a good thing!
At the Hello User podcast, we've established a reputation for speaking with folks outside of the identity industry whose notions of personal identity are formed in part because they're big identities themselves—people like actor and former NFL linebacker Terry Crews and Mick Ebeling, the founder of problem-solving innovator Not Impossible Labs. Their perspectives can teach us a lot about the actual human voices of those who are impacted by the decisions that companies make around identity.
But it’s also instructive to explore what those deep inside the identity space are thinking, feeling and doing. Those experiences and insights shed light on an existential subject that shapes the lives of each and every one of us. At the end of the day, the thousands of practitioners in the identity industry must figure out how to deliver digital identity that can keep users secure, protect their privacy and engender a high level of trust.
This week I sat down with Mike Kiser, Senior Identity Strategist at SailPoint, to explore some of the questions around digital identity and talk about where the industry is headed. Here are the highlights of our conversation.
“It’s important not just to make things more secure but also to make people feel less vulnerable.”
Mention “digital identity” and “trust” in the same sentence, and you’ll find the thoughts of identity practitioners often go right to Zero Trust: the strategic concept that puts identity at the core of security rather than relying on network perimeter controls. But trust is a two-way street. Not only do organizations, businesses and other entities need to verify the identities of those accessing resources, they also need to establish trust with those end users by giving them reason to believe that their data is secure and that their privacy is protected.
Why is this type of trust sometimes tenuous? Because, as Mike puts it, identity practitioners tend toward doing what they think is “best” for people instead of addressing their perceived needs. Coders aren’t interfacing with people directly, so they focus on the safety and security of the digital person instead of focusing on the “emotion” of the person: their feeling of vulnerability. But we’re starting to see a shift in this thinking, as evidenced by Apple’s 2020 campaign "What happens on your iPhone, stays on your iPhone." The more the identity industry can invest in establishing trust and creating a true relationship, the better off it will be.
"Accept the cookie or move on to a different website is not a real choice."
The old privacy paradox says that human beings want security and protection, but their behaviors are opposite of those desires because they freely give away their personal data anytime they’re asked. (Want a 5% off coupon? Just hand over your personal information through this website!) But lately we’ve seen evidence that the privacy paradox was probably always a biased outcome from a long-ago analysis, because until now people have never really had meaningful choices. Accept a cookie or leave is not a choice.
But recent developments demonstrate that real choices are happening because people are starting to understand what’s happening to their data. Take the recent report that 96% of US users opt out of app tracking on iOS 14.5, or Andrew Yang’s Data Dividend Project, which would require social media, big tech and other companies that traffic in personal data to pay users for using their personal information. Regarding the latter, people don’t have a true valuation of their own privacy yet, but I believe they’re starting to have a better understanding, especially as the topic gains steam in news headlines.
"Identity is woven into every aspect, every thread of fabric in a security framework, and we spend our careers fighting to make that clear."
Throughout my career, when I was in corporate trying to talk to business executives about the importance of identity, it usually resulted in them visually and mentally checking out about 13 seconds in. My experience has been that people who work in identity are harsh critics and both pragmatic and cynical when it comes to the state of security in the world. We work in a security segment that is discounted because it’s not as exciting as, say, vulnerability management or application scanning. It’s simply giving people access to stuff, so how hard can that be?
But recently I’ve seen strong interest in the security industry exploring why cybersecurity frameworks, as they exist today, are—frankly—failing. The numbers clearly show losses are continuing to escalate, and when you look at ransomware and phishing and straight hard hacks, you see a hockey stick headed in the wrong direction. And as long as we operate under a cybersecurity framework for security architecture that puts a database in the forefront instead of a human being, the damages will continue to mount. So it’s encouraging to me that in this last year I've heard significantly more talk about identity, since we cannot turn back to the days of willful ignorance.
At Ping, we’re working to help IT and LOB realize the business value of identity.
"Whatever we have going forward can’t be centralized. It has to be distributed and out where it's being used."
Here at Ping we've amped up the conversation around the notion of personal identity—where individuals, not companies, have jurisdiction over their own identity data—so it was fascinating to hear Mike’s take on where identity control is heading. He sees the days of centralized control, where an organization collects data to know their customers and their employees in order to protect them (often with the intent to shield them from fraud), as winding down, with things becoming more and more distributed.
So, for example, someone can use part of their digital identity in lots of different places, not just at work but at a tennis club or a knitting circle or a concert, all of which will have some kind of digital component that makes use of some form of a person’s digital identity. What form that ultimately takes still remains to be seen, but identity will be at its heart, and whatever the industry has going forward will be distributed and out where it's being used.
"Companies are calling themselves identity companies when they’re really just a utility."
One of my concerns around the future of our space is that there are a growing number of companies that say they are in the identity industry but are simply acting as utilities, selling tools without creating solutions or innovating around fuller notions of what identity is. That has led to consumers conflating identity tools being easy to use with identity as an approach being an easy concept. There’s nothing easy about identity, but as we see massive amounts of money being poured in on the investment side of the equation, I yearn to see an advancement of innovation as it relates to identity.
"We're going to see the rapid adoption of a pocket-based digital world."
We wrapped up our discussion delving into an area in which Mike and I are both excited about: the possibility of mobile devices being a way to enfranchise people. It’s a common argument in the identity industry that we can't progress around mobile-based authentication because people without smartphones are going to be left behind. In the meantime, people are currently being left behind—and we need to do more to fix that problem.
Mike would argue that in a lot of cases, mobile-based identity can enfranchise people who have been disenfranchised. For instance, in West Africa, it has opened up micro loans to a whole new population that have mobile phones but don’t have broadband or even home addresses. It may be massively expensive to scale, but it's still relatively cheap to get a device compared to getting a Windows or Mac machine. And given that there are massive amounts of business transformation, business process change and human behavioral changes involved in using a digital version of the identity card in your wallet, I think it's going to be a really interesting time for the next several years.
Thanks for joining in on the conversation around where the identity space might be headed. To listen to the full discussion and find out about other episodes, please head to the Hello User podcast page.