Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor with KuppingerCole Analysts. This is the final episode for 2024. And for this episode, I have invited my colleague and one of the founders of KuppingerCole and the principal analyst, Martin Kuppinger. Hi, Martin. Good to have you back.
Hi Matthias, pleasure being here again and thank you for inviting me.
Yes, of course, last episode we have always two choices. Either we look back on 2024, so what happened? This is something that we did already. Much more interesting, especially when we're talking to analysts, which we are, is having an outlook to the future. What will happen? What do we expect in the topics that we as analysts cover? This is IAM and cyber security and a bit more. What do we expect to happen within the next 12 to 24 months? And this is what we want to do. We want to have a quick check on what can we see as trends. So I hope you have your crystal ball available for looking into the future. And I know you did some research already on the topics that you recommend to see those, what they should look at are the main trends? Where should we start? Where should people look at for 2025?
Yeah, so I think when you look at the CISO part, it's clearly a bit more down to earth because as a CISO, you need to tackle also the just day-to-day challenges. So there are things in which just need to be done, sort of groundwork like implementing and continual and a recurring approach for revisiting your cybersecurity tools landscape and optimizing it, but that's not really the forward looking part. When I look at forward looking elements in that world, clearly there's everything around AI and how will AI impact that entity? How will AI impact cybersecurity to the good and bad? There is governance and ethics and whatever else. Then there is which I see really becoming more important as this sort of preparing for crypto agility. So we have this sword of Damocles of quantum computing potentially leading to a situation where traditional encryption can be broken. And so we need to be prepared. That is clearly one of the other things. One of the themes that is also very hot on the list is non-human identities. So finally, I think, and we had in our identity fabric from the very beginning, so since almost 10 years, 80 years at least, we have other identities of things, of devices, everything. But it's really becoming a mainstream topic and we need to tackle it because we're talking about many, many more identities. So the numbers are 40 to 80 times the number of human identities you have as non-human identities and probably growing. So these are some of the themes I see aside of the sort of down to earth themes and the CISO agenda probably go out before this podcast. So it will be published already, CISO agenda 2025 when the podcast is released. So there will be a lot of more detailed information is available.
The good thing is if I now look back to what we did recently in this podcast, some or almost all of these topics we have already covered. I've talked to Alexei about quantum safe cryptography and crypto agility. We have been talking about non-human identities. So there is a theme that continues into the next year, which we already have covered and you've mentioned the identity fabric, we've added all these placeholders for new types of non-human identities into our new identity fabric as well. So this is something that we really, really already covered. And if you are interested as you're listening now to this episode, you can go back in there, just a few episodes. Lots of these topics are covered in depth already. I want to have a look at, and you've mentioned that AI to the good and bad, and I think that's an important part. dealing with AI properly, I think this is a challenge that is not necessarily fully understood in all and every organization, how you can deploy it for the better, for the good, and how you apply it just normal categories of efficiency, cost efficiency delivering results, getting to a proper milestone plan when it comes to including AI in your business and in cybersecurity. Is this something where you think organizations should work more on?
So I think we must get away from the marketing fuss around AI. So right now there's an AI badge on everything, including my webcam. So if I go back a little, will see there's, hopefully you will see in a second, there are some AI which follows me or if I click over there. So my webcam on a good day at least should follow me unless I have set it to the fixed angle which might have happened.
True.
I did a webinar yesterday, maybe I haven't switched back, but my webcam is AI powered. How much AI is it? Honestly. So I think we need to get rid of this fuss because this fussing is really something where I feel this is not the thing we should look at. We should look at where's the real potential. By the way, we also talked about AI. Not that long ago, we talked about AI identity is something I feel is very important. the identity of AI components, bots, et cetera, the relationships between humans and the bots acting on their behalf, all this stuff is, from my perspective, part of what we need to look at. But we also need to primarily look at what is the real benefit? So does it make us better? In that sense, AI is augmenting intelligence incredible potential for that. think many of us who have played around have learned they can do certain things much better. But I think everyone also has learned. So when you use ChatGPT, quickly learn that ChatGPT sometimes hallucinates. So we also need to learn to understand what can be done with that, how valid are the results? When can we trust the AI? When can't we trust the AI? What do we need to do to ensure that the results help us and don't at some point turn out to be so wrong and invalid that we need to repeat the work? And I think this is part of the learning which also goes into explainability, which is not a new theme. I remember I've been a speaker at an event and someone from IBM talked back then, it's probably almost a decade ago, talked about explainability and solutions in that case in IBM Watson on how to do that. We need that. We need these things. But on the other hand, I'm absolutely confident that all this copilot and however you call it stuff can help us tremendously in doing our jobs better. There are so many things where it really can help us by just also delivering some new input or formulating something which we provide to the AI when we use, for instance, ChatGPT. So overall, I'm positive, we need to be very also, we need to be aware of the challenges and that and we need to get better. And this means those processes around AI usage governance processes, also implementation processes. We need to learn how to maintain and improve prompts and have a versioning of prompts in a proper manner, et cetera, to make it reusable. So as long as the problem to something which is invented by someone, stored somewhere and not reusable, the value is relatively limited. So we need much better tools that are totally perfectly aligned with what we use in our work. So getting rid of breaking processes by having specialized tools for whatever my favorite topic markdown breaks the process. Doesn't make sense at all.
Right, and you've mentioned that I agree that we really need to get rid of the notion that prompt design is an art form. It is just a toolkit that you need to use. And you've mentioned versioning and making prompts available within an organization just to spread the knowledge and to improve the overall team performance. If we apply that back to our core, knowledge areas, are IAM, cybersecurity and more. If we apply AI or machine learning or generative AI to IAM, where do you see the real benefits coming in the next 12 months?
So what I currently see happening is building integrations. So how do you set up integrations? AI can perfectly augment. We see a lot of AI, not only in the analytical, but also right now in the generative AI part and in the entire, I would say the or broader SOC, security operations SOC space, where the security analysts are supported, they get the right information they need on, they gain more insights, etcetera. So this is extremely helpful there. But I also see more more things happening around sort of usability. So prompting your IAM system if you want to have a report instead of manually building These things are areas where I see we can really improve the efficiency we get. We can get to them much faster, much better. These are, from my perspective, really super interesting areas. But I think we touched a bit diversioning, etcetera, stuff. think this is one of the maybe the dark hidden secrets we currently have in IT also, when we look at, for instance, at orchestration. So everyone tells me, hey, we have a cool low code or low code orchestration capability. And then I ask, okay, do you have versioning place? Do you have an AI-backed auto documentation capability in place? Do you have a staging process in place? So these are the questions we need to ask because the risk is that like with prompts, that's the same thing. All this no-code stuff will really get out of control. So we probably will have a lot of implementations here, no-code, low-code, a lot of prompts that are there and no one knows where they came from. No one knows what they exactly do. No one knows how to maintain. We need to bring them into a proper process.
Yeah, I would fully agree. And this also has to deal with the fact that the same prompt will not necessarily lead to the same results tomorrow because also the knowledge base and the way the AI is trained will change over time. So there needs to be an adaptation as well. We cannot close down this episode. Sure.
Yeah. A good point I think you've made. Looking forward, what do we need to do in 2025? We talked a bit about opportunities. What we need to do in 2025 is really we need to look at orchestration, but we need to do it right. Orchestration is a cool thing within parts of solution cybersecurity and identity, but also to integrate everything. Superb, but we need to do it proper. AI, great thing. We need to do it proper. We need to prepare for upcoming changes like quantum safe encryption. We need to deal with in a better way with non-human identities. One of the terms I heard quite a couple of times in the past weeks is Vault Sprawl. So yes, if you have a lot of point solutions for dealing with non-human identities from this development area, from here, here on whatever IoT identities, it doesn't help us much. It helps us a bit in the particular domain, but we need to get control about it. We need to have enterprise approaches. This is what we need to do in 2025. These are some of the top areas. So right now you can summarize.
No, we cannot close down before just looking at one single topic that really was also, if I look back to EIC 2024 and I look forward to EIC 2025, I think the topic of decentralized identity, it was a huge topic there and it really raised a lot of attention. Now we are one year, almost one year later and finally seeing decentralized identity in the wild, hitting reality. This will be a topic again. Do we see it in everyday life?
In 2025? Probably not. So I think from the EUDI wallet perspective, the end 2026 is a target date. And we see it clearly, we see it in many countries, we see some of these identities in life, which are not decentralized. Decentralized identity also, comes not only in the EUDI wallet, it comes in other initiatives. I think what is important is that we maybe as the entire community step a bit back and think about how must this concept really look like from a perspective of holder versus wallet? We are issuing credentials to the holder, not to the wallet. There might be multiple wallets and they might be on different types of devices, not only the smartphone. And we need to look at it from a business perspective, from a business model perspective. If you just look at identity verification, a bit of authentication, it's hard to find the perfect business model. If you look at a bigger picture and much more powerful decentralized identity use cases, which really improve the entire backend process. Then we are quickly in an area where we talk about millions, hundreds of millions, sometimes even billions of euros or dollars in savings in the process cost. And then there's no discussion about the business model anymore because then there is a business case. So we need to probably take a bit of a broader perspective beyond what currently is in the scope, especially if EUDI wallet initiatives, there's much more in that and it will very likely, and I'm very positive on that, become successful. The interesting question is which wallets, for which use cases, by whom, when?
Great, thank you. So if we sum it up, if you look into the future, the next 12 months, and we have to name four or five key topics, I come up with non-human identities, I come with quantum safe encryption, you've mentioned AI being everywhere, including modernizing identity processes, and you've mentioned the way how we need to deal with decentralized identities and how they really can make sense. So these are five great topics I think that we should follow up on.
And orchestration, that's now up to six. And that is also of importance because that allows us to achieve the scalability that we need. And that's something that is not fully yet grasped how this really can work for many organizations just to scale things up quickly by doing orchestration automation, AI support here as well. So this is the last episode for 2024. So of course we need to say Merry Christmas, Happy New Year. And of course, hinting at EIC 2025 that will be in May again. This podcast goes on hiatus for two months. So we are doing an extended Christmas vacation. We will be back on the first week of March and then we will cover all these topics and more running up to EIC. Until then, Martin, thank you for being my guest today. And final words, anything you want to share for the audience before we close down?
Thank you very much, guys. Happy holidays.
Good one. Okay. Thank you very much, Martin. See you next year.
Thank you, bye.
