Listen to Identropy's Jim McDonald and Jeff Steadman on their podcast at "Identity at the Center".

Both Jeff and Jim have over a decade of experience in the Identity & Access Management space and guide companies on their IAM Program journey through Identropy's Advisory Services arm.
 

In this episode, Jeff and Jim talk with Richard Bird, Chief Customer Information Officer at Ping Identity, about data privacy and why data privacy regulations are dead on arrival.

 

LinkedIn article by Richard: https://www.linkedin.com/pulse/data-privacy-joke-your-town-nation-richard-bird/

Brought to you by identropy.com

Want to join the conversation? Leave us a message here: anchor.fm/identity-at-the-center/message or email us at questions@identityatthecenter.com .

We hope you enjoy this episode and please subscribe to our podcast for updates on new episodes!

LISTEN HERE or read the full transcript below.

*Disclaimer from Identropy: These transcripts are produced using automated tools, so may not be an exact word-for-word transcription. (i.e. if you read something that sounds wrong, it's the tool's fault!) As always, for a better experience, please listen to the actual podcast.

Podcast #38 Full Transcript:

Identity At The Center #38 - Data Privacy Regulations are Dead On Arrival with Richard Bird

Jeff: Welcome to the Identity at the Center podcast. This is Jeff and that's Jim. Hey, Jim. How you doing?

Jim: Jeff, I'm upset. So you just gave away my PII. I don't remember agreeing to your privacy policy. We may have a legal issue.

Jeff: Well, there's nothing private anyway anymore at this point. I think with all the different restrictions that have been loosened quite a bit around the whole coronavirus thing, you're just going to have to deal with it right now.

Jim: Well, do you have any cookies? I mean, I'm not talking about computer cookies, but I would like to snack on those late in the day.

Jeff: Cookies. I'll tell you what, I will order them on Amazon. And based on Amazon's delivery times, you should see them sometime in May. So why don't we dive right into it? Because we have a guest today. He's the Chief Customer Information Officer at Ping Identity. He's also a member of the Forbes Technology Council and a board member of the Identity Defined Security Alliance. Well, I say that, right? Identity Defined Security Alliance for you. Also easy for me to say, right. He's also a fantastic bow tie connoisseur and bourbon collector. He is Richard Bird. Welcome to the show. Richard Bird, how are you?

Richard: I'm doing well. Thank you very much for having me on.

Jeff: How are you surviving the pandemic?

Richard: I'm very fortunate. I have a home bar that a couple of years ago, when I left the corporate environment, I was working remotely from home. I intentionally took a workbench from the 1890s and put wheels on it. So it was exactly at work desk height, because I've been standing up and working for about seven or eight years. And the other benefit to it is, it is also exactly the right height for a bar.

So I am surrounded every day when I get up and I'm doing all of my meetings and everything with several tens or dozens of bottles of booze. And it works out because it motivates me to drive through the end of the business day so I can host my own happy hour.

Jeff: And it's on wheels so you can move it wherever you need to.

Richard: Exactly. Adjusted for the view. Yeah. But no, I mean it's obviously been an interesting time to have to. There's a difference between working from home and having to work from home. So navigating all the challenges with. We had a remodel project that was already in flight. We live in a loft here in the city and we were already living in a small, much smaller footprint than we ever had together. And then you combine a hundred and forty pound Great Dane and a 15 year old loss of suit in a brand new cat. And about 20 different subcontractors. And it's been pretty close to chaos on a daily basis.

Jeff: I guess it is what it is, right. I mean, people kind of have to deal with it. But how has Ping been navigating some of the challenges out there? I know that there's been a lot of announcements around being able to take advantage of different technologies that vendors may have available. Have you seen or have you heard of any uptick around that from people actually taking advantage of that?

Richard: Yeah, there's definitely been, and it has been, even prior to kind of the national push for stay in place or lockdowns. We were already working with a substantial number of our customers who were recognizing that their business continuity plans had all been prepared based upon what they expected would happen, not necessarily a worst case event, like 100 percent of your workforce actually having to work from home. And because those dimensions had been somewhat under scoped, because nobody obviously could predict something of this scale, a lot of companies were quick to ask for help and support to resolve their work from home issues and the challenges they were facing. So there definitely has been a huge uptick in technologies, not just Ping Identity's, but technologies that are used to support the remote workforce. And companies have been scrambling to close those gaps as quickly as possible. So it's been really weird, actually, as I'm standing here working at this great desk. I was reminded the other day by my wife that I'm very clearly working many more hours in the last couple of weeks from home than I did in the office, because that's the level of urgency as well as the level of demand that we've been experiencing.

Jeff: Yeah. Plus, without the travel out there, I think people like Jim and myself who travel quite a bit, us being grounded, I find myself stuck in front of the computer ten, twelve, even more hours a day, some of them by choice and some of it just trying to get things going here and keep things afloat. So one of the things that I know was recently announced was the Identiverse conference, and that was going to be in Denver later this year and I was actually looking forward to getting out there. I don't really make it out to Denver very often.

So I was looking forward to that. But it's now turned into a virtual conference. Can you talk a bit about what you know and anything that you want to share with the audience?

Richard: Sure. I think that, there is a lot of disappointment as there is for all of these major events that are getting forestalled. One of my other big passions is music festivals. And everything that I bought tickets for six months ago is now not going to happen. But, same with Identiverse that.

Such a well-known outlet and avenue and pathway for the sharing of really important knowledge about identity, whether it be kind of managing your current state use cases and getting through your own transformations or kind of future state discussions. It's everybody's really disappointed with Identiverse not being able to be held.

That being said, I know that I have a really good working relationship with the folks that are coordinating Identiverse, and Ping Identity as the founding entity for it. And we're very actively involved in trying to make sure that there is a content rich online opportunity. I know that a lot of the keynotes that had been previously red lit, green lit, rather, are going to go forward. It'll be interesting. But I also think that based on what I've seen in the last couple of weeks, because a lot of people were really, really concerned these events going virtual, the participation is going to be low and so on and so forth. The reality is that everybody is at home. And many people are finding that there's a stir crazy factor that equates into our work from home scenarios. And it's really been interesting, a number of webinars and activities that I've been involved with online, we're seeing double and triple the number of people participating. So that's really my hope for Identiverse is that, first of all, everyone recognizes that it's not happening, that it is going virtual, but there's gonna be really high quality content that isn't stuff that was just kind of pulled together last minute. These are going to be the same people that were presenting onstage in Denver. And I still think there's gonna be a lot of benefit to it for the practitioner as well as for those that are curious about identity.

Jim: Right, I think one of the other great angles by having it be online virtual is people who maybe couldn't get approval to me. Just pretty spendy to travel, stay in a hotel.

Plus a conference fee. By doing it virtually, I don't know if that's been announced, whether or not there are conference fees to attend virtually, but it still would be a lot more affordable than with the travel.

Richard: The last communication that I saw was that the details were still pending in terms of how it would be structured and relative to participation. But that's definitely an ongoing conversation. I'm sure that news is going to come out pretty quickly.

Jeff: I think Identiverse is one of the best conferences of the year, especially from an identity perspective. It's really matured over the last several years. I think before it was the Ping conference and now it's Identiverse. And I think one thing that the conference does really well is really focusing on identity, obviously, but also making the content available after the fact. The Identiverse YouTube channel, for example, always gets the videos. It may not be right away and they kind of trickle out over months. But a lot of that content ends up on YouTube at some point, which is great and kind of shares with the community. And it's something that Jim and I have talked about in previous episodes of the show, about kind of which conferences we think are the best from an identity perspective, and Identiverse is the one that I would make a point to try and hit every year. This year, being virtual, I think will be interesting because you might have a captive audience. So like you said, the attendance may go up, as far as events and things like that, too. I'm supposed to be in London in June to watch the Cubs play the St. Louis Cardinals. So at this point, I'm not sure if even that's going to happen. So I think people are gonna have to be able to kind of roll with the punches and kind of figure out what that strategy is going to be and stay tuned for other similar things probably happening for other types of events.

Jim: Spring training games, Jeff.

Jeff: Yeah. They could be right. We'll see how that goes. I guess, one thing I thought was really interesting is you mentioned music festivals. A lot of stuff seems to be moving online now. I've noticed the big push with a lot of musicians doing concerts in their house or, everybody just kind of streaming it out there, which I think is pretty cool.

Richard: Yeah, I agree. I think that, I mean, sure, there certainly have been a number of articles about what this event means in terms of change for the future. But it's really clear that there are going to be new avenues and opportunities relative to how we interact with each other. I mean, we basically have taken a bunch of digital devices that were nothing more than a distraction and kept us from socializing. And now all of a sudden it's everything that we're using to socialize.

I think it has the potential of having broken or breaking the bad patterns and habits of the last several years where we took devices and isolated ourselves. I mean, I've got children literally all over the world right now as we're managing through this. And one of our children was here visiting. And one of our children actually is struggling through the realities of COVID-19 right now. And she's in quarantine. And one sister couldn't see the other sister. So they were here, FaceTiming and playing Yahtzee and Battleship together. Like there's no way prior to this event that would have ever happened. But now I think we're starting to see as a society, maybe potentially, hope springs eternal, maybe potentially a better way to use our digital assets to be engaged with each other instead of being separated from each other.

Jeff: Yeah. I'm a big fan of things like virtual reality and the connectivity. I don't think that technology might be there yet, but I think that being able to leverage these tools that we have is definitely a step in the right direction. There's probably limits and probably some things around how our data is being treated and privacy and all those other things. But yeah, being able to FaceTime, even before this, right, I'd FaceTime my wife from the hotel room when I'm on the road at night. I remember when I was, this is how old I am, I probably was like ten or eleven or twelve. And this would have been probably the mid-eighties. My dad and I had bought a video phone to be able to communicate with our grandparents. And it was this giant piece of grey telephone block that took digital still images in this grayscale color that would then transmit it over the phone lines magically right to the other unit, and you'd be able to see still pictures of each other every minute or two as the data went across the wire. And I think how far we've come now. It's amazing.

Jim: As far as sending fax images.

Jeff: It was definitely not HD, HDR, 4K, 60 frames per second, but it was ahead of its time. And my dad was always a gadget guy and I followed in his footsteps.

Jim: I think that was interesting. I think what Richard's bringing up also, though, that's so interesting as well.

I really am glad to hear him be optimistic about looking for the silver lining in all of this. I think he's right, it's easy to fixate on some of the other side issues that are going on. One of the things that, I definitely don't want to wind up spreading any disinformation, but one of the things that came across my radar was the idea of people who were quarantining potentially wearing GPS tracking to make sure they're not breaking the quarantine. And maybe that was just an idea, but imagine if this were to happen in the United States, because I feel like in the United States, we are protective of our privacy. We care a lot about our privacy as individuals. We don't want the government knowing our every movement. Yet

we probably, well, we certainly have less privacy regulation than our European brethren. And so I think it's kind of interesting that we're a society that is so independent and we feel so strongly about our privacy, yet we give up so much privacy on the Web and with our mobile phones. And we don't have kind of that piece of privacy regulation like GDPR.

So, Richard, having said all that, what are your thoughts on that?

Richard: I spend a substantial amount of my time in the privacy and security intersect space. And my observations are really spot on relative to the current state of privacy regulations in the United States. We, like I like to call it, the death of 54, death by 54 cuts, 50 states and four territories.

Each one has a different privacy law. And some of them have been amped up. We don't have a federal privacy law of any kind. And we have an interesting dynamic within the US population about our personal relationships with privacy. Right. Our personal relationship with privacy. So really great, interesting observations about kind of the current state of privacy both in the United States as well as around the world. And I spent a lot of my time working in the intersect of security with privacy, which is a relatively new notion. We'll talk about that as we go along. But in the privacy space, one of the challenges that we really struggle with in the United States is we suffer the death of 54 cuts in 50 states and four possessions. Everybody has a different privacy law. There is no national data privacy standard, although one did come out of committee in December for review and comment. And then Americans themselves have a complicated relationship with privacy. Right. So we tend to think of ourselves as very private, but that tends to be in light of our expectations around government oversight, government agencies.

We don't behave in a way that our information is private when we give away all of our information to a retailer that's going to give us 15 percent off of our next item if we give them permission to collect all this information about us.

And that complicated relationship with privacy is probably one of the bigger issues over the next several years that we're going to face here in the United States in trying to craft privacy regulations that are actually meaningful, that deliver reduced risk both to the consumer as well as to the corporation that's handling their customers' data. But our behaviors are definitely going to be a challenge and a hurdle to creating that kind of effective legislation and regulation.

Jeff: Well, I just don't know if regulations can be effective if they're not focused on the right things.

I think too often it focuses on data collection and what are you gonna do with it? And consent and all that stuff is just stuff. Right. And we're generating so much data now that how do you keep up with all that? It seems like, in my mind, it should focus more on the human right side of things instead of how are you going to manage the data that you're collecting about that human?

Richard: I'm pretty well-known, when it comes to my speaking around the world, I spend a lot of time in Australia, the UK, the EU, as well as the United States, for having a pretty, maybe a contrarian, sometimes a bit of a harsh tone relative to the reality of where we're at, and the points that you make are just spot on. Privacy regulations. Let me back up for a second. Nobody wakes up in the morning when they're a kid and goes, I want to be a regulator when I grow up. Right. Regulation is not innovation. Regulation is not moving the ball forward. Regulation is not creating better outcomes for people. All regulation that has developed over the course of kind of civilized history is a manifestation of people making laws to try and prevent something that's already happened from happening again. But it's all retroactive. Right. When you look at seat-belts, seat-belts were a massive argument in the automotive industry. They didn't even become standard equipment until seventy-one. And then all the laws that came about, you got to fasten your seat-belt. And this whole idea of, you know, making a consumer do something was met with massive resistance.

But all the actuarial information showed the reason that we needed to pass that is because fewer people would die. Fewer people will get injured. There'll be fewer overall claims and all that kind of stuff.

Retroactive. Nobody thought to put a seatbelt in a car when the first ones rolled down the streets in the early nineteen hundreds. So this notion of the retroactive nature of regulation is its Achilles heel, as you mentioned, it's weak. It will always lag behind innovation. And when we see this manifest in the privacy space, I've said it multiple times, and the position that I take is that all privacy regulations are dead on arrival. And the reason is because there is not a single privacy regulation on the planet, regardless of country, right now that requires anything relative to specificity as it relates to security. So my favorite quote in U.S. based legislation is you must keep your customers' data private and you must do so by exercising reasonable security. And I'm putting up here when I say that. Right. It's explicitly stated in the California Consumer Privacy Act, reasonable security. And I get it. I think that the entire security community should just get indignant about that. So with the California Consumer Privacy Act, we see this notion, it's explicitly stated, we expect you to exercise reasonable security, and I think that every practitioner of security on the planet should just get indignant when they see that, because to me, it's disrespectful to the practice.

It's basically saying, you really couldn't figure out what to do as a company relative to security if people hadn't put time and effort into creating standards, or there weren't quasi-governmental agencies like NIST that developed an entire cybersecurity framework, or ISO, just a bunch of engineers hanging around that might craft some direction for us.

It's like all of that is invalidated. Right. It's like none of it exists because in the law we just go and just practice reasonable security. And the problem with that notion is that reasonable security is reasonable all the way up until the time it's breached.

Right. Nobody ever gets breached and goes, you know what? We were practicing reasonable security. Like it's always after the fact. And this is what's flawed with privacy regulations, no tight coupling of privacy with security. And the way that I always like to phrase it is that you can say over and over again in regulations that your job is to protect my data because it belongs to me as a consumer, which is, parenthetically, what GDPR and CCPA and NYDFS and all of them say. But the reality is that you can protect my data all day long. But if you don't protect me, all I have to do is be you and I get your stuff. And that is the architected flaw in all privacy regulations.

Jeff: That definition of reasonable, right, varies from person to person. And if I am a legal counsel, I am open to interpret that however I think it may be interpreted, because what's reasonable for me is maybe not reasonable for you, and it leaves just too much open. And I think it also opens up another avenue where, OK, well, now we need to define what reasonable is, right. And then that becomes a regulation in another some sort of governing law that we put out there. You just end up with a whole mishmash of laws that becomes obfuscated. What are you supposed to comply with? How are you supposed to comply with it? And who does it apply to? It becomes this tangled web.

Richard: Well, it's fascinating to me because one of the biggest arguments that I get from executives, even in corporations, when I make this point about privacy regulations being DOA, is they say, well, what you really need to understand, Richard, is that it's not the job of the government to be prescriptive. I mean, if they're prescriptive, that's going to create a whole other class of problems. Like you said, some of the issues that you'd have to go through with definitions of standards and taxonomy and all that kind of stuff. And I'm like, that's cool. So here's what I would suggest then, let's make all of this overhead go away. And when you and I are traveling, let's just tell everybody in the airline industry to exercise reasonable safety.

Right. Because we don't have any examples in the United States government where there are prescriptive regulations in order for people to be safe like that, and that's where the whole argument just falls apart, is that we have big broad swaths of our life that have very prescriptive regulations in place that yield positive benefits for the consumer as well as for corporations. I'm not saying regulate, it's not a big brother thing. Right. If air safety was not prescriptive in terms of regulations, then every state and every airport and every airline manufacturer would be able to operate to a differentiated standard.

And if we have differentiated standards, bad things happen in the gaps between those standards. Right. So the whole argument, once you start to apply any kind of logical reasoning, magnifying glass to it, falls apart rapidly. And yet we don't see any substantive or meaningful movement towards regulations that actually protect the user, as well as protecting the consumer or the citizen, as well as protecting their data.

Jim: One of my things, Richard, is, we talk about privacy itself and privacy and consent. And consent seems to be the way that you get approval for whatever you're going to do with some private information. I don't think many people would have an issue with it. If you, Richard, wanted to create T-shirts with my face and my name and my email address on them, and we both agreed that you're going to just sell these to whoever you can, I'd say, that's great. Go ahead and do that. You've got my consent. I don't think I would have an issue with that. What I have an issue with is the hidden ways that my consent can be obtained, whether it's hidden in the fine print or if it's almost coercive. So to me, I need to use online banking to do my banking or I need to log in to my electric utility's website. And I have to agree to their privacy policy. And it allows them to share my data with third parties. I have a problem with that if it's actually coercive, or if it's hidden in the fine print, that when I go for an auto loan, page 54 of the contract just says that they can sell my data to third parties. I have a major issue with that. What are your thoughts on that?

Richard: I think that my thoughts are driven by a couple of really interesting personal experiences just recently. And so there's two parts that I think are encapsulated in the scenarios that you just talked about. I mean, the first is, again going back to regulations being retroactive, sometimes we just need to be honest with each other. Right.

And the reason why this notion of consent has come up is because businesses, large corporations, over and over and over again have shown themselves to be irresponsible and incapable of managing customer data in the right way.

Right. They just don't. Right. In fact, you can make the argument that the regulations haven't been onerous enough for them to get their acts together and stop doing it. And that'll be the second part, which is my personal experience. So we have all of the issues of kind of this, the onerous and challenging processes necessary to grant consent and retract consent. All of this on an individual level, because once again, companies aren't doing the right thing with data to begin with. So now we put all of this burden. I think I saw something just recently, a news article quoting somebody in the US government saying our problem is that all of these privacy regulations continue to put the onus of responsibility on the consumer. And that's not right. The corporations themselves are the ones doing the wrong things, not the customers. I think there's a lot of truth to that, but there's a really nefarious kind of reality that is happening that people are really not aware of, that I got exposed to just recently. So a few years ago, I suffered a family tragedy. I lost somebody and we'd been together for 20 plus years. And in the course of losing that person, I had to deal with all the mechanics, and I'm not sharing the story for any kind of sympathy. I'm sharing it specifically to this notion of consent and privacy. I went through that process where we had lived together in the same house for 16 years. And I sold that house and I went and bought a house on my own, in my name only.

Nothing. It was there with both of our names on it. And then within about two years after remodeling that house and everything being under my own name, my insurance and everything, I didn't just sell that house. I sold that house. And I picked up stakes. And for the first time in 26 years, I moved cities and I moved out west. And I got out west here. And I bought another place. About just the week before RSA, actually, that weekend before, a piece of mail came to my house. And that piece of mail had my late wife's name and this address on it. She's never lived in Colorado. She's been gone for nearly five years. She's never had anything that was titled or even indicated to be in joint ownership with me in that same five year period. And guess what? Marketers crafted a synthetic her. They've created her out of private information, right out of information that other companies have been holding on to. And now, several years later, they don't have a need to hold onto it. They've crafted an entire fictional person out of data that they should have never been allowed to use. And I actually sent an email to the marketing agency as well as the organization that used that information. And I sent them to the CEOs. And I said, given my position, what I do for a living, I demand to know right now where you got this information from. And I got nothing, nothing, no responses, nothing at all. And I think about it, there's nothing about that story that makes me special. Right. The only thing that makes me special in that equation is understanding the realities of how companies are so badly mishandling data that they actually created a fictional person. That creates anxiety and stress for me when I go to my mailbox in a home where neither of us ever lived together, like that's messed up. That is really, really messed up. But it's also emblematic of two things. First, I will give credit where credit is due. This is a complex problem for us to figure out together.

I can't be mad at companies that are just trying to get the next click or find the next buyer for their stuff. And they're casting everywhere that they can possibly cast for information that's already so ubiquitous in everybody's systems and being managed so poorly. I can't be mad about that. Right. But what I can be frustrated with is really a lack of acknowledging the problem to begin with. And I think, again, going back to what I had said about the person that was quoted in this story recently, we continue to put all of the responsibility for the management of the privacy and security of data onto the consumer. And that's just wrong. There is an obligation and responsibility that companies have to do right by their customers, by their citizens, by their people. And regulations are not proving effective in doing it. I'm not exactly sure what event will cause it to change, but hopefully driving for more demands around security and privacy will yield results.

Jeff: And when you remember the story, I'm kind of glad you brought it up, because I think you wrote an article on this on LinkedIn and I'll be sure to find the link and put it in our show notes. But I thought it was a very powerful and relatable thing that you experienced.

I experienced the same thing because I share the same name as my late father. And he died a few years ago. And I get mail every once in a while, because we share the same name, for things that are obviously related to him, versus me, at my address, which is the house that I bought after he passed away. So it struck home for me. I thought it was really well written and relatable. And I hope people listening will go out and read that article, because I thought you hit it on the head: if you're responsible for managing all the data and you don't even know where all that data is or how it's being used, it's an impossible situation and you'll never be successful.

Richard: Yeah, I think, on top of that is this lack of recognition that these actions that are being taken with our data have negative consequences for human beings. Obviously in this story that I shared on LinkedIn and my personal experience, obviously, the marketing organization that compiled that information, I'm going to spend a considerable amount of my time trying to make them stand up and be accountable because that is very personal. But the reality is that the industry in total, specific to marketing, only sees the opportunity for another sale. They just don't see the reality of human beings on the end of that chain and that process flow. And that's got to change. The more that this becomes the pervasive way of doing business because of the speed and the ubiquity and the instantaneous realities of the digital world, there's just more and more opportunity to create more and more hardship, frustration, emotion and bad outcomes for poor human beings as these practices continue.

Jim: Richard, I think that a lot of our listeners who are listening to this conversation are probably really interested in this topic, and may even be interested in progressing their career to become something like the chief privacy officer. I'm sure you interact with folks like that all the time. What kind of advice could you give them on how to become an expert in the space?

Richard: Yeah. It's really interesting that the changes that are currently happening have the potential to open up real career pathways for people in the privacy space. We look at the history of privacy and the way that it kind of originally rose up in the corporate setting. It really has oriented itself for a long time in kind of the legal space, and that created kind of a bottleneck relative to people being able to be engaged. Right. A law degree or a legal background. And the expectation was that you needed to understand all the legal realities about privacy, but that's getting to be less and less the case. I really give credit to NIST for this. They took on the task last year of creating a new privacy standard. That is the integration of the NIST Cybersecurity Framework and the new privacy standard, which was a corporate and public collaboration effort to say, hey, look, you can't have privacy and not have security. So you need to bring them together. And they did. In their NIST version 1.0, it's available on their Web site. I highly recommend it to anybody who has interest in this type of topic, as one of your first places to go stop and read. But I do think that this is going to open up a career path for people with security backgrounds that have a consciousness and understanding intuitively of privacy and how those two come together.

So I think about people who have worked extensively in security spaces where they've got background exposure to data level controls and database security and encryption at rest and in transit. And you know how data actually works in a secure environment. And that transition to being able to understand the privacy aspects of it is actually a much smaller leap, I think, than going out and getting a law degree.

So I would say that the career progression in this new world of privacy and security is really nascent; it's just beginning. But I see security practitioners at all levels, we know lots and lots of security folks come in at the analyst level, where they're working tightly with data. Expand your understanding in privacy, become conversant in the language of data privacy regulations, go out there and read them. They're like all regulations, really dry. It takes a lot to get through them. That's why I really like bourbon. I obviously read a lot of regulations. But you'll easily be able to start connecting the dots the more and more you immerse yourself in the privacy related documentation, if you're already a security practitioner coupling the two together. I can't make it more plain. It is so intuitive for me. It's intuitive along the lines of identity. I believe that identity is the key for all of this. If we tightly couple privacy and security at the discrete digital identity layer for each individual human being, we are going to have massive changes in the space. But digital identity isn't the only pathway. I mean, it isn't the only control. So if you're educated, knowledgeable in a particular security function, go find the privacy corollary and counterpart by becoming a student of privacy information that is really readily available on the Web. And that would be what I would recommend.

Jim: That's excellent. You mentioned something interesting, which was the linkage between identity and privacy. And I'm obviously thinking of our industry, identity and access management. And I'm wondering what are some of the things that you think that the industry can do, or is doing, to help practitioners improve the privacy posture of their organization, internal enterprise or the customer identity. What are the things that IAM vendors are or could do to help?

Richard: I think without a doubt, the biggest thing we can do, and this is a big tent coalition kind of thing that touches every sub-domain within the identity control domain, is moving forward and building true digital identity, which is not just a summation of accounts or, you know, an individual sign on. It goes to the technologies that are currently available that allow us to be able to accurately authenticate a human being, whether that be a compilation of information that is associated with geolocation or device ownership. We're so far beyond the days of a static certificate and a log in. But one of the challenges that we have is that people still treat identity like that, as opposed to: how do you create a digital you out of analog information? And that's really the thing that moves the needle. The way that I always like to phrase it is, if identity as a function, identity as a group of solution providers, was gonna do anything, it would be to move the needle to a point where in any given moment I am ninety nine point x nines, not driving for Six Sigma, one nine would be great, but ninety nine point x nine percent sure that you are who you say you are.

When I get to that level of authentication veracity, when I get to that level where I am that certain that you are who you say you are, things change dramatically. All the overhead that I introduce in the systems and processing is because I have to put in all kinds of other overlapping technologies to keep everything safe, because I can't answer that simple question: are you who you say you are? Right. That's the world we live in today.

Like it or not, I'm not denigrating any of my other security solution providers or any of the other security control areas. But the reason that we have database monitoring is because I can't tell that you are who you say you are. The reason that we have threat and vulnerability management is I can't tell whether the people that are trying to get into my network are who they say they are.

When we all come together and make authentication of a digital identity, a one to one match of the digital identity, to an analog you, things will change dramatically. Most importantly, they will change exponentially when it comes to the management of private data because of it, you can't get it.

Jim: I think the authentication time to access management system becomes an opportunity of kind of a front door, a way to unify the experience and give people a single place to manage their privacy concerns and data. The real challenge then is for the rest of the organization to be able to leverage that data. So if you've got multiple applications or properties in the back end and you're pulling all that together with a single identity and authentication platform, that's great. But each of those applications starts to build information about the identity. At some point there should be a common chokepoint or common governance around: this person has set up their privacy, has given their consent or taken their consent away, and that needs to flow through. But it starts with having one place. As a consumer, I shouldn't have to concern myself with the fact that your organization has 10 different places for me to manage my consent; that should be centralized and kind of spoon fed to me as a consumer. I think that's providing the right user experience, whether or not it's kind of legally required at this point. That seems like not in most cases, but with the advent of GDPR, and I can tell you from working with a lot of different clients, I see that all those hands are taking it very seriously. And I want to ask a question about GDPR, because I'm wondering, every once in a while I run into an organization where they feel like, well, we don't do business in Europe or we don't have European people in our system, so they don't really feel GDPR applies to us. Does that seem like a valid rationale, even close?

Richard: No, I don't think it's a valid rationale at all, because the Internet knows no boundaries. The Internet is no respecter of nation state, little lines on the map. And so the idea, it's a very parochial position to take, the idea that I'm not part of a global. It's called a world wide web. For crying out loud, it's not called the state of Kansas Web. So this idea that you want to transact in a global environment, but you don't want to be responsible for meeting global obligations. Again, it just falls into the category of that's wrong. Right now, enforceability and prosecutability and all of that, that's a different thing. It's one thing to say I'm not bound by it from a legal standpoint, it's another to say I'm going to enjoy the opportunity to sell my stuff all over the world, but I don't have any responsibility to meet the obligations that are expected in that country. That's a frustrating attitude to take. It really doesn't. At the end of the day, though, I don't know that it really matters. I think that GDPR's take on privacy is certainly Eurocentric by design and by name, but it's also reflective of kind of the nature of economies and societies in the European Union. They are a different construct than the US's, and than Australia's or China's. So there will be these variations. But ultimately, I don't know that. The way that I phrase this to customers, and especially people that have that type of position, well, I don't need to abide by GDPR: do you understand, when you woke up this morning, that today is the easiest it's ever going to get relative to your expectations to meet privacy requirements? They're just gonna keep coming. They're just gonna keep coming, because the reality is we're just gonna keep failing.

And as we continue to fail, legislators are gonna make a decision that they think that they can figure it out even better. And they're just gonna simply iterate a next version of the same regulation that didn't work before, but it's gonna get tougher. Right. And so today's the easiest it's ever gonna get. So maybe you don't have to do GDPR, but maybe you're gonna have to do CCPA. I don't see CCPA. Maybe you're gonna have to do the state of Nevada or the state of Colorado. It isn't stopping, it isn't slowing down, because frankly we're just not making the kind of progress that we need to keep people safe and secure.

Jim: I think that's a great point. I think we could keep going all day, and we should start to wind down.

Jeff: Yeah. And this is not a topic that can be summed up in forty five minutes. But I also want to be respectful of Richard's time. I think I've already solved it. And Jim, you brought it up last week, and that is we just need to become the Borg.

Right now we're all part of the same collective. We're all just MAC addresses as part of the big Borg network. And we can solve the authentication problem there, at least until some crew of humans and their android comes along and figures out how to hack into our network.

Jim: I was at a conference, at least five years ago. And Scott McNealy was speaking; Scott was the CEO of Sun Microsystems. And his big statement was, you have no expectation of privacy. I got really mad at that. I didn't like that. And I think that most people would probably be bothered by that. Right. Whether I think he was just saying this is a reflection of reality, that you have no privacy rights that a marketer needs to respect. Well, I think things are changing. I think they are heading in the direction of where governments are getting involved. And I think, if we have Richard back on the podcast in a couple years, things will change quite a bit by then.

Jeff: Yeah, maybe there'll be a digital bill of rights or something for digital identity.

Richard: So. Well, thank you so much for your time. I truly appreciate it. And, letting me just go on and on. My mom always gets the most puzzled look on her face when I remind her that I get paid to talk for a living because she couldn't pay me enough to not talk when I was a kid. So I truly appreciate the opportunity.

Jeff: Well, we appreciate having you on. And if you want to hear more about Richard and what he has to say, his Web site richardbird.com has a ton of videos of his speaking engagements that he's done. And I'll be sure to put a link in from LinkedIn to that article written earlier about data privacy and that story you shared, so that people can check it out. And I highly encourage folks to do that. Jim, anything you want to wrap up with now?

Jim: I just really appreciate it. I can certainly sympathize with Richard's challenge of having to explain to his mother what he does. I have the same challenges as an identity and access management consultant. I know what it's like. I know the challenge.

Jeff: Well, my father-in-law thinks that I still turn the lights on and off for Walgreens. And that's not something that I've done for at least sixteen, seventeen years now. So that's my background. The challenges that I work with. All right. Well, I think with that, we'll go ahead and leave. Richard, thanks for your time. Jim, thanks for joining, as usual. And with that, stay healthy, everybody. And we'll talk to you guys on the next one.


Jim McDonald & Jeff Steadman

Jim McDonald is a professional with over 15 years leading teams through business-critical technology initiatives. Technical Strategist, Leader and Champion of Change with a history of crossing organizational boundaries, cultivating strategic alliances and building consensus and alignment among diverse constituents to leverage IT as a strategic asset and deliver solutions that rejuvenate and advance global business' financial performance. Also as part of our advisory practice, and with over fifteen years in the identity and access management space behind him, Jeff Steadman helps develop realistic IAM strategies and provides vendor agnostic recommendations to move the needle on IAM maturity for organizations large and small.