Listen to Identropy's Jim McDonald and Jeff Steadman on their podcast at "Identity at the Center".

Jeff and Jim each have over 15 years of experience in the Identity & Access Management space and guide companies on their IAM Program journey through Identropy's Advisory Services arm.
 

In this episode, Jim and Jeff talk about passwords for World Password Day (May 6th) and a Barracuda Networks-commissioned study about the security concerns businesses are seeing during the COVID-19 pandemic.

Brought to you by identropy.com

Want to join the conversation? Leave us a message here: anchor.fm/identity-at-the-center/message or email us at questions@identityatthecenter.com.

We hope you enjoy this episode and please subscribe to our podcast for updates on new episodes!

LISTEN HERE or read the full transcript below.

*Disclaimer from Identropy: These transcripts are produced using automated tools, so they may not be an exact word-for-word transcription (i.e., if you read something that sounds wrong, it's the tool's fault!). As always, for a better experience, please listen to the actual podcast.

 Podcast #43 Full Transcript:

Identity At The Center #43 - Passwords and Phishing in the COVID Era

Jeff: Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey, Jim.

Jim: Hey, Jeff. How's it going?

Jeff: It's good. It's Friday, and it's always a good thing.

Jim: Friday is Mother's Day, looking like there's going to be crazy weather throughout the US.

Jeff: Yeah. I think there's a snowstorm hitting the northeast? I think we'll be OK here in Chicago. But it's been kind of rainy in the last few days. The Southeast is look like.

Jim: It's unseasonably cool. Usually it's the time your work starts getting to be uncomfortable. Normally I think you'd enjoy it. It's like every day's high and low 70s or upper 60s, sunny low humidity. And I mean, this is this is great living weather.

Jeff: Yeah. The high heat and humidity is something that really is my kryptonite. And I think you know that.

Jim: Well, I know the humidity is I mean, I might as well share the story with everybody, Jeff.

Jeff: Yeah, why not. Go ahead.

Jim: I always tell you, which is the time we went to Orlando in January. Oh, you're miserable. You're like sweating.

Jeff: It's Orlando. It's humid. It was in the 80s, I think. But the humidity is always the thing that I really hate about Florida and really kind of any human location.

Jim: Pretty sure it was about seventy four degrees.

Jeff: Away, man. It was like 100 degrees and it was like a thousand percent humidity.

Jim: Head injury stories this way, you can't rest solely on people's memory.

Jeff: The truth is somewhere in between, it's all about perception, right? Either way, I was hot and it was not my favorite type of weather. That's for sure.

Jim: That's right.

Jeff: So it's Friday and today is May 8th. Yesterday, though, was May 7th. And that was World Password Day. How did you celebrate?

Jim: It's like Christmas for me. I just celebrate the password.

Jeff: You put up a password tree.

Jim: I just remind myself that quote from Office Space. I celebrate his entire collection. I celebrate all my password.

I think that doesn't sound so original here. But passwords are crap.

They really should have been eliminated long ago because now the Internet is such an integral part of our everyday life and they're so ingrained in how we authenticate over the Internet. You can almost barely imagine a world without passwords yet. That's where we need to head.

Jeff: Password is not modern authentication. That's for sure, once you get a hold of a password, it's really just a matter of time. Even if it's encrypted, right. You're running. If you got an encrypted hash somewhere, you're running rainbow tables. And once that has been cracked, once it's cracked everywhere. And that's why the guidance is always have a different password for each Web site. But in the reality of the world. Right, that's very hard to do. Most people pick one, two or three different passwords and they just start adding numbers to it. So it becomes very easy to solve for. I like the concept of moving towards passwordless, but I don't think we're quite there yet, though it is gaining in popularity.

Jim: I've got a couple of passwords that I've read. So one of the things that I read a long time ago that I thought was kind of good advice was that because I don't use a password safe kind of framework for how you use passwords and so were really kind of critical applications that I want to make sure never get cracked. I will ensure that, one, they have multifactor or two, that I'm using a unique password. In other words, I invest the life energy and making sure I have a unique password for that site.

Jeff: I like that. The life energy.

Jim: I think life energy to have like, you know, extra passwords that you don't have elsewhere and to remember them. And then there are sites where it's like, OK, I am not going to store my credit cards with this online commerce site. I'm probably going to buy something here once or twice, they're making me create an account, so I'm just going to reuse that same password and use a million times. And so I do that. And one thing I noticed is the Google Chrome now has a feature to kind of shame you. Yeah. And it's I think is a really cool feature, which are like, oh, hey, those passwords already on the Dark Web, you're like, holy moly, wow.

Jeff: I need to go and make a change.

Jim: Yeah, yeah. Like I said, I should stop using that one now on.

But yes, that's kind of been my approach is that for financial staff, for where I stand my credit cards. I'll either ensure the multifactor or I'm using a fresh new password.

Jeff: You're really taking a risk based approach then to password.

Jim: It is a risk based approach and it's partially, easily, because I know if I were to use a password, say, if I could be doing something much more secure.

But, I find that there is a certain level of inconvenience involved with doing that, especially when you have many devices and those devices span different ecosystems.

We've got like, some Apple stuff and you've got some Microsoft stuff and some Google stuff. And you want to just be able to log into something.

I'm making excuses, especially for somebody who's in this industry. But it kind of changed the problem, even somebody who understands all the risks of doing things exactly the way I do them, I do it my way anyhow.

Jeff: You've accepted the risks. I fall on the other side of it. I use a password manager. I use LastPass and, I wouldn't say I've always done it, but since I'd become more involved with security, I've tried to go more random passwords and the struggle of, cross devices and different ecosystems between Apple and Microsoft. iOS and Android, I'm someone who is constantly jumping around between all of those services. So I've settled on LastPass as my password manager because they have an app basically for everything. And that lets me really kind of tame the beast a little bit. So I use randomized passwords and all the different complexity things. And I've been trying to make a more conscious effort of having a different password for each Web site. If I have it as I come across it, then go into the password change process to kind of get it synced up. And that so far has worked pretty well for me. You know, my workflow stretches across Windows machines, macOS and iOS for phone and tablet. And I found LastPass has made it a lot easier for me. So obviously we don't have sponsors on this show, otherwise we'd have a better, greener situation. As Ron mentioned last week. But, it's something that I've been using for years and it's free. At least the version that I'm using and it works well.

Jim: Now we work in the company of under a hundred employees and so we don't have managed devices but I can imagine that, if you were working in a corporation, you could have a number of patchworks for the corporation and personal may or may not be allowed to, so LastPass in the corporate devices.

So that was objection number one, I would imagine you might hear, and objection number two might be, what if you lose your master password? What if you lose your master password for LastPass and 20 has access to everything?

Jeff: Yeah. That's why you've got to make sure that, use MFA even on that. I'm using, a password by itself that is not used anywhere else. Just facility for that. I mean, it is a lot of work and I think it covers up the problem, which is, passwords just inherently are insecure. And I'm excited about passwordless future where you know, how often or how quickly that comes along. You've got things like Windows Hello and, authenticator apps and so forth. I saw recently there was an article that Microsoft's Ignite twenty nineteen, which is about six months ago, there were 100 billion people that were using passwordless logins every month. And that includes things like Windows Hello. The Authenticator App push based and then different security type keys like KPK, etc. And they're saying as of a couple of days ago that it's grown by 50 percent already. So now a hundred and fifty million people are using password. So I think it's great, I think it's a step in the right direction, but I'll be happy when we can finally say, yeah, the password truly is dead. I have a feeling that's going to be you. You're carrying something else. That's your password. Right? It's a lot of companies are focusing on your phone as kind of like your secondary off or, maybe even primary authentication in some cases.

Jim: Right. In a session was with earlier this week and we're talking about the whole idea behind like, why don't more companies or why don't more folks invest in hard tokens?

And part of it is that it seems like something is like there they're taught. It's there now, but the next day is right around the corner. And so how many dollars would you invest through something like that, knowing it's probably going to be obsoleted in a couple of years?

Jeff: I can imagine, you know, going back to my operations days, having to manage RSA tokens and, having to deal with the logistics of hardware keys is a challenge, right? I mean, you've got to get them out to people. People lose them. They break, they're not configured. There's a whole bunch of things go wrong. Now, that was admitted really 15 years ago, roughly. So, the process got a lot better, right. Now it's now it's more of a app based thing on your phone. But I think it'll be interesting to see how this Space balls, because there's also other things, too, right? That like keyboard analysis, your typing cadence. Right. Can be a way to biometrically authenticate, which I find interesting. I'm trying to remember TypingDNA was one of the examples that we've looked at in the past, evaluate space. But I'm waiting for, natural language, when is the computer from Star Trek going to be there available to handle natural language queries and authenticate based on voice patterns and prints, all that good stuff as kind of routine.

Jim: Absolutely. And anything we can do to get closer to what did they have in Star Trek, where there was a room where it was like a virtual reality behind the holodeck.

And that is like. That's our reason right there.

Jeff: Well, that's I think that's kind of where VR is right now. And I've dabbled around with it here and there, and it is very good. But it's still, for the most part, unless you've got a really good setup, a tethered experience. So you're stuck in a room or you have a wire or something connected to you. And there's wireless versions of it out there, too. But you're still very limited by the space. I have seen that there are some like a laser tag style games. Right. That take place in giant warehouses where it's a VR experience. But, Matt, I'd hate to be running headfirst into a wall or something like that, the boundaries. But I think, it's the beginnings of it. It's like anything else. At some point, it will miniaturize and get cheaper and become standard. Microsoft's been trying to make HoloLens a thing for years and hasn't caught on the consumer space.

Jim: VR is going to go the route of 3D TV. I don't know. I know a lot of people were like when 3D TV was hot, a lot of people like, I don't care about that. The one that I thought was the coolest thing ever.

Jeff: I think it's very cool. But a lot of people it makes a lot of people sick, it's not good enough to the quality where the experience and the fidelity can trick the minds for all people. The other thing, too, is the discomfort. People who wear glasses have to put something over there, over that to be able to see things. It's I used to wear glasses, but right before I had, LASIK done. And that's the struggle is real. Trust me, putting a VR mask over your glasses is not the most comfortable thing in the world. And, there's a lot different things that kind of go into the comfort of it. Who knows, maybe, holograms will become the thing at some point.

Jim: When you and I person are working together. You were really into be. Are you spending a lot of money? What were you saying with now? Are you getting much?

Jeff: I'm staring at it right now. It's in a box underneath my computer desk here. It's kind of a hassle for me to kind of pull out and put together. The technology definitely works, though, but it is, like I mentioned, kind of tethered experience and I really haven't been using it. It's probably time for me to say goodbye to it. But for those wondering, I have the HTC Vive. There's Oculus, which is owned by Facebook. Now, they have another product out there as well. That's pretty good. But yeah, I find myself not using it. And it's not for anything other than, I guess, general laziness. Let's put it that way.

Jim: It has to be worth the time investing for you otherwise to do it.

Jeff: Yeah. I mean, there's a lot to a setup for that one. I think the newer versions are laughter where you don't have to put these base station ups and, you don't have wires come over the place. I think Oculus has gotten that part right. The experience a lot better. And, who knows from a virtual workspace perspective. Yeah, that might be a method to look at. Maybe your mask, your VR mask will become your device. Right?

Jim: Right. Or let's say with the VR mask. Did they have any kind of facial recognition or maybe a DNA sample or do anything cool to authenticate you or  it like to take them a password?

Jeff: Yeah. I mean, you're still using apps, right? It's not really an authentication device yet. Yeah. I think the one that would make the most sense would probably be some sort of retinal scan because you've got your eyes within this enclosed area, that would probably drive the cost up quite a bit. So, as the prices come down, might make sense that when you put your mask on, it does an eye scan and authenticate you that way. It'd be tough to do a facial recognition because a mask is covering half your face, at least at this point based on current technology. So I think it's the same problem. A lot of people are having wearing masks out right now because the coated face side, he doesn't work because you get a mask covering up. And Apple has recognized as a problem. And, you know, supposedly in the next iOS point update that they're really saying, you know, we'll have a solution for that, which we'll find interesting to see how they're going to keep the security. But also, make it still user friendly. So I think that's something to kind of keep an eye on. Pun intended, huh?

Jim: Yeah. Right. Keep us on the password day conversation, I keep thinking that multifactor. Here's the way I look at multifactor is. Yes, usually one of those factors is a password, which is going to be weak.

But then the second factor is usually something out of hand or some biometric.

And while we know a lot of the band methods can be cracked, I take from many use cases, this is still trying.

In other words, you create, pull back, and  Krolicki is too much effort for what you're stealing.

Now, I think your view are national secrets or potentially even like financial data SMS text. There's a second factor is not strong enough.

However, if you're protecting pictures on Facebook or something, it probably is.

The problem with these, Facebook becoming like a provider, not super into so many different things.

The clinical surgery that, Gaensler access as though somebody's Facebook isn't about just deleting their pictures or putting up a, stupid postage.

What can you then branch off to do when you have hijacked someone's Facebook account? So find out the best example, but if you thought of something else, it's more trivial, having a second poppers. So much tax for an authenticator app, these authenticator app, for me and you and probably most people listening to this. We don't think about authenticator app something not foreign. But I keep the personal use them in my world, who is a non-computer person is my dad. I just imagine trying to explain to him how to set up Google Authenticator.

Yeah, I get a panic attack even thinking about trying to have that conversation with him.

Jeff: Yeah. There is definitely a hurdle to get to gain entry to be able to do that easily. And I always, pick on Apple as a good example of how they've kind of common MFA, for example, iOS specifically has MFA built into the OS itself. It's very easy to use. And they've kind of people are used to. OK, I'm going to get a code somewhere, right. It's on my phone or whatever it is, whether it's SMS or a pop up on the device. And Android does something similar as well and other devices as well. But are other OS, as I should say. But yeah, trying to explain here, I want you to load the Okta app, right. And register the Okta app with systems. It's easy for you and I because we get it. But yeah, I could see how is people struggle with that. I've been trying to get my wife to use LastPass, for years because she's constantly, having her log on to different machines, what's my Microsoft password was. I don't know. It's your password. You know, she's sitting there kind of thinking about it. It's like, well, why don't you use a password manager?

Jim: She's like, well, why don't I just use the same password for everything.

Jeff: She knows that much. I think as far as, educating her, she knows that's bad. And, when she spots something that's weird at her company, she'll tell me about it like, oh, you won't believe this. So I've kind of TURTUR until a little bit of a password or identity kind of evangelist. But it's not easy. Right.

Jim: Obviously, I think the thing that I see every day, everybody sees every day are all these phishing attempts that come through and, the quality.

Then you still get the random one. Whereas like, a prince in Nigeria needs you to send your bank account information.

I want to send you money or just in scan and say I'm the guy. Delete.

Jeff: Right. The IRS wants to refund your money and you need to pay them back in Apple gift cards or Google cards. Now, those are obviously legitimate because, the IRS accepts gift cards.

Jim: Yeah, of course. And what would take up on gift cards, at some point there might be more than U.S. currency. But that's another conversation, some of them are ones, especially when they're persisting like, the final warning.

Your Apple ID is about to be disabled. What, like seven of these now. Maybe you think now.

And by the way, when you open an email a lot of times it is HTML email. I have a tracking bit, as you usually call it. In other words, it's like some image. It's one of only two one pixel or could be an image. It's like. It's a unique URL that says, this particular email alluvium by this particular user now that they know they have somebody on the other end who potentially is the least gullible enough to open their email. And now. They got someone they're going to keep sending those spam emails too.

But we'll just have to be diligent to follow certain rules. Not click on links that are in those e-mails.

I mean, if you get something from PayPal, go directly to your PayPal app or go directly to paypal.com.

Don't trust in the link in the e-mail. Usually, if you really know you're doing, you can tell if it's a fake URL. But it's just better to presume we're talking about educating. I think this is a big thing that companies do is come up with cyber security awareness, training, education programs to get people, especially around phishing attempts to be able to spot them and not fall prey to them.

And then I know a lot of companies are going out and trying to spear phishing heroin users.

Spear phish Right, that's a very effective over time. Identifying a particular individual and trying to convince them that there's an e-mail from somebody else within the organization that maybe is their boss or somebody higher up and you say it's directed directly at them.  Regular phishing, which is where you consented to everybody in the company for all.

Jeff: Phishing is kind of like I see is like, you're just cast on a line or whatever.

Bites bite, spear phishing. You know, you're going after Big Tuna. Right. It's a very specific, specific thing. You're looking for a specific person.

Jim: Yeah, usually there's somebody who's high up in the organization who would have access to sensitive data or might have some information in their e-mail. Those are usually people who can be tracked.

Some of those who go up their system administrators, social ministers, you would hope, are a little more sophisticated than Paul for a phishing attempt.

But I think that obviously, if your hands on their credentials, you can be much more valuable.

Jeff: Yeah, I'm glad you brought up the phishing thing because came across an article this week and it's from Barracuda Networks and they had commissioned a research company by name, a Censuswide, which I've never heard of. So hopefully this isn't any type of fake news or whatever. But they surveyed they went out and surveyed a thousand different business decision makers across the United Kingdom, U.S., France and Germany. So obviously not global, but enough of a representation, I think, to draw some conclusions. And one of the things that they saw was over half of them. Fifty one percent had seen an increase in phishing attacks since this whole COVID-19 and the shift to the remote working model took place. I think it's definitely on the rise, you've got bad actors who are trying to take advantage of the situation. And, part of that is, the train that goes along with it over half again said that their workforce wasn't proficient or properly trained in cyber risk. Associate with remote working. So remote working is brand new for a lot of companies. Right. This is not something that they've had to consider, in the past. And now all of a sudden, within a span of a week, two weeks right now, they've got most their workforces working from home.

They've had to put in know very tactical probably processes to kind of keep the business running throughout this pandemic. So I think it highlights some of the things that maybe people are already seeing or, should be aware of. But there's always more train that can be done. I thought it was interesting that, over half basically are saying, yeah, we're seeing a rise in phishing because of the whole pandemic. And I would expect that that number will continue to grow because I expect that most companies, at least big ones, have announced that they're going to extend, work from home as a primary method through the at least to the end of this year, some are already saying, through summer of next year, a full year out. So it's something I think that as people in the identity space, we have to make sure that are, communicating to the folks that we work with and colleagues, etc. To be able to, hopefully improved level security that's out there and at least just make people aware of, hey, you know what, you may see an uptick in phishing attacks.

Jim: Yeah, and a couple thing. I mean, you live on my radar, if a few things are going to pick on the non-security thing. So it's the increase and semi, at least semi-permanent of work from home. I had been a proponent of this for a long time. I worked from home for a decade. And I feel like it's probably not for everybody. And there's definitely some benefit to everybody being in the same place. So I'm going to make that statement. However, from a quality of life perspective and the ability for a company to, I think, retain employees allowing work from home. Look, what's the average commute in the United States to and from work is probably more than a half hour each way. Right. So there's a half hour to an hour each way. People are sending an hour to two hours a day, 10, five to 10 hours a week of their life, sitting in their car, burning fossil fuels, spending money on parking wear and tear on their car.

And it's just a reduced quality of life, I think, vs. the ability to work from home. Now, every job  I understand all the criteria. I'm not going to go through them all. But to me, this they could be a positive development to come out of this is that I think a lot of companies were afraid to even try it.

And maybe companies out there, maybe some situations are finding this is very sub optimal. But I bet you there are some organizations urging or, we can actually do this.

We just save money on commercial real estate and improve the lives of our employees by, allowing work from home either more or all the time.

Jeff: Yeah, I feel like there's a lot of people who I've been told over the years that job that they can do remotely can absolutely be done remotely. And the technology is there now. It is not something that's new or cutting edge. And you're waiting for other people to figure out all the bugs and wrinkles for it, it's like anything else that's out there, it's infrastructure. It's configured correctly in your filing, good hygiene and security and identity management. Then I feel like the most people could probably do some, if not all, of their work from home. And I'm a big fan of it. I've worked for companies in the past that did not have work from home and have slowly know, at least when I was there, kind of come to an agreement. OK. You can work from home one Friday a month, right. And then it became OK. Every Friday. Right. Or something along those lines ends. This has really thrust. I think that decision making. Back to the forefront to say, look, what are we, what do we do here? I think life is a lot easier when you count from home. But it is not definite, not for everybody, like you mentioned. I think there is some discipline that that needs to be there because, you may have deadlines or there's work they can easily get done, within a certain time.

And you may have distractions at home or, there's too many other things that might be competing for time, especially right now with kids at home from school. Right. I can see that being an issue when you're trying to manage children in the house as well as work responsibilities. So I think, fortunately, a lot of companies are recognizing that and kind of working around it. But there is definitely things to consider. Just from that side. But I am a huge proponent of being able to work from home when it makes sense for all the reasons you list.

Jim: I think that the biggest thing that I'm seeing since the pandemic started is that people who maybe the work from home, folks traditionally now have their kids home, either because schools are being canceled or day cares closed and, where they might be able to rely on even, other family members watching their kids or however they had childcare, those things and drive off.

And so now you've got four world by world kids hanging on their parents when they're trying to work.

That's a totally different situation than what I've run into traditionally with people who work from home, who design their life around making sure that that doesn't happen or that only happens on, weird things like snow days or whatever. Well, I'm talking like it's like the everyday occurrence. And even most people that I've been working with who are, working for other companies where they work from home, they've worked out of situations.

So say, mom and dad are both home, working from home now. And now the kids are there. They're figuring out some way to speak or working or say that somebody is watching the kids and keeping them away.

So I saw a really funny video of the day was a guy doing a television interview and one of his kids.

Well, sure, they should show, flailing and dad, the mom like readjusting. She's trying not to be on the camera, like, pulls it out. It was just hilarious thing.

Jeff: I think you're talking about the one from. I don't have his BBC or one of the British ones. Right. It was last year. They. Yeah. That  made it all over the place. I think it actually turned into a commercial for like Skype or stuff like that for like, blurred backgrounds, stuff like that. Right.

Jim: Right. Those were those golden. But yeah. So I mean. And now to put it all together. So I think one of the biggest risks overall with, working from home is. If you rely on passwords as your only form of authentication, you get to services, rather they'd be cloud services or to get back into the internal network. I mean, then it's a huge obviously you've got open to the outside world if those passwords are weak. Because I think what's happening is that companies are now having to open things up. In a way they haven't in the past. One of the things I'm going to point out, I mean, we don't like our podcast to be a commercial, but it moves the king, who is one of our partners. So now an e-mail that I think it's either for the current customers or I'm not sure if anybody can use.

Jeff: Yes, it is for anybody.

Jim: It's for anybody where you can essentially start leveraging their multifactor authentication service for free to help secure your remote workforce during the pandemic.

So, I mean, to me, that apply, if you're in a situation now where you're having a hard time keeping an eye out because, your entry from the outside world is so secure by passwords looking good, whether or not there's free service is something that you could leverage and equip folks.

Jeff: Yeah. If you work from home, I don't think you could seriously say that you're put the right security for Justesen passwords. I think that is a no brainer. If you're doing any type of remote work. There needs to be that second factor somewhere to make sure you've got the proper level of security. Right, what's something that I found disturbing in that same report? And I'll put this report into the show notes so that people can find it wherever they get their podcasts. There usually is some sort of detail page because we all get questions on that. It'll be in there. Forty percent of respondents have cut their cyber security budgets as a cost saving measure to help tackle the COVID-19 crisis. So I think that's scary because now you've got more people working from home and theoretically, you're spending less on security to cover those people. And I'm not a direct one to one correlation, but people cutting cybersecurity as time when there's going to be more phishing attacks, more, everything else that goes along with that. I think it's just a terrible combination. And, the other thing I think that was really interesting was half of the companies would consider making workforce reductions if it meant company data protection could be properly funded. So they're cutting funding. But the way that they see clawing back that funding is by doing reductions in an already terrible job market because of all the shutdowns that are happening. So I think it's a really interesting and unfortunate approach to it. I think this is a time when security should not be on the table for cuts, especially if you are doing the work from home type stuff that is become so prevalent.

Jim: Well, I think yeah, airline industry, how can you not uncover or turn over every stone looking for place, the businesses at the same time. It just creates. You need to feel so right. You know, you don't think you do and damned if you don't. I do think couple of things is, you've got to expect this pandemic is going to end at some point and that things will shift back to normal.

And one of the things that we saw was that cyber security professionals were in high demand before this happened, higher than other fields. And so they do wind up coming workforce and by the way, putting workforces in free. It's not like we're paying, you know, 1000 thousand dollars a week. And then we're going to get rid of you and it's going to cost us nothing. There's some kind of residual costs to keep paying, severance or something. You ever know somebody you have to turn around six months later. Hire somebody back into that position. You get the cost of recruiting somebody. Now, I'm being a realist and just seeing what's going on in certain industries. They might not have any choice. So that might create an opportunity for a company that's not as bad a place to you, if you feel like you can hire this price of cyber security people who are pretty good on the streets right now. I don't think there's something the industry is hiring and they really release the unemployment numbers today, something like 16 percent unemployment in the United States.

That's great. There hasn't been that low or that high since the Great Depression, but it feels like it's going to be a temporary number. Things are starting to open back up. I have talked to people who are extremely worried.

I’m person not like, I'm not that worried about it. But I talked to other people.

I know they are truly worried that I'm already going back to the gym and I don't know or just think I'm absolutely nuts going back to the gym and people who live in my own town, who are like, I would never go to the gym.

But I'm starting to see restaurants open up and, the Mexican restaurant, those are my houses. They had a line outside on Cinco de Mayo. And I think people are ready to back to things are. A lot of people are ready to back to things, so I feel like a lot of people I think the next wave will be, less than a month or two months under our belt and see if the pandemic spikes again. And if it doesn't, then maybe it's safe to go out again.

I kind of feel like there's different levels of passion that people are following, depending on kind of their risk tolerance.

Jeff: Yeah, I think everybody's making risk-based decisions and I'm happy staying at home, letting all the guinea pigs out, figure it out.

Jim: I'm definitely wanting a guinea pig.

Jeff: Definitely. But, yeah, I think going back to the point of no talent, I think there will definitely be talent available. But I think security, you know, security has always been a hot market for positions and for people looking to get into space. And I don't see that dropping anytime soon because I think, if anything. Right, this current situation highlights the need for good security, especially these companies get hit, whether it's phishing or ransomware, or even just taking and now a flood of eCom customers that weren't there before because you were a traditional brick and mortar restaurant. Right. Or some other type of business. I've seen a lot of companies that have now gotten into the consumer IAM game and have no idea what they're doing right. And are figuring out as they go. So I think the identity space specifically and security is very strong position right now. And I don't see that going down anytime soon.

Jim: Right here, advice for somebody who just came into this industry would be to do so.

Jeff: Get some experience on your watch YouTube videos, check out ID Pro, which is an organization specifically for identity professionals that the least that I'm a member of. They have a good body of knowledge that's designed for people to get into and start to learn things, it's not just for newbies. It's for people who maybe focus on one specific area but want to brush up on another area. Maybe you're great on the identity governance, but you need to bone up on authentication or authorization. I think there's kind of something out there, but it's like any other job, you've got to keep your skills relevant and current and be able to adapt to the changes that are part of the natural ebb and flow of business. And as long as you do that, I feel like you'll have done everything within your power to make yourself marketable and hireable and relevant to an organization.

Jim: Absolutely. And listen to the Identity at the Center podcast.

Jeff: That's a no brainer, Jim. I mean, we should obviously be the number one source for all of any information. All right. I think that's probably a good spot to leave it for this week. Anything else you want to bring up, Jim, before we wrap up?

Jim: No, I think you just shout out to all the mothers out there.

Jeff: Yeah. Happy Mother's Day.

Jim: We all have one. And most mothers are freaking amazing. So shout out to all the mothers, especially the identity and access management mothers.

Jeff: Right. So happy Mother's Day. Everyone stay healthy. And I think with that, we'll leave it and we'll talk to you all on the next one.

 

 

Jim McDonald & Jeff Steadman


Jim McDonald is a professional with over 15 years leading teams through business-critical technology initiatives. Technical Strategist, Leader and Champion of Change with a history of crossing organizational boundaries, cultivating strategic alliances and building consensus and alignment among diverse constituents to leverage IT as a strategic asset and deliver solutions that rejuvenate and advance global business’ financial performance.

Also as part of our advisory practice and with over fifteen years in the identity and access management space behind him, Jeff Steadman helps develop realistic IAM strategies and provide vendor-agnostic recommendations to move the needle on IAM maturity for organizations large and small.