You can't be secure without identity. You can't deliver online services without identity. You cannot deliver employee productivity without, you can't do anything really. You can't do this podcast without identity. So there's a lot of things I think which will probably surprise non identity practitioners. I think for the for the, for the people who've been in the identity space for a long time, I think it will give a better set of analytical tools.
I think there's a lot of assumptions you can make if you spend time a long time in any technology sector. And I think it's really about unpicking some of those maybe bad habits or, or, or complacencies we all get into and trying to say, look, have a a fresher and I guess more contemporary analytical framework to look at how identity should be measured, how it should be integrated or problems it should be solving in trying to help analyse both the vendors and also existing deployments.
Because nobody has the luxury of, of designing things from scratch and picking out the best technologies. You have to deal with existing systems, existing problems. So I think the big take away will be at least provide people with a set of analytical tools that they can look at their existing systems, existing vendors, existing suppliers and be a little bit more informed around what success looks like. This is identity at the centre if it has anything to do with
IAM. This is the go to podcast now your hosts Jim McDonald and Jeff Steadman. Welcome to the Identity Center Podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad yourself. I'm doing great One. I do have one complaint, OK. No, that's shocking. You complain. No, only one. That's the shocking part. So. It's what is it 1 complaint with like 8 different bullet points. Yeah, exactly.
Now we've got we've, we're doing awesome in terms of or what I should say is our listeners are doing awesome in terms of, you know, downloading the podcast, listening to it mostly unlike audio only formats. I've checked out our YouTube site, our numbers. What would you call those rookie numbers right? So not complaining is definitely not knocking our listeners be. Careful, Jim, don't don't take
off our listeners. I'm not taking off the listeners hopefully, but what I wanted to say was I was watching this channel earlier today, so it was beard versus food. The guys had a video out for one year where he eats a pizza. Basically he eats a pizza during the episode. 8.5 million views. So he's doing something right that we're not doing. What it what could it be? Doing something right, I don't know about right. Doing something that's attracted
viewers, I guess I don't know. I mean, if you have a beard, if you want to eat pizza while recording, and if you think that'll get, you know, people to like and subscribe, we can give it a shot. Well, I'm up for anything, so I'll give it a shot. I'll give it a shot. I'll take a video of me eating pizza. We'll see if we get 8.5 million views. Unlikely, but hey, you never know. This is how this is how maybe you go viral, right? I'm. Pretty sure you can monetize
that many views, right? I mean, for sure, yeah. I mean, if you're having, if you're pulling that stuff in, you know, that'll probably pay for, for the pizza that you're eating. No, so OK, so beard versus food is the guy that does all these eating challenges. So the pizza was a 30 inch pizza. So it's pretty much like the size of the moon. And he ate the whole thing in one sitting. And he was the first person to ever beat this challenge was actually at a pizza place in Norway.
So really cool channel. I think there's a lot of channels out there, but I think, you know, the coolest one is still identity at the center. Oh, without a doubt, it does make me wonder about your algorithm. Like why is? Why is this being pushed into your feed? No, I well, well, two things. One is I'm going to Norway next week, so I've watched a lot of videos as I've covered in past episodes. I think the other thing is that like, this guy's channel is
awesome. Watching people eat like massive amounts of food in like 20 minutes is pretty entertaining. I I'm I'm struggling with why this is entertaining. It's just watching people eat, like what's the point? He's doing something that you can't do if you can use a 30 inch pizza. I mean, I'm sure you could build a heck of a following. OK, well I guess to each their own. Yeah, I guess so. So we should talk about our conferences. By the way, I'm going to have a cache of stickers with me at
every conference. I'm going to make sure that you've got a pocket full of stickers too, at all times. So folks see me or you. That's not the reason to go out to YouTube, so they can see our face and recognize us when they see us on the conference floor. We have stickers and they're good stickers. They are like vinyl stickers. So they're kind of weatherproof, dishwasher proof, all that, and
we'll have them. Yeah, Jim is very proud of these stickers, so you definitely want to get one for sure. Let's talk about the conferences because you and I are going to be at EIC and well, by the time people listen to this tomorrow, we'll see you tomorrow. So it's kind of the last chance for people to use a discount code. If you haven't already registered, you know, probably want to get on that, but it's May 6th or the 9th. If you use the code IDAC 25 MKO, that'll get you 25% off.
Like I said, if you're listening to this, chances are you're probably already registered or you're not going to be there, but we will be at EIC and looking forward to that. Then we've got the Identiverse conference coming up that's in Las Vegas. So kind of a quick turn from Europe over to the US. June 3rd, the 6th, we have the code IDV 25-I D AC25, another 25% off for that one. So we hope to see lots of friendly faces there and I think
we're at the spot now. We're going to say, hey, we are bringing our game show to Identiverse and we have, at least for now called it Identisquabble. So this. Is finalized on the name Identisquabble. For now, right. And I gave a lot of thought over this and then you just kind of blurted it out, I think yesterday in real time as we're talking about this, like, Oh yeah, that's better than anything I've been thinking about.
So we'll just go with that. So yeah, Identisquabble, we're going to kick off, I think the Expo kind of opening night in the Expo hall. So we'll have a space there. I will bring my cameras and I definitely want to try and turn this into an episode. But if you're familiar with what we did at the Authenticate conference last year, it is a Family Feud style game. So Jim is going to be a team captain. We're going to have another team captain, a couple of team mates for each of those.
We're going to have judges and things like that. They're going to help with, you know, deciphering the answers that our contestants come up. And I will be playing the role of MC or Steve Harvey or whatever you want to call me, trying to keep these cats moving in the same direction. So looking forward to that. Definitely want to invite people out to that. So if you're going to be in Ideniverse at Ideniverse in Las Vegas, definitely come check us
out the opening. I think we're the first on 1st on the board that night. So I think it's like 5:30 or 6:00 PM or something like that, that we'll be there. But look forward to seeing friendly faces and having some fun. So it's going to be just a fun you. I don't know if you'll learn anything, Jim, but hopefully you'll be entertained. Yeah, I mean, I think you'll learn how goofy we can get, but I think it'll be a good time. So I'm really excited about the
guests that we have. As somebody that I've known in this identity space since all the way back in his four Drock days and before we got started recording, he mentioned he's on the Ubuntu computer, which I thought, oh, that's, that's so him, that's and that's so Legacy 4 Drock Classic to be on some version of a Linux laptop. So I had to or I'm I'm not sure if it's a laptop or a desktop. I shouldn't say laptop, but why don't you go ahead and introduce him?
I mean, it's Linux. It could be anything. It could be a Flipper 0 for anything that he could be recording on right now. So yeah. It could be a black BlackBerry, right? Right, Who knows? Yeah, let's introduce Simon Muffet. He's an identity researcher and author. He's an identity podcaster, just like we are, and he's the founder of the Cyber Hut. So, Simon, welcome to the show. Hi guys, it's great. Great. To be honest. It's it's, I've listened to you guys for a while.
As you know, it's, it's a small world and the identity space, albeit it's getting bigger. So you guys doing a, doing a great job in, in entertaining us and informing us of all of the identity worlds. But it, it is a laptop, it is a, it's a Linux laptop. I I don't know why I fell in too Ubuntu actually it wasn't really a forge rock thing or be it being in the open source game I guess for that's all 1020 years
I suppose. But I, I, I fell into using Ubuntu 15 years ago and I don't know not not really seen it all to not a Mac fan and I didn't nobody likes Microsoft. Did I? Should I say that? Hey, hey, I'm on a man. So I, I just, I've used lyrics and Ubuntu for a long, long time. I think everything's browser based these days, isn't it? It's everything's web-based, so I, I totally fully enjoy having a very lightweight laptop or I probably can't see.
I, I, my Kindle is my, is my main device of choice these days, a nice old fashioned Scribe and a Kindle and my mobile phone. I can, I can just about get by most days with that. I'm just the five years of the laptop may may disappear, but that's that's probably another podcast worth of conversation. But what what devices we may end up using in a, you know, five years from now, I guess.
Well, I. Think we can definitely have a conversation about that at some point because I think if you've been following like where some of the tech companies are going, it's glasses are back, right? Maybe it's, you know, Google Glass was a big thing a couple years back and then, you know, now we're getting back into what I would call more normal looking
glasses. And I have some that I use like when I travel that are, you know, I plug it into my phone and I can watch a video and a a movie like it and a huge screen. But yeah, there's a lot going on for sure. I'd like to get to know more about you, Simon. So one of the things we like to do with the first time that we have people on the show for the first time, and I'm kind of shocked that it took 347 episodes to do that, is let's
find out about your background. How did you get into the space of identity and access management or digital identity or whatever the heck we're calling it these days? Is this something you chose or did it choose you? It, it seems a long time ago. I, I started in 2001. So that's nearly nearly 25 years, which is, I mean, that's an absolute eternity in, in any technology or any career, I guess. And I think identity has seen just huge transformation in that time.
But I, I, I did sort of fall into it ultimately. I did, I did economics at university with Microsoft first degree, utterly unrelated to identity and access management. And you sort of roll out of university at sort of 2122. What, what should I do in this big, big wide world?
And I, I ultimately, I took on a contract straight out of university for three months working for a large insurance company in the UK. And it wasn't a particularly complicated contract, as you can imagine at the age of 22 or something. You know, we have many great life skills at this age. And the, the, the job was for three months to do mainframe Security Administration.
And the project essentially was this, this insurance company had about 3637 thousand users and they ran it out of user IDs. Can you believe it on their racket for mainframe system. Long story short, they run out of I DS. So the project, they pulled in three or four graduates who we all didn't know anything about mainframes or identity or
anything like this. And they brought us in for three months and we essentially had to go through this list by hand, 36,000 identities within rack F and essentially copy and paste them onto a new rack FID. So if your ID was, I think it was something like 5 numbers in a letter, so say 12345 and then A and we have to essentially change the ID to be something like 123456 and then A, something like this. I can't remember the details well.
We literally had a print out everyday from PeopleSoft and used to go through this list, find the ID within RACF and then copy and paste and set up all of the TSO options. The the job control language stuff, the data says all this stuff. I knew nothing about the age of 22, but it was all by hand. So there's no, there was no connectors, there was no provisioning systems, there was
no ticketing systems. So they, they essentially brought in actual people to with sort of shovels to shovel through this huge list of mainframe identities. And obviously the project never lasted 3 months. It lasted 12 months. And that was my first taste of, well, first and last taste of, of mainframe Security Administration and TSOIDS and job control languages and Karla languages and all this crazy, crazy stuff.
But it did get me into this identity world and and from there I spent another three or four years in house for this insurance company looking after their Novell E directory directory services for the mainframe looking after 30-40 thousand identities in Novell. And that was then replaced by Active Directory. So all of the good learning skills you're looking having to look after servers. People remember servers that don't get serviced anymore.
So having to look after servers, having to do health checks, having to script things, having to build out sort of resilience and and directory replication topologies and all this really by hand stuff, which no way do you need to do in 2025. But as as a young guy starting my career, it was great. You know, I learnt, I learnt loads.
I was working with experienced professionals, technology of all calibres, you know, old fashioned mainframes, what at the time was pretty cutting edge Novell directory. So it was, it was a really good apprenticeship if you like.
I did that for four or five years and then I went into consultancy for a couple of years, similar sort of stuff, Directory services, moving a little bit more into the sort of networky world as well, VPNs and firewalls and the like, but still very much focused on, on the directory. And then I guess I got a big break, if you like, probably six years into that. I, I, I started and I, I didn't
start. I joined a startup called Value, which was one of the early pioneers in role based access control and identity certification and access review. And they had a, a stellar two or three years and were then acquired by Sun Microsystems. They become Sun role manager as part of the, the open source Sun stack, Sun identity manager, the DS Sun access manager, all this stuff. And they acquired this tiny company called Value as part of their role based access control strategy.
And the rest is history after that. If you like a lot of time then spent in the in the vendor world. And it's yeah, it's, it's looking back even sort of the early 2000s, things just have changed just substantially really in a, in a whole host of ways. I did 15 years in the vendor
landscape at a time. So Microsystems, they were then acquired by Oracle. I had a couple of years at Oracle looking after the European identity business there for Oracle Identity Analytics. And then I spent a good eight or nine years at another open source company called Forge Rock, at least partially open source, started, started open source, ended up closed source for various different reasons. It was a great journey, great journey.
I was doing sort of solution architectural work and finished off doing four or five years as a, as a product manager there for, for their access management technologies. And as part of that, to sort of close this little story off, part of that process was looking at emerging technologies. What, what should four drop do next? Looking at start-ups, looking at standards, looking at OF2 and OP ID connect and what what what's going to happen next.
And it was a struggle because I couldn't, I couldn't find the information I was looking for. And yeah, we have big research agencies out there doing high levels quadrants and compasses and this sort of stuff. But I was struggling to find that knowledge of the next big thing if like the start-ups, the emerging patterns, use cases, etcetera. And that really was the inspiration to set up for an organization called the Cyberhuts, which I set up during
the pandemic. If, if, if there's ever a difficult time to start a business, do it during the pandemic when the whole world is shut down. But I actually, in hindsight, it was a huge opportunity because everybody else was at home as well. So I, I found at the Cyberhooks the end of 2020, start of 2021, looking all of the exciting, cool emerging identity technologies, use cases, patterns, vendors, all that sort
of stuff. And attempt now to to deliver enablement research, Fender guides, training, all of the stuff to just help the world understand our our amazing identity, practitioner knowledge, vendor knowledge and all that stuff. And it feels like a really good, really good journey. So a lot of lot of knowledge accumulated in that time. A lot of a lot of change, as you can imagine, as you guys have seen as well.
I think the world has changed spectacularly even the last 10 years, let alone last 25 S Things like servers. Well, exactly. You know, they've got AI to deal with as well. So it's it's been great. I feel feel privileged actually to, to be doing what I'm doing now, which is essentially being briefed by technology vendors, understanding what's happening next, understanding what use cases are being solved and attempting to translate that
into into consumable knowledge. You feel like it's, of all the jobs I've had over the last sort of 25 years, I feel this is the, this is the nicest job, I think. Is there a particular content that you like that you kind of have an affinity to? Is it written? Is it audio? Is it reports? Is it research? Is it thinking about the future, Right. And sort of ideating, like where is this thing going? And we're going to get to a book you're writing, you know, on
that topic. But is there a a specific thing that you really kind of like? Yeah, this is really my favorite part of this part of what I do. Oh wow, yeah, I think content is really interesting for me. I think it has the, the technology has changed, so has content. And I think you know, we, we have, we are swamped with
material. We have material everywhere on your phone, your Kindle, you can research anything, 30 inch pizzas if you want, you know, wherever you go, whatever you want to buy a new car, you can find as much content as as you like. So information overload is the issue. So I think it's it's trying to deliver content in in design material.
In a variety of ways. And that's something definitely the Cyprus experimented with being, yeah, the podcast thing, but also taking maybe a big research report and then breaking that down into a whole host of different channels and different opportunities from one or two-minute training or videos or training shorts by guys training in the written form. So that this, I think the content aspect is, is totally changed. I think for me personally, I
like to read and write. I think most people do. I consume via reading, but I also helps me think to write. So if I'm ever stuck on something that I write, because then I can much more easily understand it. And if I can understand it, I can then deliver that in a way which other people can. But I think it's, it's always about, to me, there's three things you should always be doing 3 ES essentially educate the audience, empower them and maybe entertain them a little bit as well.
So it's how you can get some of these, some of these complex topics we're all engaged with. Now. How can we put that across in, in simpler ways? And I think we have to do it in a variety, whether it's written books, reports, podcasts, whatever. Simon, I have a question about your writing process. Take us through that. Like do you like to write it at night to like to write in coffee shops? Or what is your What's the perfect situation for you to get the most creativity out of your time?
Do you know, do you know, I think there's, there's a few, there's a few parts to this. A lot of people like this is my second book I've done. So that's I don't know how many pages I did 700 pages, but I, I as an analyst, I write for a living in the sense of I write all the time. It's writing isn't difficult. And I, I say this with a bit of a quip here, but the difficult part is thinking about what to
write. The act of writing something if it's researched and thought about it should take seconds. It should take as, as as quick to write as it does to read. In my opinion. That's how I typically like it to operate. And my, my modus operandi is I'm thinking and by thinking, I've got my Kindle here now, my Kindle and my Scribe. I use this daily, hours per day, writing, sketching notes, small things.
I'm quite pictorial, so I'm like pictures, matrices and diagrams and drawings and stuff like this. And I will do that constantly. But a lot of the time it's thinking, thinking about the topic, thinking around the topic, thinking sort of through the topic and trying to create counterpoints and I guess arguing myself out of a particular position, for example. And I think if you spend time on that aspect, on the thinking aspect, the writing to me is, is relatively relatively simple.
But you, I think you do have to be dedicated at it to, it's a bit like going to the gym. It's you have to do a little bit everyday, 20 minutes, thirty minutes, 15 minutes. Even if you have writer's block or content block or whatever, just just do something, something, a little a line, a sentence, a word, anything. And that just continues to push that rock a little bit further forward. But I think, yeah, I, I, I'm always jotting stuff down.
I've got reams and reams and notes for all sorts of stuff. And it, over time it's sort of builds out a bigger picture. And then the execution aspect, physical active writing is, is pretty straightforward for me personally. You've mentioned the. Podcast and I've mentioned it as well. Tell us something about the analyst brief, because you do this with our friend David Mahdi's. And I'm curious, like, what is the topic? You know, how did you get this
thing started? And just tell us a bit more about that. Yeah, it's, it's nice. It's not as professional as this one though. Guys, this is, you know, this is the you, you guys are doing the professionals. So we, I guess the honest brief is, is, is a couple of things. Really, I think it's we try to make it part of that contemporary back to that content view. You're trying to provide that contemporary comment, if you like.
There's, there's, there's so much material, so many vendors doing so many amazing things, product launches, features, mergers, acquisitions. There's so much happening. And I think the analyst brief that the real modus operandi there was to try and provide a bit of commentary, really a bit of simple commentary as to what is happening. It's not every week, it's probably a couple of times a
month. Really it's, it's trying to provide that commentary around, look, there's so much change around technology identity, security, all of these overlapping technology areas and just try and provide a little bit of clarity there, a little bit of an independent view, you know, cut out. The vendor. Speak or the the solution providers speak and the gimmicks and the acronyms provide a bit of real commentary there.
Peel Back had a bit of history and they had some stories, maybe call out some of the vendors perhaps, or maybe call out some of the situations or the buzz terms or whatever it can be. But just to provide that, that that weekly or that monthly view of this is the snapshot of what's happening. This is a bit of an independent view of of how things are going, maybe why they're heading in that way.
So it's, it's trying to provide that contemporary view, if you like, of, of all the change which is happening. And it's there's a lot of change as, as you can, as you can tell, there's all this, all the technology change, there's a lot of stuff happening. So it's, yeah, it's trying to provide that, that comment. I think it's the, it's the, it's the big goal. Well, there's so much to cover.
I feel like, you know, when Jim and I started this six years ago now, I guess at this point it's like, all right, well, at some point we're going to run out of things to talk about Lean. It's identity and access management.
What can you possibly do? And here we are, you know, six years later, 347 episodes and counting, and there's just always something happening and there's something new to report on. And, you know, you're putting out so much content between the podcast and the reports and the, I guess the the Moffett laws of identity security that you put
out over this year. Tell me a little bit about what those laws are and what are you trying to get out into the identity sphere of influence with those things? That was good. I quite like a lot of the stuff that side but does and quite a lot of the stuff I do really personally is, is just to get conversation going, is to get discussion going, involving as many different people as
possible, many different voices. And for me it's always about the signals which which get generated the conversations, not necessarily to be provocative or get people disagreeing, but just to get people thinking and discussing.
And the laws was part of that. Laws was a tongue in cheek, tongue in cheek thing around describing it or having to try and describe what what are some of the best practices really around this, this area of protecting our identity infrastructure, our identity landscape because it's under attack. You know, there's there's no question about that. You can Google, Google on any day of the week and you can find a daily breach of some description and it probably has identity at the centre.
They'll put into there's identity somewhere in those breach reports. So the, the, the, the techniques and tactics and procedures, they're somewhere in there. Whether it's human or non human identity, something's gone wrong with that identity landscape. So the laws, the laws aspect was friends. Look, we need to just have a, have a conversation here around what identity security looks at. How can we protect all of this identity stuff that we have in there? And to be honest, there's one of
two disagreements. So that the big the biggest disagreement for those who haven't read them all, there's, there's 10 basic statements in there. I think there's #3 which is the one which always gets people chatting. I think it's the carbon life. They'll go on, They'll go on that you can tie food.
They think that the law was something around every identity should at some stage be tied back to a carbon life forms a physical person ultimately, especially for the workloads, NHI, agenda, Ki, you name it. Smart TV's what anything where there isn't a physical person there. And it was, I think a lot of people once they actually understand and nod and agree actually, yeah, that's probably
not a bad thing. But the problem is with this is that actually a lot of our human identity records and identity profiles are not linked to a carbon life form either, which is this subtle part which a lot of people miss because even if you're you're Active Directory record, it's not necessarily tied to a biometric validated and verified identity. It's just Simon's AD entry with the UPN and whatever else.
So there's a bit of a subtlety in that around trying to make this real for, for, for all identities. But yeah, the, the laws is really again, having some discussion putting the flag in this. I don't want to own the flag in the sand, but I will put the flag there and we can all at least dance around it or discuss it and get that get those topics and people's agenda around talk about policy, talking about clean plenty of this of of identity data, humans, people, software devices.
Let's talk about all of that stuff as well and just yeah, raise awareness was the was the idea behind it. So. Simon, I remember when you posted this on LinkedIn, I went out and read them. And by the way, I think one of the things I know you for and probably other people knew you for is you're not afraid to be
bold. And I exactly #3 jumps off the page to me because I agree with it and I know most people don't agree with it. It's that, you know, basically every say the controversial part, they're not the controversial part is that every non human identity must back map to a physical person who essentially owns it who can speak for it. I do think the one potential exception is that if AI becomes advanced enough, it could be a representation of a person, in other words, able to make
decisions. So I think that at some, and I don't think we're there now, but at some point you might have a company where there aren't people or basically the whole company is run by bots and maybe those bots are the decision makers and identities as we know them are owned by that bot. So I think that could be an exception. I know you know, that's super sci-fi at the moment, but I
thought, let me argue. Against that point, because I think those bots, unless this is a 100% AI company, there is still theoretically a human at the very top. They might be the CEO of, you know, founder, bottle washer, janitor and all these agents or AI or whatever things that will
map to them. I could do we get to the point where an entire company, like a legal entity, a definition of a company is 100% AII have a feeling we would probably put a stop to that at some point, at least until the AI takes over the judicial system and the governance and stuff like that. But. Here's my thought on that. Jeff because I think that's, that's a good point. But I think the intent of that statement or that law is that a person who is accountable for it.
In other words, you understand enough about what is doing to say whether or not it should be, should exist. If you have a billion baht company or say a billion dollar size company and it's all robots and maybe there are a few humans at the top, those humans probably can't be accountable at that level. And you may delegate the decision to a bot that is smart enough to determine whether or
not that access is appropriate. A lot of supposing there, But I think that the key point is what Syme made, which is essentially that some life form, whether it's artificial or real, has to be able to make the decisions for identities, like an identity that, you know, runs a like a computer process or robotic process. You know, you just can't like leave these things kind of unattended and have nobody accountable for deciding whether or not that access is
appropriate. And I think that is that is my concern is that when we call these identities, to me, they're really accounts. They're accounts that exist. They're not identities, I I. Agree. I just disagree. I, I think the, the accountability thing is, is really what, what what's important here. I think there's a good slide that does the, does the rounds, I think on, on LinkedIn and
socials. It's by IBM, the 70s and it talks about no, no machine should have decision making capabilities or management capabilities. Maybe it says because it can't be held accountable now that that accountability is really important. It is. It's just also a separation between decision making and accountability. Now, if you talk about a genetic AI and and whatever may come over the next decade, all for autonomous decision making that
that's just going to happen. There's no way you can let you know you get get in the way of that and put the put the genie back in the bottle. That's going to happen.
Autonomous decision making, which is perfectly legitimate if you have accountability of a chain of accountability around who has the final say who, who is going to be the person on the hook in the court of law to say, yes, that was me, that was my responsibility to do so. And I think soon, as soon as you have a disconnection there, you have a whole host of, of liability issues and and process issues and governance issues around how that data processing or how the organization should
be run. So it was really all about saying, look, we have this brand new world potentially of, of autonomous decision making, which is absolutely necessary and scalable. We have to have some sort of accountability there. And it may just start off being a team. You know, it could be a team that responds to an oath to client.
This team, this, you know, SEC OPS team owns this particular oath to client perfectly fine because you then know who in that team to go and knock on the door and say hey, this this or two client is whatever behaving suspiciously or whatever it could be. But you need to have that lineage, I think to a physical person. Yeah, maybe 100 years from now or 50 years from now, we do have bot wars. And you know, I watched the film recently, the electric electric state.
It was called electric state film. That was pretty, pretty Skyfire with robots and humans and stuff. And there's absolutely some, some potentially terrifying use cases ahead. So being held. Accountable for being held accountable for an AI would be you're getting unplugged for 10 years. It's like going to jail. Exactly. Exactly. So yeah, the whole thing about the laws was having these sort of conversations. I think it's you've got to start. You've got to start somewhere, I
think. So this this whole topic of AI fascinates me. And I think we're sort of in an inflection point here where people are starting to wonder, well, am I going to have a job when AI comes around? And one of the things that's been making the rounds, I think, you know, especially in the consulting world and probably the analyst world as well. Can I just have an AI do the same things that Jim, Jeff and Simon are doing if it's just
spitting out stuff? And there was an article that was put out by Mike Neuenschwander around this very topic. And I think he's hopefully right that it's like, yeah, we're not dead yet. There's still plenty to go. And, and I think there's still going to be opportunities for being able to leverage those types of tools. But maybe take, hey, here is Simon's brain maybe to some degree, and here's what he's
thinking. But you're always going to have the individual human element where, you know, we're ideating, we're thinking about, OK, where things are going. And at some point maybe we do borrow that line a little bit. But where do you feel about AI? And, you know, there's this idea about replacing consulting, you know, for any number of topics because it's not just I am, right, it's doctors, it's lawyers. I mean, there's all kinds of stuff happening right now. Absolutely right.
Look, I think first of all, progress is is always scary I think for all parts of of society and for all parts of of the world. And I think this is a few cliches you can throw out around, you know, futures here. It's just not evenly distributed and things like this. And you know, the industrial revolution, I doing this podcast now sort of 20 minutes South of Manchester, which was the sort of world's first industrialised city sort of 250 years ago.
And obviously when the industrial revolution came along, that was a scary place. If you're a subsistence farmer in rural Cheshire or Midwest or whatever, it could be suddenly, wow, this huge big city with factories and mills and automation, steam engines and this sort of stuff that that's a pretty scary time. The pros and cons for where the industrial revolution has taken us, I guess. But ultimately it was changed, which you couldn't stop.
So I think AI is here to say, first of all, I think will it impact jobs? Yeah, absolutely will, no doubt about that for the next probably 3-5, ten years, I guess a lot of jobs, which repeatable jobs, which will be automated purely for productivity reasons. Flip side, of course, if you're looking at things like government services, health triage systems, banking systems, government services where you do have finite resources, you don't, you can't do everything
with the budgets you have. You leverage automation. So there's positive benefits to being able to triage and scale services in certain ways. I guess back to your question around replacement of people, we've experimented with, with stuff for the cyber with, with AI, virtual analyst stuff for internal uses. And by that we've we've fed it, if you like, we've fed it all of the cyber's contents.
So things like research reports and things that we have generated and I've generated and book material and everything else. And it's very easy to create a very powerful system. I guess there's a couple of things I would add to this though. It's very easy to get an answer for something or to create a system that will give you an answer for something. It's not so easy to have the right questions.
And this is where I think the value comes to play from being a, an experienced practitioner where you know the questions to answer, you know the questions that need to be asked. And that's, that's a big, big difference. It's very easy to go and do a search and say, right, give me a identity assessment framework for IGA, whatever, you're going to get some stuff splurted out there and great, you know what,
what can you do with this? But I think being able to again, leverage judgement, leverage creativity, leverage the ability to ask the right questions that really only comes with human experience. Now. I was quite like another another cliched quote around the guy who who gets hired to fix the big engine on the big in the big industrial plant and the engine's not working effectively. It's making a horrible noise and he gets brought in. He comes in, he looks at it and
he just whacks it with a hammer. It takes him 30 seconds, you know, gets the hammer out of his bag, whacks the engine. The engine starts working. He gives a bill to the to the factory owner and says they go, there's a bill for 500 bucks and the guy goes, well, that just took you 30 seconds and you all you did was whack it with a hammer. So yeah, yeah, absolutely. But I knew exactly where to hit
the machine with my hammer. And that, that's the sort of stuff which potentially I can't do because it's bringing out that judgement, the experience that, that creativity angle. But I I think there's some huge, huge benefits. Summarisations, being able to query things quickly, being able to. Rapidly get to at least an area where human can add a bit more judgement to the equation. So I think it's, I think. The one thing, Simon, is that it's hard to say where AI will be in 10 years.
I'd say, well, you know, looking at AI right now, you're right. It lacks the creativity. It's almost like a calculator. It can. A calculator can do arithmetic far better than a human can, but the human has to decide what goes into the calculator, what, how the calculations get applied
to something, etcetera. And I think AI sort of similar, like we can never research the Internet or summarize these large amounts of data in the way the AI can, But what we bring to the table is the creative application of that data and what we want to get out of that data. Now, maybe where AI is 10 years from now, as you say, hey, here's some examples of information. Maybe you plug some raw data into it and you say, here's the kind of output that I want. And boom, analysts, reporters,
birth from that. I, I actually could see a process and I, I, I messaged this to Mike where potentially you could have the AI tell you, hey, this is the kind of data or tell me what kind of data I need to gather from a vendor to tell me about their, you know, the example uses as ITGR for the, your ITGR solution. Now you get that output.
Now you feed into AI all the output that I'm sorry, all the, the vendor questionnaires responded to you give some samples of here's the kind of papers that I'm looking to create. Cross these two things, get what you can find on the Internet and produce me an ITGR paper. I bet you it could be pretty good that way. So yeah. But I think there's huge, huge opportunities, huge, huge value. And it's, I think you're right in the sense of where will it be 10 years from now?
I think there's, there's probably a lot of ambiguity there. And I think we're definitely probably not going nothing spoiled under the the podcast there. But there's definitely issues around things like misinformation, disinformation, data authenticity and where the the output is, is could be used for. And I think we're definitely moving towards a, a realm of assume fake, if that makes sense. I think we in the enterprise, we assume breach, you know that we talk about zero trust.
We assume the network's breach now probably got to assume that everything online is fake. Everything's generated. It's a deep fake. It's the content is synthesised articles perhaps do not have factual information in them or they are synthesised and blended. So there's definitely my, my bigger word really is, is all about that authenticity of the data origin really, and providing data origin authentication against a piece of content and making sure it's you know, the origin of it.
You can trust it and you can use that as part of, of something else. And that that to me is, is not really an area being actively solved at the minute. I think that's that's the biggest, a bigger word for me going forward, yeah. That's a good point. So one of the, the, the main reasons we wanted to get you on to the show, Simon, is you're producing this book. Producing is the term I, I chose to use because it's not just writing. I mean, this is a, a production
that you put forth. Tell us what is the book called and what is it about? Yeah, this is my second book. It's called IAM at 2035, so I am at 2035. Basically, it's a future Guide to Identity security 1010 years from now, which does seem a long, a long time to go in the current evolution of things. Why? I guess what? Why would I bother doing any of the books? I, I did a book about four years ago looking at BTC identity, So consumer customer identity and
access management. And as, as books go, you typically never finish a book. And by this you write a book and then you get asked to do a second edition and, and et cetera, et cetera. And you've sort of leveraged that book for, for consultancy and whatever else.
And it, it came to a point, the real inflection point, probably about 2 1/2 years ago, I guess, when there were more non identity people asking about BTC application owners, digital owners, non-technical and product leads and others who are wanting to know about BTC identity, which is quite, a, quite an obvious thing because BTC covers a whole host of
different stakeholders. But it just got me thinking around, OK, well, BTC is changing, but the whole identity landscape is changing and there's a whole host of new stakeholders wanting to understand what identity is, where it's been for the past 25 years, what are the current problems now and obviously where things may be heading to.
So I am at 2035. Essentially it's based on the back of probably 2 years of of interviews and briefings as part of the Cyberhub. Being interviewed, being briefed I should say of all of the interesting start-ups doing a whole host of different technology areas from password less authorisation, ITDRISPMNHI, new authentication flaws, orchestration, identity, data management, identity risk management, the whole thing around AI and agentic AI in
there as well. So, so much going on, I felt compelled to try and focus upon where we were, essentially where we are today. All the problems we have today around lack of coverage, NHI cloud versus hybrid, decentralised versus centralised access controls is a bit of a mess to be honest with all this stuff around identity as an attack surface because of visibility concerns and behavioural monitoring issues. So there's, there's a lot going on with identity, but it's becoming more important.
So getting identity right can deliver huge benefits to B to E workforce productivity and security. It can deliver revenue and services online. It can help with the disinformation thing we talked about earlier, integrates with data and network and endpoint security. So you, you get it, right. You want a, a huge opportunity to deliver robust, secure
services. And I guess the, the, the sort of second-half of the book is looking ahead, you know, where things may end up in the next decade, looking at things like intents, looking at attributions or I guess back to #3 in those laws around being able to really tie identities to a biometric.
We're talking about people looking at behavioural monitoring, intent of identity behaviours, looking the whole world of, you know, how can we secure this identity ecosystem if we are starting to see IAM and cyber merge together? So it was really trying to say, look, this is where we are now. A bit of the history there and a bit of the future view of, of, of where things are going to. And it's, it's been a really good, really good journey and enjoyable journey, if if not a,
a long one. Yeah. My my favorite part, to be honest, was the history part. And I think you could probably just write a book on the history, but I could tell even there, there had to be some things left on the cutting floor. So when you look back on it, can you tell us what were the things you said they have to be in here and what did you end up cutting that you were especially things? What I'm really interested is like it almost made it, but it didn't.
Oh wow, it's, it's funny. What do doing a book is, it's a little bit like going on holiday with a very small suitcase and you're desperately trying to scram your sewing trunks in your jumpers, in your sunglasses, in your Lido and all you're trying to squeeze it all into this tiny suitcase and you can't get everything in. So you really have to be, you have to be quite brutal with, with stuff. And it's, it is difficult when you are trying to, trying to do 2 things. One, trying to get your
experience across. You can get AI to write a book if you want to. I'm sure, I'm sure AI will do a great job of that, but it's probably going to be pretty dry. So part of part of both the books are written. We're all trying to put your experience across.
You know what I've learnt my, my mistakes, the anecdotal conversations that the water cooler chat, the linking together of, of maybe some patterns I've heard or seen really somehow trying to put my experience right and wrong in a book which people can obviously hopefully then wrap into their world as well. So I don't think that in itself is congenerate content. I think the stuff that missed out, I think you've always got to think of your audience, who
is the audience for this book? And it's it's really it isn't just identity practitioners. First of all, it is a whole host of of different personas I'd like to think gain benefit from this non-technical as well as technical. The security landscape, data application owners, seesaw sea level people who are non-technical in obviously and really should take them on that zero to hero journey.
And I think the stuff which you then pull out of there is often some of that really fine grained detail, you know, explaining what zero trust is for example. Well, you can go Google that to be honest with you. Or the difference between O2 and no IDC. So there's a lot of maybe fine grained detail in there which you sort of assume can be found
elsewhere ultimately. So there's a lot of that stuff gets sort of dropped and I try and raise up a little bit some of those meta patterns and some of those bigger trends and then so highlight my sort of experience in Yeah, so that so. I think you covered well. Like who should read it now? How should they read it? Should they read it like you eat an elephant one bite at a time, or like you eat a 30 inch pizza all in one sitting? Oh well.
I reckon you could do that. It's two pizzas, isn't it? 30 inch pizzas? That's probably 2 regular. I think I could do that. I think anyway, definition of two is well, yeah, it's a really interesting question. So the the the book, essentially The thing is 16 chapters we ended up with. And ultimately you talk, it's based on the sort of standard, standard model of situation, complications, implications, solution.
And obviously the first thing people look for is give me the solution page, Give me what's the, what does 2035 look like? Give me, give me the ideas, give me the, the buzzwords or the, the vendors or the, the categories that will definitely exist in 2035. So I reckon a lot of people will aim for that. Now, in my opinion, you're better off reading the whole book. It's, it's you, you can get through it, I imagine pretty
rapidly. So I, I think it, it is a journey read it is, it is looking at understanding the past so you can better predict the future. You, you can't, you can't understand the future unless you've got a good understanding of history. And I think that is vitally important. So my, my, my recommendation will be to start at the beginning with a coffee and slowly go through it. You can probably do less than an hour per chapter. I think 16 hours, probably condensed under 12 hours.
It's not a long, it's not a long period of time. So my recommendation would be to read it through in a in a journey in a journey and enjoy. It. Enjoy it, enjoy it. Exactly is the book going. To change people's mind about anything. Are there preconceived notions that most of us identity practitioners are walking around with? And you read the book and you're like, I needed to question the way I was thinking. I, I hope so.
I hope so. I think it'll, it'll definitely change the mindset of, of non identity people. I think it'll definitely put identity is a more strategic enabler. I think, you know, 25 years ago, identity was the purview of the CIO of operations. It was focused on productivity and compliance. It's, it's not that anymore. It's it's certainly a strategic fulcrum within even the smallest enterprises. You know, they can't, you can't be secure without identity.
You can't deliver online services without identity. You cannot deliver employee productivity without, you can't do anything really. You can't do this podcast without identity. So there's a lot of things I think which will probably surprise non identity practitioners. I think for the for the, for the people who've been in the identity space for a long time, I think it will give a better set of analytical tools.
I think there's a lot of assumptions you can make if you spend time a long time in any technology sector. And I think it's really about unpicking some of those maybe bad habits or, or, or complacencies we all get into and trying to say, look, have a fresher and I guess more contemporary analytical framework to look at how identity should be measured, how it should be integrated or problems it should be solving in trying to help analyse both the vendors and also existing deployments.
Because nobody has the luxury of, of designing things from scratch and picking out the best technologies. You have to deal with existing systems, existing problems. So I think the big take away will be at least provide people with a set of analytical tools that they can look at their existing systems, existing vendors, existing suppliers and be a little bit more informed around what success looks like for some of those things. Yeah, I mean.
The other thing I think is like you come with such a great perspective. You kind of gave that history, but also, like I said, you. I think your. Creativity and kind of how you set yourself up for these, this deep thinking and also your willingness to be bold and to not just accept like, OK, this is what everybody's saying, but I'm going to question it and I'm going to put out some big statements and not everybody's going to agree with it.
That's going to get people thinking and potentially change some minds. But I'm wondering now, what did you learn through writing the book? Did you start to question your own thinking? 100% yeah, I generally did yeah. I think, you know, I've been as you guys have you do this stuff for a long time, you do get into patterns of, of thinking, patterns of behaviour, assumptions around certain things.
And it was I think it's really it's quite refreshing I think to to to be briefed by technology start-ups who are early in their journey. You feel like, you know, maybe tackling ideal behavioural analytics or NHI or modern approaches to authorisation or some quite esoteric parts of our identity world and they bring a freshness to that. And you have to be, you have to question that. You have to question it, both business and technical is is to
their back story. But equally you've got to be open minded. I think as well, I think there's definitely opportunities for huge improvement across all parts of our identity life cycles. And to me, that's, that's what keeps me interested in this because I think, you know, you could easily sit there and say, well, you know, we still haven't solved the elder bar back problem. And for honest support, we never
will. So accept that and move on and start tackling some of the more pressing problems if you like. But I think I, I always try and keep an open mind. Don't accept, don't reject. Question the assumptions of things. Question the assumptions of vendors questioning assumptions of design and what, what, what real problem is being solved. And I think that that is definitely refreshed me over the last couple of years.
I think definitely kept me invigorated as to IAM being a a really powerful dynamic industry that will definitely be around 10 years from now. I think there's there's no question about so with this. Idea of like all this proliferation of writing that you do. I want to take us to a lighter note here as we kind of wrap up the show and talk about if you were, you know, writing a fictional story, Do you have any ideas on what a fictional book might be from the mind of Simon Moffett?
Oh God, digging into my mind. Well, that's a fun. Do you know, I, I, I do, I do, I do like writing. I think writing is a very enjoyable pastime. I think I, I don't, I don't actually read a lot of fiction. I must say I, I typically read non fiction, essays, biographies, history books, how how the world works, sort of thing. And it's, I've actually a bit of AI try and keep my local library running. There's a big thing in the UK about libraries closing down.
So I, I try and go library relatively frequently. And I'm, I'm probably four or five books at the minute into whole history of, of looking at the natural world, if you like.
I'm reading an absolutely amazing book at the minute about Eastern owls in Eastern Russia. A guy, a guy went over to Eastern Russia about 20 years ago and he researched these fish owls, massive big birds of prey, fish owls in eastern Russia on the Japanese Sea of Japan. And he, he spent five years going through, you know, the eastern coast of Russia, tracking these fish owls, measuring them, checking their habitat, all that sort of stuff. I love all that. I carry on. It's, it's real life.
It's again back to the memoirs. And he's trying to transpose his experience into into US non fish owl experts. So I'm I'm into that sort of thing and non fiction me. I think if I had to write something non professional, I would probably go down the sort of essayist routes or writing of essays around, you know, how we live our life, how how to take a walk in the countryside, how to make a cup of tea and how to
drink a pint of beer. These sorts of things, which you can, you can extend over 5 or 6 pages of link and really uncover the real world. I think that'll probably be my that could be a nice hobby, I think describing, describing the mess we're all leaving this planet in, that sort of stuff. What would be the setting for this? Would it be something that is like realistic, a place that you've visited? Is it something maybe a little
more fantastical or fantasy? Like give me the idea of like, OK, I am, I'm reading about this character who is learning how to, you know, sounds like, you know, relax in life a little bit, take a step back and maybe have a cup of tea or some other beverage it. Will be contemporary, so it'll be it'll be right now it'll be 2025. I did saying I wouldn't do a non fiction, but I did I did.
I did start an idea for something and it was it was based on the back of reading 1984 by George Orwell Disatopian novel where everything's everything's terrible. And my book was going to be called 2361 right. And the, the the the reason for this 23 the hour 202361 meant 61 minutes past midnight, which you can never get to, of course. Now the the reason being long Long story short. It was all focused on the Doomsday Clock.
If, if you've, if you've heard of the Doomsday Clock, which is I think it's at 89 seconds to midnight at the minute, which is the destruction of the planet, the nuclear annihilation of everything. It's it's clicked forward to 89 seconds to midnight. And my, my idea was to say what happens at one minute past midnight when the whole world is in a dystopian mess. But yeah, I, I didn't think it would be happy ending sort of books.
I thought I'd I might park that, park that for the time being and focus on 2025 and how we can all live a slightly better life. Not to be confused with the Iron Maiden song 2 Minutes to Midnight, which is I guess roughly kind of the same idea. Jim, if you were to. Write a fictional book. What would you write about? Or I got this?
Idea. So I've switched companies a couple of times and when you switch companies you have the ability to take your retirement, roll it out of your 4O1K in the US was like the employ the employment retirement package to an IRA, which is kind of like an independent retirement package. And during that time, it's kind of like you have to transfer all your money into cash, freeze it, and then it goes into your IRA and you select the investments that you want to go into.
I'm not sure exactly how that process, but I've done it a few times. It's been a while. Anyway, so my, the backdrop of my story would be I, you know, the, the character in the book is switching jobs and decides, OK, he's going to roll his money over. It gets frozen in cash and then the market tanks. I mean, it drops like 85% and then it's out of his control. It's frozen in cash. Then it gets put into the market. When it's down 85%, it bounces
back up even higher than it was. And so now the guy's like an instant multi millionaire with dumb luck, right? So now he's got all this money and then he goes to the doctor and the doctor says you have only two days to live. And so now he has all these millions of dollars and he has to spend it or he has to decide what to do with it in two days.
He hadn't like given us any thought because, you know, he basically by dumb luck became a a multi millionaire and now he finds out he only has two days or some amount or some short amount of time to live. He's got to figure out what to do in that time. And then I think as like the kicker, you get to the end of the two days or whatever it is, and then you find out that he was still alive.
And you go back to the doctor and they'd be like, yeah, we've been trying to call you, but it was going to voicemail. We we gave you the wrong person's information. You're actually going to live. There's nothing wrong with you. You've given. This a lot of thought. More, more. No, thought I, I. Thought about it. All within the last hour. It. Has like elements of like Brewster's Millions, Joe versus the volcano. There's there's tragedy. There there. Isn't there? Right.
Yeah, there's. Identity plate, Yeah, like we tried to get a hold of you and you know the wrong information scopes. Of two token yeah I. I just thought of it like I thought of different parts throughout the show, but I was listening to you, Simon. But I, I, I've been thinking about this like this investment thing because the markets have been crazy lately. But I also thought about that whole thing about how the IT
would have been. It's just too obvious to say I bought a lottery ticket and won $10 million. And maybe if I needed to keep that front part of the book short, I would do that. But I think that whole scenario that I just talked about could be a kind of a backdrop that it also ruined a bunch of people. And now there's all these desperate people living in the world.
Because one of the the offshoots of the story could be that there's all these desperate people and they kidnap somebody from your family who you had a falling out with and basically you are estranged from. And they were asking for all of your money as so state was one of your parents and you're estranged from your parent. And now they're saying they want all the money to release the hostage.
Hopefully it's not like. Stalin and his son, where they kidnapped his son and then he's like, man, keep him. Yeah, right. Right. Well, you know, you'll have to read my book. Yeah, well. Get get on it. You know, maybe you make an AI Co writer or something to get this out there. Get inside of your head. Yeah, right. Good. Idea I I I can't. Top that because you have so much detail in this vivid imagination years. I was I was waiting for the downer part of it.
And you, you, you got to it with the the death diagnosis and with the kidnapping and the desperate people all around the world. So it had a little bit of everything, you know, for you, yeah. Hey, if I'm going to be the author, you know, there's got to be some, some downside to the whole thing, all right? Well, I, I'll just say probably for me, something sci-fi, just because I'm a sci-fi nerd and I
am not super creative. So I, I don't know even what it would be about, But it'll be something far, far in the future where, you know, maybe I can somehow extend my brain to be able to experience all the things I'm going to miss after my mortal life is dead is has ended. So maybe it's like an AI version of Jeff or, you know, I always talk about the the the Baba verse set of books, which I
think is really good. So maybe something along those lines of like some sort of AI immortality and what does that actually mean? And you know, maybe it's something on those. Lines. So I don't know, we could. OK, let's go ahead and wrap. It up there for this week. Simon, thank you so much for taking time with us. Really you step appreciate you stepping in with us. I'll have links in our show notes for everything we talked about today.
So link to the cyber huts as well as the podcasts as well as you are present on LinkedIn, Simon. So hopefully that's all cool with you and perfect. Thanks guys. Yeah, it's been. Great. Let's not wait another 347 episodes to do this again. Let's let's let's talk more and I'm sure we'll see each other at conferences coming up in the future. So with that, we'll go ahead and leave it for this week. Thank you everybody for watching
and or listening. Thank you, Jim, for not really ticking off our listeners at the very beginning. Like and subscribe. That's all we're asking for. Share it with a friend, share it with an enemy. We don't care. As long as somebody's watching or listening, we'll keep doing this. We're on the web, IDC, podcast.com, visit the YouTube channelidcpodcast.tv. And yeah, thanks everybody. And we'll talk with everybody in the next one. Cheers, guys. Thank you.
You've been. Listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review and we'll be back soon, but in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.