And we invite Adam Preis from ForgeRock also to the stage and we have a short panel and as an introduction for that panel, I will be half moderator, half contributor, I assume. And we prepared this discussion before and this is a topic that I first got wrong and then I learned what it really meant. And I think that's an interesting topic. The topic is called Addressing Universal Digital Vulnerability with Modern Identity. And usually when I invite these speakers then for a panel, I send out a mail where I say, please introduce yourself first, quickly.
Okay, that we do. Adam, can you do it quickly? You've had your go to introduce yourself.
So yeah, I'm Adam Preis. I'm with ForgeRock. I've been with ForgeRock for three years, tech 12 years, love identity.
And yeah, super excited to be here. And for anybody that just joined the room, my name is Justin Richer. I'm an independent consultant based out of Boston, done a lot of work in identity and security standards and architecture for about two decades. Great. And then the second thing I ask for is, can you give an introductory statement to the topic so that we can start the discussion? But I think we're not yet there because I don't think that we all understand the terminology that's behind that, what we're looking at.
I just read out again, addressing universal digital vulnerability with modern identity. So the question, first of all, is what is universal digital vulnerability? If I look at my notes and yeah, who was this? I'll kick that off. Yeah. So we've developed this concept of universal digital vulnerability at ForgeRock because frequently we've heard this term of digital vulnerability. And mostly when we think about it, we associate people who have lack of access to digital devices, may have permanent or temporary disabilities, or we think of our elderly parents or grandparents.
But actually the concept of universal digital vulnerability implies that it affects us all. And that's very, very true. As our life moves online and the digital world becomes ubiquitous, we need to ensure that we give everybody the right means to access the right service for the right channel at the right time. So this is no longer just about a certain cross section of the population. This is about us all at a given point in time. Right. This is nothing really new. There are other terms for that, but it needs to be tackled right now.
How do you look at that topic of universal digital vulnerability and where do you come across it? So I will say that when I first read the description for this panel, I was assuming that because this is a security conference, this is going to be vulnerabilities like zero day TLS exploits and other fun stuff like that. But it's actually, you know, we're really talking about more of a wider sociological problem of the people themselves being vulnerable because of access to technology, availability, or even the fitness of the technology to the person. In the U.S.,
we had about a year ago an executive order issued that said that all new federal regulations needed to have equitable considerations inside the document. So I highly recommend you go read that executive order, which is a sentence I never thought I would say to somebody. But honestly, it's really good, well-intentioned piece of law that says that when you're putting together these regulations, especially technical regulations, you need to figure out, like, are you disadvantaging some populations? Are you disadvantaging some groups of users?
And as Adam was saying, this is not necessarily a permanent population. You know, this is stuff that grows and changes depending on the context.
So to me, that's the bit that makes it universal is that it's always contextual to what the person is trying to do and where they're coming from. Just to add to that point, so you talk about the executive order in the U.S., it's really interesting because this is no longer just a nice thing to have.
For many, many years, this has been something that's been conceived of as something that sits within a company ESG or CSR agenda. But actually, if you look at regulation that's coming out, in the U.K., we have consumer duty. Consumer duty places obligations on financial service providers to ensure they leave nobody behind. If you look at PSD3, PSR1, that the commission recently published in its policy intentions, it talks about equity of access. If you look at other regulations, like the EU Disability Act, all those things come into play.
So regulation is driving that market, and providers are kind of compelled to address it in a more holistic way than just a piecemeal way. Right. So my next question would have been, why now? Regulations is one reason. Are there other drivers? Jesko? I think that, honestly, as a whole, as a society, we're becoming more aware of the existence and the plight of disadvantaged populations. And you guys are all sitting at a panel with three white guys up on stage telling you about equity of access. Quite frankly, systems are designed for people that look like us in a lot of ways.
I am not going to notice, in any natural setting, the types of things that would disadvantage others by and large, because I'm not affected by it. But I think that, in general, we as a society at large are making strides—we've got a long ways to go—but we are making strides at being more aware of things like this, and the need to pull in expertise, particularly when you are looking about, particularly, the equitable access of systems and things like that.
Because a lot of times, the equity problems in systems and in regulations really just come from the blind spots of the people that are building it, just not realizing that that was a thing that somebody cared about. So if I can give a personal example, my middle child is non-binary. When you're going out and building up an identity database, you're probably going to have a field that says gender, and it says male and female is the only options in the enum. Or if you want to get really, really spicy, have it just be a Boolean that says, is male. I've seen that once.
So for them, how are they supposed to get in a system like that? They have to pick something that doesn't actually express them. They are disadvantaged by this, and that's something that's very deeply personal to me because it affects somebody that I love very much, my child. But 10 years ago, I wouldn't have even thought of it. I genuinely wouldn't have, because it was so far outside of my personal experience.
I think that we're starting to see more and more of this in systems where teams are becoming more diverse, at least good teams are becoming more diverse, because it makes better, more robust systems. It's interesting you say that. Ultimately, until we experience it ourselves, we don't fully understand it. I have an interesting example as well that really kind of spurred this kind of thinking on my end. A very close relative of mine had a critical brain injury and overnight went from being the most tech-savvy person to being completely unable to engage with any form of digital device.
Completely shut out the banking system, shut out the tax system, the health care system. Good luck. Unless you've got somebody caring for you, you're stuffed. The thing is that technology exists and identity is there to provide solutions to these problems. It'd be interesting to make that connection as well, but I'm jumping the gun here.
Yeah, absolutely. But I think also just inviting all of you to contribute questions and to the discussion. But first of all, you already said, OK, there's an identity database, an identity record that says male, female, something else. And how do I address this person? Maybe we need more than one dimension to look at that. And the title of this panel is to address this UDV, universal digital vulnerability. I will use UDV to be faster with modern identity. And you've mentioned identity and you've mentioned identity already.
So where comes identity into play and how can we use technology to maybe address this vulnerability at all? Maybe starting with you, Justin. I think one of the first things that we can do is admit that the sort of traditional schemas that we have written around people in our identity systems are not really sufficient because they're written for specific contexts and they capture things that people thought that they needed at the time. And we get kind of stuck on those schemas.
And I think that modern identity systems have a lot more, have the potential to have a lot more space and flexibility with how we're actually describing people. And I mean, just look at the difference between like in, you know, in an inetOrgPerson record versus like the blob of JSON that you get back from an OpenID server that can have literally anything in it.
Yeah, just a second. Just let Adam add to that and then I invite you to the question.
So, yeah, it's a, you know, we at ForgeRock, we kind of live, breathe and eat identity, kind of, for want of a better phrase, identity junkies. So we're thinking about this and how do you address this problem? And for us, it's fundamentally about three things. Identity has to be adaptive. It has to know the context. It has to know what channel the user's living in, what their needs are, what the constraints are. That's the first thing. The second thing is identity has to be connected, right?
We, you talked about trust in your previous presentation, within our network or bubble of trust, we have a number of individuals in the professional world, you know, in our personal world who can vouch for us and give access to us when we're unable to access that. So identity has to be connected to enable those connections. And the third thing we would like to say is that identity needs to be balanced. And I principally mean here about security. When my mom is trying to transact £20 sterling to pay for internet, she shouldn't have to be compelled to do SCA, right?
Or if she does, if she is, she should be able to be compelled to do that for a choice and a device of her choice, rather than be given one standard one-size-fits-all kind of, you know, approach. So it was interesting. I was at an open banking expo in London a couple of weeks ago talking about this and people were saying, how do you scale up open banking adoption? Ultimately, giving users the choice to be able to more easily access the service at the right time for the right channel. So that's that's kind of our solution to that. So you're saying open banking should be open? Exactly. Yeah.
Coming back to the identity systems and having them flexible, I don't know if this is also a problem which is there in Germany, but in the Netherlands, we have a thing with last names that if we would do it the same way that it is done in the U.S., then 70 percent of our country would be stored under the V because of Van Der, et cetera. And then we would have the rest of the names. So there's always already some customization happening there. So I think that the possibilities from a technical perspective are there, but it needs to be, let's say, people need to give priority to it.
And that is more of a challenge than, let's say, the underlying technology. I think that that's that's a great that's a great point. And it's a wonderful example because I had never thought of that. But I will say something a corollary to that. I worked I consulted with a company a few years ago that worked in health care in south southwestern Texas, and they had what they lovingly called the Maria Rodriguez problem. And so in most of the U.S., we do not have universal, you know, we don't have federal IDs, we don't have universal identifiers for people and stuff like that.
So a lot of times when you look for a medical record, you give the first name, the last name and the birth date. And in much of the U.S., that's good enough. But in this particular community, certain names are so overwhelmingly common that searching for Maria Rodriguez in that community is going to give you thousands of entries. And so it is not a sufficient disambiguator because in the local communities that these people live with every day, it's the relationships between the people and all of this that actually act as the disambiguators.
And our digital systems are not designed to express that or capture it. And just to add to that as well, it's interesting. From my perspective, I think this technology exists to solve this problem. Yet why is the problem not solved? It's like passwords, right? We've got technology to solve and kill off passwords, but we don't. And fundamentally, I think it's about people and process.
There were very compelling conversations this morning, panels where CISOs were up on stage and they were talking about, you know, before you can start reaching out to CISOs across the network, you need to figure out how to make a whole security team work and talk to one another. It's that problem around having the right organization, the right communication and the right profile. You talked about this in the scrums, in the product design lifecycle, in the deployment lifecycle, people who understand that rather than just piss me off.
You know, I work in marketing and a lot of people say, well, this is a great marketing banner. Let's run this. For it to be done properly and for that problem to be addressed, we've got to go deep down. In my opinion, as long as there is the demand is big enough and the pressure is big enough, there is always a solution. And I can give you an example from my home country. I'm from Bulgaria and everybody who is born in Bulgaria gets a ten number unique identifier. And this is a part of your identity. This is even the part of the identity.
So now, well, not now, but in the last 40 years, a lot of foreigners come and want to use the services. But they are not born in Bulgaria. They do not have this identifier. So what did the government do?
Well, they made a new identifier, unique identifier for foreigners. So everybody who is registered gets this identifier and gets access to all the services. So in my opinion, there just could be enough demand and enough pressure.
So I'm actually really glad you brought up the question of demand, because I think it's really tempting to approach this as, oh, well, market pressures are going to solve this because if I leave certain customers on the floor, and I'm picking on Adam a little bit here from a previous conversation, if I leave too many customers on the floor, then all my competitors are going to snap them up. And then that's bad for me as a business. That's not the type of capitalism we're in, though, is it?
Like, if they're not make if that marginal community is not going to make me a lot of money, then it's going to cost me more to deal with that than it is to just let them go to the competitors and just or just let them fall out of the system. And so I really think that this is where larger pressures, to use your term, pressures like regulatory pressure or other types of pressures can really help to push this. This is why even though the executive order made my job as I'm working with NIST in the U.S.
more difficult because I had to now go write a bunch of equity considerations for the documents I was working on, it was it is absolutely ultimately a good thing because it is forcing us to go and actually address these things at that level. But we had this conversation beforehand, right? And here's an interesting stat for you. In the U.K., 27 percent of the U.K. population are what's classed as digitally vulnerable, right? That means they haven't got access to the Internet, they haven't got access to digital devices. That's 27 percent of the population.
There's a significant market there that we cannot ignore. So I think when we talk about this and I've talked about this at different conferences, people talk about regulation, they talk about technology, but also there's a commercial sense in this somewhere as well. And we're not talking about marginalized cohorts anymore. If we apply the concept of universal digital vulnerability, the number grows all of a sudden. And if you lose 20 percent, 30 percent of your business, that could be a game changer in a competitive market that we're in. So I think that's possible.
But if 73 percent of the British population gave me 10 pounds, I'd be OK with that. Well, I mean, that's why British banks like Lloyds Bank, NatWest are investing heavily in this. Not just because it's ESG, it's commercial sense. I think it has to be both. We are now at that point in this discussion that I hated to have. We have three minutes left. I had to cut Sebastian off. And I just want to describe, we have a problem statement in the room and not much more.
So if we if we try to turn this around and say, OK, we need to go towards a concept of inclusiveness when it comes to dealing with our identities. And if you look at the reality, our organization is already well prepared to go on that mission to be more inclusive. Are they doing that? And if people here try to take that home with themselves, what would be good first steps to take? Or are we far, far, far than just the first steps? Maybe just a quick statement, maybe a good thought for the future, starting with Adam.
Yeah, I think I think ultimately the key takeaway is to really look at the cohorts that you're engaging with. It's going back to this very simple concept of user centred design, understanding what cohorts and demographic you're engaging with and understanding, you know, getting data points on where those users are seeking to access services, where those requests are timing out and connecting that with where those customers are either leaving or going to alternative access flows. So that's the first step.
But I think the next step in the journey has to be to really map the technology against those needs and those cohorts. And like I said, modern identity management already provides the tools that are needed to address this problem. But you need to want you want to you need to do it just you need to want to do it. The inclusiveness, you need to build it into the system just by configuring it. So go ahead, go ahead. So I think it actually goes deeper than that.
I think that we need to build the inclusiveness into the system in before we're even looking at deploying it, when we're designing it, when we're building it, the people that are in the room, when they're making the decisions of what makes sense about what data type is the gender field in this database, those are the people that are going to make the important decisions that have this long running effect that out of generally speaking, no malice is going to negatively affect a lot of people without the designers of these systems knowing about it.
So I think we need to act, not just embrace, but actively pursue diverse engagement in our systems. And again, three white guys are up on stage telling you to go be more diverse. We could have done a lot better with this panel. And I hope that KuppingerCole takes that takes that note away, because this is something that we as an industry aren't very good at yet. We're getting better. A lot of the tooling is there.
And I think that ultimately it's going to be the fundamental culture shifts, both in the technology space and in the regulatory space, that drive not only the capability, but the social desire to actually address these things. Great. Thank you. I hate to cut down this discussion right now. And you're right. We need to be better in that. Also for us, just starting that discussion in that round. But first of all, thank you, Adam, for bringing up the topic.
Thank you, Justin, for providing your insights. And thank you for giving these thoughts into a more inclusive future. Thank you. Thank you. Excellent. Thank you.