It's like me playing Grand Theft Auto. They're sure there's a main story and a main quest or whatever you want to call it, but I just happen to just randomly drive around and find random things to work on. So I need like something that's a little more on rail sometimes. Right. And it's like if we achieve the scope of getting $35,000, we can get a better car in the game. That's really what I think. It's the difference between the word objectives and goals. I agree with you, they probably
mean about the same thing. I think objectives implies that there's some kind of metric driving like we want to get 10% more efficient or we want to improve our security platform by some metric and that ought to be the objective. So you see, the objective is like the measurable result of a goal. I think. So OK, I mean I can argue it both ways, but I don't, I don't want to argue. This is identity at the center if it has anything to do with IAM.
This is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad yourself. I think we're having the Internet as you're saying, we are best on this episode, but we'll just. It's very laggy, that's for sure. I feel like there's like a delay, like I'm saying something and then the gears are turning in your brain like, oh, processing, processing.
OK, now we put out voice. I'm responding as soon as I hear your question mend. That's all I can tell you. But minimally tell, we're doing our best to stay on track of recording an episode and publishing one every Monday. That's our commitment to our loyal listeners. And hey, sometimes it's going to be a shit show.
Yes, very well, maybe. So I'll do my best at this and make it sound natural, but if there are unnatural delays in between things that I just can't do cleanly or make it sound at least somewhat normal, I might just leave them in and just, yeah, deal with it. Hopefully the conversation and the topic makes up for it. And yes, this is the joy of being an identity consultant and living out of hotels. This time you're in the hotel and I'm actually at home.
So that's a little bit of a role reversal there. Big time and well anyways I had meetings in Austin, TX, very cool city, great food, and what I learned was that Identity at the Center stickers are in fact currency. You can use them for people who are die-hard listeners. We had a few at company called towels. They do B2B CIAM and as they're in my role as a consultant for RSM, that's my day job. We partner with them. It's a good relationship.
I was there with Chad and Fletcher from our team. And again, they talk about the podcast like they just love it. And it's amazing, Jeff, because people keep asking like, why didn't you guys start doing this podcast? You know, five years ago, podcasts weren't even a big deal. And it's pretty cool. Just, I mean, the story's pretty, pretty lame. It's like, yeah, Jeff asked me to probably just start the podcast and like, yeah, I guess so.
Like what else are we doing? Yeah, all you have to do is just speak into a microphone, right? It's that easy. Which one of these? I mean, you know. Well, except, except when we're dealing with weird Marriott Internet foibles. You know, that's the one thing that I think hotels have really missed the boat on is just lackluster Wi-Fi all over the place. It's just not good. Yeah, totally. And even enhanced Internet is enhanced of a what over horrible Internet that operates at the
speed of like flip phones? I don't know. Well, you're tethered to your phone, so we'll give it a shot. Why don't we get into a couple of the conferences that we want to make sure people are aware of. We can talk about Identity Week in Asia. We were just at the DC conference, which was a lot of fun about Asia still taking place October 22nd and 23rd. And if you use the code IDAC 30, that gets you 30% off. We'll have a link in our show notes for people to check that
out. But before that, we've got the Authenticate conference that you and I are going to be at October 14th through the 16th in Carlsbad, CA. IDAC 15 gets you 15% off of your registration and I am very much looking forward to that conference. We've got some exciting plans for what we're going to be doing there. As part of sort of the official agenda, if you received an e-mail asking you to fill out a survey with a bunch of identity questions, please do so because that's for us.
And it's something that Jim and I are working on and we need as much participation as possible from people listening. So if you're attending the final conference, whether it's remote or in person, hopefully you have an e-mail. If not, check your spam folders and look for that survey so that we can collect some information from folks and turn into what we hope will be a really fun session at the conference itself. That will be in person, and I believe it's going to be streamed too.
So it'll be a lot of fun, but we need your help. So that's my tweet. Everyone has register register using our code. Yeah, of course. So you save money, we get a, we get a little bit of of credit as far as like, hey, you know what, we want to partner with you guys again because we were able to drive some some folks to attend. So that's how that works. Yeah.
So conferences and I think today's is kind of be about conversations that you and I have both been having and sort of our real jobs around IAM programs. I'm kind of like thinking about this like, all right, so you want to start an IAM program, Cool. Now what, what do you do first and maybe kind of take a high level approach here from a, from a strategic perspective, say, OK, here's how we want to go about building out an identity and access management program. And I think this applies to
really any organization. If you have an IAM program, great. Take a look at it and let's see, you know, if there's anything that we mentioned here that you might want to incorporate. If you haven't started one, a better time than now to start thinking about, OK, how do we want to get things kicked off? So why don't we start there? And I think the first thing that you probably want to start to think about is what is your IAM program want to be when it grows up? What are its goals, its hopes,
its dreams? What is the scope? You know, what is it your program is meant to address? Is it internal enterprise workforce, you know, employees, is it customer, is it both? Should you mix both into the same program? You know, I think there's, there's different options there's but what do you think about starting there? Jim is like, hey, let's, let's figure out what we want to be before we start to design this
thing. Yeah, I think goals and scope are obviously two things that you need to define. I think sometimes you have to work backwards into that. In other words, what are the drivers? What are the outcomes that you're trying to achieve? When I think about these drivers and the outcomes, a lot of times it boils down to improved efficiency, reduced cost and improved security and reduced risk, improved
compliance results. So if you have those objectives in mind, that helps and certainly helps you drive your scope because if all these things require that you're doing workforce and customer IAM, that may be the scope of your project. You may know those things are scope of your program, you may know those things going in. But either way, I think it's important to define what are the drivers, what are the outcomes that you're looking to achieve
within your program? I feel like we're saying the same thing. We're setting goals, we're saying outcomes. So I think we're on the same page and I think those goals and outcomes are very different based on your scope. So if your, if your remit within the organization is you're in charge of employees, that's going to be a very different, you know, set of outcomes that you're trying to put in place if it, you know, compared to customers, right, true customers.
And maybe maybe organization is more in the middle where it's like B to B is more like partners and other vendors and things like that. Think of like like a dealer network, right? Or insurances like that too, right? We have a lot of different kind of B to B partners that are, are doing things. So certainly figuring out those initial things starts to take the, the, the universe, right, and make it a little bit
smaller. And I think that's, that's helpful because if you have a tighter scope and a tighter vision of what's of what you're trying to do, that helps narrow the focus and say, OK, here's the path you want to follow.
Because otherwise, you know, it's like a, it's like me playing Grand Theft Auto. They're sure there's a main story and a main quest or whatever you want to call it, but I just happen to just randomly drive around and find random things to work on. So I need like something that's a little more on rail sometimes. Right. Maybe it's like if we achieve the scope of getting $35,000, we can get a better car in the game. That's really what I think. It's the difference between the
word objectives and goals. I agree with you, they probably mean about the same thing. I think objectives implies that there's some kind of metric driving like we want to get 10% more efficient or we want to improve our security platform by some metric and that ought to be the objective. So you see, the objective is like the measurable result of a goal. I think. So OK, I mean I can argue it both ways, but I don't, I don't want to argue. Yeah, no, not.
Let's just call it that for now, yeah. That's how it feels, obviously that's how it feels at the moment. OK, so we've got our objectives, we've got our goals and scope. What do you think is the next step that we that we want to start to think about? Well, normally what we do and we engage in this process with the client is we start with an assessment. And so it's very helpful to have people who have perspective.
So either maybe people on your team have a good deal of experience of working at different organizations within your industry and have some background in how IAM is being done at different places. Or you engage with a third party which has experience with seeing what works well, what doesn't work well from an identity perspective.
And then designing, well, really performing an assessment of where you stand, how mature are your current processes compared to other organizations in your industry and the world at large. Yeah, I think about it as, all right, I want to build this Lego car, spaceship, boat, whatever it may be. What Legos do I have that will help me get to that end state of whatever it is I'm trying to build? And more importantly, what Legos am I missing? Do I need, Do I have the right people?
Do I have the right processes, the right technologies? So I think about it from an inventory perspective to say, OK, here's what we've got, here's where we're trying to go, what's working, what's not working? What are the parts that are missing? What are other people doing to solve for maybe some of these gaps? Maybe there's a unique Lego shape and there's only three of them in the world and you're not going to have access to it, so you've got to come up with an
alternative. So I think working through that process of assessing and saying, OK, these, these are the things we have to play with. What does our toolbox look like? Are the tools we have good enough or do we need to buy new tools or upgrade our current tools or train our current tools right? Or maybe learn to use our tools in a different way through a business process or something that makes things more efficient?
So I'm totally with you right there is like, OK, goals, let's set them up. Let's set our objectives now let's assess and see what we've got to play with and where we want and how are we going to get there with the tools we've got. Does that make sense? Yeah. And it it makes you think of an example. So one of the areas that we talked about in this one of these Lego boxes is what is the system of record for your
identities? Normally companies do a very good job of having all their employees in a single HR system. They have a good search system of record for who works. Sierra Star's employees, contractors, It's really hit or miss. Some, many organizations have spreadsheets or databases of contractors without having the perspective of what is best practice, what are other organizations doing Startsheet good enough databases could not.
I mean, generally the answer is going to be no. But how would you know such things? So I think having some experiences because trying to think about the identity management, it's experience based and you know from a consulting standpoint it's experience based. It's not like you go into each client organization and come up with the whiz-bang solution, coming up with the solution based on what you've seen work in other places and what you've seen where it's caused major
problems. You want to avoid major problems. So that example I just used, a major problem is an organization where we've got a spreadsheet for every country and they may or may not have the contractors in that spreadsheet. We may or may not have all the identities in the system of record. That is not going to be a good starting point for an IGA implementation. Yeah, if you're trying to go down the IGA route, you definitely are.
The goal is to become more data-driven in that aspect is you want good timely quality data sources to drive that automation. But let me take the alternative here. If contractors are only 1% of your total users, is it worth saying, OK, well, we haven't won the battle yet to put them in our Workday or whatever, you know, ADP, whatever the identity source of truth is for employees. Can we get away with. Yeah, you know what, that's going to have to be a
spreadsheet for now. And maybe it's a little bit of a Field of Dreams approach where we say, well, we're going to build it and we're going to hope there comes the employees will be taken care of and people are going to start to wonder why contractors don't have the same experience and they are more of a hassle. Well, here's why, because we've we've got the tools, we've got the business processes in place
to manage our employees. But for whatever reason, non employees have, you know, don't have feature parity, right when it comes to those business processes. And so that's an option, you know, I guess.
So I'm just. One example, but I think it's good that you bring up the devil's advocate approach because I think the scenario you brought in was a very edge use case where the company has, let's say thousands of employees and only 1% of those employees are, I should say a thousands in the workforce and only 1% of those are non employees. That's I, I almost goes as far as to say I've seen that very
rarely or maybe never. It's almost always a greater percentage, always almost always dealing with hundreds or even thousands of contractors. In those cases, you need to have a system of record. When you're talking about a couple dozen individuals, you may be able to come up with a more simplified way to manage to choose. Ultimately, you do need to come up with a solution. That's just one example of many identity use cases. Yeah, I mean, I agree with you. I, I, you know, there's there's
no magic number, right? 1% of 1,000,000 is a lot of people. So I think it really is kind of let's take into context and say, OK, well how big of a problem is this? And do we, do we stop progress because 1% of our population is not going to be addressed and addressed very well? I'd argue no, unless that 1% is like critical to the business and causes a outsized amount of risk that you're unwilling to take, then OK, let's figure it
out. Ideally you've got everyone covered, but I think in the real world, you have to make sacrifices sometimes. And that might be a battle that you, you know, push down the road a little bit rather than just waiting for everything to be perfect before you start, because that's it's, it's never going to happen.
You got to start somewhere. But I'm with you on that because a lot of times these programs we start to think about this is like, hey, this, this advice you're, you're saying Jim and Jeff sounds, you know, pretty, you know, common sense like duh. Well, some of it is, yes, but people aren't doing it. It's like, OK, well, why aren't you doing it? Why aren't you setting a structure around this? You know, who owns identity and access management, right? Things like basic questions like that.
And so sometimes it doesn't sound so innovative until you get further down the road and say, oh, yeah, we needed to like, build the base, you know, before we started to add in all the fancy stuff that that we really were thinking about getting to. But if you had tried to do, you know, let's put AI on top of it right now, terrible time. You're, you're, you're not going to enjoy it. The data will be suspect and you'll wonder why you ever did
this in the first place. So I, I'm a firm believer in and thinking about that firm foundation. And that's where that assessment part comes in. It's like, OK, what do we have to play with? What's realistic? I see. The other thing about an assessment is that you're going to find where are your big gaps, Where is it that you really need to have a mature, stable process and you're underwhelming. And I think probably most practitioners intuitively know
where those gaps are. But putting together a bar chart of like we're here in terms of maturity, we need to get there or where we are, where we are heading, I think that's an important exercise. I think it's important. I don't place as much. I mean, it's a bar chart and you know, 50% of all stats are made-up. So you know, it's kind of like, OK, maybe that's what you need to get executive buy in because ultimately you're going to need executive buy in to get this thing going.
And so maybe, you know, your executives are very big on charts and you need to quantify everything or as much as you possibly can, but sometimes those metrics might be a little bit subjective and you have to kind of explain. OK, well, you know, the Active Directory team is doing a great job, but AWS stinks. So how do you try to combine things into like 1 bar chart might be a little bit challenging. So I think you have to kind of understand as part of that assessment process to say, OK,
here's what we're doing. Well, here's where we need improvement and let's figure out how to get this together because unless you've got executive buy in, you're going nowhere where you're going to have a very difficult time.
This is not a grassroots campaign that you can typically stand up and all of a sudden you've got, you know, whatever investment people or technology that you need to get things started and certainly not you don't have the support to do business change, which is really, really hard. That's probably the hardest thing of us, if it's the change and you need the executives to be part of that, that process.
Yeah, I think that's one of the reasons I love interviewing chief information security officers on the podcast is that they speak the executive speak, but understand cybersecurity. So they're able to put investments and return on investors in terms that executives get. Why would I spend money to reduce risk? I could spend that money to improve my business in other
ways. So it's important to make that that business case, that return on investment case for investing in identity and access management, investing in an improved user experience or improved security posture. Yeah. And so you need the people who get that, who understand that and are good at making that case or you're going to be running around and doing IAM on, you know, pocket change. That is no fun.
Not only is it no fun, but it's hard to be effective and you're going to constantly be chasing your tail. Yeah, I think one thing that I've seen a big improvement over the years in talking with CISOs and others at the executive level is their ability to articulate why something
needs to be done. Because a lot of times the pain and suffering is hidden because there are heroic IAM people running around doing things that are beyond the scope of their role or going above and beyond to fix things just out of the they know what's the right thing to do. And a lot of times that stuff gets hidden and covered up. Well, nothing's broken. Why do we need to fix it?
Well, let's open up the the covers and look at this, you know, engine that is like a bunch of popsicle sticks and a hamster. Like that's not, you know, that's that's not where you want to be and it's it's a risk, right? If one of those popsicles has a break, the whole thing kind of falls down. Or if the really important hamster leaves, who's going to
drive this engine? So I think, I think that a lot of the executives that you and I both talked to have gotten better at articulating that of here's why the investment is important. Now ultimately the business is going to decide. And I think it's the CISO's job or whoever's in charge of making that, that case really needs to understand the risk component for it and be able to articulate that out to others to secure the other buying.
Because it's not like CISOs can do this all on their own either. Typically they have to go out and get support from their peers and other executives right within the organization. So it's important that that executive buy in is in place, not just in information security or wherever the IAM program is going to live, but across, because you're going to need people across the organization to make this thing happen.
You're going to need a cross functional team, which is really where you start to say, OK, we've got our goals. We've started to think about what we have in place. We've got executives saying, yes, you know, proceed, let's start to figure out what's next, and let's put together a team because you talked about those conversations that you have with a whole bunch of other people as well.
It's not just information security as part of an IAM program, it's infrastructure, it's the help desk, it's the business themselves. So you really want to make sure that you pull enough people together, but not too many people to be able to have insight and windows into the different parts of the organization so that whatever it is you're designing works for as many people as possible. Yeah. And suddenly pulling that information in, building evangelists in the cross functional area.
So HR and other parts of IT or other departments, they can go out and talk to their teams about how IAM is coming with the strategy, how it's important to align with the strategy, adopt the shared services. I always like to talk about the 360° view of IAM conference. And we worked with a guy named Ben and he's like, oh, gag. Like 360. Like that's so cliche. And I don't think it's about 7/27/20 is like make your head spin on.
But I think about the 360 is like looking at bulb on and communicating what the IAM program is contributing to the company and getting feedback about what the business is doing and how the IAM team can support that. It's, you know, working down with the IAM implementation teams, with the operation teams, the project management office and understanding how things are going with the DJ on the ground.
It's also working laterally with the business and with other technology teams to make sure that the services you're creating as an IAM team are effective, that business can use them, that the business understands them, and that from a technology perspective, they're fitting in with what the needs are. If you're doing all those things, you're going to build evangelists and the people are going to say, hey, the sign in program is not so bad.
And you're getting results out of it and things are happening. And it's not just, you know, a committee for committee sake, that kind of thing. Here's why I don't like the 360 term. I get where your, your head is at makes sense. But to me, 360 is 2 dimensional. And it's, it's more like it needs to be like a sphere or a globe And to be able to say, oh, we are, you know, we're, we're communicating at in all directions. I don't know if 360 gets that three-dimensional aspect to it.
Does that make sense? Well, definitely, I mean in terms of the mathematics of the 360 is definitely 2 dimensional, so I get that. I don't know what the sphere would include that the 360 2D view doesn't when what are you thinking there? Let's. Let's just go with it. Yeah. I mean, let's let's go with it because I think, I think the concept makes sense and I don't want to, I don't want to get into a geometric discussion, but I do want to ask you what's at the core of that 360 at the center?
Would that be the IAM program manager? So I always think of the IAM steering committee as kind of the core body that pulls all together. But if you go even more central to the core, yeah, like now you're in that little ball and center of the earth. This is the IAM program manager. I don't think it's just one single role. I think that person holds it together that the IAM architect,
they become a team. It's like the business person and technology person and really the IAM program manager running around who doesn't get the tech is going to have a problem being effective. The person who gets the tech but doesn't understand the business is going to have a hard time getting around. So usually it's two different people. I guess there could be one person who really gets both aspects of it, but it's both
sides ahead. And then the third leg of the stool, there is one is the executive who's kind of saying, all right, this is what the business needs to buy in. So it's not even so much conversations upward because they're so hard to have. You don't get that much time from executive teams, so if you have somebody who's from that that world who is part of your core, they can tell you like this what the business is expecting from the program.
And they might be part of the steering committee or something like that. But I'm with you. I think there's like this, this core IAM team that kind of sits in the middle. And there will be other resources that kind of spin in almost like planets orbiting or moons orbiting a planet, right? That kind of situation, you know, maybe HR is really important for this first phase because you mentioned IGA, we need HR to be there because we're going to be using their data to drive automation.
Once that's done, maybe they spin out into a further orbit where they're, you know, not as I want relevance, not the right word, but they're not the focus. You know, maybe now we're pulling in IT infrastructure team because we're doing
privileged access management. They become much more in focus and then OK, we fix that and they kind of slowly drift into a further orbit and then, you know, you've got these other components that are coming in. But I think I'm with you in that like you've got a program manager. I'm going to tell you, a good program manager is really hard to find someone that can communicate and understands the
technology are exceedingly rare. If you are one of those people, be sure you're taking advantage of that, of those skills and really driving your organization. If you're, and if you're a, if you're a techie and you're really not great at communicating, work on it.
I mean, start to work on the communication and if you're a good communicator, but you understand the tech, you know, watch videos, get more involved with that stuff and kind of learn it. Because I do see that that Unicorn of a single program manager that understands the vision of the program can communicate why that's important and what people are going to get out of that in layman's terms, terms that everyone's going to be able to understand, but also
understands the technology. They don't need to be a developer. They don't need to be, you know, in the guts of the applications configuring things, but they need to understand the capabilities that are there and have the resources at their disposal to enact those things. Engineers, analysts, you know, whatever that looks like for the tools. Yeah, I mean, let's try the most important role in the program overall. You brought the cross functional team line is thinking about
that. You know everything we just described would work as well for a workforce IAM program or customer IAM program. Oh, you think about that important role of the program manager. How often have we talked to folks who've made their way through I to become the identity program manager, You know, essentially the chief practitioner of IAM for their organization and how many different paths people can take
to get there. I usually find that it's people who understand the business, know how to make the case for return on investment, and have enough technology understanding that they know what the parts of pieces are or more. You know, I don't think that just because you're not technical, you should use as an excuse to say I don't need to learn that or I don't want to learn that. I think be a sponge. I think if you're technical, learn as much as you can about business.
They can only help you in whatever position you take. Yeah, I totally agree. I think once you've got that team in place, now you start to think about the tools you're going to do battle with, right? What are the capabilities you want to bring in? Do you need an IGA tool? Do you need privilege access? Do you have single sign on and MFA? Have you got all that, you know, figured out already and now you need to do something with ITDR or some other analytics? Or maybe you're on the customer
side. You're like, hey, we don't really have a good way for our customers to manage their profiles or maybe their data consents, especially if you're in Europe or other places where you have, you know, laws like GDPR, for example. So I think really understanding what the technology fits are is important because these are typically long term decisions that you're making, right? You don't buy Okta and say, OK, well, we'll get rid of it in a
year. These things are generally too expensive to like turn over that quickly. They're not disposable in that way. And that can be really challenging because there's a lot of really good products out there, products that are like in your face and everyone knows about and ones that just for whatever reason struggle with awareness and, you know, presence in the market. And they're new or upcoming or, or maybe they're big in Europe, but they're not big in the US or
vice versa, right? Things like that. So I think understanding the technology landscape is very helpful because it almost always comes down, in my experience, to the details. You're going to buy an IGA tool. Guess what? They can all do provisioning. They can all create an Active Directory account, you know, remove it, add permissions and run an access review.
It's all the details around it that are typically the differentiators at this point for a, for a, for a technology that's that mature, you know, up and coming things maybe like an ITDR or some sort of, you know, AI enhancements as we're seeing now, maybe there is a little bit something there. It's like, OK, you know, there is a little more maybe meat on the bone that we need to kind of chew on.
But I think the, the right technology is, is really key because you're going to be stuck with that for probably, well, at least three years if it's SaaS, cause three-year subscription's basically right, but probably longer because people are going to ask you, well, why did we spend all this money implementing this tool only to rip it out three years later? That's a really tough pill to swallow. Yeah. Well, I mean, that's the question is like what should be the horizon that folks should
look me at? It almost seems like to say 10 years is like a little bit polyamic or unrealistic. At least five years I kind of feel like is the minimum where you start to really get your money's worth. You're ripping it out at five years and having to rebuild. That's a major reinvestment. There's a tough decision. I think one thing is just saying this company is the leader now and assuming they're going to be the leader in five years.
Well, if history is any teacher, that's not always the case. In fact, it's rarely the case. I don't know if history is the right teacher for this. I mean, you look back on this industry 15 years ago, you have said you choose Oracle or CA or IBM. None of those companies are really relevant in this space anymore. Maybe IBM, but CA and Oracle are not relevant in their identity space anymore. They owned the identity space. They were the only choices really.
And now you look around and the other incumbents, will they be around 5-10 years down the road? I think it feels like they will. Choosing the right technology is not easy. No, because there's so many good choices. And the truth is you could probably be successful with almost any of them if you're willing to adopt their business process that they bring to the table. That's sometimes a challenge for
organizations. You know, you bring up this idea of like, will the company be around in five, 10, 15 years? I think that's real important. You know, IBM and you know, the CAs and the Oracles, they've been around for a long time. And yeah, they kind of had their heyday in the IAM space, but they
were around for a long time. I mean, it wasn't like they were only in IAM for like 5, you know, 5 minutes, five years, whatever that is. It was decades, you know, that they were kind of the only real players in that enterprise market. Now they let, you know, upstarts like SailPoint and others, you know, come up and kind of steal
the market away from them. But there will be other vendors that come up. But when do you make the investment in a small player versus an established player is always interesting 'cause I think a lot of that has to do with the risk appetite of the organization. If you're a small organization, maybe a little bit more nimble
in your choices. Maybe you are willing to go with, you know, somebody who's new where it doesn't have the track record. Maybe they don't have, you know, the fancy training portals and kind of all that stuff. But you feel good about their technology and you've gotten maybe some assurances from leadership over there, right, the CEO or people who are maybe more hands-on maybe than
another organization. Or maybe your organization is a little more averse to that type of risk and wants to have an established partner. And those are the types of organizations that will say, well, give me the Gartner Magic Quadrant. Let me just look at the upper right. I don't think there's anything wrong with that. I, it might be, but maybe that's just the profile of the
organization. They're not willing to look at a smaller company until they've grown and gotten through that, that hump of hey, we're in the market, we've been around now for 5-10 years and we have a bunch of customers and there's less of a concern that they might die overnight, for example. I can get that. I get the risk. I understand it. I don't agree with just saying look at upper right of Gartner and even Gartner will tell you don't look at just Gartner upper
right. That doesn't mean as much. But there are organizations that do not want to play with the smaller fish. They're looking for the more established fish in that case, and I get it. I think that's just something that you have to think about. You have to think about it. So you know, as you've been talking, I was thinking I just talked about Oracle CA and IBM. People are saying I think you probably, yeah, that ancient
history in terms of identity. They were replaced by Okta, Ping, ForgeRock. No, they were replaced by Gigya and Janrain. Those companies basically don't exist. They're bought by Akamai and SAP and they pulled back those capabilities so much that I mean when was the last time they've either seen SAP or Akamai at an identity conference? So these things run in cycles. There's acquisitions that can take place and then companies can deemphasize the portfolio. Can you take that and like glean
me the operation from it? No, I just think it means that you're saying the right technology is even harder than you think. Yeah, I agree. OK, So we've got our program, we are, we've got our goals, our scope, we've done our assessments, we've got our buy in from the executives. We've got a team kind of put together. We've, we've muddied through the process of, OK, we figured out the technology we're going to use. Now how do we get it
implemented? And typically you'd probably want to do this in a phased approach versus a Big Bang. Because Jim, I'm going to go off and build this thing. I want you to give me $3,000,000 and I'll see you in three years. Are you going to give me that money? No, I might give you a loan to the first phase. Right, so I need to show wins right along the way. You didn't need to show wins. I think my feeling on implementation has been maturing. So I'm going to tell you where it's at.
Today I came up as a waterfall guy. I have a PMP and I learned the PMBOK and it's waterfall-based project management. It's create phases. You start a project, get into project. At the end of the project, you have a bunch of functionality that you defined and built requirements for and designed in the beginning of the project. Today things are shifting more towards agile project methodologies where you do
sprints and they're very short. They're almost like mini projects where you do requirements design, implementation or I'm sorry, development, testing and then implementation all within a two week time period or something very short. That's the way I think the industry is going. I don't think that approach works well for initial deployments.
MVP deployments are called them where you say, OK, today we have some legacy technology that's barely supported anymore and it's doing automated provisioning or it's doing some basic capability within the identity space. I still think that, you know, defining a project and saying we're going to rip and replace, that's the way to do
that. But then when it comes to integrating more applications into your environment, when it comes to enhancing functionality or rolling out new functionality, I think that agile approach works really well. I think what is a little bit more difficult is taking that approach and communicating it to the executives because ultimately they want to know what they're going to get for their money.
And you can't say, well, every two weeks we're going to decide what we're going to work on. So I'm still kind of struggling with that. And it's not like I learned about Agile last week. I've been struggling with this for a decade, you know, since I've really kind of like brought my head around it. I think that in a way you're kind of like layering phases and layering non pure agile on top of agile to say, all right, we're going to do 8 sprints.
At the end of the 8 sprints we're going to deliver this set of features and functionality. But within those sprints you decide what to work on when. So that's kind of how I feel like, you know, the approach to the implementation plan, realistic reality being thought. Right now, I feel like to some degree you're almost bound by whatever your organization tends to do for projects. Some organizations are waterfall, some are agile, and some are somewhere in between.
But I think a lot of times, especially if you're in a big organization, you know, large enterprise, they probably have a program management office or project management office, and they have a defined set of criteria that every project goes through. And sometimes it's not a great match, but you still have to do it anyway because that's just the way the organization works. I do think the phase approach
generally makes sense. I think if you're implementing a technology, almost always the first phase looks alike no matter what technology vendor you pick in a certain area. So I'll pick on IGA again. If you're going to deploy IGA, you're probably going to connect it to identity source of truth, right? Your, your HR platform, you're probably going to connect it to Active Directory and or your Entra directory or Azure Active Directory.
And maybe you're going to connect it to ServiceNow or some other ITSM tool, your ticketing system, that might look like phase one for any IGA platform because they generally all will kind of start in the same area. Then from there, it might iterate based on, well, we are a financial organization, so we have SOX and other things that we need to be aware of. So maybe financial apps come next because you need to do that, right? Or maybe they're included as part of phase one.
But guess what? The real phase one is still probably AD first, then the other financial apps, right? And maybe that's the same for you. If you're doing an authentication, you're putting it into IDP, what you got to connect it to is probably going to be whatever your new directory is. Your first step is hopefully going to be enabling MFA and then you're going to talk about, OK, what are the applications
that we want to connect to that? And so I think a lot of times these, even though it's like the same pattern, it's really the technologies are really going to start in the same spot. What the variation ends up being is what are the objectives that you've already defined to say, OK, well, we're doing this because we need to be compliant because we failed our SOX audit. OK, well, let's start planning. So this time next year, we have those applications under
management in our new platform. They're going through a new access review process and we'll feel more confident that we'll be in a better position to be more compliant. Or maybe it's our cyber insurance is going to be due for renewal and they charge us an arm and a leg because we didn't have MFA or we couldn't get insurance because they didn't have MFA or because they're starting to ask questions around privileged access management. And we don't have good answers
to that yet. Let's not be in that position next year. Let's start with the phased approach to get there. And let's start with the priorities to say, OK, what do we need to get cyber insurance MFA mandatory? OK, now we know what our first
phase is for an IDP. And I think you can take that same logic and apply it to any technology that you're looking to deploy, especially in a core identity solution or identity situation, Your authentication, your life cycle management and your privileged access, like those three things are generally going to kind of start in the same ballpark. And then Spira from there based on your business use cases or things that you want to address. Does that make sense?
Yeah, I, I'm wondering if you're running into folks in the business who say, all right, you're, you're building a plan for the company that we're planning to triple in size over the next five years. You know, really that plan to me, I mean, my, the initial log that comes to my head is crawl, walk, run. In other words, you can't go, you're crawling today. You're doing things in a certain way that you're saying we just, we want to run, teach us how to
run. Like feel like we need to teach you how to walk first? Right. You ever, you ever been sitting on your foot and your leg falls asleep and then you try to get up and run, you're going to fall over and look like a dummy. Yeah, you know, and sometimes after you know, that's what needs to happen is like, hey, you know what if if you could run, wouldn't you be doing it already? But you're not because there's problems. You've got to solve some of
those root issues first. I don't know any organization that's like, hey, we're going to plan, we're going to be smaller in five years. No, no, no company does that. Every company is looking to get bigger. There's nothing unique about that. Every company is the goal is to make more money, grow larger, blah, blah, blah. Right. So yes, you want to design your program to meet the future, but every program has foundational building blocks.
No matter how big or small you want to be, if you don't have those foundations in place, you're going to struggle. You're going to have, you know, dead leg and you're going to fall over and look like a fool. That's, that's my $0.02 on it. I love it. All right, so we've got our phased plan, we'll call it, or at least you're starting to figure out like what chunks that you want to do from an implementation standpoint for technology.
I don't think you want to ignore the user experience because you can have the best technology in the world, but if nobody can use it, guess what? Nobody's going to use it and you'll lose your ROI and you got unhappy campers literally all over the place. So when you're designing the implementation of these tools and you're evaluating which tools you want to use, you should be looking at what is the end user experience. Does this make sense?
Does it look like a program that was designed in the last 10 years even, right. I mean, I think you and I have seen a lot of products where it's like, well, that was a great interface for the year 2000. You know, here we are in the year 2024 and nothing has changed and
it still looks like that. Does that give me confidence that the user experience is going to be good maybe for a certain part of our workforce that understands that, but maybe that part of the workforce is aging out and moving on, and our newer workforce totally doesn't get it and they think it's a terrible user experience. So I think you've got to focus
on your constituents, right? Who are the scope of your programs, whether it's employees, partners, customers, whatever may be, really pay attention to that user experience. Nail it because that's going to be the first impression that your IAM program makes for a lot of people. The first time you have to go in and reset your own password if it's a total hassle. This thing stinks. What do you mean I have to call somebody? Can I just do this on my own
right? A lot more self-service, a lot more agency. Where the Amazon points of things where it's self-service. I want to go to a portal, buy the thing that I need or request it and never talk to a person and just have it magically appear on my doorstep in two days or even better yet, same day. If I live next to a Prime, you know, warehouse or something like that. That's the sort of mentality I think is if you treat IAM like a product for your organization, think about that.
User experience is such an important part that I feel is getting better. I feel like a lot of people I'm talking to recently are thinking about that user experience, but it hasn't always been that way. And I think it's something that we should always be vigilant for as identity people is take a step back, you and I get identity. Maybe there's somebody out there that's like, yeah, I I'm an Azure expert. I totally get it.
But we sometimes get lost in this, you know, self delusional spot where it's like, yeah, I get it. What do you mean you don't understand why my SAML connection isn't working? And I gave you an error message saying OpenID Connect not configured. No normal human's going to be able to understand that. So you've got to think about that from, you know, Jim's dad's perspective. Can Jim's dad use it? All right, now we're on to something. What do you think?
Yeah. Well, I, we had an interesting conversation about this today and I'm going to answer this question off of you. So I think customer identity and workforce identity, this topic needs to be treated differently. But I want to ask this first question is from an executive owner perspective, workforce identity and customer identity generally owned by different executives, CXOs within the organization. What? What have you seen mostly? I think typically they are, they
may have some shared teams. I think historically marketing or some other customer kind of facing department might have been in charge of it, e-commerce, whatever that looks like for whatever position. I think it's two different mindsets. And I think now you get into, you're trying to find an IAM program manager that knows how to do talking and talk tech. And now you want them to talk both on the enterprise workforce side as well as the customer side. Yeah, that unicorn just became a
lot harder to find. So maybe it does make sense to have a couple of people. Maybe my focus is enterprise and your focus is customer or vice versa, right? Whatever it may be. I, I guess it's, it's the consulting answer of depends, which I kind of hate to say, but I think it's difficult to find one person who really understands everything about both sides and can talk all that
technology and be that good. And I'm sure there are people out there who are like, yeah, I can do that no problem. Great, cool. I think it's a unique skill set and it becomes more unique the more requirements you pile on that role. And that's just another set of
requirements. So I can certainly see information security, for example, owning the enterprise workforce or the enterprise IAM program, but I can also see the information security team telling or advising some other group to say, hey, we know you're working on customer identity. Here are some services that we have that you might be able to use.
But more importantly, here are the guidelines or the governance or the policies that you need to make sure are in place so that the risk is at the level that our organization is willing to tolerate. I don't have to own it, just make sure you put MFA on every account, right?
Or something along those lines. I think everything you said there was spot on. So I think what you normally see is that the CISO is responsible for workforce IAM and then the question or then this statement doesn't become prioritize user experience. In other words, it's more important than security. It's don't forget the user experience. So in other words, like 10 years ago, or maybe it was longer, but it was like the user experience for workforce IAM doesn't matter.
These people work here. I don't do what we tell them to do. I think companies and that was a terrible mindset, but they, I think it was the predominant mindset, at least where I worked at once, right? I was, you know, going back before I got into consulting. I think the industry's matured. Companies have matured to say not only is cybersecurity important, but giving our employees a good experience with their IT is important so they can be productive and so they don't hate working here.
On the customer identity side, I think it's kind of important. I think on the customer identity side, you're right. It's oftentimes the chief marketing officer or some business executive, VP, let's say, who owns the customer portal, let's call it. It could be whatever, but it's customer IAM and I've heard things like and I'm not kidding about this, Jeff, like we need to have 8 character passwords, preferably would be 6 and ain't no way we're rolling out MFA.
When I hear that I tell whoever I'm talking to they are wrong and you can tell them that Jim McDonald told them they're wrong. That is just terrible. I understand that the user experience is paramount when it comes to customer IAM. And if you're going to put 6-character passwords, 8-character passwords, you're basically putting their data at risk and it's your fault. It's not their fault if those accounts get breached. And so for them, I'm not going to say prioritize the user
experience. They already are prioritizing user experience. It's almost like don't forget about security or don't deprioritize security. I think you know at least SMS OTP is ubiquitous. So if you have a low assurance use case, at least do SMS OTP. Don't rely on 6 and 8 character passwords and if you start getting longer, there's a passwords or password change frequency. I mean you're making that user experience worse. Start using multi factor authentication. Move to, you know, unphishable
multi factor authentication. I'm not saying you should mail YubiKeys to all of your customers but have no authenticator apps. I mean, it's these things aren't that far out anymore. I feel like yes, you, you kind of said something there about like they're, they're focused on the user experience versus security. I'd argue they're not focused on the user experience because they're not doing a good job of helping the user protect themselves from themselves.
And I think this is a spot where, again, you know, maybe it's a program manager, maybe it's executives. They really need to articulate why that's a bad idea to not have MFA in place. OK, you don't want MFA in place. Well, what if I told you there was easier? What if we just didn't have passwords at all and we went passwordless? Tell me more.
Right. I think this is where if you're staying current with the market and identity space, hey, passkeys might be a solution here that everybody wins. So I think there's options there. But I think sometimes you're totally right, not sometimes you're totally right, but sometimes you do have to draw a line in the sand. Like look, that's just not acceptable. And I'll flat and I'm with you.
If you do not have MFA on your IDP today, you are asking for it and I want it in writing that I told you this was a bad idea. And when you get breached, it's not going to be me that's going to, you know, be rolling out the door. It's going to be the, you know, someone else. Sometimes it's CYA. I hate to say it, but there are politics in every organization and you're not going to win every battle.
The best you can do, especially sometimes if you are not at the level where you've got the juice right to be able to kind of direct policy is look here. This is why this is important. I want you to really understand the risk that you're taking if you do not follow this advice. But I think you also have to be able to work with your business partners. OK, I get it. We don't want to have 16 character totally randomized, you know, can't use the same, you know, character more than
once, right? Some of these, you know, we've all been in the end of that password policy. It just is like impossible. Like how am I supposed to go with the password for this? Like it just doesn't work. Come up with alternatives. Look at modern authentication ideas, you know, use WebAuthn, use passkeys.
I think there are enough options out there now that hopefully this trend starts to lessen because it's almost like you kind of talk there about the employee experience is like, well, they work for us. We can tell them what to do and it doesn't matter. I think the products have gotten better in that space also. So it's not just that we're getting better. The products are getting better because we've been asking them to get better.
Hey, I want a better user experience, even though I'm just an employee in quotation marks, right? I'm still a customer of the services that my organization's providing. And it can and it should be better. Products have caught up. But yeah, when I, I'm with you, I will, you know, tell them, tell them Jim and Jeff said you're wrong. I'll add my name to that petition as part of that process. Oh, your slot language? Yeah.
All right, let's keep it moving. I want to combine this idea of like governance and policies and like metrics and measurement because I feel like they kind of go together. But I think that's what the other part of this program is to think about, OK, what are our policies? What are our standards? Are they realistic? Do you even understand what a policy is versus a standard versus a procedure? Maybe it's time to rethink how you, you know, define what those things are.
In my mind a policy is, hey, you should have multiple forms of authentication. Great. How I do that might be an IT standard or a corporate standard or a security standard that says, OK, the policy says we have to have multiple forms of authentication based on our risk tolerance as an organization. And we've talked to the executive about it. We've kind of established this is the minimum bar that you need to be at.
We're going to allow SMS, we're going to allow push notification, and we're going to allow YubiKey. And maybe that changes on a row. But those are the three we're going to do for now. Now you've got your standard, here's our standard process for that, or sorry, our standard for the implementation or application of that policy. And then the procedure is how you do those types of things.
I think sometimes I see a lot of policies that are like trying to jam standards into it. And depending on the organization, maybe you can change policies really easy, maybe you can't. Maybe it requires a board approval or something that doesn't happen very often and you get stuck kind of behind the times and you're not able to really kind of push, yeah, the security of a certain policy or a certain standard that you want to put in place.
So I feel like the governance, the policies that go around that, the standards, but then also the monitoring, the measure goes with that as well as OK, well, OK, we got this IAM program. How do we know if it's successful? What are some of the metrics? You know, can you just stick your head out the window and say, well, it feels a little bit warmer today. So I think we're doing good, you know, yeah, customer satisfaction surveys will certainly be important.
It's like, hey, our people, you know, they think this is a good experience, but there should be hard metrics as well, right, Jim? It's like how many automations were we able to do for onboarding, for offboarding? How many, you know, bad sessions were we able to block from authenticating into our environment, right?
There should be some ability to drive some metrics that makes sense to your organization to kind of demonstrate it because at the end of the day you need to show value, and a lot of times, especially in the IAM world, that value is almost invisible because it's like, well, I just typed my ID and password or I did a prompt on my phone and I was in. Like, what's security? You're right.
OK, well, you know, I've said this before, like look in your Microsoft account and go and look at your access history and I'm sure you will see tons and tons of things where people were trying to get into your Microsoft account and Microsoft to their credit, blocked it. They're giving you a log and say, hey, these roads again, but they didn't surface it to me because it never rose to the level where they felt confident
it was me logging in, right? You need to be able to demonstrate those sorts of wins and publicize those wins, make people aware of it. Continuing about what the value is that you're bringing to your organization, whether it's efficiency, risk reduction, you know, hey, we saved X percent on our premium this year because we had our strong privileged access management, you know, platform in place.
Hooray, win. You know, maybe it paid for the privileged access management investment. Always be looking for those things to promote the wins and to measure the success of the organization. What do you think? I think, you know, that there were a few points I wanted to add on to. I think when you have Carl's you framework and you say you shall have every access shall require multi factor authentication. It's Cuba simple. What are you doing to monitor that?
So let's say you have 700 entry points and 500 of them are connected into your IDP that has multi factor authentication. Maybe you're doing adaptive, so that's green check box for those 500. What about the other 200? Are you keeping track of whether or not they have met all the policies? If not, you don't know whether or not you're complying with your own policies as an organization. And so I think that's very important.
I think also having a very formal exception process because you'll have legacy applications that say our application is like dumb tube, you know, in other words, it's a telnet session and MFA is not possible. OK, maybe it is, maybe it isn't, but let's just say it isn't and they have a technical reason why it won't work. Whatever software they're running won't integrate with whatever solutions you can come up with. That's fine.
You have to file a formal exception and somebody in the business, some business person, even if it's an IT executive has to own that risk. That's to me. And, and by the way, this has nothing to do with identity. This is how you run a good cybersecurity department is yeah, policies the organization has to policies and standards they are. They're not optional. It must be complied with by everyone. And if they can't be complied with, a formal exception needs
to be applied for and approved. And in order for that to happen, a senior executive needs to sign off on it. And usually it's an ink signature, but you know, a workflow tool would probably be fine as well. But what I'm getting at is that, you know, that's a risk management exercise that's above and beyond identity. It should include really all of your cybersecurity policies and standards. So I think that's important. We also talked about, you know, clear roles and responsibilities
for your program. I, I, I think you may be into that, that I think that, you know, identifying those up front is going to be very important, evolving those over time, who's responsible for what decisions within your program, spending money or changing policies, things like that. Who, who's got that responsibility within your program? Yeah. So I think those things are very important.
I think that the basis of your IAM program is your policies, your shared services should be called your easy button to comply with those policies. So, you know, teams that are, you know, maybe have some autonomy over their application or they're saying, hey, our application is too important to rely on your creaky IAM system, so we're just going to do our own IAM. That's fine, whatever you know, maybe executives have said just leave them alone, that's fine.
They still need to comply with the policies or if they're not going to apply someone you're saying the race as to see. So that's the personality. Yeah, I agree with that. I think that idea of, you know, basically conducting a certification campaign right against things that are not within compliance of whatever policies you set out makes sense. Maybe it's OK, Yeah, telnet example for example, that you mentioned. OK, yeah, they, they can't comply.
All right, let's check back again in a year and see if things changed or six months or whatever the right time frame is. Yeah, maybe it's time to move on from a technology that doesn't meet modern standards. You know, maybe there's a company out there, and I think we've mentioned this in prior episodes, like there's this website, right, SSO tax or SSO dot tax or something like that, where companies charge for basic security things like enabling
SSO. Maybe they're not the right choice if they're going to charge for basic security concepts like that. Yeah, maybe they're a good product and you know, maybe, you know, they, they, there are no other choices, but I think that's part of that same, same ideas like, hey, what are we doing to get better? Track what you've got, measure it. And yeah, some things are going to be a compliance, especially when you're just starting out. Nobody is 100% compliant 100% of
the time. There are always accepted risk somewhere that someone of the appropriate authority level or, you know, signing authority has said, OK, I'm willing to accept that risk. If something happens, then we'll deal with it. That exists. Plan for it and you won't be surprised. You also mentioned one of the thing that I've got to cover which was around monitoring or measuring user experience and how much of your ROI they committed to you're achieving.
So you're asking the company to invest in identity. I think the thing you should do with being a program is really have a well thought out plan of what are the dials that you're going to improve. Snap a line, where do those
dials exist today? Whether it's in terms of things that are easily measured within the tools that you have, you know, longer password resets, things like that, or things that you have to go out to the business to measure with survey data, for example, like user experience. But either way, you need to be able to show improvement over time. Six months, a year, year and a half, two years to show, hey, remember I asked you for $1,000,000. I said I could do all these
great things. I did all these great things. User experience improved by 50%. That's huge. This shows you're a good bet, right? And if you can deliver on that, you're guess what? You're probably going to be more apt to find funding for future projects that you want to work on as well or to keep things going. And I think this is why it's so important to be communicating. You know, throughout this entire process. I don't think you can
communicate enough. I do think you need to give some thought into the communications that you are doing. Know your audience. Who are you talking to? What is relevant to them and what do they care about? Try to think about it from their perspective and tailor that communication to them, but always be thinking about, OK, how do I explain this? I get stuck in an elevator, you know, with somebody. Can I explain what my IAM program is doing on the 15-second ride up?
Or can I, hey, you know what? We just rolled this thing out and you should check it out, you know, and have that dialogue going with people, both part of your program, but also to your customers of your IAM program, whether it's workforce or, you know, customers in a B2C-type scenario. So the communication is super important throughout any time you get to celebrate a win, celebrate the win. Draw attention to it, highlight it. If there are issues, address them as well.
Hey, this is not working and let's not be afraid to go back and rethink how this is implemented or the business process is designed or whatever it may be. It's OK to be wrong. And I think sometimes we struggle with what we have to be perfect every single time.
It's just not realistic, right? We're humans, we're going to make mistakes, but be willing to admit the mistakes and think about it and maybe you think it's great, but your customers hate it. Hey, I'm sorry, as much as I love it, I'm going to have to redo that and and come at it from a different angle. And that's fine. It's OK to get smarter. And I think sometimes we lose that as well. I think lastly, the most important thing I think is to stay current.
A lot of times we see investments in, hey, we're going to stand up on IAM programs could be awesome. We gave it like 2-3 years and we were really kicking butt. And then it just kind of like died on the vine and just kind of coasted and didn't keep up with the world and the environment. And now here you are four years later, five years later, six years later, and it's like, wow, what happened? Like we used to have a really kick butt IAM program and services, but we didn't keep up
with things. We didn't stay current. And I think it's really important, you know, we had, I kind of had this conversation earlier today was there's peaks and valleys in an IAM program. If you're not doing it right, you want to smooth those peaks and valleys out as much as
possible. If you're behind, you're going to have to invest to catch up. And invest means money, people, time, whatever that is. But there's going to be a spike to get up to a certain level and then you're going to have to keep a certain level of investment going to maintain and
to keep current with things. What typically happens is if you look at, you know, a budget for an IAM program over 10 years, if you're not doing it right, is you'll see a spike in year 1 and then it drips down to like, you know, year three-year 4 and then another spike and it kind of drips down.
If you had just kept current, it would have been a lot cheaper and you would have been a lot better positioned from a risk and a usability standpoint, most likely, if you had just maintained and kept current with where the market is. And I think that's really important for people who's like, great you put in technology and what's next? What should I be thinking about? What did I see at a conference? What did I hear on the world famous Identity at the Center
podcast, right? What are the things that I need to be thinking about for, you know, skating to the puck in hockey. You don't skate to where the puck is, you skate to where it's going. The business is like that. Your IAM program should be like that. And if you're not doing it, guess what? The puck is still going, you're just going to be further and further behind. So you want to maintain your cadence and your ability to keep up with the world from an IAM perspective as well as the
business side of things. Yeah, I think, I think organization can fall back, fall behind for a few reasons. One is they have to shake up people and maybe the people who were responsible for the IAM road map moved into all through things. Priority shifted and that role never got back filled. So it just became continue to operate. And that's something that we say: IAM, it's not a project, it's a program. So you take your eye off the
road. We just you have the things the car keeps moving, but you're not paying it to the road and bad things can happen. I think the other thing is I've seen this happen for a few clients over the years. They get signed up in the MSSP doing identity as a service, but they build that MSSP around what we do today.
They have to take into account that they're going to want this system enhanced, but I think probably the best way is to set some money aside or have some flexibility to be able to perform enhancements in the system themselves, one or the other. Usually they don't have any staff left, right? They outsource the management of their IAM. They need to put some money aside for enhancements because what you have today is not going to serve you three years on the rig.
I don't care who you are, I can almost guarantee three years on the rig. You're going to require enhancements along the way because if it's going to change, you're going to have new applications, a new HR system, say it's there. So you need to take that into account. Even if you're outsourcing the maintenance of your IAM system, which may make total sense to your organization, may make total sense for you.
Just remember to put some money aside or build it into your budget, build it into your bill to get that system to have tickets or whatever their process is for enhancing that system. Yeah, I think that's a really good tip. I think the other thing I'll add to that is there's a lot of vendors out there and fewer
partners. If you are working with, you know, an MSSP or something on those lines, whatever managed service, look for a partner, look for somebody who's you know, got your, is interested in helping you involve in helping you get the most out of things and has a plan to say, hey, you know, this thing is what it looks like right now. It's going to change and that's OK, that's fine. That's natural. Here's how we're going to keep
up with that, right? And maybe it's as simple as, hey, there's going to be a version upgrade because we're a partner with so and so company and we're using our technology. We know this is coming. This is something you want to plan for or hey, I saw this neat thing called passkeys at a conference last year. Have you guys thought about that? If you have a good partner, it makes a world of difference for your experience with any type of
managed service. And I think a lot of times, you know, it's unfortunate, but money rules sometimes. And those partners tend to be a little bit more expensive upfront, but maybe they pay off in the long run because you're in a much better position and, you know, maybe you've developed a better relationship with those partners.
So I think it's also something to think about as, you know, if you're going to outsource, really consider who you're working with and make sure that you had a really good comfortable feeling with it. People are going to change, right? I mean, you and I might go from one company to another like we have, and those relationships, you know, will probably carry along from there.
But you really want to make sure you understand the company that you're getting, you know, to partner with and making sure that they're the right fit for you strategically. Because hopefully you hope that. It's a long term relationship. Thank goodness it any better believe you they're I keep hearing the same company names also working.
I'm not going to repeat them on the podcast, but you know, they leave a Trail of Tears that they go in off at the lowest price and then change order you to death. And to avoid all the change order issues, basically sit pat and have a system that gets older and older. It's not a good situation. Yeah. OK. I think this might be a record for our longest episode ever, so why don't we leave it there? I'll just kind of recap real quickly. I just realized we have 10 steps here.
One, define your goals in the scope. 2, conduct an assessment. 3, get that executive buy in. Four, put together your IAM team and it should be a cross functional kind of core team. Not everybody a core team. Make sure you're picking the right technologies. Number six, think about what your deployment is going to look like, whether it's phased, some sort of implementation plan. How are you going to make this thing digestible for the organization?
Don't forget about the user experience. Make sure that that's a priority. Think about your governance and your policies and your standards and your measurements and how you're going to monitor all that and then stay current and communicate this sort of like weaved kind of throughout there. So but it's 10 if we don't count communicate because you should be doing that the whole time. So that's the kind of sum it up. You know, I didn't really think
of a lighter note question. You got any ideas? Have you done? Anything. What was your last trip? My last work trip was DC. You were there. I mean, we were in DC, I think before that. Or was I? You know, someone said to me the other day, it was like, you know, you travel a lot, but you don't remember where you've been. And I feel like that's where I'm at. I guess my last personal trip was that trip I took to Texas for my friend's 50th surprise birthday party, which was a lot of fun.
And that was good times. You know, that was it was a great time to reconnect with some folks I hadn't seen in a long time. And it was great to just kind of, you know, do a nice thing for somebody who, you know, as a friend of mine and, and kind of bring joy to their life. And I think more people should do that. What about you? What's the last personal trip you've taken? Personal trip I've I'm in
Austin, TX right now. One thing I've noticed is like everybody I talk to is like it's great here. They love living here. It's too hot. I mean, it, it's mid-September and it went up to 100° today. So I'm assuming that's too high. I can't do that, way too high. But everybody seems to love it. But everybody complains about how expensive it is to live here. And I think that's the thing. It's like if some place becomes awesome to live, other people find out about it and everybody
wants to live there. They jacked up the real estate cost and then you can't afford to live here anymore. So I don't think many people who live here, like living here, are planning to sell their homes and move to a new house anytime soon. They're kind of stuck until 20 forever. Well, that's a real positive story, so thanks for that. Well, no, I mean it's supposed to be lighter. Come on man. It's a cool city, people. Love, it's a cool.
City and the only downside is the cost of rules leader thing and the heat. Yeah, well, I just read the other day, you know, I'm in the Asheville, NC area and we're no longer the most expensive place to rent in for the state. That honor now goes to Charlotte. So Asheville has typically been one of the more expensive places because it's a very desirable location, very touristy and the weather is great pretty much year round. But now we're #2 and that's, I think that's a good thing.
So I'm happy about that. Yeah, that's really good sign. All right, Jeff, we do against the hours to be like a 15 minute episode, but no advice. Yeah, we try, We try, but we just talk and talk and talk and we have so many nuggets of wisdom that we want to share with people. So hopefully people get it and understand it and they're able to put up with our weird delays with, you know, cell phone connections and bad hotel Wi-Fi. But I think it was good episodes.
I've got a challenge. Yeah. We've been recording this long. If anybody is still listening, comment on Jeff's YouTube or I'm sorry, LinkedIn post about this episode and say where you were on your last trip. That'll be interesting. That way we'll know where our last five minute Drew is. Yeah, on LinkedIn or on the YouTube video, either one's fine. Yeah, give us a like and subscribe wherever you're listening. idacpodcast.com is our website, idacpodcast.tv.
We'll take you to our YouTube channel and yeah, connect us to LinkedIn. If you were listening this long, thank you very much. Tell us your last personal place, personal travel, not business travel that you went on. And yeah, we'll keep the conversation going. So with that, we'll leave it for this week. Thanks everyone for watching or listening and we'll talk with you all in the next one. You've been listening to Identity at the Center.
We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com. See you next time on Identity at the Center.
