Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:01):
Hey everybody, fascinating chat today as we dive into the world of cybersecurity and identity. Fascinating topic with the IDSA, the Identity Defined Security Alliance.
Jeff, how are you?
I'm doing really well, Evan, and how are you today?
Amazing organization. We're going to dive into lots of interesting topics.
(00:24):
Before that, maybe introduce yourself, your bio and background, and how do you describe the IDSA exactly?
Speaker 2 (00:31):
Sure, and thanks for that opportunity and for the invitation. I really appreciate being here.
My name's Jeff Rich. I'm the executive director of IDSA.
As Evan indicated, I have a history. I've been doing security work for about 50 years, information security in particular for a little over 45.
I started the security programs at Arco Oil and Gas Company and
(00:54):
at Dell and at Brackspace and a few financial services companies, worked in a couple of startups.
So even though security has always been the spine of what I do, I've always been able to spread out and do additional things as well.
And for the last couple of years, over two years, I've led the IDSA and had an even deeper dive into what identity security
(01:19):
means, and it couldn't have come at a better time because it is in the forefront of everything now.
Speaker 1 (01:24):
It is indeed such an amazing topic, and what gap were you trying to fill in the identity and security world when you launched the IDSA? What was the mission at the time?
Speaker 2 (01:34):
Well, to be clear, I didn't launch it. Julie Smith was the founding executive director; she retired and I came in about two and a half years ago, but the gap, as you say, to be filled really hasn't changed. In fact, it's widened.
Because, you know, I could read the whole mission statement. But, briefly, our mission, our goal, is to raise the level of
(01:55):
identity security and identity security awareness and the security of identity, and I can explain what the difference between those three are.
And that gap really exists because everything we do now depends on what your identity is and how it comes across.
You know, if you go back 50 years, identity was easy.
(02:17):
It was easy. You said your name, you might have a passport, you probably had a driver's license. My first driver's license was a piece of paper with my name, which was not a really good way to identify someone.
So, as we had more capabilities, we started to apply those to advance how identity works, got in a pretty good place, and then
(02:39):
the cloud came, in particular, and AI.
That has now exploded to the point where, with all the different machine identities that we have and all of the artificial intelligence behind different types of identities, it's now almost impossible to determine who's who.
In fact, there have been many research surveys indicating that
(03:02):
there are more machine identities on the Internet than there are human identities.
Speaker 1 (03:08):
Yeah, what a brave new world, to say the least, and we hear a lot about identity being the new perimeter. What does identity-defined security really mean in practice, sort of on a day-to-day level?
Speaker 2 (03:19):
Well, you could look at it as identity as the new perimeter. There's a large contingent that believes that very phrase and there's almost as large a contingent that says no, that's the wrong way to look at it, just like any sort of new technology or how we're going to do it.
But the concept behind that is the same for everyone, in that you have to be able to protect identities or you can't protect
(03:41):
anything else.
Now I get where identity is the new perimeter, and I've often used that phrase because in my career in information security, you know, the perimeter at one point used to be the computer room, then it became the data center, then it became the local network, then it became the worldwide network.
Now, especially with the cloud, the perimeter exists in every
(04:03):
device that does everything.
I'm looking right now and I have more equipment than I need. I have six screens in front of me, right. I have a microphone with a chip, I have a soundboard with a chip and a phone, and you know that list goes on.
Every one of those chips has at least one identity associated with it.
(04:23):
So with all of that going on, when you go back to the standard identity phrase, who goes there? You can't answer that easily anymore.
So that's the gap. That's the gap that we are bringing our members together to fill.
Speaker 1 (04:40):
Let's talk about your members. You're a sort of vendor-neutral organization. Why is that important these days when it comes to bringing partners together?
Speaker 2 (04:53):
Well, we're a nonprofit first of all, so by definition we have to stay vendor-neutral and almost everything we do is offered free to the public. We do have some member-only benefits.
But specifically the reason that we are saying vendor-neutral really benefits everyone is that when we get something in front of the public or our members, we're saying
(05:15):
here are some facts, there may be some missing, there may be more, but here are some facts and here is an unbiased view of what needs to be able to happen.
In some cases it's going to be here's some best practices. Other cases it's going to be here's a case study of what doesn't work or what does work.
And in all cases we like to be able to say, and when you look
(05:36):
for a solution for your organization, for this problem, don't look necessarily to one vendor. Certainly don't go buy the solution and then figure out what your problem is, which happens more often than I think people want to admit.
But specifically, we're together, we can see what the different issues are based on your environment, and then you
(06:01):
can take a look at what solutions do you need.
And in fact, often we have two or three members that will collaborate and say, you know, all of these three products we have working together may work well for a customer, so we can guide people towards: hey, here's some organizations that are willing to work together. Take a look at that.
Speaker 1 (06:20):
Wonderful, and I'm looking at your website, idsaallianceorg, and you do some amazing research around identity-related security incidents. Maybe give us a state of the union. What's happening at the moment? What can we do better?
Speaker 2 (06:46):
In addition to our working groups and other things, we have an annual research report, which, I'm guessing, is what you came across.
Typically, this has been published in May, and beginning this year we are doing a September release.
So we're in the process of doing that research as we speak, actually, but I can still give you a pretty good state of the identity, which I'm not sure if I just coined that phrase or not, but you know, we're kind of past the is everyone using
(07:11):
strong passwords? Almost everyone is.
The good news is, more and more people aren't even using passwords. They either use a token (I'm sure I have one hanging around here somewhere; in fact, here's a couple of them). If they're going to use a token to be able to authenticate themselves, to log in, they may use a fingerprint, they may use a facial scan.
(07:32):
They may still have a password, because you still need something to say: when I originally signed up, this is who I said I was and here's how I can validate that.
But, beyond everything else, you're going to say only accept my authentication when it comes from this machine, from this MAC address.
So all of that is there now, which is good.
(07:53):
That being said, everyone would say, oh good, ransomware is done. No, no, no, no.
Data can still be stolen, and it is. And when that happens, denying access to individuals with identities can sometimes be worse than simply stealing an identity.
Identity theft still occurs, but more and more now it's
(08:16):
ransomware.
In control, use repeat IDs and, in some cases, repeat passwords to get into different sites.
It's easy to be compromised and therefore have all your data,
(08:37):
whether it's for yourself or for the organization you work with, be stolen, sold or unavailable.
So that's probably the big thing right now.
We also have deep fakes. We have fake identities we have to deal with. There's a lot going on around that, ransomware and stealing.
The availability and use of data and identity, I believe, is
(08:59):
still the number one issue.
You know we ask questions as we prepare for our research. It's through a third party, so that we're not aware of who's answering or what companies are answering the questions, on purpose, and some of the questions we had asked that we dropped this year are, you know, has your company been affected by a cyber incident involving identity?
(09:22):
Last year it was 98%. We knew what this year was going to be, so we didn't bother asking that question.
However, there are some things we're working on now, such as how many organizations believe they aren't using AI for identity. We have to ask it that way, because simply because the IT department says we're not doing that doesn't mean it's true.
(09:42):
How many organizations are doing it on purpose and how many organizations have efforts in place to defend against the evil AI and machine identities that are out there? That number is still pretty low and that's the current gap.
If I want to go back to the original question you asked,
(10:03):
that's the current gap that needs to be filled.
Blend that in with Zero Trust. Zero Trust is a framework. It's not a product, it's not a solution and it shouldn't be applied everywhere because it's far too expensive in many ways.
But where Zero Trust does need to apply, identity is the very
(10:23):
first pillar, and organizations that want to implement Zero Trust but want to take a shortcut to "I'm just going to use the identity we use for everything else and not worry about it" are going to run into problems.
So these are the. If you're asking for a state of the identity, I think, in general, we're doing better.
However, I think the potential for fraud and doings is
(10:48):
growing and we run the risk of falling into that pit, rather than keeping ourselves in a pretty good position.
Speaker 1 (10:56):
Interesting. So you mentioned AI, and we're all super hyped about AI and automation, gen AI, et cetera, for good reason. But what do those technologies mean for identity management, especially when you think about bots and machine identities and this tsunami that we're facing?
Speaker 2 (11:22):
So there's a number of ways it applies.
They do their identity management, whether it's provisioning a new account or granting access to a given resource or decommissioning an account. That all takes time and it's done by people who, I'm sure, are all competent, but for the most part, they follow a script and
(11:44):
we're at the point now. Anything you do that is script-driven is a really good candidate for automation, so automation should really be a good thing for people dealing with identity.
You can also use automation to rotate identities, and that's a concept that I believe in but not everyone's doing yet.
To say, whether it's authentication methods or
(12:07):
identity, I don't want to appear to be the same as I did a few minutes ago. I need a way to reference that so whoever's authenticating me knows. But by changing, I'm kind of a moving target.
I don't know if you have a credit card, for instance, and, by the way, which is a form of identity. A lot of online places say give me your credit card and I accept that as your identity, right.
(12:29):
I don't know if you have the kind of credit card where you can easily change your credit card number. I do, two of them, and it's one that I rotate every month. I just say give me a new number, and I'm okay with that, because I can't remember the last time that I got a
(12:49):
"Hey, your credit card number has been compromised," and I feel good about that.
Plus, if someone even wanted to try, good, please waste your time, go right ahead. That number doesn't even work anymore.
So I think the more we can use automation to do the things that we know need to be done routinely, the better off we're going to be, as long as we know it's the right process.
In addition, we should be able to use AI, and automation AI in
(13:12):
particular, to start identifying when is the person that identifies themselves as Evan not Evan? It looks like Evan, it sounds like him, and, because of what you do, there are hundreds, if not thousands, of opportunities for someone to grab your facial features and your voice.
All right, so you are in that high risk range.
(13:35):
I don't know if you knew that or not, but congratulations.
Speaker 1 (13:38):
Yes, thank me very much.
But yes, I see that, with bots impersonating me all the time, yeah, and how do you defend against that?
Difficult these days. Now scale that to an enterprise and I can only imagine. So one challenge is, you know, there's a flood of security tools out there. You talk to banks.
(13:59):
Sometimes they have a hundred vendors plus. Isn't unusual.
How does the IDSA help companies make sense of what they need versus what's noise, versus what's proven, tested, et cetera?
Speaker 2 (14:13):
Well, first of all, we don't have a silver bullet. If we did, we wouldn't be a nonprofit, we'd be doing something else.
But seriously, we have working groups. Like, we have one that works on Know Your Customer. Right now, banks have a lot of extra emphasis on that because
(14:35):
the perimeter of the bank has moved. The perimeter of the bank is no longer the four brick walls that hold the building.
As an example, if you go to a dry cleaners and you write a check for the service, that dry cleaner is now a part of the bank. They go through the risk management process as to whether to accept your check or not.
Even though it's a system that goes back to the bank that says
(14:57):
we don't see any problem with this, there's still a number of things they need to do to secure that.
So the perimeter of the bank has moved, so banks have to put a much larger emphasis on who their customer is.
If any organization that does any consumer-based work works in the EU, just as an example, you are required by law now to have
(15:23):
a Know Your Customer program in addition to GDPR. That says you know who the person is, you can validate them, you know they're not being impersonated and you know their history.
So that's one example. That's a working group that works, and working groups have deliverables that could be blogs, webinars, white papers, and
(15:45):
we've done that.
We have a framework architecture right now that we're going to start filling with white papers and supplementing with webinars on Know Your Customer.
We have another one with AI and identity, which we've already talked about, and we have one that we're starting now, non-human identities. Since they now outnumber us, we figure we
(16:05):
now have a working group about it.
Speaker 1 (16:08):
Brilliant. Important topic. So give us a peek behind the curtain at the IDSA. You've got so many different voices involved: vendors, security pros, analysts, et cetera. How do you keep the conversations productive and on track and not off the rails?
Speaker 2 (16:27):
You know, sometimes it's good to go off the rails, and I'm very serious in that, because if we always stick to the "well, we need to talk about identity and authentication and what tokens are going to work," I mean, those are important discussions, but the novel idea that's going to break through the next problem is only going
(16:49):
to be discovered when someone does something that might be crazy and then when someone else says, hey, wait a minute, that may not be a bad idea.
We get a lot of those. We like those discussions.
So what we do? We have some member meetings, we hold webinars where members, they can't sell their products in webinars, but through thought
(17:10):
process, and good webinars generate a lot of questions.
And we like off the rail, you know, as long as they're reasonable. We like off the rail questions because it makes the speaker in the webinar think about what it is they're presenting.
And we've had "that's a good idea. I'd like to get your information because I think that's something we may want to try."
(17:32):
So I like off the rails. The only thing I do: I'm a time keeper when this happens. That's it, and I think that's a good thing.
Speaker 1 (17:41):
Great point. So just in the last few minutes, you mentioned some key trends you're keeping an eye on: passwordless login, zero trust, decentralized IDs. What are the other key themes (we can't go into all of them) you're tracking at the IDSA?
Speaker 2 (17:58):
Well, I think, without question, non-human identities and AI, those two are going to take most of the oxygen in the room for the next six to eight months, I believe, because there aren't enough solutions or not enough knowledge yet, and we have reached the point where technology can move faster than we can.
(18:19):
Now, it's always been that a computer can do computations faster than a human can, but we're at the point where the new breakthroughs on capabilities are happening faster than humans can keep up with it, in my opinion, at this time. Yet another gap.
I really liked your question. If you don't mind, I'm going to start using that more and more: that we have to see the gaps
(18:42):
and what do we do to bridge or cover the gaps or jump over them?
And I think those two are going to really drive what a lot of identity organizations in particular are going to want to do, because organizations, you know, big retailers, everyone else, they're going to be stuck with
(19:03):
technologies out there. The bad guys know how to use it and they really have no rules. And we are trying to catch up. How can we close that gap?
And I think you're going to see, especially coming out of our research report and our working groups, you're going to see a lot of good thought leadership on either what the problem is or what sort of, not technology, but what sort of process and
(19:25):
philosophy is going to get us through it.
Speaker 1 (19:28):
Wonderful. Well, speaking of philosophy, I mean a lot of CISOs are, you know, pretty overwhelmed with the challenge they're facing. Not that you can be a psychologist here, but what do you think when it comes to shifting the mindset, changing the mindset when it comes to security priorities and identity and other issues, because there's a lot of burnout,
(19:51):
there's a lot of overwhelm and there's a lot of just checking the boxes versus truly changing the way you're thinking and acting.
Speaker 2 (20:01):
So good compliance is worthwhile. Compliance for the sake of compliance, which is a checkbox, is actually a false sense of security, and it's not only not good, it's bad for you, because you get the feeling, well, I did everything I was supposed to.
I'm going to give you another example of that. I'm guessing you might be aware of the PCI standard. That's the security standard dealing with transmission and
(20:25):
use and storage of credit card information by merchants.
Every single credit card breach, with very few small exceptions, but every big credit card breach that occurred, that organization was PCI compliant until the moment the breach occurred.
Speaker 1 (20:41):
Wow.
Speaker 2 (20:43):
And, by definition, when you have a breach you're no longer compliant, which is why it works that way. So simply being compliant is never enough.
PCI standard's good, but you need to have good security that results in compliance rather than being compliant and thinking you're secure.
So there's certainly that, and I think CISOs need to keep that
(21:05):
in mind, that simply having a good GRC program, which is good and needed, isn't enough.
And I came up way back from law enforcement, then through a technical background into a CSO. Actually, I've never had a CISO title. I've been a chief security officer, I've been a chief risk
(21:26):
officer, a number of things, but I never officially had the CISO title, and at this point in my career I don't think I ever will. I'm fine with that.
But the stress that I see on CISOs now is: I came up through the technical ranks and I'm not getting the support I need from the rest of the executive team, if they even are on the executive team, and they're having trouble bridging that gap.
(21:49):
And that's because although they may be great technically and they may be good communicators, they never learned to speak the language of the audience and they're not all good at reading a room.
And that adds a lot of stress because, no matter what you do, you end up, you know, in the food line, you're last in line and you get only what's left over, and the security
(22:13):
organization needs to have an equal part.
I'm not convinced that identity management needs to be part of a security organization. In the past it was separate, then it's been folded in. It may be time for it to move out again and have security focus on security and have an identity organization focus on identity. So I think that could help relieve a lot of stress.
(22:35):
And as a CSO at a couple different organizations early on, I learned that CSO stood for chief scapegoat officer, and you have to recognize that kind of comes with the job.
You know you're not catching bullets, which is a good thing, but you have to recognize that when something bad happens on your watch, you run the risk of having to take the fall for
(22:56):
that shouldn't have happened, whether that's justified or not.
I think as more CISOs accept that that can happen, they can get more comfortable in doing the right thing rather than worrying about am I going to lose my job?
You know, having a job is important. I'm not trying to minimize that, but they need to focus on doing the right thing and not let the pressure of am I going to, you
(23:20):
know, am I going to get sacked drive what they do, and, you know, I'll repeat the first one: they need to learn the language of their executives and read the room, that they need to take them to lunch and just have a conversation, because until they do that, they won't know who they're dealing with and they're going to be looked at as overhead and the enemy,
(23:42):
and that doesn't help at all.
I really think that that helps bring down the temperature of CISO stress in a big way.
Speaker 1 (23:49):
Wow, such an important and overlooked insight. Thanks for that.
So, as we head into this hot summer, especially for you down in South Texas, what are you looking forward to personally and for the IDSA? What's on your radar?
Speaker 2 (24:02):
Well, we're focusing on the research report this summer, so that's important.
We're always looking to bring in new members because the more voices we have, whether you're an identity vendor, a consuming organization like a retail organization or an individual contributor, the more voices we get, the better the messages
(24:23):
that we can get across, and everyone benefits from that.
So we're looking at those two things.
The presentation of that report will be at Identity Week in Washington DC in September, so that's really like the next focal point for us.
I have a couple other security conferences that I'm going to be engaged with after that in September, mainly some that are
(24:47):
hosted by our members, which is good.
We facilitate some events for our members as well, bringing on, you know, here's a third party, look at what we're doing, rather than you're only going to hear vendor pitches.
I happen to be. I'm going to put a real pitch into this real quick. I'll be at BSides San Antonio this Saturday.
(25:07):
Chances are, if you're near a city, there's a BSides at some point during the year that's near you. I can't recommend it highly enough because it is still the original grassroots organization and it's great that, in my opinion, it really hasn't changed much.
So I'm volunteering there. BSides, this Saturday. Go find one if you haven't yet, and
(25:28):
that's, I think, going to be pretty much the summer.
Speaker 1 (25:31):
Well, have a great one. So informative and insightful, and keep up the great work, really important mission.
Speaker 2 (25:38):
Well, thank you very much. It was a pleasure being here and I really appreciate the invitation. I look forward to coming back.
Speaker 1 (25:43):
Thanks, and thanks everyone for listening and watching this podcast, and check out our new TV show as well, techimpacttv, now on Fox Business and Bloomberg TV.
Thanks everyone. Thanks, Jeff.
Speaker 2 (25:56):
Thank you.