Podcast
by
Jeff Reich

Cyber909: Episode 21 with Jeff Reich

Transcript

Narrator:

Welcome to Cyber 909, your source for wit and wisdom in cybersecurity and beyond. On this podcast, your host, veteran chief security officer and cyber aficionado Den Jones, taps his vast network to bring you guests, stories, opinions, predictions and analysis you won't get anywhere else. Join us for Cyber 909, episode 21 with Jeff Reich.

Den:

Hey everybody, welcome to another episode of Cyber 909. I am your host, Den Jones, and we are blessed as always, with a host of characters who should both educate and entertain with some wit and wisdom. And today's guest is no exception to that rule. We have got the, he just said to me, he said, I'm rich but I'm not rich. So we've got Jeff Reich on the show who's apparently not rich, but he is rich. I dunno, fuck it. We'll find out. Jeff, welcome to this show. You are now the IDSA, so Identity Defined Security Alliance, executive director. So why don't you do a better introduction?

Jeff:

Well, thanks, that's a good introduction. You pronounced my name correctly, so that's always a great start. Thank you for that. The Identity Defined Security Alliance, for those that may not know, we've been around for six years. We're a nonprofit and we focus on education and the betterment and raising of awareness for identity security and the security of identities. We are a member organization, so we have mainly organizations that are members that are either identity or security vendors. In fact, in the past, that's all of the members were that. Over the past year or so, we've been bringing in more corporate members that are consumers of identity and security services and products and some affiliated partners that may either advise or in some cases resell some of those products. So we have a good mix as well as a few individual contributors. As I said, about six years. I've been here a bit over two years now and really enjoying it. I've been in this field for about 50 years, so

Den:

You don't even look old enough, Jeff, to have a job for 15 years.

Jeff:

Thank you. I guess I need a better camera apparently.

Den:

Yeah. And your predecessor, Julie, I first met her and IDSA because originally the origins of IDSA was spun out from a relationship between Optiv and Ping, right?

Jeff:

That's correct,

Den:

Yeah.

Jeff:

You know your history. Yes.

Den:

Yeah, yeah. Well, I kind of got involved, I think it was 2018 and I'm sure it was like Boston and I partnered with IDSA to do a presentation on the Zero trust deployment of Adobe. And then from there, then I continued to hang out with Julie and the Peeps every now and again as I think more like the customer advisory board type situation with my role at Adobe. And then also when I went to Cisco, I got the team involved with IDSA. When I went to Cisco, when I went to Banyan, we became, I think a sponsor for maybe one year, I dunno maybe about that, maybe a couple of years. And I've always been an identity person myself since 1992 when I was a Novell admin back in. That was one of my many responsibilities. So identity is close to my heart. I've always enjoyed the work you guys have been doing. So why don't you share a little bit about your background. So before you got into the IDSA, what kind of work were you doing? What was your journey in the whole space of IT, technology, security, identity?

Jeff:

Well, if I go back, and I'm not going to go through the whole thing because we don't have that many hours to go through it. I'll use about your memory, but way back, I did some work with security and law enforcement in the seventies and was convinced my degree is in science education. I also taught astronomy in a planetarium. And so now someone, and we may have said this before, but after meeting me, someone that's taught in a planetarium, there just aren't many of us around. And my background was obviously working, building with computers because dealing with physics is pretty much what you have to do at the time. And computers were very basic, as in I built an analog computer in school and those, no one even knows what those are anymore, but did little law enforcement associated work and was convinced to get back into what they call the smart field at the time and went to work with EDS to start their security program.

But actually pretty quickly left. They decided to defer it a bit, started a security program at Arco Oil and Gas Company, started security program at Dell computer, started security program at Rackspace Computing and a couple other hosting companies, a couple financial services companies. I was the director of operations for a research center at UTSA for a few years. So I've done a bunch of different things. I like being able to say that I've tried to walk around the gem of security and see all the different facets of it. And the one that really has caught my eye and for the past two years, and I'd like to think for the foreseeable future is how identity ends up being at the core of all of it. I'm not going to use the name of another podcast here.

Den:

Yeah, yeah, I know those guys.

Jeff:

Yeah, no, and they do a good job, but it really does all focus on identity. It all comes down to it because without proper identity, you shouldn't be able to get to things that are going to be secured. And now it is no longer as simple as, oh, I have the right identity. Well, is it really, is it you? Is it deep fake? Is it AI? Is it a non-human identity? There's so many different components now that we peel that onion back. It's another whole discipline unto itself.

Den:

Yeah, no, absolutely. And I think of it, not necessarily that we're at the center, but I certainly think of it, we're at the front lines when I think of breaches, 80% of the breaches tie back to identity some way. And I look at that and think, holy shit, that's a big number. And I also look at it, a lot of the clients that we speak to, a lot of people just even haven't done the basics. We're sitting there, we're talking about you should do some zero trust, and they're looking back and they're like, we're still trying to do MFA. So I mean, where do you guys, and you are blessed because you sit in the middle again, the center I guess, of a lot of these vendors that are at the forefront of identity. When you're engaging with all of these vendors, what inspires you when you think of where we're going as an industry, but then also what disappoints you?

Jeff:

My answer is going to be very similar to both sides of that question. What am I really excited about and what am I disappointed in? It's nice to hear that most of the vendors are saying, you don't hear the word password anymore from the vendors, which is good. What disappoints me is there are very few environments where you don't need passwords. So which part of that do you like? It's great that we're getting there, and I do think I've been in this field long enough to have heard for the past 40 plus years that the password is dead. I do think however, that it is now actually on life support. I do think it is approaching that end between MFA. So MFA, there's another one, both sides of it. I'm glad that MFA is considered general, it's table stakes. I'm disappointed that a lot of people consider MFA to be an SMS message.

Den:

Yeah.

So a couple of things you said, talking about the password is on life support. I kind of look at it like in the banking industry, mainframes and COBOL existed long, long after they should have done, and I think passwords are like this. I also recognize that at the end of it, whether you're doing biometrics or certificates or something instead of a password, the fallback method, the fail safe switch sometimes most often is a password. So I think as an industry, we're getting there from a user experience perspective, which does improve security or can, but this back door, which still exists, which is the whole, oh, my biometric thing doesn't work. Okay, I'll fall back and I'll use a password.

I'm hoping, and I'm watching the industry as we move forward, I think we're doing a better job. I love the vendors getting there. I remember talking to one of our vendor members in the IDSA in 2017 about, because they had it at their conference and they didn't deliver it for many years. I remember my team in Adobe doing passwordless in 2017, and for 40,000 people, no more passwords, we used certificates instead. And in the background we were doing some security intelligence. We stopped doing the change your password every 90 days thing. We moved away from that and that was 2017, early 2018. And I'm sitting there thinking, wait a minute, that now is over seven years ago. And then in the last two years you see these vendors boasting almost as if it's bragging rights that they've created. And I'm like, holy shit. Two people in my team in Adobe done that six, seven years ago. What's the problem, right? Why is it so why do you think it took so long for many of these vendors to get to the position that we're at? Because we've been talking, these vendors have been talking about it for so long. What do you think took the, why did it take so long?

Jeff:

First of all, I'm not sure it's fully past tense. I think why is it taking so long? Maybe appropriate question because we're still not quite there yet. I think there's really two main reasons for that. And I'm going to go back to the COBOL example you use, which is, I don't know how much of your audience would even know what we're talking about when we say COBOL. I had done some work in COBOL and that was supposed to die in 2000. If you remember, Y2K was supposed to kill COBOL. It wasn't designed to last past that, but it's still around. I do know some state run programs that are still running on COBOL, on mainframes. Some of that is there's fixed costs that are sunk in order to replace that. It's a complete new re-architecture of everything, and in their minds it isn't broken yet. So I think that has a lot to do with the stickiness, especially with applications. If there's integrations with homegrown applications or locally sourced applications where there isn't an out of band authentication method, which is a password, it's hard to be able to take all that in. So I'd say those are two driving factors that really help resistance to move forward. And then there's also the cost. Vendors can say, Hey, we can take you to Passwordless. Here's what it's going to cost to do it.

And organizations will say, well, maybe next year I'm not ready to spend all that this year. And that's a standard business driver. But at some point what we need to be able to do is start really looking at the ROI of security in general. And that means that you say, I need to spend this much to upgrade the system or replace this system and here's what we're going to do with either opportunity costs or risk reduction. Productivity security has finally become a productivity tool. For the longest time it was considered anti productive, but security now is a productivity tool. When you do things correctly with security, you can do things faster and better.

Den:

Yeah, yeah, exactly. You have the ability to do that. We used to always talk about it like we're going to remove, reduce friction, reduce costs and improve user experience. And that was part of our Zen mantra. So Adobe, we called our zero Trust Initiative Zen. So zero Trust Enterprise Network. I think the other alternative names were bullshit, so we didn't use them in the end, but

Jeff:

Yeah, that's too long, too many letters.

Den:

So I get into the situation where I was just thinking about this when we go, so you've got human passwords, you've got machine, you've got non-human service accounts and all of those things, and we're doing more API business. And then you've got the CyberArk of the world and the StrongDMs and the HashiCorp now these guys, so they all, they've made a lot of money on password vaults and then something that I push a lot to people, things like 1Password and Dashlane password managers, certainly on the consumer side, they're invaluable. But where do you think password vaulting the whole concept of vaulting goes in the next five, 10 years as we try to demise passwords because are vaults then not required? I mean, what do you hear these companies talking about in that respect?

Jeff:

Well, what I'm hearing is two things. First of all, you mentioned certificates earlier and I don't think those are gone. In fact, you mentioned what you did at Adobe, and I'm not by any means saying it was easy. However, you had a controlled environment as in every employee was told, here's how we're going to work and you had the right support to do it. And it's easy to do that, try doing that with a consumer, a group of consumers. And that's a very large challenge. So simply saying, you don't need passwords anymore, we're going to use PKI install this certificate and here's how often you have to refresh it. And by the way, you lost them at we're going to have to install certificates so they didn't hear the rest.

So there's a challenge. So I think vaulting is still going to need to be there, but I think something that people don't necessarily tie together yet are wallets and authentication. And if we start calling it authentication instead of simply passwords and it's not just a semantic change, now we can get into how we're going to authenticate and you can have a vault for your authentication tools. And by the way, within that tool, and what I'm hearing some companies say is you can start having different categories of vaults as in if for your banking for a consumer for instance, you want that highest quality, most secure vault for browsing the internet. You want that at a lower level. You don't want to spend as much to control your access to get to a website as you do to get to your online banking site. And it's that classification and categorization that from a consumer perspective I think isn't even on their horizon yet. But the product vendors I believe are going to start dragging them there.

Den:

That makes sense. And the one thing in any of, I think of the Adobe story that use case, most of the time you've got to do these things in a way that's seamless to the recipient. The minute you start saying, here's 12 steps and then you'll be good. They don't want to do 12 steps. So part of the strategy that we employed was we're going to push stuff silently. Now we have the ability for some people who are not going to be recipients of our genius, they keep doing the thing that they're doing today, but other recipients where we're silently pushing stuff and then all of a sudden they realize they're not logging in as much. And I used to tell people this, I'd jump on stage and I'd talk about our experience doing zero trust at Adobe. And I was like, I never found myself asking 40,000 people if they'd like to log in less.

Never a question. This not a question. So the good news is I think vendors have it within their power to think of the experience as they evolve the industry. And I think that's the most important piece here because as you said, consumers don't want to know or do they need to know sometimes we can be better. Where I didn't remember teaching anybody how to use Facebook, but for the longest time, any app that it pushed out for 20 years, there was this bloody user manual that went along with IT training sessions and days of training for this, but then all of a sudden you get social media apps coming out and no training. And what that really told enterprises internally was we could do a better job of delivering services and capabilities where the end user doesn't need, they don't need such rigorous training practitioners. We still need to really know our magic. So we need to train and that's an important piece of our thing. I wanted to jump back to the IDSA business for a second or not a second, probably for a good five minutes. Really.

Jeff:

I'll give you 10 if you like. Maybe

Den:

Yeah, we can maybe get to 10. Actually, there was a couple of things. One is, so you guys started doing Identity Management day a few years back and I see it, I can read and actually I see it, I can read, but also you pointed it out to me earlier, I was a dumb ass April the eighth, identity management day 2025, right? So how many years have you guys been doing Identity Management Day? And then can you explain what it is and why people should care?

Jeff:

Absolutely. And thank you for that opportunity. It is April 8th. This is our fifth iteration of Identity Management Day. It's an online conference, although there is a hybrid part of it in Australia, and I'll get to that in just a minute. The first three years we're done, it was Americas centric basically, although anyone around the world could join, because it's an online conference, each session is recorded and available to view later, and we do get a lot of on-demand viewing after the fact. Last year we expanded it to include really the two, not the but two other regions of the world. So we started in Oceania Asia and it was coming out of Melbourne, Australia, and there were seven hours of content there, a small break. Then we went to EMEA, had about seven hours of content there. Then immediately went into the Americas and had close to eight hours of content there.

And we're duplicating that schedule this year. This is not the sort of thing I could do very often. I'm too old for 21 hour events, but it's fun and the reason people are going to want to attend and with it's free. So you just register and we'll get you the URL to register. And once you have a ticket that's free, you can join any of the sessions around the world that you want or look at any of them after the fact. But what you're going to hear are some of the questions you're asking right now, you're going to hear, and there's not going to be product pitches, but you're going to hear speakers talk about, and some of them will be from those identity vendors. Here's the sort of thing we're doing research on. Here's what we see coming next, here's what you should be able to look at.

And you're going to see perspectives both for the enterprise and the consumer. So educational sessions, there's opportunities to ask questions and engage. There is gamification throughout the Americas region and the way that works is exhibitors have booths and it's going to feel just like a real conference, conference rather in person, but it is a real conference. But you don't have to travel, you don't have to worry about hotel or how anything smells or anything else because you do it online. But there are booths. And when you go to a booth, you can click on it and either interact with someone in video just like this looks, or you can download a white paper, watch a video, look at a product. Booths are booths. Those are dedicated to people want you to see their products. And for every activity like that you do, you get points, you get more points for interacting live on video than you do for downloading a white paper.

You get more for downloading a white paper than you do simply visiting the booth. And there's a leaderboard that says who has the most points? And there's a competition to see who wins prizes at the end of the Americas region for doing most of that activity. Now that's nice. It's not the main thing we do, but people do really enjoy it. What I really like about it is you are getting CEOs of organizations, whether they're using identity services or providing identity services, you're getting senior architects talking about what's going on. You're getting some customer stories of not here's what I did with a product, but I went through the journey of having to get to Passwordless and here's the pain I encountered and here's the benefit I got from it. So you're going to see all of those aspects of it. You're going to see it around the world, different perspectives, people from each of those regions, and I think a lot of fun, a lot of good information and you can plug in whenever you want.

Den:

That's excellent. And then the added benefit of you don't need to put up with the shitty conference coffee.

Jeff:

Oh, exactly.

Den:

Hey, that's probably worth the price of admission right there.

Jeff:

In fact, if you want to spend the whole day drinking a beer or having some bourbon throughout the conference, we won't stop you from doing that.

Den:

Yeah, you can do that. And we will put the link to register in the show notes as well as the details and stuff. I think it's a brilliant day and I've not paid as much attention to over the years, some years more than others, but I remember when it started and it literally was just maybe half a day worth of sessions. I mean I can't remember, but it wasn't as big and grand as it is now. My big thing, Jeff, is do you guys have plans to make it an in-person or hybrid conference in the future?

Jeff:

So potentially right now, identity xp, who is our partner that is co-chairing it in the Oceania Asia region last year and this year have an in-person event in Melbourne, Australia, and they stream it at the same time. They even have some remote speakers both. So it's remote to the people in Melbourne and it's online. So there's that true hybrid mix there. We are thinking of doing it. The reason that we haven't done hybrid yet is, and it's a good reason, last year there were 82 different countries that participated in joining Identity Management Day anywhere from, we had retired people, students up through CEOs of organizations that wanted to make decisions about identities so broad both for geography industry and whether it's job level or life level. So even though we talked about do we want to make this in person, the challenge we have is how much of that audience do we exclude when we do that?

Den:

And I think if you've done it hybrid, then you don't exclude the audience. But I can imagine one challenge would be, well, how many people would turn up to be in person? And the logistics just even, because normally when the conference starts, they would've started in person pre covid, it'd start in person, there'd be a small group of people getting together and that can gradually over time get bigger and bigger. The guys, some of them are all Adobe guys doing the pre-con, the pre ski conference in Utah, and they'd done the first one last year. It was excellent. I'm thinking I might try and go back this year, but I'm not sure if my schedule will allow it. But it was a really good conference. But the benefit they had was they knew the venue they were using could accommodate all the people plus more and then it got bigger. Then they're like, okay now. But they knew that they had that. And I think for you guys from a virtual perspective, how many people do you expect to register and attend this year?

Jeff:

We expect to go over 2000 registrants this year. The live attendance, it's always hard to tell with a free event because you sometimes feel I don't have any skin in the game, so if I don't go, it's okay. And that's across the board, it's always like that, but we expect at least 50% of those registrants to attend live and at least that many again, to watch on demand sessions. We find the same thing with our webinars. Our webinars are live that we do a few per month and we get a third of the people that engage in the webinars that watch it live. Over two thirds of them are watching it on demand. And I think more and more we can thank Covid for that. More and more you're seeing that's how people want to consume this. So we're not opposed to an in-person event. We're almost trapped by the success of a virtual event and we will eventually branch out because Australia's doing it that way and it's successful for them. So I think we can do the same thing.

Den:

And I kind of look at it like it's maybe less about the programming content if you think of it like that. And the in-person thing is more about the networking with your peers and either in the conference halls themselves or in the bars and restaurants afterwards. I mean RSA for me, I don't go because of the vendors now. I actually just go because of the networking afterwards. So I think of it like that.

Jeff:

So I agree. Now I will say this, we'll see what happens with Identity Management Day. And this is the first anyone's heard of this. Don't put aside that we aren't going to do some in-person activities. It just may not yet be identity management day. I'll leave it at that.

Den:

That's excellent. Hey folks, you heard it first here.

Jeff:

Remember that

Den:

Unless you're watching this on demand and then you probably heard it elsewhere first and you're just rewatching this. And I think that's one thing about the virtual events because you can put on I think a show which is professionally probably better for the audience in the sense of they can watch it afterwards whenever they want in the comfort of their home. They're not struggling to hear or see. They're not dealing with people sitting beside them making a noise or people, I mean, I've been in conferences where people are sitting there while someone's talking and they're just on their laptop, tap, tap, tap, tap, tap, tap, tap, tap. And you're like, this is a pain in the ass. So I think the virtual model's great. What do your sponsors think of Identity Management Day and the fact that it's all virtual?

Jeff:

They love it. So we have a lot of levels of sponsorship. There's title, there's Platinum Platform Spotlight, and then there's gold, silver, and bronze. The title through Gold sell out almost immediately as soon as we put it out there. Being virtual, we can keep our costs lower than they would with an in-person event obviously. So they like that, but they like it because they have the opportunity to create a booth that's attractive enough for an attendee to say, I'm just going to go click that and see what it is more than, I'm not getting points for the game, but I want to click it. It looks interesting. And they have the opportunity to do that. Now I don't want to, I'm all for in-person. Events are great. You can't touch the networking that you get within an in-person event, which is why I say don't discount us on that yet.

But even within this virtual conference, there is a networking function. You can see a list of everyone there. You can hide yourself if you want, but you see a list of everyone there, you need to click, and I like to spend a few minutes with you and you get a three minute session to meet each other or maybe catch up with each other again and trade information should you want, and then you have a new contact, you can build your network that way. So we don't ignore networking. We know it's a very important part of what you do.

Den:

Yeah, that's fascinating. I think the concept and how you describe the virtual booths and things of that nature, I've seen that in action before and I think it's brilliant. And actually some of the conferences that we sponsor, it's the same sort of thing. You can stroll around the halls and an avatar really. So yeah, so that's excellent. So IDSA, how many vendor members do you have and how many members do you have? And then where do you see the IDSA going in the next few years?

Jeff:

So our number of vendors, and we can break it down into three categories. We have some individual members, and that's actually a handful under 20, actually individual contributors. There are some people that like to do that, but most of the people that have that interest are either going to say for a few dollars more, I can get a corporate membership. If your organization consumes identity and security services. We have about 30 vendor members right now and we have under 10 corporate members. So we're not huge yet. We've grown since you were involved last, but our growth now is we're adding about two members a month. And that has become a steady pace for us for the last four or five months. And I anticipate that continuing, especially with things like Identity Management Day. So we do not plan to be the largest nonprofit in the world dealing with identity.

We want to be the source that people can trust. That's vendor agnostic. Now the third category that I didn't mention are the number of people that can take advantage of IDSA benefits. There's certainly a core of benefits that are available to everyone. We're nonprofit and that's how we stay being a nonprofit. But there are a lot of other benefits such as getting all the data behind one of our research reports that the general public won't necessarily have access to. And that is in the, I'd have to take a look and count it, but it probably is approaching a hundred thousand. And I say that because a member say like Cisco, I'm going to use one of your alumni. And it's not a small organization. Everyone with a Cisco email address has access to all member benefits at IDSA. Same with members like CrowdStrike or BeyondTrust or Okta. So yeah, take those numbers, extrapolate it out. That's a very large number. We have a large audience that can consume what we have as members. So it's hard to say how large are we or not. It all depends on how you want to look at it.

Den:

Yeah, which lens. And for me, when I first got involved at Adobe, I loved the fact that we had the ability to sit down as part of the advisory board, sit down and have the Okta guy there, the CyberArk person there, and the SailPoint person, the ping person. You're really sitting there with a group of people where you get a chance to talk about the convergence of the technologies because Adobe or Cisco or Banyan or wherever I go and now even advise clients, you're not buying one technology. You need a group of technologies to deliver and run a business. So the reality is these technologies, there needs to be a level of integration, there needs to be a level of understanding. And I saw, and that's what inspired me about IDSA when I was involved years ago and through the years, is the ability for these vendors to actually come together and recognize that we're all in this together. And they do. And I think that's really exciting.

Jeff:

They check their guns at the door, they come in and say, how are we going to make this better? They each have products to sell, but they know they're not going to sell 'em there. They're going to do something that's going to attract someone to approach them to have that selling opportunity, which is good. And I want to mention two other things real quickly. We are also a member of CD Hub, which is an international sustainable identity nonprofit. And the focus of that is really coming up with interchangeable sustainable wallets, for lack of a better term. If you're in the EU, you know what that means, because legislation has been passed. It said that everyone needs, every country needs to be able to provide the capability for people to have an online wallet. And a wallet is more than simply having a credit card on your phone that you use to pay to check out at the grocery store.

That actually is part of it. But think about having your passport there or your driver's license or your national ID card or insurance card and everything else that's going to be there. That's what I was talking about with, you're going to see vaults that deal with wallets that are identity and authentication and we're excited about where that's going. I would offer the rest of the world seems to be moving faster than the US does on that front. And we'll see what happens when the US wants to catch up on that. And the other thing that I wanted to mention, just because I wanted to drop the plugs in here is there is no other conference, it's Identity Week, it's the US, it's in September, and I'm not here advertising that, but I am saying that we do an annual research paper where we engage a third party research firm so we can abstract who's answering our questions to get information that we use to create an annual report on the state of digital identity security. We will be releasing this year's report at Identity Week in DC in September. And I'm looking forward to that. We're already starting work on what that's going to be. We'll be getting information over the summer, that's where we get the input. And then I'll write the report in late summer. So another benefit that we have that everyone can take advantage of, members get to look at all the data that's behind it instead of just what's in the report.

Den:

That's excellent. Yeah, I, I dunno, I've lost the number of conferences that are tied to identity, but you travel, I know that you travel around a lot, you go to a lot of events and network with a lot of people. If you were trying to pick one conference, I guess I don't necessarily want you to name the name, that's probably unfair of you and the conference people, but I'm guessing there's one conference that you get more excited about than the rest. So what makes that one different from the rest?

Jeff:

So there are, without getting into all of them, some of the big ones are Identiverse and Identity Week without question because they're out there and they're both great. I think that what makes a good identity conference is the ability for identity folks to network. First of all, as you said, I think that's real important for it's primary for an in-person conference and then being able to walk away with, here's the next round of technology that I need to get ready for and I want to take advantage of simply having a bunch of vendors saying, here's what we sell, here's what we sell. Well, I heard that last year and what you're selling isn't any different than you did three years ago and I want to be a little in front of this. I'm glad you're selling to the people that are five years behind me, but I need to see what's going to be coming up front. That's what an ideal identity conference is for me. Someone that can come away with what do I need to start getting ready for next and how can I take advantage of it?

Den:

And I always struggled, or my team at Adobe struggled. We were, I never say bleeding edge, but we were kind of ahead of most of our peers and we'd go to these events and struggle really to walk away learning something that, I mean, there was things, you'd always learn stuff. There's always something doing something better than you in certain areas, but sometimes it was a bit of a let down because you'd go to a conference for two or three days and you'd pick your sessions that look interesting. Then at the end you're like, it wasn't really that good. But I look at it like networking's number one, I love your observation that the future thinking stuff is great. That does, it'll help you get ready for what's around the corner. I would love vendors to do some CAB meetings at these conferences and really think of a way where there's the opportunity for people to talk and brainstorm ideas for how a vendor could do better, but in a way that I think is constructive, not disparaging to the vendor. It's not like knock the vendor down, nonsense. But the reality is I am dismayed with how most vendors run their CABs because most CABs that I would go to, it would always be we're showing you our stuff that's around the corner. We want your input, but we really don't because it's already getting built anyway. So you're not really advising, there's no advisory opportunity because they really just want the opportunity to give you an early preview and that's different. So I would love the industry to have the ability to enable advisory staff that actually is meaningful, that actually will have the ability to impact products of these companies. A lot of smart people in our industry, we are recipients of the vendor's stuff, but yet we could contribute more.

Jeff:

And sometimes you can be both recipient and a victim of the product. And no, I like your idea because it's not a requirement session. And you're right, vendors run the risk of having an advisory board turn into our 10 largest customers. So because of that, you get access to what our next, what's already underway, but what's going to come out next. And to your point, how much are they really affecting the direction?

Den:

And that literally was every advisory board I ever went to my time with Adobe and famously myself and one of my architects. And the worst of this was is this was like the Sunday before RSA and we're in some shitty hotel room listening to this vendor tell us about the future of whatnot and their thing. And there was no advisory piece.

Den:

Literally

Den:

We got there at eight o'clock in the Sunday morning, lunchtime Sunday. We're like, screw this, we're out of here. We went out, we got lunch, we sat at the bar, we had a beer, we chilled, we chilled for the rest of Sunday. And then they asked us, why did you leave? It was very visible. You got a room, maybe 40 people, very visible that this top tier customer, Adobe, didn't come back after lunch. And we were just like, because we weren't advising, there was no advising piece to this puzzle. So at that point, I didn't want to blow a Sunday. I was going to be up there for Monday, Tuesday, Wednesday, Thursday as well. It's like why I don't need an extra day. So

Jeff:

Yeah, I'm with you. If you're going to be an advisory board, advise and if you want to call it an advisory board, then take their advice. It doesn't mean you have to follow all of it, but you need to listen to all of it.

Den:

Yeah, exactly. And ideally have the conversations before your product is being baked in the oven already. You want us to do advice, but we're not getting a chance to change the ingredients or change the product or whatever. You're already baking the thing based on your already made decisions. So that's all negative and stuff, Jeff, so why don't we end the show with something a little positive. What are you looking forward to from an industry perspective?

Jeff:

I'm looking forward to three things. One, I'm going to drop the URL, it's identitymanagementday.org, and I know you're going to send it out later as well, but what I'm looking for, I can't help plugging, sorry. What I'm looking for, and I'm looking forward to in the industry, and I said wallets before, but I think wallets are going to play a huge role in identity and authentication, especially when it comes to cross border activities. More and more now, borders, well, a lot are in flux right now, let's just say to the least. And depending where you're living, it can be a dangerous change, but cross border activities are now the norm. If you live in Canada and work in Illinois, that's not that unusual and you have to be able to bank, you have to be able to have transactions that go across borders.

You have to be able to cross the border. You may need healthcare in one country or the other. All of those things right now are a challenge, and I'm looking forward to a good wallet, technology or architecture actually use a better term that can allow cross border activity. Let's look at refugees for instance. Refugees have a problem of when they leave their country, they may not be able to take anything that identifies them with them. They may not have anything. How do you identify them? What happens to them next? Can they bank? Can they work? Can they live somewhere? So I'm not making a humanitarian thing, but although there are a lot of humanitarian benefits to it, but I think we're at the point, it's 2025, we are a quarter of the way through this century. We should be able to provide a way to online or at least have a digital version of who you are and how you can authenticate that. And I expect to see the first good implementations of that within the next five years.

Den:

Yeah, yeah, yeah, definitely. No, you said three things. I think that was two, right?

Jeff:

Okay. Yeah, I talked about Identity Management Day and I talked about what's going forward with wallets and transborder, and I think the third one, thank you, is within enterprises. I think the days of let's find a way to rip everything out and give you a new way to authenticate, and we're going to send you texts and we're going to need to have this token in your hand and blah, blah, blah. I see that going away, especially within enterprises, maybe not in the consumer space within the next three years.

Den:

Yeah. Yeah. I mean the whole onboarding and verifying who you are and all those things, it's funny because even that from an enterprise perspective with the wallet technology in place would be a breeze.

So there's a lot of benefits to all three of those things. Jeff, thank you very much. I really appreciate your time. It's great having you on the show. We'll put the links to the IDSA on the show notes. We'll have the registration for Identity Management Day. We'll have any other links that Jeff wants us to share or him, as he says, a little shameless promotion in there. So we'll add all the links. You'll get Jeff's bio and a link to Jeff on LinkedIn. So thank you very much, sir. We appreciate it. Great catching up, and we'll speak soon.

Jeff:

Always a pleasure, Den. Thank you very much. Thank you.

Narrator:

Thanks for listening to Cyber 909. Subscribe wherever you get your podcasts, and don't miss an episode of your source for Wit and Wisdom in cybersecurity.

About our Author
Jeff Reich

Jeff Reich has been the Executive Director of the Identity Defined Security Alliance since 2023 and has been actively involved in the security and identity community for five decades. He is a well-known advocate for cybersecurity awareness and education. He joined IDSA from the Cloud Security Alliance. Before CSA, he created and built the security and risk functions at ARCO, CheckFree, Dell, and Rackspace. Jeff did the same at multiple financial services companies and five startups. He has received numerous accolades and certifications as a cybersecurity expert and industry leader, including CISSP certification from ISC2 in 1993, and the ISSA Distinguished Fellow designation in 2011. In 2015, Jeff was inducted into the ISSA Hall of Fame.
