Listen to Identropy's Jim McDonald and Jeff Steadman on their podcast at "Identity at the Center".


Both Jeff and Jim have over a decade of experience in the Identity & Access Management space and guide companies on their IAM Program journey through Identropy's Advisory Services arm.

On this episode, Jim and Jeff talk with Luis Almeida, VP of Business Development at Identropy, about how the value proposition for IAM has changed over the years. You can read his take here.

Brought to you by

Want to join the conversation? Leave us a message here:

We hope you enjoy this episode and please subscribe to the podcast for updates on new episodes!

LISTEN HERE or read the full transcript below.

*Disclaimer from Identropy: These transcripts are produced using automated tools, so may not be an exact word-for-word transcription. (i.e. - if you read something that sounds wrong, it's the tool's fault!) As always, for a better experience, please listen to the actual podcast.

Podcast #7 Full Transcript:

Identity at the Center #7: How the IAM Value Proposition Has Changed

Jeff: Today we've got a special guest, Luis Almeida. He's VP of business development here at Identropy. And so we thought it'd be interesting to have them on to talk a little bit about how the value proposition of Identity Management has changed. And that this is something near and dear to his heart for a while. And you've also got Jim McDonald here, too.

Jim: Hey, guys, Jim McDonald here. I'm really excited about having Luis on, Luis been a veteran in our industry for many years.

I'm not going to steal asunder by doing his introduction. But, you know, he's worked at several Identity and Access Management companies in the past. And so he has a really good, unique perspective on industry and he's really good at telling stories. So, Luis, why did you do a quick introduction of yourself?

Luis: Thanks, Jim. Thanks, Jeff.

It's a pleasure to be here, because the respect I have for the real practitioners in this space. And especially Jim and Jeff, who have done it, they've been on the other side of the table really managing programs and doing the hard work. So these are people that I have a great deal of respect for. I think the really good salespeople are the ones that try not to speak, try to give the customers a lot of space and listen. So this is a little bit uncomfortable for me, but I'll do my best. And I really appreciate the kind introduction, guys.

Jeff: I think this is a model opening for all of our guests that they can show the appropriate amount of deference to just think it's going to go great.

Luis: And I really mean it. So, thanks for having me. But, as Jim was saying, I've been in this space really 15 years over the over 15 years. I got my start at CA back when it was Computer Associates, I was a storage guy really selling backups that you could do the backup but then you couldn't restore, which was really a horrible business to be in. And a good friend of mine, Mark Potter, who ran identity for the Southeast for CA at that time he heard me on the phone banging away at trying to help customers and he said, I want you to come join the security team. And I looked at him and said, I think you're crazy. There's absolutely no way I know nothing about security. And I picked up the phone and kept dialing in. And he insisted and it was the best thing that ever happened to me in my life. And so I was there for eight years. I was very successful, selling sight minder and CIA identity manager. And, you know, we used to say we'd sell out of a hole because people weren't always pleased with their experience with CIA. So we really had to work hard there. And after eight years, Mark left CA and went to join the team of Quest Software. He started the Identity and Access Management Team, and I was his first hire at quest.

And that was kind of a risk for me because Quest had just acquired Volker Informatics, a German identity and access management company. We knew Quest is a tools company, A-T management and we went over there and we actually did relatively well. We were there for I was there for three years and then we suffered through a process where Vinnie Smith was going to take Quest's private. And then Michael Dell said, No, you're not. We're coming in and buying you. Michael Dell's agent spoke louder and we ended up going to work for Dell and Dell, large sales organization. I felt identity was going to get lost in the shuffle, Identity being such a specific thing, the selling position that I left Dell and I was fortunate enough to come join our team here at Identropy. I've been here five years. It's just been for me just a tremendous experience. And the reason for that is I think in the identity space consulting services is so important. And the ability for us to listen to the requirements, a customer has to be able to position value beyond products.  Looking at programs and the stuff the advisory team does is just easier. It's more flexible. We can be of more service.  So that's it. That's my background. And here we are.

Jim: You're very kind of in the early days of Identity Management and the approach has changed so much over time. And the vendor landscape has changed over time. I think that's been driven a lot by the value proposition for customers. And I was hoping you could maybe talk about was kind of, walk us through the history. So, we're customers getting value of what was driving their investment, say, 10 to 15 years ago and how to change over time.

Luis: Sure. So, I'm somewhat a big fan of the Gartner product hype cycle, right? So that's the curve that, the product increases in hype over time.

And then it dips down into a trough of disillusionment, starts to slowly go back up and then goes into the plateau of productivity. So I would say that I missed the upturn towards the peak. I really joined the identity space really at the peak of the hype. That's when CA acquired integrity. All these other acquisitions were going on and identity. There really weren't identity practitioners, really. I mean, but the people really had high hopes for our identity. And at that time, we were telling customers is we believe this. I think it's really important to say, the people that I know that do well in sales and service providing and helping others, they come from a place of sincerity. The place is one of helping. And you get paid and you're gonna make money, But if your heart has to be in the mode of helping. So I would go out to my customers. When I first got hired and try to help them. And what everybody expected that we were going to help them with was something called auto magic provisioning. OK, we were going to give everybody access to the systems they needed programmatically with the right permissions and entitlements across thousands of applications. And it was really an I.T. optimization value proposition and it was something we were sure we were going to be able to do. We were all setting out to do it.

And you know that really it was a value around making people's jobs easier, and, of course, enhancing security because you're somewhat facilitating least privilege.

Jim: And Luis, if I could jump in for a second. These are the early days of Active Directory, right? So you're going back around 0 3 0 4 timeframe, I think active director really saga with Windows 2000. So it took some time to get established. And within the enterprise walls, it wasn't like, people sit up active directory and they integrated 200 applications into it. So if you automated active directory, you're good to go on. Large part of your I.T. landscape. This is the days where applications for the most part each had their own username and password. Those user names, the very things like that. So from my recollection, it kind of being in that space and being a practitioner. It was about why we've got simeo, this wild west of access is being managed in different ways across different applications. And there was not a central identity store for the most part.

Luis: I do remember it that way and the way I remember it really to me, which is really symbolic of that time, were all the role engineering exercises. People would get locked in a conference room for years and Ernst and Young or Accenture or whoever would come in and just do these huge role engineering exercises to create these buckets of permissions that they would use to provision. I was very fortunate back then that I met a good friend of mine is still a great friend of mine, him and the model who's the CEO of today. And,  I linked up with him. And, remember, I was a storage guy, didn't really know what I was talking about. So I'd let him do all the talking. We always led with this concept of role engineering. You need to know what you're going to provision and.

That's what we led with. I think, Jim, you know, we weren't looking at groups.

We were really looking at what were those entitlements permissions inside of the application was very large services projects in a large enterprise and they were very challenging.

Jim: And a lot of a lot of mainframes, to be quite frank, their legacy systems, applications that were hard to integrate with.

Jeff: that was my background. When I was first getting involved in IBM was with Walgreens way back when. And, there were four of us who were responsible for creating mainframe accounts. Lotus Notes, e-mail accounts, which is a total nightmare to try to do anything with one whose idea was I found out later on in my career. But yeah, it was very it was very account based. And we hadn't even considered really the concept of roles at that point. This would have been in the early, early 2000s; things were going through that process. But it's funny; we didn't really even consider an IAM tool that point, even though we were a fairly centralized team, there were still only four of us, for this entire pharmacy chain, essentially doing the corporate enterprise stuff. It took a few years as we started to really skyrocket from an access need perspective within the organization to recognize that. OK. We really need to start to figure out how to get to scale because, SLA has become a concern. And this is this is back in the old days where, it's Friday and we're all working out of one mailbox and there's literally nothing to do. So we're fighting over tickets to see who's going to grab it, who's going to grab the e-mail because there's something because otherwise you're really just sitting there because if demand was there, flash forward a decade and now you've got thousands of tickets that you're magic people. But it really was a very simple time, from IAM perspective.

Luis: And this conversation is really reassuring, right, because we really didn't know what we were doing. We don't. we had we had a vision and we thought we knew where we were going. And together we tried to solve problems. But what that time became was a graveyard of failed implementations and unfulfilled promises and extremely disappointed customers. And, and a lot of hard working salespeople, a lot of hard working consultants are trying to figure this thing out. That was the vision. And it just wasn't working.

And, a couple reasons for that. You do your roll engineering exercise. It took forever. You tried to do implementations where it was, big bang. You try to do everything at once. There wasn't this concept of delayed perfection. But what is it what is it that Chad says all the time incremental progress, which we really think about today. So there's a lot of field implementations, a lot of money spent.

And, to this day, we still see some remnants of that. I mean, there are some large organizations that are still suffering with a large investment sunk into an identity program that's connected to Active Directory, and that's it after, five years, 10 years. So that was a tough time for all of us, I think.

Jeff: Why do you think from your tears here, your perspective on this? Because I've been involved with implementations that have started off great, being out, having been on the customer side and then they die out. And I know why those died out. It's a very good reason why. I'm curious, from your perspective, where do you see the failure when it comes time to kind of figure out post modem, why? Why is only Active Directory integrated with our IAM system after two years, three years, whatever it may be?

Luis: I think that goes back to what the work you guys do. I always tell clients that if you enter the partnership with us in advisory, our chances of success are much higher. And I think that is because we create executive support and more and push when you see executive support. That's kind of like a buzz word. What does that really mean? What that really means to me is making them understand how difficult this thing is going to be and making them understand that we're going to need the cooperation of the application owners of H.R... We're going to need the application, the cooperation across the enterprise. And I think what happens in our projects, they used to. If you don't manage them correctly, they'll happen now is people get tired. The project team gets tired. They get tired of fighting the political battle. And Active Directory usually goes first.

Jeff: It's the easier ones, right.

 Luis: And the 80s team is one team. You go and you bang team on the head. But do you think about people that are trying to onboard and bring into the identity program hundreds or thousands of applications when that's a long and a lot of difficult conversations for one team to be having?

Jeff: I think that exactly support one is important one because in my mind that's money. And when I think about where I was, a decade ago and really kind of starting to roll out, IAM systems, for the corporations I've worked for. It seems like they were really only funded for a point in time. The next two to three years, there wasn't really much planning beyond that. And that's just something that you kind of have to think about. This is a program, not a project.

Luis: I remember having a conversation with a guy.  he was like a director level professional, super go-getter, he wanted to fix things that he called me. And I was really just giving advice because he didn't want to buy services he wanted by product. It was he had he'd been given by Microsoft, I think at the time was Men or Fem. And he's like; I'm going to do this. And I said, look, man, I'm not trying to sell you anything, I promise you.

But I'll tell you that if you embark on this journey by yourself, you are entering what I like to call a career cul-de-sac, because you're not going to be able to do anything.

And people are going to have expectations because you're like you've got the licenses for free.

Why is this thing done? And you just aren't going to be able to do it on yourself. And I think that really resonated for him.

Jeff: The free enterprise software is not free.

That's right. We see that a lot of times with boys. I've seen it personally with, Oracle licenses are free from an IAM perspective, because they get databases or something like that. But there's a lot of implantation goes on with it. And there is that expectation, so it's free. And we have it up and running already. there's always way more to it than that, really. If I said he suffered.

Luis: That's right. So back in the day, it was super hard. We're trying to solve a super difficult problem. We didn't really understand exactly where we were doing this whole coordination in the in the enterprise was difficult. And we entered into what Gardner calls the trough of disillusionment to the point that it wasn't just one meeting, was several meetings that I went into that my sponsor said, don't mention identity, don't build, don't call this an identity project. I asked a quick you call it and , there was an there was an interesting point in time.

And then I remember being at an event and my good friend, I'll mention him again, Mark Potter pointed to a booth and he said, oh, that's  Aveksa,  So that's hot stuff. And next to Aveksa was SailPoint. And I'd never heard of Aveksa and SailPoint. I had been competing with IBM and Oracle and I came in and exhorted, it's never really a vision, really, I sold the cars that were on the line and did what I had to do. But those dangers are going to become very close to me, too. I really started competing with them and I think they played a major role in changing the story around identity, so I'll keep going, I paused there for you guys interject, but I'll keep going.

Jeff: So I was trying to think of a way to disagree with you, but now you're right.

 Luis: There were two of them. So, And at that same time, which was really interesting, was there was something happened called Sarbanes Oxley was just about at that same time as well. And this isn't my quote. This desire was at a conference and I heard somebody say this, what it must have been 12 years ago or so that the best identity sales guys were Sarbanes Oxley, They really got our space moving.

It the time were Aveksa and SailPoint entered. And pretty much what Aveksa and Sailpoint did was they said you don't want this stuff right here that IBM, Oracle and CA are trying to do that's really hard , and that's not really where the value is. We're not looking for we're not looking to make IP people's jobs easier. We need to keep the CFO out of jail and we need to allow accountability for access to be moved from I.T. down into the business. And that's when the value proposition shifted from I.T. optimization to governance, And the sequel to governance for the symptom of governance is security.

Jeff: Sock's was a huge driver from my background. I mean, it essentially doubled my team trying to manage Sock's compliance. It's basic form. It's very simple, just make sure that the access is approved and that you keep a record of that.

 Keep your records and email and, an older ticketing system that really were easy to search for, like a generic ticket. It was super hard to try and demonstrate that the orders that would come sit down at my desk and say, OK, here are these 30 people. They’ve all been terminated. Prove to me that they've been terminated. How do you prove a negative account doesn't exist? So you have to look back through, sometimes paper at that point. It was just a total pain in the @$$.

Jim: I think one of the things that I remember from that period that Luis was talking about was that those come I don't know who to attribute this quote to, but it's still used today. They talked about who has access to what you need to be able to show, who has access to what. That's what their solutions specialize in. And that's just resonated with everybody. How do you argue with that? Well, I know who has access to what.

Luis: Not only does that resonate from the standpoint of like, yeah, I make sense. Everybody needs to know. But remember; now we're no longer trying to do the really difficult thing.

So it's like every identity guy just ran over that and said, let's do this. Because, Jim, you know, even in our projects today, the aggregation of identities.

The consolidation of the entities into the identity system and then correlation and doing the unique I.D. and cleaning the system, that's I'm not a practitioner, but from what I've seen, that's much easier than trying to automatically provision with entitlements and permissions. So everybody kind of flocked to that, I think.

Jim: Not everybody, though. But that was just the one thing that I want to interject was we spent the previous five years or 10 years training up the ladder that we need to automatically provision because there's no other way. I mean, that's what we can do. That's how we can solve this problem. So there was a a mindset shift, at least where I was my career was happening, kind of grassroots of managing identities that I started to get it. And I had to move that information up as I was working for somebody who said, Sailpoint and Aveksa are great, but I need to know from an efficiency standpoint, I still need to do automated provisioning for thousands of applications. And I think,  my feeling and I feel like I'm going to say what you're going to say next was that I think SailPoint and Aveksa I heard that they started to bolt on to their solution. The ability to manage identity is right at the same time. The big legacy vendors, the C.A. Oracle IBM saw pay sailPoint and Aveksa are stealing our lunch. We need to start doing governance. So you see, for example, I was in a C.A. shop around that time or a little bit later and they had a governance minder product, And then they said, we have governance, minder. So that was a bolt on. And I think the edge is easier to bolt on administration provisioning easier but more sensual and to bolt on governance where you've been pushing out. Now you pull in versus you're pulling in a knife or shell.

 Luis: But that's a really interesting point, Jim, because it's really like kind of the legacy products, how they evolved over time.

It's like all these acquisitions the new drivers would arise. And I remember that happening with full engineering, some bought by you. I think Eureka Five might have been I think Eureka Five was actually the role engineering piece that CA bought. There was another one. It was the Israeli company Ideological that was kind of the governance piece as well. And these things became really hard to manage because it was just bolted on. Even to this day I don't want to criticize too harshly, but IBM has a problem where their legacy products. The two aspects of it don't work through the same interface, as far as I understand. And it was still living in that in the legacy world. And now if you think about it, it's funny how in the software world things repeat themselves. This issue with maturity of the products becoming legacy vendors, we see it going on over and over. One thing I wanted to mention before we keep walking down this line here that the hype cycle is that, Jeff, something you said where your team doubles right when socks happen

 To me, that's a direct indication of executive support. Right. So not only did the problem get easier to fix. The products improve. We're on the second generation of products and they cared because they will want to stay out of jail, exactly. It's a big help, right?

Jeff:  Keep the otters off their back. And, they were happy. And I think every year organization approached a little bit differently.  the most expensive I have.

We decided to create a centralized kind of IAM standers of excellence now, things that were being disparately provisioned all around the enterprise. We pulled into one central group, common set of processes, a way of doing things. And then we had a strike team. Leslie and Ray, you guys were listening. They went out and they were brought in specifically to help pull in socks, applications or applications that were identified as having socks relevance into our group and then sorting through that. So there were, I want to say, at least several dozen that kind of settled into that, when you consider mainframes I-series, and kind of all that stuff. There was definitely support to staff it. What I didn't really see as much support, though, was on the software side until it became a scaling problem where. We’re gonna have to double, triple; quadruple the size of the team just to keep pace with the volume of requests as the business continued to grow. So my first started, we were on store 4000 at Walgreens and when I left I think we're at like 8000. So we doubled just a store count alone. If you imagine that's the hundreds of thousands of users trying to manage all that, we definitely had to make an investment for the technology side just just to keep pace.

Luis: And something Jim said. The provisioning requirements still remained and people were still doing that. Yet I think, these side projects from governance were going on even when people had C.A., IBM and Oracle, they were deploying SailPoint and Aveksa in parallel to that. And we had two magic quadrants, right? We had the Identity Management meant nobody says Identity Management anymore Identity Management Magic Quadrant. We had the governance quadrant.

And then we started to suffer a lot of business disruption in the space. Aveksa got acquired around this time, I think by EMC. And then EMC got acquired by RSA, the RSA. And then he means EMC and then Dell. So things started getting shaken up in this in this space. Meanwhile, BMC was falling off. Remember, Guy, BMC had a product here and Sailpoint, I guess acquired the BMC customer base or licenses.

I wasn't really close to SailPoint at that time, so I don't know exactly how that went down.

I was competing with them, but the next is what Jim was talking about was, the products got integrated and you had a provisioning and governance in the same product that became a requirement in Gartner released the Identity, Governance and Administration Quadrant, which is still what we're seeing today.

And we were on our way kind of moving up that high, back up to where we weren't a bad word towards the plateau of the productivity.

Jim: Another thing that's happening in the background in this time frame, time frame was major public publicly announced data breaches. And so we're also seeing,TJ Max.  Did you imagine Home Depot, things like that Target, you also you’d have the smart executive ten, fifteen years ago would say, well, you want me to invest a million dollars in security. Show me how it's going to save me more than a million dollars. How that is do it. This is your best bet. The shock factor of say, hey, what have you self-worth data breach to cost you 300 million dollars in brand equity, that there wasn't even a conversation back then. Now it's like people know that's a reality, right? I mean, it's all over the news. So that's happening in the background. I think more because one of the other things that you see, Gartner does a really good job. I think all the analysts firms talking about how the investment in security is increasing every year and it have just enabled the industry to grow. And one of the other I think in the sidetracks, I think it's important to point out, is that the identity and access management industry is always being driven by startup companies. So you we talked about CA and Oracle. Neither one of those companies really started their identity management. So I think, I was really more close to Oracle. They had some things. They went out and bought Oblix. Then they went out and bought the Warsaw small companies that grew into big companies and you know, and you still see that today where this is an industry where you start as a very small company, build, a killer technology and then get all out by a larger company and added to a suite. And then sometimes those companies go, take a SailPoint or Okta, For example, they'll start as a startup and grow all the way and become a public company on their own.

Luis: Jim, this conversation is great because I'm remembering things that I hadn't thought about in a long time. So about this time, you're absolutely right.

People would come to us and they say, all right. This sounds great. Can you guys does it? Our why analysis,  and I'm not kidding. I look at that. We as sales guys, we would look at that guy and we would say, no, you're not ready to buy this. We really did not do them. And we ran away because this was a governance play. So security played. You just do this. You'll ask me for an hour lie. So you took me back to the day there, man.

Jim: One of my stories as well. The company is working for eventually won out and we bought Obelix which plaited became workable access manager, but which I am trying to convince an executive they should spend a lot of money on a technology called Obelix that they'd never heard of before.

Explain what it does and why it's a good investment and things like that. And again, data breaches weren't in the news all the time. So we went back to the Obelix sales rep who, by the way, was Tom Neco, who had been Identropy,later up.

Luis: I know Tom was here a little while with him.

He was here at Identropy for a while. He was there. And I asked him the same kind of question I think he gave me to see Cross eyed look. But ultimately they're the way they would build an aura. Why was or how much you guys pay for password reset

 Luis: Now you're digging deep in the album create here man.

Password reset, we so love that because we'd be like that is all a lie. There was tons of would justify the whole identity project with password reset.

Jeff: That's how I got into it. And I spent way too much time writing reports, trying to figure out how many passes are doing.

And it just that's but that’s exactly how our story.

Luis: And that's funny, too, because, you know, that is significant value to the business. Like that's an identity value proposition where the users are grateful. The only thing perhaps better is single sign on.

And if you remember back in this day, I'm mixing Gardner quarters, I'm mixing sectors.

But everybody wanted to do what we called Enterprise Single Sign on, which was single sign on inside the organization, which was a pain that was not easy to do. And then things shifted again, right?

It became more about Web single sign on. It became more things were active directory centric. It was it really single sign on. It was simplified sign on where you just used the same password over and over, but you didn't just automatically have access without authenticating.

Jeff: you'd have good listeners running an ID. They'd have a password change. Right. And then push that out.

Luis:  I was going to say I know you guys don't want to have a two hour podcast. I know we could probably. How are we doing on time?

Jeff: I think. We got a couple minutes. I want to ask you a couple questions.

I've said this and I want to ask you, the first one is from a height perspective. What's something that you see today that is either really over hyped or under hyped, in your opinion?

Luis: A.I.

Jeff: Is it over or under?

Luis: Over, I mean, I think this is really interesting, right?

This is actually now let's get the plateau, so what happened? These things became easier. Applications have programming interfaces now that we can go in the synchronization problem and case in simpler expectations or less. So I don't want you to provision entitlements. Not some do, but, I'm okay with you creating the account. So got easier, the environment got less, got you got more access to build these integrations. And we hit this plateau where we’re working. Like we can look at our clients so we could say it's going to work. We have 30 active projects. a couple of people might not be 100 percent satisfied, but generally we're doing our jobs and we're coming in under budget and they're on all these issues.

So now enter this new area right now, right where everybody knows that the enemy is within. Everybody understands insider threat.

Everybody understands. The walls are gone. People are accessing our data from outside of our data centers. So the old paradigm of firewalls and keeping people out is gone. So what's left for us? Right is identity, if everybody's coming in and out, at least I want to know who's coming in and out, where they're going.

And then, these concepts of deep learning and machine learning and A.I. and all of this stuff that could process data more fat more quickly and look for behavior patterns. That's the big promise. We're all living right now. And to me, that creates now getting us out of this plateau and starting a new hype cycle, right. A new hype towards behavior based automatic provisioning and behavior based authentication and authorization and all of these things that I'm sure you're seeing as well. Would you agree with that, Jeff?

Jeff: I think prior talk about things like Idaptive authentication, conditional logic, you know, those types of things right now, I wonder if it's a AI is because it really hasn't been a really good application yet in the IAM space.

I think there is logic. And you're trying to detect behaviors. I think that's probably just one, isn't it? Looking more from the end user side, right, when am I going to go and say, hey, I don't want to trigger my things here, but, I say Alexa or Google or Siri,  when are they going to that natural language kind of input going to be able to infer, what I'm trying to do? And then how does it help me get access to what I need right now going forward?

Luis: I think what we're seeing in the AI that's not necessarily over hyped is you could apply A.I. with in the product to simplify tasks.  Repetitive tasks no longer need to be manual. There are things inside the product that or are or made easier. Let's say. But the real value spans the product and it really creates spans outside the product that creates new product categories. So we're seeing the opportunity for integration between behavior analytics and identity governance, where identity governance tells us who has access to what. And now we have to start caring about what people are doing with that access. So there is a whole new shift that involves identity, that surrounds identity, that's wrapped around A.I. and intelligence and machine learning that is going to force us to re-evaluate our organizations that say, OK, I had identity over here and I had seen in behavior analytics over there, these teams need to collapse or at the very least, they need to start speaking to one another, which somewhat reminds us. Remember when you said you got your strike team formed?

Yeah, I think this this is happening again. And I think it has to happen.

Jeff: Obviously, maturity in the space as well.

So products need to find some way to how do you make do either get more value out of that or explore new avenues of revenue, other ways to get feet in the door to fix security, things like block chain. Everyone's been watching, for IAM I'm still not quite sure where that’s going to be very applicable. Enterprise situation, I understand the benefits. You've got your distributed ledger, etc. But how does it fit in IAM space beyond just a management of an identity. You know, that's maybe more self-sacrificing things.

Luis: Well, I think that's yours and Jim's job, Right? That's what's so interesting, because we sit somewhere between the vendor and the client.

Our interests are aligned with the client. Always what the client expects for us is to push them or pull them or help. Really evolve, right, and improve.

So once you're doing that, you're not no longer doing meat and potatoes, you're really encouraging people to progress. So in that sense, we're moving towards the vendor, yet we're looking at the vendor and looking back into the customer saying, well, we've never seen that done before.

And I think that that's really our biggest value proposition from an advisory and consultative perspective, executions, huge. Chad Wolcott runs our services, his teams and screwing it in. It's like the two people you gave a shot out to. That's the super hard work. But I think our jobs also are extremely valuable to say. Yeah, you know what? I don't really buy that. I don't really know, if that's going to work. But we can try it and we can mitigate risk. We can do it in a pilot. But we're not just going to sell you that hook, line and sinker.

Jeff: I think you probably start to close it out here. Jim, do you have anything that you want to add?

Jim: It's just the thought that I was having is you guys were talking about that. It seems to me that one of the areas where, Luis identified the A.I. piece as over hyped. I think it might be over hyped from the standpoint of whether or not it actually gets a foothold. But in terms of the promise of what it could deliver. I think that's the biggest threat to organizations, is that they won't even know when they're breach. What the data is there. I mean, all these systems are being log.

It's just you need the technology to piece it all together and put it on a dashboard to someone to say, hey, something fishy is happening over here more to finger some automated action to disable accounts, things like that, potentially either identifying or preventing data breaches before they occur. So I feel like the promise of where, the identification of this is a potential solution to the main problem that we have. I don't think that's over hype of whether or not the technology of user behavior analytics really ever gets there. The thing that I've found that I think holds back technology is really succeeding is any kind of lack of standards. So if the smart people or the big leaders within the industry come together and form a group to set a standard like the Samwell Standard or SAML standard, and there are lot of examples of those standards that haven't been nearly as successful as the ones I just mentioned. However, I feel like that could potentially help drive things, products build around those standards. Then companies have an easier time adopting them.

Luis: I agree. I think the technology's there, right.

And it goes back to the same problem we saw with identity is that, we work a lot with Exabeam a great friend of our great friends of ours. We pick them to integrate with SailPoint because a phenomenal product, phenomenal team. But the experience in the end user is what the use cases are? What are the data sources we're going to bring in? And then the intersection of Exabeam and SailPoint, what are the use cases? What how can we leverage its extremely powerful tool?

So I think it's organizational and the vendors push and lead the way. But, you know, I challenge our friends out there. They're doing the hard work in the IP teams and the security teams, the practitioners to really consider. And they don't have time to do it, but to consider how can we cooperate with these other people?  and how can we get our processes together, how can we make these different tools all a part of our program. I know we're wrapping up. But I'll just say, along those lines is an example of that is pretty much everybody owns M.F.A.... Everybody owns a PAM tool, everybody to some degree kind of has it IGA tool, AD tool like the rule server or Oracle identity manager. The challenge is how are we going to integrate those into our processes and how do we tie all those things together? And I know that's what you guys struggle with and that's why I'll end my piece here where I started it, which I always have a great deal of respect for you guys that are customer facing in the account, challenging and helping people move forward.

I think my job's a lot easier.

Jeff: I agree. I go back to Jim's point is not close out here in a second. there's just so much data out there that's just not being used.

I think AI definite can help with that. There's an old saying and I have no idea where I heard it or when. But there are two types of companies. There's ones that have been hacked and the other ones that don't know it yet. It's just there's it's just the way it works. So I think with that, we'll go ahead and wrap it up here Luis totally appreciate your time. Being able to have a conversation like this is great. I hope you come back.

Jim: Thanks, Luis.

Luis: Hey, guy, it's a privilege, just for the record, this Friday at 4:00 p.m. and, sales guys about this time of day on a Friday. We start wondering what we're doing here in front of a laptop. But to me, this was great. And thank you guys for having me. Have a great weekend.

Jeff: Appreciate it, thanks for listening. Take care.



Jim McDonald & Jeff Steadman

Jim McDonald & Jeff Steadman

Jim McDonald is a professional with over 15 years leading teams through business-critical technology initiatives. Technical Strategist, Leader and Champion of Change with history of crossing organizational boundaries, cultivating strategic alliances and building consensus and alignment among diverse constituents to leverage IT as strategic asset and deliver solutions that rejuvenate and advance global business’ financial performance. Also as part of our advisory practice and with over fifteen years in the identity and access management space behind him, Jeff Steadman helps develop realistic IAM strategies and provide vendor agnostic recommendations to move the needle on IAM maturity for organizations large and small.