Cybersecurity has always been an apprenticeship, OK? It's always been an apprenticeship. It's not a a skill that is just kind of like learned off of books. Like you work with a lot of people. I've learned a lot of stuff from other people. And there's a lot of repeat work that you do over and over and over again. And it gets better every time you do it right.
But we don't have but people that are sticking around long term to be able to cultivate that apprenticeship models anymore the way that it used to be. So if we get 2 years here and you've got another year here and two years over there, it looks like you've got good experience at very large, reputable firms and you were part of, you know,
their, their cyber team. But if you took that person as an individual and you said, OK, let's look at your own personal depth on something, right, related to these topics, I find it sometimes lacking. And I think that that's the shift that that needs to be made is that we've got to bring back the apprenticeship model a bit more.
We've seen that apprenticeship model like if you if you look at some of the other countries that are ahead of us in in tech development and they're moving faster than we are, everywhere you look, the apprenticeship model is intact. This is identity at the center if it has anything to do with IAM. This is the go to podcast now your hosts Jim McDonald and Jeff Stedman. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim.
Hey, Jeff, how are you? It's a bad cowboy. How are you I? Was wondering because I was going to scold you if you didn't say anything about my hat. How could I not? How could you not? I mean, you know. OK, so we're at Gartner, I am Grapevine, TX, and I'm the only one wearing a cowboy hat. A little disappointed. OK, Mom, you sticking out like a sore thumb. You've got the you've got the cowboy hat and you've got the Hugh Hefner sort of crushed velvet jacket. You definitely look like a
smoking jacket, right? But out of Deadwood or something like that. Yeah, well, that's that's my jam, you know? We did talk about it with Head last year. By the time people were hearing this, I mentioned that because you looked like a like a dealer in that one and we got a little bit of that in the very beginning. I always say I just want to blend in. You're doing a terrible job of
blending in exactly. So I want to say thank you for Gartner for having us. We're going to be speaking tomorrow, so it'll be in the past at this point. But they've hooked us up with a room. They've done a really nice job. RSM has paid our expenses to be here. So thank you to them as well for, you know, making this possible to be here and to put this podcast together for the community. So thank you. So thank you to Gartner, thank
you to RSM. Why don't we jump into it because this is really the start of a series that we're going to be working on throughout 2025. And this whole idea of identity at the center, right, That's what we named this podcast. And it is all about the intersection of cybersecurity
and digital identity. And one of the things that I think about here is as identity people, we sort of get into our silos sometimes like, oh, it's identity thing, but we really need to understand how identity plays in other parts of organizations, security, privacy, because we cannot be successful as an identity individual within an organization that needs to be organizational buy in.
So a lot of these conversations that we have, sometimes you're reaching outside of the identity team a lot of times, most of the time I would say, and you really need to kind of understand, OK, well, what are the, you know, the, the tricks, the, the, the tie insurance, right? To how does this affect maybe somebody who is in application security or attack penetration or maybe even the business or strategy or risk, right?
So the whole idea here is we're going to put together over the course of 2025, about 10 episodes where we kind of pull together these ideas and say, OK, so this is the Identity Center podcast. What does that mean when it comes to X? And today we're kind of setting the stage with it, so we'll kind of go with that. We're going to talk obviously about digital identity and all these, but hopefully that makes sense.
Anything going to add? I mean, what I'd like to add to that is like the biggest theme that's happening at the conference and in the industry overall is this idea of identity security. So it's that identity is moving into a larger role within cybersecurity overall. And so I had an interesting conversation with a few folks yesterday where it's like, all right, the industry is kind of heading to this identity security route.
A lot of clients are still fighting the, the AB, CS and 123's of role based access control gave their authentication house in order giving privilege access management. And that's great. Like if you have to, if that's where you are, that's where you are and get those things fixed. But this is where the industry's heading. So even if that's where you are, pay attention to this because a year, 2 years down the road, this is where you and your organization are going to be.
This is where you're going to be making your investments. So start boning up on it now. Yep. Important to be well-rounded and that's kind of what we're trying to do here. So we have partnered up and buddied up with our friends at RSM. We have a lot of really smart people that we work with. So we're going to talk with some people from RSM.
We're going to talk with maybe some clients that you and I work with throughout the year and probably others and experts in specific domains kind of help tie us all together. So hopefully by the end of 2025, we'll kind of have this curriculum where people can kind of go back and look and say OK, identities at centre. What does that mean and how does that relate to some of these other topics? So let's kick it off with the man, the myth, the legend.
He leads our security and privacy and consulting practice here for RSM. I want to welcome Tasif Ghazi. Everyone just calls him Ghazi. So welcome to the show, Ghazi. Thank you guys. It's such an honor to be here on the podcast. You know, I'd say that it's, it's not my first time. I, you know, I've been behind the scenes probably at least three or four times. So I was really privileged and honoured this time around to, to get to come and actually speak to both of you.
So thank you for inviting me. So the first time technically, I think that you saw us do our thing was at a Gartner conference a couple years ago and we were doing some things and I, I, I think it was probably in Vegas when we were doing that. And so, all right, who the heck are these guys? What are these podcasts all about? What's going on? And then I think you hopefully started to see it was like, oh, you know, we're talking to, you know, really intelligent, smart
people in the business. We're having conversations, not presentations and really kind of getting to the the crux of things. So hopefully that made a good impression. It must have because we're still doing it two years later. And you've been very supportive of what we do. No, it was, it was definitely a really, really good impression. And, you know, I was really
floored. I mean, I had listened to the podcast before, but you know, just the guests that we're on and their perspectives, you know, there was so much learning just, you know, I, I just find that really, really intriguing because you know, cybersecurity, we're going to get into this today. It's not a topic that's can be solved by one 2-3 people in an organization. It's an organization wide activity, right?
And there's a lot of lessons that we got to learn from other organizations, other colleagues, you know, third parties that are helping support one another. You know, there's such a huge vendor ecosystem now around cyber. So bringing all that together, you know, and getting that perspective, I think it's you guys have done a really good job at this podcast. And, and I was really impressed with the the guests that come on. This is going to be the downfall probably.
Well, flattery will get you everywhere on this podcast. I'm very fond of saying that. And now you're in the hot seat. So we've got you here for the first time. Tradition, when you come on our show that we talk about origin stories. So give us the Ghazi origin story. How did you get into cybersecurity at large? You know, it was really by accident. You know, I was a young boy.
I, you know, really didn't know much about technology, but you know, my father was very good about making sure that technology was around me always. I used to have AZX Sinclair Spectrum plus computer that, you know, most people probably don't know what that is, but you know, it was a pain in the neck to boot up and, and work on and, you know, I was resilient on on
making sure that it worked. So it kind of, you know, having access to it. One was, was really good, but in my, you know, teens, you know, 1718, one of my first jobs was actually at a Internet service provider and it was really doing customer service work. However, the customer service call center was right next to the server room and I was fascinated by what was going on in that room, right? So I made friends with the the server engineer and I used to
work the night shift. So, you know, after customer service calls died down, after all the kids were offline, mirc and all of that, right? him and I would, would sit there and, you know, we would talk about routing, we would talk about some Microsystems, all kinds of other things that were, that were going on. So I got fascinated by that and that's how I kind of stepped into it.
Learned a lot of infrastructure, learned a lot of Windows, a lot of Microsoft tech and really started on the infrastructure side. And that was really fortunate to to, you know, step into the security and privacy and the realm. It came through a public accounting angle with a big 4. But that gave me an opportunity to actually go and build a cyber practice.
And, you know, that gave me, while I understood the tech, you know, it gave me new aspects of what application security means, right, what penetration testing means and how do you bring that back together. And then that extended beyond even enterprise systems into operational technology systems do a lot of IT and OT convergence work in my career. And little by little that's just kind of grown. And I've always been fascinated by cyber security and just tech
in general. So it's constantly kind of fed itself. I have a finance degree. So, you know, I, I don't really have any. I've never had, I've never felt the need to actually go and study it in, in the university and such. So, so that's kind of my origin story. I've been with RSM about 10 years now. I lead our security and privacy practice for North America. But my day job is, you know, obviously I, I'm the practice team, but I'm a client service professional.
I'm really helping organizations build their cyber programs to help them mitigate against the wide array of risks that that our clients face today. And that cuts around identity, that cuts around perimeter endpoints, you know, user awareness. I mean, you, you pick a cyber concept and it's there and then, you know, there's, there's industry specialities that you have to have within that realm that you have to bring up as well.
So it's been a very, very good journey over the last 25 years in this space and, and just learning from our clients and giving back, you know, those learnings to others that don't know it. So. Gazi, I love that that curiosity angle injector. You saw the server room, you got excited. You know what's going on in there. Let's stay curious, man. You got to stay. Curious, you know, and I talked to folks who listen to podcasts. I don't think there's anybody's job description that says listen
to this podcast. If you listen to the podcast, they're trying to to expand themselves. But I would say that's a key for anybody is to you've got to be curious. You've got to put in the extra hours to learn. If it's not what you want to learn, figure out what it is in this world that you want to learn and what you're passionate about, do that. But if you want to be in this space, I mean, there's endless amounts that you can learn. Absolutely.
I mean, I tell people that I'm coaching all the time that, you know, those learnings don't stay with an organization, right? That's investment in your own self, right? And you're going to carry that wherever you go. So a lot of times people say, well, like, you know, I don't want to work 40 hours or I don't want to work 50 hours. I'm like, you know, I'm going to do my job and I'm going to go home. That's a disservice to yourself,
right? And I'm not saying that you should do your your job in a, in a way that you're overextending. I mean, your personal time is very important. We'll talk about what I do for my personal time maybe today as well. But I do think that there's investment that's required, right? And bring it back to yourself always. So stay curious and invest in yourself. Stay curious and then you'll hit the pinnacle of your career being on the Identity Center podcast. So there you go. Made it.
So let's talk a little bit about some of these planned episodes we've got coming up over the year. We're kind of starting this overview with the digital identity level and sort of the the overarching kind of vision of that. But we're also going to talk about things like strategy and risk, compliance and governance, architecture and engineering, application security, attack and surface management, secure cloud, detect and respond,
resilience and recovery. Resilience is a big one that we're hearing here at the Gartner conference. And then of course, emerging technologies. There's always something new on the horizon. I know I just kind of threw an awful lot out there. Are there any things that kind of jump out of your mind? It's like, OK, these are things that are really kind of top of mind for you right now. I mean, they all are top of mind, you know, now, some more so than others, right?
But I think the important part is that the, the reason that, you know, when we were kind of orchestrating this with UVI is about the, the, the episodes is because you need every single one of these things to kind of work together, right? And identity ultimately is that the, the core of everything because you can't do strategy and risk if you don't, you know, manage identity workflows properly. You can't do governance and compliance if you don't manage
identity workflows properly. You can't do application security if you don't manage identity workflows properly, right? So whether it's cloud, whether it's attack surface management, you know, whether it's threat management, emerging tech, we talked about AI now or you know, people were talking about blockchain forever, right? Tomorrow it's going to be about agents in in, in the space of AI, right, And how they're, there's needs to be rigor around
that. That's going to be another ID that we're going to talk about at some point, right? All of that cohesively, right? Has to be on top of mind for every seesaw like they're contending with all of these. A lot of times, you know, you talk to seesaw and you're talking to them about identity. But you know, if you think about, you know what seesaw thinks about when they're sleeping at night. They sleep. One, they don't sleep, but when that is what, what are they
thinking about? I mean, they're thinking about compliance and governance and they're talking about architectural engineering, right? They're talking about resiliency and they're thinking about resiliency of their organization. That's why they do sleep because, you know, are they resilient or not? So you kind of bring all that together and it's very hard to dissect this in one go.
And I think giving it some time and understanding that there's all these different pieces, but they all have to come together. They have to work together. That's how I think about my cyber team here at RSM as well, that we have specialists in each one of those areas, right? I'm not an identity specialist by any means, right? I'm a operational technology specialist. That's what my bread and butter was. But you need engineers, right?
You need identity professionals, you need penetration testers, you need, you know, operations managers, right? You need governance and compliance specialists and strategy specialists. So all of that, you know, has to come together. And I, I think that that's the, the big hill that everybody has to climb right now is that, and it's not one thing. It's which people talk about vacuum, all right, or what what that is.
It's it's always because it's so many of these things, but I think that if you're organized about it, you can take credit for multiple things, right? If you engineer things correctly, right, if you structure your applications correctly, then you know you've got benefits on on other sides that you can take. Governance compliance is a great
example of that. If you know you've got to comply with this on one side, you can comply with the plethora of other requirements, you know, that might be required for our organization. PCI compliance or CMMC compliance or whatever that is, right? Healthcare compliance, you do it one time, you should be able to take credit for that because access control is everywhere, right? Change control is everywhere.
And I know that we'll talk about that in more detail, but, you know, I think about these these episodes and the structure of some of these topics that you just talked about, Jeff, as something that is really interrelated, but at the same time needs enough time and attention to be kind of dissected by themselves, right? So they have to stand on their own, but then they have to come together as well.
So we're hot right now. When I say we're, I mean digital identity and sort of this business that we're in this, this vertical or industry, whatever we're going to call it. Why do you think that is and why, why is it getting heat now? You mentioned some things like compliance and security and risk, but identity has been around for a long time. But now we're starting to see, you know, it's getting a lot more top of mind, it's being paid more attention. We're seeing more investments in it.
Why do you think it is now? Is there something that's maybe changed within the last couple years or is it just this is the normal evolution of kind of how you've seen maybe waves come through cybersecurity at large? Well, I think that the change happened 10 years ago, maybe maybe even more. What's done over the last two or three years is the, I think acceleration, right? And I'll talk about that in a minute. But I think before that, why is identity hot? I think that's, that's a really
critical question. And I think we've started this conversation about why are we talking about identity and cybersecurity together, right? They've always been together. There's never been cybersecurity without identity. There have been times where identity has been carved out from cybersecurity because it's it's a massive endeavor. And and you know, there's a business enablement component to it that you've got to work through. But why is it hot? Think about what, you know, what
hackers do today, right? It's credential theft, right? And it's bypassing authentication, right? It's impersonation, it's session hijacking. It's man in the middle attacks, right? Exploitation of token systems. Everything that I just said is related to identity one way or the other. OK, so I don't know if you've ever played this game, Call of Duty. If you play Call of Duty, there's a there's a mode of play mode called War Zone, right?
And in war zone, you kind of see this perimeter, right? And then over a period of time, that perimeter shrinks and shrinks and shrinks and shrinks, right? And it gets to a very, very confined spot till the time the the last man is standing. That's how I think about identity is because that perimeter has been shifting, right? We used to have perimeters. We had defined perimeters, we knew what they were. And then we went to cloud, right?
And as we went into into SAS applications and cloud environments, we lost the control of the perimeter, right? So it started coming in. So then you have to go to the next thing. What's the next thing? Well, how are you going to protect it? Well, identity becomes naturally the place. Well, then we added remote workforce right through COVID. Well, that accelerated. We also added bring your own device, right? So that's accelerated.
So you have to kind of start seeing all of these things that happened in the last and all these things happened in the last 10 years. And that's accelerated the conversation and really put identity at the forefront because honestly, what what else are you going to do? How else are you going to protect your environment, right, if you can't protect it by by making sure that identity is at the centre of it. So I think that's what's changed in my mind. I don't think identity has
become more important. I think it's just become more visible to people clearly on what that is. And then the technology stack has changed, like what you could do with identity 10 years ago, right? You, you can do so much more today, right? Whether it's role based access control or, you know, secrets management and things like that. There's so much more there to dive into to, to get a better, you know, security profile of your organization and get better protections.
Yeah, you touched on this a little bit, but so when Jeff and I came up with the name of this podcast, it was a 2019. So the idea of identity security hadn't even been thought of at that point. But in terms of, you know, what we were thinking with identity at the center's, identity should be at the center. I think right now or back in
2019, it was silo, silo silo's. Now what you're hearing more and more folks come on our podcast and they're like, because identity is at the center and they're like, oh, that's kind of funny. I'm on the identity at the center podcast. But I also think our industry can be a bit of an echo chamber. Like it's identity at the center. We're in identity, go identity, everything's identity. And you know, I hear terms like
identity is the new perimeter. People are saying that a little bit less, but I wonder when I when you hear that that term identity is new perimeter, and maybe you just touched on it there with like that analogy of the shrinking perimeter. What is that? Is that what you're kind of getting out with the identity as the new perimeter? In other words, you can't trust, I think that the old perimeter, the idea was, you know, you have this crunchy shell and the soft
inside. That was what produced the sale time, right? And that doesn't work anymore. Like the crunchy shell is just almost might as well not even have, even though I'm more in favor of layers of defense. In other words, like, you know, get past the crunchy shell. Now I get past this, now I get past this and then, you know, we're going to instantiate the identity check. But I also kind of feel like I have this.
This is like a a spider web that reaches out into so many areas where identity is now part of your your logging mechanism where you can start to use behavioral analytics where you're watching who's coming in and you're tying it all all back to an identity. Or it looks like somebody's been compromised. Maybe somebody's laptop has been compromised and that shows up an X number of vectors, but a lot
of them are identity based. So when you hear identity as a new perimeter, what what of that resonates or kind of what comes top of mind to you? Yeah. I mean, it's, it's all of that, right? For me, you know, it's, it's really challenging to figure out where to put the controls, right? As a cyber professional, that's the fundamental job, right? Is that where are you going to put the controls?
So the analogy that I was sharing from this game, right, where the perimeter is shrinking, that's what's happening. Over the last 15 years, we've seen that perimeter shrink, right? You, you, you had edge computing and edge protections, they're kind of dissipated, right? Then you go inside and you say, OK, well, maybe it's on the application level, right? I need to put that, well, that didn't work out really well, right? So much compromise happened in
the application security space. Then you can go on the endpoint level, right? But endpoint still has the challenges of what you said, right? What access should you have, right? And what is you, you as a person, what should you be granted access to? So you start looking at all of those challenges. I mean, we've had PKI infrastructure used and, you know, public private key infrastructure used forever, right?
It wasn't easy to use. So it's shrinking, shrinking, shrinking, becoming more and more difficult to manage and ultimately where you settle down. Is that OK? Well, I think it's the individual. What is the access that you need to do your job right? What are the resources that you need access to? What are the two or three things that you need to have to validate or verify that identity that it is you, right? And you know, is it going to be multi factor authentication and all of that?
And you know, or it's going to be a, you know, UB key and you know, you're going to have tokens and and other things to to support that. Or, you know, it's going to be a text message. Whatever the the vector is that you're going to use, it's still coming back to the person, right? Or the non all the non human stuff, right? It's my phone, it's my laptop, it's my IoT device that's sitting out there, right? But you have to take that in connection with the
proliferation of those devices. I can't tell you how many people I know that walk around with two phones, right? They've got a laptop, they've got an iPad. So each person, if they're walking around with four devices, right? I mean, that's, that's a lot, right, to, to work through. So for every single human ID you have, you know, fourfold, I would say even probably more once you get servers and desktops and all kinds of other peripherals accounted for. It's, it's a massive endeavour
to, to work through. And there is no control point other than the identity of that device of that person for you to put any, any sort of control on. And that's where it's been very difficult actually that's that's been challenging for Cisos in in general for for our clients as where does that start? Yeah, You're hitting on a very interesting point about the control point and understanding access control and what it
means. Because, you know, you can say, all right, we're going to rely on identity as the kind of the final perimeter to whatever our data or application, but what does that mean? Identity is? How did that identity get created? How's it authenticating? You know, how's it being monitored? So there's all these controls in on top of like identity is just one word, but it means all these
different things. One of the things that I'm, I'm really interested in with this series that Jeff and I are starting up around the intersection of identity security and cyber security is the conversations that we're going to get into. So for example, one is secure cloud. I mean when I think about secure cloud, there's, you know, I think of two types of clouds
primarily. 1 is your SAS applications and one is your platforms or your infrastructures as, as a service, really what, what can you manage as an organization from a security perspective with those applications? Primarily when it comes to SAS applications, all you can control, there might be some configurations, but it's your identities, you know who gets access to what and then what authentication do they go through.
If you're setting up your IDP, if you're talking about platforms, there's more, you know, infrastructural service, there's more that you can manage, but identity is probably still the key one. When you talk about resilience and recovery, that's another conversation.
One of the things that gets me jazzed up about that is, you know, I kind of feel like I did a disaster recovery plan a long time ago and you know, it's like the Active Directory on Prem Active Directory was like, can we restore that? Well, OK, well, you know, check, move on to the next thing. Now it's just such a complex web that needs to be up and active before you can access anything. So these conversations, I think are going to get really interesting.
For sure. I mean resilience 1 is, is, I'll just pick on that one. You know, it's not about the business continuity plan anymore or it's not about Emergency Management. It's how quickly can you recover, right? How quickly are you going to get back on your feet and what's the loss right, associated with it? So, you know, you start thinking about resiliency very differently. In order for you to accomplish that, yes, you need a business continuity plan, right?
But you need to make sure that your vendor ecosystem is just as as tightly knit because when an issue happens, it's it's especially if it's related identities and those identities are cutting across multi cloud, Those identities are cutting across multiple SAS applications. Well, you got to have all those people in the huddle with you, right, to solve for it. Your security operation centres need to be be read into it. You've got to have better
monitoring and, and all of that. I mean, you talked about even identity based threat monitoring earlier. I think identity based threat modelling is going to be like almost a necessity. You can't flip things back on until that's working. If you do, it'll be down in five seconds. Exactly right. So you have to rely on the heuristics and the behaviours of people. Ghazi connects from this device from this geographic location 95% of the time.
If he's outside of that, this probably should be a flag. Somewhere I'm really excited for that conversation because I think another thing when it comes to disasters is the nature of disasters is different. You know, OK, you could still have an earthquake and your primary data center that you manage goes down and then you fell over to Sun Guard or something. The new disaster is a hacker comes in and encrypts all your data. It's an intentional disaster. There's no failing over to
another data centre. Yeah. And we, we consciously you know at RSM, we moved our business card community team and you know our disaster recovery teams alongside our cyber teams because a lot of those events now are, are actual cyber related events, right. So you have to be integrated in delivery of that service. And it's not just for us to integrate and, and be be able to deliver that service, but it's also for our clients. They have to think about it the same way, right?
Because they can't. You, you have to have all of these pieces together to be able to solve that problem. And it's very difficult when when you know you're in that boat where you know you, you, your data is encrypted. Yeah, guys, you one thing I want to talk to you about while, you know, I don't want to shift completely away from this technology conversation so exciting, but you manage a large organization of cybersecurity professionals.
There's a huge skills gap out there and it gets worse every year, right, Even though we're starting to build many more or create many more opportunities for people coming out to college or coming into the industry. However, the gap gets wider and wider between the need and what's available.
And so you had some ideas in terms of some of the, I mean, you talked about being from public accounting firm and that being a a great opportunity for folks to kind of learn the base skills and turn into cyber professionals. I was wondering if you could explain why that is? Yeah. You know, I, I, I'm a techie,
right? And I believe in engineering and I believe in the bits and bytes of, of everything that that we do. However, over the last 25 years of, of being part of cyber practices and running cyber practices and, and really helping clients stand up there, you know, operations and, and programs.
You need, you know, people that can do penetration testing and people that can do cloud engineering and somebody that can do, you know, infrastructure as code and somebody that does CID to CD pipelining and all of those right, They're all required, But there's also a general lack of, you know, kind
of lifting and shifting. So one of the things that, you know, I've found very helpful throughout my career, and this wasn't really, this is again, by by accident that that you know, this happened when I joined a public accounting firm. I actually didn't understand what I was doing right holistically. Like I, I joined a cybersecurity practice, but a lot of the work that I actually did wasn't really cyber security. It was really controls work.
And that was just the nature of the, the market at that time, right? Sarbanes-Oxley was new. Everybody wanted to talk about Sarbanes-Oxley, right? But if you think about those type of compliance requirement, what, what, what is it talking about? The fundamental very first thing it talks about is access
control, right? So you have people that are getting schooled and trained in the basics of access control, basics of program management, basics of change control, right, basics of resiliency like backups and operations and how you're going to make sure that your environment is resilient. So is there a skill gap? Yeah. But there's also people that can shift right and can be skilled up. Not everybody needs to be your, you know, high end engineer in this space.
There's a lot of work that needs to be done and it's everything from policy writing to making sure that compliance and governance is in place, right, to making sure that, you know, the programs are being managed appropriately and orchestrated. Cost management is a huge portion of it. Like you, you know, I mean, there's a lot of cost to cyber tools. There's a lot of FDE cost associated with cyber management of cyber operations, right?
So management becomes just as important as the the skill set. So I think that there is, there is definitely places you can pull from to holistically build a team, right, and orchestrate this. It's been really successful for me right, to upskill people. It's been really successful for for me to actually invest time in the university systems and actually help them kind of develop the program that we
need. Because the biggest issue is not that you're not getting people that have a cybersecurity degree. I mean, most universities now offer a cybersecurity degree. That wasn't a thing 20 years ago, right? There was barely an IT was a thing 20 years ago. So most whatever they're learning in school is better right, from a cyber perspective than it was 20 years ago. However, are they coming in ready, right, ready to jump in? And I think that there's a gap
there. So right now my work with some of the universities that I recruit at is trying to get people more ready for the actual work that needs to happen. And the, you know, the actual work is around the, the 10 things that you Jeff talked about at the beginning, right? It is around application security, it's around secure cloud, it's around detect and respond, right? It's around resiliency and recovery, right.
But are they touching this at a, at a topical level where they just know the the concept or are they getting any practical experience with it? Right? And that's been the biggest challenge. The other thing that goes alongside with, and this might be a little deviation from your question, but it's it's skill set related, the shortage in the market then, you know, you, you get people to move around. But cybersecurity has always been an apprenticeship, OK, It's always been an apprenticeship.
It's not a, a skill that is just kind of like learned off of books. Like you work with a lot of people. I've learned a lot of stuff from other people and there's a lot of repeat work that you do over and over and over again, and it gets better every time you do it right. But we don't have people that are sticking around long term to be able to cultivate that apprenticeship models anymore the way that it used to be.
So if we get 2 years here and we've got another year here and two years over there, it looks like you've got good experience at very large, reputable firms and you were part of, you know, their, their cyber team. But if you took that person as an individual and you said, OK, let's look at your own personal depth on something right, related to these topics, I find
it sometimes lacking. And I think that that's the shift that that needs to be made is that we've got to bring back the apprenticeship model a bit more. We've seen that apprenticeship model like if you, if you look at some of the other countries that are ahead of us in, in tech development and they're moving faster than we are, everywhere you look, the apprenticeship model is intact. So that's what my, I guess soapbox is that I got I, I really, I really struggle with that one.
Yeah. But I mean that's a a big part of you know, developing people. It's not only the long term benefit of two through organizations that person is going to really appreciate and start to build their career. And I think we have this concept of at RSM of the boomerang people. So it's like people who go out into industry work 3 or 4 years to come back now they've got
some new skills and experiences. But I do agree with you, the one year, 2 year, it's kind of like go somewhere time start to get rough. If you stick it out, that's where you really build your metal is going through the hard times. And I think that's a life skill, right? It's you learn more from the hard times than from the easy times. You guys have been doing the identity podcast for since 2019, but you've been doing identity work a lot, way longer, right?
And I, I bet that even in the last two or three days, you've probably learned a thing or two that's new, right? And it's always evolving and you're probably going to go teach that to somebody, whatever you've learned. And that's what it's all about, right?
So keeping teams together and I think building that apprenticeship model, whether it's a consulting business or whether it's a, you know, you're, you're in the industry and you know, you're kind of running your own operations, it's required either way, so. Yeah. I mean, one thing I did want to kind of pull out of that conversation was that, you know, it's, it's kind of the working with the frameworks, understanding the frameworks and
the access controls. So the access control or I'm sorry, the frameworks are designed to help you meet the access controls, right. So it's going in and taking a NIST cybersecurity framework. Questionnaire and kind of like working through that. And I think you you mentioned it gets better the more times people end up doing it, they
understand it more. Now when they go to a position where they're applying that framework and building a program around that framework, those pieces are really coming together. I think it has additional benefits as well, right? A lot of cyber stuff still gets pushed down because of, you know, compliance requirements, right, or governance needs and things like that. So some of that actually helps you work out, hey, you know, here's what the operational things are, right?
Here's the tactical things I've got to do, but why am I doing some of these things, right? And if you understand the, the, the control side of it, you understand the auditable side of it, right, versus the actual, the work that needs to be done, I think you can be a better consultant, you can be a better internal specialist because you understand both sides of the house, right? I don't think I had appreciation of that till much later in my career.
I did not like doing the the control work personally. I was like, I'm a cyber professional, right? I can architect and not work for you, right? And do a pen test for you. Why am I doing this other stuff? But you realize over a period of time that you still have to at some point justify those things, right? You still have to be compliant with certain regulations and so
forth. And by understanding the infrastructure side of it, you know what that difficulty is, You come up with newer ways or better ways to solve for the compliance challenges you have because now you understand both sides of the world, right? So you bringing those two things together, it's, it's really hard for people because you know, the compliance is boring. It's really boring, right?
But it drives a lot of like budgets for security, right, for organization, even for identity, like a lot of big companies, they, they do what they do because there are compliance requirements that they need to fund. Especially in certain industries. I mean, that is so that that was my background was I was in identity doing a lot of engineering program management, but in the manufacturing industry where it wasn't as heavily regulated, especially working on a lot of CIA and
stuff. I ended up in the financial services industry doing internal as well as banking and and the loan operations. What I found out, especially on the workforce side of the House was the regulatory framework or regulatory oversight, which led to all the frameworks and having the GRC controls in place tested on a frequent basis and making sure it's a lot more rigid and demanding.
And if you don't take the time to understand that and I had to kind of learn trial by fire, if you will, but I mean that was it's foundational I think for identity as you move up into more advanced leadership roles. And it, it's only going to get complicated with hybrid cloud environments, right? Because what is inherent in the cloud environment that gives you those controls, right? What is it that you need to
build on top of that? Because just by putting your stuff in in the cloud, you're, you're not, it's, it's still your risk, right? It's still your data, it's still your problem, right? Ultimately. So sometimes I find it naive for people to say, OK, well, yeah, what was in Azure? And Azure's giving me these control points, right? What was it configured for that,
right? If it's not configured for that, then you're you're not going to get those control points and the auditor will come and and we'll find you weaken those, right. We'll talk a little bit more about AI, but I, I kind of feel like this is 1 area where if we put AI in charge of making decisions about our access, we may have a harder time tracing it back to, OK, you know, was the right decision made, was the right information provided in order for that decision to be
made. But I don't want to divert us into the. I didn't want to add 1 one thing real, real quick because I think it's, it's related to what we were just speaking to. One of the things that I've, you know, been really contemplating is so the large companies, right? Generally, there's a lot of conversation around identity at those companies, right? We deal with those clients all the time. You guys deal with them, I deal with them, right.
But we have about 30,000 companies that are in the 500 million to $5 billion range, right? In the United States. They don't have the resource leverage that that some of these larger companies have. They don't have the budgets, right? They're still contending with the same proliferation, right? They, they have scaling issues, They're still running hybrid environments in most cases. They're still kind of on prime and then they've got some stuff in the cloud.
It's not very cohesive, right? They still need to be compliant with, with different requirements, right? So you kind of think about that demographic and I think that we've seen over the course of last so predominantly in the last five years that the attack vectors have shifted from large corporations right to some of these middle market companies or upper middle market companies, right? And it's because of that reason, it's because hackers are
generally lazy, right? They're going to go after what's what's easier. And I think within the identity space and generally within broadly in the cybersecurity space, you can't functionally deal with those companies the same way that as the larger companies are because they don't have big programs that they that you can tap into. They don't have 10 resources to, to go pull on, right?
They might have a total of five, they might have a total of 2 cyber professionals that are in that organization, right? But they're still rotating through, you know, $2 billion. So there are, they need a lot, a lot of help as well. And you know, I think there's going to be some changes that, that are going to be required on how identities are administered, built, managed, operated for that demographic of client.
And we've been, we've been thinking about that a lot in RSM on how we can make that mechanical and mechanise that holistically for those that demographic of client. But that's, that's huge. That's where most of the attacks are right now, and that's. Getting scanned just as much as the big companies. And it's kind of like the point that you were like, I was thinking like a safari example. The lion scans the herd and looks for what the weakest, the youngest, whatever, the easiest target.
And so if we're scanning everybody and somebody's under invested and has some weakness like that's the target. So I thought I'd I'd mention that a little bit because it's been, it's been on my mind lately. AI is on the top of everyone's mind right now. I think I'd like to do a little bit of a lightning round, maybe an identity or security Rorschach test for you. So I'm going to throw out some terms and just tell me what comes to mind when you hear the term zero trust.
I don't think there's anything else. Zero trust. I think it's a great concept like, hey, I don't trust anybody. OK? So you have to prove to me every single time that you're going to get access to a resource that you know you are who you are and you are connecting from where you're connecting. Otherwise, no. But reality is that it's, it's not been implemented at at an appropriate level and it is extremely cumbersome to manage. It requires a lot of manual intervention.
So I feel it's more, you know, I'm not going to throw it as that it's not a good concept. It's a great concept, but it's hard to implement. It's really, really hard to implement. Real world execution is is the trick, right? Because it's not just why I bought it in a zero trust product. Now I'm zero trust. It's it's a combination of things. And there's a lot of, you know, product conversation around it, right?
Well, you get this product and you get that in and you know it's going to solve the world's problems, right? But it's about how it's implemented. It's about how it's used. It's also very important. The one thing that I find missing in zero trust conversation is the, the business acumen within that conversation. There's no two businesses are alike, right? So what this business needs is very different than what this business needs, right?
And the way that they access things is very different than the way that they access things, right? And the frequency of the, the the access is very different than the frequency of the access. So I think that it has to be business centric. Does it work? And I don't think that you need to have zero trust deployed everywhere. I think you need to know what you're trying to protect in the 1st place and then define, you know, your zero trust
architecture around that. A lot of companies just think, OK, well, that's by default. That's what we're going to go do. It's a very, very costly proposition to get that through and manage it. No, I wanted to throw one thing into zero trust conversation. I'm sure you've heard this your entire career of doing consulting in the cyberspace, which is you talk to a client and they'll say, well, only people who are plugged into a network slot can access this. They can get it.
No password or no MSA. It's like, so as a consultant, you just nod your head. It's like, yes, that is better than if the outside Internet could come in. No, MFAI grant you that. But if you're asking me to say that's OK, I'm not going to or the the example we see all the time is, but there's only seven people in the domain administrators and we know them all, so it's OK. It's like if you're asking me to tell you whether or not that's OK, the answer is no, it's not OK.
You can't be. Familiarity isn't security. Exactly, that's spot on. So you know, I feel like that's a important part of 0 trust. Like the implementation of it is like, OK, you may not get 10 out of 10, but let's not just like because we, you know, getting from 9 out of 10 to 10 out of 10 is just so difficult. We're just not going to do it fine. 9 out of 10, not ten out of 10. No, I, I agree. I I do though, think that the zero trust conversation should be uncoupled from least
privilege. They're two different things, right? A lot of times people would just kind of combine them together. It's like, well it's least privilege. OK, Least privilege should be by by DNA right? That do you need 7 domain admins or did you need like 3 in the 1st place? Does their job actually require them? But what if? What if? What if that? Then that's how that circle
expands. Exactly. Well, I think. There's also even vendors in this technology, vendors in the space that will actually encourage organizations to grant people access that they don't need by saying, oh, this role is 80% of the people who are in the accounting department have access to this application. So why don't I just give it to 100. It's going to be simpler to manage. There is a benefit to simpler to manage this. 20% of people don't
need the access. By definition of what least privilege is, they should not have the access. So I don't know, maybe I'm just fighting over principle, but I think that's I think that's what it comes down to. A lot of times it's like, hey, there's just so much to manage that you have that these trade-offs to say. All right, well, some, you know, bundling this into roles and maybe people get more access than they need becomes more secure become because it makes it more manageable.
I mean, you always have to hedge risk, right? This that's that's basically the bottom line is that you have to, you may have to make smart choices based off of the cards that that are in your hand, right, But you also have to learn from what good looks like, right, and what best looks like and try to achieve that at the lowest cost point that you that you can. That's the name of the game, to be honest. All right, next one pass password less. What do you think of?
That excites me password less. Yes, I mean who, who, why, why, why are we remembering passwords like it, you know, 2025? I wanna have 48 different passwords for things said nobody ever. It's like it's, it's just the, it's the oldest thing that we've had, right? This password less Yes, all the way.
What do you think stops or maybe slows organizations from adopting it 'cause this is a a standard that the Fight Alliance has, has really helped kind of put forward over the last couple years and it's there, it works, people are using it. What is the what is the driver that a CSO needs to say is like, we're going to do this? I think Cecil's are pushing.
I've, I've had a lot of conversations with CSO's where they're driving that it's, it's getting comfortable with the technology, right, that you're employing. It's getting comfortable, it gets getting the the board comfortable. It's getting the executive management comfortable. It's getting the regulators comfortable because how are you going to audit that, right, in a regulated environment? So if if you don't have the standards for it today, you're going to create one, right?
So it's it's all of those things, right? And people get gun shy because they're like, OK, well, it's new. Well, I don't want to be bleeding edge, but you know, and it's not, this is not a bleeding edge concept. I mean, it's been around for a while, but I think the adoption of it is really getting people comfortable with the idea that they don't, they don't need to know their password, right? And how they're going to mechanize their processes are completely different, right?
It's very much a possession based authentication scheme and not everybody has something that they're comfortable using for possession based. And there are challenges, right field services and other types like, you know, not No2 business or alike. It's it's easy where you know, if you're connected to the Internet all the time and you're connected to a device all the time, OK, great. But you know, there's a lot of business.
It's the edge cases, and I think that's the excuse that people give the most on why it won't work here. It's that legacy system or the field engineer. But I say then carve those out, do password lists everywhere you can, and do some other mechanism for the edge case. I agree. I mean, I I that one excites me. Yeah, like I can't get rid of. So your team password list, I'm with you on that. One I'm I'm definitely team
password. List, how about I'm going to call an audible here because I had a couple of different ones who were kind of picked through, but you mentioned blockchain earlier. So when it comes to blockchain and decentralized identity, what it comes to mind? You could do a full podcast. On that and we have in. My Bitcoin wallet, What's it doing today? Yeah. Do you know anybody who's using it today out of all your clients and people that you're working with? I do not.
In fact, I, I would say there's a lot of innovation that is coming with blockchain, but it hasn't moved as fast as everybody thought it was going to move. At least that's my impression. OK. I, I, I won't speak for companies that are actively doing building tools technology on, on blockchain, right? But I'm a cyber professional and I've, I've evaluated based off of the number of requests that, that you know, are coming to us to say, hey, we're implementing this new technology.
I don't know if this is going to work for us. Can you come in and test it out? So far there have been zero those requests, right? So it's, you know, it's not like there's a ton of them. There are some and there's some some really, really creative ones that you go into like, oh, shoosh, this is going to, this is tough and it's hard both from a, it is, it is well orchestrated from a security
perspective, right. But then in, in general, I think your, your question is more identity and distribution of that. It's, it's very hard in a, in an environment where you know, you don't have you, you have obscurity, like how are you going to regulate that?
There's this trouble already in regulating blockchain right now where you're going to go and, and say a public, public company that is a SEC registered that that is going to come and deal with identity through obscurity and you can't really manage that appropriately. I think it's a really tough sell right now. I think it's a great concept, but I think blockchain and crypto in general has to kind of flush itself out for the masses, for the masses.
Yeah, I feel the same because I think like it's the solution that's been out there now for a while, but I don't know anybody who's using it not in the in what I'll call the real world, right? I'm sure there are some excellent use cases for it. When it comes to decentralized identity, I think we have to figure out, OK, well, who's blockchain, who's running that blockchain and how are we making that interoperable with others? And do you trust the blockchain
that it's on? I mean, at any given point, half the population is for or against government. There's healthcare, there's education, there's finance, and then you've got social media networks. You know, I, I think it's a really interesting, almost like a social experiment. It's OK. Well, when does this come? Because I've been hearing about it now for, I don't know, almost a decade I feel like.
But I've yet to see a I'll call a normal company adopt decentralized identity as part of their identity apparatus. I I haven't seen much of that either, so. I think the interesting thing about blockchain is this uneditable Ledger idea. I don't know the exact use case that it's going to be used for from an identity perspective, but I can tell you this where at Gartner I am it's not being
talked about. So it there's probably somebody listening to this podcast right now like you dummies, you this is the this is the future. Yeah, they're probably lighting up right now, but. I mean, I, I think the the fact is not like blockchain as a technology, it's fantastic. OK, So this is not a dig on blockchain in itself. Is your question is, is it being used today? I don't see it being used. Are there solutions out there? Yeah. Are they implemented solutions
where they're working? No. And just with any technology, it comes with its risks. You got to still figure out how you're going to make it resilient, right? How are you going to test it? How are you going to make it auditably compliant, right. All of those questions still have to be be answered. So I think there's work to be done there. OK. Last one we kind of touched on earlier, but AI, where do you see AI taking us in 2025? Let's just do kind of predictions.
It's it's January when people listen to this. Where do you see AI taking both cybersecurity and identity? And maybe there's any linkage between the two? No, I, I think that wherever we're going to go, it's going to be much, much better. I am really positive on on AI simple things, right, security operations, there's so much potential to automate things, right? I think that there are certain cases that I personally believe
again, it's my belief system. So take it for what it is that there is accuracy in decision making for for AI because this it doesn't have the emotion. I don't know if you saw this report, I might misquote it a little bit, but I think they ran some experiment where with doctors and they said, OK, doctors, you know, diagnosing a complex problem for for a patient and they're, you know, and they are going to do it by
themselves. They're going to diagnose that problem with the assistance of AI and AI will diagnose the problem by itself. And I think the AI diagnosed the problem 95% of the time or 93% of the time correctly. The doctors identified the the problem like 70% of the time, or maybe it was 75% of the time. OK. And doctors using AI actually reduced their competence in their own ability to to, you know. Meaning they became more reliant on the AI to make.
The No, they didn't. They didn't trust the. Game they didn't trust the AI, OK. So I think it was 65% where where it was. And so you take that, OK, we take it with a grain of salt, right, Because I don't know what the experiment parameters were and all that. But I do think that there are ample scenarios within cybersecurity, in the construct of cybersecurity in a broad sense where AI can be used to automate a lot of those decision making points, OK?
I've seen that within our practice and our security operation centers already in the amount of alerts that we are generating now that we can use AI to, to cleanse through what false positives are and so forth, right. I think workflows will become really, really big in 2025. What does that mean? That means in in doing your
day-to-day activities, right? I'm a consultant, so I do a lot of consulting engagements which require writing reports and making presentations and, you know, evaluating controls and evaluating configurations and things like that. There's very, very simplistic ways of, of using AI to evaluate those to make the process more efficient and actually increase the quality in the in, in that right. But you have to what AI is not, it's not a silver bullet, right?
You still have to, to give it the parameters. And I, the thing I think that I don't think this will happen in 2025, but it's very soon after it's going to be the ability for AI to use agents on devices and do different things where, you know, it can simplify the tasks. And I know people are, are
afraid of that, right? That if, if you've got AAI agent running on your laptop and it's monitoring for two months of what activity you do and it's kind of figures out, here's the patterns, here's what you do, e-mail comes in, you respond to it this way and then you go do this task, right? If it can compress that and predict that. Just to you, it could be you. Right. But then people take that immediately and say, OK, well, that means I'm out of a job. OK, well, no, it's it's not
going to happen that way, right? You just have to stay abreast of it. But at one point we used to have a Ledger, right? We used to take all the, this was the accounting spreadsheet. Somebody would like debit some credits and write it down. And then spreadsheets came in, right? And you don't see people walking around with a register underneath their arm, right? That has all that information, like it's readily available. And then spreadsheets turn into ERPS and you know those like all
that information is available. Yeah, when's the last time you bought an encyclopedica for Canada, right? To that point, but are you are, is the accounting professional profession done? No, you still need accountants, right? So it's, I think that you have to separate the technology and what it can provide you from the actual, you know, job that you have. Your job is going to evolve. The people that are going to lose their jobs are the ones that don't keep abreast of it,
right? You got to make sure that you're abreast of it, you understand it and utilize it for what that is. But something that used to take 40 hours can take like, you know, 10 minutes to do. Yeah, why not? Why wouldn't we do that? Why wouldn't we take that efficiency, Right? Why wouldn't a business take that efficiency? Absolutely we would.
Yeah, I think that there's a lot of thinking that the upcoming generation, they're the ones that are going to lose their jobs, say AI, and I think the exact opposite is true. They're going to be so much more efficient than our generation was because they're going to be able to use technology and have technology do all these menial tasks, things we don't think of as menial tasks right now, but we do them.
They take a lot of our time to write reports or analyze reports, and they'll just be able to expand the amount that they get done putting in less time using the technology so. And, and we'll have to completely update the controls and the protections and the mechanisms of, of authentication that we have as that proliferates. Why? Because the bad guys are going to have it as well, right? They're going to make their workflows just as more efficient, right?
So it's not just for, hey, if you use it for, for, for the good, right? Everything has two sides to it. And that comes with risks. That means that the security profession of the future, we'll have to account for that to understand how how those risks, risks, you know, propagate and manifest themselves in our clients environments and how we're going to protect against that, right? Are their pro, are their programs, you know, ready and
set. And it's, you know, with any new technology when you roll out, you know, it comes with learning. A lot of companies are experimenting with this, right? And there's so many, some companies have the stance of saying, OK, their acceptable use policy is that that should not use AI, right, for any work purposes. There's others that are like, OK, well, we're going to segment this portion off. That's where we're going to do it, right?
And there's others that are like absolutely 100% we're going all that, right? And if the all insurance don't, I mean, there's a risk, right with AI like you know, what if it's not secure enough, what if our crown jewels data goes into our AI model and somehow it's. I mean, there's a lot of acceptable use conversations around that. If that doesn't happen, though, they're going to leave their competitors in the dust. I mean, they're going to get so
much more done. The competitors could go out of business if they don't. I think you'll see this happening over the next few years where companies will cease to exist because they didn't. They didn't transform. That will transform themselves. And I think that that's going to be very, very prominent in the cyberspace because we started this conversation about skills and we talked about gap as well of people lack of lack of talent that's available, right?
Well, the solution to the talent problem is twofold, right? 1 is OK, Well, upskill other people, train more people, get more people interested in cybersecurity, right? Like I'm, I've got a 17 year old daughter. I'm really passionate about, you know, young girls being in the cyber field. I think it's a hugely rewarding field. I mean, it's three of us here, right? I mean, career wise it's been it's been fantastic. This is. Work. This is what I always think.
Feel like this is our job? And this is, I mean, I love it. So other people should have that, you know, satisfaction in life that, you know, you can, you can do that something that's that's going to, you know, take you somewhere and you're going to enjoy it. But, you know, we nearly don't have enough, you know, women joining the cybersecurity professional. I mean, it's better than what it was, but it's not anywhere close to what it needs to be.
And I find that every time that I have, you know, women in my team, the perspective is different. And it's, it's so much, you know, there's diversity of thought there, right? That that allows you to be be a little bit richer. But the point on this was the skill gap is either you, you train people up, right? And you add more, or you solve it by technology by taking out the manual work, right? And you transform that with tech. And that's, that's the work.
And if that's the work, now, if you look at everybody, because they're all short staffed, if that's the work, well, AI is the one that's going to help you solve it. But you, you, you also mentioned we, the, the risk portion of it is that you can't have publicly available models, right?
You're not feeding all the like, you know, corporations have to be very careful that they're most organizations in the future will have their own large language models, right, That that are supportive for, for their own needs, so that their their data, their, their stuff is in their own. Their data center and then eventually it will all be a software as a service, right? And then you will still need identity around all of that to manage that.
So identity will stay at the center I think for for a good bit of time. So. That was quite the lightning round, Jeff. No kidding, right? Well, let's go ahead and and let's let's shift gears a little bit. I want to talk some music because I know that you're into music. We've traded some stories around it. Tell me about your inspirations, the music you create, your process. Are you available to edit podcasts?
Tell me all that kind of stuff. I I will I will gladly lend a hand in editing a podcast, probably do a good job. What's your inspiration when it comes to making music? You know, it's, it comes from a lot of different places It comes from it generally comes from life, right? But it comes from sad times, it comes from happy times, it comes from fun times, it comes from stress times. And it's I've I've I've noticed that the inspiration arrives
weirdly. It's not like I'm actively sitting down to create something. In fact, most times I'll actively sit down and create something, it doesn't happen. You're trying to force the creativity. But then I'd be on a plane, you know, going from Houston to Chicago and, you know, something pops in my mind and, you know, then I then I need to do something about it, right? So I'll, I'll sketch out ideas when whenever that happens. So, but yeah, I've been at it
for about 20, five years. I think mostly electronic music kind of it's a good, you know, way to blow off steam. There's a lot of learning in that that space as well. I find, you know, the intricacies of chord structures and, you know, different genres of music and their intersection really, really fascinating. So there's a lot of learning there. I'm I'm a geek when it comes to audio production. We were learning about our about
our rack deck 4 it's. Got my, my new Mac so yeah, I've, I've been like, I've revved it up to, to make sure that it's going to work. But yeah, I've got a full recording studio. You know, I'll do it for myself. I'll, I'll have friends come in and you know, they, they want to record a song or or two, I'll do it. Got about 120,000 people following me on Facebook so. Maybe we'll get we'll call a couple more thousand maybe after
listening that's. That's been, that's been fun, but you know, it's, I think for me having passions outside of your, your work. It's not like I don't love my job. I love my job, but you have three parts to you. It's the, the piece that you do for yourself, the piece that you do for your family and the piece that you do for your work, right? And it's very hard to juggle, but I've noticed that anytime the cup is empty in one of those three, right?
Life is not stable and you need to do a good job at work and you need to make sure that you're, you know, you're, you're, you're creating something valuable. And just like I started this conversation, you have to continue to invest in yourself because it's not really who you're working for or what you're doing, but it's really what are you getting back out of it personally, The family is, is, is head and shoulders above
all the rest. And then you know your personal things and it could be anything, right? Your music or you like travelling or whatever that is. A podcast. Podcast, whatever that is, right? You got to have those three things in check all the times. It's that balance, right? I think what you're looking for in, you know, the the great warrior poet Thanos once said balance in all things, and then he snapped and half the universe disappeared.
He was a badass though I think. It's probably a good spot where we can leave it. This has been a really good conversation. I'm really excited for this series that we're going to put together throughout the year. And I think this is kind of a great starter, right intro. It's always, I always enjoy listening to you and hearing your thoughts and perspective on things. You know, we're always kind of synthesizing data that we get
from our different sources. And I think this is going to be a fun run that we're going to have here. So and, and thank you for the support for the pockets that you've shown over the last couple years.
I again, you know, I know you all are passionate about it and we are passionate with you about it because I, I think it, it's such a good service to the community, the identity community and then broadly to the, the cybersecurity community, such a good resource for people to go and listen to. And you know, it's, it's easy to listen to, right?
And we try. Yeah, a lot of people have identified with those problems and and you know, I think they could probably find some solutions through through this or or at least a a different thought process than than what they've had. But I think the series that we've talked about and just generally talking about how the intersection of cybersecurity identity happened and how, whether it's risk governance, engineering, you know, all these concepts, resilience, how they interplay.
I think it's going to be really fun here for you all to to dissect that and I'm happy to support it. Well, this is what we do for fun, Jim. Our day job is identity consulting. I think we've done a good job with the podcast, people not realizing that we actually have day jobs. Well, I always say, people say, oh, Jim, you've, you work really hard. I'm like, well, it's not quite like going into a coal mine or something, right? It's. Oh, we got to pump that up.
Like, yeah, it is. It's terrible. It is like my. Back all right. Let's go ahead and leave it there for this week. Thank you so much, Ghazi, for joining us. I'm going to have a link in our show notes to your LinkedIn profile for people to reach out. Maybe if I can convince you to get your Facebook link for the music stuff so people could check that out as well. It's it's interesting. We have such a diverse population of people, not only in identity, but in cybersecurity.
A lot of musicians we've actually had on the show and, and, and things like that. So it's, it's very cool. We'll leave it there. We're on the web, idacpodcast.com. If you're watching this on YouTube, thank you. Like and subscribe. If you're not watching it on YouTube, check it out. idacpodcast.tv. Connect with any of us on LinkedIn. We're always happy to have conversations with folks and, and just kind of engage that way. And yeah, so we'll leave it
there. Thanks everyone for watching and or listening and we'll talk with you all in the next one. Thank you all. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.
