Hello, and welcome to our webinar today, which is on the evolution of consumer identity management. I'm John Tolbert, lead analyst here at KuppingerCole and I'm joined today by Richard Bird, the chief customer information officer at Ping Identity. So we have a couple of other upcoming KC live events on April 28th. We're going to talk about operationalizing PAM on May 11th. We're going to talk about modern IGA. And then on May 27th, we're going to talk about enabling the future of IAM. So this will be muted centrally. We're controlling that. So there's no need to unmute yourself.
We are recording and we will make both the slides and recording available after the presentation today.
So again, I'm John Tolbert. I'm going to start off by talking about the CIAM market, some of the issues that we see there, and then take a look at the recently published Leadership Compass comparative report on CIAM and how the different products compare there. Then I will turn it over to Richard and we'll have a discussion afterwards.
So what's going on in the digital consumer landscape today? I see three trends that are happening that many organizations need to think long and hard about. Privacy, for one. You know, we've all been aware and preparing for and dealing with things like GDPR for several years now.
But you know, in the US we have CCPA, the California privacy law, that's having some updates, and then other states are following suit. But even at a higher level, between GDPR and CCPA, they're not entirely harmonized, because there are differences even in, you know, what types of data attributes are considered personally identifiable information.
And that isn't exactly a definition in itself within those regulations.
But then again, in the US, if other states are going to be creating privacy laws, this is going to be much more complicated for companies that operate across the US or across the world to be able to deploy consumer identity solutions that can be respective of all these different privacy regulations. And I think there's a real opportunity for CIAM vendors to be able to help out their customers by providing the tools to help them comply with privacy regulations in different jurisdictions around the world.
Then fraud reduction. Fraud is a big problem.
It's been a big problem for a while, but the bad news is it's been getting much worse. I mean, throughout the pandemic, there have been numerous brand new types of fraud and new ways to exploit different kinds of accounts. We've seen account takeover, which is, you know, a big problem in many way become increasingly large, different kinds of accounts are being targeted, both consumer facing businesses, government agencies, as you might remember last year, there were lots of cases where fraudsters were trying to go after accounts that might offer a government assistance.
So there's, it's just a variety of fraud out there makes it very difficult for especially consumer facing organizations to deal with it all. And, you know, unfortunately maybe in the olden days, a certain amount of fraud was, was tolerated.
You know, it was viewed as something.
Well, you know, you can write that off as a business cause it's some small X percent of what is occurring on an annual basis, but fraud has become such a problem that it's not something that could be written off. It has to be addressed because it's impacting the bottom line.
You know, digital fraud is something that boards of directors and executives are concerned about because it's, it's impacting the way they run their business. So in this sense, really good anti-fraud solutions need to either be built in or something that's easily accessible from consumer identity management systems to help organizations, whether they're in finance or retail or insurance or whatever the industry, because they're essentially all under attack these days to be able to help prevent that fraud.
And then lastly, let's talk about the consumer experience.
Not really anyone is getting this ideally right, the way it should be. You know, there are lots of excellent products out there, and we'll talk about that in the Leadership Compass section, but you know, there's so many capabilities that are in CIAM products that organizations are not choosing to use and deploying it's impacting the consumer experience. I feel like usability in itself in many cases is declining and security. And the overall consumer experience is not really improving alongside those capabilities.
I mean, we've got lots of different multi-factor authentication, risk, adaptive, MFA capabilities, the ability to tie on these fraud reduction platforms. I'll talk about in a minute. And there are lots of organizations that are just not taking advantage of the tools that they have to increase usability and improve security and privacy.
And I think this is an area where CIAM vendors themselves have the chance to help explain to consumer organizations or even, you know, government agencies that are using their products, how they can improve the overall consumer experience, improve usability and up to security and privacy.
So there are lots of different kinds of fraud, but I really want to talk about two major ones today. And one of them has multiple names: new account fraud, account opening fraud, synthetic fraud. I'll dive into the details on that in just a second.
And then there's account takeover fraud, which is exactly what it sounds like. New account fraud is when a fraudster goes out and grabs a bunch of information about a real person and uses that to assemble a fake account. The kinds of information that they're looking for are your email address, phone number, social security number, date of birth, address, all that sort of stuff.
And they can use that as you know, from building accounts yourself, what kinds of information are needed, but they go out and they get these records from places like healthcare, government agencies, your old school records, employment records, and can take that information and assemble it into an account that they can then use for various kinds of financial fraud.
You know, a new account fraud can be, you know, more insidious because it's difficult to detect, but the payoff for the fraudsters is often much larger because then they can use it for not just, you know, grabbing credit card numbers and, you know, maybe getting a couple of fraudulent transactions through. But if you create a, a completely fake account, then sometimes they can use that for things like mule accounts for moving money around taking out credit cards and entire lines of credit. So it can be more difficult to discover after the account is created.
And even though it takes more effort on the part of the fraudster, sometimes they can use it for more, more fraud. ATO, we call it, account takeover fraud, using usernames and passwords often found in, you know, the breach password dumps that are out there on the dark web. And they can be used for various forms of financial fraud too, but not just banks.
I mean, everybody thinks about banks, but I think we need to be worried about things like pension plans, 401(k)s, insurance, your medical accounts, real estate. You know, before the pandemic another big target were airlines and hotels, the hospitality industry, because of the frequent flyer per hour programs. Really anything that has a reward that is convertible into money is a target.
So I think there are six primary fraud reduction methods, and this is what I cover, or am covering, in the upcoming leadership on fraud reduction intelligence platforms. Identity proofing and vetting: making sure that the person that registers the account is real, maybe matching that up to, you know, a government-issued ID. Credential intelligence: knowing whether or not their credentials have been used for fraud somewhere else recently. Device intelligence: you know, has this device been used for fraud, as you know, that it belongs to this person, what are the, there's lots of parameters that go under device intelligence.
And there are lots of third-party sources for that information. Using behavioral analysis: you know, if you think of it in a financial context, that would be using historical information about what a given person has done and matching that up with current transaction time. You know, are they sending to a payee that they normally send to? Is the amount within normal parameters?
And then your fraud reduction intelligence platform can tell the CIAM, banking applications, no, this is kind of out of line with what they've done before. Behavioral or passive biometrics:
this often gets implemented as JavaScript or through a mobile SDK. It's, you know, figuring out how does a user normally interact with their phone, you know, swipe, touch screen, or their keyboard, their mouse on a desktop or laptop. You can build a fairly unique profile based on normal interaction information. And then lastly, bot detection. A lot of the fraud, ATO fraud especially, you know, credential stuffing attacks, and even aspects of new account fraud may be perpetrated by bots. So being able to detect them and keep them from creating accounts is a very useful thing to do.
So let's look at just a couple of quick scenarios, how APIs are used to go out and grab this information. In this case, I don't want to show a happy path here. I want to show what happens, you know, if there's a case of fraud. So if you're using a consumer identity management system and you need to put together all these different intelligence sources, you know, at login time, let's say, you know, the person has registered with an account, a good account originally, but at login time, you're checking compromised credential intel sources.
You might find that, hey, that's been used elsewhere fraudulently. You may check the device intel services and find out, yeah, that's not, you know, a proper device that's associated with that individual. If you've developed a baseline of normal user behavior, you can tell that this particular transaction or this login event, this doesn't match the baseline.
And in fact, the, it may wind up that it's a bot.
So you would most likely want to decline a login event like this, or at least force some sort of step-up authentication in this case. Let's talk about how you can use consumer identity management to go out, to call fraud reduction intelligence platforms, accomplish kind of the same thing, but use the fraud reduction platform as a central place to collect all the information. So again, in this case, you've got, you know, they passed the identity vetting, maybe at runtime.
They also, it looks like the behavioral biometrics match, doesn't look like it's a bot, no use of compromised credential intel, but maybe it fails the device intel check. You know, a scenario like this might be a user has gotten a new phone, and this is their first time using the phone to log into your site. So the fraud reduction service then takes all these factors into account and says, well,
you know, this very well probably is the user, but, you know, maybe they come in from a new device. So then you run a workflow that says, let's go verify that this is the right user. And then just associate this device, if it turns out that's what's actually going on.
So I want to jump in to the Leadership Compass, talk about the methodology for a minute and then show the results. So what we measured this time around with regard to the core CIAM functions are seven that I've chosen here. Authentication options:
we talk a lot about the risk-adaptive MFA, because we believe that that's really one of the most effective ways for preventing things like ATO attacks. Mobile biometrics are important because users like them, they're easy and they can be more secure, especially if you're using, you know, FIDO-compliant mobile biometrics. And then a mobile SDK: having an SDK that allows customer organizations to write apps securely that take advantage of, you know, your core IAM/CIAM backend features. Consent management: this is where privacy comes into play.
And not only can CIAM solutions help customers, you know, design compliance solutions, but I think having something like a user dashboard, show them what information that you've collected about them, give them the opportunity to export that information or even delete it.
And you know, that view of what does this organization know about me and how can I control it that helps with compliance in multiple regimes.
And it's also a nice consumer feature. IoT integration: more and more of us have, you know, lots of consumer electronics, smart home, smart automation kinds of devices, wearable fitness devices. They all have, or many have, notions of device identity. It's good to be able to link that with your consumer identity with a given site. So this is a feature that I think really helps sell consumer identity management solutions because the more products that a person has to manage within their own smart home or the devices that they may be wearing, the, the greater that ease of use becomes.
And there's one good specification out there, device flow, that's helpful in the registration process. So we see pretty good support for that amongst the CIAM tools. Identity analytics:
this is information you might want to pull from when consumers are logging in to look for, you know, failed login attempts, changes to the profile, you know, various authentication statistics. You should be able to pipe these into your security intelligence tools like SIEM, SOAR.
You know, in the case of my profile changes, having background information on when a consumer goes to change information about themselves like normal payees or locations, you know, those can raise red flags, you know, at transaction time. So these are important things, not only for the consumer experience, but for providing better security. APIs:
You know, the world is interconnected by APIs today. And I think that's a good thing. As long as they're properly secured and properly authenticated the APIs themselves, then integration with other marketing tools, marketing analytics can happen over the API.
You know, in the earlier days of CIAM, many of the CIAM vendors would build in lots of marketing analytics functions directly into the platform.
But I think people realize, you know, hey, there's lots of good marketing analytics tools out there, you know, no need to reinvent the wheel. Let's just open this up, open the data up and allow marketing analytics tools to take a look at the collected consumer data. Account recovery:
this is something we probably all have to deal with at one point or another, especially with accounts that we only use maybe once every quarter or once every year, even. And if they're password based, especially, there's often a need to reset those. Having multiple ways, multiple secure ways of recovering accounts is important. And we discourage, of course, things like knowledge-based authentication or security questions just because they're usually worse than passwords in terms of security. ATO protection:
so all the talk about fraud before, being able to integrate your CIAM platform with the variety of intelligence sources that are out there, or overall fraud reduction intelligence platforms, to effectively outsource a lot of that risk to the fraud, the FRIP platform, is something we're measuring in this report as well. Leadership Compass.
So we look at nine major dimensions categories here.
We've got, excuse me, security. By this we mean internal security. Can you require a strong MFA for the admins?
You know, does it support a delegated access control model? Functionality: does it have those features, that list of seven categories? And you know, how well does it do with those seven categories of information? Does the vendor sell it as, you know, a variety of different parts that you have to license individually? Or can you buy a full service CIAM?
And if so, how easy is either method to deploy? Interoperability: this is where standards come into play.
You know, there's lots of good standards in IAM and CIAM, you know, everything from, you know, JWT token, SAML, OpenID, OAuth. All of those are good standards that help promote interoperability between not only identity management systems, but downstream customer applications as well.
Usability: we measure not just what's it like from the consumer experience, but what's it like for a customer to have to author policies or, you know, build out and deploy this solution?
What's it like from a customer perspective? Innovation: that's pretty straightforward. You know, is it a leading-edge product? Are they kind of playing catch-up in the market? Market is, you know, how many customers, how globally distributed are they, how many managed consumer IDs are there?
Do they, does the product, you know, target every industry? Or is it just specific to something like finance? Same thing with ecosystem: how many partners are there out there for helping get it deployed and getting it maintained? And then are they globally distributed? Do they have support in your region? And lastly, financial strength: there's lots of different size companies out there, everywhere from, you know, fairly new startup to a late stage startup
that's, you know, very well-funded, to, you know, very profitable public companies. And this is reflected in the financial strength element. Our four categories: product leadership takes a look at the functionality and how complete that is. Market leadership considers, you know, the market size, ecosystem. Innovation is just about innovation. And then we group all three of those into the overall leadership category. I won't read through the list here, but you can see there are quite a few different companies in CIAM.
Some of which are, excuse me, very regional, maybe only in the US or maybe only in Europe or even specific areas within Europe or APAC region. And there are also very well-known global companies too. So this shows, you know, year over year when we update the report, there are more and more vendors in the space because it's a growing space that actually meets a lot of very important consumer and regulatory requirements. So a quick look here at the overall CIAM leadership graphic showing, you know, on the, on the right side of the leaders all the way across through the challenge blank here.
And now I'd like to bring in Richard who is chief customer information officer at Ping. Hi, Richard.
John, how are you?
Good, glad you could join us today.
Oh, anytime there's an opportunity to talk about what's going on in the customer access management space I'm eager to do so.
So what, what are some of the latest trends that you've been seeing as chief customer information officer at Ping?
Well, I think
Just as a little background, that's an odd job title. I think it's actually unique in the world and it's what happens when a CEO and founder and some old practitioner like me get together and decide we need to do something different in the marketplace. But really about 30% of my time is customer facing, obviously the customer component of the title.
And I, I do spend a tremendous amount of time with enterprise organizations across about five continents right now, 30% of my time is spent speaking, writing, publishing on trends where the directions are going. 30% of my time then is spent, you know, out in the marketplace, participating in events like this, or working with partners and then 10% I'm a member of the operating team.
So I, I have a, I have an adult responsibility that I have to exercise within Ping. And, and it gives me a very unique perspective.
I don't know that there are many people like me that have a foot in, you know, five different continents across multiple different compliance and regulatory regimes, as it relates to customer or citizen access management, regulations, compliance, everything as varied as, you know, the new digital identity initiatives that we're seeing start to spool up in the EU that are tagged into the digital marketplace initiatives that created GDPR and open banking, and down in Australia, the customer data right.
And the United States, where we're still struggling basically to come to an agreement on whether or not it's appropriate to protect customers or not, which seems very, very strange. So there's a tremendous amount of diversity in the marketplace. And I will tell you that what I most frequently see is an awakening. Certainly a part of it is being driven by, you know, COVID. I always like to phrase it this way.
There's nobody on the planet that had a disaster recovery and business continuity plan that looked like this.
All of my customers are going to interact with me on digital channels and all of my employees are going to go home. And, and as a result of that, we saw this huge hockey stick increase. I've got enterprises that I've spoken to saw online channel, you know, e-commerce service, all customer facing activities go up in, in the 300% range. And I've worked with companies where it's gone up in the 4700% range.
And when we, when we look at these numbers and we're faced with this situation, John, you and I talked about it a little bit, we're faced with the situation that I always like to have people do, you know, Einstein called it the thought exercise. You know, take the last 13 months of your consumer experience, for everybody that's listening to this presentation, and ask yourself how many outstanding digital customer experiences did I have? My answer personally has been none.
In fact, some of my digital experiences have been absolutely horrible. I will not name the airline, but I still have a, a leg of a ticket for a daughter that goes to school in Europe. That I still can't seem to figure out how to use because digital channels don't allow me to access it. And I can't get through on the phone still 13 months later to get these issues resolved. So when we think about the current state of customer experience in the digital world is extremely poor.
And when we think about the security aspects of it, we know that the, the fraud components that you mentioned, we know that the, the fraud transactions associated with customer interactions have just exploded and, and, and companies are struggling mightily to address that issue because I always liked the way, you know, our CEO and founder put it.
If you authenticate the wrong person on registration, you're just going to have nothing but bad problems all the way through the rest of that life cycle for that customer.
If we authenticate the wrong person, the outcomes are still bad. And if we verify the wrong person. So we're just seeing a lot of, I would say I'm seeing a lot of thinking. There are a lot of companies that are definitely moving fast and forward, mainly out of necessity, where their customer relationship digitally isn't just a product relationship, but it represents risk and exposure to them. You think about airline industries, you think about ticket brokers, where the fraud aspect of it has real-time, in-the-moment penalties and problems.
Those are the types of industries that we're seeing move quickly. Obviously, as, as banking, banking always moves first when there's something that needs to get done. But when we're looking at other areas where the customer themselves represent a threshold or risk, a risk where a fake customer rep represents a threshold of risk, we're seeing, we're seeing a lot of changes in a lot of different initiatives sparking up around customer access management.
Yeah. Sounds very true.
I mean, there's a lot of good information there. I mean, maybe we should drill down a little bit more on the fraud piece and then move on. You know, in doing research for both the CIAM Leadership Compass and the fraud reduction Leadership Compass I'm working on now, I hear lots and lots of stories about, you know, the exponential growth of fraud and, and the evolution of techniques that fraudsters are using.
Do you have any customer stories, you know, specific to, you know, maybe new forms of fraud or how, how it really is impacting businesses in a way that, I mean, it's always been problem, but, but you know, now it's, it's much more of a paramount concern for businesses. Anything, anything come to mind there?
Yeah, absolutely. I think there are two pieces that come to mind first within the customer space is the, is what the, what I call the rise of the long con as it's associated with synthetic fraud or a fraudulent account takeover. It used to be, you know, that, especially in the fraud takeover, in the FTO space, that the whole purpose for the bad guys was to get in and get out quick. Right. I always like to say that, you know, the goal, there was, you know, a convenience store burglary, right, or a gas station burglary, I'm going to get in, I'm going to get something of, you know, some value.
But now what we're seeing is, is the long con, you know, truly, you know, The Sting with Robert Redford and Paul Newman, where they're, they're working these, these identities, these fraudulent identities, whether it was frequently acquired by taking over an existing customer's account or the creation of a brand new fraudulent synthetic identity, and, and watching those, those types of identities being used throughout life cycle internally gain more and more, you know, the monetary value of, of that relationship.
We saw this particular specifically with, you mentioned it, we saw this specifically with unemployment benefits and, you know, there's one specific example down in Australia that was related to, you know, this statement by the government that people in financial need could tap into their superannuation accounts. It literally was like putting a billboard out on the street and saying, every Australian can take $10,000 out of their, or their with no penalty. And guess what happened? Lots of fraudsters came in and took $10,000 out of customers' accounts.
I think the other thing I would mention about fraud is, is that I do think that we're, we're starting to begin to understand that fraud is not a white collar crime, the, the, the pain and the realities of these things. I, I do a podcast and I had a great conversation with the executive director of the identity theft resource center, which is a nonprofit organization based out of San Diego, California.
And she shared a story with me about a synthetic fraud that was executed against a minor, which is a fairly typical pattern.
And, and that minor's information was used to craft an identity, again, the long con, used to acquire several different forms of credit. And this young lady came from a family where she was the first person accepted to college and was getting ready to matriculate and found out that she couldn't get student loans because her credit was destroyed. And in that particular case, it took that young lady three years. Like, think about this for a second: all the companies that were associated with this, supporting and, you know, enabling this, this fraudulent digital identity, no penalties whatsoever.
The damage done to an individual was this young lady who gets to go, go to college as a first-generation first person in her family to go.
And she has to miss her cohort by three years because she has to go fix everything. And this is the, this is the really dark side of our customer access management experiences. When companies mess this up, which has been the historical pattern for 20 years, when companies mess this up, the, the real pain and penalties don't accrue to the companies themselves, they accrue to the victims of these crimes.
And, and these things are starting to get to a point where, you mentioned that, where the fraud losses are compounded by the potential of litigation losses, by the potential of class action lawsuits, by the potential of, you know, right to action in the, in the CCPA regulations. And now the, now the, the costs of not getting customer security and customer access correct are starting to shift back to corporations, which I do think is a key driver on why many companies are really taking a strong look at this.
You know, that's a really good point, right?
On several levels, because where the responsibility lies determines what a person or a company has to do. So, I mean, even thinking about, you know, the model for how credit card versus debit cards work here in the US, you know, consumers don't get particularly bothered these days when they see a fraudulent charge on their card, because the company, the credit card company, is responsible for it.
You know, that's different in different places around the world where actually consumers get very interested in to prevent that. But yeah, the, the, the full scale identity theft situations that you're talking about are things that are very difficult for end user consumers to be able to solve. And it's very unfortunate that it can take that long to, to resolve it. If you can get it resolved, I'm sure there's cases where it's taken much longer than even the three years.
Yeah.
You know, it's, it's, you know, it's an interesting space because when you, when you consider those aspects, because a lot of times when I have these conversations, people go, oh, that's a fringe use case. And I'm like, wait a minute. It's not really a fringe use case. If you consider things like math and probability, all of our curves, right? All of our curves, relative to losses, all of our curves relative to breaches all of our curves relative to exploits and takeovers are not going backwards, right.
Or reducing they're going upwards, which means that these, that these interesting and, and troublesome, troublesome, catastrophic realities for individual victims is going to expand, right. It's not going to reduce because all of the numbers are going in there in the wrong direction. And I think that this is it, it, you know, one of the things that I bring up frequently is is that it, you mentioned IOT, right?
We saw, you know, we have to consider the patient domain as a customer domain. You know, we saw successful breaches initially with WannaCry that impacted the NHS in the UK and caused the, in the real time rescheduling of procedures and surgeries, it needed to be executed because of a complete breakdown of the, of the medical system. We saw most recently, the actual physical death of a human being in Germany as a result of hackers activities.
And, and so we're, we're really coming to that space where this th this brick wall that separated the digital and the analog is becoming much more like a piece of vellum paper, right? And we're, we're getting to a point where the real world consequences of an action in the digital are going to have substantial and painful realities for, for customers, consumer citizens, and human beings. I do think that there are are companies that are really consciously taking that into account.
They do not want to be a mode or means of transportation for a bad outcome for, for a person.
And, and, and that's a real change, right. But I will tell you that that's a small percentage, right?
The, the reality is, is that, you know, many of these changes are going to come as a result of demands. You know, I'm not, I'm not a fan of the death of 50, 50 regulatory cuts in the United States. I'd like to see leadership at the national level, but there is a reality where some of these, some of these requirements that are being placed upon companies will be the, the, the real key driver of change.
And, and, and I think that the government recognizes that. In the United States, especially, there are a number of pieces of legislation on the table around the creation of digital identity standards necessary to protect national infrastructure, cybersecurity infrastructure. There's a bill in the House right now.
And I think that the, the, the feds are realizing that the absolute archaic reality of our cybersecurity infrastructure, which then, you know, obviously has direct connections to the consumer cybersecurity infrastructure is completely insufficient to meet, you know, not just the demands of human beings, but frankly, to meet and, you know, issues of national security and issues of, you know, national support for its citizens. And, you know, we're just seeing dramatic changes.
Yep. Very true.
So let's talk about security and usability. You know, in this business, we've been talking about getting rid of passwords for years, and yet we all enter passwords every day.
And, you know, I've seen an uptick over the last year of interest in multifactor authentication, but unfortunately it seems about 90% of the time that just means SMS OTP. And now we all wind up getting, you know, one-time passwords on our phones multiple times a day, which we know has problems.
I mean, you know, years ago, NIST deprecated, or tried to deprecate, SMS OTP as an authentication factor. You know, there's been quite a bit of news lately about SIM swap attacks where, you know, honestly, it's mostly trying to get an insider at an MNO to associate a phone account with a different user so that when you get an SMS OTP, it shows up on the fraudster's phone and you never even see it. So, I mean, there are problems with SMS OTP. There are solutions out there that don't involve that. What are you seeing out there in the customer world about adopting MFA?
Surely it's become a higher priority, you know, as a result of COVID. And what do you think about getting customer organizations to use things other than just OTP or KBA?
Yeah. What we see happening is an interesting change.
And the reason that I think it's interesting is this is a replay of about 15-ish years ago in the workforce space. So I'm an old identity practitioner, right?
I created, you know, centralized identity functions, and in some of the world's largest banks ran and led those functions. And I can remember when there was this big shift of recognition where, you know, we couldn't lock down everything, right? We had to take a risk-based approach. And that's what we're starting to see. Right? We're starting to see companies on the consumer side that are going, wait a minute. Like, there are risks associated with transactions, with flows, with, you know, customer inquiries.
And I should be applying the correct level of authentication protocols necessary to be able to manage that risk. And, you know, I always kind of laugh about SMS OTP, right?
Like, I will almost put a paycheck on the table that in the banking industry, in functions such as asset wealth management or high net worth accounts, or, you know, private wealth management, there is nobody in those businesses on the business side, this is a business problem, that goes, we want the least amount of friction and the least amount of authentication necessary right now. Why is that? Because the banks feel a very obvious vested interest in keeping these people of high net worth safe and secure.
And we're beginning to see the same kinds of beginning understandings within the business side that controls customer access management. The real problem here is that there's no real standard of structure yet.
You know, when you think about customer access management in most enterprises today, there's nobody that's in charge of it, right?
In fact, I'm dealing with a company right now that has 12 different business units that believe each one of those business units believe they own the customer, except what they really own is about one 12th of that customer, their applications, their processes associated with their function and that customer relationship.
So when we, when we think about where, where the, you know, these enterprises are starting to look at these structures, you see some variations of digital transformation offices, or customer experience transformation offices starting to spring up and starting to get funded as independent organizations. But for the most part, we have a highly distributed set of owners of a customer, and each one of them with their own intentions and desires about how much security needs to be applied.
So there has to be a bringing together of a customer vision, a unified customer profile, or, you know, a unified customer, you know, data store that begins to actually build a model of that customer, not just, you know, 13 different accounts and passwords.
That's not a digital identity. That's not a human being, that's not a customer, right?
That's the keys on their key ring. So when we started to see this, you know, change happening, when you think about a holistic customer's digital identity, you can begin to apply application of authentication protocols based upon the risk of the transaction itself. I think that we're probably a good 24 to 36 months before, you know, a substantial portion of, say, the Global 2000 has even begun to think that way. I think that the real challenge today in customer access management, and John, you've been around the block a long time, you know, like I have, right?
Which is, you know, there's an assumption that the real answer to customer access management is, you know, just buy me a solution. Right.
And the problem with that is that we have companies, we have some companies that have business processes that are associated with customer interactions that have been in place for a century, like, the business processes.
Like, imagine, you know, just in a time machine, go back and imagine what it looks like trying to pry the triplicate forms away from somebody, you know, in invoicing, or, you know, accounts payable at the lumberyard, you know, and they give the customer the pink copy and they'd have the white copy. And then they put the yellow copy in accounting.
It took us years, years to break that pattern. And when we think about how it's going to take time to break those business process patterns because of digital enablement in the customer access management space, it really means that this entire customer access management world is a massive company transformation. It is not a technology organization buying a solution. That's all of your problems.
Well, you know, I want to go back to something you said about friction, because I think, you know, in the identity business, I think some of us have erroneous assumptions about what consumers really want. I mean, we hear all the time in marketing presentations that, you know, frictionless, frictionless, frictionless, but let's imagine for a minute, a wealthy person wants to transfer a large amount of money. I think they expect friction. And if there's not friction, they think something's wrong. You know?
So getting the friction right is probably a better way to state, you know, how you go about doing business with CIAM rather than just emphasizing the frictionless nature of everything, because some friction is warranted and even expected.
Well, there's a reality that friction has a part to play in trust, right? I'm an old military guy, right?
I didn't, even in my uniform, even pulling up to the gate of a particular military installation, I didn't just get to wave at the guy. I go, Hey, I'm here for work today. Right? I had to go through a process. I was fully vetted. I was fully cleared, but every single time that I entered a facility that has sensitivities, I had to go through a process to prove myself in order to gain what? Trust. Trust of the facility, trust of the chain of command.
And so I'm just having this conversation yesterday, actually, that this, you know, this notion of applying friction where it's necessary in order to build trust definitely applies in situations where customers have a higher expectation of security.
Right? So banking is a great example, but it's not the only example, right?
If I was going to execute a purchase for, you know, $10,000 worth of home improvement equipment, you know, on a single credit card transaction, this might be a case where a retailer goes, this is where we want to check and make sure that you are who you say you are, and you're doing what you're supposed to be doing. So here's an additive step-up that we're going to do. As a customer, I'm going to be like, Hey, this is cool. Like, this company is trying to protect me.
I do come across a lot of resistance to the idea that security can be an enabler for the building of trust, because there's this argument that's circulating due to a recently disclosed hack that, you know, what's the big deal.
All your information is public anyway. And my response to that from a corporate standpoint is like, if you truly believe that, if you truly believe that trust, and identity is the core of the way to build trust, is inconsequential, it's not necessary, release a public media release today that says, we've decided since all your information is already public anyhow, we are not going to provide any security for your data or for you anymore. And tell me how that marketing catastrophe works out for you, right? Because there's, while customers have the ability to be tone deaf to, you know, breaches and exploits over the course of time, that they work in what's basically a compromised economy, right?
If a breach of information and the damage associated with it is less than the value that I perceive from getting, this is a big play in social media.
You know, if it's less than the value of me posting pictures about my best life and you know, my vacations, and I'm less inclined to be worried about the loss of that data, I'm going to continue that relationship. But there is nobody that believes that, that a customer has an expectation for no security and no privacy.
And I do believe that we're very much in a space, as we've seen what's going on over the course of the last 12 months of breaches. We are very much in a space where consumers are not sleeping on this anymore. Consumers are going, eh, you know what, I'm really tired of my stuff getting stolen.
And I'm really tired of people just saying information is public. And I'll just hit on that for just a second. I wish people would understand when it comes to the massive amounts, billions and billions of lines of records, of customer information that was stolen.
It doesn't matter if your cell phone number is out there. What matters to the bad guys is, is your cell phone number out there? Is it active? And is it accurate for you right now? That's what they want to know.
It's not the data, it's the quality and the timeliness of information that the bad guys capitalize on, which is why they keep clearing out customer data, information stores over and over and over again. It's a crime in slow motion. And until we recognize that it's a crime in slow motion, and it's a long con, we're going to really struggle to make good decisions about that risk-based application of security controls for customers.
Yeah, I think that's a good point. I mean, I've seen statistics and, you know, they vary a little bit, but overwhelmingly they show if a consumer has a negative experience or negative perception of security and privacy about a prospective company they want to do business with, it's an immediate, okay, I'm going to go find somebody else to do business with.
I think that's something that those who would be, you know, fatalists about it really need to consider. You're going to prevent yourself, not just lose business, but prevent yourself from being able to do business with those who are aware of, you know, ongoing security or privacy issues.
Well, I, you know, on that point, I think there's a really critical call-out. We are seeing the beginnings of a true market movement to competitive differentiation based on security and privacy.
The obvious leader in this was just a bit more than two years ago, Apple and Tim Cook being emphatic about, in the annual Apple event, if you do business with us, you'll be safer and you'll have more privacy. That's great.
I'm actually super encouraged about it, but what about everybody that's not on Apple devices, right?
I mean, he's making a competitive differentiation statement, and we know that it was a competitive differentiation statement because Alphabet and Google took major exception to this statement that we are better and different as a choice for you to spend your money on if you come to Apple. And now we're starting to see, you know, this idea that, you know, there is a value that customers perceive in being with some companies that secure their data and keep them private and protect them.
And I always like to say it this way, if you forget about the regulations, you know, forget about, you know, doing the right thing, like what happens tomorrow? If you get a call from the board of directors that says one of our competitors just announced if they do business with them, they'll have more security and privacy, but are we ready to do that? Right. That's the reality that's coming down the pike.
And this is one of the reasons why I love talking about customer access management, because there's an opportunity to give people that nugget of information and say, you probably want to get started now because the worst possible case scenario is you tell the board, no, we're not more secure and we're not more private. And I don't know how long it's going to take us to get there. And frankly, we even know how to get started, right? This is the reality that is coming to all of us, and security and privacy will be a feature set that customers demand.
If they're not asking for it specifically, they will differentiate on their choices of consumer options based upon the existence of data security and privacy, as promised by companies that are making it as a competitive differentiation statement.
Yep. I agree.
You know, I want to go back to talking about IoT just for a second. I see this as a big growth area for CIAM and potentially a thing that, you know, vendors can show competitive advantages with by, you know, how well they handle integrating, let's say, smart home or consumer electronics devices. There's ways to get that right, and there's ways to not do so well with that. I think that, you know, the more devices that people have, the more they will want to associate that with, you know, one or more digital identities that they own.
And that experience, I think, has lots of areas for improvement in terms of usability. Do you have any thoughts on that?
Yeah. I am a huge believer in, and consumer of, the highest degree of technological integration that I can achieve in my own household. So I want everything connected to everything, and, you know, even now starting to gravitate into the individual light bulbs and, you know, telling my phone what color I want them to be.
You know, the difficulty here is that when we look at the IoT space and the coordination of technology, you know, flows and calls and all that kind of thing, we know that we're dealing with a number of competing standards, right? So I always like to say we're in the VHS/Betamax days when it comes to, you know, IoT integration on behalf of the consumer. But what's really interesting is, you know, something that we don't really put into perspective. We talk about, you know, this IoT landscape being a threat and a risk and an exploitable surface.
But what we miss is that there are really two different types of mindsets when it comes to consumer-related IoT integration. The first is a high degree of interoperability for the convenience and the benefit of the user, right? And there are several companies that, that's their focus, right? There are just as many, if not more, companies whose interest in integration, interoperability is the aggregation of the collection of even more data about you that they can monetize. And this is where we constantly see the breakdown in the consumer identity space.
I was just having this conversation with a number of banks last week. You know, it was, it still is like, it's an anathema in the banking industries. And it has been for decades to say, I'm going to spool up all of this behavioral pattern, information about purchasing and all of this, about my customers.
And I'm going to turn it into a product and I'm going to sell it to the marketplace. Now that's not to say that in the banking industry, we didn't do all of that for our own purposes. Right.
Upselling for that type of thing, you know, but the idea of, you know, aggregating these, you know, component information about a customer set of identities and then selling them, it just doesn't fly. Right, right. Within the banking industry.
However, this is the perception that has, you know, kind of manifested within the consumer world, is that all companies do that. Right. But in truth, when we look at the segmentation, so companies that are providing interoperability and IoT integration, you know, to the benefit of the customer, they are less likely to create exposures relative to threat and risk.
Whereas, you know, I'm always like, you know, the Fitbit example is one of my favorite of all time, you know, the law of unintended consequences. I'm going to aggregate all of this information about a wearable device for all these people that are doing fitness.
And the next thing you know, antagonistic nation states have been bundling that data together and took all that anonymized data and figured out where all the top secret classified military installations worked for the United States based upon military personnel that were exercising on those sites. Right.
And that to me is the classic example of the lack of duty and care and security and management of that IoT and device frontier on the customer side, because I have all other kinds of interests, mainly revenue related, associated with that information. This is going to be a problematic area until it turns into, you know, either I would hate to see this space, because it's such a logical space to do good stuff. And I hate to see this kind of space, you know, resolve through regulation. We know that we've seen some IoT-related regulations pop up.
I think that the execution of IoT regulations will be a disaster for us to manage because of this, because of the pervasiveness of this device landscape that we have to interact with. But when you take a look at it, take a step back and look at that, you know, those categories of companies that are using the data as additional potential revenue or additional potential product, I think that's where we need to focus attention on helping them securitize and prioritize that information in a much more effective way.
Yeah, that's a good observation too. And actually the covert that can be given off by utilization of, let's say, IoT fitness devices, that's a whole different subject. We could spend some time talking about, you know, thinking about what may have been collected or harvested with the intention for marketing and sales purposes has another intel purpose altogether.
But, you know, I guess in order to wrap up, I just want to say, you know, companies in the CIAM business could help their customer organizations by fully realizing what their products can do, and then using them in such a way to improve the consumer experience. I think that, you know, consumer identity shouldn't be an enabler. It should be something that improves the overall consumer journey and not really hinders that.
I mean, there are cases where you've got products that require, you know, online activation and registration, simple things before you can use them.
And, you know, consumer identity should not be a roadblock to using a product.
And then same thing. It should be there to augment the overall security and privacy of the experience rather than forcing, you know, some license agreements. When you buy a product or use an app, more or less, have the take-it-or-leave-it approach, you know, we're going to take your data or you can leave the service. And those are very shortsighted, kind of heavy-handed ways of dealing with consumer rights and privileges when interacting with the consumer identity and access management, which is any thoughts on that, or any closing thoughts as we begin to wrap up here?
Yeah.
I would pull two threads out of what you just shared. I think they're great observations. The first is, again, I spent 20 plus years in the corporate world as a practitioner, IT executive management and operations IT, before I got into information security and decided to call it cyber security because it was cooler. But you know, in that 20 plus years, like, if you're in IT executive management, you do know that suboptimization of your current solution set is the bane of all of our existences, right?
We go out and we buy solutions and we don't leverage the maximum amount of capabilities that are tied into those solutions because, you know, in many cases, solution buys are executed for, you know, a point problem, right? And I have an audit issue.
I have an immediate demand from a customer set that I need to address, and I need to go fix that. I do think that there are substantial amounts of identity related technology in most organizations today that are not being leveraged effectively in delivering customer access management capabilities.
And I do think some of that kind of back to something I said earlier, it's just driven by the high degree of fragmentation on who actually owns a customer. And, you know, we see this tension and I think that leads into the second part of the observation that you made.
You know, we see this tension today where marketing organizations who have classically owned an aspect of a customer through a product set or through a relationship channel, you know, with an account and password, that the greatest concern in those marketing organizations is that they're going to lose the rich, rich context and content related data associated with that customer.
And when we think about the evolution of not just customer access management, but identity management in total, it's really interesting that the component pieces of data that are associated with each of the key interaction points that a customer identity has in their journey through a transaction or their journey through a life cycle with you, each of those spaces and places generates extremely valuable and, frankly, probably richer content and contextual data that marketing organizations are collecting today. When we think about authentication, right?
Authentication, how a person authenticates, what devices they authenticate, what are their patterns? They're extremely helpful, right? I experienced this with my phone all the time. Now when I get in the car and it immediately tells me how many minutes there are to the gym, because it knows my pattern and expects, that's where I'm going, right.
That's an interesting customer experience for me.
It was a little creepy at first. It was an interesting customer experience, aggregating information about, you know, my behavior patterns associated with the device that's in that universe. But then when we look at the authorization layer, and this is a topic we could spend a ton of time on, we'll look at the authorization layer. The authorization layer is the new frontier for improving customer experience, as well as improving security.
We have not done much collectively in the world around really creating a great authorization layer that allows me to use a single digital identity for a consumer, and then direct them, as well as protect them, to all of the resources and assets that are available to them within an enterprise. We've tended to do that with brute force, you know, an authentication call and, you know, federated applications, but we have opportunities now, and you mentioned them in your Compass: opportunities now with API economy, opportunities now with intelligence that just simply didn't exist before.
And I do think the key component there will be using the rich body of information in the authorization layer, across all the assets and all the capabilities available to a customer. That will be where we see the next big leap in innovation.
Yeah, I certainly hope so.
I mean, being in this for a while too, I remember working on authorization many, many years ago, and other technologies and models out there that will work. They just really haven't been implemented and used very widely yet.
And that's a great growth area. But, you know, in the business, I think we need to stop calling authorization authentication, or step-up authentication. Not everything is authentication.
I mean, step up authentication. Yeah. You kind of want to make sure it's really there, the person on the other end, but you're really saying to you would authorize this high value transaction.
So, I mean, there's this blurring between authentication and authorization, and it may even be helpful to get that right, conceptually, so that it gets implemented correctly. Yeah.
I agree with you. 20, 25 years now, and I'm still fascinated by the fact that we haven't all come to agreement on all of our terms and definitions. It does add to confusion in the marketplace and we probably all need to do a better job to come together on that.
Yup.
Well, thanks, Richard. Great conversation today. Thanks for all your insights.
John, thank you very much for having me. I truly appreciate it was a great conversation.
And we will make the recording and slides available. Thanks everyone for your time today. And this concludes our webinar.