Welcome to our KuppingerCole Analysts webinar, IGA, Identity Governance and Administration, and LOB, line of business application access management. What we will see in 2024. This webinar is supported by Pathlock and speakers today are Keri Bowmann. She's Senior Director Product Marketing at Pathlock and me, Martin Kuppinger, I'm Principal Analyst at KuppingerCole Analysts.
Today, this will be more a fireside chat. So just the context of the housekeeping. So audio controls, the same as usual, you're muted centrally, nothing to do here. We will run two polls. We will do Q&A. So we may involve questions you enter into the tool. During our chats, we may answer some of the remaining questions by the end of the webinar. So feel free to enter questions at any time, the more questions we have.
Also, during our conversation, the more lively we can do everything. And finally, we are recording the webinar. And the recording will be made available soon. Download the presentation slide deck in this case is really just a few sort of agenda slides. That's it. So this is of lesser value than it's usually. So before we dive into our topic of today, I'd like to raise the first poll already. And the poll is about responsibility for application access controls for line of business applications, such as SAP, such as others. So are these different departments depending on the application?
Or is it the SAP department? Is it the IAM department? Or others? So we leave this poll open for a bit. And while you parallel may respond to the poll, we are already, I would say, moving forward, having a look at the agenda. And for the agenda of today, as I've said, we will have a fireside chat between Keri and me, and really want to look a bit into the future of application access control, or application risk management, or whichever term you prefer here. So welcome, Keri. And maybe you introduce yourself before we move into the conversation.
Absolutely. Thank you, Martin. So as Martin mentioned, I'm a senior director of product marketing for Pathlock. And my background has really been growing up in the SAP security space. So I started out consulting about 14 years ago, and had a focus on specifically risk and remediation. So designing security with risk in mind and controls in mind, implementing various access control solutions, and customizing those rule sets for customers in different industries.
So again, really throughout my career, just a focus on how we enable users with access, but also securing it. And then I've moved over from consulting into the software side of the house, and now assist in delivering a software solution to customers to do those things in an automated fashion that I often used to build manually or implement myself.
Okay, great, Keri. So let's start.
And yeah, everyone talks about AI these days. And so sometimes when we look at what is discussed, it looks like AI is the solution for everything. I've seen AI in the 1980s or so already. And it took a bit until we are where we are. And it will probably take a while until we are where some people talk about it, maybe some areas we never reach.
Anyway, when we talk about AI and access. So the question really is, what do you expect? And I'll bring in also my thoughts about what to expect in terms of AI specifically for access governance. So is this something where we really will see an impact of AI? And I think with everyone also talking about generative AI these days, is there a place for generative AI when we look at line of business application or access controls?
I think so. I think we're already seeing the impact of AI and things like a lot of times we hear it referred to as machine learning, right?
It's that analysis of what we're doing. And we're seeing it throughout the process, right? So it drives not only how we design access, maybe and how we deliver it, but we're starting to see it in how people request access. So the first iterations of this were, I am going to deliver access.
Well, if my solution can do analysis for me on similar users with similar traits, it can identify the most common access that I maybe need to assign, right? That's kind of the basics, the first iterations of it. And that's pulled through into things like how we review access, how much of this access is used based on the title, what's in comparative users, what's the likelihood I'll use the rest of it, you know, things like that. So that's how we're seeing bits and pieces of it today.
I think going forward, we'll see even more around how we, in particular, how we design access and how we design the risks associated with monitoring and controlling. So things like having AI to identify there's been a change in your solution, there's been a change in your application in what is being used or the frequency of use for something it's associated with risk XYZ, you should consider updating this risk to account for this usage. Things like that, I think we will see coming. And I think there are some good points.
I think we are relatively good already in analyzing who has which entitlements. So how do people, which people are similar in their entitlements and stuff like that. What I frequently still miss is, so from my perspective, this is a lot about what they could do part. So what could someone do? But I think the other part of it is what is someone? Doing? And I think this is the part where, and at the end, you said ML, and I also changed between these terms, because they are used in a pretty fuzzy way.
Anyway, and I also, honestly, I prefer thinking of AI as augmenting intelligence, more than as artificial intelligence, because I think what we see these days is it augments us humans in doing things better. By the way, even when you have a modern vehicle, you have augmenting intelligence in it. It's all the assistant services. It's humans building the design, and this helps us to improve that. And I think this is the way to think about it, because then also AI is not scary, in a way it's sometimes seen these days. But back to that, I think ML depends on huge amounts of data.
So the charming thing is, the more you look at what someone is doing, the better at the end of the day ML can work, because it's then about huge quantities of data, looking at what is really happening. And then I think one of the next things also will be correlating. So when you talk about risk, and my thinking is a bit about, we have, what is Martin doing in SAP? What is Martin doing in Salesforce? What is Martin doing in whatever, in the Active Directory or based on Active Directory? So look at the IG part, not only line of business application, what is happening on the network, etc.
And I think this combination also helps us then, again, dealing better with risk, better understanding the risk and taking appropriate actions, or when you go to line of business, along the business process, across all the line of business applications. So how do these things correlate?
Yeah, that's a great point. I mean, you and I've talked about it before that we're seeing this expansion of regulation and audit moving into line of business apps, right? Not just your main ERP, but what is everything that touches and interacts with that. And when we, to your point, if we have a better way of assessing the data that's moving between those applications, in addition to what's just happening within them, we can better understand the potential for risks and for what users are performing across the applications.
And that may help us identify, to your point, what are the other apps that we need to reach out to? What in the network should we be concerned about? Because we'll be able to understand better the interplay between all of those.
So, you know, I find that so interesting seeing where the risk landscape will go and where we'll be addressing things next. Yeah, maybe to a certain extent, even a bit of reverse engineering, business processes, or really understanding things that span multiple applications. So if your supplier management is on a different system than whatever you're invoicing, then understanding, you know, if it's all in the same system, it's relatively easy to understand, okay, the invoice was right after onboarding the supplier. This is strange. This is weird.
If it are two different systems, we need more capabilities to do that. And I see that there's definitely a very big potential of helping us in doing things better. And then I think there's a Gen AI perspective, which is, I think they're the usual thing. So you can probably build certain things better in applications based on good prompt engineering, good prompts, which make you more efficient, like supporting you in coding, supporting you in setting up rules, supporting you in these things. What I also see when I thought about this, I think I'm curious about your perspective.
I think when we look at reporting, the reporting usually has this number element, or just whatever the actual part, so to speak. And then there's the text part. And I could imagine that we get significantly better and more efficient on the text part when we make the right use out of them. When you're saying the text part, you mean like the descriptions that we use?
Yeah, like we need to deliver a report. There's a lot of running text, plus all the other stuff. One of the biggest requests we always hear from the business, right, is can you put this in business terms for me, right? A risk can be very technical sometimes. And so I do agree with that. Not only would there be value in helping to improve or automate, right? We think of ChatGPT, for example, right?
I have coworkers who work with it and love it for the fact that it can collate a lot of information and write it in the voice that they want to hear it in for when they're thinking about how they want to talk through something. So capabilities like that, I think, to your point, taking what's an Excel file, a lot of data points, a lot of technical jargon, and turning that into, one, business speak, business language. What does this risk in reality mean? And how do I explain it at maybe a director or a C-suite level to someone?
But also I like the idea of, without you having to think about it, I like the idea of not just translating the risk, but then translating it in its entirety, the collective of it, into themes, right? So that because right now it takes someone with a significant amount of background to look at all those things and through experience identify themes.
Oh, if I'm consistently seeing this risk and this risk or this type of usage, it may be indicative of this other thing happening. If you can enable AI to, as you said, augment some of that stuff where you take some of that expertise and it can do that for you, I think that could be very valuable for businesses because it helps them to better understand what they're seeing in the data if they don't always have experts on hand with the experience to be able to do that translation for them. Yeah. ChatGPT created me a three-page summary for my manager, so to speak.
It's too short of a prompt, but basically that's the idea. And I think that there are samples where we see some of these things really being made or even create a PowerPoint out of it, what you need, whatever it is. And I think this is definitely a potential.
So maybe, and this is, I think, very, very closely aligned to one of the other talking points we discussed to cover today, and this is skills gap, because we just talked a lot about augmenting people. And I think this is the other side of the coin is we probably don't have sufficient experts in that area with a lot of different applications.
Also, the challenge also is not only that we don't have enough experts, the challenge also is we have so many different line of business applications that few people are experts in all of these applications, not to speak about the non-LOB parts or the standard, so to speak, applications on systems, et cetera. So, and I think there are two aspects on that. The one would be continuing what we just discussed around AI. The other is more generically, can automation help us? Can we get better on this by using the right type of technology? I think so.
I think when you talk about skills gap, that's a great point. I mentioned when we kicked off SAP has been my focus of my background, but in the course of 14 years, I've had customers who are using Oracle, Salesforce, Ariba, various different applications, and you have to learn those in the security capacity if you're going to be able to help them design rule sets for risk and things like that. But that can be unique, especially if you aren't employing a lot of outside consulting or specialized help, how can you in-house develop those skills?
And I think to your point about augmenting and automation, if we can take some of what we know, we know what each application does, and use that AI automation, like we said, to draw some conclusions, help point us in the right direction, right, for what we can focus on, that can help narrow it down so that we have the scope of what we need to be learning about, because it's quite a large thing. For example, when I first started working with Oracle, it's quite a large thing to walk in and try to understand the security structure of that, what can be done in that application.
Same with SAP, and then you have all these terms, which are consistent. I think the only consistent thing with terms is that they are used inconsistently.
Yes, exactly. How do you learn all of that? How do you invest that into the most relevant things so that you can understand and speak on the topic? Absolutely, I think that's such a great point. For every IAM expert, a business role will be a different thing than for an SAP expert, for instance. And how do they work together? Your SAP security admin is oftentimes not your Salesforce or your Ariba admin even, because they have different structures and they're different specialists in building that.
So how do we find common ground and utilize maybe common terminology or established terminology between the two to both understand each other's applications better, and then also how they interplay and how we speak to each other about that work? So I think one element truly is this translation potential of AI, which can help us to put things in other terms that are probably better to understand by different people. I think there's another element, which is important, which is really about the trouble of the vendor to build models.
And I think this is probably something the vendor needs to do probably as part of its work to come up with unified models where you can map different models to. So I think it's probably not all this can be done. But once we have unified models, we surely can do a lot of things better, automate them better, integrate them better, being definitely more flexible than we have been. Yeah. And I think we've seen a little bit of that with the growth of IAM and IGA starting to converge with the access control space, right? We're seeing them trying to standardize some language.
If we're working with multiple applications, do we call it a role and a responsibility, or do we use a generic term like entitlement, right? What does that mean? Rather than speaking in terms of roles, transactions, authorization objects, fields, and field values, and responsibilities, functions, menus, do we speak in terms of entitlements, level one security, level one actions, level one permissions? What's the common terminology? I think that there's been some push to do that, mostly from an IGA perspective, though.
On the access controls perspective, we've fairly, for the most part, kept it application specific rather than application agnostic for the terminology we're using. So yeah, I think if there was assistance, especially for security and audit teams and things, translating that so they understood it in the same kind of way for each application they're working with, I could see a lot of value in that. Yeah. I think one more thing which we need to consider in this context is we have more heterogeneity in line of business applications.
So even when you look at an SAP shop quotas, it's not homogeneous anymore in most cases. It's not that it's the ECC world, basically. It is maybe a migration to some parts in S/4HANA already. And then there are these other SAP SaaS services like Ariba and SuccessFactors which are very different from an access control and risk management perspective. So even if you're in an Oracle or an SAP shop or so, it's not necessarily that you live in a homogeneous world anymore. Even there, you have these challenges. And I think this is something which is very important.
By the way, just a hint again to the audience. So the first question coming in, use the Q&A part. Ask your questions. Vote for the questions which you find most interesting. And by the way, we can probably bring up this question already because it's one that fits perfectly well to what we were talking about just now. It is about which are the most important skills needed for application risk management? So what should someone be good in for this job? That's a great point for risk management.
So I think to be good at risk management, you need a balance of understanding whatever application tool system it is that you are managing the risk for. But then you also need to understand what risk is in the context of your business and organization and industry, right? The same risk, for example, of shipping and receiving goods in different industries is completely different.
If you're shipping and receiving goods that have to do with making windmills, those things are massive and they go on trucks and no one's walking out the door with them versus someone who's manufacturing maybe computer chips or something that could be highly valuable but very small and easy to walk away with. Even in the same industry, that risk variable is quite different based on the organization and what they're producing and things. So you need to have that balance of I need to understand the application. I need to understand SAP.
And whenever I say shipping and receiving, what does that mean in terms of my system? Where is that being done? Who are the users doing that? Then I need the broader context of the risk. How big of a risk, how severe of a risk is this for my organization, for my company? So I think that's the struggle with the skills gap is that it's not just one thing anymore. You're not just an auditor who says you have a risk for shipping and receiving goods or we're creating and paying vendors.
It's okay, what applications do I have that can do that? Like you said, SuccessFactors and Ariba, it's not probably sitting in just one system anymore. So then being able to understand the landscape of the applications as well as the risk landscape and bring those two things together. And I think that is where a lot of value lies and where today we're slowly seeing that skill set built up. We're seeing a lot more. I mentioned I started in the consulting space. I started with designing security, but then I also became an auditor.
I have my CISA because I was doing so much work with audit, right? Because they would come to me and say, we have to check for change management controls. How do we know who has that access in the system? We had to work directly together. So I started to learn that skill set so that I could do both sides of it myself. And I think if we can also bring in people from the other side, teach those who are maybe auditing or managing our risk to get them to understand the security side. So from both ways that we're learning, so we can all be better at it. We already touched automation.
Will automation help us more? I think that's one of the questions. So I think what you brought up regarding skills, and I think this is a very important aspect. In this job, surely there's this part which is about one system, but there's increasingly the need for having knowledge about multiple systems. And there's also a need to be, I think, look at it more from the auditor's eyes. I dare to say from a risk perspective, not just from an auditor perspective, but also from a real risk perspective, which might be a bit different from an audit finding.
So an audit finding is one risk, but other things might be a bit different risks here. Anyway, that's a separate conversation. But I think what we also saw is we have a lot of control in control libraries right now. I think there's also an automation aspect, which is, so I'm a big believer since decades probably in automated controls. Because an automated control, if implemented right, provides you always with the correct information. Humans not only tend to fail, humans tend to cheat. Specifically when things tend to go really wrong, then the risk of fraud and cheat is significant.
So how can we also use this part? And I think this is an interesting question. How can we use the controls library to become really effective? So I think we need to understand which parts of them are relevant. What do we need to adjust? Do they work as expected?
But also, how do we make this work? And then end again up with a limited number of information we present to the right people. So at the end, an endless amount of controls doesn't help you. You need to focus again. So I think it's an interesting area here. I think again, going back to the previous things, I think AI can help us then to bring things together. But it's definitely only one part of the entire thing. So what's your take on this?
No, I like the way that you phrased it, which is automation can help us with a lot of things because human error is a thing, right? The more we're manually doing something, the higher the likelihood that we may unintentionally incur errors. And I think the perfect example of that is why is access control so popular? Because it typically brings a set of features like automated provisioning, like the automation of creating user access reviews and certifications, because that's such a massive help to the business, right?
If I'm not having to manually provision and manually go ask for approvals, I now can work on high value items to support the business as an IT person, rather than me just keeping the lights on, right? Same thing for user access reviews, if I can automate those, I'm not spending a significant amount of time and possibly unintentionally having manual errors in there with just the massive amount of data I have to collect and track down and send to people, right?
Also, the automation is storing my audit trails in one location, which is going to simplify my audit process for me. So I think we're familiar with a lot of that automation. And I think that the more that we continue to use that and with the line of business applications, utilize it in context of those, right? So today I may automate my major SAP system, but what about every other application that has access to it? Not only do I maybe need to be looking at it for risk, but how am I provisioning? And to your point, then how am I doing controls for it? Am I still dealing with that?
And there's one more point, I think, which is happening on both sides of the pond. So until recently, the main focus was on financial risk, financial fraud. What right now is happening is the technology risk part. So we can't limit it anymore to the financial risks and some parts of our system, some business process only, it's getting way bigger, way more complex right now. And it also means we need automation because there's more information to deal with. There are more controls to implement. There's more need for spotting the right risks and also ensuring that we alert on the risks.
And I think this is still a bit of a human thing. So I know for sure that in some of this very large sort of financial incidents around trading, the alarm bells were ringing, but people ignored them still. So we probably won't fix everything there with automation and technology, but I think we definitely need to get better. And I think this is also a good thing looking at one more of the things that we have on our list, which is will 2024 be, so to speak, the year of risk-based access controls become mainstream? And what is the need for that? And can we do things like that better?
I think, again, this is an important aspect in this context. Yeah, I like the point that you made earlier about controls and controls automation. The purpose of controls is to manage our risk, right? And as we mentioned, if you can automate it, that's going to ensure that those controls are in place and operating effectively, right, versus the manual error. So when we think about the risk that's out there, as that risk expands, how do we address it? We still have the same number of people, but now we have more that we have to be looking at and managing and addressing. And how do we do that?
I think it's a combination of all the things we're talking about. And in particular, when we talk about expanding risk, third party and cyber are very, very quickly growing in prominence and importance and how we address those. And a lot of times, because people think of how people are accessing the system, it comes back to us as access controls and security people. How are you going to manage third party access risk? You're giving them access to the system. What are you going to do about it? How does cyber impact what people are doing? How are you going to manage it?
I think going back to the theme of today, automation and AI can assist us with that. Third parties and cyber, if we can identify third parties that are accessing our system, if we can put controls in place and automation in place, for example, prior to them gaining access to our system, they have to go through rigorous different checks. In an automated fashion, we can run specialized and separate reviews for our third parties to ensure that they are being managed and monitored and controlled correctly. I think in all those cases, automation can help us get our hands around what we have to do.
And when you say risk-based, I think that comes back to if we can better analyze all the risk in our environment and identify the most relevant ones, which ones are being used most frequently, which ones have the highest dollar impact to us or operational impact to us, and seeing trends, spotting trends between those and identifying, how do we order the ones that we tackle? I think all of that. I think absolutely true. I think technology helps us in spotting where's the biggest risk of fraud, of losing money.
It also helps us what is happening most frequently or what is an anomaly, what are things that rarely occur? That's a great point. Because anomalies, I think, are another part. So when everything goes the same way as usual, we probably are somewhere within the corridor. Once something is clearly outside of the corridor, this can be just because something is muted, it can be because there's a good reason.
And if you don't have a long enough period to look at it, it could be just that we are at the end of the year, and we do things we only do once a year, or at the end of the fiscal year, depending on what you're looking at. But anomalies are something to look at.
That's an interesting fact, though, if you think about, that's almost combining, if we look at event notifications, a lot of times we think of data masking as, I'm Keri, I sit in Denver, I work for AP here, I should only be able to see this information.
And if I go and I work remotely from somewhere in Europe, I won't be able to see the same information because it's going to realize I'm not in the proper location. But what about, that's maybe stopping it from happening, but to your point, what about event notifications so that we're aware it's occurring? Or I'm logging in with my ID, and we do checks like this a lot for, with our solution for access controls, event notification around logging into multiple terminals or from different systems with the same ID within certain timeframes.
Why am I using different ones to log in with my own access from either different locations, different terminals, or within a certain time period that's close enough together that it's concerning? Are we monitoring that? Are we aware of that risk that it's even there? So we talked a lot about, right now, about automation, the potential of AI and stuff like that. There's one more aspect, and this is, I think, one of the very problematic ones, honestly, which is cost. So compliance always is perceived as a cost thing.
And something also like security hindering, I just today read a number which said that, whatever, 89% of the business leaders are willing to take cyber security risks when they want to achieve something in business. I think for compliance, I have had and have a lot of discussions which are about, okay, we ignore that until we get a finding from our auditor. Unfortunately, I also have seen the other side. There's a finding and organizations tend to start acting in what I tend to call headless chicken mode.
So they're running around without any orientation and spending way too much money into things that they could have solved much easier. So that's the other side of the cost of compliance. If you don't do it ahead, if you don't stay ahead of the curve, ahead of the auditor, you're at risk of spending way more money than you would have needed to spend. Without doing it, except aside of all the automation part, we spend so much time in organizations for manually supporting audit requirements. That is where we can save money. At least this is my take. 2024 being the year where everything changes.
I mean, I would say you nailed it when you talked about cost, right? Think about basic project management. You have cost, you have time, and you have scope. If you want any one of those things to go faster, something has to change. And if we have an audit finding, scope can't change, we have to address it.
Timing, we don't have control over that. It has to be done within a set period. So what's the only thing that can change? It's cost. And that's why it can cost us so much.
So yeah, coming in after the fact is vastly more expensive in multiple ways. Just in what that exact example you just gave, the headless chicken mode, the trying to tackle things, we're spending way more money than if we had just been preventative. But there's also the dollar cost of if fraud occurred, what was the dollar cost out of our pocket? And if it was, if we are a large or public-facing brand and people are made aware of that fraud, what's that intangible impact and detriment to our brand that we now have to also overcome? And that's just for the basic day-to-day fraud.
That's not even for some of the more complex things that could be coming. And in many areas, we also have another challenge, which is probably a bit more cybersecurity side, but which also I think is a general tendency in regulations. This is the need to notify the public authorities in very short periods of time.
So when I look at in Europe, we have NIS2, so the cybersecurity critical infrastructure regulations coming up, which has, this is for cybersecurity incidents, but I think it shows a tendency, which says 24 hours for the first notification, three days, 72 hours until you come up with the first sort of real analysis of it. And I think what we are facing increasingly is that if something goes wrong, in many, many regulations, we don't have much time anymore. I think we have similar stuff when it comes to GDPR, so privacy stuff, et cetera. Those are short periods of notification.
This, to me, appears being a trend. And if we don't automate, if you're not capable of really getting all the detail with a click, so to speak, then we are in trouble because we also see the fines going up. So it's not just you have a finding, and yes, in some areas, you get a finding. And then the bad thing, where latest when the management becomes alerted is, oh, you have to add it to your annual report. You have to talk about it. This is where really the C-level starts to panic because they don't want it. But to avoid this, we need to be prepared.
And I think all of these things that have happened afterwards are way more expensive than investing into a well-thought-out approach because the well-thought-out approach brings in AI, brings in automation. It helps us avoiding manual labor. It helps us in staying ahead of all the problems we otherwise have. And this is my thinking. If we look at it realistically, we can definitely save money. It's outside of just avoiding fraud. Yeah. We have a saying, an ounce of prevention is worth a pound of cure.
So it is far less expensive to put the preventative pieces in place than if you don't have anything, and you're after the action occurs trying to address it. And to your point, if you even can, if we have, from the moment we identify something happened, say, the cybersecurity is a great example, stateside, something similar.
If we have 24 hours to notify that this occurred, or even if it's the three-day or the four-day mark, if we only have that time, and we don't have any kind of control or tool in place, even gather all the data, that's why you see these companies that will be dripping pieces that say, within the first 24 hours, we found that it was this much exposure. And then you see them have to come back out a week later with another announcement. It was actually this much. And then you see them another week later, it was this much.
So when we think about what C-suite level cares about, those are multiple points of impact into the scientists they're now having to address. Yeah, it destroys trust. And it takes years to build trust. It takes minutes to destroy trust. So we touched really a number of aspects. And I think basically some key points are AI, ML, including Gen AI, can and will have a huge impact on what we do in this space in 2024.
We should emphasize the automation potential way more, because this is really what helps us to deal with all the upcoming challenges, including more heterogeneity, lower periods for notifications, more different type of information we need to deal with. And there's something where we already can save costs. We will also need to figure out how we address the skills gap.
And again, technology can help us. So these are some of the things we see coming in 2024. So before we go into the Q&A and look at a number of questions we already have gathered here, I just want to quickly run a second poll. That second poll is a very simple one, yes, no, which is just about, is there a common ownership for application access controls with stuff for SAP, other line of business applications, or et cetera, and identity and access management in your organization. So is this split or not?
What we see maybe as a background for this question, we see increasingly starting that the CISO is responsible for both. So that it's not whatever the SAP owners are responsible for SAP and the CISO for IAM, we see increasingly a joint ownership. So looking forward to your responses. And while you respond to the poll, we just go one step further, which is we move into the Q&A session.
So again, I'm looking forward to even more questions than we have, but we will pick right now the questions we already have here. And so I think one, we had about skills and that there's a second question, which is a bit related to skills, but I think it's also a bit different because it looks less or what do we need now? But what do you see as the biggest skills gap in the next 10 years? And maybe what programs or courses can help address this? So what is the big thing to come? I think the biggest skills gap will be, as we just talked about, we need a broader set of understanding.
We need someone who understands risk from a business level who can apply it to multiple applications. So we're going to need our teams to be understanding of both our application landscape and our risk landscape. And when I think about programs to address that, I think about, you know, there are various courses. I lean heavily on my audit background whenever I'm having risk conversations. There are lots of organizations out there, IA and ISACA and these other ones that you can take classes with them, even if you don't want a certification from them.
They offer lots of courses out there that you can take to better understand, like you mentioned, the latest NIS regulation that's coming out, right? All of these different organizations that either manage those risk regulations or that operate in kind of that area, they offer, even if you don't want a certification in it, they will offer a lot of different courses. And then similarly, when you think about your major applications you're working with, SAP, whether that's for Ariba, SuccessFactors, HANA, whatever it may be, they also offer courses that you can take.
And you don't have to take all of them, but you can take the primary ones. And I think this goes back to the cost piece. You have to find out what is the most value for you and prioritize that. So my point on that would be, I'm fully with you, I think some auditor skill set is very important. So you don't need to become an auditor, but I think you need to understand how auditors think and act. This is very important for the conversations.
So one of the things I always bring up when working with clients and touching this area, I think still the most important thing is what you do underpin it with a risk metric. So if the auditor sees you have a concept of risks and you do things differently depending on the risk, then you're always more on the positive side. They may still say, okay, I feel you need to change your risk metrics and stuff like that, but you're not entirely wrong. And so this is what I mean, some level of auditor thinking is important.
I think for the applications, I think it's important not to be the super expert in SAP and Oracle and so on, but to understand sort of the concepts, the basic concepts of the entitlement models. So how do they work? How do they think? And then I think some good business process skills also are extremely helpful to understand this. I think this is what I would bring in here. So next question, when discussing automation, what do you see as the highest focus, most frequent use case by businesses for automation?
I think there's a difference between maybe what I see today and what I see in the future. So I think today for automation, the highest use case I see are the basics. Automation of running risk analysis reports and automation of things like certifications, user access reviews, those are very heavy lifts if you're trying to do them manually. So automating them is a big win. Provisioning, we talk about from 80 hours to eight hours or two weeks to two days, that's a pretty typical turnaround for going from a manual to an automated provisioning process. So those are big wins.
So I see that today as the biggest use case. For tomorrow, I think it's some of the stuff that we're talking about. It's the concept of identification and prioritization of risk and trend analysis. So identification of trends or things that we should be concerned about and in the totality of our landscape across our line of business apps, understanding the impacts and the risks there and the controls that we use to manage it. I think we're going to continue to become more advanced, moving beyond the basics into the more complex topics.
One of the things I also foresee for the future, I think this is probably maybe beyond 2024 in a broader adoption. I believe that automation and not only automation, but also the AI part can also help us in sort of the analytics, call it forensics. So when something goes wrong, I think it's usually still a lot of manual investigation and technology can help us to come up with very efficiently with what has really happened. I've seen some of these things in different areas, more in the cybersecurity space, happening with some types of co-pilots. And there are some cool things already out there.
Okay. I think I see one more question here, or maybe two. So how do you see, I've rephrased it a bit, maybe. How do you see the interplay of IGA and traditional application access control? So how do you see these areas converged or not? I think converged is the perfect word. That is where we're headed. And I think that regardless of your size, there's a conversation to be had around IGA and access controls because access controls is a natural extension of IGA. If we think about the basic tenets of IGA, it's users gaining access to the applications within their organization.
Access controls is layering risk on top of that. It's saying you are gaining access to this system. Is there risk involved with that? What are the controls associated with those risks and automating that management of them? So I see them as two things that work hand in hand together.
Now, whether it's within a singular technology base that it's all converged on one, or if you're operating with different solutions for each piece, they still both have a very key part to play in how we manage access to our systems, both manage, meaning grant access, and manage, meaning manage the risk associated with what we've given people. I like that because this is something I probably didn't think that way. So on one hand, we look at on both sides, we look at sort of the access entitlements, for instance.
But in access risk management, we really put this into the context of concrete risks. And I think this is what is commonly lacking in IGA.
So yes, there in IGA, there are also higher, lower level risks. But it's not that it's put in a similar manner into really risk controls and into controls frameworks. And I think by combining these things, we also can get a very different perspective on how do we deal with risks. So the IGA is also in the PAM world, the Privileged Access Management world. So what does it really mean that risk? What is the business impact? And it's interesting, you know, I've spent some time working on things like business impact analysis, stuff like that.
So really understanding what's the real business risk behind it. And I think we need to all we need to get better on this. So we are running a bit or coming closer to the end of the time for this webinar. So I think I'd like to sum up a little bit, because yes, we touched many points, I will be I think we are very much in agreement on, we need more convergence between IGA and application access control and risk management. Because this is really essential to take a broader risk perspective. Risk perspectives, generally speaking, are very helpful. We need to automate more for many reasons.
But we also have a lot of technology coming and sometimes already being there that will help us in getting better. I think this is something where it's very important to really also spend time and rethink the way these things are done in organizations in the next year. And this helps us, it's not just that we spend money, we can really save in various places by doing the things right now.
So with that, I think we are at that point where I'd like to thank you, I'd like to thank all the participants that I think like to thank you, Kerry, for all the information provided the insights, I think it was a very insightful conversation we had. I'd like to thank Pathlock for supporting this webinar. And with that, I think for most of you and us, it will be probably the last webinar ahead of the holiday season. So I like to say happy holidays to everyone.