Well, if I had anything to say before you take us out, it would just be thank you to our listeners, people who've been listening for five years or five episodes. I mean that we wouldn't do this without our watchers, our listeners. And we keep trying to make this thing better for you all because it means so much to us, like Jeff said, where people come up and actually know who we are and listen to the podcast or just connect to us on LinkedIn.
It's it's why we do it. It's why we've been able to like do this for five years. And I think, look, we've recorded a lot of episodes on like Saturdays and Sunday nights to get them out on Monday. And you, you have the all the humans work after that to like, you know, do all the editing. It's a lot of work, but it's worth it. I don't think we've ever questioned whether or not it's worth it. Yeah, yeah, it's a labor of
love. And definitely thank you to everybody who supported the show, listeners, people who come up, you know, even sponsors who are now getting involved with stuff. Yeah, definitely. Thank you. This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now, your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad yourself. Doing good, man.
It wouldn't be an episode. This is a special episode, but it wouldn't be an episode if I didn't bring up some thought that I've been having. That's been like eating away at my brain, whatever is left, just like that amoeba that I got in the lake last summer, eating away at my brain. No, it's just going back to this whole thing of centralized versus decentralized. And it's kind of been one of the topics that's always been there in the identity management world.
I remember doing an identity strategy at a big university in the US and someone said, well, if we go to single sign on and have all these apps wrapped into one user account per person, what if they lose that account? Won't the person have access to all their applications? It's like contrast that with that person having different accounts for all those applications and having to try to coordinate their passwords.
I think in the long term, where I easily came down was that the benefit of (a) having just one account from an end user perspective and only having to manage one password, one MFA, and (b) having one place to set the policies outweighs the risk of potentially losing that account and that one account giving access to all the applications.
But there are also other scenarios where like for example, I was working with the client today and they have all of their network configurations for all of their locations around the world in like an online application where you can go and kind of monitor all the equipment and change configurations. And if one account were to get compromised, game over, game over, you can like just change all the configurations you wanted.
And so I mean, constantly have to kind of go back and forth on, OK, well, is that the right way to go? Is that just putting too much risk, too many eggs in one basket? And I guess that I guess I'm coming down on this whole thing is, is not like the final answer, right? I'm not giving, you know, this is what everyone should do, But I think you have to keep reevaluating and questioning things that you may just accept.
It's kind of like, well, everybody just accepts that one username and password per user is better than 400. OK, but is that, is it a problem to question yourself and make sure that you can truly articulate why it's better? I think that's key because that same question might come from somebody who's an executive in your organization who says, OK, well, what if that account gets hijacked?
Then what happens? Better be able ready to be at the ready to answer that question and answer why it's better to do it that way than the alternative way. Thoughts. Consulting answer depends. I mean yes, generally speaking right? One account is easier to manage, but I think it should be a risk based approach. I don't think you do one account if it's only a password. I think we've all learned hopefully by now that password alone is not good enough.
There should be appropriate risk based controls on that single sign on account, MFA, conditional rules, adaptive, you know, all kinds of stuff that can be done to really secure that one account. If that's the strategy you're going to follow. And a lot of companies do and they do a great job with it. So you know, they they're managing based on the risk. Do they put all of their network infrastructure on the same account?
Probably not. They probably separate it out into a different system, maybe different accounts, you know, different MFAs, even different MFA methods. So I think there's options out there and you have to weigh the risk versus the reward, the usability versus, you know, the potential for red tape that might get involved and people finding ways around it. So yeah, I'll stick with depends. That's my answer.
So yeah, depends a good answer because you know, I, I do think that the single sign on that large, that was probably solved a long time ago. I kind of went through like how I, my mind evolved to answer that question. But then take a scenario like a password vault. What if you are, should you integrate your password vault to
your IDP? Now what if the account gets compromised or somebody gets into the IDP and does like a lateral movement and then is able to log into your password vault now has hundreds of service account passwords. That's a real sticky situation. So I think that there's there's one of those places where you really need to ask yourself that
question. Well, if you've architected your vault in a way where everything is literally in one spot and requires only one set of credentials and maybe one permission group to get to it, yeah, maybe. That's probably not the best way to architect it. There are ways to, you know, create blast doors in between things. So if you think about it like a submarine, you know, if one compartment gets breached, the
whole thing doesn't go down. Hopefully they seal the doors and yes, there's going to be damage and things are, you know, bad things are going to happen in that one area. But the whole idea is to contain that issue. And so I think if you have enough doors to close on your IAM submarine, you know, I think you've got a better shot.
I think that's what most organizations try to do, right, is you want to limit sort of the, the breach impact, the scope of what could happen and, and things like that. I mean, that's why a lot of organizations will separate like PCI networks from their regular networks or their operational technology stuff away from other stuff, because they want to have a very, you know, very clear line as to who can get access to what and what it takes to get access to those things.
That's putting a blast door in between things. Yeah, that's a really good analogy. The IAM submarine. You better go, you know, put the copyright on that one. That'll be our next podcast, the IAM Submarine. I don't know if there's any like positive puns on that one, though. I feel like submarines just go down. We want to be uplifting here. I mean, it's our five year anniversary, man. We've been doing this show for five years.
And this is, let's see, what's this, episode 292? I mean, that's absolutely nuts. Yeah, it's, you know, when we first set out on it, I never could have imagined five years later we'd still be doing it. But here we are. And it's pretty much every Monday we drop an episode. We have taken off like Christmas and New Year's because who's going to listen to them anyway? But then there have been weeks where we dump five to seven episodes in a week to two weeks.
So I think we've more than made up for it. In fact, we have another Pat Yourself on the Back episode coming up where it'll be episode 300 here in the near future. Yeah, another milestone. It would be cool if they kind of tied together, but no, let's spread out the good vibes across
a couple episodes here. But yeah, I mean, it's crazy how much this thing has grown and, you know, the community has has, you know, caught on to it. And we thank everybody who listens and subscribes and shares and stuff like that. I get, I tell you, I get such a thrill when I, you know, talk to people and it's like, oh, I've heard your podcast and you know, it's like, oh, OK, that's cool, 'cause I feel like podcast is sometimes a little like a dirty word, like everybody has them.
But we've been consistent. We've tried to put out content that is timely, at least at the time, right? It's a time capsule. This is what we know right now. But try to be helpful and kind of get out there and show some of the personality I think that IAM has, you know, not everybody is a robot. And we like to have fun with it. I especially like to have fun with it. So any time that I can, you know, sneak in a movie reference or make a joke, you know, I'm
all about that. Yeah, right. I think we call it edutainment, right? It's a mixture of education and entertainment. Usually the guests provide the education and you and I provide the entertainment. Try to It's subjective. Obviously not. We don't entertain everybody and that's fine. Not everyone gets my sense of humor, and I'm OK with that. Yeah, absolutely.
Yeah. So I was wondering, I was actually going to ask you high points and low points are some high highlight memories or low light memories from the podcast? What do you have? Let's see highlights. I think I, I don't know if I can point to any specific like thing. It's, it's just general idea of all the people that we've been able to meet along the way.
You know, really the who's who of the identity industry has been on this show and we've had the opportunity to talk with them for 30 to 60 minutes and maybe a little bit more and really pick the brain of the smartest people in the industry. And I hope that that continues, right. And I hope we talk to new people and, you know, people that that are coming up in this space as well.
And I really do enjoy that. I especially like when I talk with people who are doing it in the real world, you know, real identity practitioners. Tell me about your IAM program. How's it working? What's not working? Share your story with us and with the rest of our audience so that we can learn from that. I think there's a real benefit to learning what works and sometimes, just as importantly, what doesn't work so we don't repeat the same mistakes.
I think we're very fortunate that identity is not really secret sauce. You know, security, most organizations are not competitive when it comes to this type of security. Everybody's doing it. We're kind of all in this together. It's not a trade secret or anything like that. And obviously, if you're a product company in the space, sure, there are methods and ways that things get done that, you know, probably are a little more sensitive in in that area.
But for the most part, people who are doing identity, we're all in it together. And I think for me, that's been a real highlight. It's just meeting people. And then, you know, just the fans, the people who listen and I, I, it's such a weird word for me to say fans of the show, but people who follow and listen and walk up and, you know, say hello
and introduce themselves. I think it's awesome and you know, if I feel like every time I go to a conference, there's just more and more people coming up, which is which is always very, you know, very well appreciated by me. What about you? What are some of your highlights? Yeah, I'm actually glad to have a highlight that's different than what you just said, even though I totally agree with. Everything so you don't care about the listeners is what I'm hearing.
Oh, no, no, no, I totally agree with everything you just said. The listeners, the guests that we've had, the the people are the highlight for sure. But some of the greatest memories for me have been being on stage with you and being at conferences with you and doing this podcast that we love doing the industry events that we used to just go and attend because they're fantastic learning opportunities. And now we're going and we're part of the event.
I think, you know, authenticate last year where we're on stage and we did the, you know, we're part of the keynote. Like I'll just never forget that. And also being on the Gartner stage with Henrique and Becky, I'll never forget that. I mean, those were highlights for me. And you being so sick and it's
and your very white shoes. You know we can't forget the white shoes at Gartner. Absolutely. I took it as an opportunity to go out and buy some new dress clothes and be a little extra fancy. As far as low light, I really had to dig for one, but the one that always jumps out at me is not always our guest. Sometimes it's me on the rare occasions you and you're at a hotel, it's the bad network connections.
Man. I think that you do such a good job with the editing of this podcast that people don't even realize most of the time. But we've done some video podcasts where we had to just turn them into audio only because the bandwidth was so poor. Now the recording platform that we're on is nothing like the way we did things five years ago, where it was like, basically we're just recording a Teams meeting. So for anybody who's thinking about doing a podcast, it's not
a good place to start. Oh no I disagree, I think it is a good place to start. It's a low barrier entry. You probably have a license through your work or it's cheap. Look, it was fine for what we started. We graduated and decided, hey, you know what? Really, you know, I think it's well documented that I am extremely focused, let's call it particular, yes, on the quality
of the show, right? Both especially audio since that we're doing and now that we're getting into video on YouTube, you know, having that sort of production to it, not necessarily overly produced, but just good quality audio and video. So it's not distracted with the conversation we started on Zoom. A lot of people do still do things on Zoom and there are things that Zoom can do that it couldn't do even four or five years ago.
So like original audio sound is like a higher fidelity now is as good as a paid platform like this, which is a little more expensive. No, but I think it's a good way to start. If you're interested, give it a shot. I mean, that's how we did it. I mean, it's, you know, if you listen to episode one and you listen to this episode, yes, there's clearly a difference. As long as the as long as the recording doesn't distract from what you're trying to say, have fun.
Go at it, give it a shot. What do you have for low lights? It's I mean, it's definitely the technical issues that come up, especially when like we have things kind of set up and we're ready to rock and you've planned and planned and planned. It's like, all right, you've thought of every possible scenario, the Littlefinger school of thought, fight every battle everywhere, never be surprised. And then just something comes out of the blue.
Like I remember one time I was like, all right, we got everything set up and then my power went out in the middle of a, of a, of a recording. Is that OK? Well, I guess guess what I'm going, I bought on Amazon the next day was a UPS power supply, which I still have here sitting off to my side that powers everything that I'm recording through to prevent that. You know, I mean, stuff like that where it's just kind of like, you know, why did that
happen? And that's real life, I think is you try to plan it for as best as you can. And then if something goes wrong, you analyze and say, OK, well let's what can we do to solve for that in the future? Yeah. And I think, you know we started the sponsor spotlight this year. I was in year five, we started
that, but I think after a lot. Of demand A. Lot of demand, but there's also a lot of expense in getting to this point like you bought that UPS that's one of many, many expenses and on top of all the I didn't even. Include that my totals so maybe I. Should you didn't even include that? All right. So yeah, your, your, your total was definitely 5 figures, right and then some.
So, yeah, but I guess the big question is, do you think we'll be doing this five years from now and they have a 10 year episode. I hope so. I mean, I like doing it. I think, you know, you and I will keep doing it as long as we're having fun doing it, you know, will people stay engaged? I hope so. I think as long as we continue to evolve and stay current with the times, hopefully people do. And yeah, at some point we might get too tired, too old or, you know, whatever it might be to
kind of do it more consistently. But I'm going to ride the wave as long as I possibly can. And I and I and I, we'll just look to the future and we'll go as far as we can. I'm enjoying it. I'd like to be here five years down the road, 10 years down the road for the 15 year episode, but let's go for 10 first. Actually, let's just go for five years plus one. Let's go one episode at a time. Exactly. You know, it's just like the old sports attitude, right? We're, we're all just, we're all
day-to-day. Keep it going. Yeah, exactly. You and I were talking kind of like, well, what are we going to do for five years? And you actually had the brilliant idea of why don't we go back and start with episode one and kind of redo it. This is something that you and I have talked about and it's kind of like, oh, you know, should we re-record it or like remaster it or somehow kind of improve the audio quality? It's like I've kind of pushed it off for now.
It's like, no, it kind of shows the journey of the show, but I think it's time maybe to refresh how you and I in our real lives, you know, develop IAM strategies. What's our framework, what's our process? So today's episode is really focused on you and I, you know, what we do all the time for our actual, you know, real life jobs and how do we develop an IAM strategy? That's really what we're going to talk about.
So you can listen to episode one for what we thought back on July 2nd, 2019. So almost, let's see, five years ago, well, it'll be about 5 years by the time this publishes, and see what's changed because just like anything else, right, things will evolve. You have to think about what has changed in your organization, what's going to change next year, etcetera. So why don't we start with that and then we're going to kind of
do this in a four hour. I'm going to ask you a bunch of questions. You're going to give me your two cents, I'll pile on my two cents and we'll just kind of keep things moving. So I guess the first question is why do we need an IAM strategy? Because there's a lot of people who are like, oh, isn't it just a piece of paper? It just says here's what we're going to do and that's it. Why do we need this? Well, I think the big purpose of it's not just strategy, it's the strategy on a
road map. And it's kind of like if you decided to drive back to Chicago, you you might be able to do it by memory. If you just jump in your car and start driving, intuition may get you there, but probably it's not going to get you there as quick as if you chart a course that takes you in the most efficient way from where you are today to
where you're going. In fact, I picked Chicago as an example because you know, you want to go to Chicago, you know you want to go back to maybe where you lived in Chicago, but sometimes you don't even know where you're going. You don't know where you want to go. Sometimes you pick a place on the map and say that's where we want to go, and then you map the course. And so I think having a strategy and a road map is the most
efficient way to get from. Where you are today to where you want to go. Yeah, I mean, what's your destination? It's like you said, you know, when I get in the car, if I'm going somewhere that I don't know how to get there, what's the first thing we all do? I'll get their GPS, right? Google Maps, Apple Maps, whatever it may be. Very. I don't think any of us really rely on the old.
If you're an old timer like we are, you know, AAA and their TripTiks that they used to have where you'd actually go to like a AAA store and like get this paper, weird, right? They had like step by step, turn by turn directions on how to get there. I remember using that in a drive from, you know, Chicago area to Florida for years. You know, I would drive down for the summer and stuff like that and spend time there. Now you've got a road map built into your pocket.
You just need to tell the destination where you want to go and it creates that road map for you based on a whole bunch of information that it's already been collected by whatever mapping service you're using. So I think I totally agree with that. You asked me at one point, do I
think AI will replace us? And I'm going to use the analogy now, which is if you just said, I want to go back to my old address in Chicago and type that address into Apple Maps, it might say, well, if I take you this way, it's going to save you 2 minutes. So we're going to jump off the highway and drive through this like, crowded area to get you there to save 2 minutes. Experience tells you even if it saves me two minutes, it's not worth the headache, right?
So I don't think AI is going to replace this because I do think AI won't really have the experience of having, you know, gone through this. That's not to say that people can't develop their own road map. I just don't think we'll be replaced by computers overnight. Not overnight, but I, I, I do think stuff like this will become easier to replicate, especially if you're looking to take like a standard space approach.
Oh, we follow NIST to the, you know, to the letter and there are no deviations from it. Great, fantastic. I sure hope the rest of your organization is on board with that. And there are 0 variables that you have to worry about. Good luck. So I think the experience part will definitely be there. But you know, I, I think it's just anything else. AI is going to iterate and evolve the way we do things, and people will just need to adapt us, include it as we go through
this process. So next we've got why we do this. Who is typically involved when we're setting up an IAM strategy and a road map? Yeah. I mean that's a great question. I think the most important people to be involved probably are the people who are doing IAM on a day-to-day basis, the manager as well as the team who are hands on doing the IAM because they know what's working well, what's not working well.
They have ideas for wow. If we could just do this thing, it would make life so much better. And the contributions of those ideas is really what is going to tell you. You know, here's what your strategy needs to be. But I also think you have to include other groups, especially groups like human resources, which are, you know, the folks who should be in charge of who works here, the identities. Now that's an assumption that you're talking about, you know, workforce identity.
If you're talking about customer identity, it's a different group of stakeholders. But I guess what's most important is like people who are either going to impact your IAM strategy or be impacted by your IAM strategy, you need to be involved at the appropriate level, right? You're not asking somebody to come from human resources or your chief marketing officer to come and tell you what technology to employ or how to set up your disaster recovery
plan. You need to involve them appropriately, but you know they should be involved because here's my perspective is that if you're not invited to a seat to the table to contribute to the problem, you won't be bought into the solution. Yeah, absolutely. I think this is an opportunity to bring the organization together and really work together to solve problems. You know, I think the past is the past. So I think a lot of things that you and I like to do is we don't
like to do audits. That's not the way we like to approach it. We like to approach it as a conversation, Right? Sure. Mistakes remain the past. How do we get better? How do we get smarter? That's fine, right? Those things are in the past. Let's figure it out. But yeah, having those conversations and sometimes those conversations are political in nature.
You know, maybe it is a greasy wheel within, you know, within the organization that you're a squeaky wheel, I should say, you know, and the conversation might be the grease that kind of helps smooth things out. I think having enough representation is, is really the art and the balance because I see a lot of organizations struggle with too many people involved and it becomes, well, we want to get down to this level of detail on all 1300 of our applications.
And that is not realistic, not for a strategic, you know, initiative. This is strategic, it is not tactical, which means you're trying to look at the big picture. You're trying to look at how dots connect and you're playing, you know, hopefully 4D chess, while the rest is the organization's doing 3D chess, right, or things like that. So I think there's that balance in having enough representation to get a sense of what's going on and where you're trying to go, what's your destination.
Yeah. And the point that you brought up that I think was right on which was like the level of depth of the strategy. So you mentioned the 1500 applications and whether or not all 1500 could be integrated and how they should be integrated. And that's not a strategy. It's like a project plan or a detailed integration document. A strategy has to be at the right level. So if you're planning a trip from New York to San Francisco, you don't need to map out every rest stop that you're going to
hit along the way. And we're going to stop at 9:00 AM to go to the bathroom here, and then we'll stop at noon over here and have lunch. I mean, if you're driving electric, you need to find out your stops. If you're driving electric, you do. I can tell you that for sure. Yeah. So I mean, the strategy's got to be at the right level and that's kind of more of an art than a science. But you're building a strategy, not a detailed project plan.
Detailed project plan is kind of the next step. And even that I would say you don't want to get into the detailed project plan for the next two to three years, like plan out your projects at that detailed level prior to those projects happening. How long does it typically take to create a strategy and a road map? Yeah, I mean, this is a good question as well. I'd say, you know, based on my experience and you and I do this together all the time. So it's like anywhere from like
6 to 10 weeks. Obviously, we can do it down to 31 in less time. It can take longer if you throw in doing some detailed requirements analysis and documentation as well. So, but that's kind of our sweet spot. Again, we're kind of starting with all of our templates in place with a process that has
been tried and true. Like I think the framework of the process, somebody goes back in this since five years, they're not going to find like these guys have completely reinvented how they do strategy and road map. No, it's still kind of follows that same structure. And so we have templates that we use and we don't kind of have to ponder, like when we come out of the assessment phase, we want to make sure that we're making things memorable.
We're talking about like three major headlines or four major headlines. Like if that's not there then we kind of skip the step. Yeah, I mean, I think it's the timeline. The innovations are really small. They're micro. They're like the little stuff that happens behind the scenes. The framework is the framework as they work through it. You mentioned the, you mentioned the step of assess and that's kind of the first step as we go through our journey here as part
of the framework. What is assessing and why do we do this? Yeah, I think the assessment kind of leads assessment is the foundation for the strategy in the road map. So you start with the assessment to understand where are things at today, what's working well, what's not working well. And then it's also kind of a, a gap fit to some extent, to use kind of a industry term, the idea that you're here, you're trying to get there, what is the
difference between that? And that's what ought to come out of the assessment. Like how we get to the assessment. I think that's, you know, first starts with the questionnaire, right? We want to try to gather information in a written form because it's a very efficient way to do it. And part of this process when we start working with an
organization is education. Now, if you're an IAM program manager and you're kind of taking this on for yourself, you might not start with a questionnaire, or maybe you do use questionnaires to start to engage some of your stakeholders, and it's just an efficient way to get information. But typically, we then shift to workshops. So we get people in, we talk about a specific topic. It might be authentication. How's the authentication system, or systems, set up today?
Is there multi-factor authentication? Are you doing kind of conditional authentication? Are you doing FIDO authentication, etcetera, etcetera. And in those workshops, it's less about telling people the way things should be and more about listening to the way things are and also getting people's ideas for how things could be better. You know, if maybe you do have multi-factor authentication today, but people are finding it very difficult to use because it's asking them to re
authenticate all the time. It's like different things kind of leak out in some of those meetings and they can be impactful for the strategy. I think you know one, most organizations when they bring in an outside consulting firm or people like me and you, they want to know how they stack up against their peers. They want to know overall, like, you know, within the industry, where do we stand? Like you guys work with, you've worked with hundreds of
companies doing this. So you got an idea of like where we sit in that hierarchy, are we doing very good? Are we doing very poorly? It's really broken down by capability area. But then I think more importantly is you're given all the factors that that come up with, what are their requirements? So they may have a regulatory compliance need, they might just have a need from a user experience standpoint, et
cetera. They might have some very serious security issues, maybe some that have shown up in audits or resulted in breaches or maybe they're just very concerned about that happening. And all that should lead to, you know, here's the capability maturity score. We use a framework called CMMI as like the model upon which we base that. Yeah, pretty heavily customized specific to identity, except you, you and I have been doing this for together for almost nine years, maybe nine years.
I don't remember, a long time. And it's that cadence and that rhythm, right. And I think there's a lot of ways to collect information. You mentioned questionnaires, you mentioned, you know, meetings, discussions. And so it is, it's discussions. It's not presenting, it's not instructing or teaching. It's listening. It's a discussion. It's a two-way conversation. Tell me about this. Why do you do it that way? How does that work? What's working, what's not
working, right? Things like that, I think. And, you know, it's that again, this is not an audit, right? We harp on that when we go through this process a lot with our clients. It's like, oh, OK, this is a safe place, right? Nobody here is going to get in trouble, right?
This isn't going to end up on an audit report as a finding, and then you're going to have to write a management response, and then it's going to go up a place, and I've written those and they suck and I don't want to do that. So we definitely take it from a conversation standpoint. So now that we've kind of assessed how things are going, really gotten a sense of, like, OK, kind of got the lay of the land here. The next step is we typically start to develop
recommendations. How do we come up with those recommendations as we're moving through? Just finding out, we've just kind of gone out of the phase of, OK, starting to get an idea of how things are working here. Now let's come up with some ideas on what we can do to improve it. How do we work through that process? I think the biggest key is, at a high level, the recommendations need to tie off
to the assessment observations. So, you know, you find a bunch of things that stand out to the organization. Usually it's not just that, you know, the consultants came in and said, oh, you're not doing a good job in these areas. Usually they're like, we're not doing a good job in these areas. So we're going to point you to the areas where we've got some dysfunction or we have some growing to do.
So those things usually come out loud and clear, but the recommendations ought to tie off to the observations. And then there's usually some key themes. And I think what's important about identifying those key themes, so let's say one of the key themes is that in the governance and organization, there's a lot of development that needs to take place. Maybe the policies need to be matured. Maybe the organization is, like, way too small for the scope that they're managing.
Maybe there's, you know, some centralized area that doesn't fit the entire scope of all the identity that's taking place. And so there's other teams that are working on different areas, et cetera, et cetera. So a major theme might be that there needs to be more formalization and inclusion when it comes to the IAM program, right? So however we come up with that, that's going to be one of
the major themes. So I like to be at the level of, like, three or four major themes, because ultimately those are going to go into how you communicate your strategy. These are the major four things or major three things. I like three especially. Here's the major three things that we need to do. There's science behind three. Like, that's the magic number for people to remember. I agree. I agree. I mean, that's, you know, I've always felt three was the best
number. And then you start to subjugate those recommendations under that. And then the idea, I think the best idea is that you start to group those recommendations into actual projects. So this is when you're going to be able to fix those things, and it's in logical groupings. So they could be people, process, technology. A lot of times with IAM, there's, you know, a heavy emphasis on, you know, you need to improve the process and implement the technology, and that's going to
happen in this project. And that should solve these different things. A lot of times the governance and organization has nothing to do with process or technology. It's just people. It might be a process, but it's less about technology. It's having the right people in the right place, people knowing what they're responsible for and what other people are responsible for, and then having
good process, policy, et cetera. You're kind of getting into the road map section, but I want to ask you a question. Can you have too many recommendations? I think so. I think it's possible. I mean, you know, if you start getting into a recommendation like, you know, you should change this configuration of this type of user to this, I mean, you're going to end up with hundreds of recommendations and then it's going to, like, freeze people.
It's not that these things shouldn't be recommendations, it's just they shouldn't headline. I think those things, you don't want to lose track of them, but generally in terms of the strategy, they shouldn't be headlining. Maybe they should be part of, you know, like a summary recommendation.
Hey, some configurations need to be changed, and then you start listing off the configurations, and then you might find a project where it's like, OK, we're going to take on these configurations, or maybe they get split. You don't want to lose track of that detail if it comes up, but you don't want to headline with, like, hey, our IAM strategy is we've got to change all these different configurations and I'm going to list them off to you. No one's going to care.
Yeah, I think this goes back to the word strategy. This is not a tactical project. This is something where we're talking about the broader picture. If you're getting down into, well, we need to go into the Azure Control Terminal or Control Panel and go into this menu and click this and that, I think you've lost the plot. Let's go back and think about it from a strategy perspective again. It's important.
Yes, you need to do that, but let's say the strategy has to be digestible, because you need to understand it for your organization, because you're going to have to communicate it to others, and nobody is going to care, you know, about the specific menu in whatever platform you're using and the configuration variable that you changed. Nobody cares. It's about the outcome. What is it that it did? Why is that better? I think that's where a lot of people struggle.
Is that communication aspect of it? You talked about grouping things together, right? Different projects. That kind of sounds like a road map to me, and maybe it's the very beginnings of it. What goes on a road map? What's the process to create one? Yeah. I think, here's the way I always talk about it, is, like, if you get the assessment right, in other words, you've identified the areas that need to be fixed, and then the recommendation is here's how you fix all those things, slash,
so your strategy is going to be do all those fixes. The road map says how you're going to do all those fixes. More importantly, not how maybe, but what order they're being done in. Yeah, that's right. So, you know, are you going to do a series of projects over time? And I always say the road map is not only the Gantt chart, it's also the resource plan. It's also the budget, but it is also the Gantt chart.
It is also because that's the thing that people kind of gravitate to. When are you going to fix these things? When am I going to see this happen? Well, we're going to do these projects. We're going to implement an IGA system. We're going to select the system, we have the requirements, we're going to implement the system phase one, and then we're going to do some additional phases. And all these recommendations are going to happen in these various projects.
Now the question becomes, OK, how much money do you need and who are the resources that you need? How's it going to impact the rest of the organization, things like that. So now you've got the big picture of when are these things going to happen, What's it going to cost? How many resources do you need not only to implement but also to operate? And how's it going to impact other people in the
organization? Yeah, there's a lot that goes into it. I think what questions that I, you know, typically think about as well. Can I just download a road map? I mean, it's identity. It's all the same thing, right? And I think this is where it really needs to be discussed. What can you tolerate from an organization standpoint? How much change can you tolerate? How many things can you work on at once? Can you work on more than one thing at once,
right? Things like that. Because what you don't want to end up with is, like, this boilerplate, well, you know, I downloaded this from, just pick any source, right, the Internet, and this is what we're going to follow. Yeah, I almost guarantee that for 99.9% of the organizations out there, they're good ideas. What's missing is the prioritization. You know what's best for your organization. You know how your processes work or don't work, you know how long it takes
to get through a legal review. You know, if you're working through a contract, how long change management processes take. Or, you know, what is your organization's preferred style of communication when it comes to end user training, right? I think that's where you as the expert within your organization, and maybe it's not you, maybe it's other people in your organization, really need to come together and say what's realistic.
Because I think there's a difference between a standard road map that you just download and a, no, this is the road map for XYZ organization, because it has our DNA, you know, built into it. It's how we operate. It's how we do things. And it's realistic for us as an organization, which is the most important thing coming out of a road map in my perspective. It has to be realistic. Don't just say, yeah, well, see these three boxes, right? This one box right here.
Well, that's IGA and that's a three-month thing. OK. Good luck. You know, most IGA, you know, implementations take way longer than that. Maybe that's phase one, right? Or maybe standing up part of an IGA platform. And I'm sure there's other things like that that are out there. You really have to think about, OK, realistically, how long is it going to take to do this task or set of tasks? And then try to align that with what you have from a resource
standpoint. What are your assumptions? You know, do you have the people to do it? Do you need to go out and get people to help you do it, right? Those sorts of things. Yeah, I think you just did a really good job of articulating something that I find somewhat hard to explain, which is why can't you just, you know, why can't you just copy a road map off the Internet? And there's just so many reasons why. I think you just said it at a high level, because I think we often say, OK, you're not a
snowflake, right? You're not, like, completely individual, but every organization is individual enough and does have its own factors enough that you can't just kind of take something from another organization and copy it over. What doesn't belong on a road map? Well, I think that, you know, one of the themes since we've been talking here is, like, too much detail. I don't think the road map should be a detailed project plan. I think that is what some folks tend to expect.
But this is your strategy. What you're trying to communicate is big picture. What are we going to address for the next, and the road map's usually two to three years. Here's what we're going to address over the next two to three years. If you try to tell the whole story in the Gantt chart, you're going to miss the big picture. And so that's what I think
should not go on the road map. I also think things that should not go on the road map are a tremendous amount of detail in terms of what other teams are doing. I think it's good to recognize, like, hey, a new HR system is being implemented, and, you know, recognize that on your road map, especially if that's a dependency.
So a new HR system's going in in June, we're starting our project in April, our expectation is the HR system's going to come online. That way, if you get to that point, it's like, oh, the HR team just pushed back their implementation to December, right? That's going to impact your timeline. You're either going to have to build tech debt to connect back to the old HR system or you're going to have to push your project out. So I do think projects that have a big dependency belong on there.
And it could just be the fact that it's taking everybody's attention. A new ERP system is being deployed, that's taking everybody's attention. It's going to be very hard to implement a whole bunch of identity technology, which is at best going to play second fiddle. What are your thoughts? I think you hit it on the head. What are some tips for prioritizing things? Because I think you mentioned
one, right? It's, like, technical dependency on something else, or maybe other organizational initiatives that might take resources away. What are other ways or other things you can think about that might be helpful for people as they're looking at their road map and saying, OK, well, how do I prioritize this? Yeah. Well, I think one thing that nobody wants to hear, that everybody intuitively knows, is that there are going to be
foundational elements. So your executive team might be saying we need RBAC because they heard about RBAC somewhere, like the Identity at the Center podcast. They've been listening to the Identity at the Center podcast, and we're sure that RBAC is going to solve all the problems. But you don't even have an IGA system in place. You know, there's a dependency.
You've got to get it in place. You've got to start bringing in the identities and the accounts and entitlements and start making sense of it. Just turn on RBAC. That's just how it works. Everybody push the RBAC button. It's super easy. It's why everybody does it. We're trying, yeah. So I mean, so there's
foundational dependencies. I think another priority that I think I alluded to a little bit earlier, which is, like, if you had a breach or if you've had an audit finding, those things
are going to automatically, I mean, this is probably obvious, but those things are going to rise to the top and drive your priority. I can tell you firsthand, if you get an audit finding and you're in charge of writing the management response and you've got the support to say, OK, yeah, we're going to do something about this, and it involves
some sort of technology. I don't know how many times, you know, I've written something that's like, OK, we're going to address this via the implementation of XYZ methodology and technology by X date, which puts a lot of pressure on your organization to get something to the next state then, right? Yeah, exactly. I think there's probably some other obvious ones. The one that, like, jumps out of my mind is if you're not using multi-factor authentication or passwordless.
But let's just say you don't even have multi-factor authentication, like, that's, stop listening and go do that right now. Come back, we'll be here. Go turn on your MFA, like, right now. Don't tell anybody you listen to the podcast until you have it in place. No, that's, you know, that's obviously got to move right to the top.
So as you're prioritizing things, I think that's where you get the, you know, the low-hanging, I don't think we'll call it low-hanging fruit, because sometimes it's very difficult to implement and the implementation will cause a little bit of heartburn. People don't like change and it inconveniences people, and if they don't kind of understand the value of the security that it's bringing, it's just the extra headache. Oh yeah, what would you call it? Important hanging fruit, maybe?
Important hanging fruit, there you go. But it's got to be done. And then I think, you know, your privileged access, you've got to be mindful of that. You need to have kind of the basics for privileged access in place. You can't, you know, have your most key administrative accounts get compromised. So go ahead and put that in. And we talk about those best practices and leading practices, if you will, all the time on this podcast.
So you have to kind of educate yourself on that. And it's not always, everybody's not always in agreement, but you don't want to be overexposed. So I'd say those are probably things that are going to jump to the top of the priority list. Yeah, take a risk-based approach to it, right? It's, OK, where is our biggest risk? What can we solve quickly? What are precursor steps or dependencies that get to solving another part of risk, or whatever it may be?
But yeah, I totally agree with you. We usually wrap this up with communication, right? It doesn't do any good to develop a strategy and a road map and have it sit somewhere on someone's cloud drive, or, if they're old school, printed out and on their desk. You have to communicate this to other people.
And that's typically where we would have a conversation with whoever needs to hear the message, you know, to say, hey, here's what our strategy is. Here's the way that we're approaching some of the issues that we heard. Here's how we've planned to address these. Does this make sense? Are we all on the same page? You do that first, right? And then you take that message to a broader audience. Maybe it's an executive
audience. What are some of the other reasons why we communicate the way we do around the strategy, around the road map? Yeah. I mean, I think the biggest thing is, you know, finalizing, getting buy-in. Ideally, even as consultants, we don't want to just create a deliverable that's like, hey, here's what we would do if we were you, go have fun. We want our clients to be able to take that strategy and say
this is our strategy. So our expectation when we go into kind of that executive presentation is we're presenting along with kind of the key contacts that we've had from our clients to say, yeah, here's your strategy. It's not the Jim and Jeff strategy. Here's our strategy, your strategy, right? Yeah, yeah. Your strategy, our strategy, however you want to look at it. And so I think that's important. And a lot of times what you'll hear CIOs or CISOs say is, OK, what's next?
What do we have to do? I'm by you. It's. A while. Show me the math, right? Where'd you come up with this? You need to know your subject matter and you need to be able to go back to what you've already done in a previous phase, right? When you work through the assessment and you said, OK, here's what we heard. Is that correct? Right. Sometimes those conversations come up.
So I think if you're talking with your CSO or CIO or whoever, when you're presenting this strategy, think about those sorts of things. Anticipate the questions that you think that they might ask and what's important to them. Again, this is an area where you might know your organization or that person the best. Try to get ahead of it and and think about what they would be interested in too.
Yeah, I'd say also don't make that the last thing you do. After you have that presentation and the project is done, keep going, keep presenting it. Present it, we're done, everybody's in agreement with the strategy, and magically things will just happen behind the scenes. Right. No, yeah, keep presenting that, keep telling the story to whoever will listen, and keep working on, you know, I think funding is probably the biggest thing that holds folks up from moving forward with
this strategy. So do the things that are necessary to get that funding, even if it's maybe not in year one. Everything you hope to get, get some of it, get the most important things done. Adjust your road map. That's the thing with the strategy and road map also, is that it should be a living, breathing document, especially the road map part. You're going to get some of it done. You're not going to get all of it done as it was originally forecast out. So re-forecast.
Yeah, you're going to want to revisit it. Things will change and that's fine. I think most people recognize that. In fact, you probably should build into your road map a refresh. Maybe it's a year, maybe it's every two years or whatever it may be, because things will have changed, practice will change, the business will change, et cetera. People might have changed, you
know, those sorts of things. So I think it's important to make sure you keep communicating as well, just because, you know, there's nothing that hurts my heart more than when you and I, you know, work with a great client, having a lot of good times, and we've developed this rock-solid strategy. Yeah, makes sense. Everybody's gung-ho coming out of the, you know, executive meeting that we presented to with them. And then it sits, it
sits. Three months go by, six months go by. All that work that you did, things might have changed, and now you've kind of got to go back. Maybe parts of the strategy are still good. Maybe all of it's good. Maybe all of it's thrown out the window because you waited too long, or the will to move forward. Inertia is very powerful and you need to find ways to keep momentum. So the transition point from talking about it, you've developed a strategy, you've talked, talked, talked.
You've communicated it. Great. When do we start actually doing things? It's that in-between part. You've got to make sure that you keep momentum going, keep pushing forward. That's one of the things I like to do, is front-end a road map with projects that don't cost money spent outside.
So it's like the day after you present the strategy and get the standing ovation, or the week after, you can start some project to, you know, refresh the policies or start a cleanup of your Active Directory groups and accounts and start doing things with the resources that you have, with the dollars that you don't have, you know, in other words, like, without spending any money, because that way you can start to build some
momentum. If you clean up your Active Directory, even if you never do anything else, it won't be for naught. Yeah. And that's it. That's how we develop a strategy and road map. Super easy, right, Jim? Anybody can do it. It doesn't, I don't think it takes, I think it takes experience and understanding kind of the methodology that goes behind it and
being able to ask questions. But I think anybody can kind of take this approach, sit down with their organization, and maybe it goes faster, maybe it goes slower depending on, you know, the conversations. But I don't think that this should be rocket science. I don't think there's a secret sauce in developing a strategy. Everybody needs it.
How you do it, you know, the little tips and tricks you might know, sure, that kind of comes with experience and, you know, maybe working with different, you know, folks along the way. If it was rocket science, you and I wouldn't be doing it. That's true. But I like doing it, you know, it's one of the most entertaining things for me, is to sit in a room with a bunch of people and talk and say, OK, tell me about that. Why do you do it that way?
Because I learn something every time. No corporation or organization or anything that I've worked with ever does things exactly the same. There's always just enough difference to be like, OK, that's interesting. I see what you're doing there, and maybe I'm like, oh, OK, well, you know, maybe I bring my experience to the table, just like you do or others, to say, oh, well, have you thought about this? Sometimes it's that outside perspective that helps.
I hate to say it. Sometimes it's the, you know, quote unquote experts that you hired to come in and say the exact same thing that you've been telling the organization. But for whatever reason, they only move forward when they have consultants come in and tell them that. I hate to say that's one angle. Another angle is sometimes it's more effective to just sit in the room and not say anything and let the consultants come in and conduct the meeting.
And you're either one of the group or you're able to stay completely silent. Because if you're doing all the questioning, people are starting to wonder, OK, what's your agenda? What are you trying to push here? Or are you just kind of trying to get the answers that you've been looking for? Yeah, we'll have an ulterior motive. Gives us a little bit of insulation between that sometimes, yeah. Totally. Yep. OK, what else? Or should we wrap it up? Five years, man.
See, if you've got to, like, put episode one and episode, what is this, 292? 292, I think it'll be, yeah. Yeah, that's a little inside baseball for us. I used to say what episode we were on, and then we started recording things sometimes out of order, or something would happen and we'd have to release and it would cause me a lot of problems when I'd say, oh, it's this episode. I'd say it and then I'd have to call it something else.
So I have not said what episode we are on unless we're very sure, like, yeah, this is going out Monday, right? Or something like that. Well, this one doesn't go out Monday. I don't know what's going on Monday. It's going to be this one, I'll tell you that right now. So why don't we wrap up with, I don't know, the funniest or most interesting behind-the-scenes thing that has happened on the podcast so far?
I'm not. I'm thinking of hundreds and dozens, but, like, what do you have for that topic? Yeah. So what I have for the topic is more of, like, an inside baseball thing. And I'm going to joke on you a little bit. So if someone saw our show notes, every show note, we have preparation. And my little note that I made to myself, I was going to say Jeff's 13-point checklist. And actually, looking at it now, there's a 15-point checklist.
And it's like all of our guests, they come on and we're like, OK, silence your phone. Oh, yeah, make sure you have headphones. Make sure you have something to drink, not in a crinkly bottle. Breathe up. You're too close to the microphone. Oh, move back from the microphone. And then it's like, don't move. They usually do it to me. Product man. Yeah, well, don't move too close to the
microphone. Now I just sit there and gay always like I see this happening to other people. I'm like you say I shouldn't see thinking of personally. All those times had nothing to do with me. Has to do with you and your desire to put out the perfect quality. I have a maniacal focus on quality and I want this to sound good. I want it to look good. It hurts my soul when either of those things doesn't happen and I want to be able to enjoy my
life outside of this. I mean, I spend a lot of time on it. So the more I can do upfront and look, people come on the show. We want them to be comfortable. We want them to present well, right. Nobody wants to come on and be like, oh, that guy, you know, sounded like crap and, you know, really didn't make a good impression. My job as the producer is to make sure that people show their best, whether it's audio or
video, whatever. Yes, I have a 15-point list, 15 points on this list, and they are there for a reason, because just like the label on your shampoo says don't drink it, somebody drank it at some point. So yeah, silence all your. There's meaning for all of them. Like #13, if you're on a Mac, turn off camera emoji. That's a new one. Yeah, don't do this on a Mac, because you'll get the little thumbs up emoji and I don't want to see that on the camera.
I just had that happen on my phone on a FaceTime call the other day. So it's a real thing. But here's what happens. It's like you start telling the guests and they're like smiling. And then you get about halfway through and they're like, I'm not going to remember all these things. How much does it remember all these things? Yeah, I mean, it's just, hey, think about it, right, The way you're on camera and, you know, or audio, Look, we want this to sound good.
I can do a lot of stuff behind the scenes to fix things. And I have done a lot of really butchering episodes to try and save bad audio. That's really one of the things that that comes up, you know, inside, you know, here's here's my thing for for this episode. My teleprompter went dark and I lost connection despite the, I don't know, thousands of dollars that I've spent to put together a rig that is extremely
resilient. So during the middle of this episode, I'm in the middle of talking and all of a sudden things just crash. I don't know what it is. That's going to be my weekend after I edit this episode, is trying to figure out what the heck happened and trying to figure out a way. Is there a piece of technology or something that I need to update? But stuff like that drives me
absolutely crazy. Well, you know, what I do is look back on episode 291 and the little segment intro. If you look on YouTube, it was me talking and my monitor went black, and I'm like, and it must not have affected my camera, because, yeah, we could see you on camera. Yeah, yeah, yeah. That was our intro. You know, it's on YouTube. It's also in the audio. It's the same thing. It's just one has video and the other one doesn't.
But yeah, like, I think it's fair to say most of the technical issues are usually on your side, Jim. It's pretty rare for me to. Thousands on your rig and I've spent nothing. Yes, but it shows, right? No matter how much you spend, there's always something that could pop up. So. But yeah, that was kind of fun. I think there's a lot of little things like that where it's like, OK, you know, how am I
going to rescue this episode? Really bad audio or connection or uploads or downloads, incomplete stuff like that. That's kind of a lot of things that kind of happens, you know, behind the scenes for me as. I think we've also done a good job. We never name names. We never embarrass people, right? Because like, even when I brought up bad network connections, I was thinking of specific episodes, like kind of like name names, people I see at conferences all the time.
But no way would I ever do that. I love our, It's not about that. It's, it's really either the, it's, it's, it's what keeps it fresh, right? You and I have conversational time and there's always something that goes, I mean, we've had a really bad just technology streak for like the last, I don't know, four weeks, 5 weeks, six weeks now.
And anytime I travel and have to be on a hotel, you just never know with hotel Wi-Fi. And you know, we just try to make it work, but there's lots of variables. But the technical stuff, as usual, it bugs me and it's like, all right, how am I going to fix this? And there's times where like, I'll text you Jim and like, it's like, here's what I'm dealing with. Let me I'm going to have to see what I can do to like fix this. And you know, I've gotten better over the years.
I think our earlier episodes, you know, from an audio quality suck compared to now, But that's that's kind of behind the scenes. If you're watching this episode, you're listening to this, just know that at some point during this episode earlier, obviously my thing crashed. And if you spot the edit, let me know. I'll try to hide it as best as I can make it, you know, probably easier to spot on video maybe versus the audio.
But, you know, we had technical difficulty, and I will be addressing that with my 4K capture card, which I think is the culprit, you know, after this. Well, if I had anything to say before you take us out, it would just be thank you to our listeners, people who've been listening for five years or five episodes. I mean that we wouldn't do this without our watchers, our
listeners. And we keep trying to make this thing better for you all because it means so much to us, like Jeff said, where people come up and actually know who we are and listen to the podcast or just connect to us on LinkedIn. It's it's why we do it. It's why we've been able to like
do this for five years. And I think, look, we've recorded a lot of episodes on like Saturdays and Sunday nights to get them out on Monday. And you, you have the all the humans work after that to like, you know, do all the editing. It's a lot of work, but it's worth it.
I don't think we've ever questioned whether or not it's worth it. Yeah, no. It's a labor of love, and definitely thank you to everybody who supported the show, listeners, people who come up, you know, even sponsors who are now getting involved with stuff. Yeah, definitely. Thank you. You know, hit that like and subscribe button. Keep sharing it. We'll keep doing it. And yeah, happy five-year birthday to us, Jim. Let's see what else. I think that's it. We're on the web, idacpodcast.com. We're on YouTube, youtube.com/@idacpodcast, which just seems kind of weird, but that's what the URL is. Mastodon, @idacpodcast@infosec.exchange. Jim mentioned it, connect with us on LinkedIn. We have lots of people reach out with, you know, ideas for shows, ideas for guests, feedback, what you like, don't like. We read it all and we take it into consideration as we move things forward. So here's to another five years. And with that, we'll talk with
everyone in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com. See you next time on Identity at the Center.
