[podcast] Getting into the Sexy World of IAM
Both Jeff and Jim have over a decade of experience in the Identity & Access Management space and guide companies on their IAM Program journey through Identropy's Advisory Services arm.
On this episode # 2 and with Jim on vacation this week, Jeff has called up Fletcher Edington as a pinch hitter. Fletcher talks about his path from college intern to IAM implementation engineer to IAM sales. They also talk about how to get young talent into the IAM space to solve the UI and design challenges of the future.
We hope you enjoy this episode and please subscribe to the podcast for updates on new episodes!
LISTEN HERE or read the full transcript below.
*Disclaimer from Identropy: These transcripts are produced using automated tools, so may not be an exact word-for-word transcription. (i.e. - if you read something that sounds wrong, it's the tool's fault!) As always, for a better experience, please listen to the actual podcast.
Podcast #2 Full Transcript:
Identity At The Center #2: Getting into the sexy world of IAM
Jeff: Welcome to the Identity at the Center podcast episode number two on this podcast, we talk about a wide range of Identity and Access Management related topics. It might be current events, topics you see come up during our consulting engagements or other items that we think you might find interesting if there's a particular topic you'd like us to talk about or just have general feedback or question. You can always e-mail us at questions at identity at the center.com. Hi, my name is Jeff Steadman. I'm a strategic advisor with an enterprise advisory practice. Jimmy McDonald was on a well-deserved vacation. So we've called up a pinch hitter. With me today is Fletcher Edington. Fletcher, won't you introduce yourself?
Fletcher: Hey, Jeff thanks so. My name is Fletcher Edington. I'm an account executive with Identropy in Austin, Texas.
And I've been in the IAM space about seven years now.
Jeff: Great so last week we were talking about how people get into Identity Access Management. And I kind of mentioned that I didn't really know too many people really any at all who started there. They were kind of other roles and just kind of moved into that position. You've been with Identropy for a while. Can you talk a little about how you got into the IAM space, maybe start with, you know, from schooling, you know, if any, and then into, you know, how you got into where you are today?
Fletcher: Sure. It was. So it's kind of a random series of events.
So I was at U.T. Austin here in the computer science school and I actually did take a few cyber security classes that related to identity and my senior year, but I didn't directly relate it to identity. at that time, I think cyber security was as that was about all I knew about the industry. So I had some basic idea and I knew I wanted to stay in the kind of software security field going out to college, but I didn't really know how to get into it. So I looked at a couple of options for IBM or Oracle or some internship that I had that I got turned down for. That we won't talk about. And then, I mean, honestly, what it came down to is between my junior and senior year, I needed a job, it was the summer I was running out of food money. And at the time, I was working two part time jobs, one in South Boston and one in north Boston. So every other day I was driving like 20 miles either way and my broke up truck to try and make that try to make some money until eventually I saw the Identropy internship pop up and it was like five minutes for my apartment.
So it was kind of just an amazing coincidence that this job that's, like been a big part of my life for the past seven years was really just because I had somewhere closer to go for work. So I got into the gutter, think IAM space kind of, borderline out of desperation, trying get some food money. But then by the time I got in there, it turned out to be an amazing spot. So, I honestly didn't know what Identropy did for about six months. It took me a while to figure out exactly what Identity and Access Management was. I heard in the last podcast, there's not like a training manual. There's not really an introductory Identity Management course. So learning about it was a lot of on the job. It was a lot of talking with customers and with people at the organization and partners and just trying to figure out like how does how does all this come together? So after about a year of internship from one summer to the next, when I graduated, I got hired on full time as an implementation engineer. And that was the only way that you knew people were getting into industry at that point is somebody just saying, “all right, yeah, let's take a chance on this guy”.
Let's see if we can if we can train him to be a consultant or not. So by coincidence, I and a few other folks for my graduating class ended up at Identropy and at SailPoint, a few at OCTA. So there were some people in the space kind of disconnected and we eventually linked up later on and figured out that we were all in the IAM space. But, it was a lot by accident. So I did implementations for a while directly for customers and then eventually I rolled onto the sales team where I. This is my current role here. And so I got kind of a broader view of the industry. But it's just kind of a lucky series of events that I ended up with Identropy close to my apartment and then ended up liking the people that I worked with a lot. And then by the time I got around to, wrap my head around the industry; I realized how interesting and fun it was. So that was kind of my long path to get over here long and winding road.
Jeff: So what were you actually studying when you were in school?
What did you want to be when you grew up?
Fletcher: At one point I think I wanted to fly fighter jets. I think I wanted to be a like a Navy or an Air Force pilot.
Jeff: To be in Top Gun, too.
Fletcher: Yes. I'm in Top Gun, too. I'm an extra.
I was always interested in math and science stuff. And what is really interesting about it is that, this the consulting side, the math, science, technology. That stuff's always it's really interesting. But by far the biggest skill I think that we have on our side and that and that honestly, customer’s organizations have with that is communication. That technology is always there. The things that press the buttons and move the widgets are there.
They're pretty much laid out at this point, and the biggest thing that I've seen from college, getting into the industry and then moving around to different pieces of the world, is that the communication piece is what a lot of folks are missing and what's. it kind of solves the puzzle for everyone.
Jeff: The connection part is difficult and sometimes you just kind of get that through experience. I mean, there's t obviously naturally gifted orators who can get it, etc... But you're going to be able to communicate concepts. Here's what we're trying to tell stories, make it relatable because not everyone is super deep technically.
And you don't really need to be from an IAM perspective as most of this business process. So, I mean, the communication part certainly comes along as you get experience especially as you learn more about it, you're able to talk more effectively, and if you know your subject matter.
Right, Absolutely. So when you were in school, this was I'm going to guess, what, 10 years ago roughly.
Fletcher: It was 1994.
Jeff: nineteen ninety four
Fletcher: That was about two years.
Jeff: So you mentioned you know that you were studying some security classes there. I guess what was the draw to get you into the security field to begin with?
Fletcher: The security field, I think gave me some direction with Software Management and Development and Coding.
So I was in the computer science school. So we were doing operating systems, coding and learning Java and different languages and kind of the underlying theory behind it. But it wasn't really until these cyber security classes that I saw like a direction I could go with it, you know, before that it was just OK. Do software.
Be an engineer code and that it was just at a very high level for me. So cyber security gave me some direct real world applications like protecting the bank from hackers. So that account information is not greater, protecting the public utilities so that the energy for Cincinnati isn't taken down. Stuff like that.
So it just gave me a lot more clarity on how this stuff affected the real world and like how that was gonna end up playing out in real time.
Jeff: So you went from imitation engineer and now you've moved over to the sales side. How did that come about? And I can talk a little about that.
Fletcher: Sure. Yes.
That's was a little more purposeful than my initial entry into Identity Management. So like I said, initially, I had no idea what I was going to dive in like the people. And the work was interesting enough to kind of keep me around. And then after a couple of years of doing development and kind of understanding that we're a little better, I got to a point where the technical implementations, while really rewarding and like you go in everyday and you get something done, you can say, OK, yes, I know I did the three use cases. This is great. I wanted to get a little broader understanding of the world. I wanted to see why is the engineering work? I'm doing important to the customer. Why does my architect in my project manager and the sales guy and the director on both sides like why is why does all this matter? And the sales team at Identropy here is a small organization it's a great way to see kind of all pieces. I'm talking to the engineering team. I'm talking to the advisory team. I'm talking to finance and partner management. And externally, I'm talking to vendors and partners and analysts. And it just got to I knew I wanted to get a little deeper into the game. And it seemed like the best way to do it from where I was at with engineering. So I basically just went to the management here at Identropy, Vic and Jeff and Lewis at the time and talked about transitioning to sales. And luckily, Louis saw me and I just happened to join about the same time I was getting into this. And he created kind of entry point of the sales team for.
So it was a couple of months of transitioning for, you know, especially doing engineering and sales work for a while. And then eventually it became more and more sales until I was just fully transitioned over. And now I don't ever need to do engineering again.
Jeff: You sound a little bit happy about that. What was the hardest part about that?
About that move over from going from an implementation site into the sale site and looking to kind of grow your overall knowledge?
Fletcher: I think the transitioning from engineering itself, like as an actor wasn't hard.
And it actually having been in the world for a little while to do implementations and understand some of technology, I think it gives you a good sense of like what are you actually selling? Like when I tell a customer, OK, we're here's the couple of use cases, this product solves it. Here's kind of roughly how it how it goes. I actually have done that before. So I kind of have at least have an idea of what I'm what I'm talking through. The toughest transition was that Identity Management as a business problem, as a communication point for organization is a really big challenge. So I think the biggest thing I had to wrap my head around was that I'm talking to a representative from a customer organization and they're going back to talk to their team and their management and their finance and try to organize this giant project. And, you know, the best we can do as a sales team and as an organization that works with customers that well is to try and simplify that process. And that took a while for me to wrap my head around that. This is such a complex problems that the communication was going to be a big deal between their team and my team at the different organizations that might be involved there.
Jeff: I can certainly see that the folks that are reaching out to you, what are some of the challenges that they're bringing to you directly saying, here's this problem I have. is it? Is it mostly around, you know, identity and automation? Is it single sign on multifactor?
Fletcher: What are you mostly seeing out there?
For the most part right now. You know, as a use case, I think it is in general automation.
whether it's M.F.A. or whether it's provisioning, whatever it is, there is some process that's either behind the times or that's never been actually automated. And now they're looking to modernize or to augment the program. And I think the differences between I think there's differences in levels here at what customers asked for. There's a technical level, there's a financial level, there's a business process level. And for the most part, the conversations I'm having tend to be kind of that. Like, what business problem are we solving here? Is it an audit finding? Is it we're going through a merger? there are different levels of it.
And I think what it really comes down to for us is like risk mitigation, that customers come to us with a problem and the technology is all there. If you want Identity Governance, if you want Access Management, if you want a Cas-b solution, like all these technologies are pretty mature. And for the most part, you can kind of make the technology do what you needed to do to solve your challenge. But the real question they're having is I'm about to do this. It's going to cost a lot of money, take a lot of time and a lot of our resources. Is this going to work? and so the best thing that we do as an organization, I think is kind of talked them through like, OK, here's our experience over 10, 15, 20 years for some folks on the team. Here's what we've seen in the field. And here is the safest way for you to do this and achieve your goals. So I know I think that the big thing customers bring to us at a really high level is not necessarily fear of failure, but just a constant worry of like, look, I've got four million things on my I.T. security plate and I can't have this go poorly. This is way too important for this to go bad. So that's a risk mitigation support force.
Jeff: And that validation or either direction.
And we see that a lot of the advisory side. Are we making the right decision? What should we do? It's funny you mentioned doing other challenges. Sometimes the challenges that are kind of initially presented are really kind of masking other problems beneath the business process or just organizational kind of, let's say, culture. Maybe he isn't. Is there a need to be for change those sorts of things? I mean, on that kind of stuff comes up. But it's interesting to hear you talk about that from your side where it kind of initially, you know, things are going to pose to you and we kind of have to spread out. Right, what's the real issue here? We're trying to solve.
And you talk about budgets; right IAM is expensive, just like any other type of technology and the security side of things. It's requires it. I think that's one. The challenges that I see quite a bit is OK. Now he's got this plan. How do we pay for it? Yeah, I mean, it's expensive. And unless there's truly a desire to move forward, sometimes you can have a great plan and just kind of sits on the shelf, which sucks right now if you spend all this time to kind of pull together and then, you know, it's a year later, it's like. So how are we doing? Yeah, we did well.
Fletcher: We haven't done anything yet.
Jeff: So, you know, trying to make sure that you've got the budget out front certainly helps. But there's ways around that too. You don't really eat the elephant all at once.
Fletcher: Yes, absolutely.
Jeff: And so, you know, let's start small and try to build out what are the key things to kind of get done first. And let's figure out what's a must have versus a nice to have and try to build about something that makes sense that way.
Fletcher: Luckily, at this point, the technology's also gotten modular enough where you don't have to say, OK, we're gonna implement all of our data use cases because this one solution, you have to either turn the switch on to turn to switch off. You can there's a bunch of different buttons you can press now to say, OK, we're gonna fix password management over the next few months, then we're going to fix provisioning, then we're gonna fix single sign on. So, you can you can kind of break off the different pieces as opposed to saying, OK, we're going to go away for three years. And when we come back, we're gonna have a full I AM program. So you know that incremental progress over delayed perfection is a big deal.
Jeff: That's a good point, because it used to be you know, there were only a handful of technologies out there. It was Oracle, it was IBM. It was C.A. And now you've got the next generation, we'll call it the current generation of IAM tools, things like SailPoint, CDM and Identity when I do any those types of things that are out there. And they certainly took a different approach, which I think really helped the industry grow and move forward by taking that modular approach. There is a little of a challenge that I see now is there's it's almost sometimes too modular. There's so many different ways and trying to get all of these things to play together correctly in the way that they should. Can sometimes be a challenge. There's been some work around that, though. Know there is there's different alliances between the different vendors and begins and, all this other stuff. But I think overall of the modularity has gotten a lot better where. you can turn on a let's just do active directory automated provisioning from Workday. And that's simple enough typically to configure in a matter of weeks, technically.
It's all the stuff that goes around it that takes us inside the organization. It's change management. It's testing. when I was on the customer side and just being transparent, I used to be a customer by that tree when I was running IAM operations. I was feeling a lot of pain from a bottleneck on the inside because, you know, the contractor is getting everything done and we're working to kind of test things. But then when you get bottlenecks, because the internal team just couldn't keep up with, making sure that testing was done correctly, that architecture boards were satisfied, that software review boards were satisfied .Change management windows all that stuff. So, you know, the technical component is certainly a lot quicker than it used to be, but the stuff around it really hasn't changed too much, at least from an organization standpoint. Some are better than others. Something really slowly, some move relatively quickly. But I think overall that's that process is pretty much stayed the same.
Fletcher: Taking a cue from the name of the podcast here Identity at the center. I think you're right.
The current and next gen wave of identity solutions is about tying every. Together in your I.T. program with Identity, you know, it's where this Identity going, what device is this identity using? Which application are you logging into? You know, there's a bunch different of questions. It all relates back to identity. And on the technology side, most of those challenges have been, you know, I don't want to say like a hundred percent solve, but for the most part, like if you're a business and you want to buy a solution to fix that Identity problem, there's probably a solution out there for you. So at this point, technology's not really the problem. But you're right. Like the organizational challenge of saying, OK, we're going to buy a SailPoint, we're going to buy Ping, we're going to buy Exabeam, and then we're going to happen in I.T. security program. I think people underestimate the organizational challenge to first just acquire those softwares and really understand what it's going to do for your program. And then the big problem we've seen is that customers will buy these softwares.
They'll have their entire stake stood up, but then they don't talk together, it's you lose the entire focus of Identity Centric Security. If you have these multiple great solutions and they're siloed and the technologies don't integrate and the teams that run them don't even know each other's names. So, we see time, we see organizations all the time have breaches or problems occur where the Identity Governance tool probably could have deeper vision. The access and the behavioral ethics tool probably could have detected the anomalous behavior early. But because these things weren't integrated that you’re losing the value of it. So and that's not that's not a technology problem. You're right. That is an organizational challenge from top down and bottom up to say, OK, the I.T. security director knows who the access management manager is. And the engineers are all gonna be able to communicate together to successfully triage and figure out what these problems come from. And that hopefully cut out problems as early as possible.
Jeff: There’s so much data hiding within even just your basic you know, IAM system that sometimes just never sees the light of day.
Fletcher: Or is this in context from other system? You know, there may be data that you have there that if you had it plugged into your SIM tool, it would have detected OK, based on these other logs, here the contextualized problem you have.
Jeff: And it’s a challenge because you have to walk before you can run and somebody's got to crawl before you can even walk.
Jeff:You know, a lot of the companies that I see that my consulting agents they're still using paper and some faxes to get stuff done. You can certainly add intelligence to it, but that's typically something that, you know, we've got to kind of work on down the road. But it basically requires an investment, right? It's a program, not a project. So you start with the basics, then you start adding on. You start to try to figure out how to get more value out of it. You pull your metrics out, you do your reporting, you find your orphan accounts, and you find where your risk is great tools Exabeam, one of them. I know that we have a lot of experience at that one. And that's something that really interests me. Is that the analytic side of things to try and detect issues before they become a problem? that's why things that I know that organizations I've worked for in the past have struggled with. Right, there’re never enough people on your security operations team to try and find these needles in haystacks.
And sometimes you don't really know what you're looking for anyway, or how much you have an Identity background. So if when there are tools out there those kinds of help pull that forward, I think that's a win for everybody. But it’s an investment, right? You've got not only just the technology, but in making that integration happens between your different systems, getting all of your applications on board to be part of part of the program, and you have to work towards getting more value out of out of all the tools is certainly a challenge.
Fletcher: Right. Right.
What's your experience? Like with these with programs that are doing this? Well, you know, do you do you see a lot of customers moving this direction? Do you see people struggle with this concept?
Like what's your experience on the advisory side of talking to folks about this Identity Centric kind of vision?
Jeff: Yes, I'm going to caveat it because you typically don't call advisory unless you have problems.
Right, so my view on advisory sites is skewed.
Fletcher: Yes, I talked was on fire.
Jeff: Let's get things fixed. Yes. But there are so many organizations that I think have invested the time and it was not an overnight success. I'll bring up Capital One, actually. There's something that we worked with in the past. They recently gave a talk at the identifiers conference and now they start to open up their Identity proofing technology to other areas. This is a bank who has invested in IAM for a good reason, right. I mean, we're talking about money. They've got to make sure that the right person has the right access for sure. But they've gone a step further than I think than other folks in the finance industry and actually opening up the technology that they use to move forward with that Identity proofing and offering it to other folks as well, which it's interesting if you think about it.
It's here's a bank who's doing IAM work, so they had to start somewhere, they've got good internal processes around it and a really talented team there. But that's not something you see every day. There’s obviously the big organizations like Google and Microsoft and Apple who have all taken strides, especially on the open a D-front or being able to log in through Samwell, you know, those sorts of things and kind of having your social identity be your authentication, which is overall a net win, especially on the consumer side, less accounts to manage. Now you can kind of make one account super strong and make it easier to manage for yourself individually. But I think the trend is a lot of people want to do it. They see the value in it, but they struggle with connecting year one, maybe the program with year three or four.
Fletcher: Ping security is like being an umpire. The best umpires are the ones you never hear about because there's never any problems. So it's right. It's tough to get funding for something that you're never gonna hear from me. You won't ever talk to me again.
And we'll have the most secure program on earth. How do you get budget for that?
Jeff: Exactly. In the meantime, you know, I.T. or security is having a staff up, dozens of people to kind of make things look like their work pay no attention to the man behind the curtain.
Fletcher: It’s hardware and security.
Jeff: So, that's certainly a challenge. I want to bring it back to the roots. How do we get younger talent into the IAM fields directly? It doesn't strike me as a as a super sexy part of security, although I would argue, it's fundamental part of it, most of the breaches that you see starting with identity at some point. So I guess what's the approach that you think would be helpful to reach out to the younger folks who are in school thinking about it and kind of pull them forward? Because I really think that we need that younger talent to come into the IAM field and help drive the future of IAM. What is the next interface like? Is Alexa or Siri or Google or Cortana gonna be handling IAM functions in the future? What does the interface look like? Humorous- expecting different experiences now that maybe you in five or 10 years ago.
Fletcher: Absolutely. And I think even when I got in the industry in 2012, 2013, IAM as a specific industry hasn't really been around that long as a pure focus.
So I think it's still kind of developing and it's still small enough where, you know, most of the people in the space, most of the you know, you go to the conference, you go to five conferences in a year, you'll see that, you know, 80 percent of the same vendors, everyone, you get to know everyone and kind of see everything. Whereas, you go to something like A W.S. conference or like a Microsoft conference. There are four million people there. There is so many different pieces of the other, you know, other I.T. security and larger software.
But I am specifically as such a niche industry that it's been a little tough, I think, to build a recruiting strategy when you're just trying to, like, flesh out your business here, as different organizations and as something, Identropy, if it struggles with. But just by the nature of our business, we're a remote company. So organizations that have folks working outside of the headquarters or in different locations, it's a kind of tough to on board a lot of cultural or a lot of culture to do when you're saying like, okay, Skype in from your from your Seattle office to our Missouri office, that's the all hands meeting. So it's kind of different world that we live in now than maybe, you know, five, 10, fifteen years ago when you kind of had to be near your people physically and was a little easier to say, okay, well, if we have 10 people here now, let's just go recruit at the local college and hire a couple of interns and know build up, build the team here. So, the distributed nature of our work makes it a little tougher to on-board people. But, you brought up an interesting point about the next wave of IAM technologies and integration with A.I. and voice based controls and things like that and social media loggings. I think there's an opportunity for the younger generation coming out of college and with earlier experiences here to start to do some really creative things.
I think because the industry as a whole is still kind of fleshing out here, a lot of it has been kind of kind of utilitarian. It's been like, OK, we need an IAM technology to fix this business problem. And it hasn't really gotten to that, like, iPhone iPad where it's like, OK. Now we have phones. What's some cool stuff we could do with this tech? So we haven't really started fleshing out to do fun, interesting things necessarily. I know there are there are some cool projects out there, but, I don't think there's been like a like a Steve Jobs press conference. The speaker is the future of fun. IAM technology so there can be some opportunities. But I think the big deal is that the folks that have been here a while, the folks that are in the industry, I think we've got to do a better job creating an atmosphere where the younger generation wants to work, that goes for people just outside of the mainstream, women, minorities, getting other people in the industry.
I think it's about creating a more inclusive, open environment that kind of fosters that creativity and discussion based stuff. So I think we're heading more there. And I think a lot of people talk about wanting to do it and, trying to figure out different ways. And so I think we're probably on the cusp of some cool programs coming out from, some larger vendors and some smaller players like us. I know that in the past couple of months we've hired a few younger engineers and tried to get them on boarded to start doing IAM work. It's just I think talking a lot with them about what interests you and what, what's a good place for you to work and what do you guys want out of this and trying to build a program around that. I think we have a tendency to kind of look at the problem from our point of view of like, oh, we don't have enough young people in industry. What do we do about this? Instead of going to talk to young people and asking them, like, what? What would make you want to work here? So I think there's a collaboration aspect that would that would help the most conversations.
Jeff: that makes sense. And I think it's an issue point you bring up around the remoteness of the company. In the Austin area. And there we have an office there and you do have congregation, folks who come in and so forth. I'm in Chicago where I'm by myself, which I like, that's great for me. I’ve plenty of congregation here at work over the years. And now I'm enjoying work from home. But that might not be something that appeals to folks. They want to have more of a social experience, especially when you're younger side and you're looking at your needs, more mentors and stuff like that to kind of help move you forward and figure out what the next steps are going to be for you. The thing that I think interest me the most is where is UI designs go next? I mean, if you think about it, 15 years ago, IBM, Oracle, that you guys were not great. They were utilitarian. They were basically a spreadsheet. Was it pretty much it you know, you've seen definitely big strides by SaiPoint in that regards and sort of the current generation.
I see what saving is doing today. And I really like what they have from a UI perspective. I just wonder what's next. What's the next UI look like? And I think that's where the design aspect of IAM sometimes gets lost is it can be just as much of a product as anything else. If you can make it super easy to use, people want to use it. let's get some of that fresh blood into figure out, does this make sense? How do we make it just work? Just kind of like the Apple model. And then kind of move, things forward on that front. The technology is the technology behind the scenes, but. It's like you said before, if it's working correctly, you really don't notice it, transparent to the user. And in the end, it's a win for everybody increases adoption, everyone becomes safer, more secure, your mitigating risk all over the place, that kind of thing.
Fletcher: you're exactly right.
Jeff:All right, I think this is probably a good spot to wrap it up for this episode, want thank you for initiating for Jim.
Yeah, I know he'll appreciate the baseball analogy since and I am not.
So with that, we'll go ahead and close out and we'll talk to you guys next time. Thanks.