¶ The Unsustainable Strategy of Heroism
Eventually, though, you cannot have a strategy of heroism. It's just a security strategy that is not sustainable. It might work in short bursts, and it might be something that's needed in the short term. But I would definitely start to think about: are your business processes secure? Do you have a way to look at the data? You know, how are you making sure that you're trying to reduce the risk as much as possible? At some point, you know, someone's going to have to make a decision: hey, it's time to spend a little money and catch up here, or augment, or whatever it may be. What tends to happen a lot of times, I see, is you get so far behind that you have to spend a lot of money to catch up. And it becomes like this ginormous task to just get to where good is, or maybe even adequate. And then, you know, I talk about peaks and valleys from a budget perspective: you spend a whole lot of money catching up and then you don't keep up with it.
And then guess what, in three to five years, maybe a little bit longer if you're lucky, you're spending a whole bunch more money again to try and catch up. If you could just figure out how to make that a slow and steady, you know, probable increase, just because prices get more expensive over time, I think you'll have a better approach. But it takes a lot of financial discipline to do that.
And if your organization is in that mode of, hey, this is going to be a sustained investment, identity is forever. And so I think you need to think about identity as a long-term commitment for the organization. This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now, your hosts, Jim McDonald and Jeff Steadman.
¶ Introducing the Identity at the Center Podcast
Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Not so bad. Yourself? I'm doing good. Hey, in all transparency, today is the Ash Wednesday holiday and I saw something I've never seen before.
¶ Travel Tales and Tech Tips
So I'm in Phoenix, AZ in the United States and was driving up to a corner in my Uber, and they had drive-up Ash Wednesday, where they put the ash on people's foreheads. But you didn't even have to, like, go to church and park and do all the other inconvenient steps. You could just, like, pull up. They do the blessing, give you the ashes, and on your way you go. I didn't do it, but I think it's very convenient for people. You know, they have a drive-up wedding chapel in Vegas. I mean, how convenient is that? Well, apparently there's a drive-up for everything, so I think so. I guess that's what it is. And more transparency: you're not in your normal location. Where are you? I'm sorry, I'm in a hotel lobby because my room was not ready. So we decided to record at 4:00. My room's supposed to be ready at 4:00, and 4:00 came and no room was available.
The joys of business travel, right? Yeah, I mean, basically we spent all day in, like, a tube, not at 40,000 feet the whole time. A lot of it was, like, ground level, just sitting there waiting for the takeoff. That's the worst thing. We just sit there all the time, can't go anywhere. You're just kind of like, all right, let's get this thing done. I know, I know. When I first got out of college, like, my dream was to travel for work, and it was a blast for the beginning. And then it's like, you know, when you're sitting there and it's like 10:30 at night and you just want to get home and get in your comfy clothes and get in bed, and you're, like, sitting there and, you know, you've got like a two-hour flight ahead of you, but you've just been sitting there for hours on end. Takes a little fun out of it. Do you have the Flighty app on your iPhone, I'm guessing? No, what is that?
It's basically, like, a little app that will track your flights for you and kind of, you know, tell you about delays and stuff like that. And I'm a fan of it. I've had it for a few years now, but it tracks every single flight. And so you can track, like, how many you've taken. You know, I'm looking right now: hours lost from delays, it has, like, your passport, how many flights, where you've gone, miles and stuff like that. 2024, we'll just go over this.
My quick stats: 101 flights in the year 2024, only 58,000, almost 59,000 miles. So a lot of it is just kind of, you know, regional US travel. 33 hours lost from delays from flying, so a day and a half, basically. You'll never get that time back. Nope, nope. Just sitting there. And I'm already at three hours lost from delays this year, and I've only flown, I think, a couple of times so far. We should say we are not sponsored by the Flighty app.
We are not, but I would happily take a year subscription if anyone from Flighty is listening. It's a great little app if you're a frequent traveler. Highly recommended. Unfortunately, it is iOS only, so my friends with Androids unfortunately can't partake. I flirt with Android every year, and I recently did it a few months, actually a few weeks ago, with a new Galaxy phone, and I could not find anything close to what Flighty does. So I really hope they add an Android version to the roadmap in the future. But as you said, not sponsored by Flighty. I'm just a fan of the app, and I think it has some interesting information. I always know when you're trying out the Android app; they're getting green text from you. It's like blue, blue, blue, green, like, Jeff's on an Android. Yep, that's me, man. I was trying something. You got to know what's going on in the world, right? I love Android phones. They're great, but here's something you taught me, so I didn't know this. You know the green texts, you think they're SMSs, but they're not necessarily SMSs. They could be a very... we call them RCS. RCS, yeah. So Apple added support for that last year. I think it's part of, like, iOS 18.
And so now there are some comparable capabilities and features that are similar to iMessage but cross-platform between Android and iOS users, as long as your messaging app supports RCS. But just, you know, educate your family out there, because there is a warning that I'm thinking of from the FBI, like, your texts, if they are SMS texts, they can be seen by... just assume they can be seen by anybody who is a hacker.
So, you know, I'm sure nobody who listens to the podcast does this, but taking pictures of your credit card and then, like, texting them to somebody. You trust them on the other end. It doesn't matter if you trust them on the other end. It's all the people in between that can actually see that. So spread the word, good fellow. That's a risk no matter what you do, I guess. So you've just got to be careful. Why don't we cover our conferences real quick?
Because I'm nervous that you're in the hotel lobby and someone's going to come over and cause problems for us. They're going to ask for an autograph, you know it. Are you the Jim McDonald from the Identity at the Center podcast, sir? Let's see, let's start with London. We have the Gartner IAM Summit coming up March 24th and 25th. If you use the code IDAC425, that'll save you €425. That is definitely coming up here in the next couple of weeks by the time this airs, so you definitely want to make sure you take advantage of that. Show some support. We will not be there, but we'll be in Berlin for the European Identity and Cloud Conference. So that is May 6th through the 9th. I still only have a flight into Berlin at this point. I still haven't figured out what I'm doing after that. But if you use the code IDAC25MKO, that'll get you 25% off.
So hopefully we'll see lots of people out there that we know, and meet new friends while we're out there. So that'll be exciting. I know you've got Identity Beers planned, right? At this point, it's just the one Identity Beer in Oslo, and then I'm sure you'll be there for this one as well. There's, like, the Identity Beer, which is the first... I guess it's May. What's the first day? The Monday before the conference? It's like May 5th or 6th, yeah.
Yeah, so there's an Identity Beer in Berlin there, so we'll definitely be there as well. It's pretty cool. I'm looking forward to it. And then I take a week off and then come back for, I think, maybe a week to the US, and then head into Identiverse Las Vegas, June 3rd through the 6th. If you use the code IDV25-IDAC25, that gets 25% off. Don't worry about trying to remember these as I quickly ran through them.
They will be in our show notes, and they're always on the homepage of idacpodcast.com. Just scroll down and you'll see everything that we've got active at that point. So hopefully people are able to take advantage of that. It doesn't cost us, doesn't cost you anything. It saves you money and just shows support for the show. So please use those if you plan on attending events.
Yeah, and I just want to say something before we kind of dive into our topics of the day. I've had a lot of people reach out to me recently and connect on LinkedIn and say that they really enjoy it. And I got to tell you, like, every time that happens, it just fills my heart a little bit, just to know that people are out there, that we're part of their lives, or part of their day or their week. And you know, we don't know that, right? We put the podcast out there, and maybe people listen, maybe they don't. But when people reach out and say, I really love the podcast, it's flattering to me, and I know it is to you as well. Oh, for sure. I mean, the fact that we don't advertise at all and we are 100% word of mouth, I mean, it's pretty amazing, you know, how big this thing has gotten. And yeah, it's definitely not lost on me. Definitely appreciate everyone who takes the time to reach out, and yeah, it's great. So we'll keep on doing it.
¶ Listener Mailbag: Career Advice for IAM Professionals
And really, that's what this show is all about today. I mean, today's a mailbag episode. We get lots of emails and stuff like that asking us questions, and we try to kind of save them up till we've got a good amount that we think we can tackle, that might be interesting questions for everyone to hear. So why don't we just jump right into it? Do you want me to read these off? Do you want to take turns? Like, how do you want to do it? Why don't you go ahead and read them off, because I'm kind of, like, in the hotel. I've got just the laptop screen, no second monitor. So I'm going, like, cheap and cheerful today. That's fine. All right, let's start with... and this is a very global mailbag, by the way, so let me read this off here. So Ryan from Sydney, Australia, I presume: I am a new IAM professional looking to grow my career. What certifications or skills would you recommend focusing on in 2025?
I think this is a pretty common question. A lot of people kind of getting into the space: where do you even start? Yeah. Do you want me to go first, or do you want to? OK, so, yeah, I feel like this is right in your wheelhouse, because this is all about sharpening the saw, or maybe even building a saw. And providing the saw, yeah, yeah, totally. And I think there's not one answer for everybody, right? Because you may be really good in one area, like you and I are, especially with running a program, but we're not going to write application code and things like that. That's work that other people, like, they love: coming up with an idea, making something happen, then being able to make it work on the computer. So you have to know, like, what gets you excited? What are you going to put the time into? For other people, it's like, hey, the idea of being the go-to person who makes a project happen. And by the way, project managers usually get a lot of credit. You know, it's a whole team that steers the boat. But a lot of people in upper management came from a project management background. So if you're a project manager who delivered a project and made all the parts and pieces come together, you get a lot of the credit behind the scenes anyway.
I love a good project manager because I hate doing that work, so a good one is invaluable, for sure. So let me give a kudos, a shout-out, to people like Krista and Ben. If you guys are listening, you are definitely, you know, the stars of the team. Yeah, yeah, for sure. And that's kind of my background, and I think it's a great place to go and develop your skills. I also look at it like, if what you really enjoy doing is the technical side of the house, and that's going to get you to develop yourself and build your career, then you don't want to be doing stuff other than that, like project management. Put your time into what interests you. I do think certification, definitely having some leverage behind your name in this market, is a great way to kind of prove that you've got some knowledge and maybe that you have some ambition and aspirations to further your career, especially if you're starting to take certifications that are maybe a step beyond where you are at the moment. And then I think, you know, that can go all the way up to when you start thinking about certifications like CISSP and PMP and stuff like that, where it's like, oh, now I'm thinking I want to be somebody who does large-scale project management, or I want to be maybe a CISO someday. Now you start getting looked at and offered positions and opportunities, maybe within your current company, to take on bigger roles. And that's how you build a career.
I think, you know, the question was probably more of, like, how do you start out? But I think we do wind up answering that a lot. I think one way is: don't be afraid to do some of the entry-level roles, like working on the help desk. I mean, you know, my first role wasn't really help desk, but I did a lot of help desk work where I would do end-user troubleshooting stuff. And you learn so much from doing that, both sides of the house: dealing with people and also, like, learning how to fix computers and work through your identity and access management issues. Yeah, I mean, I started in the help desk. You know, I didn't really have any fun stories out of that other than, you know, that's how I got into it, the help desk. The next thing you know, I'm doing IoT stuff before it was even called IoT, back in 2001.
So I definitely would echo: you need to make a decision, probably early on, do you want to be technical or non-technical? Because there is plenty of space for both. I feel like it might be easier for some people to do the technical, because there is a wealth of training. You know, there's different vendor trainings for different products. Some of them charge, some of them are free, tons of YouTube videos, things like that.
It might be a little bit tougher to get hands-on with vendor solutions, because those typically cost money, and you really can only learn what you've got access to. So that's where maybe a certification does help, because typically with a certification, especially a course, they might give you access to, you know, like a SailPoint training environment or a Saviynt training environment, or Ping or CyberArk or something like that. If you don't want to be technical, that's fine. I think you still need to be technical enough to have a solid conversation, but that's where the soft skills come in. So if you can articulate and communicate really well, if you're well organized, there's plenty of space, you know, for that kind of stuff, and then you just kind of build up the experience from there.
I think you've got to be realistic, too, that if you don't have any IAM experience and you're looking to get into IAM, you're probably going to need to figure out, you know, how can you kind of make that work? But I would definitely echo the same thing: start with what you like to do and then fill in the cracks around that. IDPro has a great body of knowledge for people who are looking to, you know, get into it. I think it's a good starting place. You know, there are a lot more resources now than there ever have been, and new ones are always popping up. So, like, our friend Andrew Chance, the phone, has, you know, a YouTube channel, he does LinkedIn Learnings. Like, there's a bunch of stuff that's out there that people have access to, but you have to be prepared to, you know, grind it out. It's not going to happen overnight.
What do you think about somebody who is, you know, mid to late career? Do you think that it makes sense for people who are, say, coming out of the military, or who have just decided, like, I need a change, I want to get into identity. I listen to Jim and Jeff and, you know, I hear people like Eve and Ian talking. It seems so exciting. What do you think for those folks? I mean, a lot of folks coming out of the military may already have some of these skills, especially if they're coming from an IT background in the military itself. You know, there are definitely opportunities for sure to take advantage of that. I think the other thing to think about would be, you know, again, IT... yeah, I think the military teaches discipline, and that is always helpful no matter what job you're in. So yeah, I think that's a good background to start with. And look, there are roles out there. Some of them aren't, you know, sexy. They're entry level. You might have to start somewhere. But if you are interested in IT, you know, spend the time. I mean, I started in help desk, didn't know anything about IAM. And next thing you know, I'm being shown, here's these different things, and then I start to figure it out.
And then next thing you know, I'm programming Siemens lighting controls to put them on the network and, you know, connecting them to electrical panels and all kinds of stuff. You know, before that I was bartending. So, really? Yeah, the line is very thin that you need to kind of pass. So you just need the opportunity. And I hate to say it, but sometimes luck is part of that. And you can increase your luck by maintaining and building relationships. There's a lot of people in this space. And if you start to work on those relationships, you know, when things open up, that'll help you get your foot in the door. I think that's a great summary, right? Because it's not like if you take this certification or get that degree, you're guaranteed a good job anyway. You could be stuck in a tough job market, or you have none of those things and you just get lucky and land in a job.
So you just got lucky, you know, got that opportunity that you didn't even really know where it would lead. Yeah, for sure. And I think there are certain sectors, maybe, that might be easier to get into. You know, maybe like nonprofit; it's typically, you know, looking for folks all the time because they may not, you know, pay as well as others, but you get lots of great experience there, and you get to wear a lot of hats. So, you know, maybe that's an avenue to get in the door for folks. So volunteering is another way: local organizations, you know, just offer to help and be helpful, and hopefully, you know, that leads to stuff. Yeah, yeah. That's a great, great one. So I think we hit that question pretty good. Yeah, that was from Ryan. So hopefully that helps. If not, drop us a message on LinkedIn and tell us how else we can answer that question. That's a good question for you, Jeff. That's a good question.
¶ Global Listener Stats and MFA Rollout Mistakes
So I looked at our podcast listener stats, and I don't trust them completely, but I wanted to ask you: the US is definitely our top country for listeners, at like 36%. Surprisingly low, if you think about it, where this thing started. What country came in second place? I think it's the UK, isn't it? I mean, it's got to be English-speaking. India, maybe. India, OK. So, yeah, give me a guess of what percentage of our listening population. 10, 15? I haven't looked at this. I have access to that, I just haven't looked at it in a long time. So this is just over the last 30 days, and it was 3.6%. 3.6%? That doesn't sound like a lot. It doesn't. That's second place. So it's really spread out over all the countries. That's right. We don't put all of our eggs in one American basket. We spread them all over the world. And eggs are really expensive right now, so that's probably a good thing. Yeah, that's true. All right, well, let's keep moving around the world
here. Let's go to Diego from Madrid in Spain. What are some of the most common mistakes companies make when rolling out MFA, and how do you avoid them? So the first mistake is, if you're waiting till 2025 to roll out MFA, you're probably about, you know, 10 years really too late, but really probably four or five years too late at this point. But hey, let's assume, you know, that maybe they just couldn't get to it and now they're doing it.
So what are some common mistakes that you've seen, Jim, when it comes to rolling out MFA? You know, so my first reaction to this question is that the IAM practitioners that I've worked with tend to know their user populations really well. So I don't think it's just, like, the user experience, or just forgetting things about your user, that is a common mistake. But I do think that's probably the area where, you know, we say this has got to be front and foremost on your mind: like, how is our user going to receive this? And there are user populations that don't have access to their device when they are at work. So if they're in, like, kind of a clean room environment, or maybe working in a prison or something, they can't bring in their phone; that's a concern. Then there are certain users where they're like, that's my phone, I pay the bill, why should I have to, you know, install your software on it, things like that. So I think different organizations face different use cases like that. But in my experience, practitioners seem to know that one.
I think the biggest thing that I've seen people get hung up on is, like, if they try and push it out to too many users at once, and their help desk gets flooded with issues. Because, I mean, let's face it, you know, we go back to my favorite person to bring up as a non-technical person, my dad. I haven't heard from your dad in a while. I know. Well, here he is. And, you know, you push out MFA to him, and he might be like, what is this? They want me to... especially if you do something new. And it's not like if it's the SMS to your phone, he's trying to figure that out, because everybody does that. It's like, you've picked that up by now. But if you have to go and download an authenticator app, he's not going to get it. It might be the first time he's ever had to do it. It's going to be super confusing. Or even if he has done it, he maybe hasn't done it twice on the same authenticator app, or know, like, the ins and outs of how it's going to work. It's going to be confusing to him. So he's probably going to have to call the help desk or open some kind of ticket or something. Which is fine; we can handle some tickets coming through. But if you do 10,000 users in one weekend and your help desk gets 1,000 messages, man, you're in trouble. Yeah, I mean, I don't want to get 10,000 calls from your dad asking me to set up an authenticator. You know, they won't be quick. They won't be quick calls. Well, I think that highlights the importance of communication and the user experience. Think about what you're doing, and then make it as simple as possible. Yeah, just simplify it. So definitely, for sure, I think simplification helps.
You know, I struggle with this, because everybody at this point, you know, everybody in the IAM industry and security industry, probably understands that SMS is not a great MFA option. It's very easy, it's ubiquitous, we've all figured out how to use it, but it is better than nothing. So if you have the choice, and you think your users can tolerate it, try to go with, you know, an authenticator app of some sort, either your own company's or one of the major ones like, you know, Google, Microsoft, Authy, you know, things like that. There are plenty of those out there. But I would not try to force people, especially right away, into the most difficult one.
¶ Exploring MFA Options
Try to have a couple of options. I think a mistake that I see is, well, we're only going to use the authenticator app from Microsoft, for example, just to pick on that one for now. It's a great app. It works well. But if that's the only option you've got, what if your phone doesn't support it? What if you forget your phone, right? There's a whole bunch of other kinds of things around that, and you're really setting yourself up for pain on the help desk side. So you'll want to think about that.
¶ Common MFA Mistakes
I think the other thing that I typically see is they think it's, like, either an all-or-nothing, or, well, we're just going to put it on this app. And so you end up with these gaps in coverage. OK, well, we have MFA, but it's only on our Active Directory, and there's a whole bunch of, like, SaaS apps out there that don't have MFA.
¶ The Importance of Coverage
So I think trying to have, you know, the coverage to make sure you have as many applications as possible with MFA. A lot easier if you have a single identity provider, single sign-on provider, that you're using that you can tie that to. Might not be feasible for everyone. But try to have as much coverage with as many different options, and let people choose the option that they like. And over time you can ratchet up the security. Like I said, I don't think you have to go immediately to, you know, retina scan and, you know, send me your first-born child to prove who you are. But you're definitely going to get hate mail for that one.
¶ Humorous Interlude
So direct the hate mail to Jeff at IDAC podcast, not Jim. That's fine. Yeah, you know, you've made it once you get hate mail. So I'll take it. You have to have haters. OK, so two thoughts come to mind.
¶ Understanding MFA Factors
Number one is, you know, MFA is multi-factor authentication, two factors. And here I'm going to name three factors; then you get to pick two of them, but they have to be different ones: something you know, something you have, something you are. So if you say our MFA is, first we're going to get your password, and then we're going to ask, you know, what was your first pet? Like, that's not MFA.
¶ Avoiding Knowledge-Based Authentication
Knowledge-based authentication sucks. Don't do it. Probably what everybody already knows, but you still know it's out there, and it's horrible. So I won't spend more time on that.
¶ Self-Serve MFA Resets
The other one, though, is what I used to talk about a lot, which was the unhappy path. So you've got to make sure that, if you're going to let people self-serve reset their multi-factor authentication, that doesn't go back to knowledge-based. Like, oh, you want to reset your authenticator app? Sure. What was your first teacher's name? Like, no, that's what they're going to go right for. So most people know that, I'm saying. I mean, like you said, it should not be, in 2025, the thing you're rolling out, but if you have to, you have to. And then think about MFA everywhere. Yeah, communicate, have many options, make it easy.
¶ Productizing IAM
If you treat your IAM program and your services like a product, is it a product that people want to buy from you and use? Think about it from that perspective. If it's a crappy product, no one wants to use it. They're going to find ways around it. So find ways to make sure that your IAM product, or collection of products, right, whatever that looks like for your own program, or whatever it is, that they're good. I mean, nobody wants to use, you know, garbage.
So make sure you actually, you know, give some thought to, like, hey, is this something that I would use? And if it's not, rethink it. You know, maybe there's an option that might be, you know, a little bit easier. You know, sometimes you have to make trade-offs. I get it. But I'm a big fan of productizing IAM. And if you have a good product, people will gravitate towards it. That's how I feel. Totally. What else do we have? All right, let's continue.
I feel like we're staying in that same hemisphere. We'll go with, let's see, Omar from Dubai in the UAE. I like this question. I kind of saved this one for last, because I think we can probably go into this quite a bit. OK, so he asked us:
¶ Listener Question: SMB IAM Strategies
How should small and mid-sized businesses approach IAM when they don't have the same resources as large enterprises? Omar, I'm going to give you the Identity at the Center listener of the week stamp of approval, because I think it's such a good question. This actually got sent maybe a few weeks ago. So I've kind of been sitting on this one, because I knew we were going to have a mailbag coming up. So I haven't responded in person, but hopefully you're listening, Omar. I love this question for a number of reasons, but please, you start, Jim. Well, I got to say, for Omar, if you send us your address, we'll mail you a sticker. International, UAE, like 5 bucks to mail it. We'll leave it at the hotel in Berlin and you can come pick it up. How about that? Or just meet us up at the conference. But yeah, I mean, it is a good question, because, you know, where do you start saying, well, don't spend your money on this, don't spend your money on that?
I think you have to think about the crown jewels of your organization, and then, like, kind of critical data, critical applications. And so once you kind of focus on what those points are, I think the first thing you have to do is have strong authentication to all those. So if you do have any kind of network or IDP, you've got to protect that with strong authentication, which means multiple factors of authentication. Ideally it's something like biometric-based authentication.
I think the second thing, beyond that, is, like, protecting your e-mail system, protecting your ERP application, whatever are the applications where it's like, that's where our data sits, that's where our information is. Maybe it's your recipes, your recipe system, but usually it's, like, your business system and your e-mail. And, you know, a lot of times it's your Microsoft system.
So I'm not saying this is what people should do, but this is what I see a lot, is that organizations say, all right, well, you know, we make doughnuts or we make chairs, or, you know, they're not a mega, you know, billion-dollar company, and they want to still be secure, but they don't want to spend all their money on security and on IT. So they'll go out and get the Microsoft suite, and they'll use the Microsoft Authenticator, and they kind of, like, build around that. They put all their files out on the Microsoft shares. I'm not saying that's the only way to do it, but that is what I probably see the most. Well, I think that goes to the strategy of simplification, right? If you have fewer places to try and secure, if you've settled on a platform, let's say like Microsoft or Google Workspace or something like that, right, you're reducing the attack surface by having fewer things. So that's good.
¶ Balancing Security Investments
I like this question because nobody has unlimited funds. I don't care who you are, there is always a theoretical cap, maybe, for some people, but you have to pick and choose the battles. This is a question you and I have wrestled over, you know, for years: well, where do you start? Do you invest in authentication first? Is it privileged access management? Is it IGA? Is it something else? And the answer is, you know, the consultant's answer: it depends. It kind of depends on where things are at.
But it's not just a technology thing. It could be the people and the process.
¶ Staffing and Technology Considerations
What if you don't have enough people to, you know, adequately or effectively do IAM for your organization? Do you go out and hire new people? That's expensive. Do you contract it out? That can also be expensive. Do you maybe get like a, you know, security provider or a managed provider of some sort to kind of augment things?
Believe it or not, that actually might be cheaper than trying to hire somebody and, you know, train them and bring them up to speed and then keep them on the long term for, you know, an employee. So I think you have to look at it from a few different fronts. I'm going to tackle it from the business side first because I think you have to make the justification for how do I invest in IAM. Do we have enough people?
If we don't, what is our staffing strategy going to be? Can we support hiring people? Do we want to contract it out and maybe, you know, fill that temporarily while we're bringing in, you know, staff? Or do we want to go the route of, hey, let's keep the important stuff on our side and then maybe use like a managed provider or something like that to maybe be like our outsourced IAM operation or, you know, IAM
service in a box, right? Whatever that looks like, you know, for the different providers out there, I think that's one thing you need to figure out first is like, OK, from the business side, how do we want to structure this from a staffing perspective? And then on the technology side,
where are our crown jewels? My current thinking, and it has been probably for the last couple years, is if you don't have MFA, that should be your first thing that you do, no matter what, figure out how to get MFA in place. If you're not licensed for it, which I don't know how that would even work for Microsoft. You know, make sure that you got it set up, take advantage of the licensing you have and turn on every single security feature that you possibly can that makes
sense for your organization. A lot of people for whatever reason, just don't take full advantage of their licensing, you know, in that perspective. But you know, get MFA in front of places and there's plenty of options out there. Doesn't have to be just Microsoft, right? There's add on MFA and all kinds of things. And then start thinking about your business processes. Where are you going to get the most bang for the buck?
I think a lot of people wish they could afford a, you know, top end, you know, product like a SailPoint or a Saviynt. They're very expensive. You know, that's just the way they are. But there are a lot of good products, especially in the IGA space that I'm finding that are
much more economical. They may not have, you know, the cachet or the track record of success or the great training programs, all that stuff, but you might find that there are some other products in this space that, you know, may be more palatable from a budget standpoint. But I wouldn't even bother trying to justify an IGA spend unless you have a lot of onboarding, offboarding, you know, critical compliance needs to run access certifications
and things like that. I think you can get a long way with the appropriate business process, the appropriate governance on a program level before you even need to spend money on stuff. That's kind of what I'm thinking right now. But what do you think, Jim? Yeah, I had a couple of other thoughts while you were talking.
I think there's a big difference between a small enterprise and a mid sized enterprise where you could be talking about, you know, a 10, 20, 30, a $100 million company that is not the multi billion dollar company. And so those are different scenarios, right. I also think it's kind of what is your starting point? Is this your first foray into trying to secure your enterprise, or have you been investing in it along the way?
And it's like, OK, yeah, MFA, we did that a while ago. Backing up our systems, we did that a while ago. Having some kind of endpoint detection, we've been doing that. So, you know, we can handle if we get ransomware or have a data loss or something like that. The other thought I had was
¶ The Role of Cyber Insurance
cyber insurance, you know, is that a good investment for you? We have a couple episodes that we have recorded, and if you go back to our archives, we've had people come on who have expertise in cyber insurance and how to think about it and how to position yourself well so that you get not only the right cyber insurance, but you get a price that you can afford. Don't want to sound like an insurance Marshall, but you know, it is about not in a lot of
cases. So maybe that is your safety net. I think a lot of it comes down to where you are, what you've been investing in over time. You know, you might have authentication already in place, but it's really old and rickety, you have to update it. Same thing with IGA. You might be in a position where you have the home built system and you've outgrown it versus somebody that's like 50 employees and they've never had to take this on before.
Maybe they can manage the nose for a future only 50 people, especially if they're not in a highly regulated industry. The other thing is that, you know, the question might be coming in from Omar that, you know, he's coming from the perspective of customer IAM, and that's a whole different discussion. Now it's about, OK, well, even if you're a small to mid sized business, you obviously have
aspirations to get bigger. What do you need to put in place to make your customer experience, you know, superior to what else is available? So then you have to start thinking about what is your growing market strategy and how does identity fit into that? That's it. That's why I love the customer side because that's such an
exciting conversation. Well, the other thing too is on the customer side, what happens if you get breached? Are you done because you got breached and, you know, all your customer data went out the door or whatever it may be? What's the risk tolerance that your organization has? Look, this stuff isn't cheap. I mean, security is expensive,
especially in the aggregate. When you start thinking of all the things you can and should be doing, I think you have to figure out where are your riskiest areas and then what do you want to do about it? Not everything has to have a technology control. If you have a strong business process, you have vigilant people. I don't know, the IAM heroes that you and I talk about all the time. You can get a long way with that and a lot of places do. Eventually, though, you cannot
have a strategy of heroism. It's just security strategy that is not sustainable. It might work in short bursts and it might be something that's needed in the short term. But I would, I would definitely start to think about, are your business processes secure? Do you have a way to look at the data? You know, how are you making sure that you're trying to reduce the risk as most
possible? At some point, you know, someone's going to have to make a decision, hey, it's time to spend a little money and catch up here or augment or whatever it may be. What tends up happening a lot of times I see is you get so far behind that you have to spend a lot of money to catch up. And it becomes like this ginormous task to just get to where good is or maybe even
adequate. And then, you know, I talk about peaks and valleys from a budget perspective. You spend a whole lot of money catching up and then you don't keep up with it. And then guess what, in three to five years, maybe a little bit longer if you're lucky, you're spending a whole bunch more money again to try and catch up. Good. If you could just figure out how to make that a slow and steady, you know, probably increase just because prices get more expensive over time, I think
you'll have a better approach. But it takes a lot of financial discipline to do that and not if your organization is in that mode of, hey, this is going to be a sustained investment, identity is forever. And so I think you need to think about identity as a long term commitment for the organization. I did want to say one more thing on this question before we close
out. I think a lot of people are, you know, it always feels like you're like right on the cusp of the next big thing and that if you just wait one more year, then like AI agents are just going to do this all for you. Well. Blockchain and picks everything for us up. That happened a few years ago, right? And here we are.
But I really feel like that, you know, I even had this conversation with Brian the other day, one of our colleagues, and he was like, you know, it feels like someone's just going to come out with this big AI product in two years down the road. And like, why spend $1,000,000 right now on IGA or whatever that's like do. You think that Amrax would be cheaper? Yeah, right. Exactly, exactly.
That's a good point. All these companies, you know, spending billions of dollars developing, you know, AI, they need to recoup that money and they can't have like a 20 year payback plan. So it's going to be like everything else, it's going to be expensive at first and then it will slowly come down in price.
But you know, whoever is building the first 100% automatic AI agent that will solve all of your security needs, expect to pay a lot of money for that and expect for it to not work very well as a first iteration. I think, you know, first versions of anything typically are the starting point, minimum viable product. Maybe you're going to be in for some growing pains and expensive growing pains too.
It's a really good point, you don't think of that, but I also don't think in two years you're just going to flip some AI switch and it does it all for you. So what I tend to find is that the organizations that don't invest steadily over time, but once you fall way behind and have to do so much just to get to, you know, base level that it's like a really painful process for everything. Why do you need multiple millions of dollars to solve this problem?
We did something eight years ago. It's like, yeah. And we did something eight years ago and didn't do anything with it since. And now it's old, rusty, it doesn't work very well. Yeah. It's not a stationary target. This is a moving target. What's good now is going to be not so good, you know, at some point and you're going to have to modernize or upgrade. Or maybe I think that's my case for sustained, you know,
appropriate funding. I won't say give me all the money in the world because, you know, if you gave me a billion dollars, I couldn't spend it all at once and I couldn't get everything done anyway. Give me, you know, $100 million, thank you very much, over the next 10 years, right. And it'll have to be a little more risk like maybe that's, you know, it's a ridiculous number, but hopefully the example.
You'll still have every consulting company and every technology vendor be your best friend. Yeah, that's for sure. Yeah, that is definitely a good point. OK. So I think those are kind of the three that we want to tackle. Anything else or should we end this thing on a lighter note? And who knows, maybe your room will be ready. Yeah, yeah, that would be the best lighter note of all for me. All right, do you want option A or option B?
Do you want me to, say, tell you that without knowing what the question is? Yep, I'll go to option A. Option A, OK, if you had to swap lives with a historical figure
¶ Historical Figure Swap
for a week, who would it be and what would you do differently in their shoes? I was going to say something like Hugh Hefner or something, but I don't think that, you know, just like quote unquote, the easy life is living life. You know, you can pick somebody like a Frederick Douglass who like man, what an impact he had on the world. So, you know, I just got done watching the Harriet Tubman movie. Really awesome movie. Would I want to trade places with somebody who had it so hard? Yeah.
So it's a really tough question. Well, this is a chance to do something differently too, right? So I'll give you an example, right? For mine, the one that kind of jumps out to me right away is Abraham Lincoln. And, you know, not to be, I guess, flippant about it, but I would probably not go to the theater one night. Yeah, yeah. Now you want to go to the Ford Theater. You know, if you do DC, you can go and see where Ford Theater was. Are you more great by it?
You're just filled with all kinds of fun facts. I know you're watching history documentaries all the time. Oh, yeah, I do. I do. I was watching someone on the. I had plenty of time on the airplanes today, hours and hours to watch history documentaries. You know, I'm good with Frederick Douglass. You know, he was a contemporary of Abraham Lincoln. He, you know, bought his way out of slavery and then just fought to end slavery. What would I have done
differently? I think he had a hard time during his time of really building a bridge between himself and Abraham Lincoln. You know, he more saw Lincoln for his, you know, I think he just couldn't get over Lincoln's flaws in his eyes. He saw the flaws. He wanted Lincoln to be an abolitionist. The country was not in the position where they were going to put an abolitionist in to be president. And so that wasn't what Lincoln was.
He became an abolitionist by the end of the war, by the end of his first term. But he wasn't there and it took time to get there. So maybe partially it was people like Frederick Douglass pushing along, but I think I would have tried to befriend Lincoln a little bit more and support him. And, you know, I think that's what I would have done.
You know, our friend Chad, he has a saying and I don't know if he made it up or stole it from someone, but it was: incremental progress is better than delayed perfection. I mean, that's how I feel about it too. Yeah, for sure. It's yeah. And the delayed perfection never comes. Is that how long is that delay? Yeah, we're still working through that. And we're still working through that in this country when we're talking about slavery, right?
We're both big people from that time period where the country was going from a country that has slavery to a country that didn't have slavery. But the remnants of slavery are still part of our society today, right? That's the delayed perfection. Because like, do you, you don't really ever achieve perfection probably. And so it's like just a memory. Well, you don't look back on like ancient Rome and like, oh, and we're still living the, the, the things that didn't ancient Rome.
We probably are at some level, but we don't even know about it. So 1000 years from now, I think probably most of those years will be dealt with 100%. Well, hopefully it'll be on Star Trek and, you know, exploring new worlds, all that stuff. So. Yeah, if there's a world left. All right, well, let's leave it there before. End it on that lighter note. Yeah, thanks, Jim. All right, let's go ahead and wrap it up for this week.
¶ Wrapping Up and Listener Appreciation
Thank you to Omar, Diego and Ryan for sending stuff in. If you have other questions, drop them in emails or LinkedIn messages to Jim and myself. We try to answer as many as we get as they come through. The good ones we tend to save, you know, for a mailbag like this. But definitely appreciate people taking the time to, you know, send us their thoughts and stuff like that. So let's see on the web, IDC, podcast.com, if you like what
you heard, like and subscribe. If you don't like it, like and subscribe anyway. And then send it to somebody you hate. And, you know, maybe they will either hate it, watch it with you or listen to it or maybe they'll like it. So let's see what else, connect with us on LinkedIn. And yeah, we'll leave it there for this week. Thanks everyone for watching and or listening and we'll talk with you all in the next one. You've been listening to Identity at the Center.
We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.
