Let’s talk about digital identity with Ian Yoxall.

In episode 58, Oscar talks to Ian about how far a tighter budget can get you on your Identity and Access Management (IAM) journey. Ian discusses the best approaches to steps prioritisation, avoiding scope creep when it comes to time constraints, how to preserve budget whilst maximising time-to-value, and considerations for a gated funding approach.

[Transcript below]

“It can’t be words. It’s got to be metrics.”

Ian Yoxall

Originally from New Zealand, Ian started Intragen in 2006 after working for several companies in the US and London. As Principal Consultant of Intragen, Ian has worked on many of the largest projects in the Netherlands and throughout Western Europe. With a broad experience with small and large-scale implementations, both in the private and public sector, he brings a pragmatic approach to problems that arise around identity & access management projects. Prior to joining Intragen, Ian worked for global infrastructure and security vendors and consultancies.

Connect with Ian on LinkedIn.

Find out more about Intragen at www.intragen.com. Intragen is a Ubisecure partner.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to our YouTube to watch the video transcript for this episode.


The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.

 

Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello, and thank you for [joining] the last episode of this year 2021 for Let’s Talk About Digital Identity. We are now talking about how to budget projects, identity and access management projects, and we have a very interesting guest for that.

Originally from New Zealand, Ian Yoxall started Intragen in 2006 after working for several companies in the US and in London. As Principal Consultant and CEO of Intragen, Ian has worked on many of the largest projects in the Netherlands and throughout Western Europe. With a broad experience with small and large scale implementations, both in the private and public sector, he brings a pragmatic approach to problems that arise around identity and access management projects. Prior to joining Intragen, Ian worked for global infrastructure and security vendors and consultancies.

Hello, Ian.

Ian Yoxall: Good morning. Hello. And how are you Oscar?

Oscar: Very good. Nice having you here, Ian.

Ian: It’s great to be here. Thank you for the invitation.

Oscar: Our pleasure. And please tell us a bit more how your career, your life led you to this world of digital identity.

Ian: Right. Well, yeah, that’s a long train wreck of a story. So let’s start off. Originally, I started in consulting as a DBA working for the various database vendors in infrastructure, and then moved across into business consulting, still with an infrastructural angle and infrastructural projects. And one day I arrived in London and sort of fell into banking security. And after that, I dropped into the gravity well that became identity and access management. And once you start down the career of identity and access management, you can’t escape. That’s it. That’s the end. Yeah, you can’t go anywhere else.

I think one of the things that attracts people to stay in it is it’s got a high failure rate. I have a personal hobby of flying, and when you fly a plane, nobody expects you to do everything perfectly, but it’s about making fewer mistakes and reducing your risks. And with the rapidly evolving industry that we’re in, it attracts plenty of bad actors. We’ve seen just recently the Log4j issues that have come up. And already that’s been weaponised and deployed very, very quickly. So when you’ve got bad actors who are so willing to try and make a profit here and attract businesses it’s an interesting field to work in.

Oscar: Yeah, it is definitely. It’s an exciting place to be working in these days, right? There are so many things happening, good and bad, of course, and that’s why we are here to solve the problems.

Ian: Exactly, exactly. And it’s that engaging with businesses to help solve those problems that makes it such an exciting field.

Oscar: Absolutely. I know that Intragen works in several industries, education, we are doing projects together in education, but you also work a lot with SMEs, so medium businesses, not known as large corporations, or some of these who are becoming, but still not there. And often we talk about all the capabilities that advance identity and access management have, everything you can do, but of course that costs money. If there is unlimited budget and time, you can, yeah, achieve everything that the brightest minds of identity have delivered until now. But how far you can go when you have more tighter budget, you don’t have enough budget, but you need IAM? So what would you say about that? So what – with some organisations listening to that in, “Yeah, we need IAM but the budget is tight. What can we do?”

Ian: Yeah, great question Oscar. And it’s something that we try and engage our clients with on a regular basis, is saying “What sort of budget should you set for the upcoming budget period?” And I think it’s – from a CFO perspective, you don’t want to be throwing money away, but you do want to be covering risk from the CISO perspective.

Let’s take the hospital sector. They want to set a budget that delivers as much patient care as possible, but you can’t ignore the cyber threat, whether it’s fines or whether it’s payments that they’re making to unlock hospital systems. There has to be budget spent here because it’s going to be spent either for the bad actors or preferably to defence against the bad actors.

When you look at a lot of projects in the space, they generally will set themselves a relatively large scope and that they’ll have a budget and a timeframe of years. And we fundamentally feel that that’s not a good way to go. Think, what’s the fastest time to business value? So when you’re replacing the old infrastructure, and it might be that you’ve got an old identity management or access management system. Everybody has one. It’s just a question of, is it automated? Is it good? Is it ugly? Or what have you.

And if you’re doing a rip and replace type project, often the question is, OK, we just want it to do whatever the old system did but then against that, when are you going to get new business value in there? People want to see business value enhanced and more engagement, particularly with end users to make their lives easier. So if you turn the question on its head and say, “Look, I want to get some really nice goal. How do I get there? So what’s my first step? What are the big rocks that I need to put together my whole project breaking those big rocks down?”

So when we take access management, probably the first thing you want to do is make sure everybody loves you. So that’s going to involve making sure that the SSO elements, and the easiest SSO elements are there as quickly as possible. So you’re going to need an MVP, a Minimum Viable Product of your infrastructure around access management, getting the user datastore sorted, and then looking at all the web apps that you’ve got in the landscape. Take the ones that are best suited to the technology, take the business owners there that do want to engage and deliver that.

That small budget – that small initial success will create a bigger ripple effect for the organisation, whereby more business units and more applications will want to engage. And that’s what it is, by doing that, that small delivery, you tipped the scales, you’ve shown people what can be done, and you’re able to go back to the CFO and say, “Look, we did X amount of spend. And we’ve delivered this level of improvement in security. And for example, we’ll remove passwords from 10 or 15 applications, improving people’s productivity, making them happier, and enjoying what you get with SSO and multi-factor authentication.”

Oscar: Yeah, as you said, minimal viable product in which you mentioned, I think it’s mostly, well, two main features: single sign-on that is the basic, basic has to be there, and yeah, replacing passwords with some type of multi-factor authentication. So those are the very basic that you think has to be always in mind.

Ian: Absolutely, because if you start, I mean, it is the one thing. I just had my family, and we have, we all have devices here. And you know, whether it’s our Wi-Fi passwords, whether it’s the email addresses for school, whether it’s their – getting into the home network, or what have you, they all have different usernames and passwords. And even in my own home, this is something which falls for some reason under my responsibility.

And users who have 5, 10, 15 applications, they don’t really love security. They want to get on with the job. So if we’re able to make their life better, we’re going to affect organisational change. And really, looking at security, it’s not about the zeros and ones, it’s about that organisational change. And you’re only going to be able to do that if you can make people’s life easier.

If you’re going to make it easy for end users to log on with single sign-on they’ll love you for it. Likewise, if you’re an administrator and have access to privileged accounts, if you can use multi-factor authentication, and the same multi-factor authentication for many applications, or step-up authentication, it’s going to make your life easier, not harder. And that’s what we want to be doing in security, improving the security level and making it easy.

And I see passwords as being the one thing that you ask anybody in the street, “Do you hate your password?” And the answer is yes. And of course by proxy, that means that they hate the security team. And it is kind of annoying when you have a project and nobody wants to sit with you at lunch. So we’ve got to make their lives easier and make them want to engage.

Oscar: Yeah, absolutely. And I can imagine, I’m sure you know better how many organisations already at medium level, not so small, don’t have SSO or they have – yeah, not sufficient, maybe they have, if a software just a couple of their systems and all the rest is not covered.

Ian: Exactly. And on that I have a little follow up thought. One of the things that we try and do is make it easy to decide what to do and how do you prioritise these projects? So normally, they’ll say, “Right, let’s take all of our applications.” “Well, do you really want to start there?” So what we try and do is say, if you start colour coding your applications, and say, “I’ve got black applications, which are super-secret, I’ve got red ones which are finance, and I’ve got green ones, and yellow ones, and purple ones, and blue ones.” And you put them in buckets that way, and then you’re not trying to cover your whole landscape.

And what you can report back, as you engage with those businesses, you can report back and say like, “We’ve covered all of our red applications now, all that stuff, which is in the cloud, or on a web server internally, we now have it 100% secured.” And that is something which you can report back to the board. And they get an insight into saying, “Oh yeah, we’ve asked the security to step in, they’ve come back. And we now know a definable metric that would actually improve our security.”

Rather than say, “I’ve done 20 applications out of 400.” If you do that by colour coding, that in itself, it makes sense to people. If you say I’ve done 20% of my applications. Well, is that good? Is that bad? I don’t know. So knowing what good looks like and using that colour coding system, even for something as a simple step, such as SSO, this is a great way to communicate and engage users.

Oscar: Yeah, I believe that sounds more tangible and easier to explain with someone, let’s say the IT manager of that company has to convince people, others in the company with, this is important. Yeah, it’s definitely a good way to continue the conversation.

Another thing that implies money indirectly is when time goes long. You plan one IAM project or any project, let’s say for six months, and it goes longer. And that means more money. So how would you go about running over time on an IAM project? I’m sure you have a lot of interesting stories to tell.

Ian: Yeah, sadly, both good and bad. You know, every project is always going to give you a new set of challenges. And how do you deal with those challenges? Now, there’s a great quote from the British naval historian and author, Cyril Northcote Parkinson, who said, “It’s a commonplace observation that work expands to fill the available time for its completion.” You know, if you ask somebody to tidy their room, and you give them, I have children so if you give them two hours to tidy their room, they’ll take two hours. If you give them 10 minutes, they’ll do it in 10 minutes.

So how do you again, not just looking at budget but on time, how do you do that with identity and access management projects? I think there was a good report from Gartner a few years back saying that the number one killer of these projects is scope creep. And it’s very, very difficult to rein that in, because there are always things in every project that creep up. So you’ve got to have first off exceptionally strong project governance, not just on the project manager, on the project sponsors, and communicating that.

Let’s say you do increase the project scope for a very good reason, then there is still going to be a delay and will be perceived as a delay. So whether it’s doing things such as saying, “Well, this is the MVP core, and then MVP extra, any way in which you can separate that out and do it as the next step, in the next follow up, absolutely needs to be done.” Because something we talk about is losing the coffee corner argument, where people will talk about a project and about the perception of the project, and particularly around security where even when you’re taking…

Let’s take the passwords example. Up to now people have been using 10 passwords and they knew their 10 passwords. You’re going to replace that with single sign-on. It’s a change. Nobody likes change. And if there’s something that goes wrong, and generally something goes wrong in all projects, they’re going to blame the project. So it’s very important to take small bites at a time, you know how do you eat an elephant? One bite at a time. Small incremental steps that deliver business value for each step and resist the temptation to increase scope. Put that into a tomorrow bucket. Always find a way to define a separate list. And that’s one of the reasons why we really like doing projects in an agile manner.

Again, looking at – let’s take access management. It’s very relevant. You’re going to need to have the relevant service set up, that core infrastructure. But that’s a relatively small part of the project. What’s going to take most of the time in the project is getting the application factory to onboard applications. And by doing that in sprints saying, you know we’ll do five applications this week, or 10 applications this week, depending on how big your factory is, you’re able to deliver business value quickly, and show people that it’s actually progressing.

You can increase the size of the factory by turning the tap up or tap down on funding. And by delivering value in each sprint it’s tangible to the business. They actually get to see from a risk perspective that the attack surface is reduced, you’re reducing costs because you’ve got fewer password resets, and you’re making everybody’s life easier. So step by step, as long as you’re always delivering business value, instead of doing it in three months increments or 12-month increments.

I was talking to a project a few days ago, and they’ve been doing a three-year phase so nothing would be delivered for three years. Now, I don’t know about you, but I can’t remember anything for more than three weeks, let alone in three years. So that sort of approach, we’ve got to move away from these big projects. And let’s be honest, a lot of consultancies like to work this way because it’s got a big budget attached to it. It’s, you know, you can put a lot of people on, it’s very easy to plan resourcing that way.

But it doesn’t really work for clients. And I think we as an industry, we need to make sure that we’re making our clients’ lives easier, not harder. Because the projects do go on, they do become business as usual processes. There will always be new cloud applications coming along. You want to make it trivially easy for the business to say, “Oh, I’ve gone and added a new cloud application. It just came on. It’s fantastic. It does everything we want. Can you tie that in to SSO?”

If that takes you longer than a couple of business days to engage with them, plan it and get it done, you’re doing it wrong. And I think that’s one of the values that companies like Ubisecure bring – standards-based ways to onboard these applications and really integrate the security. I’ve seen so many data breaches from luckily ex-customers, but still they’re data breaches that caused millions of losses and damages, where these orphaned accounts don’t get picked up. And with cloud computing, which is fantastic and great and enables businesses to move quickly, if we as IT security can’t make sure that we’re enabling the business to choose the applications they want, and onboard them so that we’re taking away this problem, we’re really not doing a good job if we can’t do that in a fast and easy way. And make sure that those sprints are done quickly.

So how do you dot on the horizon 100% coverage? Make sure that every single quarter or whatever accounting period you’ve got where you’re reporting progress vs budget, you can actually write down tangible business benefits. And this is what’s been going on. The board needs to know that things are working. And it’s up to us to do a better job of explaining that.

I see a lot of reporting up to the board on these projects where people say the project is now progressing through phase one. But what does that mean? If we can say we have taken out 30 business critical systems and made sure that then there are no simple passwords to be hacked there. They’ve all got password rotation on there, using multi-factor authentication. We’ve got encryption enabled via a single SSO access. This is the kind of stuff that they can say, “OK, I understand that. I can see why we’re funding these things.”

So yeah, sorry about the big rant there. But getting that corporate governance risk framework to match what we’re doing in security, it’s really important to have those communication so that people can see yes, it takes time but that during each of these cycles and time, it’s fixing things and it can’t be words. It’s got to be metrics.

Oscar: Yeah, exactly. Yeah, you mentioned scope creep. So that one of the main… yeah, potential cause of problems starting – trying to start with too big scope, trying to put too much and that will very likely become longer and longer. And as you said, getting this what you call the sprints or phases in which you get results, that’s absolutely great.

You mentioned for instance, reporting to boards. So now we’re – if you think of smaller companies, less regulated companies, mid-market companies, organisations that they also are building products or services for their customers. Yeah, how they can – with the investment they are doing – maximise time to value for the services they are building?

Ian: Yeah, good question. So when I started this a long time ago, back when my hair was a different colour, it was all very artwork to put these projects together. I remember when the SAML standard started getting released. So this is the days before OAuth or what have you.

So the first thing is you’ve got to base your security vision on a standards-based product. So leveraging scalable products that give off the shelf functionality that matches what you’re looking for. So for example, you know, does it have a user datastore that can be extended to support the various needs you have? What’s the vision of the company? Does it match your own vision? Using these products that are well-defined and well-understood and have clear standards in them, they’re off the shelf. So it should really be a plug and play type approach.

I’m seeing more and more companies want to move away from bespoke development. They want a roadmap that lets them get to those things as… well, let’s take the Joe Biden quote, you know, he’s been talking about single sign-on and cloud computing and zero trust. So defining those components that, you know, you can’t buy zero trust. Defining those components, means you’re going to need to leverage scalable products off the shelf that can be tied together relatively quickly.

So yeah, that’s the first thing that says choose products that aren’t going to require a massive amount of customisation. And I think some of the organisations that we’ve seen have taken a gated funding approach to say, “Well, here’s a ton of money, go and do X and go and do Y and go and do Z.” You learn as you go along on these projects. Every organisation we deal with, it has a vision on security but as you engage with the business, you discover a whole bunch of issues and challenges that are different. And the company’s vision of what security looks like, and what good looks like will change very quickly.

I’m dealing with a customer right now, who’s about to start their project in January. And they’re clinging on to the belief that they can know every problem that they’re going to face for a two-year project on day one. And the short answer is, just can’t do that. So taking a more agile approach, understanding that you don’t know everything that will be, there will be hiccups. It’s just a safer, easier way to go because you can’t know everything around these spaces. So whether it’s, we talked about the profile database, do you know you’re going to need that? Well, in which case then make sure you’re going to choose a product with that. But there may be other aspects you don’t know yet. So be prepared for those unknown unknowns.

Oscar: And who, as I said, in SMEs, in a medium organisation, who, from that side, from the customer side, from the organisation side, who would lead this project? Who is the best person to lead this project?

Ian: Yeah, actually, I’m about to head to a meeting to discuss that. So it’s important, you’ve got to define your stakeholders fairly widely. So of course, IT has a role to play in here. But it can’t be an IT party. That’s the sort of guarantee of failure, I guess. Failure is a strong word, but you’re only ever going to get an initial deployment within the things that IT sees. And IT has a very narrow focus of the business. So it’s important to get – people will say, engage with the business. Well, who is the business?

Whether it’s finance, whether it’s whatever operational units you have that do whatever you do as a business, engage with them, understand their problems. What are the 10 things – if they’re logging on 15 times a day, if they have a problem with people getting access, what are those things? You need to engage with those people. If they’re not with their hands in the steering committee, it’s going to very quickly become a pure IT exercise and that’s, you know, an academic thing which will deliver a project, but it will be, if you will, a successful failure.

You need to engage with the heads of business. If it’s a bank, talk to the head of trading. If you’re talking to a hospital, you want to be talking to the heads of department of the different areas, you know, in radiology or what have you. You need to be talking to those people, what are the real things that happen in their day so that you can match things up.

Oscar: Yeah, so it sounds like, there’s not only one single person in the customer side, so this is going to be you as IAM vendor of consulting, selling the solution, the full solution had to convince several of these persons including IT of course to join forces.

Ian: Yeah. Exactly. And getting that ownership of the systems, who then owns that core infrastructure? Should it stay with IT or should those business processes belong somewhere else? I mean, one of the things, whether you’re looking at customer identity and access management, you know, marketing has a huge role here. And it’s important for them to understand what the user journey is, and what we’re delivering there.

I know we’ve all had that experience where we try and buy something online and you know, it’s like, I want your date of birth, and you’re buying a pen, or whatever it is. Like, why do you need to know my date of birth, if I buy it? Make the buying experience as simple as it is when you go into a shop. You go into a shop, you get something off the shelf, you walk up to the counter, you do a financial transaction. Is it really essential to capture all that information of the end user? Make that the easiest, happiest process ever and you’ll get customers back.

Just this week, I was… rather in the run up to Christmas. I was buying things online. And in some of the customer identity and access management sites I was at, were so painful, I just closed it down. I’d already picked everything, put it in the basket. So making sure that you’re engaging with the stakeholders who are going to be using whatever security system you’ve got in place is fundamental.

Oscar: Yeah, absolutely. And we also know that some organisations already have the policy of a gated funding approach for most of their projects, including IAM, that could be one of those. So what would you say about the gated funding approach? What are the problems you have found? And how organisations who are into this have good results?

Ian: When you look at projects, people are obviously very concerned about this scope creep issue. So they’ll try and define a fixed scope with a fixed set of deliverables, with a fixed budget. That sounds like a good idea. However, you’re always going to, you know, and when you baseline that plan, it all looks great and you start on day one. But whether it’s on day two, or day 10, or day 50, there will be changes come along. And how do you then account for that? Do you want to do exception reports, request for additional budget, and so forth?

So you can control a project that way. We find it’s a good approach. But it’s not the best approach. It tends to lead to waterfall type thinking and thinking that there will be a deliverable and then the project will stop. And as we know, security never stops, it becomes business as usual. So whilst it has the best intentions, no project ever completes the scope exactly as it was set.

So then designing a project with a minimal viable product for infrastructure, and then moving quickly to an agile based approach, where you can have a backlog and then vary the pace of the project according to funding, so you’re still controlling the spend. But the deliverables, again, are, this is what we delivered for this budget. We’re learning as we go, and our understanding of the IT security landscape and how it engages the business is evolving as a company.

There isn’t a company out there that wakes up and says, “I’d like to do identity and access management now.” No. Well, we do because that’s our business. But every other company out there is trying to do some other business problem. And they’re trying to solve that for their customers and their employees, or whoever the stakeholders are. And to get that thing delivered, they need to do identity and access management. So then they come to us and are looking for us as the experts in the field for what’s the best approach.

So again, buy a package, leverage what’s in the package, deliver the minimum viable product, learn as you go, educate the business, and it’s about effecting organisational change. And that can have a budget set, but understand that it will vary and you need to make sure you have good progress reporting, good dashboards on what has been delivered, understanding the key metrics around identity and access management. Maybe it’s about how many fewer password reset you’re doing. Or, again, we talked about what scope of systems are covered? Are all the red and yellow and green systems covered? Rather than just saying, you know, “70% of our applications.” What does good look like? We don’t know.

So again, we need to educate people on what those KPIs and measures are, what they need to do to find their big rocks, put the dot on the horizon, and then say, “We would set a budget of around this amount, but monitor progress versus budget, increasing the velocity of a project by adding more expert services in or decrease your spend and your velocity to stay within the budget you need to do.”

We saw the zero day attacks come out with this Log4j. Obviously, people would have been very busy that first weekend, getting all their engineers to start scanning all their systems and patching everything as quickly as they can. That’s going to have a big impact on budget. You can’t know these things in advance. So you have to be able to turn the tap up and down in response to the environment.

Oscar: Yeah, excellent, excellent. Definitely. Very, very tactically important what you said the importance of reporting, knowing the status and yeah, going step by step, sprint by sprint, being agile as you said.

Ian: When we moved from passwords ourselves, because we were originally we had a little, well, data centre is a strong term for it, but we had a room full of computers. And then we moved to 100% cloud, and then you know, with a complete SSO and MFA solution as well. Getting the base infrastructure in place didn’t take long. What took a long time was tying all the elements together. So being able to report on that we know we’ve eaten our own dog food. We know the challenges clients have. So we have a lot of sympathy, and understand that you can’t pick up everything on day one.

So what’s the easy way to apply a budget to something and then monitor that and deliver that and show people that you’ve delivered it? If it remains a secret, it’s no use. If you’re able to evangelise that throughout the organisation, you’re going to get the organisational change you’re looking for. If you look at it from a security perspective, everybody talks about the X Factor. Today, the bad end user. Getting the X factor to understand, hey, security is not here to make your life bad. We’ve got to engage these end users so that they don’t run in fear and they do want to sit with us at the lunch table.

Oscar: Ian, final question for you. For all business leaders listening to this conversation we are having, what is the one actionable idea that they should write on their agendas today?

Ian: Talk to me. No, I’m sorry. Joking.

Oscar: Talk to Ian. Write down that.

Ian: Exactly. I’ve got all the answers they need. No, no. That’s a bit facetious there. So if there’s one thing that you need to do as a business, it’s have a plan here, have an actionable plan with actionable insights. So that’s going to comprise of a couple of elements. You need to know where you are. If you don’t know where you are, then you don’t know how far you’ve got to go. If you just say, for example, here’s a ton of money to go implement PAM or MFA or what have you, well, where are you and how has the landscape changed?

So you need an assessment of where you are now, which should take a couple of weeks to get done, measuring a number of aspects around identity management, access management, role management, PAM, and so on and so forth, business alignment. And then say, “OK, looking at these measures, which one item do I want to fix first?” You need to have actionable insights come from that.

And that’s the key thing I’d say, if there’s one thing having actionable insights in security that you can say, “I need to do X now.” Not in a month or in six weeks, because cybersecurity can be a nebulous problem. It can feel OK, I read another hacking story on what have you or that company had a data breach or what have you. You’ve got to have actionable insights that say to the CFO, allocate budget, that give the CISO something to talk about and say, “These items need addressing.” So the CEO can then make the decision, “Yeah, that’s good. Let’s go get those things done.”

And then with those actionable insights, what are the KPIs and metrics associated with that, so that when it’s delivered, you can show how you’d move the needle. Now that the needle’s done and you’ve solved that problem, go back to the list. What’s the next actionable insight? If you’re not able to prove that you’re fixing things, then you’re just spending money and people kind of wonder, what are those security guys doing in the corner there? They’re costing a lot of money and they’re – half the time we can’t even log on. You’ve got to be able to prove those actionable insights and the delivery of them to everybody in the company.

I was at a company recently. In the middle of the lobby, they have all sorts of dashboards on big TV screens. And I was happy to see that they’d now added the security dashboards on there as well. So people could see things going to green, lines trending the correct way, traffic lights being the right colour. That’s exactly what we need to do to show people. “Yeah, IT security is doing what it needs to do.”

So if it’s just one thing I have to say, I know I said a lot there, define actionable insights for your business that will improve your security posture and demonstrate that.

Oscar: Yeah, and that’s where, for instance, it could be in a visible place in the office. Yeah, that’s something that I like the idea of, what we were discussing today. Well, thanks a lot, Ian, for this very interesting conversation. Please let us know how people who would like to continue the conversation with you, how to find you on the net?

Ian: Well, yes. So please reach out to my LinkedIn profile, it’s an open profile. I’d love to hear from you. Whether you’ve got problems or you want to agree with me or disagree with me, always happy to engage with people. And I’d like to wish everybody a Merry Christmas and all the best for 2022 and happy security days out there!

Oscar: Thanks a lot Ian and for you, Ian, for everybody who is listening there. Happy New Year! Happy New Year 2022 and see you next year.

Ian: Thank you very much, Oscar.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.

[End of transcript]