Let’s talk about digital identity with Petri Heinälä, Security Offering Architect at Fujitsu.

In episode 85, Oscar is joined by Petri Heinälä who’s aim is ‘bringing digital identities closer to businesses and real life’. In this episode Oscar and Petri explore the importance of organisations understanding and embracing digital identities and identity solutions, including what needs to be considered when investing in identity solutions, how a lack of understanding can put the project and company at risk, as well as discussing how to get businesspeople more interested in identity.

[Transcript below]

“Because people are part of the business, so are identities.”

Petri Heinälä

Petri Heinälä works in global Fujitsu as Security Offering Architect and his area of specialisation is Digital Identities. His aim is to bring Digital Identities closer to real life and businesses with common sense thinking and talking less technology language. He noticed throughout his long career that the only permanent thing is change and understanding that has helped Petri keep up with the development and changes of life, business and technology.

Connect with Petri on LinkedIn.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to our YouTube to watch the video transcript for this episode.

Let's Talk About Digital Identity
Let's Talk About Digital Identity

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.

Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Come and meet the Ubisecure team at the Gartner Identity and Access Management Summit, in London, on the 6th and 7th of March. To find out more, take a look at the Ubisecure events page – https://www.ubisecure.com/events/.

Oscar Santolalla: As our slogan says, the podcast Connecting Identity and Business. We know very well the importance of putting ourselves in business people’s own shoes when we discuss both the challenges and solutions in this identity world. So, today’s discussion is going on deep dive about that. And we have a very special guest who is Petri Heinälä. He’s working in Global Fujitsu, a security offering architect, and his area of specialisation is data identities.

He’s trying to bring other identities closer to real life and businesses with common sense thinking and talking less technology language. Petri has noticed in his long career that the only permanent thing is change and understanding that has helped him to keep up with development and changes of life, business and technology. Hello, Petri.

Petri Heinälä: Hello.

Oscar: Great having you here. So, let’s talk about digital identity. Let’s start hearing about yourself – about yourself and what was your journey to this world of digital identity?

Petri: Yes, I’ve been quite a long time in the IT industry, over 25 years in Fujitsu and I have helped multiple other industries with technology solutions during that time. And I started as a software developer and architect and then step by step, moved to service and offering development. And also, during that time moved from the local level to the regional and now global level.

The meaning of security and identities has raised dramatically during that time. And in early days in my career I, when I developed banking ATM software, I learnt that the user experience is everything and there is a strong relation in security and user experience and users, and their digital identities have a centric role there. So, step by step, identities had a bigger a role in my work and I have learnt more and trying to share my learnings to others now.

Oscar: Yeah, excellent. So, starting from developer, so a very technical role of course. And now we are going to discuss about business, the business side of this world of identity. So, I imagine a big shift through, through the to these years.

Petri: Yes, yes, yes. Very big shift. And when I talk about learning – so, there have been the failures also, more than the successes.

Oscar: Oh, yeah, I’m sure. Definitely. We want to hear more about that. So, when we discuss – why are digital identities important for organisations? In organisations, we normally think of businesses, companies, but it goes beyond that, as you know, sometimes government, can be education. So yeah, what would you say?

Petri: My learning opinion is that digital identities are part of pretty much everything and should not be treated as a separate work of identity. Even the podcast name is the word – Let’s talk about that. But I think they are part of everything. So, people, processes, and data, are the elements of almost every business function. But what we have – it was earlier people process and technology but nowadays we have to understand that business is more data driven than technology driven.

Technology is a business enabler and underpins people, processes, and data. Digital identities represent people in digital world and today, when our businesses are more and more digitalised, identities play a very important role. For example, how our customers and partners experience our business. How our employees experience their work. How smoothly our customers and employee’s engagement processes are, how we onboard them in our business and how we know our business stakeholders and enable access to them and how we ensure that outsiders can’t have access.

So, for example, these kinds of things are included in that. So, I like to keep this message as simple as possible and avoid technology jargon and unnecessary complexity. So, I say that identities – because people are part of the business, so are identities.

Oscar: Yeah, exactly. Identities are everywhere. Yes, and you say there should not be distinction that – this is correct. They are so – well I’ll call it embedded, into any process, any business, any, anything we do today. If we see from the perspective of organisations, when they need to invest. Because at some point someone will tell them, someone typically come from the IT or compliance a bit more technical side, that yeah – I need to invest in identity solutions.

So yeah, what organisations need to consider when investing in identity solutions?

Petri: Like everything else, I like that top-down approach. So, in other words holistic approach, is a good starting point. So, we’ll need to ask what our main drivers are if we invest. What we’ll want to fix or improve – is it customer user experience? What is the solution coverage – is it all customers, employees and third parties? Do we want to improve and enhance productivity, or improve security and compliance, or something else?

What is the, our main driver, what we want to do and could be the multiple of these. Then we need to find the balance between those things. For example, sometimes, user experience and security improvements are not going to get there in the same direction. So, that makes things more complicated.

So holistic approach helps us to avoid investments, to point solutions that won’t integrate easily and cause more harm than the benefits in the long run. So main thing what I want to rise is that holistic – see the big picture.

Oscar: Exactly, yeah. See the big, exactly. When investing identity comes to the table, will think of a holistic way, right? Not only trying to solve – trying to believe that it will solve a specific thing in the in the organisation.

Petri: Yeah. Yeah. Because identities are everything, everywhere. Those integrations are needed before the identity solutions. So, that means that – understanding the big picture and what the business drivers are and so on.

Oscar: Exactly, and now how we make that businesspeople from organisations, get interested in digital identity. So, what is needed to get their interest?

Petri: I like to keep the discussion in a practical level, because the businesspeople are not interested about the technical details. They are interested to, how we can help their business to success, to be more effective and profitable, to be more resilient and trusted. In the eyes of their customers and perhaps the owners of the organisation. This sounds simple, but it’s not that simple, in fact, in practice.

So, quite often the technology vendors are using huge amounts of money to make their brand and technology known in the markets. That’s very, very understandable. It easily drives a discussion in technology level I like and themes like zero trust, identity governance, or privilege access management, etc. So, these themes have multiple acronyms we are using, are not so familiar to the businesspeople. So, if we talk about like technology jargon, we put them in the, outside of their comfort zone, and they lost their interest easily.

So, they need to start the discussion in very high level, find out what are their pain points in their business. Very often these pain points are identity related and then we can focus on how we can help them. So high level and then drill down through the pain points, that are identity related solutions, how we can help them.

Oscar: Yes, it’s true, is all you say. Most of, so many technology companies that are building the products, and others who are integrating the solutions, are talking about in this jargon. Talking about the acronyms, as you said. The trendy words like zero trust, for instance, or many others that come and go. And it’s kind of like, the battle is there, in that language and the battle is there. But very few people, I think, speak in a business language, right. Okay, what are the business benefits or those innovations, because of course innovations are necessary. But I think few people are speaking in the language that businesspeople would understand.

Petri: Yeah, and I think that the trying to find those pain points, what’s the everyday problem in their business and then figure out, how – with our technology solutions and a consultancy, how we can help them to avoid those problems and to improve their processes and business.

Oscar: Yeah, exactly. So how should we speak identity to businesspeople? You just mentioned starting with a pain point, so that’s how you would start a conversation? Or what else is good for speaking identity to businesspeople?

Petri: Normally I start with a story that way – why identities are important, so they understand the relation, people and identities and that, what digital identities are, what they represent in their business. And then practical things, how you feel that your customers built your business? Do you have escalations or reclamations a lot? Or what kind of feedback you have got from your customers, from your employees? New employees, how they got their – when they started the organisation, how they got their credentials, and was it the easy to log in and start to work in the organisation and so on.

These kinds of practical things and then see how, fixing those possible problems, what is the effect to their business? How much they save money, how much they improve their customer experience and get them more business and better reputation in the market, and so on. This kind of discussion.

Oscar: Yeah, indeed. I think it’s a good approach to, to start good questions, simple questions, as the one you mentioned. You mentioned, what the customer says, for instance, and when they communicate to the customer service department, for instance. That’s already super valuable. And how the newer employees, the newest employees, they find it easy to get onboarded into the organisation, so that already could tell a lot. How things are, in terms of their internal identities in that case.

If you could now share some stories, some concrete examples, personal stories, or you have heard some examples in. For that lack of understanding of digital identity can really put in risk, not only one project in particular, but also, as you mentioned, see in a more holistic way, the whole organisation, the whole business. Could you share some, some examples.

Petri: Yeah, I have a couple. So, one example is that if the organisation is doing the investment from security and compliance perspective only. So, for example, organisation invests into privileged access management solution, but they administrators and maintenance people are using – should be used, but the reason to invest, was that they had a compliance requirement. So, they need to have at that control – who is accessing their systems and infrastructure, and investment was made only from that perspective. So, they deployed from very quick, strictly from security and compliance perspective and then in paper everything looks good.

But people who need to use that privileged access system, administrators s and maintenance people, were not informed and trained and they couldn’t access to the needed assets. They did maintain easily, because of these delays when they are accessing or they even lost, their access. This cost the service breaks and other incidents, but these maintenance people couldn’t fix, and these service breaks then affected directly to the business and their customers. So, these kinds of examples have been in – for example, in the financial sector. So still from security and compliance point of view, everything looks good. But admin people need to find a workaround to do their work and then this, very expensive solution, was bypassed.

And they continue to do their work as earlier. And then their unused solution they waste the investment, and they still have a same security and compliance problem. Additionally, they caused the business losses, because the service breaks and so on. So, this is a quite common example of how if we do the investment from the one perspective, like in this case security and compliance.

Oscar: Yes, that’s definitely a very good example, because yeah, it might feel that is the right way to do it. Right. So, you got the requirements from IT, Security, it comes from compliance. It sounds reasonable, we need to invest in that, good technology. Then make the investment, but yeah, forgot to make this holistic approach of involving everybody, who. Yeah, many more stakeholders who might be, of course not the whole company might be involved, but many more teams or organisations inside the company.

Petri: True, and then a second example is that we invest in a point solution, that cannot be integrated. So, for example, one part of organisation has immediate need to manage subcontractors’ identities and they buy the solution for that part of business. So, they buy the separate solution for that and fix the problem. And little bit later, another part of business solves the same problem with a different solution without talking again to each other. Then the organisation, for example, consolidates their internal services and they released a common service for all business parts. And it could be HR or could be ERP or CRM or whatever. And then these two business parts should use the same service and also the subcontractors and then adapting this both point solutions to the new situation might be difficult or even impossible. Anyway, it causes the delays in operations and extra costs.

So again, communication within the organisation and the holistic approach helps here, to avoid these kinds of situations.

Oscar: Yeah, exactly. That’s another really good example, right, kind of – trying to try to find a quick solution from one part of the organisation. Without thinking at that time when the decision was made that, yeah, the whole organisation should have visibility. So, if someone else in organisation needs the same, well there is already a solution so.

Petri: Yeah. Yeah. And these point solutions quite often store the identity information in the one place and then there will be several places where the identities are. So, then the consolidation of those will be another project. So that would be the costly also to clean up everything.

Oscar: Yeah, absolutely, consolidating is costly, and it’s more time because there’ll be one project to do that, in order to get that done, and in the meantime, they’re security aspects right? Having more, more isolated data repositories, that is a bigger risk from a security perspective.

Petri: Yeah. Yeah. And also, the privacy issues are there and these kinds of things. Then I have a third example. So, quite often in the organisation they are thinking that, identities are responsibility of only one department of organisation and often that responsibility is given to the IT organisation. And the expectation is that IT solve all identity related issues on behalf of other parts of organisation.

Then IT people to their job from IT perspective and then it’s also often technology oriented, because IT people are technology oriented. And then to bunch the tender resources, then IT specific, and with those resources we cannot cover all needs that organisations have. So, solution will be optimised from IT point of view and for example, issues in employee onboarding won’t be solved without human resources engagement.

So, learning here is, that within organisation you need to involve all related parts and that responsibilities is a higher level, not in the one organisation.

Oscar: Yeah, exactly. Yes. Another good example this or this different really good example, quite simple and I’m sure they happen all the time.

Petri: Yeah. Yeah. That happened quite often. And when people think that technology solves their problem, quite often it makes their problem even bigger than it was in the beginning.

Oscar: Indeed. Because yeah, you will create a new project. New project to be done.

Petri: You need to start from thinking about the people, processes and data, and then technology helps to solve those.

Oscar: Yes, super interesting, having all this perspective from the business owner, businesspeople, as I said, own shoes. So, it’s an excellent reflection we have had. So, I will ask you finally, for all the business leaders who are listening to us now, what is the one actionable idea that they should write on their agendas today?

Petri: Hopefully this is actionable enough, but people do business with people. Your business, your customers are the most important thing. And second comes your employees and other people who works for your business. Focusing on their well-being in the digital world, will accelerate your business in many ways and create the many, many benefits and simple.

Oscar: Well-Being in the in general. I mean, in the physical world or as you mentioned, virtual.

Petri: Physical world is handled quite well, I think, that’s the important thing also. But the well-being in the digital world, and that means; how their identities are handled, how they get access and how they are onboarded, these kinds of things. And I call it well-being in the digital world. So, how they experience themselves in the business systems.

Oscar: Yes, exactly. Yeah, I agree. I haven’t heard the term – well-being in the digital world. So yeah, I agree. It’s something that the organisations have to help with their employees and also in their partner, customers, to have that well-being in a digital world. Well thank you very much Petri, for sharing this very important reflection and sharing your stories. Excellent, concrete examples, that we discussed, I’m sure have been very often. Hopefully less often, it’s less and less often nowadays. But yeah, if someone would like to get in touch with you or find you on the net, one of the best ways.

Petri: Yeah, if somebody wants to discuss about this, please contact me, via LinkedIn, is a good way to contact me.

Oscar: Perfect, let’s find Petri Heinälä on LinkedIn. And again, thanks a lot Petri, for this very interesting discussion and all the best.

Petri: Thank you very much to you.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episode at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.