What is ISPN? It's a great question. I was about to write and publish something on ISPN at Garner and then I got hired and I left. But ISPN, Jim, is, is an Apple Watch for your identity program. And, and the way I, I, I use this analogy is to explain that is the first or perhaps the best way of, of surfacing metrics, not to show you how good of a job you're doing protecting your environment. So that's the, the reason of, of ISPN to exist, right?
So are you improving your security status or are you decreasing? Are you improving that? Are you getting worse at that? So the same way to watch helps you to remember, hey, you should take 10,000 steps a day. You should take this amount of sleep every night. So you healthier, you stronger. That's the same process with ISPN. So the idea is ISPN is everything you can do before an attack, right? So are you taking the necessary steps to sustain an attack?
This is identity at the center if it has anything to do with IAM. This is the go to podcast now your hosts Jim McDonald and Jeff Steadman. Welcome to the Identity Center Podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Not so bad yourself. Man, I am happy you're back. Man, I am so happy you're back. And today is that the Today when this episode drops December 9th, Monday, first day of the Gardner, I am Summit.
So for those who are in Grapevine, TX and are, you know, listening to the episode, you and I will be on stage on Wednesday at 3:30 with Becky Archambault. Really excited for that. She's going to be turning the tables on us and interviewing us. So that's going to be quite different.
And for those who aren't able to attend the conference but are still listening to this episode, you know, we're going to record a couple episodes while we're there, while we're here hopefully, and we'll have that for you guys to listen to. Yeah, it's going to be a fun week. It's I feel like it's been a while since you are recorded like in our normal sort of studio environment. I've been traveling and had, you know, my real job has gotten in the way of the podcast, so to speak.
So I'm, I'm glad I'd be back in a normal studio, neither not recording like on site somewhere because you know, I've been traveling over the place for conferences like authenticate, etcetera. And yeah, so I'm back, baby. Well, a lot of people think this is our full time jobs. I mean, people ask me that all the time. It feels like it. It does. It feels like a second job, right? You hear about people working 70 hours a week and it's like, oh,
that must be horrible. But then I think about the hours that we put into the podcast and we're probably I don't think we're a 70, at least I'm not. But and the other thing is like, it's, it's funny, sometimes my family members members will be like, oh, you know, you're such a hard worker. I think, you know, yeah, I like, I'm very dedicated to my job. I do a good job at it, but it's not like I work in a coal mine. You're a hard worker. Not a good worker Jim, but a
hard worker. Oh, I wasn't going to say that, Jeff, thank you very much. Yeah. No, look, we do this because it's a lot of fun, and we'll keep doing it until it's not, until it's not fun, and then we'll figure something else to do. So there you go. So we don't have any discount codes to share with people today because this is probably, well, this is the last conference of 2024. As you know, Q1 is not a big conference time, but next year we're going to be going to EIC Ideniverse.
We'll be coming out with discount codes for those early in 2025. Yeah, stay tuned. I'll put them on our our homepage at idacpodcast.com. Just Scroll down a little bit and you'll see whatever the current discounts are. And yeah, feel free to use those. There is one for Gartner. If you are in the lobby of the hotel in Grapevine, you can't get in IDAC 375. So there you go, last minute
discount code. But yeah, why don't we get into today's episode because I feel like we have so much to cover. And this is a guest that took us a while to get on. We had him on earlier this year. And now we're back. We're going to talk about ISP M, We're going to talk about AI. Of course, I am. And maybe get into some 2025 predictions on identity. So I want to welcome back Henrique Teixeira. He is the Senior Vice President of Sabians. And just the guy.
Welcome back, Enrique. I'm just a guy, just a guy. Thank you, Jeff. Thank you, Jim. It's always a pleasure to be back here. The show, guys. Well, it feels like a lifetime since last time we spoke, but thank you. Thank you for having me. Well, anytime the door is always open and I, I appreciate the mood lighting you've got going on. It's a very dramatic effect. You know, we're on video. So if you're, if you're not watching a video, you can hover YouTube and kind of check that
out. But you were with us back in episode 281. That was back in May. So here we are about, you know, 6, maybe seven months later and just curious, you know, what you've been up to since then. And then I'm curious also, you shifted over from a role at Gartner, obviously as an analyst and now you're with Savion. Does anything surprise you with that that role change? Oh, yes, and lots of travel, right, since I, I, I moved here, my son jokes say that why are you travelling so much?
And we, we've launched this series of, of events throughout the globe, all these amazing destinations. And so wow, I, I got to support this company I work for now, right? And I, I'm very grateful that we have this opportunity. And I'm of course, I used simpler words. He's 11, Lucas, my son, right. And so, yeah, dad, I think you should go back to, to Gardner and no, but it's being amazing. Just the opportunity to be
closer to the problem. That's that's exactly what I was chasing right when I moved and and I know we are now close to Garner the IM summit getting ready for that as well. It it feels bittersweet. Of course, I I'll be meeting all my my good friends at Gardner. It feels like the the whole show right, which I used to be the chair of. It's now an adult that has left the house, went away to college and and took his own speed, its own pace.
And so I'm I'm super curious to see what Garner will be delivering excited. I'm I'm I'm very happy to be there and there's new capacity. Of course. It's funny that I don't know if you noticed that the theme they chose for the show, right. So for the Garner AM Summit 2024 is identity amplified and I can claim I was the person in the room when, when we're choosing the the theme for that. OK, let's choose identity amplified because I can see I
have amplifiers here, right? And, and, and, and guitars. So this is part of my life and perhaps a little bit of Terravia when I suggested that and there was a bunch of other suggestions, amazing options. Every year we go through an ideation process at Gartner to choose the, the, the theme of the, the, the conference for the year.
And, and then I left right. And I, I don't know what happened, but in my own branding, on my own LinkedIn profile, I used the Enrique Teixeira identity amplified and I, I kept using that. And then I got a phone call from Gartner and they say, Enrique, guess what? We, we chose identity amplified as the theme for this conference in 2024. So good. I feel flattered, right. That was my idea. But would you mind switching your profile to something else and say, OK, of course, of course.
So I I didn't make any any fuss and I changed now it's. Where a good trademark comes in. All right, yeah, but it's it's OK. It was not a big deal. So now it's Enrique Teixeira identity driven because I have an OverDrive here and everything else. So identity driven, I think it's what I am as well. And what we've been doing, it's saving, right. So driving the importance of identity and and, and fixing
this problem. So, but to your question, yeah, lots of surprises aside from the travel, which I I already expected with, with, with them saving. And I was surprised for the size of some departments inside of Savient and how organized it is. And I had no idea, right. And and I used to joke that Savient was this best kept secret in the industry. So why, why, why don't you guys speak more about this or that, this particular innovation that
you're launching? And because it was very much driven by technical people and engineers. But now we have a CMO, we have an amazing team, also marketing and messaging what it does. So I was kind of surprised about the thing in a good way about those things that, wow, even myself as an analyst and I was paid to analyze you guys and understand what you, what these vendors were doing. I thought there was a lot that was kind of mysterious and I I just learned after I joined the job.
So now this is like your first Gartner as a civilian and it's freeing, right? You kind of mentioned of you're not really in charge of it. So now you can kind of go as a, as a normal attendee, right? Just a guy. Yes. What is something that you look forward to other than, you know, obviously relationships and meeting people and you know, and stuff like that, But is there like something specific that jumps out you, you know, this week as we're all here, it is like, I'm looking forward to
this. I mean, obviously of course then, you know, giving us fist bumps and stuff like. That, yeah. And I had a little bit of a taste of that when I was at SRM securing Risk Summit and National Harbour. So I was able to reconnect and, and, and, and feel that vibe again. But little things that I used to care about when I was preparing those conferences. Like for example, the tidbit you just shared that now Rebecca will be interviewing you guys.
So I'm curious to say, OK, this is an interesting and fresh approach to this or who are the other guest speakers that they have picked, right? Because that was part of, of a chair and choosing who are the, the guest speakers? Who are the, the keynote speakers? So I, I'm more curious about this, the, the background choices they made. And I, I know it's a, it's a lot of work and I'm, I'm curious to see how it pans out, but I'm very excited for them as well. So I'm, I'm on the sidelines
cheering for them. I'm, I'm sure it's going to be great, but also meeting my friends and, and, and our clients as well and, and being there within the booth saving it. We won't have Vans this year as we had for for other events we had like a Vance store and Vance shoes, but we have a nice surprise in store as well with that. I've got my vans in my closet. So that was a that's that's that's a memorable swag for
sure. And we've told Becky for our session, like, hey, you know, you guys are really gracious and we interviewed you guys on stage. You're like, hey, we'll ask, can we ask anything? And we've told Becky same thing like Turner vows, Fairplay. So Becky, come at us, bro. We're happy to engage and where that may be. You've got other copies you've been to. I know you were at Hipcomp, which I've never been to. Maybe you can give me kind of an update of what was Hipcom full hyphen?
Is that something like that I should be looking at for next year? Yes, that, that was my first time as well. An amazing roster of speakers and, and I think that's what drove me there, right. So Alex Weinert and and Pamela Zingle and and a bunch of other amazing people, right. And it reminds me of and, and I, I've never been to Identiverse on its early days, but it reminds me of that the early days of Identiverse, a very practitioner oriented type of conference.
Pretty cool. I like the, the venue as well was New Orleans by the, the actual space where they had the, the whole Mardi Gras like Carnival type of thing. So it was pretty cool. And, but like I said, they're practitioner oriented, right, versus only Sisos and and leaders who had like all kinds of people from different levels, but also different type of content as well, which was pretty interesting. Pretty, pretty cool.
I, I, I'd love to to go back. Yeah, I, I get excited for the same thing, like find out who the different guest speakers are going to be because I'm responsible for booking, booking our guest, booking our talent that comes in. I use those lists oftentimes for finding future guests who have an interesting and unique perspective. So, you know, it's part of the whole identity at the center brand is bringing in great speakers like yourself.
I I know I don't have to sell folks that are listening on the show because they're already listening, but I've gotten so much feedback, you know, so many times where we're doing the episodes where people say identity is at the center and I feel like we just accidentally struggle or I shouldn't say accidentally because we talked about identity as the center as a concept, but we never thought once about changing the name of the podcast. I think we just we kind of
nailed it with this concept. And trademarks are expensive, Jim, so. Yeah. Well, that's right. IDAC is something we trademarked and that's a perfect segue because I was going to say we want to talk to you about the latest and greatest acronym ISPN Identity Security Posture Management. It's something that you've been talking about and wanted to give you an opportunity to kind of talk about. First off, what is ISPN? No, awesome.
And it's a great question. I was about to write and publish something on ISPN at Garner and then I got hired and I left. But ISBM, Jim, is, is an Apple Watch for your identity program. And, and the way I, I, I use this analogy is to explain that is the first or perhaps the best way of, of surfacing metrics to show you how good of a job you're doing protecting your environment. So that's the reason of ISPN to exist, right? So are you improving your security status or are you decreasing?
Are you improving that? Are you getting worse at that? So the same way to watch helps you to remember, hey, you should take 10,000 steps a day. You should take this amount of sleep every night. So you healthier, you stronger. That's the same process with ISPN. So the idea is ISPN is everything you can do before an attack, right? So are you taking the necessary steps to sustain an attack? Are you strong enough? Right. And so?
The management part is kind of like understanding where you are now and then improving it through me through evolution of like fixing things. But I'm also wondering, is this now a product space? So are there going to be ISPM vendors that maybe dashboard all this stuff out? What are your thoughts there? Yeah, and and exactly so that the first step of it, it is about visibility, right?
Just surfacing that type of metric that say, hey, you're not doing a good job here in in identity hygiene, right. So you're not even enabling fishing resistant MFA to everybody in your organization, like half of your employees don't even have MFA. So this type of visibility is super important. But yeah, as the remediation of that is part of ISPN. So that's the M right, the
management part. So you, you remediate, you fix this type of stuff getting stronger as you go and you improve your security posture, right? I think it's a great question to ask. Is this a, a valid market? Is it I, I don't care and I don't think buyers care about if it's a market or not. The thing is, is it real? Is it not?
I think it's a, it's a type of discussion that as a gardener, I remember having those type of discussions, especially because when you have things like a market guide or a magic quadrant, by definition, it has to exist as a market and and Garner has very strict rules. What a market is now in in reality, if I want to buy a a smartwatch or an electric car, is it is to a car? Is it something else when like
a, a faster horse becomes a car? I, I think buyers, they will buy what they need to solve a problem they have right now. And so that's why I, I, I said not, not in any trying to be facetious or anything, but it's, it's, I think it's just, it might be a market. I, I, I know of companies that they, they leave and die and that's the only product they have. It's their, their, their MVP is an ISPN product and that's what they're doing.
So the way I, I wrote research, it's more on the I, I, I make the analogy almost like a sitcom, right? I, I, I, I, I evaluate the situation. I take a picture of what's happening right now and I write about what's happening right now and what's happening right now. Yes, there are companies that are building tools that they do exactly that is to surface those type of metrics. Savant is doing that. We we have announced our entry into ISPM and I think it is different, right.
So, so no, it is something different than IGA, it is something different than Pam. It, it is something else. So we we could argue what the name should be, but I think it is it is a category of different things for sure. Is it different than ITDR? It is. It is. How's it different than ITDR? I I feel like the definition of ITDR is providing to secure your
identity systems. But then when companies go to market with a solution A, solution A from company A and solution B from Company B could be quite different and they still fit into this ITDR bucket. And you know, whereas like IGA is pretty much means closely the same thing to everybody. Now, I, I would love it, feel free to disagree with me on any of that, but I'm wondering, OK, what, you know, how does ISPN become about or what is the bucket of ISPN?
And is it, you know, is there a clear definition over it or is this something that you're still spitballing or the industry hasn't like, you know, come to consensus on it, which is fine. No, for me, Jim, it's very clear in my mind, right? So, and the way I, I, I, I wrote this research on ITDR is that this happens during an attack and after an attack, right? So it's a, it's a runtime threat detections.
So you already have somebody shaking the gates, like forcing the door open that they're trying to get in. That's when ITDR gets in. So it's threat detection, it's identity threat detection at the moment of the attack and responding to that attack. ISPN, it's all about the prevention. So if you go to NIST and other type of frameworks, so those are the things that happens before the boom, right before the attack, everything that you can
do to prepare for an attack. So take Mike Tyson for example, and Jake Paul, right? So all the preparation they did for the fight. So are you sleeping well? What's your nutrition regim? Are you training hard? Are you taking all the precautions so you don't die on that ring? Right, So that's ISPM. And yes, you're correct in the sense that IGA fits in that prevention space as well. As a matter of fact, everything that we did so far in Identity is preventive, right?
That's why the ITVR gap was so big, because MFA is preventing bad guys from getting in. Pam is vaulting credentials and not allowing it to be misused. So it's all about preventing an attack. So ITDR happens when somebody is already trying to break in, so it kicks in in the detection mode and responding to that. And that's what ITDR is about. ISPN is the prequel to that, right? So everything that you do before the fight.
I feel like this is not to disagree, this is probably more to agree, but just the thought is that I mean, I've seen Gartner has like the Venn diagram on this and I think the third, so it's ISPMITDR and I think the third is IGA. I'm going by memory. This is something I saw a long
time back. But some of the stuff you're talking about prevention is in some of the ITDR platforms, like for example, Sempress, they, they do some analysis of here's the configurations within your Active Directory that are potential cracks in the in the foundation. So I feel like still companies are kind of built bundling all these things into their solution.
They're not being purist, which I'm not advocating that they be purist, but I think it does make it hard to wrap your brain around, OK, ITDR, it doesn't necessarily mean one thing, even though you're giving a very clear definition. I just kind of feel like we're still in this churning period, which leads to a lot of clients, in my experience saying, OK, well, is this really the right time to jump?
In yeah, and, and, and I, I think it's a great analysis what you just made, right, Because when we are writing research and, and the market takes that idea and runs with it, it may be hey, this is not the whole thing. And, and, and yes, a lot of vendors that were doing ISPN because I didn't have the chance to publish things about ISPN before. So now this is, this is ITTR. What we're doing is ITTR and I can remember 3 or 4 vendors that did that and say, guys, this is not ITTR stop.
But then the word was out. The cat was out of the bag, right? So no, but we like ITTR. We're going to be using this label. So but this it's, it's wrong. That's right. I'm going to be right about ISBN next, which is the prevention. Then what you're doing is about prevention. It's finding the cracks and fixing the cracks. You're not being attacked. So we're not detecting threats,
right? So to your point, it is kind of very enlightening to see that the power of writing research and and what the vendors do with that, but also the buyers, right? And and yes, the buyers get confused because, OK, this, this is like the DRI thought, this is more preventive. But when we talk about those things at Sabian and say, guys, no, this is like the Dr. this is ISPN. So that's part of the job of being a strategist is to be clear about those things.
But I, I don't fault those other vendors. They, they say, OK, no, this, this is a cool concept and, and we can run with this and, and this is good for positioning and messaging, say, well, more power to you. But it, it can get confusing. That's I think is a characteristic of our game, if you will, or our trade. Yeah. I mean, that's exactly, I feel like we're, we're getting into almost a little bit of semantics, right. We're throwing out, we're really
good at creating acronyms. It's funny. And Enrique, I was going to, I was going to interject when Jim asked you, what's the difference between basically ITDR and ISP M? And I was thinking about it very similarly. ISP M is all the stuff that happens before I get attacked. It's, it's your plan, right? It's your hygiene of your identity program, your systems, your capabilities, your data, right? All that stuff, and I don't think there's ever a bad time to
do that. You don't need a tool necessarily to. Do exactly that's that's a day-to-day training. It's an idea. It's hey, should we have MFA? Yeah, well, guess what? You just improved your posture management for an attack because now you've got a second level of authentication, right? And I think there are things like that where we can look at it and say, hey, here is here is what is my i.e.
SPM look like. And yes, maybe there are productized versions of that that have a very, you know, structured approach to it. And it's a checklist. And maybe it bleeds over into a technology where it's like, OK, here's your checklist. And oh, by the way, if you click this button, it will do this thing for you and keep it In Sync maybe with whatever you define as your i.e. SPM, because not every organization is going to have the same level of risk tolerance or capabilities or things like
that. So I feel like ISPN is more like a framework and idea set to say, hey, here's how we're going to manage our threat level and our posture to protect against identity. Secondary to that is exactly what you said is OK, something bad has happened. It got through our posture management approaches. Now what do we do? And that's the detection response. And of course, there's plenty of technology now in that area, you know, to help with that.
But that's kind of how I was thinking about it in my head. And that's exactly, and you said perhaps even better than I could, But yeah, that's, that's, it's about training and, and things, and things that you got to do regardless, right? You got to eat and got to sleep. You got to train and, and, and the more you do of that and, and eat healthy, you're going to be better prepared for a gang day. Gang day is you are attacked
right now, right? So all the drills, all the training that you do, that's a posture management. So you you're becoming stronger in that sense of protecting your identity infrastructure and your identity systems. So I did find that that Venn diagram and it was a Gartner diagram published in 2024 and the two overlapping circles there were not 3. So I don't know if it's technically a Venn diagram, but it's overlapping circles. We got to get Yvonne. She's our expert on Venn
diagrams. So Eve, if you're listening. Yeah, exactly. We have to. We have to have Eve's input on that. We could put a link in the show notes, but it was prevention and ITDR and the overlap. And you can see pretty much to my point, there are companies that are trying to play in both spaces. Now, whether or not they call it one product or not, I. Don't there is an overlap that
that's a that's a good point. When I was writing about this with Mary Ruddy, which is now chief of research and Gardner, right. And, and, and between the prevention things and then posture management and and detection response, you could detect a change in posture, right. So I, I don't know if you guys saw on the iPhone now they have this vitals thing now metrics that say, hey, your vitals changed.
So there was not an attack, you're not having a heart attack, but your vitals change like you had a change in posture. So a little bit of detection changes of posture. But then, but I, I, I, I think for the benefit of the industry, right? So this semantics discussion, I think it's important, but we shouldn't be just focusing on that. But I think, and Rebecca talks about that too, focus on the outcomes, right? I think it's super important.
So the outcome of ISPM is to be stronger for the attack. That's right. And the outcome of ITTR is to detect things faster and respond faster to those things. I think that's simple as that. I think this is a great segue to because I feel like this is where AI is really starting to
shine. What we called maybe machine learning before and AI and all that's coming together now we've got things like Co pilots and agents and bots and you know, all kinds of stuff going on where, you know, where do you stand on this from like an AI perspective? And especially I think this terminology of copilot agent bot, is there really a difference or is it really again, we're back into semantics of it's still this, you know, non human identity performing an action on something.
Yeah. And, and I'll get to that when, when we talk about difference between AAI agents and, and, and AI Co pilots, but when we think about AI, right? And before AI, it was cloud. And, and, and one of the things I've been talking a lot in those different Rd. shows that we're delivering is that if we look at the trends that driving change in 2024-2025, man, cloud has been around for more than 20 years. Cloud was invented around the
year 2000, right? So almost like 24 and and which is crazy to think about how long it took here to so we get to the cloud security of Wiz and and Palo Alto, the CSPMS of the world. The reason I bring this up is that now we have this other inflection point or a second wave happening, which is AI, which happened two years ago,
right? And and, and, and, and generative AI becoming mainstream and, and even like people like my mom, she's in healthcare and, and she's what have you used this Chachi PT thing? Yeah, it's amazing, right. So it's now it's in the hands of the people. So this new inflection point, I think gives you the, the perspective what is driving innovation in companies today, the same way that cloud drove innovation for the last 20 years. It's undeniable cloud drove that type of innovation.
So you, you pay money to AWS, you pay money to Azure and you run your workloads in the cloud. It's, it's better than in so many ways, right? And more elastic and resilient, etcetera. AI is driving this, this other wave. And when we think of of, I think was during the Salesforce event and, and Marc Benioff was bashing Microsoft because no Co pilots are dead. The, the cool thing now is AI agents. That's that's that's why AI has to exist.
And now man, it's again, it's a, it's a semantic type of discussion that I think it's not very productive. But those are different things. And, and, and there's not better or worse thing, but a copilot is an assistant, right? That that's by definition, a copilot is an assistant that helps you generate code. It helps you to to generate photos or or code or generate text.
So this an assistant. It could be also a chat bought in a sense right translating natural language in a sequel type of statement like a Claude and other models that can do that very well. An agent is going to be performing actions, so it could be a workflow or executing a remediation or a lawyer type of agent or a marketing type of agent. So this becomes more of an agent in that way that execute tasks versus an agent that creates
content. So I think it's just a category of of two types of of things that is not one better than the other. There are applicability that you got to have an assistant will be the best application. An agent will be a better application for other things. So that that's that's my interpretation of that. What's interesting, however, in that push to innovation, right? So there's a lot of opportunity for us to still profit from that
cloud innovation curve. So how many start-ups can launch their own products in in the cloud? And that's still happening, right? AI is going to be the same thing. However, my prediction is that that curve is not going to take 20 years to maturity. Cloud today is mature, right? Especially infrastructure as a service, even SAS, it's mature AI. We're going to see that curve going much faster. There's an an author called, what's his name, Ray Ray Kurzweil.
I think that's his name, Ray Kurzweil. And he's a, a futurist Ray Kurzweil. He predicted that AI or technology singularity would happen in 2040, five, 2045. But now this, this person revised his prediction. No, no, it's not 2045 anymore. It's going to be 2029. So and I, I was bang on and I, I, I, I, I made my prediction before I saw his and I was just looking for evidence. OK, who always agrees with this crazy stuff I'm talking about here.
But I think the wave for maturity in AI is going to happen in the next 5 years. So Henrique, I think the whole idea with agents or bots or Co pilots, I think it's going to sharpen my point on this holy war and the holy war. Jeff and I use this term, right, and we prime example of the holy war is where should contractors be managed in the HR system or
something else? And you know, it's like each time you go into a client, you talk to them about how they're going to manage things going forward or where they are today, it becomes a holy war. HR doesn't want to manage these people or yadda, yadda. I don't want to talk about that. What I want to talk about is a different holy war, which is what should be the front end to your I, your access request process. So many companies say we want it to be our ITSM, our ticketing system.
We want to take ServiceNow where you go and request everything else in the organization. That's where you go to get a parking pass or a new iPhone or etcetera, etcetera. Why can't you go there and ask for access to a folder? Personally, I think it's a terrible idea. And I'll tell you, I think that the AI future is going to put an exclamation point on why I think this, which what I've always felt was the change management for this is a nightmare.
But I think the bigger issue is going to be you're not going to get to take advantage of all these things that are going to be built into the front end with an IGA system. So now I go into an IGA system and it tells me, well, you know, you should request this access or you shouldn't request that access, etcetera. Or even better, we get into a generative interface where I say I need to give Henrique.
I just hired Henrique. I need to give him access to the accounting system similar to what Mark has. And then it starts asking me questions and we going back and forth to have a question, a conversation until we get to the point where it's a well formed for quest that I submit. If you're using some intermediary front end, I just don't see how you ever get to the point of being able to do that. Yeah, but isn't this just the March of progress and technology?
We, there really wasn't an option to request access in this scenario until let's say 10 years ago. It was you had to call the help desk, right? Or walk down to a desk or something like that, right? Somebody could do it. And then it became, oh, why don't we try to Amazon this and make it more of an e-commerce style. Let's create a shopping cart.
And then you have things like service now, right where you have or other ticketing systems, right, where you have like all your services listed and you can make a request. Now we're in the age of AI and we're seeing identity governance vendors pull in some of that, right? They've, most IGA players have had a request interface of some sort, right? Whether it's Savient or Sale Point or Armada or Fisher or whatever it may be, right?
They all have that. Now we're looking to this AI future is what if your IGA didn't have a web interface and it was a chat interface of some sort, natural language processing, right? Things like that. The whole goal of those interfaces are to do what? To request the access, to make sure that it's appropriate and to log the proper approvals and receipt trail, right, so you can audit it, those sorts of things. Yeah, if you have to make like a
yeah, a wedging bat here. Yeah, I, I think Jim, and I'm sorry, I agree with Jeff here. I think I, I, I agree that the future of IGA and then all the things around life cycle, it should live in a, in a more natural language, chat oriented. So I'm a big proponent of chat OPS. If you guys are familiar with what chat OPS is, but for the sake of the audience here. So chat OPS is the ability of using Slack or Jira or service analysis, whatever.
So we already have those apps in your phone that you can check messages and respond to those messages. So interacting with your IJ tool through Slack and, and, and it's funny that we are also announcing that within saving it. So there's a company called Pronoassis and they developed a chat bot, a chat bot for Slack that front faces saving it. And I think that's brilliant. I don't want to build an iOS app.
I don't want to build a, a, an Android app because you already have an app, you already have teams, you have teams, you have Slack. So I think that's the future of the human interfaces for today. It may change into the future to be even more natural language, but I think I only see the benefits of doing it that way, right. So people, they are already used to use Servsina or is it teams or, or, or slack. So why not embrace it?
And of course, we, we still have all the controls for segregation of duties or separation of duties for fine grain entitlement and, and, and all, the, all the things that we need to do from a security standpoint. And yeah, as IJ can continue to do that. But from a front end, I think the future is on chat OPS. It doesn't replace things that we that exist today either, right I think. We're in this transitional state, right? It's that's. Exactly. Another arrow in the quiver.
It's like, OK, yes, you can interface with my web interface, or you can my chat bot, or send me an iMessage or RCS message or whatever it is you're using, right? Those sorts of things. That's kind of how I always think about it too. Yeah, exactly.
So my point is, OK, where I'm confused is, is what you're saying that if I'm a client now, a customer of yours now and I'm implementing my IGA system for the first time or maybe I had one that was like 20 years old, something like that, and now I'm going to buy your software, I'm going to implement it. Would you tell me? And I tell you, I want to use ServiceNow because ServiceNow is where people go to request everything, parking pass, etcetera. I don't want to give them a new place to go.
Are you, are you going to discourage that because. If you say let's go, let's do it, let's do it, let's use Servsenal, let's use Servsenal. And we have a native integration with Savant, right? I think modern IJ providers, even before I joined Savant, I was recommending vendors say this is the future. We, we, we should not fight this
holy war anymore, right? So you have this front end, you have trained thousands of employees to use service now, So why are you trying to train them in something else? So they are training using that interface. Don't fight against that tide, right? And we connect in the back end. So we have service catalog integrations, right? So the same way you can request your laptop to be fixed, you could request this new package.
Now there's the whole AI thing. And I agree with you, Jim, in that one that we can use RBAC up to a point, right? So you package everything, you make that package requestable within ServiceNow. You get to the point where things get so granular. And I think we're not there yet, but we get to the point where you're going to open a SaaS application on your phone or in a browser and say it looks like you're trying to access this app and you don't have access.
Would you like to open request right now, Right. And, and and then things happen even before you know it's already a flow going on, right. I think that's where we're going to go. So you're saying it's kind of a multi channel way to go ahead? And very much. Omni channel identity and access management request. That's the future guys, absolutely yeah and I and I I can't force everybody going through my own interface all the time. That's not kids these days,
right? So they they are they're multi channel. They they're they're using Roblox to chat. Come on. So we we got to keep up with the times. You know, Jimmy bring up an interesting point, because they think this is a a struggle that a lot of organizations faces.
Yeah, we are deploying an IGA. And I think by default, I think a lot of folks are like, yeah, let's put it, make it part of our, our ITSM system, which Henrique, to your point, right, we've, we've trained our users already how to do that. But I think it's an interesting approach to say, hey, you know, why don't we do a little bit of both? Yes, let's do the ITSM integration, but why don't we also consider some sort of chat bot type approach, right?
Or a conversational approach of how do I do this? Maybe it's a little thing that it's in the corner and it's like, hey, it's not replacing anything. But hey, do you want to try the future, right? Or do you want to test it, right? Or, you know, do things like that. I think there's an opportunity here where, you know, products in this space could layer on some sort of conversational, you know, approach to requesting access.
Because the, the biggest concern that a lot of people have when it comes to this is I don't know what I'm requesting access for. I don't, I don't know any. All I know is I need to get to
this file. And if there is something behind the scenes that translate that to say, hey, Jim, I need access to the, the logo file for the Identity Center podcast, you know, oh, OK. You know, the the robot figures that out for me, handles all the approvals and maybe you get a text message and it's like, hey, Jeff wants to access this file, is that okay? And you just say, yeah, through a text message, right? Or something like that. Yes. Exactly.
And then it's like, okay, you've got all the things that you would normally do through an ecommerce type approach. Traditional I will say is still logged and happening. But anything that removes that friction I think is really
interesting. And I would be curious to see, you know, what are the some of the solutions out there that can layer on that chat bot type approach Because I don't think ServiceNow as it exists now is going to be the way ServiceNow does it in the next 5. Ten years there already. Yeah, yeah, to your point, I think multi channel is is the answer, right. It it really depends on on culture what your users are more familiar with it it if if they
use a lot of Slack right. And having that integrated with Slack, we had IBMIBM is using Savant internally for their own employees. They built their own chat bot, this AI chat bot based on Watson, whatever Watson acts that interacts with Savant, right? So they also built this, this, this thing because well, now we are IBM, we're using Watson, that's it. Good. So I think having this openness right to to communicate through multiple channels, I think it's
the direction of the future. I'm not going to be strong arming users. Yeah, you got to use through my own interface. I think that's the wrong way to do it. Enrique is not going to show up at your desk and put you in a headlock and say submit this form. Yeah. Maybe he will, maybe he will. I don't know that you know Henrique well enough to say that he won't do that. Here's my gift to you, Henrique. You need a trademark Henrique I and then make a chat bot. Enrique, I love.
It thank you. Thank you, Jeff. So think about it. Henrique, let's shift topics a little bit because I think it's fair to say, at least I'm going to say you don't have to agree, is that you're an influencer within this space. You a lot of people follow you and look to your vision, your strategy for the identity space. And I I've got to think that you're pulling inspiration from others, right? I mean, that's how it works.
Oh, yeah. I want to know who are some of the other influencers that you're following and what they're talking about that excites you and kind of like informs you to build your perspective on the world. No thank. It's a great question, Jim. And it's funny that sometimes I find people that say, oh, why, why haven't I met this person yet? Right. So one of them is and because of my job today, I'd say I'm in charge of strategy. So I'm thinking about strategy a lot.
I'm, I'm, I'm studying more about the discipline of strategy. So there's this guy named Eric Leach. He used to work at Strata Identity and he writes a lot about strategy. And I think if, if you, I think he has his own blog on Medium and, and stuff like that. But there's one thing that it really stuck with me and perhaps with the audience would be interesting as well to understand that. So one of the things that I do is to think about the vision of
saving long term and etcetera. And it said something even before we, we, we stop to write and think and, and, and communicate vision. We got to think about purpose. That really stuck to me. So what are we trying to do with this? What is the problem we're trying to solve? Oh, oh, we were trying to prevent things or we're trying to detect things. OK, now with that purpose in your mind, you can draw a, a vision where you want to be, right?
So OK, we're, we're protecting this or we're doing this, we're detecting that and then vision comes. So Eric Leach is one that I, I, I strongly recommend people to follow. The other one that come that comes across is one of the founders of Netflix, Mark Randolph, and he's very active on LinkedIn as well. And I wish I could meet him one day, but he seems a very interesting guy. And he said this thing that stuck with me as well, especially because strategy,
right? So a good strategy is not about having that great idea that one idea. It's about having a a system that allows you to test as many ideas as you can, right? So being inclusive, not to be constrained by my own thoughts because I, I, I joke to say I'm, I'm just a guy. I'm one guy, right? I'm, I'm, I'm too limited in my own capacity. So I, I really like that concept.
OK, creating that system of just testing very quickly as many ideas as possible and coming up, well, OK, now you have like 10 amazing ideas. I think that's really eye opening. So we're coming up here at the end of 2024. It's always good to look back and say, you know, what got accomplished. What do you think it will be remembered for? Things like that. How do you think identity is going to be remembered for in 2024? Were there any specific trends or topics or or things that jump
to mind? I think 2024 was the year of ITDR, if you will. I think it became very mainstream. We spoke about that HIP conference, the Hybrid Identity Protection Conference. Man, it was a whole conference, like 2 1/2 days, just about ITDR basically. Wow, this is crazy. So I think if I had to choose one thing that was very, very popular this year and identity will be remembered.
Yeah, the identity breaches, right, That happened all, all the stuff that we did to protect our systems against those type of breaches. I think that's what the year is going to be remembered for. Jim, what about yourself? What does 2024 bring for you? You know, I, I feel like the recognition or the creation of identity security as a concept, which has a lot to do with concepts like ITDRI. Think if we look back on this year though, it's like a
formulation era. There's a lot of things being put out there. ITDRISPM wallets. Machine identities, right? Machine identity, blockchain identity. Yeah, yeah, Non human identity is like, well, I feel like non human identity has always been there. It's just like the recognition all of a sudden that, Oh my gosh, there's a problem. Oh, you got to protect that too. That's an art scope.
So there's all these things like what's going to actually, you know, stick around and be a part of the future and what's going to kind of fall off the plate. To me, that's the year. I don't know that it's 2024 specific, but it feels like we're at that point where it's like we're up to here with ideas and some of them, you know, nothing ever comes to a clean death in the identity space. Think about UEBA, right? It was like all we could talk about 3 or 4 years ago.
Nobody talks about it now. But has anybody declared it dead? Or is it now just like? It evolved into, you know, ITDR. Almost. OK, yeah, yeah, I agree. It kind of evolved and like nobody declared it dead. It, it becomes a, a capability of something else, right? And I think that's, that's what may happen with active Dr. as well. It are becoming a capability of, of bigger markets like XDR or, or SIM or whatever, you name it, right?
So you're building this tool and it has ICDR capabilities in it, right? And that's something that I I had predicted before as well. I think the health of the industry is that you're seeing the leaders continue to invest in their platforms, bring in new things and hopefully get stronger. But also the startup community is as vibrant and as strong as ever.
You go to conferences in the identity space, but I think in cybersecurity overall, and there's like just so many startups out there, and it's not like they are, you know, just trying to add a feature on to something else. Like some of them are incredible and they're taking on big problems and taking them on in new ways. And that, I think, is an indication of like how healthy the industry is. I think for me, you guys have
both really good answers. I think it's, it's still AI like it seems like everything, every topic this year that we talked about had some infusion of some level of AI and how are we going to plan for this? How are we going to integrate it? How are we going to leverage it, right? How are we going to protect it? How are we going to protect against it? I feel like AI is sort of like the this thing that's sort of like the shark beneath the the waters. Or maybe it's the iceberg, right?
You've got this. Little no, it's the wave, man. It's the wave rising cloud is the now is the, the AI wave. So absolutely everything that we spoke about, I think they're, they're, they're surfing the wave of AI. So I, I agree 100%. So the same way we surfed the cloud wave and and we had the start-ups way back like autumn eyes and cloud knocks and Airmatic for that cloud wave.
We're going to have that. That's going to happen again, man for AI, And I think that's the the the push of innovation identity itself, it's protecting that and that's the constant, right? The constant of all the waves sees the mainframe through the decentralized compute to cloud to AI identity as a constant, right, Like Jem said, but even machine identities, it's been there forever.
It's just now we have this different type of pushes or waves, like I said this, this shark now in, in the water. I, I still think 2024 being that year of threat became like mainstream. But at the same and, and, and I spoke exactly about that, Jeff. Two things that happened in 2022-2023 with real exploit 2024 was AI and identity threats. Those two things that can happen at the same time. So what about 2025? Any predictions for next year?
Are we still going to be talking about AI the same level we are now? What do you think, Enrique? Yeah, I think we're going to still surfing that wave, right, at least for the next until 2025, until 2029 when we hit singularity and AI becomes more powerful than us. And in humans, I think that the big prediction for next year is going to be identity or machine identity security, which is something that we briefly spoke about here in this episode today, is that it's being there forever.
But now people, OK, I think we've done a decent job with workforce. We didn't, we've done a decent job with CIM and externals. Oh, what are those machine doing? And it will become like undeniable. We can't ignore this problem anymore. So I think for next year, I do predict that organizations that invest more time and money into finding basic things like visibility and hygiene of machines, they will improve their resilience in cyber like
considerably. I'm, I'm, I'm, I'm estimating from 30 to 50% efficacy of, of protection or being stronger and more resilient. I like that prediction because I feel that spot on, you know, and again, it tails back into this AI, there's going to be this explosion of non humans doing things in our environments. We have to manage those things.
So I feel like this whole, whatever you want to call it, machine identity, non human identity, I think, I think we need to settle on what that definition might be as an industry. But that whole idea of like, OK, there's going to be little bots running around and there might be, they might be so ephemeral. They only exist for a millisecond because their whole task is to do one thing and it's
gone. And being able to track all that, it's going to be really interesting and I think really compute intensive to try and track all that type of stuff. Jim, what about you? What do you want to predict for 2025? I got something but I want I first wanted to say. So we did a podcast with David Motti recently and we talked about non human identities. And one thing he argued for is that we shouldn't define
something as what it's not. So saying that is a non human is defining by something by what it's not. And anyway, so that's a little side note. Yeah, but let's talk about that real quick. Two minutes if I may. That's a that's a good point. And see, that's why I like David, he says Mark Guy defining things by whether or not is like a like a Turing machine. It's called a Turing Turing machine. It's like a Turing non human, right? But non human is not wrong in the sense that we have humans
and we have non humans. In that category of non humans are cats, they're dogs, right? They're animals or bacteria. There's ghosts and there is machines, right? So I see machine as a subset of non human machines. Machine. You could break that down into workloads and devices. So I think non human is not completely wrong. It's just that it's a, it's a much bigger scope of things that we're not talking about. I'm not talking about cats and dogs, I'm talking about
machines. So it's a non human but it's a machine and then with the machine it's either workload or a device. It helps group this concept which I don't think is well managed as people. And when you look at enterprise people, there's kind of a way to manage them. They start an HR system, they go into your IGA system, they get provisioned access, etcetera. Machines like what's the authoritative source for machine accounts that there's really not?
And the kind of identity or machine or account that Jeff mentioned that is created for in an ephemeral nature is a lot different than the Active Directory Service account that is used by the SQL Server that was set up 12 years ago. Yeah, yeah. So the way we're defining that Savient, it's it's and this is important, right. So the the the hierarchy or the taxonomy of that. So we we categorize it as a machine identity, a machine account and a machine credential, three different
levels. And we can talk about that perhaps some other day, but there's a, yeah, some lack of clarity of what are we talking about here. And to your point, yes, there's no alternative source for identities that are machine based most of the time. All right, here's my bonus 2020. 5I I got to answer this 2025 because I did. I'm sorry I took this off track there, but so you know me, Jeff. Doom and gloom. So here's my doom and gloom prediction for 2025 S Nobody.
Great, everything's going to work. New Year's Eve, you should be celebrating the year behind, not the year forward. The So here's my concern is as humans, we react to things that happen. You know, people fly planes into a building. We start screening people better. We don't think, oh, somebody could fly a plane into a building, so we better start screening people better to prevent that. So it's very unfortunate.
That is human nature. And I kind of feel like identity security is in the same place where people actually have to be breach or breaches have to be on the front page of the Wall Street Journal. More and more so that you can't escape the issue for people to amass invest in identity security. But that's what's going to happen at some point, whether it's 2025 or later, I don't know. But I think there is going to be, you know, a sharp increase in breaches that drive the
identity security investment. It makes sense, right? So what you're saying is that it's going to get worse before it gets a little bit better, right? It's going to get worse before people go and get behind this thing. It it makes lots of sense. No, I don't think it human nature of people thinking, yeah. I don't think it it, I don't think it necessarily impedes though the pace of innovation, right? What we're talking about is, is investment.
And yes, you know, we are humans and budgets are limited and people go where the fire is and they put out the fire. There will still be people who are thinking about where will the fire go next? And products will be developed in anticipation of where those go.
And sometimes they're right and they make a billion dollars and sometimes they're wrong and they fail or it wasn't the right, you know, solution where it may be. And so, you know, I, I'm with you, Jim. I'm trying to make it take a more positive spin on it to try and end our show. But I'm with you because it, it does take a bad thing to happen sometimes to OK, well, we can't have that again.
We can't have another, you know, socks, you know, finding or we can't have another regulatory finding or a breach or whatever it may be. We have to invest and catch up. And I think that's where a lot of companies fall into this trap of what I call the peaks and valleys of their investments is they didn't keep sustained investment to keep pace and keep good security posture management in place. They did a spend, caught up and then let it die slowly.
And then now they're doing another spend and they're going back up again instead of having this this, this consistent approach to it. I agree, which I I had a comment on that the last thought of how we keep things interesting, right. So posture management becomes day of your life. And one thing that I caught up during my, my recent travels, which has, they have been quite intense is Duolingo, right? I, I, I'm, I'm learning French and I, I can order tea in French now.
It works. It works and, and, and that type of gamification. So I'm, I'm thinking perhaps that we could do that, something like that for identity posture that becomes something more acceptable, right? Yeah. Nobody likes to wake up in the morning and work out. But that's basically what we're describing that identity security posture management
requires. If you can figure out how to turn World of Warcraft into some sort of, you know, gamification of identity management, I am right there with you, baby. There you go, man. Start up time, yeah. All right, let's go ahead and start wrap things up. I, I got to ask because you mentioned it earlier, Henrique, Mike Tyson versus Jake Paul. You know, they, they fought a couple weeks ago at this point, you know, what are, what are
your thoughts on that? Man, it, it is crazy because my son was asking me about this because when I say, hey, I'm going to do this podcast today and say, OK, are you going to be talking about Mike Tyson? Say what? No, I so now I I think I'm I have but now. You can say you kid, you did. Yeah, we did talk about Mike Tyson, man, what I think was amazing is that how many generations were watching that thing from from Gen. alphas all the way to boomers and and and and different preferences.
Of course I, I, I wanted Mike Tyson to win. I think people, my generation would would perhaps OK, yeah. There's no, no way this YouTube will, will, will I, I thought Jake Paul would will lose that one on points, but I think there's a lot of the controversy came in about the things he said after the fight, right. And so, yeah, I that he took it easy on, on Mike and, and which is kind of weird, but before all the the hype came in, I thought, well, man, this guy's going to
be destroyed. I think Mike Tyson's going to kill this guy. And and there was a fight before the main match. I don't know if you guys saw it. Did you guys watch it Was a was a Brazilian was a Brazilian comedian was a Brazilian comedy called Winderson Nunes the Winderson is a is a stand up comedy comic in in Brazil turn into fighter and now and then and he got demolished right by
this this Indian boxer. And I thought yeah, that that's that's what I would expect to happen with with Jake Paul, but I was wrong. I think as many people, I think a lot of people. That was a weird. Fight. I mean, it was an exhibition, right? I mean, let's look, Father Time is undefeated, right? Tyson is 58 years old. You know, I sneeze and sometimes my back hurts. He got into a ring and went 12 rounds with a young man who is a, you know, a, a, an established fighter.
I don't know how good he is, but he's been in the ring and he's been fighting. You know, he's got some success there. But 58 years old, Hey, man, you know that's off to you. I would have loved to see Tyson win only because I think it's like a generational thing, right? You grew up with Mike Tyson, you grew up with Michael Jordan, you grew up with Walter Payton, right? All these sports heroes of your time, you don't wanna see them get dethroned. And hey, Tyson made what, $20 million?
I I don't need to go 12 rounds, you know, someone can, someone can push me and I'll take the $20 million and I'll fall down and take the TKO. Right, exactly. But but I'll tell you what, also hats off to to that guy, Jake Paul, just to orchestrate this, this whole endeavor, right. And he has this vision of OK, I'm, I'm gonna number one, I'm gonna learn a new sport and I'm gonna fight perhaps the, the, the GOAT. And, and to make that happen,
yeah, it takes a lot of yeah. Jake Paul got 40 million for the fight and Enrique I don't. And Jeff, I don't know if you guys watched the fight or not, but Jake Paul definitely could have pummeled Mike Tyson. First off, he was like 6 inches taller and bigger. Exactly, his reach was. For my my fellow 50 year old and plus, you know you're not going to beat somebody in their 20s who's more fit than you. It's just. Not good to.
Happen, you know, if it was a one round fight, Tyson might have been OK, but your VO2 Max, which is like your ability to move oxygen around your body at 58 years old versus a young man in his 20s and his prime, that's just. Did I say Father Time? The idea of him lasting, I think it was an 8 round fight, the idea of Tyson and and he was exhausted by the end. But Tyson said one thing at the end which is he doesn't know if that's his last fight.
Why would it be? Who amongst us wouldn't go in the in the ring for $20 million and just let Jake Paul kick the crap out of us? As long as you live, you got 20 million bucks. So, Jim, maybe this is our our future endeavour. We did, you know, Fido feud at authenticate. Maybe we do a identity boxing circuit or some sort. If there's anybody who's listening who wants to beat me up for $20 million, I'll take
your money, right? I will not get into a cage match with David Mottie however, so this this is where I draw a line. Even for 20 million. That guy that this, that guy is massive so. Yeah, he is. He's he's he's really. Built well, but but back to to Tyson and Jake, just to to close that up my what my son told me right this morning, he said, but that you know that that fight was scripted right. I said, what do you know about scripts? I don't know very interesting either.
Yeah. I mean, everyone has the plan to get punched in the face, I think Tyson. Said that once. Tyson Yeah. Yeah, it was an exhibition match. It was interesting to watch. You know, it was a spectacle if you could watch it. I know Netflix had trouble streaming and I didn't watch it. I didn't really care so much. But hey, just to be in the ring for 58 years old and to go the distance and, you know, be up there, like I said, you know, sometimes I sleep wrong and my neck hurts.
You know, I'm not going to criticize any of those guys. You know, hats off to them. They made their money, you know, time to move on. All right, why don't we go and wrap it up there for this week? Enrique, it's always a pleasure having you on open door policy. Anytime you got something you want to come on and and talk about, you know, the door is open, come on in and you know, we can get to it. We're going to go ahead and leave it there for this week.
Enrique. I'll put a link in our show notes to your LinkedIn profile. So people want to reach out, connect, you know, they'll be able to do that. Also have a link to Savient so people can check that out. If you haven't heard of Savient, not sure who you might be if you're listening to this podcast, but go check them out as well. And yeah, we'll have links for Jim and I as well to connect. Helps us, you know, if we get feedback, say what works, what's not working.
So we're always looking for stuff. If you have ideas for shows, drop us a note there. You know, that's always good. And then of course, you know, we're still on the YouTube. idacpodcast.tv takes you straight to our episodes there. Do us a favor, like and subscribe. That helps out the show. And yeah, we'll leave it there. So thanks everyone for watching and or listening and we'll talk with you all in the next one. You've been listening to Identity at the Center.
We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.