Hi everyone. I'm Manish KTA. I'm a manager with Deloitte. I've been in working with Deloitte I didn't access plan practice for a little over 10 years now.
And for, at least for the last couple of years, I see a lot of uptick in the consumer and green space. And that has been my primary focus now, no,
I swap on method from KPMG. I'm a part of the cyber practice and MD in the practice I've been in the identity and access management space for close to about 20 years or so. Been working with the IDM systems for a long time, probably like many of you folks over here. And then I would say about last four years or so, quite a bit of the focus of, you know, the identity and access management work that we end up doing is, is related to consumers.
Thank you. So hello everyone. A Loja I'm part of EY, I'm a senior manager there for last three years before EY. I was in more on the corporate side with Citibank and some of the other larger corporate doing mainly the digital transformation kind of work. And now in Evie for last three years, mainly I've been leading the digital transformation and combining cybersecurity with it and bringing all the solution for our clients. So that's been my focus
And my name is annul sync.
I'm the lead Analyst with a coal, my primary areas of coverage at co a coal are primarily identity and access management. And my focus areas would be ID governance, administration, access governance, as well as ID provisioning, privilege, access management as well.
And yeah, as part of IM, we are definitely seeing drift into how IM can be more relevant to also manage consumer identities, identities for things cetera. So, yep. I'm here to help you understand how it can help you serve you better in terms of CIM and let's it forward.
Well, great. Well, why don't we maybe three out of four, talk a little bit about a case study, maybe, maybe a recent company that you've been working with, you know, in one of your engagements around consumer identity, what are some of the things that you've learned, maybe something that's changed in the last year? Is there more of an emphasis worldwide on GDPR or is there more of an emphasis from your perspective on building out additional capabilities around authentication or what, what are you seeing as the drivers in the market right now?
I can take that.
So rather than zoning in on a specific case study are probably, you know, say, share some of the themes that we've seen, you know, emerging over the last few years or so. Some of the things, you know, are probably pretty familiar for the group over here when we are looking at identity and access management, specifically consumer identity and access management beyond the security aspects and controls aspects, you know, usability or user experience is the critical feature, right.
You know, that everyone's trying to drive the goal is to try and make sure that, you know, you make it as easy as possible for the users to get to the information that they're looking at or looking for, and also sharing information, which is probably much more relevant for the users based on their past history with your organization. You ultimately, the goal is to try and increase the footprint of the overall relationship between your organization and the consumer, so to speak.
And, you know, this is something that everyone's been striving for. You know, interestingly, what has happened over the last two or three or four years is you've seen that is overall across the industry. There's a trend towards modernization of identity and access management platforms, whether it is driven by cloud or whether it's driven by just overall digital transformation or it transformation a number of the organizations that we have worked with or are working with, they are completely revamping their identity and access management platforms, both enterprise and consumer.
And what I would suggest is that's an excellent opportunity for most of you are probably working with consumer identity and access management systems to make sure that, you know, IAM becomes, you know, a core building block of your complete technology stack, right. You know, because what you want is not just the ability to provide consistent controls, but also the ability to leverage identity and use it as a M to potentially drive all of your business processes and business rules around it.
That is one way of you for you to tie in all the data across, you know, business units, across technology stacks, across application platforms. And that's one way also to enrich the experience for the user. So I think, you know, leveraging any, any transformation initiatives, any modernization initiatives is probably gonna be no a key key thing that you should be looking for.
Great point, completely agree with what Nel said. And I wanna go to John's point about the case study.
So as UI we implemented as part of our digital identity access management practice, we implemented digital transformation for a very large hospitality client, which has about 75 million identity and the goal and the objective there, we are very well defined in terms of how you are gonna enhance the experience of the customer of the, and also of the employee and then how you're gonna bring the operational efficiency.
So those, those were the twofold objective and their identity access management played the role of an enabler to get to that where like we had to solve how you're gonna unify the identity, 75 million plus identity for the customer thousands and thousands of identity from an employee point of view, how you're gonna create the progressive profile to do the right targeting from a marketing point of view and so on.
And then how you're gonna bring the operational efficiency into the play, not only from a customer point of view, but from an internal process and changes, which are happening and all of this had of labor of identity access management into it. So rather than thinking of identity, access management from a traditional point of view, from an access certification and all that, it's there definitely there, but how you're gonna enable it in such a way that the experience and the outcome is gonna be at a very, very different level.
And it's a large implementation, which is still going on for a five year. And we have derived a lot of benefits out of it and enabled those objectives, which has certain level of maturity. So it's happening in the industry. And we are seeing that it's, it's getting force multiply into a lot of other industries. And so on
Just to add to that, you know, traditionally we've seen IMF being more of what you can do, you know, using principles of least privilege or, you know, to restrict the access and, you know, very role based access controls, but especially with the, the consumer focus, right?
The, the trend is now not to restrict a user, but to ask really user what do you want to do, right. And do that in a very usable manner, in a very secure manner. So that to really drive the business from a, from a user's point of view, right?
Not, not to focus more from an enterprise point of view because the end goal is to really, you know, convert a user from an anonymous user, to be someone who can be a brand advocate, right? So consumer entity has become more of a journey to really see how you can convert your anonymous users, to somebody who can now become your repeat visitors. And then from there to be your like brand loyalist and Brad advocates,
I might want to add something here. And that's probably how CIM has been evolving and what's really driving CIM.
So if you look at the fundamentals of IM traditional IM, I would say most of most of the concept remains same for traditional IM and CIM. It's really about how now the IM vendors have been adapting to the requirements of consumer entities as well. So how they're adapting to all those various requirements, which are getting generated by the digital business for most organizations, how they want to also cater to the consumers, their requirements, their distill experiences, cetera.
So the, the evolution of traditional I vendors to meet those cm requirements has also changed the entire landscape. The other thing which I'm also seeing in the market is the, the need for IANS to not only support business, but also the interests of customers.
So by far, we have always focused on the digital use, you know, business use cases.
We try to understand who are the primary stakeholders from, from our, you know, disinterest point of view and meet their requirements or cater to their requirements. But now I think it's also important that you understand the customer's interests and also make sure that while implementing CIM, you are able to satisfy their requirements and their expectations as well.
I, I generally, you know, don't give this example a lot, but it's, it's a quick one, which I want to share with you in Singapore. I'm based in Singapore and the bank, one of the banks, if I can take names, it's Citibank who called in and said, sir, we like to have your consent to collect your voice prints so that we can help you when you recognize you and you call in next time, I give a thought.
I said, no, not now, but next time, maybe I'm I was obviously an Analyst.
I understand what's the implications of sharing my, you know, voice imprints with a company like that.
So I, I knew that, you know, if I can call next time, they can recognize me. They can direct me to the call, right. Calling agent when I need to talk with, but the next time when I call, I called in city bank and I said, okay, I'm ready to share my voice prints with you. Nothing changed when I call in still, I have to go through the entire one time password, you know, authentication mechanism. They still ask me for the verification. So I feel like cheated, you know, I mean, the whole thing has changed. I give my voice prints, but now what, I'm not getting the value.
So as part of the CIM, you have to also understand that you don't just satisfy the business requirement, but also, you know, deliver it to the customer as well. So yeah, I mean, that's, that's something which I find as still quite challenging in the, in the CIM world
Being an exc city banker that hurts.
Thanks.
I, I think another interesting aspect to that voice print example that you mentioned is that the terms of service are, are not clearly framed for the end user, as you said, the expectations are not clearly set. So where that voice print ends up, who it's shared with what kind of reputational aspects are accumulated with it are, are completely unclear to that end customer.
And often, you know, we've, we've seen patterns of misuse in some sense that actually expose the cus the, both the end user and the, the bank or, or, you know, whichever agency's using it to potential privacy violations under various regulatory regimes. So I think that's, that's a good caution to, to think about,
Yeah,
Actually some great points there. And as to the topic, I mean, when
You're
Thinking about the cm strategy, what are the key foundational building blocks there? So generally what we do is we say that there are three building blocks.
One is experience, which has to be addressed. The second is the risk management. And the third is the privacy. So to your point about consent and other things, and when you gather someone's data where it'll be used, how it'll be used with whom it'll be shared, there has to be data minimization and all.
So the, when we are defining the strategy for the CRM or overall for the, from a digital transformation point of view, we take into factor this three points or the three building blocks and set the objectives very, very clearly under those three containers saying that how we are gonna do it, not only for the customer part of it, but you got to bring the employee because when the touchpoint happens between the customer and the employee, and if it is not defined, or it is not at the same level, let's say you are better, your customer experience, not the employee experience, then you are gonna see that break, right?
So it is very important that you have to think about your customer experience, employee experience, bring it to the same level and know, especially with the digital transformation, with the way things are reforming. You have to think about omnichannel experience, which has to be consistent across, across the channel delivery channel. So let's say you cannot give a great experience in mobile, but when you, the same customer is coming via IVR there, the voice recognition is not happening, right? So there is a break there.
So the overall touchpoint or the delivery point from an omnichannel point of view is important and it has to be consistent. And that's where going back to the point, which I was earlier making that your foundational building block has to be identity, unification and progressive profile, if that is not well addressed. And overall your identity definition is not well established. You are gonna see this kind of gaps. Unfortunately.
Hi, thank you for being here today, when you're evaluating new new standards or new new technology options, like what criteria do you use to decide to bring that in to your solution,
Bunch of aspects. I'll take that.
So, you know, tools and technologies are also becoming quite smarter, I should say, probably to the needs of the business and needs of consumers, right? One is interoperability, you know, making sure that whatever tool or technology that you're gonna be leveraging is gonna be working well with the overall ecosystem of your technology stack.
It's also going to provide that only channel like channel experience, especially with consumer identity and access management, everything's gonna get exposed through 15 different channels and, and that tool or product or solution needs to have the ability to work across those standards are important by the way. But at the same time, we also make sure that, you know, certain time certain standards could be constraining, you know, certain standards haven't got that adoption that you would expect, right?
And, and you have to be very careful with, you know, how the, how the standards are going to be influencing your overall technology stack.
So standards are critical, but I would probably say interoperability is, is more critical. And that omnichannel experience is much more critical.
There are also things that you could think of, you know, you're not only integrating your CIM tool with, you know, other synergistic security solutions, like say fraud or threat analytics, but you also have to integrate with, you know, data analytics, like, you know, identity analytics and marketing analytics, right. You know, that's gonna be extremely critical to make sure that you are providing the right type of data to the user.
And then, you know, going back to the previous question and previous topic, by the way, one of the things that has happened over the last two years, because of the focus on privacy, you know, businesses have become smarter to the fact that you probably don't want to just keep collecting data in the past. The desire was to try and collect as much data as possible. Businesses are trying to make sure that they're only collecting, you know, the necessary and sufficient data that can help them enrich the consumer experience while also enriching their business potential.
But they're, they're becoming smarter. And we, as technologists have to make sure that we speak with our business stakeholders as well in helping them understand the downsides of just collecting data annually.
Great point and a great question.
I mean, very close to my heart, actually. So what we have learned, I mean, and especially being EY, I mean, we have been doing a lot of assessments and all strategy that earlier.
I mean, when we are doing a normal assessment of a technology on the paper, I mean, things may or may not work, especially in a digital transformation, kind of a journey where things are gonna go for many years. So we have come up with this concept of proof of technology. And as part of that, from a criteria, point of view, we say that what are your functional non-functional non-functional will have all your like, right from data retention to, you know, fail over to everything else. Right? So that's what the, those are the criterias under which we define it.
And then we take standard and all, but what is the different thing which we have started doing is we will identify some of the key business use cases.
And in let's say 8, 9, 10 weeks, either in the client setup in the infrastructure, whether it is cloud or on-premise on, we have created our own lab with all different products, which come into the ecosystem, we execute those use cases. And then we also, as part of that, and supple made a great point that how does this put into your ecosystem, which is there.
Then we demonstrate that also whether this solution, this is how it's gonna work with different tools and technology, because it's never one, right. And how this is gonna fit into your current ecosystem and whether it will scale to some of the ordinary use cases or not. So we try to achieve that in few weeks. And the good thing is like, as we are all in the agile world and all that, it jump starts our development. And then every, like we start sprinting from there. So whatever effort you are putting is real time where rubber meets the road, you know, well, what works, what doesn't work.
And then it is not a throwaway piece because you immediately get into your sprint cycle.
So that's how we have
Evolved ourself to the current ecosystem. And great question.
One thing I'll add to that is if you recognize the current scenario, right? Most of the times the company and organizations are not trying to build cm capability from scratch. They already have existing systems and they've been doing it in parts, in some, some other, other fashion.
Then, then it's important to recognize at which stage in their cm journey they are in currently, right? What, what are their backing systems?
You know, what are their enterprise objectives they're trying to achieve? Right? And in that sense, it, it's not always about a technology problem, right? You have to understand what they really want to achieve. And it's a combination of either people, technology and tools, which will help them get there. So more than just evaluating a product and a product might not always fulfill the, the end goal that they're trying to achieve. So it may be more, more about it could be technology problem or could be more about evaluating where they are and what will help them get there.
Right?
One of the examples I'll take is in a recent interaction with a client, right. What I saw was the problem is not that they don't have data to do consumer energy journey, but the problem is they have too much data, right? The problem is with the amount of data they have, they don't have the right analytics tools to understand what the different types of users are, how they are interacting with the system and how, how they want to actually nudge them and take them to, you know, to be those brand advocates or, you know, to be those loyal customers. Right?
So sometimes it's not just about a cm technology problem, but more about understanding, you know, with the current technology environment that the client already has, right? How, what are the best process to take them to where they want to be?
Sure.
And, and I would,
Which of time to, to again, say the same things, which, which have been talked about here, but one key aspect is also to understand what's the key focus of your cm use case. All of these vendors, they provide, you know, cm solutions, but they are different in terms of offering use experience. They are different terms of offering previously and consent management. They are different and pretty, pretty, you know, I would say diverse in terms of offering security aspects of it.
So what's really the, the, let's say if your use case is providing really good experience for the users, which are more for the marketing and CRM use cases, right? Then there are different vendors for that.
If, if the, your key focus of your use cases to provide better fraud prevention, better auditing and monitoring for customers than there are different vendors who provide a more strength in terms of those kind of key capabilities. So that's, again, something you want to identify early on in your implementation use case and accordingly select the, the vendors. And I think John's slides earlier talked about a lot of functional and nonfunctional criteria that you might want to consider at, at greater depth as part of your evolution process.
So who here has some consumer identity and access management system deployed already, anybody at all? Do you have a consumer identity management system deployed already,
Already? From my perspective, I work for communications company
Speaker 10 00:21:22 Cox communications company, and I've been leading their strategy and roadmap for our consumer identity platform for about nine years now in different capacities.
One of the things I've noticed is the, and we've talked about this in different aspects, are the challenges in helping our business partners, as well as our security partners and care partners, to understand the importance, and then also the prioritization around it, because they don't always understand how identity slash identity security can be an enablement, which is how I drive it forward. My, my standpoint is identity is a way to enable the business as well as the customer so that you can marry the security as well as the experience at the same time.
But again, it, it just takes a lot of politics and negotiation, a across multiple groups. So I end up playing or having multiple hats with security and then product and care to ensure that we're touching all of it.
Hundred percent IDM is more of an enabler now. Yeah. Not just a security tool. Absolutely.
And it's, it's a monetization capability as well. Business enhancement.
Well, you know how for years they told us it's a cost center. You know, we all got tired of hearing. We're overhead, you know, with consumer identity, it could be an opportunity to help make revenue. Absolutely.
Speaker 10 00:22:52 And then ease
Speaker 11 00:22:52 The customer experience as well.
At, at the core, everything is around
Speaker 10 00:22:58 The identity. It's moving more and more around the identity and you want that contextual view of what the user is doing and, and how their interfacing with your, your networks. So you have to combine identity security with your network security, with your privacy. And so there's a lot of hooks and a lot of different ways that you can implement it. It's just getting everyone's perspective and ensuring they understand how to bring them together. Most people don't get it. So I'm the one that's like bridging that gap for them.
Yeah. I just wanna quickly appreciate what you're saying here. And you're right. IM is quite political in most organizations and it takes really good, good effort for any IM a leader to actually go out and, you know, get support from the right stakeholders, business stakeholders, to prove your credibility in the organization, how you can establish an CI program, for example, to the benefits of that. And obviously there are no tools available.
It's, it's probably more how you can effectively present the business use cases and revenue generation out of CRM program and what values it can deliver to, to the stakeholders. So I think a good practice out there would be to identify your key stakeholders, maybe the champions who can present and cm program to the rest of the, you know, stakeholders and business units in the organization and take it forward from there.
If I, if I can just add to it, I'm in, we all have gone through this tough negotiation and discussion. So two things, I mean, first is the right definition of identity educating. And I think we have to start from there because most of the time we say that identity, but we never define what is that identity is that identity a person is that a device that person is using is that other things too, like their trans history and all that. So the definition of identity has to be clearly laid out, which is a composition. And also people UN understand what it means.
I mean, and that solves a lot of other discussion, which will happen because let's say, you're gonna say that for risk management, if the request is coming from this device, I can flag it because it is a compromised device and all that.
So the first and the foremost is define the, or have the right definition of identity, which is a mapping or a composition. The second thing, which I would say in this kind of negotiation and thing, which really works for each of the department, quantify as much as possible what's in it for me. Right?
So let's say if you're talking to the CSO organization or versus you're talking to the marketing department clearly articulate, and if you can quantify it, nothing like that, that let's say with the marketing team, if I put a right progressive profile, you your conversion ratio from when the, I mean to Monash point earlier that in the customer journey from anonymous to being a loyal customer, your conversion ratio would go up by this and this. So those kind of quantification and clear cut objective has to be defined before you meet and start the negotiation.
So they know what's in it for me, then you make it.
I'm just kidding.
No, I'm just kidding. No, but it is, it is, it is. So actually you can get close to it. And what we do is we put some app number. So let's say that in, in, from a CSO point of view, there would be a lot of alerts which would be raised right with your monitoring, with your AI solution and all that. How can I reduce it? How can we make it more factual and all that? And you can say that today, it is this much with this, this kind of thing.
We think that it'll reduce by X to Y percentage and as your data will improve and all over a period of time, you'll get closure to it, but you have to put a stake in the ground. That's my point. Otherwise it'll always be a very, this versus that discussion we
Make that, you know, a CISO would be CI would be interested into understanding how many people would lend on your page. And you have one, you know, 10 questions, long registration page. And half of them, probably more than 60% of them would actually leave that in the middle. And they go somewhere else, right.
They never complete the registration and you can tell them, okay, if I do, let's say this kind of a social oriented integration. What we have seen is that 90% of people actually register completely. So what's really the difference in the coming back to this point is that you are turning up the conversion rate by 90%. And that's something which is a very effective business case for you to take it forward.
Just, just I'm talking about social media integration. And it's not just about, you know, and that's not probably a customer for you at that point in time, but obviously there are aspects behind that, right? That might just a lower risk, you know, profile for the user to register. But when they actually come in and transact and buy more services for you, you have to ask them for additional authentication options, higher risk score. Cetera.
Yeah. Actually put, sorry, I'll put a fact on that, but that was a great example.
We had a client who, who had 80 person abandoned rate at the time of registration. And we started investigating it. There were 35 fields, which we asked at the time of registration. We said that this is not gonna work. And now we think we know it. We reduced it to six. It is going up. And it is more, I mean, now the registration abandon rate has come getting close to one digit.
So that's, and with that it's lunchtime. Okay.
Thank you,
John. So thank you to the panel. There was some question then.
Well, we, we can get together yeah. At lunchtime. Awesome.
Yeah. Cool. Thank you.
