John: All they’re going to do is say ‘here’s a list of providers that we can talk to on Facebook and a bunch of other ones really’. But that’s really not releasing the identity. It’s just kind of going ‘okay we know who you are, but we still own the identity’.
Richard: Back again to the 100-point check, instead of turning up to the bank with a photocopy of your bank, passport and driver’s licence and so on, and doing a face-to-face proof, there’s a move into online verification, identity verification, which actually achieves the same result.
The integrity of the 100-point check is still there. The banks can rely on it; therefore they can transact and deliver value. If that’s the case, if that capability is available, doesn’t it still apply that the organisation has access to be able to consume that, as well?
John: It depends on the identity. I have a Facebook account. You can look me up as John Jones within the organisation and do a 100-point check. But whether or not I’m actually that person on Facebook is a different thing altogether. So Facebook has addressed this with organisations in the last year or so as more have moved to create their own Facebook pages. It’s only more recently they’ve gone and actually provided visibility of the index file, so now anyone can make anything.
Gabriel: I think we shouldn’t confuse two concepts here. There’s basically the matter of how you establish somebody’s identity in the first place, and I think that’s what Richard is talking about here with the 100-point check. What they’re doing there is accessing things like births and deaths records, to establish that a person of that name does exist and looking at other factors to identify.
That’s how you establish them upfront, but then it’s how you actually continue to prove their identity on an ongoing basis, and to me that’s where there’s far more opportunity to adopt new and emerging technologies – things like the actual phone and other things they bring along to the party to say ‘here I want you to use this to prove I am who I am in future – I’ve established here now that I am who I am and this is how I want to be identified in future’.
Richard: It’s a good point. How much of a market is there for consulting organisations like yours to deliver that to customers, deliver that thought leadership to customers?
Gabriel: I find myself in discussions around that all the time. I think it’s very instrumental for the business we’re in.
Mark: Because we’re at the start of that movement, I think we need to move towards a different way of looking at identity and access, because they’re two different things.
There’s going to be quite a bit of opportunity over the next three years for organisations such as us to go in and hand-hold organisations and guide them through. Where those conversations lie or shift from the traditional technology chat, which is ‘come and play’ for a lot of technology companies, we’ll see more engagement with legal teams and talking with the business front and talking with HR.
CRN: The conversation’s been weighted very heavily around actual security and compliance and all these strategies for risk mitigation, but what about the productivity and efficiency benefits that can flow from an intelligently thought out and deployed IDM strategy? Presumably this is the harder part of the sell?
Mark: Yes, particularly when you’re talking about smaller businesses. So my history is not from technology and info security. It’s from service management, so I set up service desks and IT teams.
One of the biggest drivers for investment in security solutions was the challenge of resetting passwords in call centres. And it still hasn’t changed with all the technology that comes through. There’s an enormous amount of money spent on supporting identities. This is due to a cold, hard fact about business. It’s about retaining customers.
The more time staff are on the phone to a call centre, the less time they are generating new business. So getting ‘high-end’ organised and having the 100-point check is an enormous productivity challenge.
Richard: The biggest thing from our experience probably in the last three years, our largest growth in our business, with 50 percent plus year-on-year growth over the last three years, has absolutely been productivity and delivering.
The money is coming from the project; it’s absolutely where the ROI is. The biggest drivers in terms of ROI are customer acquisition and retention, and identity goes to the heart of that through customer experience, meeting customer expectations, exceeding customer expectations and product service delivery. So we’re seeing a huge amount of new money and continued investment. It’s not just a stand-up project to try and resolve this, it’s about continuous investment.
David: So Richard, presumably a large part of customer spend is within the firewall? Or is it outside? Are people spending it in their own domains?
Richard: Our experience over the last couple of years has been two-thirds, one-third. One third around governance, provisioning, what I call the plumbing – on-boarding, off-boarding, business process. It’s maturing in terms of governance and gestation onboarding and offboarding, especially around applications.
That segment has been growing at an industry average of 15 to 20 percent year-on-year, but our biggest growth is actually in online. I call it online – both internal and external – because of the de-perimeterisation, the blurring of the lines.
I was sitting with the CTO of a telco last week. His major questions concerned his two key constituents: ex-customers and internal. He said ‘I don’t care anymore. They are the same. They are constituents. They are people and identities that I need to work and deliver products and services to’.
They may have different drivers, but from an internal perspective, the products and services being given by the business and productivity in that employee pool, products and services to deliver a new capability and revenue streams and jump on board, before being wiped out by your competitors in speed to market, it’s the same.
CRN: Are partners around the table here seeing exciting opportunities for small businesses with regard to marketing and deploying IDM solutions? Presumably in the enterprise and mid-tier companies there’s a reasonable understanding about IDM, but what are you experiencing further down the chain?
Mark: We are seeing some opportunities. However, at the moment the cost of an ID is prohibitive. So for SMBs to do that, a key option is ID as a service (IDaaS) where they can release that cost, and make it just an item on their ledger.
Rene: Do you think there’s an opportunity for all of us here to look at providing Identity as a Service, or doing more of managed services, where the client still owns the infrastructure, but where our task is the responsibility of managing the infrastructure? Do you see that as a vehicle for getting into mid-market and smaller accounts?