Identity as a Business Control: Ayan Roy on Risk, Governance & AI Strategy

0:08 Everybody, welcome back to Sevy Talk. The best conversation you're going to hear all day. Glad to be back with you. 0:14 It's me, David Lee, of course. Enrique here. What's going on, my man? Hey, David. Good to see you, man. It's been a little 0:19 bit, man. It's been a while. It's been a while. Yes. Missed you, man. Me, too. I know. I should have moved to Canada. 0:25 And Simon, too. I know. Jim, where's Simon been? I don't know. Anyway, listen. We got a 0:31 great episode coming up today. We have Ayan Roy, head of cyber security at EY, coming by to have a conversation. We're 0:36 going to get into some stuff. We're going to talk about identity security. We're going to talk about where the industry is going. Stay tuned. You don't 0:43 want to miss it. All right, Ian, welcome, man. 0:50 Thank you. Thank you. Happy to be here. Excited. Looking forward to the conversation. Yeah, it's going to be a good one. Yeah. 0:55 Ricky, how you doing, man? I'm good, man. I'm good. Great show. Yeah, we're in Texas. Great to have amazing 1:02 guest here. Thank you for joining us. Thank you, Henrik. Anybody had any barbecue yet? 1:08 I have not. I mean, you know, we're in Dallas. I had eaten Indian food. You I Indian food in Dallas? 1:14 Inevitable, right? Hanging with the people that we hang out. Okay, that's true. But I'm just saying you're in Dallas, so you guys 1:20 And I had both. I had Indian food Monday night and pork chops last night and they were both amazing. 1:26 So, it was weird. We had um I went to a dinner last night and all right so we're in Dallas and we were talking about the 1:33 the the different things on the menu talking about different like barbecue sauces things like that. So they had a Carolina barbecue on a Dallas menu which 1:41 is crazy. So, all right. There's different kind of barbecue sauces for people that don't know, right? And and like Carolina barbecue sauce is us like 1:48 a vinegar based kind of sauce, but like in Texas, right, this is when you move to Texas, there's three things you get 1:54 soon as you get here, right? You get your ID, right? You get a gun and they tell you about barbecue sauce, right? 1:59 And so, like Texas has their own type of barbecue sauce. So, the fact that we're at a Texas restaurant and they allowed 2:05 Carolina barbecue, I was like, I don't know who this chef is, but I don't know 2:10 how they allowed me. clearly. So anyway, it was just interesting. So I got to make sure I I grab some barbecue. 2:16 It wasn't I don't really like the Carolina style barbecue sauce. Anyway, so it was just one of those things. But anyway, 2:21 um what do you guys think about the show so far? Uh very exciting. Yeah, very exciting. It's uh amazing to see 2:27 all the innovation that's happening around AI security and uh our clients need that. So it's it's amazing to see 2:34 all the new development. Uh so excited for solving the AI security problem for our clients. 2:40 Yeah. How do you think that we've been watching this industry right 2:45 for the last you know couple of years kind of transform from you know identity and IT administrations identity security 2:53 right we're going to come to IVIP in a second oh my god I know I know it came up a couple did it 3:00 came up last night in the conversation we're going to get to that but um like 3:05 this move to identity security and how we have to look at it now I'm interested I to get your take on 3:13 how do you think we need to look at it now, right? Cuz I think for the longest time, you know, we've kind of looked at 3:19 identity more so not as an enabler, but more so like cost center as a thing that 3:25 we have to do. Yeah. But now I I think it's it's different now. We kind of really have to start leaning a little bit differently. So 3:31 what's your what's your take on that? Absolutely. No, couldn't agree more. Uh I've been working in this space for over 25 years and back in the days it was 3:38 single sign on. uh then we went to compliance and now what is so exciting 3:43 is identity security and what I mean by that is if you look at what is happening around us now a lot of nation state 3:50 actors are using AI to create more advanced threats and attacks and the 3:57 time to exploit is reducing in a in a big way uh so what we are now trying to 4:04 share with our clients and discuss with our clients is how to build the right defense in depth and identity is a 4:10 critical component is a critical layer to build the right defense in depth. The one other data point I'll share with you 4:17 David is um we do a lot of shadow investigations post breach we go in and we look at how the threat actor is 4:24 exploited and the kill chain 90% of those attacks we have seen uh lateral 4:30 traversal privilege escalation and the counter measure for that again comes back to identity how do we secure 4:37 our privileged not just human ids but the non-human ids as well um so identity 4:43 is now in the forefront we need more identity signals going to all our endpoint detection into your SIM 4:49 security event monitoring and that is a fundamental countermeasure now to deal 4:54 with the advanced threats which is no and I I agree 100% 4:59 especially if you think about for me it will be so obvious uh if you think of the attack chain and the critical path 5:06 being identity I don't remember last time I saw a a breach or an attack which 5:11 didn't involve identity correct So why do why do you think leaders and organizations 5:19 uh they don't embrace that and and identity is still seen as this perhaps uh the stepchild of cyber security. Why 5:27 why are we not talking about that more and uh or maybe they are do you think 5:32 your clients are now perceiving the importance of identity and and giving a a different 5:39 look at this? Absolutely. Yes. And so Enrique I'll share again a story. I was talking to a 5:44 good friend of mine. He's the cyber leader at a private equity entity and uh when we were having a conversation he 5:51 said you know I and I wish I did more identity growing up to become a CISO 5:56 and that was music to my ears. He grew up the ranks being a attack and pent tester to building some of the most 6:03 sophisticated cyber operations center sock and he was one of the best architects that I've known for sim and 6:10 coming from someone like that and saying that I should have done more identity because and that was a eye openener for 6:17 me as well because now a lot of cyber leaders are realizing the importance of 6:22 identity like to make zero trust really work you need conditional access in addition to micro segment mentation and 6:29 that is in my mind a realization the industry is realizing business leaders and cyber leaders are now realizing that 6:37 identity is a critical countermeasure and identity security really helps us 6:42 build the right defense and depth like without identity security we cannot have AI security 6:47 and and I love it because uh well knowing you you work for EI right and uh 6:53 you are in charge of a much broader scope uh than just identity in cyber security. So, uh, having that context of 7:00 the growth of importance, I think, and the advocacy on on the topic, uh, I hope we didn't have to talk so loud about 7:07 this and the importance about this, but I I think I uh, yeah, as as you're telling us, uh, I think the 7:13 we see the tables turning a little bit. Yes. And identity not only having a seat at the table as as I think we spoke in 7:20 other episodes, having the biggest seat absolutely as well. So to your point, CISOs having to have this knowledge 7:27 about identity. Um but let me let me perhaps ask a few 7:34 different angles on this which is how about the identity practitioner having to learn more about threat detection. 7:40 Yes. They they having to learn about this taxonomy of what an attack chain is and 7:46 and what this means to them. So do you think uh uh do you see EY or yourself 7:51 talking to your clients also approaching identity teams having to learn this new 7:56 skill in in in cyber? Absolutely. Yes. Absolutely. Yes. And and Rick you bring up an excellent 8:02 point. As identity practitioners we have often thought about new hire transfer 8:07 termination authentication type of controls. What we now need to learn is how do we 8:13 integrate with the right data security tools? How do we integrate with our threat and vulnerability management tools? How do we do a better job of 8:21 managing non-human ids and integrating with operational technology OT security 8:26 solutions? So that is very critical. Uh a lot of our as we work with our 8:31 clients, it is very difficult to build the right security with just one product. So one of the things that we're 8:37 talking to our clients right now is how do we bring the ecosystem of our alliances? We're working with our 8:43 alliances like Saviynt and Crowdstrike building the solutions integrating the solutions and that is so important. The 8:50 other layer that we are very focused on we have to as identity practitioners we also have to understand what are the 8:57 business trends what is happening in the business and hybrid is here to stay. Yeah Nvidia is pushing GPUs on prem 9:04 hybrid is absolutely here to stay. How do we create a single pane of glass across different hyperscalers? How do we 9:11 create a single pane of glass so we have more visibility into what's happening so that we can build the right defenses 9:17 hybrid and and it's it's interesting because we we spoke about hybrid cloud 9:23 for so long and and having onrem with with with SAS and and is 9:29 uh are you talking about hybrid in a sense of intelligence as well the hybrid 9:34 of human intelligence artificial intelligence and the combination of both absolutely absolutely so so I I would 9:41 say hybrid uh onrem uh in the cloud multiple hyperscalers. So we are 9:46 absolutely seeing that with our clients uh and and that's primarily being driven by resiliency. We've seen some outages 9:52 now and humans in the loop is so critical right now. So we are using AI uh for our 10:00 L1 L2 automation and humans in the loop is so important to kind of drive the uh 10:07 accuracy and the speed of of uh cyber uh threat management. 10:16 How do we how do we make a shift from 10:22 moving identity from like this cost center mentality like to this enablement 10:28 mentality, right? And outside of the solutions, right? But really driving this this thought mindset of these 10:35 leaders, right? So I want to dig into that example of that the guy you were talking about saying like, I wish I did more identity coming up, right? Oh, 10:42 and we we've had this we've had this conversation, you know, a number of times of a lot of these leaders, a lot of the 10:48 thing with identity, 80% of it is the tech. This other 20% which is this big chasm they have to cross is all the 10:54 other stuff. And I was having a conversation about this last night. It's the, you know, the horse trading, the, you know, talking to the application owners, 11:00 getting your committee together, right? And really understanding across the business like why this is so important 11:05 and getting all those things done to actually build the program. And now when we look at this like we the business 11:10 gets it identity isn't everything and we can say that it's an enabler but how do we how do we work with the rest of our 11:17 industry? How do we help our practitioners do that right and then say okay well it's an enabler but 11:22 so then how do we enable the business right like how how do we how do we work with the rest of our our peers to go 11:28 well go enable the business and how do we get the business to look at it like that. Yeah. So uh excellent question. So I'm 11:34 going to this is when I start dating myself. Um so about 25 years ago I was 11:39 working for an automotive company when you were five. 11:45 And in the automotive company um they were the market leaders in all segments 11:50 with the exception of the new first-time car buyers. So what this automotive company decided to do was they wanted to 11:57 launch a new brand to get the first first-time car buyers to start uh buying 12:03 u this brand and so they at back then I had a 8month timeline to get web single 12:10 sign on onto those uh web properties and they came to us and said the business 12:16 came to us and said we are going to launch the portal uh for this new brand 12:22 in 8 weeks at the New York auto show. So we we either get security done in 8 12:29 weeks and my traditional SDLC was 8 months or I'm going to go without 12:34 security. So that was my alternative and I worked with IT infrastructure to kind of enable the business. So I kind of 12:40 started doing this way back in my career and I have always taken that philosophy 12:46 to our clients. as a cyber practitioner, my job is to enable the business to 12:52 perform their transactions securely. Uh, one other client story that I'll 12:57 kind of share with you, uh, and this became real to me when the CFO of a cruise line, one of our clients went to 13:04 the board and said, "We are going to add a billion dollar of revenue using our 13:10 digital channels." So this is a cruise line that is going through a digital transformation and one of the big 13:17 challenges for us was to create that omni channel experience the ship shore 13:22 experience for uh the customers and and what became real for me was we have to 13:29 enable the technology to meet the business need so that the CFO could go back to the board and say yep we have 13:35 generated a billion dollar in incremental revenue. So I have lots of these examples a life sciences example 13:40 where uh researchers and scientists are working on drug research bringing drug 13:46 to market. What we are what we need to do from a cyber perspective is how can we enable these researchers to come into 13:53 the environment more securely and create a frictionless seamless experience. 13:58 Yeah. I I I was looking at your answer and and and and listening to the examples you gave 14:06 which are basically CIM customer. I am two of them CIM one extended workforce. I I had this hypothesis when we think 14:13 about identity and as a not as a cost center but as a value uh generating uh 14:20 type of business. It is hard to think outside of CM because yes, you put a dollar, you get 14:25 more clients, revenue. Yeah. Um and uh but I I like the last example which you 14:31 gave is researchers or external um employees or non-employees accessing 14:37 this the less frequent they have to do that it also enables business. 14:43 Absolutely. Um I think those are great examples. Uh and I I my hypothesis is is there anything 14:50 outside of customer outside of the either B2B or B2C type of uh more 14:57 workforce focus that we could think of making identity more as a cost center. Yeah. There's the risk avoidance and the 15:03 cost avoidance of user provisioning for example efficiency of getting access. Do you see other examples perhaps in 15:10 your in your career 25 plus years that by the way I remember web SSO. Oh my 15:16 god, that that brought me back. Wham web access management. Yes. Um, but do you 15:21 see other examples there are perhaps workforce uh that are not just oh this 15:27 this is good it's it's saving me money but no it's it's making me money which I think it's a it's an interesting 15:33 difference. Yeah. So Enrique one other u so I was with our chief economist uh a few months 15:39 back and he was talking about the macroeconomic uh trends right now. M. So if you look at our clients and their 15:45 businesses today, they're dealing with supply chain disruption. They're dealing with the impact of tariffs and what does that mean? They 15:52 are going to different suppliers in different countries. Our clients are going through more 15:57 transactions than they have ever done before. Like we are seeing a increase in M&A activity. That is another area where 16:05 identity plays a critical role. This is where we are enabling the business. How do we onboard hundreds and 16:12 thousands of users so that they have a again a seamless experience? The last thing you want is parent entity and 16:19 acquired entity having two different identity systems. So we have such an important critical role again to enable 16:25 the business to get seamless access the right level of security uh and and 16:31 without identity without the right identity technologies the processes and the right team the people process 16:37 technology and the right level of data it is very difficult to enable business. No, I I I love it because uh how many 16:43 times we were talking to clients even prospects and they they asked us I said no I I like the idea please help me to 16:52 to talk to the business in a way that we can justify this. So I think those examples are just a great way to 16:59 illustrate that a blueprint if you will uh to have those kind of conversations. Yeah. But I think it's also like we we 17:05 have to shift and I say we as an industry right like the practitioners in general like we we have to shift the 17:12 mindset of how we approach all of it. Right? The conversation I had last night um you was talking with you know a 17:19 customer and you they were talking about you know they're excited to get started on their journey things like that and 17:24 the guy was just asking me all these questions how do we do this how do we do this how do we do this and I finally had to say dude like techn is not the answer 17:30 to everything right like you know like well well and if we do this how are we going to get audit to agree to do this 17:36 and I was like you go talk to them and ask them right like well but they always do this 17:42 and they're old school and I was like then you have to go ask them and say, "Well, you did it this way before. If I 17:48 show it to you this way, well, they're never going to accept that." Then you got to go figure out and come up with a 17:53 compromise. Like, we have to get past this like techn is going to make it better. Techn is going to make it better. Techn is going to 17:59 make it better. It's not always going to make it better. And maybe there is an answer, but also the answer is going to them and saying, 18:05 "Hey, listen. I know that this is what you're used to and this is your process and this is what you want. So now let's have a 18:11 conversation and get to why is it that you want something a specific way, right? Okay. So you know that your 18:17 process is XYZ and this is what you want, right? And you're you're you're telling me to do something that I feel 18:22 is inefficient, but this is what you're saying to do. Okay. Well, I can sit here and we can we can butt heads all day 18:28 long. Or I can go we're teammates. We work with the same company at the end of the day. Like we 18:34 want the same thing. So, let me figure out why is it that you want this and then show you that hey, this is what you 18:40 want, but I'm showing you that I can get you to the same result just in a different way and it's more efficient. I was like, these are things this is 18:46 identity all day long. And that's the one thing that I think we we've lost in in the industry is that we forget that 18:53 so much part of this is you've got to get involved with the business and talk to them. And some of it needs to be changing your process, some of it needs 18:59 to be changing the technology. And one of the things that I told the customer at the end of the day is like this is how you need to measure this, right? Yeah. when you look at it, you should be 19:06 doing you should be tweaking on both sides, right? And neither shy should ever tweak too much. If you're tweaking the business process too much, you're 19:12 wrong. If you're if you're tweaking the technology too much, you're wrong. But you should never be sitting there and going, "Well, the technology should 19:19 solve everything." And you should never be saying, "Well, the business absolutely has to change." Those are, right? It should be a mixture of both, 19:25 right? And you know, for those of us who are musicians, stuff like that, or whatever, it's like when you're on a mixing board, right? You're trying to 19:31 get the perfect mix and balance. I'm gonna raise the trouble up just a little bit. Now I'm going to pull down the B. Like you're constantly trying to find 19:37 that perfect mix and blend. And I think in the industry we lost that, right? Like and and and I'm always 19:43 going to be critical of us first in the industry. This is we live and breathe this, right? It's it's our job to be in this and and helping our customers and 19:49 reminding them doesn't matter if we're on the vendor side, the practitioner side, wherever, right? Yeah. We have to do that because they look to 19:56 us to go, hey, what are these answers? Right. And it's sometimes calling them out and not telling them what they want 20:02 to hear like, "Oh, okay. We're going to do this." No, no, no, no, no. Like, hey, you got to go do some work. 20:07 So, you're going to go have to talk to the audit team. You're going to go have to talk to your application owners. And yes, you're going to have to spend some 20:13 hours. And yes, maybe our technology will there's some technology that'll make it better, make it easier. Yes, maybe a consulting company will come in 20:19 and do some work for you, but like you still have to do some work as well, right? And I think those are some of the things that we have to get back to 20:25 because I think that what we're going to see over the next really 3 years with 20:31 where we are with technology and and how the opportunity that AI presents, right? 20:36 And and I and I want to be very clear when I say that because it's, you know, there's all this buzz around AI and and 20:41 what it what it can be and what it can do, but it's very clear the opportunity that's presented and how it's allowing 20:47 us to change the way we operate, right? Right. And so that opportunity is going to give us this ability to completely 20:54 change the way a lot of people work and and and how we address a lot of these problems. And that's not something that 21:00 we can ignore, right? Absolutely. And so I think leaning into that and giving our customers the ability to go like there's 21:06 things that there's ways that you can address problems that you just you couldn't even imagine doing before. 21:12 Yes. Right. Yes. So, couple of thoughts, David, that come to mind. And you brought up some excellent points. And by the way, my 21:18 daughters are in orchestra. So, your music and how you play together. We got to talk more about music in this 21:25 episode. Yes. Yes. They're they're violinists. And uh so, so to your point like how the 21:31 orchestra comes together is so important. Um and as I think about your your point 21:36 around engaging the business, we often in cyber get into our technical jargon. 21:42 Yep. We talk about killchain indicators of compromise and we lose business at that point when we start using that 21:48 language very much. What we need to really focus on is talking in business terms. What is the 21:54 business impact? What is the business risk tolerance? Because we have to partner with the business to design the 22:01 right process. To your point, we have to design the right endstate process. And with AI, we actually have an opportunity 22:08 to do that. We have an opportunity to rethink how we have historically done 22:13 things and how we should be leveraging AI in our future state process and it 22:18 should really be a a partnership with business to get the right level of 22:23 security and business should be in the discussion signing off on the risk tolerance because we are not doing 22:29 things to them we are doing it with them right so that is that is so important great point David I I think uh going back to balance uh 22:37 it's almost like we're balancing three things. The two that they brought up, which I think 100% it's solid advice, 22:44 which is the technology and the processes, right? They're fine-tuning those two things. Uh and the third one, 22:51 which is we got to talk the same language. Yes. If we're too deep into the weeds of what 22:56 identity proficiency and O 2.0, we lost the audience here. Yes. Um we we saw a 23:03 Garner how much they're pushing the idea of outcome uh driven metrics. So um 23:08 having leaders talking more on this sense of business language of hey let's talk about the 23:13 outcome. Uh let's talk more about the problem we're solving versus the tool and and balancing those three things. Do you 23:20 agree? Makes sense. Number one, I love the rule of three but also it's easy to remember and it's a process. It's the 23:26 tools but also the language we use. I think um good stuff were coming up. 23:32 Absolutely. Absolutely. And it that is the other part that we have to unlearn like you know I would love to talk about 23:38 Spiffy and Samuel and what to your point but but that's the that's where we geek 23:43 out but not with the business right so so yeah couldn't agree more Enrique 23:49 music now what's your favorite band you two 23:54 okay it's and they have stayed a band together and I think that the power of the team in in identity the power of the 24:01 team in cyber it is so important perseverance. I I I can think of a few identity vendors that they just 24:08 persevered and perhaps they they thrived because of that. I can like Purge, 24:13 another band like that. So, of all the grunge bands, is Pur Jam the best band of that era? I don't think they were, 24:20 but uh they just stay longer. Yeah. Are they still the same band? I don't I don't I don't I think they changed drummers, but most 24:27 drummers Yeah. Yeah. Eddie Was it Eddie Veter? Is that the Eddie Veter is the singer? Okay. See, I know a little bit. I don't know a 24:34 whole lot. I don't understand. It's not my genre. R&B, not my thing. So, I know 24:39 I'm learning classical music. I mean, I'm I'm I am developing a big bigger appreciation for classical music now 24:46 because the girls are playing violin. So, yeah. How many How many girls you have? Two. Two daughters. Yeah. 24:51 Both play violin. 13 and 11. Yeah. They're both in the orchestra. Yeah. That's awesome. So, that's it's uh I enjoy watching them 24:57 and hearing them. Yeah. Is it So, is you're playing with them? No, not yet. 25:03 No, that was it's a it's a tough instrument to learn. That's what that's what I've realized. Like it takes a lot of practice. 25:08 Yeah, there's no frets. It's it's it's No, I I really admire. Wait, is technically right, there's a 25:15 fret on a violin, isn't it? No, no, it's fretless. Oh, is it is fretless? Okay. So, you got 25:21 takes a lot of practice. Okay. That's what I'm learning. Yeah. But yeah, longevity of what we do in 25:27 identity too and and in cyber security companies they say no we know who we are. How many times at Garner I spoke 25:34 with with startups and vendors and they say tell me who you are and and not all of them they have that answer tip of the 25:41 tongue it's no we do this AI so and we start with that question AI and and in 25:47 this conference here uh yes I think it's changed the way we work it's changing the way we'll protect it's changed the 25:54 way attacks are being uh constructed as well um however 26:00 too many noise isn't it Ian and and And um how do we even come out with perhaps 26:07 recommendations or suggestions to filter out the noise from the the good stuff? 26:13 Yeah. So what do you think Enrique couple of thoughts and going back to the uh the three points three S's. So I have 26:20 started using that in my client discussions. Design for speed, design for scale and 26:26 design smarter systems. Speed scale scale smart. So 26:32 going back to the days of human identity and smaller population, now we're dealing with a higher volume of 26:38 identities. So the need for scale is so important. The human ids, non-humi human ids, I 26:46 talked about speed, the what is the way zero day exploits were um uh were 26:52 leveraged in attacks. The time to exploit is shrinking rapidly. So that 26:58 speed is so important like as we design systems as we think about identity for the future we need to design for uh 27:06 speed which is you know fundamental. We need to make our systems more intelligent. So for me again the fact 27:12 that we have started building more intelligence and more AI into our 27:17 identity systems is very exciting and for me that is where the innovation is going to happen like a lot of good 27:23 innovation and most of the uh most of our some of our alliance partners who are thinking along those lines who are 27:29 embedding speed scale intelligence into their innovation journey are absolutely 27:35 going to be the winners at this point. That's that's very good because I think everybody a little bit afraid of bubble 27:41 scenarios. Uh we saw the bubble of web. Yeah. And um because there was a lot of good 27:47 stuff happening at that point and a lot of garbage, right? So I I can imagine with with AI a lot of real good revolutionary 27:54 innovative stuff and a lot of man you're just doing you don't you don't know what you're doing. It's a bunch of people in 27:59 Brazil typing things and selling that as AI and and we we saw examples real 28:05 companies now our AI was a bunch of guys like just typing in the back back end right so um I think a lot of leaders are 28:12 a little bit okay I know I need to be fast but I'm I'm I'm super cautious about 28:18 making the wrong wrong call here yeah and I mean some of us have been in the identity space for several years now 28:25 or decades I should say and if you think it's just years. Thank you. 28:31 And way back when we started talking about access uh certification socks 28:36 compliance, we enabled more rubber stamping that was 2000 that that wasn't real security in my 28:43 mind. So the fact that we are really talking about identity security now for me that couldn't be more exciting 28:49 because I'm so I get excited talking about building a secure and more trusted working world. So for me, identity 28:56 security is here to help us get there. Yeah. Do you remember what what Sachin said about about the certification campaigns? 29:02 I think man, this is brilliant. And and not because our CEO, but he said 29:07 something about certification campaigns. So if you're running a certification campaign and you're removing 5% 2% of 29:14 entitlements, you're doing compliance. Yes. Now, if you're doing this and now you have recommendation, you're removing 60% 29:21 7% of entitlements, you're doing security. Yes. Wow, this absolutely it's kind of brilliant. 29:26 Zero standing privileges, just in time access, shrinking the tax interface. Yeah, so important to 29:34 I I'm on the other I don't I don't believe in access reviews at all, but that's that's a different conversation. So, I I 29:41 will say this. I agree with you. I'm I'm I like where we're going from just the 29:47 identity security standpoint of it, right? I want to see identity get to the point where we're less about the 29:53 compliance aspect of it and the administrative aspect of it and more about looking at identity from a true 30:00 like risk perspective like here's all this access here all these things what does it mean right what does it mean for 30:06 this account and these access and these privileges within my organization right 30:11 David has access to these cloud accounts this these privileges so what does that mean right cool David accesses this 35 30:19 times a day. Is that good? Is that bad? Right, he has access to this much data. Like to start 30:24 having these kind of intelligent conversations around like the type of risk that this brings to the the 30:29 organization. So, um this has been awesome. We're going to we're going to wrap up with a with a couple of things. I want to get back to 30:35 IVIP because this came up at dinner last night and we could not figure out like so somebody went to the session was like, "Yeah, they came up with this new 30:41 acronym, a gardener IBIT." We made the Jeff G because all gardener analysts get their bonuses based on if they come up with an acronym and it's sticks. Uh but 30:48 like I don't what does it stand for? What is it? Cuz I remember we talked about it at SERS. What is it? IVIP is 30:54 identity visibility and intelligence platforms. Okay. All right. That's and uh and it's a hoax. Uh analysts 31:02 don't get paid by the acronym. I can attest. 31:07 Um but I I I did call one of my old good friends a gardener and say hey what is 31:12 this about? So I I did ask them and u what was interesting I didn't see from that angle uh because we talk about ISPM 31:19 as well identity security posture management and so my question was more about what's the interaction or the 31:25 intersection of both and the way they describe no visibility it crosses security 31:31 there are things we can do for example with IV which includes for example uh license management 31:36 so are you overusing licenses are they so that has nothing to do with security 31:42 so Okay, I can see that. And then as as a as a reporting dashboard of visibility, it it includes other things 31:48 that are not security. While security posture management, it's mostly focused on uh reducing attack surface and um 31:56 improving your posture, right? So security. So I think I I was satisfied 32:02 for now, but I I say I want to go deeper and maybe another episode on this 32:08 because I could see that kind of going back to like the enablement discussion, right? like I just think in general right and and 32:14 we'll kind of close with this right going back to making an enabler right I think we have to kind of retrain 32:21 how we how as again when I say we us as a practitioners how we see ourselves in 32:26 the business and get out of us putting ourselves in that hole of like we just 32:31 do this right and nerding out on our little technical things and when we come to the table being able 32:37 to do things and asking those questions around hey like as a business what you know what drives you every day like 32:43 what's your P&L right talking to them in their language and so things like like license management or things like that 32:49 or whatever like realizing that we've got to be able to understand what we can bring to the table and that can help 32:56 them succeed at what they do and I I think AI is going to help with that because instead of being threatened by 33:02 like hey now AI allows even a business to come up with apps and things like that I think what it will do will be 33:08 interesting is that now it can kind of be that translator for us where a lot of us we sit there in our technical like we 33:14 want to talk all spiffy all this stuff whatever well they don't know that but now they can just say you know what I want I want an app and here's the things 33:19 I want to do and then AI can just kind of make it and then we can go oh that's what you want well okay to do that you really need this is whatever and don't 33:25 deploy that app yet cuz a whole bunch of stuff we need on the back side but now all of a sudden right like cool we can 33:30 make this happen for you let's do some stuff over here that we need to do don't worry about it we're going to make it a little bit more secure add some here but 33:36 now we know what you want business and we can help you get there faster more securely, right? And now it's, you know, 33:43 there's this there's this kind of real conversation happening where we know what it is you're wanting and 33:48 now we just kind of have this translation layer, right? I I don't know. I just I I feel like we can kind of get closer to that where 33:54 it's like now we're truly helping and working with the business and like I think AI can help us get there. Absolutely. And and David, one other 34:00 point I will highlight because this is how I make friends in the business. AI can actually help me bend the cost curve 34:07 for doing identity and cyber. So it can absolutely help me from an affordability standpoint. Our businesses have an big 34:14 agenda to build more affordable and affordability is a big priority for our uh clients and using AI we can 34:21 absolutely bend the cost curve. Um so I talk a lot uh you know to my clients and 34:26 CISOs and cyber leaders and identity leaders and we need to hold ourselves accountable. We need to be given what is 34:33 happening around us and this is back to my three A's. Yeah. uh accountable, 34:39 adaptable uh and agile. So agility, adaptability, 34:45 and accountability. We need to hold each other accountable. Awesome. Yeah. I'll use that to make more friends. 34:51 Yes. No, it it's been great. Thank you for coming. Thank you for sharing this 34:57 with us. I I I I love the conclusion we got here together of the product 35:02 process, the language. Uh and uh very grateful. I think the audience would appreciate that as well. 35:08 Thank you for having me. This is awesome. Pleasure. Appreciate it coming through, man. Thank you. 35:17 All right, that was good. Hey, that was really good, man. Man, I Roy Uno. 35:22 Two violinist. It's pretty awesome. Without frets. Without fret. I see. I 35:28 Here's why I thought they had frets. Because of the strings. Like I just assumed like there would be frets there. What? 35:33 No. super difficult as identity inside what people like to say it's difficult. I had a surprise for you though. 35:40 I started I picked up acoustic guitar. Good for you. Yeah. Yeah. Technically, I've I've I've been playing 35:45 for a while. Yeah. Um it I I'll I'll tell you off off camera. It's a long story, but I started playing again. 35:51 Yeah. You know, working on my got to build up my calluses again, you know. So, well, I'm I'm holding myself back here not to jump into advice mode. And 35:58 speaking of good advice, what what Ian said on on the the three 36:04 things, well, I think we came on that conclusion of the balance. Yeah. Right. The balance and I I like your analogy. 36:11 Well, I'm an analogy guy, but the how you're mixing things up. So, it's a good level uh of product uh the process, the 36:19 language. Um and and that was something that uh I was always 36:25 very self-conscious about. Yeah. Even in the natural sense of language 36:31 like the Portuguese and English being a second language and how AI can help me if I go Gemini polish this 36:40 in a way that my colleagues uh would uh clearly understand. Yeah. Uh what you 36:45 said about that too in in the language side of AI could help us in identity to rewrite 36:53 and polish this the way the business can understand. I was thinking about that. I think it's going to be huge. Right. 36:58 And I like his um I like the three S's, right? That too. Yeah. So it was the uh see if I remember 37:03 them. It was the speed, scale, and smart. And smart, right? 37:09 Yes. Always got to keep it simple, man. Three. It's easy to remember. Uh, and 37:14 uh, no, it was a very good entertaining, but also I learned a lot. Always learn. Did you learn? 37:20 Always learn a lot, man. I'm always learning. We do. And it's hard not to. We got the great guest, man. It's always 37:26 the guest. It's never me. So, let's do it. Let's do it, buddy. 0:08 Everybody, welcome back to Sevy Talk. The best conversation you're going to hear all day. Glad to be back with you. 0:14 It's me, David Lee, of course. Enrique here. What's going on, my man? Hey, David. Good to see you, man. It's been a little 0:19 bit, man. It's been a while. It's been a while. Yes. Missed you, man. Me, too. I know. I should have moved to Canada. 0:25 And Simon, too. I know. Jim, where's Simon been? I don't know. Anyway, listen. We got a 0:31 great episode coming up today. We have Ian Roy, head of cyber security at EY, coming by to have a conversation. We're 0:36 going to get into some stuff. We're going to talk about identity security. We're going to talk about where the industry is going. Stay tuned. You don't 0:43 want to miss it. All right, Ian, welcome, man. 0:50 Thank you. Thank you. Happy to be here. Excited. Looking forward to the conversation. Yeah, it's going to be a good one. Yeah. 0:55 Ricky, how you doing, man? I'm good, man. I'm good. Great show. Yeah, we're in Texas. Great to have amazing 1:02 guest here. Thank you for joining us. Thank you, Henrik. Anybody had any barbecue yet? 1:08 I have not. I mean, you know, we're in Dallas. I had eaten Indian food. You I Indian food in Dallas? 1:14 Inevitable, right? Hanging with the people that we hang out. Okay, that's true. But I'm just saying you're in Dallas, so you guys 1:20 And I had both. I had Indian food Monday night and pork chops last night and they were both amazing. 1:26 So, it was weird. We had um I went to a dinner last night and all right so we're in Dallas and we were talking about the 1:33 the the different things on the menu talking about different like barbecue sauces things like that. So they had a Carolina barbecue on a Dallas menu which 1:41 is crazy. So, all right. There's different kind of barbecue sauces for people that don't know, right? And and like Carolina barbecue sauce is us like 1:48 a vinegar based kind of sauce, but like in Texas, right, this is when you move to Texas, there's three things you get 1:54 soon as you get here, right? You get your ID, right? You get a gun and they tell you about barbecue sauce, right? 1:59 And so, like Texas has their own type of barbecue sauce. So, the fact that we're at a Texas restaurant and they allowed 2:05 Carolina barbecue, I was like, I don't know who this chef is, but I don't know 2:10 how they allowed me. clearly. So anyway, it was just interesting. So I got to make sure I I grab some barbecue. 2:16 It wasn't I don't really like the Carolina style barbecue sauce. Anyway, so it was just one of those things. But anyway, 2:21 um what do you guys think about the show so far? Uh very exciting. Yeah, very exciting. It's uh amazing to see 2:27 all the innovation that's happening around AI security and uh our clients need that. So it's it's amazing to see 2:34 all the new development. Uh so excited for solving the AI security problem for our clients. 2:40 Yeah. How do you think that we've been watching this industry right 2:45 for the last you know couple of years kind of transform from you know identity and IT administrations identity security 2:53 right we're going to come to IVIP in a second oh my god I know I know it came up a couple did it 3:00 came up last night in the conversation we're going to get to that but um like 3:05 this move to identity security and how we have to look at it now I'm interested I to get your take on 3:13 how do you think we need to look at it now, right? Cuz I think for the longest time, you know, we've kind of looked at 3:19 identity more so not as an enabler, but more so like cost center as a thing that 3:25 we have to do. Yeah. But now I I think it's it's different now. We kind of really have to start leaning a little bit differently. So 3:31 what's your what's your take on that? Absolutely. No, couldn't agree more. Uh I've been working in this space for over 25 years and back in the days it was 3:38 single sign on. uh then we went to compliance and now what is so exciting 3:43 is identity security and what I mean by that is if you look at what is happening around us now a lot of nation state 3:50 actors are using AI to create more advanced threats and attacks and the 3:57 time to exploit is reducing in a in a big way uh so what we are now trying to 4:04 share with our clients and discuss with our clients is how to build the right defense in depth and identity is a 4:10 critical component is a critical layer to build the right defense in depth. The one other data point I'll share with you 4:17 David is um we do a lot of shadow investigations post breach we go in and we look at how the threat actor is 4:24 exploited and the kill chain 90% of those attacks we have seen uh lateral 4:30 traversal privilege escalation and the counter measure for that again comes back to identity how do we secure 4:37 our privileged not just human ids but the non-human ids as well um so identity 4:43 is now in the forefront we need more identity signals going to all our endpoint detection into your SIM 4:49 security event monitoring and that is a fundamental countermeasure now to deal 4:54 with the advanced threats which is no and I I agree 100% 4:59 especially if you think about for me it will be so obvious uh if you think of the attack chain and the critical path 5:06 being identity I don't remember last time I saw a a breach or an attack which 5:11 didn't involve identity correct So why do why do you think leaders and organizations 5:19 uh they don't embrace that and and identity is still seen as this perhaps uh the stepchild of cyber security. Why 5:27 why are we not talking about that more and uh or maybe they are do you think 5:32 your clients are now perceiving the importance of identity and and giving a a different 5:39 look at this? Absolutely. Yes. And so Enrique I'll share again a story. I was talking to a 5:44 good friend of mine. He's the cyber leader at a private equity entity and uh when we were having a conversation he 5:51 said you know I and I wish I did more identity growing up to become a CISO 5:56 and that was music to my ears. He grew up the ranks being a attack and pent tester to building some of the most 6:03 sophisticated cyber operations center sock and he was one of the best architects that I've known for sim and 6:10 coming from someone like that and saying that I should have done more identity because and that was a eye openener for 6:17 me as well because now a lot of cyber leaders are realizing the importance of 6:22 identity like to make zero trust really work you need conditional access in addition to micro segment mentation and 6:29 that is in my mind a realization the industry is realizing business leaders and cyber leaders are now realizing that 6:37 identity is a critical countermeasure and identity security really helps us 6:42 build the right defense and depth like without identity security we cannot have AI security 6:47 and and I love it because uh well knowing you you work for EI right and uh 6:53 you are in charge of a much broader scope uh than just identity in cyber security. So, uh, having that context of 7:00 the growth of importance, I think, and the advocacy on on the topic, uh, I hope we didn't have to talk so loud about 7:07 this and the importance about this, but I I think I uh, yeah, as as you're telling us, uh, I think the 7:13 we see the tables turning a little bit. Yes. And identity not only having a seat at the table as as I think we spoke in 7:20 other episodes, having the biggest seat absolutely as well. So to your point, CISOs having to have this knowledge 7:27 about identity. Um but let me let me perhaps ask a few 7:34 different angles on this which is how about the identity practitioner having to learn more about threat detection. 7:40 Yes. They they having to learn about this taxonomy of what an attack chain is and 7:46 and what this means to them. So do you think uh uh do you see EY or yourself 7:51 talking to your clients also approaching identity teams having to learn this new 7:56 skill in in in cyber? Absolutely. Yes. Absolutely. Yes. And and Rick you bring up an excellent 8:02 point. As identity practitioners we have often thought about new hire transfer 8:07 termination authentication type of controls. What we now need to learn is how do we 8:13 integrate with the right data security tools? How do we integrate with our threat and vulnerability management tools? How do we do a better job of 8:21 managing non-human ids and integrating with operational technology OT security 8:26 solutions? So that is very critical. Uh a lot of our as we work with our 8:31 clients, it is very difficult to build the right security with just one product. So one of the things that we're 8:37 talking to our clients right now is how do we bring the ecosystem of our alliances? We're working with our 8:43 alliances like Saviynt and Crowdstrike building the solutions integrating the solutions and that is so important. The 8:50 other layer that we are very focused on we have to as identity practitioners we also have to understand what are the 8:57 business trends what is happening in the business and hybrid is here to stay. Yeah Nvidia is pushing GPUs on prem 9:04 hybrid is absolutely here to stay. How do we create a single pane of glass across different hyperscalers? How do we 9:11 create a single pane of glass so we have more visibility into what's happening so that we can build the right defenses 9:17 hybrid and and it's it's interesting because we we spoke about hybrid cloud 9:23 for so long and and having onrem with with with SAS and and is 9:29 uh are you talking about hybrid in a sense of intelligence as well the hybrid 9:34 of human intelligence artificial intelligence and the combination of both absolutely absolutely so so I I would 9:41 say hybrid uh onrem uh in the cloud multiple hyperscalers. So we are 9:46 absolutely seeing that with our clients uh and and that's primarily being driven by resiliency. We've seen some outages 9:52 now and humans in the loop is so critical right now. So we are using AI uh for our 10:00 L1 L2 automation and humans in the loop is so important to kind of drive the uh 10:07 accuracy and the speed of of uh cyber uh threat management. 10:16 How do we how do we make a shift from 10:22 moving identity from like this cost center mentality like to this enablement 10:28 mentality, right? And outside of the solutions, right? But really driving this this thought mindset of these 10:35 leaders, right? So I want to dig into that example of that the guy you were talking about saying like, I wish I did more identity coming up, right? Oh, 10:42 and we we've had this we've had this conversation, you know, a number of times of a lot of these leaders, a lot of the 10:48 thing with identity, 80% of it is the tech. This other 20% which is this big chasm they have to cross is all the 10:54 other stuff. And I was having a conversation about this last night. It's the, you know, the horse trading, the, you know, talking to the application owners, 11:00 getting your committee together, right? And really understanding across the business like why this is so important 11:05 and getting all those things done to actually build the program. And now when we look at this like we the business 11:10 gets it identity isn't everything and we can say that it's an enabler but how do we how do we work with the rest of our 11:17 industry? How do we help our practitioners do that right and then say okay well it's an enabler but 11:22 so then how do we enable the business right like how how do we how do we work with the rest of our our peers to go 11:28 well go enable the business and how do we get the business to look at it like that. Yeah. So uh excellent question. So I'm 11:34 going to this is when I start dating myself. Um so about 25 years ago I was 11:39 working for an automotive company when you were five. 11:45 And in the automotive company um they were the market leaders in all segments 11:50 with the exception of the new first-time car buyers. So what this automotive company decided to do was they wanted to 11:57 launch a new brand to get the first first-time car buyers to start uh buying 12:03 u this brand and so they at back then I had a 8month timeline to get web single 12:10 sign on onto those uh web properties and they came to us and said the business 12:16 came to us and said we are going to launch the portal uh for this new brand 12:22 in 8 weeks at the New York auto show. So we we either get security done in 8 12:29 weeks and my traditional SDLC was 8 months or I'm going to go without 12:34 security. So that was my alternative and I worked with IT infrastructure to kind of enable the business. So I kind of 12:40 started doing this way back in my career and I have always taken that philosophy 12:46 to our clients. as a cyber practitioner, my job is to enable the business to 12:52 perform their transactions securely. Uh, one other client story that I'll 12:57 kind of share with you, uh, and this became real to me when the CFO of a cruise line, one of our clients went to 13:04 the board and said, "We are going to add a billion dollar of revenue using our 13:10 digital channels." So this is a cruise line that is going through a digital transformation and one of the big 13:17 challenges for us was to create that omni channel experience the ship shore 13:22 experience for uh the customers and and what became real for me was we have to 13:29 enable the technology to meet the business need so that the CFO could go back to the board and say yep we have 13:35 generated a billion dollar in incremental revenue. So I have lots of these examples a life sciences example 13:40 where uh researchers and scientists are working on drug research bringing drug 13:46 to market. What we are what we need to do from a cyber perspective is how can we enable these researchers to come into 13:53 the environment more securely and create a frictionless seamless experience. 13:58 Yeah. I I I was looking at your answer and and and and listening to the examples you gave 14:06 which are basically CIM customer. I am two of them CIM one extended workforce. I I had this hypothesis when we think 14:13 about identity and as a not as a cost center but as a value uh generating uh 14:20 type of business. It is hard to think outside of CM because yes, you put a dollar, you get 14:25 more clients, revenue. Yeah. Um and uh but I I like the last example which you 14:31 gave is researchers or external um employees or non-employees accessing 14:37 this the less frequent they have to do that it also enables business. 14:43 Absolutely. Um I think those are great examples. Uh and I I my hypothesis is is there anything 14:50 outside of customer outside of the either B2B or B2C type of uh more 14:57 workforce focus that we could think of making identity more as a cost center. Yeah. There's the risk avoidance and the 15:03 cost avoidance of user provisioning for example efficiency of getting access. Do you see other examples perhaps in 15:10 your in your career 25 plus years that by the way I remember web SSO. Oh my 15:16 god, that that brought me back. Wham web access management. Yes. Um, but do you 15:21 see other examples there are perhaps workforce uh that are not just oh this 15:27 this is good it's it's saving me money but no it's it's making me money which I think it's a it's an interesting 15:33 difference. Yeah. So Enrique one other u so I was with our chief economist uh a few months 15:39 back and he was talking about the macroeconomic uh trends right now. M. So if you look at our clients and their 15:45 businesses today, they're dealing with supply chain disruption. They're dealing with the impact of tariffs and what does that mean? They 15:52 are going to different suppliers in different countries. Our clients are going through more 15:57 transactions than they have ever done before. Like we are seeing a increase in M&A activity. That is another area where 16:05 identity plays a critical role. This is where we are enabling the business. How do we onboard hundreds and 16:12 thousands of users so that they have a again a seamless experience? The last thing you want is parent entity and 16:19 acquired entity having two different identity systems. So we have such an important critical role again to enable 16:25 the business to get seamless access the right level of security uh and and 16:31 without identity without the right identity technologies the processes and the right team the people process 16:37 technology and the right level of data it is very difficult to enable business. No, I I I love it because uh how many 16:43 times we were talking to clients even prospects and they they asked us I said no I I like the idea please help me to 16:52 to talk to the business in a way that we can justify this. So I think those examples are just a great way to 16:59 illustrate that a blueprint if you will uh to have those kind of conversations. Yeah. But I think it's also like we we 17:05 have to shift and I say we as an industry right like the practitioners in general like we we have to shift the 17:12 mindset of how we approach all of it. Right? The conversation I had last night um you was talking with you know a 17:19 customer and you they were talking about you know they're excited to get started on their journey things like that and 17:24 the guy was just asking me all these questions how do we do this how do we do this how do we do this and I finally had to say dude like techn is not the answer 17:30 to everything right like you know like well well and if we do this how are we going to get audit to agree to do this 17:36 and I was like you go talk to them and ask them right like well but they always do this 17:42 and they're old school and I was like then you have to go ask them and say, "Well, you did it this way before. If I 17:48 show it to you this way, well, they're never going to accept that." Then you got to go figure out and come up with a 17:53 compromise. Like, we have to get past this like techn is going to make it better. Techn is going to make it better. Techn is going to 17:59 make it better. It's not always going to make it better. And maybe there is an answer, but also the answer is going to them and saying, 18:05 "Hey, listen. I know that this is what you're used to and this is your process and this is what you want. So now let's have a 18:11 conversation and get to why is it that you want something a specific way, right? Okay. So you know that your 18:17 process is XYZ and this is what you want, right? And you're you're you're telling me to do something that I feel 18:22 is inefficient, but this is what you're saying to do. Okay. Well, I can sit here and we can we can butt heads all day 18:28 long. Or I can go we're teammates. We work with the same company at the end of the day. Like we 18:34 want the same thing. So, let me figure out why is it that you want this and then show you that hey, this is what you 18:40 want, but I'm showing you that I can get you to the same result just in a different way and it's more efficient. I was like, these are things this is 18:46 identity all day long. And that's the one thing that I think we we've lost in in the industry is that we forget that 18:53 so much part of this is you've got to get involved with the business and talk to them. And some of it needs to be changing your process, some of it needs 18:59 to be changing the technology. And one of the things that I told the customer at the end of the day is like this is how you need to measure this, right? Yeah. when you look at it, you should be 19:06 doing you should be tweaking on both sides, right? And neither shy should ever tweak too much. If you're tweaking the business process too much, you're 19:12 wrong. If you're if you're tweaking the technology too much, you're wrong. But you should never be sitting there and going, "Well, the technology should 19:19 solve everything." And you should never be saying, "Well, the business absolutely has to change." Those are, right? It should be a mixture of both, 19:25 right? And you know, for those of us who are musicians, stuff like that, or whatever, it's like when you're on a mixing board, right? You're trying to 19:31 get the perfect mix and balance. I'm gonna raise the trouble up just a little bit. Now I'm going to pull down the B. Like you're constantly trying to find 19:37 that perfect mix and blend. And I think in the industry we lost that, right? Like and and and I'm always 19:43 going to be critical of us first in the industry. This is we live and breathe this, right? It's it's our job to be in this and and helping our customers and 19:49 reminding them doesn't matter if we're on the vendor side, the practitioner side, wherever, right? Yeah. We have to do that because they look to 19:56 us to go, hey, what are these answers? Right. And it's sometimes calling them out and not telling them what they want 20:02 to hear like, "Oh, okay. We're going to do this." No, no, no, no, no. Like, hey, you got to go do some work. 20:07 So, you're going to go have to talk to the audit team. You're going to go have to talk to your application owners. And yes, you're going to have to spend some 20:13 hours. And yes, maybe our technology will there's some technology that'll make it better, make it easier. Yes, maybe a consulting company will come in 20:19 and do some work for you, but like you still have to do some work as well, right? And I think those are some of the things that we have to get back to 20:25 because I think that what we're going to see over the next really 3 years with 20:31 where we are with technology and and how the opportunity that AI presents, right? 20:36 And and I and I want to be very clear when I say that because it's, you know, there's all this buzz around AI and and 20:41 what it what it can be and what it can do, but it's very clear the opportunity that's presented and how it's allowing 20:47 us to change the way we operate, right? Right. And so that opportunity is going to give us this ability to completely 20:54 change the way a lot of people work and and and how we address a lot of these problems. And that's not something that 21:00 we can ignore, right? Absolutely. And so I think leaning into that and giving our customers the ability to go like there's 21:06 things that there's ways that you can address problems that you just you couldn't even imagine doing before. 21:12 Yes. Right. Yes. So, couple of thoughts, David, that come to mind. And you brought up some excellent points. And by the way, my 21:18 daughters are in orchestra. So, your music and how you play together. We got to talk more about music in this 21:25 episode. Yes. Yes. They're they're violinists. And uh so, so to your point like how the 21:31 orchestra comes together is so important. Um and as I think about your your point 21:36 around engaging the business, we often in cyber get into our technical jargon. 21:42 Yep. We talk about killchain indicators of compromise and we lose business at that point when we start using that 21:48 language very much. What we need to really focus on is talking in business terms. What is the 21:54 business impact? What is the business risk tolerance? Because we have to partner with the business to design the 22:01 right process. To your point, we have to design the right endstate process. And with AI, we actually have an opportunity 22:08 to do that. We have an opportunity to rethink how we have historically done 22:13 things and how we should be leveraging AI in our future state process and it 22:18 should really be a a partnership with business to get the right level of 22:23 security and business should be in the discussion signing off on the risk tolerance because we are not doing 22:29 things to them we are doing it with them right so that is that is so important great point David I I think uh going back to balance uh 22:37 it's almost like we're balancing three things. The two that they brought up, which I think 100% it's solid advice, 22:44 which is the technology and the processes, right? They're fine-tuning those two things. Uh and the third one, 22:51 which is we got to talk the same language. Yes. If we're too deep into the weeds of what 22:56 identity proficiency and O 2.0, we lost the audience here. Yes. Um we we saw a 23:03 Garner how much they're pushing the idea of outcome uh driven metrics. So um 23:08 having leaders talking more on this sense of business language of hey let's talk about the 23:13 outcome. Uh let's talk more about the problem we're solving versus the tool and and balancing those three things. Do you 23:20 agree? Makes sense. Number one, I love the rule of three but also it's easy to remember and it's a process. It's the 23:26 tools but also the language we use. I think um good stuff were coming up. 23:32 Absolutely. Absolutely. And it that is the other part that we have to unlearn like you know I would love to talk about 23:38 Spiffy and Samuel and what to your point but but that's the that's where we geek 23:43 out but not with the business right so so yeah couldn't agree more Enrique 23:49 music now what's your favorite band you two 23:54 okay it's and they have stayed a band together and I think that the power of the team in in identity the power of the 24:01 team in cyber it is so important perseverance. I I I can think of a few identity vendors that they just 24:08 persevered and perhaps they they thrived because of that. I can like Purge, 24:13 another band like that. So, of all the grunge bands, is Pur Jam the best band of that era? I don't think they were, 24:20 but uh they just stay longer. Yeah. Are they still the same band? I don't I don't I don't I think they changed drummers, but most 24:27 drummers Yeah. Yeah. Eddie Was it Eddie Veter? Is that the Eddie Veter is the singer? Okay. See, I know a little bit. I don't know a 24:34 whole lot. I don't understand. It's not my genre. R&B, not my thing. So, I know 24:39 I'm learning classical music. I mean, I'm I'm I am developing a big bigger appreciation for classical music now 24:46 because the girls are playing violin. So, yeah. How many How many girls you have? Two. Two daughters. Yeah. 24:51 Both play violin. 13 and 11. Yeah. They're both in the orchestra. Yeah. That's awesome. So, that's it's uh I enjoy watching them 24:57 and hearing them. Yeah. Is it So, is you're playing with them? No, not yet. 25:03 No, that was it's a it's a tough instrument to learn. That's what that's what I've realized. Like it takes a lot of practice. 25:08 Yeah, there's no frets. It's it's it's No, I I really admire. Wait, is technically right, there's a 25:15 fret on a violin, isn't it? No, no, it's fretless. Oh, is it is fretless? Okay. So, you got 25:21 takes a lot of practice. Okay. That's what I'm learning. Yeah. But yeah, longevity of what we do in 25:27 identity too and and in cyber security companies they say no we know who we are. How many times at Garner I spoke 25:34 with with startups and vendors and they say tell me who you are and and not all of them they have that answer tip of the 25:41 tongue it's no we do this AI so and we start with that question AI and and in 25:47 this conference here uh yes I think it's changed the way we work it's changing the way we'll protect it's changed the 25:54 way attacks are being uh constructed as well um however 26:00 too many noise isn't it Ian and and And um how do we even come out with perhaps 26:07 recommendations or suggestions to filter out the noise from the the good stuff? 26:13 Yeah. So what do you think Enrique couple of thoughts and going back to the uh the three points three S's. So I have 26:20 started using that in my client discussions. Design for speed, design for scale and 26:26 design smarter systems. Speed scale scale smart. So 26:32 going back to the days of human identity and smaller population, now we're dealing with a higher volume of 26:38 identities. So the need for scale is so important. The human ids, non-humi human ids, I 26:46 talked about speed, the what is the way zero day exploits were um uh were 26:52 leveraged in attacks. The time to exploit is shrinking rapidly. So that 26:58 speed is so important like as we design systems as we think about identity for the future we need to design for uh 27:06 speed which is you know fundamental. We need to make our systems more intelligent. So for me again the fact 27:12 that we have started building more intelligence and more AI into our 27:17 identity systems is very exciting and for me that is where the innovation is going to happen like a lot of good 27:23 innovation and most of the uh most of our some of our alliance partners who are thinking along those lines who are 27:29 embedding speed scale intelligence into their innovation journey are absolutely 27:35 going to be the winners at this point. That's that's very good because I think everybody a little bit afraid of bubble 27:41 scenarios. Uh we saw the bubble of web. Yeah. And um because there was a lot of good 27:47 stuff happening at that point and a lot of garbage, right? So I I can imagine with with AI a lot of real good revolutionary 27:54 innovative stuff and a lot of man you're just doing you don't you don't know what you're doing. It's a bunch of people in 27:59 Brazil typing things and selling that as AI and and we we saw examples real 28:05 companies now our AI was a bunch of guys like just typing in the back back end right so um I think a lot of leaders are 28:12 a little bit okay I know I need to be fast but I'm I'm I'm super cautious about 28:18 making the wrong wrong call here yeah and I mean some of us have been in the identity space for several years now 28:25 or decades I should say and if you think it's just years. Thank you. 28:31 And way back when we started talking about access uh certification socks 28:36 compliance, we enabled more rubber stamping that was 2000 that that wasn't real security in my 28:43 mind. So the fact that we are really talking about identity security now for me that couldn't be more exciting 28:49 because I'm so I get excited talking about building a secure and more trusted working world. So for me, identity 28:56 security is here to help us get there. Yeah. Do you remember what what Sachin said about about the certification campaigns? 29:02 I think man, this is brilliant. And and not because our CEO, but he said 29:07 something about certification campaigns. So if you're running a certification campaign and you're removing 5% 2% of 29:14 entitlements, you're doing compliance. Yes. Now, if you're doing this and now you have recommendation, you're removing 60% 29:21 7% of entitlements, you're doing security. Yes. Wow, this absolutely it's kind of brilliant. 29:26 Zero standing privileges, just in time access, shrinking the tax interface. Yeah, so important to 29:34 I I'm on the other I don't I don't believe in access reviews at all, but that's that's a different conversation. So, I I 29:41 will say this. I agree with you. I'm I'm I like where we're going from just the 29:47 identity security standpoint of it, right? I want to see identity get to the point where we're less about the 29:53 compliance aspect of it and the administrative aspect of it and more about looking at identity from a true 30:00 like risk perspective like here's all this access here all these things what does it mean right what does it mean for 30:06 this account and these access and these privileges within my organization right 30:11 David has access to these cloud accounts this these privileges so what does that mean right cool David accesses this 35 30:19 times a day. Is that good? Is that bad? Right, he has access to this much data. Like to start 30:24 having these kind of intelligent conversations around like the type of risk that this brings to the the 30:29 organization. So, um this has been awesome. We're going to we're going to wrap up with a with a couple of things. I want to get back to 30:35 IVIP because this came up at dinner last night and we could not figure out like so somebody went to the session was like, "Yeah, they came up with this new 30:41 acronym, a gardener IBIT." We made the Jeff G because all gardener analysts get their bonuses based on if they come up with an acronym and it's sticks. Uh but 30:48 like I don't what does it stand for? What is it? Cuz I remember we talked about it at SERS. What is it? IVIP is 30:54 identity visibility and intelligence platforms. Okay. All right. That's and uh and it's a hoax. Uh analysts 31:02 don't get paid by the acronym. I can attest. 31:07 Um but I I I did call one of my old good friends a gardener and say hey what is 31:12 this about? So I I did ask them and u what was interesting I didn't see from that angle uh because we talk about ISPM 31:19 as well identity security posture management and so my question was more about what's the interaction or the 31:25 intersection of both and the way they describe no visibility it crosses security 31:31 there are things we can do for example with IV which includes for example uh license management 31:36 so are you overusing licenses are they so that has nothing to do with security 31:42 so Okay, I can see that. And then as as a as a reporting dashboard of visibility, it it includes other things 31:48 that are not security. While security posture management, it's mostly focused on uh reducing attack surface and um 31:56 improving your posture, right? So security. So I think I I was satisfied 32:02 for now, but I I say I want to go deeper and maybe another episode on this 32:08 because I could see that kind of going back to like the enablement discussion, right? like I just think in general right and and 32:14 we'll kind of close with this right going back to making an enabler right I think we have to kind of retrain 32:21 how we how as again when I say we us as a practitioners how we see ourselves in 32:26 the business and get out of us putting ourselves in that hole of like we just 32:31 do this right and nerding out on our little technical things and when we come to the table being able 32:37 to do things and asking those questions around hey like as a business what you know what drives you every day like 32:43 what's your P&L right talking to them in their language and so things like like license management or things like that 32:49 or whatever like realizing that we've got to be able to understand what we can bring to the table and that can help 32:56 them succeed at what they do and I I think AI is going to help with that because instead of being threatened by 33:02 like hey now AI allows even a business to come up with apps and things like that I think what it will do will be 33:08 interesting is that now it can kind of be that translator for us where a lot of us we sit there in our technical like we 33:14 want to talk all spiffy all this stuff whatever well they don't know that but now they can just say you know what I want I want an app and here's the things 33:19 I want to do and then AI can just kind of make it and then we can go oh that's what you want well okay to do that you really need this is whatever and don't 33:25 deploy that app yet cuz a whole bunch of stuff we need on the back side but now all of a sudden right like cool we can 33:30 make this happen for you let's do some stuff over here that we need to do don't worry about it we're going to make it a little bit more secure add some here but 33:36 now we know what you want business and we can help you get there faster more securely, right? And now it's, you know, 33:43 there's this there's this kind of real conversation happening where we know what it is you're wanting and 33:48 now we just kind of have this translation layer, right? I I don't know. I just I I feel like we can kind of get closer to that where 33:54 it's like now we're truly helping and working with the business and like I think AI can help us get there. Absolutely. And and David, one other 34:00 point I will highlight because this is how I make friends in the business. AI can actually help me bend the cost curve 34:07 for doing identity and cyber. So it can absolutely help me from an affordability standpoint. Our businesses have an big 34:14 agenda to build more affordable and affordability is a big priority for our uh clients and using AI we can 34:21 absolutely bend the cost curve. Um so I talk a lot uh you know to my clients and 34:26 CISOs and cyber leaders and identity leaders and we need to hold ourselves accountable. We need to be given what is 34:33 happening around us and this is back to my three A's. Yeah. uh accountable, 34:39 adaptable uh and agile. So agility, adaptability, 34:45 and accountability. We need to hold each other accountable. Awesome. Yeah. I'll use that to make more friends. 34:51 Yes. No, it it's been great. Thank you for coming. Thank you for sharing this 34:57 with us. I I I I love the conclusion we got here together of the product 35:02 process, the language. Uh and uh very grateful. I think the audience would appreciate that as well. 35:08 Thank you for having me. This is awesome. Pleasure. Appreciate it coming through, man. Thank you. 35:17 All right, that was good. Hey, that was really good, man. Man, I Roy Uno. 35:22 Two violinist. It's pretty awesome. Without frets. Without fret. I see. I 35:28 Here's why I thought they had frets. Because of the strings. Like I just assumed like there would be frets there. What? 35:33 No. super difficult as identity inside what people like to say it's difficult. I had a surprise for you though. 35:40 I started I picked up acoustic guitar. Good for you. Yeah. Yeah. Technically, I've I've I've been playing 35:45 for a while. Yeah. Um it I I'll I'll tell you off off camera. It's a long story, but I started playing again. 35:51 Yeah. You know, working on my got to build up my calluses again, you know. So, well, I'm I'm holding myself back here not to jump into advice mode. And 35:58 speaking of good advice, what what Ayan said on on the the three 36:04 things, well, I think we came on that conclusion of the balance. Yeah. Right. The balance and I I like your analogy. 36:11 Well, I'm an analogy guy, but the how you're mixing things up. So, it's a good level uh of product uh the process, the 36:19 language. Um and and that was something that uh I was always 36:25 very self-conscious about. Yeah. Even in the natural sense of language 36:31 like the Portuguese and English being a second language and how AI can help me if I go Gemini polish this 36:40 in a way that my colleagues uh would uh clearly understand. Yeah. Uh what you 36:45 said about that too in in the language side of AI could help us in identity to rewrite 36:53 and polish this the way the business can understand. I was thinking about that. I think it's going to be huge. Right. 36:58 And I like his um I like the three S's, right? That too. Yeah. So it was the uh see if I remember 37:03 them. It was the speed, scale, and smart. And smart, right? 37:09 Yes. Always got to keep it simple, man. Three. It's easy to remember. Uh, and 37:14 uh, no, it was a very good entertaining, but also I learned a lot. Always learn. Did you learn? 37:20 Always learn a lot, man. I'm always learning. We do. And it's hard not to. We got the great guest, man. It's always 37:26 the guest. It's never me. So, let's do it. Let's do it, buddy.