
February 27, 2024 54 mins

In this week's episode, I am joined by Steve Tout, Practice Lead at Integrated Solutions Group (ISG) and Host of The Nonconformist Innovation Podcast to discuss the intersection of privacy and identity. Steve has 18+ years of experience in global Identity & Access Management (IAM) and is currently completing his MBA from Santa Clara University. Throughout our conversation, Steve shares his journey as a reformed technologist and advocate for 'Nonconformist Innovation' & 'Tipping Point Leadership.'

Steve's approach to identity involves breaking it down into 4 components: 1) philosophy, 2) politics, 3) economics & 4) technology, highlighting their interconnectedness. We also discuss his work with Washington State and its efforts to modernize Consumer Identity Access Management (IAM). We address concerns around AI, biometrics & mobile driver's licenses. Plus, Steve offers his perspective on tipping point leadership and the challenges organizations face in achieving privacy change at scale.

Topics Covered: 

  • Steve's origin story; his accidental entry into identity & access management (IAM)
  • Steve's perspective as a 'Nonconformist Innovator' and why he launched 'The Nonconformist Innovation Podcast'
  • The intersection of privacy & identity
  • How to address organizational resistance to change, especially with lean resources
  • Benefits gained from 'Tipping Point Leadership'
  • 4 common hurdles to tipping point leadership 
  • How to be a successful tipping point leader within a very bottom-up focused organization
  • 'Consumer IAM' & the driving need for modernizing identity in Washington State
  • How Steve has approached the challenges related to privacy, ethics & equity 
  • Differences between the mobile driver's license (mDL) & verified credentials (VC) standards & technology
  • How States are approaching the implementation of mDL in different ways and the privacy benefits of 'selective disclosure'
  • Steve's advice for privacy technologists to best position them and their orgs at the forefront of privacy and security innovation
  • Steve's recommended books for learning more about tipping point leadership


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Steve Tout (00:00):
The amount of data that is stored about individuals
in the data brokers, there can be a positive use for that or a
negative impact to its abuse.
The data that's available is oftentimes used for credit
decisions, and the minority population of the workforce are

(00:22):
marginalized because they may not have creditworthiness,
because they don't have a credit history, and so the data that's
out there about them can be working against them for many
different ways.
So, it really comes down to consent.
The data is out there, but I think what we're trying to get
closer to is a world that people can choose how their data is

(00:46):
used and that it's not used in a way that's a weapon against
them, but that it's actually there to help improve the
quality of lives of everyone, not just those who have access.
Not everybody has mobile phones.
Not everybody has credit histories, etc.

Debra J Farber (01:01):
Hello, I am Debra J Farber.
Welcome to The Shifting Privacy Left Podcast, where we talk
about embedding privacy by design and default into the
engineering function to prevent privacy harms to humans and to
prevent dystopia.
Each week, we'll bring you unique discussions with global
privacy technologists and innovators working at the

(01:22):
bleeding-edge of privacy research and emerging
technologies, standards, business models and ecosystems.
Welcome everyone to The Shifting Privacy Left Podcast.
I'm your host and resident privacy guru, Debra J Farber.
Today, I'm delighted to welcome my next guest, Steve Tout,
Practice Lead at Integrated Solutions Group (or ISG), and

(01:45):
2024 MBA candidate at Santa Clara University.
Steve is obsessed with helping transform businesses by
delivering disruptive insights, reducing risk and enabling safer
online experiences through strategy and design thinking.
For over 18 years, he's worked in a variety of roles related to

(02:07):
global identity and access management, with a focus on
programs, architecture, engineering and operational
excellence at some of the world's largest companies in
telecommunications, financial services, high tech and big four
consulting.
Steve is currently an Independent Advisor and Host of

(02:28):
The Nonconformist Innovation Podcast.
He has produced four seasons and over 40 episodes on ethics,
privacy, data protection, digital identity, GDPR, CCPA,
entrepreneurship, leadership and inclusive innovation.
As an Advisory Board member to multiple startups, Steve helps

(02:51):
founders and executives with business development,
nonconformist innovation, which we'll talk about, and strategic
marketing.
Today, we're going to chat about privacy and the
intersection with identity and Steve's experience working with
the State of Washington as it modernizes consumer identity and
access management for 11 million residents and businesses

(03:11):
across the State.
Welcome, Steve!

Steve Tout (03:15):
Thank you, Debra.
It's great to be here.
Thank you for having me.

Debra J Farber (03:18):
Absolutely - my pleasure.
I love the overlap in the work that you're doing and the gospel
that you're spreading.
Before we dive deeper into what is nonconformist innovation and
where are those relevant overlaps, why don't we learn
from you a little bit about your origin story?

Steve Tout (03:36):
Sure.
Yeah, I don't know how far you want me to go back, but in a
nutshell, I'm a California boy through and through, born and
raised in Northern California, and by Northern I'm not talking
about the Bay Area, I'm talking about the north of Sacramento.
So Shasta County, represented here today (yeah, Anderson), but

(03:56):
living in the Pacific Northwest for the past couple of decades
by way of finding and marrying the love of my life, I've come
to know and love, spent many years in Portland and I love
that area.
I'm here in the Bremerton area now and that's where I call
home, professionally speaking.
I accidentally found my way into identity and access

(04:17):
management in the early 2000s.
My career aspirations were to become a web developer.
Specifically, I wanted to build database-backed websites.
Now that was my big dream, but fast forward.
I'd spent time leading the first enterprise-wide identity
and access management system for AT&T Wireless.

(04:38):
I was one of the first two LDAP Sun One admins for that
back-end infrastructure and spent time doing architecture
there as well and business analysis.
I went on to help deploy the first of identity and access
management in 2FA at one of the major banks.
I got recruited by Oracle to spend time in the field

(05:00):
supporting and consulting their clients and landed at a little
company called VMware in 2007 and spent quite a bit of time
there.
In 2015,.
I really tried to retire from this a couple of times and
failed.
I came to a point where I didn't want to learn anything

(05:20):
more about technology.
I didn't want year 16 to be like the previous 15 years in my
career.
So a bit of an attempt at reinvention.
But here I am.
I currently consider myself a reformed technologist about to
complete an MBA program at Santa Clara University.
I'm grateful to have the opportunity to help modernize

(05:41):
consumer IAM here in Washington State.
I think that's once-in-a-decade opportunity for the
State and once-in-a-career opportunity here for me,
considering the scale and the impact that it will have on
Washingtonians for the next couple of decades.

Debra J Farber (05:59):
That's definitely a good synopsis.
It brings us where we are today, for sure.
I think that you're right; it does have a grand effect on the
State.
I live just outside of Portland, Oregon but on the
Washington State side.
So, as a constituent, I thank you; and I can't wait to unpack

(06:19):
some of what you're working on that does affect the citizenry
of the State and what are we gonna be making easier for us
with the new IAM strategies?
But, first I would love to understand and unpack what
'nonconformist innovation' means.
What is your definition of that and how do you view yourself as

(06:40):
a nonconformist innovator?

Steve Tout (06:43):
You know I get that question a lot.
It happens to be one of my favorite things to think about
now and talk about.
But we'll get to it.
I have a podcast called The Nonconformist Innovation Podcast
that... can scare people.
You know, in job interviews or talking with clients or with
customers or partners, they think, "okay, you're

(07:04):
nonconformist.
Does that mean you're a closet anarchist?
Or, how are you gonna cause them trouble and are you going
to increase the risk profile of this project or of my business?"
And it's quite the opposite.
I guess, the way I stumbled upon nonconformist as a form of
innovation is... you've probably heard of disruptive innovation and the

(07:27):
work that Clayton Christensen did the past two to three
decades through Harvard Business School and his study of how
innovation disrupts markets and all of the collateral damage and
opportunity that it creates for businesses, the collateral
damage that can happen for smaller businesses that don't

(07:47):
prepare or go to market right.
I thought about nonconformist innovation as simply a way to
have the interests of the individual and stakeholders and
shareholders front and center, and that's I don't know if I
would say that it's counterintuitive, but it's often
neglected.
And so, for now on, if you wanna think about nonconformist

(08:10):
innovation as a process or a framework for developing
unconventional insight, you could think of it like that, too.
It's an attempt for me to explain a way to design and
build businesses and go-to-market strategies that lead with
shareholder interests and integrity and driven by ethical

(08:33):
leaders, because I think fundamentally that ethical
leaders save lives.
When it comes to privacy and security, regulation and
technology is great, but technology is at its core, it's
a manifestation of the values and beliefs of its owners, and
so when I look to change the reality or the world that we

(08:56):
live in, I wanna go change the values and belief systems that
our leaders and product owners and business owners have, and I
think the technology will just be an implementation detail,
right?
And then I like to think... one guest on my podcast early on made a statement, so I can't
claim this as my own, but he talked about ethics is a better
form of security, which has really occupied my thoughts for

(09:20):
the past several years now.
It's important in whether I'm working with companies in the
private sector or in the public sector in the state of
Washington.
This message is well-received, right?
Equity is a really important subject.
So, yeah, ethics is a major component of this and as it
relates to being a better form of security and privacy

Debra J Farber (09:44):
So, what I'm hearing from you is that for a
long time - and tell me if I'm wrong, this is when I'm like
reading between the lines - for a long time there's been a focus
on disruption and innovation from a technical standpoint,
from new technology, and maybe an over focus on the technology
as opposed to the technology following the set of
socio-technical perspective.

(10:06):
So the non-conformist element is not conforming to almost this
VC view of... VC here I do mean venture capitalists' view of how to
bring technology in market.
Instead, you're kind of looking more at like the right way, the
ethical way, and then the technology will follow from that,
and that's the non-conformity.

Steve Tout (10:27):
I think you're right when I reverse engineer.
So one of the things that I did after I left my last corporate
gig in 2015, is I spent time really depressed, to be quite
honest with you, because I knew I didn't want to stay in
corporate America, and so I wanted to try my hand at
entrepreneurship and starting my own company.
But, I wanted to do it in a way that was aligned with my

(10:52):
beliefs and my values; and the problem was that I didn't really
know what those were.
So, what I stumbled upon was I reverse engineered technology,
which, if you would imagine, close your eyes and you draw a
circle and you call this a pie.
The first 15 years of my career was 100% occupied by technology.

(11:12):
It was technology-focused, but what I worked on building in
terms of vision and values and belief system was to rewire and
reorient my thinking.
So, I reverse engineered that technology; instead of being
100% of this pie, I divided the pie into four pieces.

(11:34):
So, if your eyes are still closed and you're visualizing
this pie, the top left begins with 'philosophy,' the top right
is about 'politics,' the bottom right is about 'economics,' the
bottom left is 'technology'.
Okay now, with that mental model, if you start with

(11:58):
philosophy and you go clockwise, philosophy informs politics,
politics informs economics, economics informs technology,
and my belief is that technology is a manifestation of all of
the above.
So, we're all politicians.
Right?
I just take this view that when we step back and we look at that

(12:20):
framework, when we look at business and technology through
that framework and technology as a derivative of philosophy,
that we need to look at having a form of - you know, not all VCs
are bad.
We have a mutual friend and you know I have others who are
ethical VCs, I guess, or who value privacy just as much as

(12:42):
they do revenue.
And I'm not against revenue I'm a student at a premier MBA
school in the State of California and there's nothing
wrong with making money.
Companies need to do that to survive and to continue to
produce products and services that we need for our way of
living.
But it's really there are a lot of abuses in the industry where

(13:06):
privacy is the currency.
To be specific, I would take aim at the way that privacy is
abused to fuel products and shareholders, while it's at the
expense of residents, customers, citizens, et cetera.

Debra J Farber (13:22):
That makes a lot of sense.
Now tell us a little bit about your podcast, The Nonconformist
Innovation Podcast.

Steve Tout (13:28):
So you know, it started in 2019.
I had just left a role as a startup CEO for a cybersecurity
company in Seattle.
It didn't end as well as I would have hoped, but around the
same time, a mutual friend of ours, Tom Kemp, had just sold
his company, Centrify, to Thoma Bravo.
So, I was just thinking one day my experience as a CEO was very

(13:54):
different than Tom's and I wanted to compare notes.
I just thought, well, I at least want to have a
conversation with Tom, but I realized there's not a lot that
he would share or that I could learn by just having a random,
impromptu conversation.
So, I reached out to him and thought of having a more

(14:18):
structured conversation where I could selfishly learn from his
experiences because the next time that I'm a startup CEO, I
wanted to end much differently than my previous experience.
So, it was one of the best conversations on the topic of
entrepreneurship and leadership, even after doing this for four

(14:39):
seasons now.
I obviously hear, as a host and first person, all of my
podcast episodes, but I don't go back and listen to them after
they're produced.
There are a couple of them that I do.
This is one of them.
When I really need clarity about my purpose and why I
started this to begin with, I go back to that first episode and

(15:01):
find a lot of clarity and motivation in it.
So you know the podcast is still in experimental mode.
I'd say I have some pretty ambitious plans for season five
that's focusing on experience and the community instead of me.
It's starting in the spring.
I'm looking at doing a multi-city tour from Los Angeles

(15:22):
to San Jose to Seattle and maybe a couple of stops in
between, and experimenting with a live podcast format to really
make this more about experiencing non-conformist
innovation and looking at it through the lens of the
community and the listener rather than through me as the
host.

Debra J Farber (15:40):
Oh, I love that.
I'd love to hear how that works out for you and lessons learned,
so maybe we'll have you back for that.
That's awesome, very cool.
While I've listened to a few episodes, I've not listened to
the Tom Kemp episode on your show, so I will definitely go
back and do that.
I mean, especially with the plug you just gave for how
rewarding of a conversation it was.
I'll also include a link to that in the show notes for this

(16:03):
episode.
Let's turn now to like the main topic at hand, which is what is
the intersection that you see between privacy and identity and,
generally, where's the overlap in your mind?
I bring this up specifically because it's fascinating that
privacy folks and identity folks have been so siloed and they
don't have as much interaction as you would think they would,

(16:26):
given the overlap.
Why don't I let you first tell us about that overlap?

Steve Tout (16:31):
Yeah, you know that's a really great question
and I've often struggled with this as well.
The more that I've gotten opportunities to work with
privacy folks, the most immediate thing that comes to
mind is, "hey, these people are not like me."
I'm a technologist; I'm an identity person and I've been at

(16:51):
the lowest level of the organization, building data,
managing directories and access control systems and policies.
But that's the technologist's view.
The privacy professionals are, especially as professionals
become more advanced in their career.
They have law degrees.
They come from different backgrounds.
They're not necessarily technologists.

(17:13):
So, there's definitely the silos are there because their
education, their background, their responsibilities are
different.
One is in the realm of policy and the other one is in the
realm of technology and implementation, and we typically
think of having rights to privacy as individuals.
Right, that's the ability for individuals to control access to

(17:36):
their sensitive data and secrets, whereas identity is
often who we are, the data that organizations have about you
that could be your location, your gender, your health
conditions, the privacy of identity or anonymity.
Nowadays it's not guaranteed and it can't be assumed that you

(17:58):
have it.
I actually listen to this a lot, but this song just came on the
radio this morning - my Pandora playlist was playing some fun
songs for Friday.
Today is Friday morning and 'Fight for Your Right to Party'
came on by the Beastie Boys.
So, I think that's a lot like privacy today, where we have to

(18:19):
fight for our right to privacy online.
The overlap is in the ongoing need for protection, governance,
visibility and management, and then extending beyond there.
I think there's a need from a corporate or a business
perspective, better accountability with how
organizations use and or abuse privacy.

(18:41):
But today, privacy shouldn't be a luxury only afforded by the
rich.

Debra J Farber (18:46):
I mean, that's true, I totally agree with that.
I think, just to build on what you were saying, I think the
fundamental privacy challenge is that universal identifiers,
kind of, are the root of many privacy problems, and those
identifiers are being managed by identity access management kind
of constructs within organizations.
So with the proliferation of data across organizations that

(19:11):
involve personal data, these identifiers that we assign
people can make it easy for us, through databases, to call up
more contacts, more details about an individual than maybe
that we could in the past.
And so the more data driven that we have made our business
processes, our technical processes, all of that, now the

(19:34):
potential privacy problems have magnified as well.
So, you're right.
I do want to bring up with the topic you just mentioned of
privacy shouldn't be a luxury only afforded by the rich, even
in the ad tech space.
You've got now in the EU the challenge that I think it's Meta
that just decided to address the challenges of privacy in the

(19:55):
ad tech space and the problems with consents and the fact that
third party cookies are going away and all of that,
Meta's come out with this what they're calling?
Well, they're not calling it, but what privacy professionals
against what Meta is doing - they're calling it consent or
pay or pay and ok.
So, you either consent to receiving these ads or you pay a
subscription to not receive ads, which is actually an equity

(20:18):
challenge, right?
Because now, you're saying, if you don't have the money, you
could either use our services by consenting to the ads.
It's almost a false choice, right?
Or, you could pay us money you might not have where you can
have a subscription, where it's ad free, and so there's an
equity challenge there where people could, you know... the argument that if the rich could afford to not have their

(20:38):
privacy violated, everybody else must consent, it almost feels
like you're forced, if you're not rich enough, to pay for a
subscription.
If you want to use our platform, you have to consent, which is
definitely going to be interesting to watch because I
think that will be struck down as violative of GDPR and
potentially other equitability statutes within the EU.

Steve Tout (21:02):
There's another equity issue as well, which is
the amount of data that is stored about individuals in the
data brokers.
You know, there can be a positive use for that or a
negative impact to its abuse.
The data that's available is oftentimes used for credit
decisions, and the minority population of the workforce are

(21:27):
marginalized because they may not have creditworthiness,
because they don't have a credit history, and so the data that's
out there about them can be working against them for many
different ways, right.
So it really comes down to consent.
The data is out there, but I think what we're trying to get
closer to is a world that people can choose how their data is

(21:51):
used and that it's not used in a way that's a weapon against
them; that it's actually there to help improve the quality of
lives of everyone, not just those who have access.
Not everybody has mobile phones, not everybody has credit
histories, et cetera.

Debra J Farber (22:06):
You make a really good point.
I've thought about this and I've read a lot of books and
perspectives on like is privacy about control?
Is privacy about ownership?
And, where I've landed is that privacy is about control over
your own information flows, and a lot of that comes down to IAM

(22:28):
and how is that access managed?
Do you control the keys?
Does somebody else control the keys?
Who's defining what your identifiers are connected to in
the first place?
Well, today, a lot of that is done at the identity level
within organizations.
The organizations are defining what is an identity and what's
attached to it and what must that look like and all that.

(22:50):
And then, of course, there's like innovations that are still
yet to be deployed at grand scale, like can you decentralize
that identity and turn that into you know, whether we're
talking about verified credentials or we're talking
about self-sovereign identity or other architectures of where we
as individuals can control those keys.

(23:11):
We can have those in-depth conversations another day, but I
think the larger point I'm trying to make is a lot of what
you're able to find out and discover about someone is
attached to either a token or an identifier or you know,
basically an identifier so that you're able to then query about
that person and like all their activities and you know, from a

(23:33):
security perspective, what has this person done wrong?
Not wrong, but like, when you're logging, has somebody
actually, like you know, access something they shouldn't, and
then put controls around that.
Do you have anything to say about that?
Because I know I just brought up a bunch of topics.

Steve Tout (23:49):
Yeah, I mean, I would sum it up this way - it
comes back to the philosophy.
You mentioned a few things about controls and it comes back
to fundamentally, at a philosophical level, do
politicians, do CEOs prioritize the fundamental human right to
privacy or do they prioritize the right to shareholders and

(24:09):
creating returns for shareholders?
And so you know, in Privacy by Design, there's a lot of talk
about they don't need to be a zero sum game or mutually
exclusive, but oftentimes they are.
You know we're on a privacy podcast, so it's pro privacy.
I think we often get lost in the technical minutiae of

(24:29):
conversations, but it's really simple: are leaders and
politicians going to prioritize our fundamental human right to
privacy and, if so, how?

Debra J Farber (24:39):
Well, actually that's a really great jumping
off point, then, to my next question, which is how do you
address organizational resistance to that change?
We get a Privacy Officer.
We give them resources - in an ideal world, because this isn't
always the case.
But let's say, a Privacy Officer is appointed and then
they don't necessarily have all the resources they need and they

(25:00):
need to argue for that.
How can you address organizational resistance to
change, especially when your current resources are lean?

Steve Tout (25:11):
Yeah, that's a really great question.
Recently I spent a lot of time thinking about this through the
lens of game theory and you know, look at the moves of the queen
on a chess board and how advantageous that is.
That can either be a great asset or a big target.
But being lean on resources can actually be an advantage in

(25:32):
some cases.
In an organizational context, it can create urgency and
highlight needs.
But there are a couple of things that I think are vital to
leading change in an organization.
That change has to be sponsored by leadership.
I think that's a given.
If it's not, that doesn't mean it's doomed to failure.

Debra J Farber (25:52):
I don't think that's a given.
I think that that needs underscoring.
In my experience with privacy, you would think that that would
be a given, but I've had some pretty large companies refuse to
appoint a single-threaded owner for privacy that would help in
the block and tackle of getting things done.
So, I would definitely underscore that without

(26:14):
executive sponsorship, I think in a mid-sized to large
enterprise organization very often you won't be able to get
things done because it won't be visible enough to be seen as
something that needs to get done as opposed to some requirement
that someone lower down can get done.
Right?

[Steve (26:33):
fair enough] Or, the problem doesn't seem as big or
important or multifaceted if there's no executive sponsor.

Steve Tout (26:39):
In the context of privacy, I think you're
absolutely right.
It's a big enough issue with big enough consequences that it
has to have.
And now, we have organizations that have Chief Data Officers
and Chief Privacy Officers.
It can be a good sign.
Sometimes they're used as political tokens without real
intention to affect change.

(27:00):
But you know it at least needs to be aligned with broader
business goals or an OKR. For change,
there has to be a compelling reason to change.
Right?
If you have a Chief Privacy Officer, but you're just doing
that there for compliance, it's not there because you want to
change.
It's there because you want to maintain the status quo and
check the compliance box.

(27:21):
But protecting the privacy of customers and employees, et
cetera, that's not an accident.
That doesn't happen without intention.
But, on the other side of the coin, neglecting it is on the
same level of abuse, in my opinion.
We could spend, you know, we could go down that rabbit hole,
but I think neglect of privacy issues and concerns is not an

(27:41):
excuse.
So an organization's readiness for change it can be viewed and
measured by individual motivations, the carrots and the
sticks.
What's the motivation for Product Managers and Individual
Contributors to think and act in a way that's unnatural to
them.
When they're trying to get a job done, privacy tends to come

(28:01):
out of left field or hits them blindsided.
But, what do we need to do as an organization to get them to
think and act like privacy advocates?
I mean, we've had The Privacy Engineer's Manifesto since 2014,
but there are still organizations... we have great technology that helps to elevate their privacy

(28:23):
gain, but there's still a lot of work to be done.
Incentives have to be managedand aligned.

Debra J Farber (28:30):
You make a really great point
does need to be aligned.
One of the ways to align those responsibilities is to make sure
that in all requirements and product requirements and
engineering requirements that privacy and security are
required to, you've required to ask for them.
They should be asking for what are the privacy and security

(28:50):
requirements for this next build or this next feature?
It shouldn't be are there privacy or security requirements?
It should be like what are they?
And that's just part of the sprint process, and embedding
that in there so that your testing criteria is going to be
speaking to whether or not it meets the privacy and security

(29:10):
thresholds for that.
If we don't actually build into the workflow of those that are
building products and services, then the alignment can never get
there.
So, I think you make a really great point.
Let's turn to something that you talk a lot about and I don't
know a lot about, so I'd love to learn some more from you.
What is Tipping Point

(29:31):
Leadership?

Steve Tout (29:32):
I'm glad you brought that up.
That's an area that I discovered in the last couple of
years, in the last year really.
I wish I'd known more about much earlier in my career.
But you know you mentioned lean and lean resources earlier.
Tipping point leadership is a theory of change leadership
based on epidemiology created by Chan Kim and Renée Mauborgne.

(29:57):
They're professors of Strategy at INSEAD Business School in
France.
The obvious part is that for change to occur, a critical mass
of individuals need to support that change.
So, sometimes you think of critical mass oh, like 51%, 60%,
70%, the majority of a population where you have a

(30:20):
organization like, let's say, it's 2,500 employees, so you're
thinking hundreds or thousands.
But, the unexpected insight is about tipping point leadership
is that critical mass can be driven by a small number of
influential leaders or change agents within the organization.
The study of this looks at, starting with, if you have a

(30:41):
vision for a change that you want to like enhance privacy in
my organization or have a privacy first mindset and shift
from a product first to a privacy first mindset or privacy
by design as a main dominant way of thinking, and that's your
goal you don't immediately start out with a campaign for

(31:02):
everyone to get on board with embedding privacy into their
workflows.
You know the way this theory explains to be successful with
the adoption is to engage those influential leaders first.
That gives you the ability to leverage their authority, their
credibility and social capital to make it possible for change

(31:26):
to occur at scale.
And that's how it occurs at scale.
You have different department heads or business units and if
you get the majority, you don't need 100% acceptance of your
idea in order for it to stick, but you do need a majority of
your department heads or change agents or PA executives to

(31:46):
support your vision for change and to go forward towards get
closer towards that change with you.
So tipping point leadership works with minimal effort, or
lean resources, as you say, driven by the key figures, to
achieve maximum impact.

Debra J Farber (32:00):
What would you do if you were in a very bottom
up focused organization?
Maybe that is, very engineers are trusted and they can move
fast and run with things.
I think about my experience at Amazon, for instance, where
everything gets bubbled up from the bottom.
You write narratives and then you win low level executives and

(32:21):
then, if they like it, then you keep going up and up and it
could take over a year before you could even ever meet an
executive that can move things along and have that top down
effect that you just described as part of tipping point
leadership.
Basically, does this require that there be a good top down or

(32:42):
ability to influence executives that can then make top down
decisions?
Or, is there some other mechanism within tipping point
leadership I'm missing?

Steve Tout (32:53):
Well, I think a low-level executive is somewhat of
an oxymoron.

Debra J Farber (32:57):
Yeah, agreed, for lack of a better word.

Steve Tout (33:01):
Yeah, but let's pivot on that for a second.
The executive.
He may be the executive that's three levels removed from the
Chief Executive, but if he is truly an executive, that means
he has access to budget, that is, reward power and the ability
to implement policy.

(33:22):
So, there's basis of power that that executive can have to
become a leader of change, and he can do so with small,
incremental changes to how incentives and rewards are
created and implemented within this organization.
So I wouldn't really call that bottom up.

(33:43):
But in your example of, like an engineer at AWS who has a
vision for making privacy more impactful in his or her product
line, I think that he or she can become a privacy advocate.
But I think there needs to be separation between "hey, this is
the stuff I need to do to get my work done," and it's

(34:05):
oftentimes fraught with danger to become too passionate about
an idea that's contrary to your leadership values and then go
and try to advocate for that and do things that rock the boat or
create mayhem.
What I would do, specifically in that situation, is I would

(34:28):
try to create mind share, starting with my manager.
Does he or she support that idea?
Am I gonna get in trouble or maybe get fired if I spend too
much time thinking about this idea, writing about it, talking
about it internally and externally at conferences.
Or is the idea - maybe it's not prevalent within the
organization, but would it be perceived as politically unsafe

(34:51):
to advocate for it?
So I would think about it that way.
Again, this is looking at this through the lens of game theory
and, again, reverse engineering.
Once an engineer steps out of his or her technology bubble,
put this pie back in your mind.
Right, you're going, you're reverse engineering the
economics, the politics and then the philosophies.
And an engineer debating philosophy with a chief

(35:14):
executive isn't always received very well.
So you have to, as a nonconformist in your
organization.
You have to be very pragmatic about how you raise issues and
concerns and advocate for a particular way of doing things.
It's not just be outspoken.

(35:35):
I think there's a science and a methodology that supports
anyone, at any level of the organization, to bring their
passions to their job without risking being ostracized or
isolated.

Debra J Farber (35:49):
Yeah, that's good insight and advice.
I appreciate that.
I do want to turn to all the good work you're doing with the
State of Washington.
But, just to wrap up the tipping point leadership stuff,
as I was reading some of the what you've written on the topic,
I came to see that the definition of tipping point
leadership seemed to be around some of the hurdles to overcome,

(36:10):
and so maybe you could just quickly speak about what those
four common hurdles are, because I think it helps better even
define what tipping point leadership is.

Steve Tout (36:21):
Well, you know, as it turns out, I think these
hurdles represent somewhat the pie that I created several years
ago.
They're not the same.
I don't frame them as hurdles and I won't go into this deeply
because I didn't invent tipping point leadership, but I think
these hurdles are something that really resonate with us all and
when you think of this, you hear often cybersecurity is a

(36:43):
leadership issue.
Yes, it is, but what does that mean?
The hurdles and tipping point leadership that can slow down or
even kill progress at an organizational and societal
level.
Now, that I can say that because I see how it happens in
the public sector.
So they're simply, they're cognitive.
You know how people learn and not everyone has the savvy of

(37:07):
the engineer in Silicon Valley.
Political, motivational and resource hurdles.
Motivational and political hurdles are the most difficult
ones and prevent a strategy, rapid execution.

Debra J Farber (37:20):
Thank you, that makes a lot of sense.
Okay, so let's talk about some of the work that you're doing
with Washington State working on modernizing identity access
management for IAM.
Let's start by talking about what's the driving need for
modernizing in Washington State.

Steve Tout (37:36):
Yeah, so for context, this is for consumer IAM.
So, this is IAM that touches all residents within the state.
This is not workforce IAM.
I think that should help for anyone that's in this industry
understand what we're talking about and the scale and the
impact that this is having.

Debra J Farber (37:56):
So this is if somebody is like they need
services for the state and they sign up for profile online and
then everything attached to it, or you know, help contextualize
what that means.

Steve Tout (38:06):
We have a persona in the project that we're working
on.
Her name is Dani and we have referred to it as Dani's journey.
So Dani, you know, has just moved into the state and she is
really into hiking, so she wants to go get a permit to do some
camping or hiking at one of the state parks.
Right?
How does Dani interact with getting the permit, exchanging

(38:29):
her license plate or phone number or email to get the
permit?
So, it's that consumer interaction.
And then, Dani gets a job and then she gets hurt and so she
needs to interact with the Unemployment Services Division -
how she interacts with that state agency to get benefits.
So that's the context.
At a high level, I think what Bill Kehoe (Washington State

(38:50):
CIO) is doing is really genius, the approach he's taking.
It's not because of security or cost considerations that's
driving consumer IAM.
The overarching driver is really about equity, and I think
that touches on the aspirations of all of us involved on the
project that we're working on, modernizing consumer IAM because

(39:14):
it's going to make doing business with the state easier
and providing more seamless access to resources to the
Dani's of the world or to vulnerable or marginalized
populations.
So, that's one of the core drivers.
I've seen one of the biggest vendors on the planet fail

(39:34):
miserably because they came to this opportunity thinking that
free was a compelling offer and it just simply isn't.
So, drivers are in context here about improving the quality of
services and enabling digital equity and then prioritizing

(39:55):
customer and business needs over technology.
For service enhancement, that involves transitioning major IAM
systems and compute to the cloud and SaaS for agility and
adaptable service delivery that improves operational efficiency
of a government, which could be an oxymoron itself.

(40:15):
Aligning modernization with strategic goals, there's this
idea of connected government and data accessibility in the state
that those are major initiatives, as well as the
migration to the cloud.
All of those are aligned with leadership's aim to transform
Washington State's IT infrastructure into it being a
more agile, data driven and interconnected system that

(40:38):
better serves the needs of its residents, and aligned with the
strategic governmental priorities.

Debra J Farber (40:44):
All sounds like really great reasons to put such
a program in place.
So great drivers.
Thank you so much for that.
What are some of the challenges to privacy, ethics and equity
that you've come across as part of this effort, and then how
have you approached them?

Steve Tout (41:00):
Yeah, so coming at this from a background of
identity and access management and someone who's about ready to
complete an MBA, there's game theory, there's data, there's
analytics or social sciences involved here.
There's change management and tipping point leadership to use
as a tool to look at this; and so, I've encountered multiple

(41:21):
challenges.
Washington State is not on the cutting edge of digital identity,
and the reasons range from the political hurdles.
The ACLU has a pretty loud bark when it comes to adoption of
biometrics, even for legitimate purposes like identity proofing
and authentication.
There's a lack of transparency, which directly relates to trust

(41:44):
as an issue.
As vendors build out their tech platforms, many have or are in
the process of adopting AI, so machine learning using big data
and predictive analytics.
One of the major concerns that I see here is lack of
transparency and lack of auditability in these AI models.
Those are rightful concerns, right?

(42:06):
We don't want the AI to be a black box, and the next concern
is linked to that.
Automation has limits.
The bill of materials that are being offered by vendors in this
space provide automated decision support or automated
access or authorization decision, which can become problematic.
States need to have the ability to explain why an access

(42:30):
decision was made or denied, and so there has to be that
transparency and visibility into how the sausage is being made.
And then, simply bad information; there are some
leaders out there who are comfortable with the status quo
and would rather stay the course using non-speech authenticators.

(42:50):
They'd rather do that than invest in more equitable
solutions and better algorithms to solve this problem. At some
point in recent history and I won't go into the details, but I
think it's pretty clear that even relational databases at its
day and were used for profiling and assisting the Nazi regime

(43:12):
during the Holocaust, and now databases aggregate patient data
and research.
They speed up drug trials and discovery.
So I don't think that technology itself is the issue
here.
It's the owners, it's how the technology is deployed, how it's
used, and it could be used for good or for bad.

Debra J Farber (43:31):
That's a really great reminder that I think
technology deployment is not politically neutral.
While technology itself might be neutral, how it's used and
deployed is not.
So in many senses of the phrase, I guess everything is
political when it comes to technology, right?
So people should be thinking in those terms, think more about

(43:52):
the ethics and does it align with your company's ethics and
is what you're doing in deploying aligning with your
company's ethics and all of that good stuff.
That good alignment is important because then you'd be
able to see whether or not something's deployed in a way
that goes against the organization's ethics or not.
But you can't do that unless you're monitoring, and so all of

(44:13):
these things kind of fit together beyond the technology
itself around how you've architected and designed it.
It basically underscores the need for privacy and ethics and
security by design.
That whole 'by design' set of disciplines.

(44:28):
[Steve: agreed].
Let's have a short discussion between the difference between
mDL, so mobile driver's license, and verified credentials
technology.
I bring this up because, well, first we're talking about
identity management and one of the ways that you and I got
introduced by Tom Kemp was because I said to Tom, hey, I'm

(44:50):
gonna be working on a contract for the California State DMV
that is implementing the mobile driver's license and verified
credentials technology, and I am and that'll be the subject of a
completely different episode.
That's how he introduced me to you, like, "Oh, you know, you
need to meet Steve who's working on identity management for the

(45:12):
state of Washington," and so in my mind, you know, I'm like
living in the world of the mDL and the AAMVA standards for
implementing.
AAMVA is the American Association of Motor Vehicle
Administrators.
Then comparing that to the verified credentials standard,
which is actually in some ways competing with the ISO mDL

(45:32):
standard.
So, let's give our audience a little sampling of, I guess, the
issues of those two standards.
What are the differences?
Why are we even talking about them?

Steve Tout (45:46):
Yeah, well, at its fundamental level, I mean, the
identity is the underpinning for it all whether you're talking
about verifiable credentials or mDL.
It's kind of obvious that mDLs now are gaining popularity
because of their convenience.
They offer enhanced security features and the growing trends

(46:07):
towards digital transformation and personal identification.
I mean, vendors are contacting me all the time offering some
kind of preview of their mDL solutions.
And you're right, I'm not currently directly or actively
working with the DMV here in the State of Washington, but the
project I'm working on is tangential to that, which is the

(46:28):
residents' identity management or the residents' credentials.
So mDLs serve as the digital counterparts to the traditional
driver's licenses.
By contrast, verifiable credentials or VCs offer more of
a broader framework for digital credentials.
It could be a digital receipt or a digital pass to go

(46:52):
overnight at a campsite, or your badge to enter a building.
It could be applied to many different areas, but in this
case, you know the cryptography and credentials are specifically
related to driver's licenses.
And then VCs offer a more versatile framework of all kinds
catering to broader needs.

Debra J Farber (47:13):
Thanks for that.
I'll go in depth on another episode because I know we don't
have that much more time today.
But how are different states approaching their
implementation of mobile driver's licenses, or mDL?

Steve Tout (47:26):
Well, like any technology, Debra, you have
early adopters and laggards.
It's definitely a paradigm shift and if you look at it
through the tipping point leadership, it's States and
organizations are at various points in their process of
building out the infrastructure and building out the political
support that has to be in place.
So, whether you're talking about Colorado or Oklahoma or

(47:49):
Maryland, early adopters are kind of getting ahead of the
curve, which is great because there will be lessons learned
that other States, like Washington, can study and learn
from to build a confidence assessment pack and so forth.
So I see these as increasing the security, increasing the
convenience of their use.
The one that you hear a lot about is if the age when you

(48:14):
order a drink at a bar, the bartender won't see your eye
color or your street address, that kind of thing.

Debra J Farber (48:23):
So, this selective disclosure, where you
just want them to know you're over the age of 21 so they could
serve you that drink, but you know you're not going to share
with them the entirety of what's on your license because they
don't need to know that.
So it's kind of a little bit of the security need to know
aspect, but also that it really enhances privacy because it's a
minimization of sharing the data and selectively disclosing

(48:47):
which data you share with whom.
Yeah, and then before we close our conversation today, what
advice do you have for privacy technologists so that they can
best position themselves and their organizations at the
forefront of privacy and security innovation?

Steve Tout (49:03):
I think the main thing, Debra, is don't fall in
love with the technology.
That can have negative consequences for many years and
maybe even a decade, and it can disrupt the trajectory of a
career.
Technology changes all the time, so, real briefly, for privacy
technologists to position themselves and their

(49:24):
organizations at the forefront of privacy and security, I think
they need to stop falling in love with the technology to
really understand their path to broader impact, both in their
career and within their organization, their community,
their state as change agents, and see themselves as change
agents instead of technologists.

(49:44):
And then, become transformational leaders who
practice that tipping point leadership.
I think that you know.
For me, that was a real eye-opener and looking at the
need for change management versus just implement new
technology.

Debra J Farber (49:57):
Thank you so much.
What books or resources do you recommend so that people can
learn more about this tipping point leadership style?

Steve Tout (50:06):
As you can guess, Debra, there's a lot written on
this topic, just too much to mention.
The one that I read for a course I recently took on change
management is Harvard Business Review's 10 Must Reads, simply
titled, "On change management."
It's a great concise book.
There's case studies.
There's different chapters on different topics that provide

(50:26):
context.
There's a really great chapter on this issue of tipping point
leadership.
That provides the insights that leaders need to consider and in
managing change at any scale.
I think that's a good place to start.
There's another excellent resource.
It's an open source textbook that I use for the same course
that's published by the University of Minnesota "On

(50:48):
change management."
I could recommend that, too, because it's free, it's online
and the quality is mind-blowing good.
It's exceptionally good if you're a technologist and you're
trying to figure out how can I be more impactful and effective
within my role.
It's not go to a conference and learn more about technology.
If you pick up that book on change management or this open

(51:11):
text book, I will provide a link so you can add it to the show
notes and share with listeners.
It's excellent.
The key idea about path to impact you need to understand
what is your personal path to impact, as a professional or as
a leader, to bring about change and transformation at a personal
level, at a career level and at an organizational level.

(51:32):
You can't have digital transformation without identity
transformation.
You can't have identity transformation without personal
transformation.
And you start connecting the dots, so look for that path to
impact.
I also recommend this recent book, "Ethics in the age
of disruptive technologies"; it's an operational roadmap written
by Brian Green and Ann Skeet.

(51:52):
They're from Santa Clara University's Markkula Center for
Applied Ethics.
I mean, I'm going to the business school at Santa Clara
University, but that's an excellent resource as well
looking to connect the dots on innovation, disruption and
emerging technologies.

Debra J Farber (52:10):
Well, thank you so much, Steve, for joining us
today on The Shifting Privacy Left Podcast.
I think I've learned a lot from you and I look forward to
following you and seeing a lot more of what you write,
listening to a lot more of your podcast episodes.
Until next Tuesday, everyone, when we'll be back with
engaging content and another great guest.

(52:31):
Thanks for joining us this week on Shifting Privacy Left.
Make sure to visit our website, shiftingprivacyleft.com,
where you can subscribe to updates so you'll never miss a
show.
While you're at it, if you found this episode valuable, go
ahead and share it with a friend.
And, if you're an engineer who cares passionately about privacy,

(52:53):
check out Privado, the developer-friendly privacy
platform and sponsor of this show.
To learn more, go to privado.ai.
Be sure to tune in next Tuesday for a new episode.
Bye for now.