and he is a new

joiner. And because he's a new joiner as an attribute of an employee in this department or this physical location, we've defined a policy that says these things mean you get these other things in automation or take them away. I think that's another way where automation is really helpful is a lot of organizations are really good at granting access and really not great at pulling away access when someone moves from, you know, one team to another team or whatever that

looks like. So I think that's an area where automation is, is definitely big as well. But Chad, what do you think? Where do you see automation fitting into the identity industry and where things are going? Yeah, I think interestingly enough, back at the beginning of when when identity really started to become a thing, right, we like often call it the first wave of identity. It was all about connecting everything, connecting all the systems to drive a lot of that

automation. That was kind of the promise back in the, you know, early 2000s. This is what identity is going to be. And everything failed like nothing worked. You couldn't connect to systems and then it shifted away from that and became more governance based.

I think the rest of the technology around, you know, IT broadly has now gotten to a point where it actually may be possible to drive a lot more automation, right, as a lot of the legacy systems that you, you know, couldn't really integrate with very easily are all being retired. There's still obviously a lot out there, but the ability to integrate with systems for automation purposes I think is better now than it ever has been.

As more organizations move to, you know, Federated models where you're leveraging some access management system to provide authentication and authorization, the ability to automate is just going to be that much better. So I I think, you know, the only way to do this effectively is to drive more automation. There are too many applications, too many users, too many regulations, too many controls

for people to do that. I had a client the other day ask me, are there any tools out there that we can use to verify that our help desk did made the changes to the accounts that they were asked to in the ticket? So basically, are there is there automation that we can you put in place to check the work of a human?

So like that's a very interesting idea, but why wouldn't you just remove the human from that process, you know, to start with and then put the human back in to check the work of the automated system, right. So I think we've got to drive towards more automation broadly across all of Identity. And that automation typically leads to more data than you probably know what to do with.

So next topic is AI and analytics, because AI has really kind of taken the world by storm the last couple years, but generally in the last year or so, that means that we have better tools to sift through data. Jim, where do you see AI impacting identity in the analytic space? Here's where I am right now is that I believe AI could be used in an IAM system, call it IGA, or call it like the total picture of your system to query it for

meaningful information. It could start like, you know, just iterative questions that build on themselves. Give me a list of all the people who have access to this application. Now no I want to see the administrators of that application. Or you know who has access to be the administrator of that application and is also at least a a a power user of this other

application. So in other words, have a way that people who maybe don't know how to use advanced reporting tools can go and make take me ask meaningful questions of your IAM system to get meaningful answers. So I could see that as a fantastic way to use AI, and where I'd like to see it go is to be able to ask questions that we don't have the data for it now. So tell me all the users who can enter an order in our order entry system or SAP system, the IAM system would have to know

enough about. Or the AI would have to know about enough about your IAM system, which is which roles and groups entitlements are going to give me that access. And then maybe it's going to have to know enough about SAP to understand how those groups map to some entitlement structure within SAP that gives you access to that order entry screen

within SAP. You know, in other words, it's it's going to have to be the big brain that can cross the chasm of identity and business systems to kind of drill down and ask questions that we can't answer today. And what why couldn't AI do that? What? Why couldn't AI have a big brain and understand both of those models and and look at the entitlement structure of those applications, especially

packaged applications? So it sounds like you see AI as being more of a helper for people using IAM because what you're describing sounds awfully like querying data, right? And today, maybe you need to run SQL statements and look at a database and pull pull data to make reports and things like

that. I certainly see that same use cases like, yeah, show me all the users who have access to this rather than doing SQL joins and trying to figure out, you know, what your database schema looks like to pull this information together or trying to do some sort of custom report. I think that's a really interesting approach to it is, you know, talking to your identity system basically, right?

And talking to it and say here's what I'm looking for hey identity system give me this information and it's it's kind of the ultimate low code no code environment if you think about which is where we've been heading in the last you know several years was that it? Same thing. It's just instead of doing drags, dragging blocks on a screen, now we're just talking to it. Say hey product, give me this information.

Yeah, you know, I think so. I think that's the the one major functional use case that I would like to see. I think the other thing I will do is chase the money. I I kind of feel like if you could have AI automate the work of an IAM team across 50, a hundred, a thousand different organizations. So you get the same size team that can manage one organization, be able to manage hundreds or even thousands of organizations, Now you have a

force multiplier. Well, you can only do that with a tremendous amount of automation. And if AI can become smart enough that it could build the automation and it could give you insight so that you could manage, now you free up a bigger portion of humanity to work on other things. Yeah, it's very similar to like when you know, manufacturing lines, automation started to hit that. You know, it used to be you'd have hundreds of people on a line building something.

And I worked for SC Johnson for a while and I went to one of the factories and there was one person working a line spitting out 40,000 cases of Windex. So I I see it very similar except more more the IT production line so to speak, where you come in Chad, you've got a background in product. I'm curious from your perspective and all the experience you've had, where do you see AI hitting the AI or hitting the identity space and how is it going to help with

analytics and things like that? Yes, I think there's there's two angles. I I, I love the idea of having AI that's smart enough to take a problem like application on boarding right? And that's that not only is that sort of instantiating the application in the various technologies but building the integrations right. You've got you know there's you can go to use AI now to generate

code for things right. Imagine being able to just say, hey, I need to, I need to automate access for, you know, system X and just provide some information. And off the AI goes building the integration, connecting to the system, pulling it into all of your infrastructure. That's all stuff that needs to be done today to drive that automation, take that problem away, drive it through AI. And I think there are, you know, there are some vendors out there that are taking steps on that path.

I think that's a that's a really cool idea to take some of the burden off the IT organization to be able to drive the breadth of the implementation if you will, of these various technologies. But I also think there's a end user angle, right, an adoption angle that helps with this. Like I said, just being able to say, hey, I need access to the softball file share. Like I don't, I don't know where to go for that, but just tell the AI and it goes off and

handles that for you. That sends things out for approvals as necessary. So I think there's an end user enablement or empowerment angle with AI. I'm really interested and I'm actually looking forward to one of the panels at Identiverse that's talking about AI from a, you know, from a threat perspective with identity security. Like that's something I'm really excited to dig into a little bit more because, you know, you've got the people that love AI, love to use it.

I use it fairly regularly. A big fan. You've got the doomsayers that are like, oh, it's going to be Skynet and yeah, I can, you know, it can go both of those paths. But I think it's going to be, there's going to be a balance. We've got to find good use cases. The amount of data that these identity systems generate is tremendous and there's minimal correlation between those systems.

Not a person is not going to be able to make those correlations and define those patterns and and action from there. So that's where I think we can use AI from a from an analysis and a monitoring perspective to make our people smarter and where they focus their attention in addition to a lot of the automation capabilities that I think it will be more enabling technologies. You bring up a couple

interesting points there. And this idea of a copilot seems to be catching a lot of traction with the industry of some some sort of helper, right, that's helping you navigate through whatever it is you're trying to do today in space. You brought up security of AI, which I think is really

important. So, you know, I'm looking forward probably the same session that you're referring to at Identiverse, but I think that's something we're going to have to navigate together and say, OK, well how do we keep

these AIs safe and secure and you know, large language models and they don't get poisoned with, you know, false information or manipulation or whatever that might be. It'll be interesting to see how the industry moves forward with this idea of AI. I can very, I can, my, my vision right here is I see like a generalized AI and I think about things like ChatGPT, Gemini, Meta, Perplexity, which is kind of a mix of everything, Claude, and that's

sort of like the general AI. Then I see very specific AI, large language models or generative AI that is very product specific. Oh, here is the SailPoint AI, here is the Saviynt AI, here is the Okta, the Ping, the Microsoft, right? And how those models interact together and keep your data safe and not have a transitive attack from another large language model into another one. Will be interesting to see how that develops.

You know I'm I'm sure there are already plenty of companies that are you know thinking about what their their startup is going to be or is to protect protect your large language model. Protect your AI, right. Shield it from that thing. And maybe this is just at the end of the day API management, how are we managing APIs talking to each

other? Right. It is an interesting thing to think through because obviously you want you want those sort of proprietary large language models to be able to reap the benefits of all of the public ones that are out there and the

more general ones. But you need to be able to segment your own data that you want to feed it so that it's smarter about your firm and what you're trying to accomplish and let your people do. So that's a that's a interesting balance of trying to understand how to firewall that. And there might even be tenants within tenants. So say you're a cloud identity provider and you've got 70 customers and they're all putting data in.

Now it might be really interesting, at least from an administrative perspective to say to query that data spanning all 70. But then you wouldn't want two of your customers to start looking at asking questions that would violate that that tenancy model. In other words, what's my competitor doing with IAM? How many accounts do they have? What's their password policy I mean? No, those aren't really competitive secrets. Maybe, but still, you don't want them. You don't want to have that

happen. Well, I'm looking forward to the day when AI start arguing amongst themselves trying to resolve conflicts. Well, the SAP AI is saying I can run this T code, but the other AI is saying that you can't. OK, well, you guys figure it out. Wake me up when when you've got that figured out. Chad, you mentioned Identiverse. We're going to be out there in full force and, you know, hopefully people come out, meet with us, but what are you looking forward to most at this

year's Identiverse? I think the thing most I'm looking for, there's a little panel on Wednesday about identity security that this guy, Jeff Steadman is is moderating. I'm really looking forward to that. Check is on the mail. I think there's a couple of things I'm I'm really looking forward to catching up with, you know, new and long time friends, right?

As I mentioned at the beginning, I've been in this space for a long time and every one of these concert concerts, these conferences is like, you know, old, old friend week, right. And it's just about OK, which firm are you with now, right, Both from a software as well as a consulting perspective. So it's great to catch up with those, those folks as well as some clients that are going to be there. But the two areas I mentioned AI, I'm really interested in

digging into that a bit more. We talked a bit about passwordless and you know, candidly that's not an area that I have a lot of expertise in. I usually go to Jim when I have questions about passwordless, but that's an area I'm, I'm really interested. There's a number of sessions that I'm going to be digging into just to get a little bit more educated on that so that I can bring some of that knowledge to my clients. Jim, what are you looking

forward to at Identiverse? I think in the order of importance, it's hallway conversations, It's podcasting. So you and I, Jeff, work on trying to give a little taste of what's going on, but have it be original content, right? It's not just, you know, us dropping into a session and recording them and and posting them on the Internet, which I don't think the folks over at the Cyber Risk Alliance would

appreciate. No, it's all the conversations, it's podcasting, It's attending as many sessions as we can fit in other than those things above. And then finally it's Las Vegas. I mean we're going to have go out and have some fantastic food. I'm looking forward to that part, look forward to the sights and sounds. I'm probably leaving something out, but what do you, what are you looking forward to, Forward to Jeff? I mean it's pretty much what you

guys said. I think for me it is very much like a high school reunion almost where you know, if the the identity industry is a very small industry comparatively to others and people tend to know each other and Chad hit it on the head, it's like, OK, well, which company you're with now or which consulting firm or whatever it may be, which vendor and people tend to move around a little bit in the space.

And so just meeting people, you know, sometimes this is the one, one time of year that I might see somebody who's over at X organization and we catch up for a little bit and say, all right, well, see you next year or see you at the next conference, maybe Gartner, you know, later this year, stuff like that.

But yeah, I think just the hallway conversations meeting people, you know, establishing or just you know strengthening relationships we've got out there in the space and you know just trying to be a a a good friendly dude to to walk up to and say hello to. So that's what I look forward to. And then of course, you know I'm moderating a panel. Our friend Sean and Atul have asked me to moderate a panel on identity security with CAEP, Continuous Authentication Evaluation Profile.

So I will be the person helping the smart people get the word out for that and quiz them with questions and things like that. So that'll be on Wednesday, May 29th, Joshua 10 plug for that 11:40 AM come out see me sweat on the stage as I don't know as much as these other guys but I'm sure it'll be a a good one. But that's what I look forward to and and you said it Jim Vegas, I know a lot of people don't like Vegas. I don't gamble. I don't really drink.

So the food and the world class people watching and you know the shows if there's time for that all top notch. So I'm always a fan of that and generally everything is pretty easy to get around to, especially in a location like we're out in the area where you know, you've got the Cosmo, the Vdara and you're just a few steps away from, you know, the the strip itself. So I'm, I'm looking forward to

it all. And of course, editing podcasts every night just to try and get something out on time, since you're a real slave driver when it comes to the podcast, Jim. Six episodes in three days, baby. Yeah. And now we're doing a video, so that's just even more work. So, all right, we have gone over an hour, but I'm happy to keep going here for a few more minutes. Let's close out a couple ways. The first will be IAM horror stories.

You know, I think we've all been in this space for 20 plus years. We've probably come across some really weird stuff. The rules of the game are, you know, a horror story. But we will protect the innocent. We won't name names, we won't name clients or anything like that. But I think hopefully these are stories that we have that will help people avoid some of these situations in the future, or at least be aware of what these can happen, you know? If you don't account for that,

Chad, we'll start with you. Do you have any good IAM horror stories? So this one is it's interesting, it's it's somewhat of a horror story. I worked with a client for many, many years. This back when I first got started in identity and it was one of those situations where you gather, you meet with a lot of folks, you gather a lot of information, you understand really where they want to go and and you build out a truly world class solution for them. It was amazing.

It did everything like made you coffee, you know, took the dog out, did did everything you needed, connected to thousands of different applications, built out roles. All of those things are true, like a really robust IGA platform and it worked great and then they had a team of like 60 people managing it, which now you think that's crazy like you know we would ever do that. And probably three years later I I ran into the CIO at a, at a dinner one night and I just said

hey, how how's everything going? Because it's been I moved to companies. And so I talked to him a little bit about it. He said, you know, you you built exactly what we asked you to build, but it turns out it wasn't what we needed, right? It was. They were just looking at things from a very tactical perspective. Just fix these problems and just make the like add more things and make it more complicated to make it larger and larger and larger.

And it became unmanageable to a point where they continue to have to add resources at people to manage the system. And it really wasn't even remotely close to what they needed. Now they paid a firm a lot of money to build this and it did a lot of great things, but it just, it became something that was unwieldy. They couldn't support it anymore. They couldn't move to new versions of the platform.

And unfortunately that's a pattern that I've seen over and over and over again, right when you talk to clients that are on their second or third iteration of of their identity journey and they've done the same thing. They customize the heck out of something and it's cost them millions and millions of dollars and what they've got is some big mess of spaghetti, but they don't know what to do with. So I know that's a little bit of a general horror story that I unfortunately I see over and

over again. So how do you approach that conversation with, you know, a client like that where, you know, I think a lot of people are familiar with the phrase, the customer is always right. Well, the customer is not always right. Sometimes you have to help them figure it out. How do you approach that conversation? Say, hey, look, based on my experience or here's why are they generally receptive to that kind of conversation approach to say, hey, here's what you need

to be thinking about? And based on what you're telling me or what you've built, here are some of the risks that are out there. Yeah, I I I think your mileage will vary on the the on the customer when you have that conversation. For me it really comes down to the organization's maturity around dealing with change. It's not even like a technology maturity.

It's are they do they understand what true transformation initiatives are like or is this their first time going through it Because having that conversation about the complexity of just trying to over engineer everything for you know every single edge case. I think most people that I talk to certainly most C level executives have done this a number of times and they it resonates with them.

Don't do that again. But every it seems that there's always somebody in an organization that says no, this is the way we've always done it. We have to keep doing it this way. So it's really hard to try to to peel people back from that. But that's ultimately one of the first questions that I talk to clients about when we start down this identity journey is how open is the organization from a cultural perspective to changing things, right?

Do we have to fit everything into the way it's being done today, or is there an openness to think of new ways to do it? And that's really what we spend a lot of time doing with clients is trying to get them thinking about different ways to accomplish the goal. Don't tell me how to do something, tell me what needs to get done right. And then we'll work through the best way to do that.

But you know there's I think there's a lot more openness within the last two to three years to to change because you can put together a reasonable business case for doesn't make sense to do this as an on premise. You know waterfall project where you're putting this a bunch of servers in your data center and making people think a little bit more about taking a different approach to solving the problem. That's a good one, Jim. How about yourself?

You've got to have some IAM horror stories. Yeah, I've got a few. But I'm going to tell one that's a real doozy. And I'd much rather if you had asked questions like tell us about one of your great successes. But you learn way more from your failures, right? So this one goes back to the identity DS and I was a real hardcore spokesperson for, you know, I learned about ForgeRock, a client and I said that's the wave of the future. We need to get on that.

And I think that was very good advice. So we built a team, learned OpenAM, learned OpenIDM. It took a long time. We finally found a client, helped them build their strategy and then you know, they said, you know, we trust you guys, we're going to bring you back and build it out. The OpenAM part was simple. The thing was OpenIDM and I think it was like version 1.2 or something like that. You've heard it probably described as a box of Legos and what can you build with a box of

Legos? Pretty much anything, right? So we started like planning the project and I was very involved, right? I was the practice lead for our ForgeRock team, but things were picking up like business was picking up in other areas. So I had to go and focus on some other things. So I left the team with this one piece of advice which was don't integrate that application. We have to integrate like 3 applications, but it ain't going

to be that one. And the reason I said that was I looked at it and was like that's one of those applications they built 10 years ago. And they've been building out like every feature and functionality for their identity management like you know, edge use cases ever since. And if it took them ten years to build, it's going to take us 10 years to build. I don't, I mean OpenIDM is a great tool and everything but we're they're going to want every feature. So I said that thing needs to be

re-engineered. So I went off and got involved with my other projects and then you know started hearing some grumblings like it's not going so great project's not going so great. I come back and find that our team had basically rebuilt that application in OpenIDM and it was, you know, what I I realized was we could work on this thing for another three months, six months year.

It's still not going to work. So we had to go back to the client and talk about like, you know, we can't integrate this application. It's going to have to be a different application and we had to wind up integrating that other application at no cost. The client still wasn't happy because it blew their timeline and they didn't get the application that they really wanted.

The learning from my perspective, was don't walk away like that again, you know, like I knew that thing could not be rebuilt in our project and if I stayed on, I would have said no, no, no, I would have pounded my fists, fists on the table before I would have done that. But again, you learn from those things, so that's the best thing you can get from your failures is a good lesson, a life lesson that you won't forget. Those ones are pretty good stories.

I'll keep mine short and sweet and I'll focus mine more on the operational side of things. We we all know our good friend Wayne Sissel. He's the reason I got into consulting in the first place. Back in the day, I was a customer of Wayne's, Courion, at Walgreens and so forth. And we're going through the process of rolling out Courion IGA.

And I remember very distinctly we were in a conference room, we were in Lincolnshire, IL. So if you're listening from Walgreens, that's how far back this goes. And we were sitting in a conference room, we were talking about orphaned accounts and we had built this home grown authentication system and directory and everybody in the in the company had at least one account in there.

It was how all the stores so like 250,000 people had accounts and we were in the process of doing mapping of those accounts to say, OK, who do these accounts belong to? And I walked in the room and I remember Wayne seemed kind of nervous and he was like, all right, we've, you know, we've, we've done some account mapping. And I was like, all right, cool, you know, where are we at? And he's like, he's like, I hate

to tell you. And he always, he always say it was like, you know, super nice music, but there's 90,000 accounts that we can't map. And I was like, oh, that's not too bad, 'cause I was expecting like more than that. And he, I just remember him having like shocked face, shocked Pikachu face like it's 90,000 accounts. Like, yeah, there's no guardrails in this application. You can name your account whenever you want.

And there were plenty of people who took advantage of that at the store level with not safe for work names, all kinds of stuff. But that idea of 90,000 orphan accounts and you know, really put my hands there, right? There needs to be better structure around how accounts are built and lesson learned, right? Putting in rules of the road, you know, safeguards to prove to prevent that, the importance of having an employee ID number

associated with accounts, right. All those little tips and tricks to kind of make your IGA platform hum. But I'll never forget, you know, Wayne's face and it's like, oh, it's 90,000 And she's like, oh, that's not too bad. It's like, all right, like, that's just a drop in the bucket. We already have like several million accounts that we're managing, you know, 90,000. That's like a Sunday. You'll get that done your week, Wayne. Yeah, so the horror story was for Wayne. Not.

It was probably. More for Wayne at that point. But the fact that we had 90,000 orphans in one in one system out of like dozens that we're integrating, I'm sure probably caused some heartburn in the Courion side. All right, we've gone real long. So we'll wrap things up with a very quick question. We always like to end in a lighter note. Chad, what's the most unusual job you've ever had? So I think probably the most unusual that most people wouldn't have experience with

right out of college. I'm a mechanical engineer by a degree, right out of college. I started working for a company in Cincinnati, OH, and I was able to design and build robots. They're all powered by AI, and they're going to come back to kill us now. But no, I my I worked for a company that made projection television lenses and I was responsible for building a lot of the security really around our robotic glass manufacturing lines. So big automated plants like you talked about before.

We, you know, have one person managing a line of robots of these ten machines that would pick up a glass blank and polish it through a number of stages at lightning speed and having to build a lot of the controls and the security around that to make sure that if someone walked anywhere near the robot's envelope they weren't going to get beaten up by that robot.

So it was very cool. It was from a mechanical engineering perspective, was a lot of fun, but it's definitely this was back in, you know, the mid 90s. Not too many people were dealing with robots then. That is pretty cool. That's definitely unique, Jim. How about yourself? What's an unusual job that you've had? And that's impressive is that one. But also mid 90s. I worked at an arcade in the mall and what was really cool and unusual about it was I had to take public transportation to

get there. And it was like half hour, 45 minute bus ride and I would take the bus home and it'd be like 11, 11:30 at night. I lived in Philadelphia so public transportation could get you just about anywhere. But with the maintenance guys and oh man, some of the stories, this guy's hotel and just like horsing around on the on the bus and everything, like, yeah, that was pretty cool. So that was an educational trip as well then, I'm sure. Very, very educational. Let's see.

People are probably familiar with my long history in restaurants, but that's not the strangest or I guess unusual job I actually was. I don't know what my position was but like, bank teller, I guess. But really what that meant. And I I this was, this came actually from a customer of mine. I was serving tables and somebody from TCF Bank in Chicago. I I guess I waited. I'm going to impress him and say, hey, give me his card. And he said, hey, I'd love to have you work for us.

You know, give me a call. And I did. And I was like, all right, will you see what else you got? And I was like, you know, what do you want to do? I was like, oh, you know, like like working with people or stuff like that. I was like, all right, so I go, I get the job and go through training or whatever and I show up and I'm assigned to a Cub Foods.

And so if you're familiar with Cub Foods, it's like a grocery chain, kind of like I don't know where it is now, but kind of Midwest, maybe upper Midwest, that kind of thing. Illinois at the time. And my job was to stand outside of the Cub Foods trying to get people to open checking and savings account and hand them flyers. And I was. I lasted 3 hours, went to lunch, never came back. Called on the way, you know, on my car on the way back. I was like, this job isn't for me. Sorry, I quit.

That's the only job I've ever quit with. Like, you know, no notice, didn't do anything. But it was not what was advertised to be. I was basically handing out flyers outside of a Cub Foods. You're working with people. Who didn't? Want anything to do with me? So yeah, that was not my most favorite job, but you know, things work out for a reason. All right, let's go ahead and leave it there for this week.

Hopefully that gave people some insight into RSM and the the digital identity practice that we've been building here. And people come out, we'll be at Identiverse. A bunch of us, pretty much all of us will be there. So you get to meet the rock star team that we've built here. And yeah, so rsmus.com. And what else should we should we plug? Maybe ourselves? idacpodcast.com, our Twitter at IDACPodcast, our Mastodon IDACPodcast at infosec.exchange. I know Jim, you're all about the

YouTube channel. See There's happy. I was like there there. We are. I'm happy now. Look us up on YouTube. We're starting to put more of our episodes in a video format and stuff like that. But yeah, and hire us, right? I mean, Jim, Chad, myself. We're happy to talk identity, but love to work with folks who are listening out there. Call us if you got any issues or concerns that you think we can help with and we'd be happy to hop on a call.

So more meetings for Chad because I know he loves them so much. I do and thanks for having me guys. I appreciate it. Yeah. Thanks, Chad. That's it for this week. Thanks everybody for listening and or watching and we'll talk with you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com.

See you next time on Identity at the Center.

Transcript source: Provided by creator in RSS feed