So, first of all, good morning, everybody. And I also realize that I'm standing between your breakfast and the conference. Normally it's the other way around. So I like the, like the opportunity to, to do this today. I'm going to talk to you about how digital identity can help enable your organization's digital transformation and cloud transformation. So on that specific opener, I wanted to start with pointing out that in a lot of cases and a lot of organizations, we see that cloud and digital transformation go hand in hand nowadays.
So we have to really keep considering that when we are thinking about this topic. So first I'm going,
Ah, there we go.
First, let me tell you a little bit around my, about myself. I have about 20 years experience in identity in, in enterprise it, and the last 10 years have been focusing on identity and access management. But before that, I actually was working at the company when I was in the management team and we were supporting clients with what we then called online customer interaction. And nowadays we call that digital transformation in the identity space.
I work in the work workforce space in the customer space, in the privileged access management space and also in the identity of things because all of these things collide in the work field that we are working in. And I lead the impact center for which is a team of business consultants, architects, and engineers, to help our clients to move from their strategy towards their execution.
And when I started in digital identity, one of the things that I noticed also coming here was that there was a lot of talk about the technology part.
And there was a lot of talk about standards and how do we do standardization? But we didn't have a lot of people that were already thinking in, in, in business value. So I formulated an ambition that as a digital identity community, we should get out of the basement and into the boardroom. And sometimes that is already happening because of ransomware attacks and all of those type of things. But I still think that there's a lot of, a lot of gain to get from that perspective. So today I'm going to talk to you about exactly that, but I'm not going to do that, to do that by myself.
I'm going to do that supported by 5,000 CEOs and by 3,600 CEOs, because every year PWC has two surveys that we send out.
One is the CEO survey, where we are talking to CEOs to understand what is keeping them up at night. And secondly to 3,600 CEOs to do exactly the same thing. And both those reports, we have been running for 15 and for 25 years, we also make publicly available. So it is for everybody to see and to use. And I'm going to relate what is keeping them up at night towards how we can deal with that from a digital identity perspective.
And when I say digital identity, I also mean identity and access management, but that's a little bit of a loaded term because if I talk to a lot of my clients and they are talking about identity and access management, they consider that to be the technology team that is responsible for infrastructure. And that is responsible for making sure that we do a lot of the technology implementation.
Well, I look at it as an capability that needs to be driven from both the business, the experience and the technology perspective, but enough about me, a little bit about PWC PWC, digital identity team is part of our cyber security practice. So we consults around risk and governance. We do threat intelligence. We help our clients with crisis management. We do forensics, we have it and OT security operations. And of obviously we also do identity and access management. And this is getting noticed by the Analyst as well.
So we see that we are in the top right corner of the, of the forest away for report. And digital identity is at the core of the cybersecurity practice. So we have globally 1200 people that are focused on a day to day basis building and maintaining identity and access management solutions. And out of that, we have 350 already in Europe.
So we are building trust in society by making identity matter. So let's look at CEOs. Think I already said we do a survey every year.
Last year, of course the pandemic was pretty high up on the radar, but you already saw that cyber risks were considered to be the next near trend. And this year we actually saw that cyber risk overtook the, the, the, the challenges that the CEO keeps up at night and with that have increased now against the pandemic risk. So if we're talking about this and we see that cyber is the highest risk on the agenda of the CEO, we also have to look at what that means.
Of course, those people are being bombarded with news items around ransomware attacks and other type of cybersecurity incidents that could potentially triple their business. But secondly, we also see that there's other reasons for this.
So first of all, what we need to understand is that the promise of digitalization equals a 10 times accelerator for business growth.
And this is very appealing for a CEO because he needs to deliver the value that the shareholders are expecting at the same time through digitalization, the complexity of the organization increases again, and the technical depth increases also again. So having that said, there's a lot of things that they need to consider. So if we drive a little bit deeper in what is then the reasoning, why cybersecurity is so high on the, on the risk list of the CEO, we have to consider what are then the thoughts behind that. And they're not talking about having appropriate access at the right time.
They're thinking a little bit different. And what they're seeing is that CEOs are more most concerned about the impact on the top line.
And that cyber threats are actually seen in the perception of the CEO as the biggest risk to sell products or services in the digital fashion, or to do innovation on products or processes. So if we consider the promise that we as identity and access management people make, we see that we help provide the right access at the right time for the right reasons, and that we are able to report on that.
So we need to consider how can we balance out the story that we tell as a digital identity capability towards, towards this question. And there you see that, there's an interesting, there's an interesting thing going on. So let's look at what happened during the pandemic. All the businesses needed to reinvent their business model again, and their operated model.
Again, thinking how can we provide digital services to both our customers and our employees.
And that was a huge investment in technology in order to make that happen. And in order to enable that, then secondly, they also thought, okay, if we are building all these services, we need to be able to provide access to that as well. And when the business has a problem, they go about and they start fixing it.
So a lot of the new products and new services that were being built have actually circumvented the IM team within the organization and have built something themself leading to point solutions, which is so optimal for a variety of reasons. And the first reason for that is that now those businesses actually have to maintain those solutions themselves,
But there's more to think about.
So thinking about this, we've established that your organization has moved from digital from, from value chain, thinking to digital ecosystem, thinking we also have established that the business have gone about and solving their IM challenges on a product by product basis, leading to inefficiencies, which is hindering them now to start building out more innovation and more products and services, because they also need to spend time on building out those further proprietary identity and access management point solutions.
And on top of that, we see that laws and regulations are actually becoming more increasingly intense. And secondly, also more, how do you call that also more executed upon and forced upon? So that leaves to, to a complete set of other problems, because we as PBC also have an audit practice. And one of those things that is happening, if we're thinking about brand value, and if we think about trust, we con connect that of course, to laws and regulations.
And what we also then see is that the audit practice is typically not really happy with the fact that all these point solutions starting to come about because the business then still needs to prove that they are actually in control. So it's not only the fact that the technology team needs to maintain the IM solutions that they've built, but there's also a lot of more burden on that those teams to actually prove that they are in control of that, of that process.
So having that set with cyber and privacy becoming more complex, we see that there's an increased demand on the identity and access management team, because now in the last half year, we see that a lot of organizations are now starting to look again at their teams, their identity and access management teams to help solve this puzzle. And it's a complex puzzle.
So there's also not a golden bullet solution for this, but I do see a couple of things that I think that are very relevant and where I see organizations actually excelling their, their digital identity journey and really becoming a business partner for their organization. And when they think about identity and access management, they think about three things. The first one is the question, which business risks are we actually trying to minimize? And I'm saying minimize because you cannot take away business risks. CEOs understand that doing business also equals risks.
So the question is, what do you want to do? Which risks are acceptable for your organization, and how do we translate to what we are doing in terms of those business risks and from an identity and access management perspective? I consider three business risks to be the most important to think about the first one is data theft, either being IP data or PII data and risks that are associated with that. The second one is loss of money, either through fraud, from internal employees or extortion from ware attacks and those type of things.
And the third one is considered business disruption and business disruption comes from both a cyber threat perspective, but also from poor IAM processes, not leading to the right digital solutions for your organization.
Secondly, we need to start thinking about how are we going to help our workforce, our third parties and our clients to love interacting with our organization. And this requires a complete different skill set than what an IM team normally comprises. Because here we need to think about business process design.
We need to have the right conversations with our business partners on their topics and how they are partly responsible for doing the same work as what we are doing. And we need to consider business experience design as well. So the team skill sets that you will need in the future in order to remain relevant for your organization, I think is very, very pivotal. And thirdly, we need to think about, of course, the technology part, how do we design and implement the technology to actually support our processes?
And that is something that has changed also quite significantly, because we are living in a new world, the post pandemic world, where we have a hybrid way of working where actually the workforce is expecting to have the same usability and the same interaction as they are getting from companies that are not even in your own market and for customers, it goes the same way.
So really thinking about sort of, how do we make sure that we are not using old identity and access management concepts and technologies in this new world will really help us to drive change?
So at PWC, we believe that integrated design thinking will make the difference in this area. So what we do is we have built the BXT philosophy, which stands for the three lenses that you need to consider when you are doing, when you're doing your identity and access management programs. And it's the business lens, the experience lens and the technology lens. And the reason why we started to do this is because we saw that a lot of clients invested heavily in doing identity and access management transformations in the last 10 years, but not all of them were really successful.
We also saw that we also saw that had the solutions typically were suboptimal. I've seen for example, solutions where we had, where there were solutions that were built for 5,000 employees, but ended up with more than two and a half million roles, which is pretty difficult to maintain on for us, but also not really helpful for our business organizations as well.
So I have a couple of examples on all these on all these areas, just to sort of, you know, get the, the thought process flowing a little bit around that. The first one is you have to be a business peer.
So you have to ensure that you regularly talk to your business partners in HR, in the downstream systems to really understand what are their challenges and those challenges don't need to be identity and access management challenges. It is really about what is keeping them up at night. What are they trying to, what are they trying to organize and focus? Because here we have to understand that identity and access management is a business process. The same way that getting employees in your HR system is your business process.
Getting contractors in an external system is a process doing a contract with a business process outsourcer or with a client is also a business process. And you have target systems like HR that are doing those processes. Then you have us in the middle and then you have, sorry, authoritative systems. Then you have us in the middle and then you have to target systems where your employees actually need to get access to, or your customers need to get access to. And you need to look at that flow end to end in order to really make a difference.
Secondly, we also need to start thinking a little bit differently because yes, it's our responsibility to do, to do identity and access management, but that doesn't need mean that we have to do everything ourselves. We can also look at what can we actually allow the business to do themselves in order to help them to make that work. So focus on building centralized processes, but letting the business also take responsibility for their process.
And that is not telling them there is a great car, go for it and drive it, but also helping them to understand how they actually need to drive the car so that they understand what they need to do. And a lot of times in the programs that we are in, this is one of the most critical factors of the success of an organization in this space, because an operating model is basically the handshake between all the different organizational departments that need to do something and getting that very clear. What the expectations are typically is not a situation.
And also goes far beyond the reach that we as identity teams typically have because we're residing somewhere in it department and then explaining the business, Hey, you need to take responsibility for this. That's a pretty difficult task to do so here, you also need to get the support from your business leaders to make that happen.
Looking at the experience side, one of the things that we started to do as well is we started to build personas and it feels a little bit like we're a marketing department.
The first time that, that, that I was thinking about this, I was actually thinking the same thing, but we, we spent time on it anyway. And we started doing this with clients where we really helped to understand, okay, which personas do you have in your organization? Because we all know the typical office worker and the contractor, but we also have to consider that a lot of the other parties within an organization are also starting to use identity and access management more and more.
So currently we're working for a large global retailer that also has a manufacturing plant that does distribution, that has a whole bunch of personas that are not digitally adept people.
If you're in a factory and you have huge gloves on, and you need to use a system only once a month, because for example, you need to file an incident report on something that happened in the factory. First of all, they will not remember their password because they only go in there once. And second of all, try to get putting a password in if you have an enormous big glove in.
So you really need to think about those solutions and how can you actually build solutions that are helping those personas as well. So we started to do that. And then at a certain point in time, we were talking to the HR department of that organization and they actually liked the idea of those personas so much that they are now using those personas that we build for our identity and access management purposes to actually use, to help to drive their own digitalization agenda within their organization as well.
And this is I think, a great example on why this is a very, very relevant, very relevant topic. And also thinking about the, not only the end user, but also the line managers and also the application owners think about how can you actually simplify the life of those application owners and of those life line managers. And this comes back to sort of not telling them, okay, this is what you get.
Then, you know, go, go away for half a year, but make them part of your journey, show them on regular intervals, what you are actually delivering for them. And the slowly you show it, even if it's in a better mode, the better impact input you get back from them to actually help them to get their lives better so that we are working as, as one team with those, with those departments, from the technology side,
One thing that we all think of course, that we have under control, but I still see a lot of, a lot of challenges there.
The first thing that I really would like you to consider is that all of your digital teams are going DevOps. So we should consider to do the same thing. We started doing this within PWC about four years ago when we did our first DevOps project. And what we now do is we do all our technology capabilities. We build that in a DevOps way, as much as possible because that actually help us to save a lot of time in the development, because a lot of the, the effort that we need to put into is as digital identity people is actually a regression testing.
Understanding if we change something in the system, how will that impact the data flows that we have around this and using DevOps really helps you to automate those builds and to make sure that you are on top of this.
And one of the beautiful things that we can now do within PWC also within the agreements that we make with our clients is we explain to them, we bring in our IP. So that means that we can push our products and our artifacts in our C I C D pipeline towards client pipeline so that we can actually leverage that within those projects as well.
And we see that now with a couple of clients that are, that are doing this, and they're actually also wanting to have the subscription on those artifacts themselves, because it saves them so much time in developing their solutions.
And finally, I would really urge you to decrease your technology depth. And I think if we go back to the start, we saw that CEOs think that cyber risk is one of the biggest threats to the organization's growth.
And the reason behind that is because it's very difficult to get to a situation where you're actually not increasing complexity, but you're decreasing complexity. And I think that cloud is a very important factor here. So the promise of cloud is that we can simplify our business processes. And I've seen a lot of organizations that find it pretty scary to move to the cloud because they have a whole list of requirements that typically an identity and access management solution in the cloud cannot already fulfill. But there's also a reason for that. And that is because this is the market standard.
And if you are talking market standard, then you're talking simplicity.
So I would also urge you to look at that. And of course you need to, you, you know, we, all of us drag a lot of legacy with us, but I do think that organizations that are being successful also change that legacy application landscape and where that moving towards moving towards cloud really can help. So we let legacy deal with the legacy and for all the new systems that are coming in, we're trying to use cloud as much as possible.
So this finalizes my conversation, but if you want to learn more about this, we are here with 31 people today out of 16 different countries. So you can look us up at our stand or during the thing. And we also have a new set of cloud transformation articles that we are pushing on LinkedIn, that you can also, that you can also read and see some thought leadership from PWC on the engineering side as well. So thank you so much for listening to me and I hope this was really helpful, and I wish you were very pleasant confidence today as well.