KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Okay. So many of you have probably read the high, the headlines that there's been a what's called the great resignation or the big quit. As some people call it, lots of people changing their jobs. So maybe a show of hands. How many of you in here have changed jobs in the last 18 months? Wow. That's like 70% 65.
So, and that, that is the trend. I think, from COVID everyone was thrown out of their normal work environment where every, you were used to your day to day, you're used to your commute. You're used to going to the office, everything was structured. You're thrown into this more chaotic world where you didn't know how long it was gonna last. You didn't know what was gonna happen.
We were, everyone took restock or rethink thought what they, what they wanted. Once COVID started to look like it was going to be over. I've heard a lot of stories, people leaving it and becoming hazelnut farmers and all kinds of interesting things. People just reevaluating how they wanted to live their life. After COVID. Many of us don't want to go back to the office. Every remote work is the new normal. So a lot of headlines, I mean, in the United States, people were stampeding toward the exits. We were over 4 million employees leaving voluntarily, leaving their jobs every month.
So records like we'd never seen. And of course in it that's that can present a lot of challenges. Of course. So quitters market, you see the, the statistics, it's not just us. Germany actually leads Europe as far as voluntary levers people leaving, leaving their jobs.
But again, it, it started during last year peaking around four and a half million per month. And that's gonna have a dramatic effect on all, all businesses. And for those, even those that weren't leaving a huge percentage of them, even if they haven't left yet are thinking about it. So it's not over, we're still seeing this big transition right now. It it's not related to any particular industry. Some industries are hit harder. Some of them management consulting, internet enterprise software, probably a lot of us here are experiencing that services. Industries got hit pretty hard as well.
And what, so we're losing a lot of people leaving their jobs, changing what they're doing, and that the impact from us on us from a cybersecurity perspective is that that's leading to a big gap in trained and qualified people to run and protect our infrastructure. Now it's not like we didn't already have a huge skills gap. They estimate what 65%, we need a growth of 65% to actually be at an effective level of staffing to secure our organizations, you know, with all of the new nation state hacking and everything else that's going on. We were already in a big deficit.
And the, if you, if you look at the studies, it, it's not a new thing. We already, even before COVID and the, the big quit, we already had a huge gap and it's not. And the sad thing is it's not improving. So they've been working on it for years. It's not improving. We can't really recruit or train people fast enough to keep up with the growth. And what does that lead to? We all know what that leads to, you know, things get rushed into production. They're unsecured.
No, one's. We don't have enough staff to add adequately managed and look for vulnerabilities. So things happen. You get hacked, you lose data, lose your reputation takes ahead. And of course, what is the effect of this on the people who did stay those of us that are still in their jobs, when everyone else left, it's basically just more work, you know, same amount of work, the work, the workload didn't decrease. It's just that now you have fewer people or you have new people that you're training a new person takes, you know, half your day.
It doesn't really help you for, for six months to a year. New people are more of a hindrance than they are a help. And of course, this is cause a lot of like existential angst and emotional crisis where being overworked and, and being in an industry where, you know, problems can be very dangerous to the company. There's a lot of pressure on us. It's led to a lot of people just having a tough time.
I mean, even 28% of people surveyed knew someone or was someone who'd had, you know, it led to really bad consequences, drugs, alcohol, depression. So what do we do about it?
We'd say, well, let's just ramp up the hiring, but we've been trying to hire and train and skill people up for years now. And it's just, it's extremely difficult. Not enough people that are, have the adequate background to get into cybersecurity, not enough. I don't know, knowledge or PR getting people into cybersecurity. I'm not sure. Maybe people think it's too difficult. I'm not sure. Yeah.
But, but it it's so trip hiring and training. Isn't the solution in the short term, you know, it's something that everyone needs to do in the long term, but it's not a short term solution. So the question is what, what can we do about it? What are some of the things we can do to try to get through this mess or, you know, survive this post COVID transition.
So looking at some of the things we can do centralizing on cloud service providers, at least putting, you know, you are putting your eggs all in one basket, but at least it's easier to secure and to understand what's there, if it is in one basket. So if it's fewer people, it's, you know, it's less complexity because you're not managing so many different systems. It's one platform, you know, you're, you're trying to try to centralize on fewer infrastructure providers, try to, you know, use the, the vendors, DevOps pipeline and not a separate product.
Try to use the vendors, Kubernetes platform and not a separate product. Try to at least reduce the complexity, the number of systems you have to log in to get a view of what's out there and who has access to it. Automation, you know, lots of products out there to using creatively using AI and looking for automated detection of attacks, risk analysis, sore, you know, automated responses as well. That that's a big area, but what I'm here to focus on is just one, one particular slice of it, which is so we need more skilled people. We can't hire enough skilled people.
We can't train skilled people quickly enough. It takes years and years and years. So what can we do to be creative about de-skilling? So some jobs require a lot of skill, but why do they need so much skill?
Why, how can we simplify in de-skill? Which is the idea that you make a job less complicated by using, you know, your, you see all seen this slide in my talks, basically you engineer your way out of the complexity used to be difficult to make a coffee. You had to be an expert. Now you don't even need to know how to make a coffee. The robot can make the coffee for you. So de-skilling is the idea that you, you add engineering muscle and ingenuity into making a job easier. So the person doing the job could be anyone. You don't have to hire specialized people. You add guardrails, so it's safe.
So they can't really screw anything up and they don't have to know as much. So that's obviously gonna be a combination of humans being helped and assisted by better technology.
So that, that thing processes were, are not gonna be just the human. Does the process or the bot does the process. They're really gonna be this handoff to where some complicated processes humans will be doing part of it. Bots and other intelligent agents will be doing part handing back to the human famous example.
One, not famous, famous for me, but cause I, cause when I heard I was pretty astounded. When the cable guy shows up at your house, he shows up on this little iPad tablet and a bot had already realized that he was scheduled to arrive at your house. It's already pinged and gathered all the logs off of every device and all your history. So when he pops in there, he has all that data. So the he's being basically augmented by the bot, but still the humans doing the important thinking part of the job. It's just going into all these systems and trying to look around and gather all the data.
You know, the grunt work is being done by the bot. So really humans are being augmented or extended by technology. So how can we get creative? How can we descale how can we make the person less ha require less training or less knowledge? And how can we make them less risky in the process? So we want to reduce the risk. So actually, how would this apply? Zero trust? How does zero trust apply? How does zero standing privilege apply to de-skilling?
So this is something that is I've I've been thinking about for years and, and I see it in, in all our customers, they have typical model, user needs access. They go to ServiceNow. That's great. We have this one interface where we can request access and write this generic request. I need access to something in SAP. I have no idea what it's called, blah, blah, blah. And then that ticket gets routed for approval. It's great. It's a single interface, but it's not a very intelligent request typically. So it gets routed to someone, someone approves it.
And then most companies outsource this fulfillment to India or another offshore spot where it's cheaper. So you end up having that, these requests to get fulfilled for someone to get granted the access, you have someone offshore that is, has privileged access because if you're managing access, you have to have privileged access. You're an admin, you're a privileged risk user. And these companies will have huge numbers of people. We have one customer to just fulfill SAP access request form. They have 800 people in India. So it's 800 people that high volume of rotation.
They don't have those people very long. So lots of orphan accounts, lots of privileged admins in lots and lots of systems and they manage hundreds or thousands of applications. So the way it works is, and I've, I've talked to a lot of my people I've hired recently who had experience in this? You get the service now ticket. Somebody proves that it gets added to you. You pull up SharePoint or some site and you try to find the standard operating procedure document for how to grant access in that system, Salesforce, ServiceNow, SAP.
And then you've been, you've had some basic training, but you're, you can't know hundreds and hundreds of systems. I mean, it's not possible. So you read the doc, you try to follow through, you know, standard operating procedure. Here's how I set up a world.
Okay, click here, click there. You know, it's not very efficient. It's gonna take you a lot of time. You may make mistakes, click here, click there, and then finish a request. And now they also needed access in this system. Pull up the doc, log into that system as an admin find, how does that system do it?
Oh, that system has this other tool and user interface, which again, isn't very friendly. Another room. Then I got to go to Google and I have to go to Azure. So I'm an admin everywhere.
And I I'm, I mean, I'm, I'm, you know, not a highly trained professional, but I have administrative access. So zero trust, zero standing privilege, you know, very risky situation here. So how could we make that simpler? How could we do more of a zero trust model when you have so many applications, so many out there and so much training?
Well, and I don't know why I didn't click that. I didn't think, but so there's a big change in approach.
Now, a big focus on low code citizen developers, the idea that you can develop really useful business automation, even if you're not a developer, it's basically the people who understand what the business needs. It's basically, I, I think about it.
If, imagine if Picasso could not paint, he had to talk to someone and tell that person what to paint would we have ever had the beautiful works that we had from Picasso. So now the people who know the business and know what would it be to automate a process? What would it be to really squeeze out the value they're getting closer to where they actually can participate and create the automation.
So this all is gonna rely on having a great identity fabric, of course, because if you're automating something in one of these low code tools, if you don't actually have access to effect the systems and be authorized to perform in action, then your low code automation isn't really gonna do anything. So it all plays into identity fabric, but you can involve more people with more organizational knowledge to really create some cool stuff that adds value for your company.
So simple example could be any product, but imagine if instead of the user logging into hundreds of systems of the privileged admin, this user sitting here fulfilling these requests all day long, they just have one workflow. They manage account access. So they just live in this workflow. They never leave this workflow. They log into this ridiculously simplified interface and that's all they see.
They say, oh, I'm managing an account. I have a ticket. Do I need to add one account to something or multiple?
I pick, if I add multiple, all I'm allowed to do all day long is I can choose to disable accounts, enable accounts delete or something else. Whatever my list of authorized actions are, maybe if I'm not allowed to enable, I only see the disabled. If I'm managing one account, I'm gonna add 'em to the group. So same scenario instead of me pulling up ServiceNow, Salesforce, SAP, and logging in as admin, I have no admin access. If I go to those systems, I can't even log into the admin. I may not even have a user account.
So this even data privacy issues, we had a Swiss bank where they outsourced file share management to Costa Rica. But because that data could contain Swiss data, they could never have native access. So in a zero trust model, I can provision your file shares and manage the access without ever having the possibility of having access. So same idea here. I can manage adding users in any system. So SAP AAP system, a ServiceNow system, an Azure system, a SharePoint online I'm in my simple little bubble.
So I'm, de-skilled, I don't need to know what that ServiceNow has this security model or SAP's, you know, Byzantine complex security model or, or Salesforce permission sets. I, I can, I can pick the users. I know that I have a ticket that RT ServiceNow account or SAP account, I picked SAP. In this case, it needs access that they said it needs this particular role. I can see the risk scores and I can submit it.
Now, based on the policies might go for risk approval, might I might be able to execute it and then it executes it logs. It, I can, it can force me to do MFA every loop if you want, because you know, you have complete control. And then I'm back to the beginning.
Hey, I got another ticket. Let's manage another account. So low code approach consuming, you know, a, an identity fabric that can actually affect change on systems and enforce authorization and risk analysis, low code approach. You can have these really easy simplified de-skilled user experiences. So you can hire commodity people to do risky tasks without the risk. So thinking about this creatively, that's one of the ways that could solve some of the challenge and help us not have to.
So you'd hire the skilled people to do the skilled tasks and not have them bogged down by overseeing or worrying about the other tasks. So again, this is the only way this is gonna work is if you do have a good identity fabric that can integrate in via APIs. So these tools can all use APIs very easily, rest APIs. So what are they gonna need? They're gonna need authentication.
Of course, multifactor, you're gonna need multifactor. You're gonna need authorization because you're gonna have to control which data I can see. So if I'm only allowed to cover, let's say Swiss identities and access, I should never see UK. You need that authorization layer. You need approval approval engine. So if I can do some things in it that requires approval.
But so, but you can have someone who understands the business, put their intelligence into automating the processes that are very organization specific. So it's, we fought against customization for decades, but this is kind of the opposite of that. It's embracing customization, but it's not customization. It's it's low code organization, specific process automation. So really not cookie cutter. Everyone's the same. This is really make something that's gonna give a lot of ROI for your particular company and, and tweak it.
And then last thing is along that parallel track is that was a scenario with simplified de de-skilled human interface is, well, what could you in your team be creating bots in the background that just do the tasks automatically.
So, you know, when we're actually creating right now called the, the what call, the optimizer, they all have code names, but optimizer is so it goes out and it, and it's a single bot that has a mission that it looks at risky access and it goes out and it pesters and bothers the people who have the risky access and it reports them, their manager, if they don't agree, but for them to convert their standing permanent privileged access into just in time access that they can ask the bot to activate anytime they need it. But it's not that they have domain admin or global admin all the time.
So the bot can optimize, it can report its status. It can track progress over time of how, how it's doing as far as its job and automating. And de-risking your company from that perspective. So the idea to get creative and use bots that are not just there to service human requests, which is great, but that are pursuing some mission. Another one working on called Azure Tata like cattle tail in United States is the kid who would always tell the teacher every time someone was doing something that they shouldn't do in the classroom. So Azure cattle tail basically monitors Azure admin activity.
And anytime it sees an admin start doing something, it then launches its own bot workflow to follow them around and keep reporting out to a team channel. Here's what he's doing. Here's how they, here's how they got the access. Are they logging in from a normal location? Is this something they normally do? And then your admins can be following that and have an audit trail. And they also decide to terminate the session. If they see something they don't like.
So, so that idea, getting creative, using the technologies that are out there now, the low code approach for the automation of the bots to try to fill in the gaps that we can't fill fast enough with people or that the people overworked and, you know, they should be doing more important things, planning strategy. What are we doing next instead of just the operational day to day? And that's it, that's it. Any questions.
