The Identity Industry Has a Problem (Reflections from Identiverse)
Identity and access management (IAM) has a problem. Something that I don't really see covered. It has very little to do with technology, standards, processes, and even budgets.
I find myself in the sweltering Washington, DC heat and humidity at the identity-focused Identiverse conference. I see a lot of familiar faces that make the routine identity conference circuit. The vast majority of us have been in the IAM space for years. We have been fighting IAM battles for 5, 10, 15 years and some even longer. Everyone I talk to here just sort of fell into identity (just like me - I started in a help desk and did automated lighting control support of all things) and it turned into a career for us.
So, what's the problem?
There is a distinct lack of younger IAM professionals attending these conferences. I am sure there are younger folks out there, but if identity is going to continue to evolve and improve, it needs fresh blood. It needs new ideas that solve the challenges that our younger folks are experiencing. I'm in my 40's as my wife, dogs, and back remind me. I've traded spraining an ankle rollerblading at midnight for a neck ache because I sneezed too hard. At some point, we need that fresh infusion of talent to keep the identity industry moving forward. I see a wave of others in their 40's and 50's, which seem to make up the vast majority of IAM professionals, retiring at some point. The beacons of Gondor need to stay lit!
I looked for identity focused college programs and the focus is on cybersecurity as a whole. Sure, identity security falls under that umbrella, but there is so much more to identity management beyond the security focus. There is the business analysis, reporting and analytics, cost justifications, audit and compliance fronts, user interface design, marketing, relationship development and management, and more. I think part of the problem is because identity management, while fundamental, isn't really a sexy part of cybersecurity. When you watch a movie, the hacker is some young wizard who is using a command line to break into the vault. That looks fun. Maybe complicated for the average person, but still fun and interesting. In the real world, if the identity team is doing their job, you don't notice us. We fly under the radar unless there is a problem.
Where are the young wizards creating the next generation of user interfaces so that IAM products aren't terrible to use? Will there be an expectation of asking Siri/Alexa/Google/Cortana for access to something? Does that then turn into Siri/Alexa/Google/Cortana asking the approver if that is ok? I bet the CISO's reading this are giving me a very hard stare right now. We have to ask ourselves, what is the future of IAM UI and who better to help design it than the people that will actually be using it.
Where is the young wizard contemplating a world where active directory is no longer the industry default corporate authentication system? Can you imagine asking your CIO or CISO if to look at using a phone number or Snap Chat as an identity provider to authenticate to a corporate file share? It's a ridiculous thought… but is it? The younger generations expect things to just work and expect to bring their own identity to the party.
What happens when these folks start to become the data owners who are responsible for making sure the access certification is done? Are they going to look at the current crop of compliance interfaces/spreadsheets, say WTF, and then just click approve all (which people absolutely do today)?
I don't have answers for any of this. I know organizations like IDPro.org are contemplating a certification process for identity professionals. I talked to some folks at the conference that offer an intern-like experience for college students to learn their identity business. Both are good ideas, I think, but more could be done.
Or maybe I am crazy, and we will just let the AI handle all of this in the future while we enjoy our flying cars.