Let’s talk about digital identity with Heather Flanagan, Principal at Spherical Cow Consulting.

In episode 74, Heather Flanagan discusses making identity easy for everyone – how to explain digital identity to people outside of the identity industry, why is it important for everyone to understand, and what the industry can do to improve the understanding of identity for everyone.

[Transcript below]

“If you talk to any identity professional, they will agree that passwords are one of the biggest, possibly the biggest challenge facing the industry. So how are we solving it?”

Heather FlanaganHeather Flanagan, Principal at Spherical Cow Consulting and choreographer for Identity Flash Mob, comes from a position that the Internet is led by people, powered by words, and inspired by technology. She has been involved in leadership roles with some of the most technical, volunteer-driven organisations on the Internet, including IDPro as Principal Editor, the IETF, the IAB, and the IRTF as RFC Series Editor, ICANN as Technical Writer, and REFEDS as Coordinator, just to name a few. If there is work going on to develop new Internet standards, or discussions around the future of digital identity, she is interested in engaging in that work.

Connect with Heather on LinkedIn.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

­Go to our YouTube to watch the video transcript for this episode.

Let's Talk About Digital Identity
Let's Talk About Digital Identity

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.


Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello and thank you for joining us. Today, we are going to hear from an expert in identity about – how from the perspective of, let’s say regular people, most of the people, who are not involved in the identity industry, how much they understand the identity, the methods, the technology and everything that we in this industry are building. So, we’re going to talk about how we can make identity easy for everyone.

For that, our guest is Heather Flanagan. She is Principal at Spherical Cow Consulting, and Choreographer for Identity Flash Mob. She comes from a position that the Internet is led by people powered by words and inspired by technology. She has been involved in leadership roles with some of the most technical, volunteer-driven organisations on the internet, including IDPro as Principal Editor, the IETF, the IAB as RFC Series Editor, ICANN as Technical Writer just to name a few. Hello, Heather.

Heather Flanagan: Hello, Oscar.

Oscar: Nice having you.

Heather: Thank you. It’s great to be here.

Oscar: Excellent. This is going to be super fun talking about how to make identity easy for everyone. Let’s see how our conversation goes. So yeah, let’s get started, let’s talk about digital identity. First, I would like to hear a bit more about yourself, please tell us your journey to this world of identity.

Heather: Oh, you know, very few people actually decide that “You know, digital identity, that’s going to be my career.” In my case, I have a liberal arts degree as a history major, and a library science degree for my master’s degree. I mean, I was supposed to be a librarian when I grew up. But as is often the case, once the person falls into tech, everything ends up touching on digital identity.

So immediately after university, I ended up working for the public research division of a newspaper that was just starting up an ISP. So, this was the mid ’90s, there weren’t a lot of experienced tech people to hire. And that ISP started hiring people who, you know, are you smart? Are you logical? Can you learn from a book? And there, as a sysadmin, I had to worry about creating user accounts and making sure that those users were able to access what they were allowed to on a system and only what they were allowed to on a system.

When I left the ISP, I went to work for a large software company where again, the fundamental reason for even having an infrastructure IT team was to make sure that people could access what they needed to across all the different computers. And this kind of pattern of you come in, you’re working on the infrastructure for an organisation, and it all boils down to do people have access to what they need? Is their identity set up properly so that it can do what it has to do online? That pattern just kept repeating for as long as I had any job that included operational responsibilities.

Oscar: So, you were supposed to be a librarian, you said. And then you are– in the mid ’90s, the beginning of the commercial internet, helping these ISPs, right? Internet Service Providers, so actually it’s a term that not many people use these days, you know, it’s like ISP is taken for granted, right? It used to be a big thing at that time.

Heather: It was. It was. The ’90s was a heck of a time. There were so few people who actually had computer science degrees. I think in the team I worked with, there was me as the librarian. I had Political Science majors, French majors, English majors, Math majors, I think we might have had one Computer Science person and he left early on because he could. And yet the diversity of that team was outstanding.

Oscar: Wow! Sounds very nice. And it looked like you just continued that path, making more step and you never came back. Yeah, fantastic, fantastic, the projects you’re working nowadays, and I know that at least in Identity Flash Mob we work a lot. Yeah, trying to make identity and other tech concepts understandable, easy to understand for everyone. So, I’d like to jump in and ask you how do you explain what digital identity is for a young person, someone who just entered, a college let’s say.

Heather: So, actually wrote a blog post on that topic on the Identity Flash Mob website called What is digital identity (and why should you care)? It’s interesting if you think about explaining this to a freshman in college, versus say how you would explain it to your mom. Because one of them is born digital, right? They’ve never lived in a world that didn’t have an aspect of them online.

And yet, I don’t think I would explain it too differently to either them if they actually asked. I mean, on the one hand, digital identity is the representation of you online. It’s your online access to your banks and your credit cards. It’s your account to your email provider. It’s your presence on social media. It’s your electronic information with your government. It’s your browsing history. It’s the details of your smartphone. It’s where your computing devices are in physical relation to others.

Just like different things make up your personal human identity, brown hair, blue eyes, a lot of different things make up your digital identity. And not everyone has the same characteristics. You may not have a smartphone, or you may not have a social media account, but you almost certainly have some other things that come together to make up what a digital identity is. So, it’s, I think, that kind of explanation, hopefully, bridges all different kinds of demographics, in terms of how techy someone is or isn’t, as the case may be.

Oscar: And what have been the faces after you give that answer?

Heather: Usually, minds start to explode a little bit because it’s a lot. There’s a field of psychology to try and understand the human mind and that field has been around for a while and it’s really complicated, and people get doctorates in it. Digital identity is actually also really complicated. As soon as you start pulling it apart to try and understand it, you realise that there’s a lot there to unpack.

Unfortunately, we’re still in early days, and unlike the field of psychology, we don’t have quite the massive of knowledge and understanding and research that has gone into it yet to make it something that you can study. There’s very few schools out there that actually have courses on understanding digital identity or managing digital identity or being careful with digital identity.

Oscar: Yeah, definitely. And yeah, you know what, it doesn’t happen often to me, at least, that someone, someone who is not in the industry asked me, “OK, what is digital identity?” It’s not that common. But the ones who, for instance, when I give an answer, you have given this answer, it was a really good answer, simple answer, that’s pretty good. So, some people get an idea of that. But beyond that, it’s good to understand what are the consequences, right, of having this reasonable understanding about digital identity for an– yeah, regular person. So, what could be the worst consequences of not really understanding enough the identity for regular people?

Heather: Oh, that’s a good question. And then I’m glad you qualified it with understanding enough because no one’s going to understand everything, you just have to understand enough. Because computers are absolutely everywhere in governments, in banks, in schools, in businesses, everybody has a digital identity. And if you don’t understand that, you don’t even know that you have to protect it. And if you don’t protect it, then people can impersonate you, to do all sorts of things. That’s something that we call identity theft.

There’s a big insurance company in the US called Allstate Insurance. They did a study a few years back and found it took over six months to recover from identity theft. Experian, which is a great big credit agency said that it can even take years, you know, six months might be optimistic. So, if you don’t understand that you have a digital identity, that just because you may not have a smartphone or you don’t have a Facebook account, you still do have a presence that you need to take into account and need to think about how to protect.

For me, that’s like the biggest single consequence. It’s the lack of awareness that it’s something that you need to protect just like you need to protect your birth certificate or your passport, or the keys to your house.

Oscar: Yes, exactly. Yeah. As you put it in concrete and visual examples, yeah, people the key, or the key for your passport, something that you would have it on your pocket very close to you. And if you would lose that, you definitely would feel like “Oh, I’m in big trouble, or I will be in big trouble if that happens.” So, the same way everybody should feel if there is a chance of losing the identity, well, not losing but someone takes over, there is identity theft.

Heather: Yeah, it’s hard to get back.

Oscar: Yeah, exactly six months in some cases, or you say that’s, that’s a lot. What can you do in six months without a digital identity, at least for the most relevant identities that you have, such as the government identity, for instance. Also going into the worst scenario, the worst consequences of not understanding well digital identity, but now the perspective of people who are directly and indirectly building digital services and this can be people, for instance, working in start-ups, in the government, in the health care. They are not necessarily the developers, the technical people but they are working, they are part of the extended team that are building these services. So, what can be the worst consequences of, again, these extended on to people who are working if they don’t understand well?

Heather: So, we just said that people suffer when their digital identity is stolen. But you know, businesses do, too. I was moderating a webinar just yesterday, where the speaker, Tim Cappalli from Microsoft said, “Attackers don’t break in, they log in.” That means, like the majority attacks against businesses come through attackers just logging in, using stolen account information.

If a business doesn’t have a handle on their identity and access management services, and the best practices for the security in that space, they’re going to lose so much money to fraud, just even more money to cyber-attacks. I mean, businesses often think of their IT infrastructure as being this cost centre, because it’s not what’s directly making the money. But wow, messing up that infrastructure can put a company right out of business, or at least put a serious dent into their net worth.

Oscar: Yeah, definitely, as you said, data breaches or just fix something, it can have a huge impact not only financial, but also in, well, reputation, et cetera, et cetera. And how do you see if, again, I ask you the extended people who work building these services, how much do you feel that an average project manager, an average designer is aware about digital identity?

Heather: Usually not very. I mean, this comes back to it’s not like digital identity is as taught as a separate thing, right? In a way, it’s almost when you’re working with computers, it’s almost like air, because it’s just there. Of course, you have to log in, of course, you have to have an account. You hear about having to have strong passwords and all these other things. And so actually understanding that it is more complicated than that, and that there are good reasons for it to be, it’s not as common as it should be. Certainly, otherwise, we wouldn’t be losing all this money to fraud and identity theft.

Oscar: Yeah, indeed, indeed. So, there’s a lot of work for us, the ones who are working in the industry to keep educating, right? Making it easy also to understand that’s super important, and I know you work very hard into that.

Heather: Oh, the identity industry isn’t making it easy, necessarily. So, there is always that to consider too.

Oscar: If– so where the– if you see the identity industry where the identity industries is failing to make itself understood?

Heather: Oh, I have a list. So, let’s start with like one of the questions you asked earlier about, OK, how would you define digital identity? I gave you, my definition. But if you get 10 identity professionals in a room and ask them, you’re probably going to get at least 15 different answers. I mean, that’s among professionals already in this space. So now, imagine how hard it is for people, not in the space to get a handle on what their digital identity is and how to manage it. The terminology used in the industry is imprecise. The standards that we’re developing are incomplete. They’re inconsistently used. And it’s just how we communicate with the rest of the world’s big problem.

I’ll give you another example. Passwords. Let’s just talk about passwords. If you talk to any identity professional, they will agree that passwords are one of the biggest, possibly the biggest challenge facing the industry. So how are we solving it? There’s password complexity rules, password reuse rules, passphrase suggestions, password manager guidance, passwordless guidance, multifactor authentication using authenticator apps, multifactor authentication using biometric data, multifactor authentication using SMS codes, all of these options, all these different guidance, how’s the user suppose to understand all that? When they’re going from one site to the next to the next and they’re just being mentally pummelled with all these different options? How are they supposed to know what the best practice is? What are they supposed to be doing to protect their identity if they’re getting such an inconsistent story, just on the most basic aspect of logging in?

Every site is implementing things differently. A regular user doesn’t know if that’s the current best practice or not. And to be fair, practitioners can barely keep up with it themselves because the identity industry at this point, it’s not just sending mixed messages. We’re just sending white noise and static to our users, because it’s just all over the place. That’s a huge failing on our part.

Oscar: Ah, yeah, yeah. That’s cool in many people’s ear, I believe. Yes, it’s true. So, the way you say it, so if 15 different identity professionals answer the same questions, all of them understand very well the concept, the problems, but yeah, the answer will be different. So that already tells a lot.

Yeah, I would like to hear if there are, there must be, there must be good examples of projects or initiatives that have – well, intentionally or unintentionally have been making identity much more understandable for everyone. So, if you can share some success stories about how projects initially have educated about digital identity.

Heather: So yeah, I definitely have some favourites here. Though I want to preface that educating people about digital identity is hard, because often people don’t want it to be hard, so they don’t want to know about how complicated it is. And that, that makes it a bit challenging to offer education. But that said, I love what I see coming out of the Internet Safety Labs, that was previously known as the Me2B Alliance, they’ve turned into an independent software product testing organisation. And that focuses on online safety standards that company can actually quantitatively measure their software against to see if they’re really offering a safe online experience.

I’m also a huge fan of the FIDO Alliance. And the work they’re doing to finally move the world away from passwords in a way that’s very easy for the end user to understand and respond to. But that said, I see those as success stories that influence the business side of things, on behalf of users, but still, it’s very business oriented, which is great.

But I also want to highlight those groups that are actually– they’re actually getting out there on Instagram, and TikTok to get useful information about digital identity in front of regular people where they hang out every day. So, I mean, that’s something I’m trying to do through Identity Flash Mob, which is a passion project for me. But another one that I’d point to is the Cyber Security Hub. I find their posts on Instagram hilarious and absolutely spot on. And they’re reaching over 343,000 people on Instagram with those posts.

Oscar: OK, so definitely have to check it out. Was it Cyber Security Hub?

Heather: Yeah.

Oscar: And of course, your project Identity Flash Mob. So, you’re already on TikTok?

Heather: I tried to do TikTok, I’m not very good at it. I’m much better at Instagram.

Oscar: All right. Each one of course has their own strengths. Yeah, yeah. I’m not in TikTok either. I have to definitely keep following the work you are doing. But tell me a bit more what you’re doing in Identity Flash Mob now that we are in this point?

Heather: So what I’m trying to do there is, as you say, make the information about identity and security and standards, basically how technology works a bit more consumable to people like my mother, or my friend, Laura, Laura Paglione, who’s partnering with me on this, you know, make it something that her daughter would find interesting enough to actually stop and read. And that means getting the information into accurate and consumable, almost sound bites, you know, very, very short pieces and in front of them where it goes.

We do write blog posts, because blog posts helped me organise my thoughts as to how I want to present an idea to the users. And a lot of the posts offer what can you do in five minutes, in 15 minutes, in 30 minutes to learn more about the space? And also, the regular posting on Instagram just to get ideas and thoughts out there to people?

Oscar: Yeah, excellent. Yeah, I checked your website and definitely it’s super interesting. I read a few of your articles, and excellent job that you are doing there. And yeah, I’ll keep following. Yeah, that’s super interesting for me I was– every time I have the well, the responsibility to give a talk or some, yeah, writing blog, for instance, writing blog posts, I also like, to the best possible effort to make it very easy to understand and to connect with something that people are familiar. So, it is super important, as we are seeing after how this conversation is going really, it’s – that’s a lot to do, yeah, on that aspect.

And now, I’d like to hear more about your work in those standard organisations. And you have been working as a technical writer, editor, et cetera, also leading projects there. Yeah. Tell me about this, this work you’ve been doing writing the standards.

Heather: So, standards development is one of my favourite things. So, a bit about standards, right, is that standards exist to make it so things can actually interoperate. The fact that you can send an email from your mail app, and have it received across the world to someone in India, with a completely different mail app is actually a miracle of standards, you know, that that functions all the way through. I can’t emphasise enough how important it is to get people involved in those kinds of efforts. And it needs all different kinds of people.

I don’t write standards. I’m not that kind of technical. But I’m really good at reading them and offering feedback or helping with the process or helping facilitate the calls. Whatever is needed to help the engineers write what they need to write is how I participate. So, there’s rooms for lots of different kinds of smart, a lot of different kinds of technical, it’s not just system engineers and what they can do.

So, I was the Publisher the Executive Oversight for Publishing Internet Standards for eight years through the Internet Engineering Task Force, and I got to watch a lot of that work being done and help the groups actually get their words out and published to the world. It was very exciting. And it’s also very hard, because one of the biggest challenges that the whole standards development process has, is that to actually achieve interoperable standards, you have to get people from different backgrounds to help write review, test the proposed standards to see if they meet the needs that they are written to address.

I mean, as it stands today, even though there’s companies that sort of donate their people’s time, nobody actually has a full-time job saying, I am a standard writer, right? They work for a company, they have other things they have to do, their “day job”. So, it’s always the best effort really, in terms of are the right people in the room? Or is there enough diversity in the room? And so far, they’re just huge diversity gaps there.

I think most standards or organisations have some kind of diversity effort on the books. But it’s hard to attract new people, when you already have a strong culture in place that itself isn’t attractive to diverse participants. It can be done, but it’s pretty slow going. I think I’ve had it easier, in a way because I embrace the fact that I’m really good at organising people and organising processes. And that was a space that the specification writers themselves didn’t want to do. And so, it was easy to just slot in and say I can help you with this stuff that you don’t want to do. And it made for very good give and take to get things out the door.

But I think other folks may find it a little bit more challenging, because the thing I hear constantly is I’m not technical enough to do that. You use a computer, you can turn it on, you can offer what’s your experience? What did you find easy? What did you find hard? That right there is useful information for spec writers to know.

Oscar: Yeah, I understand the challenge of as you said, most of the people who are writing these standards, well are squeezing their time, right, to work on those projects. Yeah, it’s one, among other tasks of their day job for most of these people. That is correct. And it’s already challenging. So, you have mentioned the challenging in finding diversity, if you can explain a bit more in what about geographically, what about which aspect of diversity are not so well right now, let’s say.

Heather: All of them. There’s the geographic diversity. I mean, if you look at the demographics of who’s attending something like an IETF meeting, it’s mostly US and Europe, and then China and India, but it quickly drops off, right? They try and address this by moving the meeting around. So, you’ll have North America, then you’ll have Europe, then you’ll have Asia, right, to try and get it at least proximate to the geography of who will actually attend. But that’s just one thing.

There’s also gender, tech is notoriously driven by a male dominated field. There’s also age, one of the bigger concerns is the fact that people who write standards are usually more at the tail end of their career, as opposed to the beginning of their career. And so, it’s a group that’s aging out. And not a lot of young folks come into it at all. Often, their company says, “Well, you’re too junior to participate in that.” which is unfortunate. So really, pretty much every dimension has a lack when it comes to diversity.

Oscar: So, you would encourage as you just said now, for instance, one person who is relatively young, and so the boss or someone the company says, “You don’t have enough experience to do that.” So, we need to challenge that, right?

Heather Flanagan: We do. I think of it this way. I mean, the argument I would make is, by the time someone is at the end of their career and coming in and everything that you know, they have very strong opinions, and that’s great, but we’re leaving the junior staff to relearn all our mistakes. Because they’re going to go through this learning process, and they won’t understand the history of why did something develop the way it did. And because they don’t understand it, they’re going to reinvent the same problems. And maybe they’ll solve them slightly differently.

But wouldn’t it be better if we could jumpstart them and say, “OK, this is what we did. This is why we did it. This is you know, how we did it.” But condense that so that earlier on in their career they can say, “OK, I understand what was tried before and why it didn’t work. Now let’s really think new things.” That would be a wonderful thing to see happen.

Oscar: Indeed. Yeah, I hope people who are listening to this episode are – have some curiosity to… so what happened in someone who is right now listening to this podcast say, “OK, maybe I can try it.” So, whom they should contact to, in order to try participating one of these organisations, what are the best way to – whom to contact or how to get started?

Heather: So, the first thing to do, I guess, is to narrow down into at least a little bit into well, what kind of thing, what are you most interested in? Right? And you could actually just post on Twitter or post on LinkedIn or something like that and just do an outreach saying, “I want to help with the standards process, how do I do it?” And see what kind of answer you get, see what’s open.

For organisations like the IETF, they have… oh, goodness, I don’t know how many working groups, we’ll easily say at least 100, possibly more. And you can just look through them and say, “OK, this sounds interesting.” And its public knowledge, well, who’s… you know, what kind of documents is that group working on? Read them, and you’ll know who their authors are. You’ll have their contact information. You’ll have the contact information of the working group Chairs, and you can reach out to them and say, “I’m interested in helping, what can I do?” And sure, that they will be so happy. So happy to hear that there’s interest in that space.

Oscar: That’s great, definitely. I have only once for a couple of years, I participated in Kantara Initiative, definitely, a colleague suggested me to join for a while and it was super nice, definitely. So yeah, actually, anyone who has not participated in any of these standard organisations, yeah, please follow Heather’s advice. Just find something that’s interesting for you and contact them. Because it’s very important, it’s very important for all of us not only to ship the standards, but that process of making everything more and more understandable.

So super interesting conversation with you, Heather. Now, a final question is for all business leaders who are listening now in this conversation, what is the one actionable idea that they should write on their agendas today?

Heather: OK. So, I knew you’re going to ask this, and I gave it some thought. And what I would love to see happen, and I think would actually be fun. You need to strengthen your identity and access management, you need to strengthen that function in your organisation to the point that your marketing team, your finance team, your management team, your dev teams, all understand what digital identity means in your company, and why it’s so important to protect.

And I’m talking about getting creative about it. Not like having an online training course that says, “Make sure that your passwords are 16 characters long, it contains the following.” No, no, that’s not what I mean. I want you to encourage study groups. I want you to create a game day, where you have teams that include representatives from every department acting out a response to an incident involving an identity related security issue.

So, the marketing person would– they would be tagged to figure out what is the communication message that you have to send. The finance person would have to figure out what would the cost of this be? The development person would have to figure out how to research and close whatever vulnerability was used in the system. And that’s not just going to help your company. It’ll actually help your people protect themselves everyday online. So, and I think it could kind of be fun to do.

Oscar: I like it. It sounds definitely fun. So yeah, digital identity can be fun. So, it’s a great idea that you are suggesting to organise a game. So, well, thanks a lot for that. It was super interesting. And again, I commend you for all the work you are doing in Identity Flash Mob and all the standard organisations. So, for people who would like to continue this conversation with you, Heather, or find more about the work you are doing, what are the best ways to find you?

Heather: So, you can always find me on LinkedIn, I’m fairly active there. You can do me a huge favour and follow Identity Flash Mob on Instagram, which is always great. Or, you can go to the identityflashmob.com website and just read about what we’re doing and it will give you a few ways to contact us there too.

Oscar: Excellent. Again, thanks a lot, Heather. And all the best.

Heather: Thank you very much.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up-to-date with episode at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.

[End of transcript]