Keynote at the European Identity & Cloud Conference 2013
May 14-17, 2013 at Munich, Germany
KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Keynote at the European Identity & Cloud Conference 2013
May 14-17, 2013 at Munich, Germany
Keynote at the European Identity & Cloud Conference 2013
May 14-17, 2013 at Munich, Germany
Now with no further ado, I'd like to have Jackson Shaw come up here. He's our next speaker. What's that?
Martin, my fault. You should click on this, but I've left here. Sorry about that. We should have, oops, free wifi tracks. There we go. Okay.
Sorry, Jackson. I was a little worried when I saw the title of Jackson's slide about mortality and morbidity, but he assures me that he's not about to kill off any protocols. Thank you. We'll hold you to that. Thank you. Cable testing. Hello.
Well, good afternoon everybody. Since the last time I spoke here, the company has changed, but I'm still me and interesting conversations. I'm not sure how much I want to. I want to get into this whole Zal thing. I'll say that it's hard to say that something's dead if it's never been alive, but that's a different story.
So I, you know, this is, this is always an interesting event for me. You know, I try to think a little bit differently about what I'm gonna speak about. It's very difficult with, you know, so many names in the, you know, in the field that are speaking. I kind of disappointed that, that Dave had to shut off his introduction of me. I heard 14 years ago and I thought there was gonna be all kinds of latitudes about me, but we miss them. So this is kind of a very different topic. Let's see if I can make this work. And this is how I came to it.
I was, I don't get to watch much TV, but for those of you that may not know Sanjay Gupta, he's the medical correspondent for NBC news in the United States. And I watch NBC news quite a lot. And they interviewed him one day and were talking about this book that he came out with and it was being turned into a TV program, a TV series it's called Monday mornings.
In fact, so I watched a couple of episodes of that, and it was really funny just to, you know, sit through that and see what these medical professionals were going through when they killed a patient, you know, and how they would get grilled and how they would get talked to and asked questions about what they could've done better to perhaps, you know, keep the patient alive. So, you know, it, it, it, I don't know why, but it just made me think a little bit about, you know, our own industry and what they call these mortality and morbidity meetings.
And they're basically all about trying to educate you about your mistakes. And it's really hard thing to talk about or hard thing to think about that, you know, you could be killed, you know, on the operating table.
And you're the subject of a meeting a few days later, we were trying to get that doctor that killed you to understand that perhaps he should have looked at your patient record a little bit more, or perhaps he should have done a history a little bit better, or perhaps he should have tried the procedure, you know, on, you know, a, a cadaver before he tried it on you for the first time. So like I said, I was, I was watching this and then I was thinking a little bit about, you know, our own industry and how could this relate to us.
So a little bit of a different take on some of the things, you know, of course the first thing I had to do is I had to look up what mortality, I mean, I understand mortality, but mortality and morbidity in the sense of, of medical terms and what they meant and how I could sort of translate that. So I said for mortality, you know, the definition is, is the number of people who die within a population and, you know, from an identity and access management perspective, I said to myself, well, what does that mean?
You know, to me, and you know, I've been doing this kind of work for quite some, some time now. And you know, one of, one of the things I thought of, well, you know, mortality is, is you've basically replaced your IM infrastructure. And I don't want anybody to, you know, volunteer information. They don't want to volunteer, but how many people in the audience are on their second, third, fourth, fifth, or sixth identity infrastructure? I see one gentleman is, is, is honest enough two, okay.
Two, two out the audience I'm willing to bet it's more, but that's alright. And morbidity refers to the state of being diseased or run healthy. And your I am infrastructure is unhealthy, is kind of my, my parallel to that, I think fairly easy to, to get from those two things.
And I wanted to talk a little bit about both of these, you know, different situations and, and, and you know, some of the learnings, you know, we've, we've spent a lot of time as identity and access management experts at these conferences and other conferences talking about the high level things that cause failures in IM projects, you know, not having an it driven project, not having the right requirements, you know, having dirty data, you know, the big bang approach where you spend two, three years working on your IM project and everything's supposed to come out at the end.
And by the time you get halfway through your funding is gone and your project is canceled. And then of course, misaligned expectations. I can't tell you the number of times I've seen a, a CIO say something like, well, I, I thought I was getting single sign out of this. Where's my single sign on. And there was no alignment of expectations with the executive team with what you were doing.
And of course the standard prescription we get for these things, which again, if you've gone to some of these conferences, if you've read information from, from KuppingerCole or other Analyst firms, you, you, you know that you have to be business driven, you have to have a business sponsor. Again, something that Martin was talking about earlier, you have to document and validate your requirements. You have to do discovery and clean up of your directories. You have to have quick win milestones. Let's get self-service password reset implemented right away. So we can show some value.
Let's have a strategic and tactical plan. These are all things that we have as business people, or as I am experts that are part of our sort of prescription, but, you know, it's like everything else. My doctor has already told me all of these things, okay. He's told me I should lose weight. He's told me I should reduce my salt intake. He told me I should, you know, exercise more and get more sleep.
But yet, you know, is still the possibility that tomorrow I might not wake up because of one of one of these things. So despite all this advice, whether it's health advice or whether it's identity and access management advice, we still fail. We still get sick or we still continue to be sick.
And, and why is that? So let's take an example. I actually mean a last minute change, cuz I did have the company name here. And even though I didn't think it would be too much of a problem to put the company name. I decided at the last second that I, I wouldn't, I wouldn't really wanna embarrass anybody more than I need to, but all of these are real examples.
And, and I'll, I'll give you some examples of, you know, some of the things I've seen. So this was an identity lifecycle management solution at this particular company that, that in fact, I'll admit we were implementing now, since I've worked for a lot of companies, you won't know which we, it is.
And it's, I'll tell you it's not Dell. So it was prior to Dell. So the phase one of our project, this should be very familiar to you. If you've implemented an IAM project, you know, let's start with the HR data feed. Of course, you know, the HR people wouldn't trust the IAM people that never happened. So it's always a one way feed. Then you need to join that information to active directory include the organizational structure.
And everyday HR gives you a new feed with the number of people who've been fired and the number of people who've been hired and you're supposed to, you know, do all, do all that life cycle work that an IM project is supposed to do. So with any company, this one was an, they, they went through an interesting organizational change on their way to bankruptcy. And they had quite a large rationalization of people and a lot of changes in departments.
And you know, sometimes at companies, if you can't, you know, save, save by firing people, you saved by reorganizing everybody and calling them in different departments. So this is exactly what happened at this company. And what ended up happening is the way their system operated, the way it was set up. They basically deleted all the employees from the old departments and created them in all the new departments. So at face value, the patient looked healthy.
You know, Jackson was no longer in sales. He was now in marketing and the people who were in marketing were now in sales, et cetera, it all, it all looked fine. The problem was that because this system actually deleted the people and then recreated them. There was a complete loss of all the, the, the global unique identifiers in windows for those people, they all lost access to files that they had to group memberships and they had, they had, and basically the cleanup and everything else that that had to happen was was something that basically we killed this, this, this, this customer.
Fortunately, we happened to be smart enough at the time that we took a backup of their, of their directories. But, you know, my point being that an experienced doctor can still kill a patient, you know, by forgetting about a few basic things. And just a, you know, a couple of examples on morbidity. This one is one that is a personal experience of mine.
In 1996, I worked for a little company called zit corporation. And I mean, this is literally, you know, I just moved houses. So I went through all this, you know, when you move houses, you always getting all your things and you're throwing things out.
Oh, I had these old notebooks that, that when I was at zoom it, and I happened to open it up and I saw this, you know, some notes about this company. And I thought, geez, wow, that's really interesting. Cuz in 1996, these guys called us up. We were a little company in Canada, not very many people. And they said, Hey, we really like to try your software out. We're looking at IBM, we're looking at Noel, we're looking at world talk. If anyone remembers world talk from those days or ISOCORE there you go. All from the, the late nineties.
So, you know, we supplied our software a little while later, we heard we weren't successful. I actually said at the time, well you'll call us again someday. They did in 1999, they called, they said, we'd like to try your software. We're looking at IBM Noel world talk and ISOCORE. And I said to myself, oh, let me look back in my notes. I think I talked to these guys a few years ago.
We did, we weren't successful in 2001. They called us again and they didn't call us because they hadn't implemented a product. They called us because they had bought a product and weren't able to implement it.
So, oh one they called at the time I was at Microsoft. We'd like to try your software. Here's who the competition is. We'll see if we can be successful with these, with, with you. Of course they didn't, they didn't choose us at the time in 2006, they called again. So you get the point. They actually called again recently, this is the same company. This is number 1, 2, 3, 4, 5 times. Now that we've been bidding on identity and access management software for this company. And you know, I, as I say here, I think this patient is sick, but doesn't know it.
You know, how many millions have they already spent? My, my point being again, that a lot of companies just, sometimes they don't even understand what they're trying to do. It's almost like you're watching, you know, those infomercials at night where, you know, you can buy the, the gizmo that you strap around your abdomen and you lose, you know, 50 pounds overnight or, you know, some other kind of pill that does whatever, whatever wonders. But in this particular case, you know, this, this company has literally spent millions and millions of dollars, which is, has been quite surprising for me.
I I'm, I'm not sure if it's, if it's, if, if they're just not firing the right people or what's happening, but it sometimes amazes me that, that despite all of this, they can continue to do this. And it's, they're not the only company that I see this this happen with about a year ago, year and a half ago, I had the pleasure of going on a three day tour of some seat with some CIOs. And it was really interesting for me because I really got to spend some personal time with some folks that were making some big decisions around identity and access management.
And this, these were all folks in, in Calgary, in Canada. The interesting thing out of the six people I asked each one, you know, are you happy with your identity and access management platform with what you're achieving with? I am five of them told me they weren't, which was pretty incredible to me. These were, you know, big companies, small companies, but very surprising to me, the one that was happy was a Noel direct XML customer.
And yeah, and you know, he was a very honest guy. He said to me, well, I, I I've made it work because I used to work at Noel and, and I'm not ever gonna upgrade it because it's working as it is. But the interesting thing for me was this, this quote and I, I, you know, honestly tell you, this is exactly what the CIO said to me.
He's a, a CIO of a 4,000 person oil and gas company in Calgary. And he said, Jackson, we've spent $9 million so far. And we aren't even deep provisioning, active directory. That to me was, you know, flabbergast. It just floored me. And he said, and they've just asked me for 13 million more. So it was one of those things that, again, from a whole aspect of, you know, can we be successful?
You know, we can have these difficulties. Anyway.
I just, how many people are familiar with the Calgary stamped? Do you know what the Calgary stamped is? Cowboys and all that jazz. So I saw the co CIO the next day at the Calgary stampede. That's him right behind the barrel there. Another quick example company I dealt with very large company, very influential company in our industry. They were hacked, had their source code stolen. After a one hour meeting with us, they spent $3 million over 3 million privileged account management, directory consolidation, auditing software, identity management, the whole kit and Kubota, the whole nine yards.
I mean, awesome. You walk in, you sit down, you talk to somebody. Yes. We can solve your problems.
Look, the person in the face, shake the hand, get the software. Six months later, we talk to them. Nothing's deployed not a single thing. It just totally, totally blows me away. That here's the situation of being given the prescription, but this company doesn't even wanna doesn't even wanna take the pill. So as I say, here, they'll be back in the hospital or dead. So what is the prescription?
You know, we've got all kinds of information about what we need to do. You can go out there and cruise the internet. You can find all these pieces of information about do this, do that, do the other thing. But I think one of the thing is, is it's not enough. We don't live in an unchanging environment.
You know, we have new diseases, so we have new mortality and nor new morbidity, if you're, if you're familiar with the Twitter hack and associated press, how could they have prevented that our tools today aren't necessarily built to prevent a lot of these things. So we're gonna see more and more of this happening. So my final thoughts are, well, we reward successful IAM projects. And I think tomorrow night we're rewarding, successful IAM projects. And we learn a lot from successful IAM projects, but in all honesty, to me, one of the biggest things that we can learn is from our failures, right?
Because failures help to teach success. So as I say, here, learning from a failure is success. So I'm asking Martin, and I'll ask you guys the same thing. Why don't we talk a little bit more about failures? Because I think people can really learn from how we've made mistakes with some of our, our, our, our projects. So let's celebrate and reward failure, whether it's, you know, we're gonna do IM next year in an access governance and intelligence project, a cloud security project. But how about the best failed project for a change? Right? Remember failure. You can't spell it without you.
So thank you very much. Thank you, Jackson.
Yes, sir. That was, that was wonderful. Especially the fact that you showed us how through your failures, you had to keep coming back to the same company five or six times before they, they did eventually buy the product. Right? I Think they're still Looking.
Oh, okay. Well there's hope then for the rest of you.