Welcome. I'm here to talk with Andrzej Kawalec, who is the CISO of Vodafone, about his perspectives on the, sort of the next big thing around digital identity that will impact the digital business. Welcome, Andrzej.
Thank you, Martin. It's a pleasure to be here.
Yeah. So maybe you start a bit with explaining your role and a bit about your person before we dive into the subject.
Yeah. Of course. At Vodafone, we, you know, identity and people's connection to the digital world is just hugely important. We have over 330 million users around the world, one of the most globally diverse and largest telcos. And we recognize that actually being able to stay connected and to use your, you know, all the digital landscape at your fingertips is critical today. At the heart of that actually is identity. It comes down to it. Whether your identity is a telephone number, it's a fingerprint or it's a passport. We see that as really at the heart of everything we do. Now, I'm responsible for, particularly for Vodafone's set of services and looking after the security of our business partners. So Vodafone Business, that's where we really think about how does this affect businesses?
Yeah. So and I think one of the trends already is the phone to the person to the passport, is a relationship thing. Which is not easy to handle. So you need to bring things together. But going back to the initial sort of question or talking point. So what do you feel is the big evolutionary thing, the one thing you feel is really worth to look at, which is sort of shaping the future.
Yeah. I think the single big thing for me is, for many years we've approached security and technology from a technical control perspective, and I think for many years we've been able to do whatever we want with identity, right? But we've never really focused on the user, the employee, the citizen and how they can use these things. And I think as individuals, we've become, you know, habitualized to operate in a really imperfect world. It's as though we think it's okay to have a different key for every door and window of our house and our car. And we think that's okay in a digital world. Where the complexity is huge. What I think is really important, and I see it starting to transition now, are scaled answers that relate to the big use case. So decentralized identity, the idea of self-sovereign identities where actually you own and control your identity, how it is used and the privacy controls around that, and then the technical controls like a wallet, give you some of the tools to do that. For me, that's a huge shift in moving it into almost a user-centric question rather than a technology-centric set of controls.
Yeah, I like what you're saying with the user centricity, the, let's say also the business case perspective at the end and then the technology that helps solving us. And at the end I think there's something very important, and we had it in a talk here at the European Identity Conference earlier that day where one said, we should always keep in mind we issue the verifiable credentials to the holder, so for instance to me, not to the wallet. The wallet then is the means which I decide about where to put it. And I think this is very important to take this user perspective and, yeah, I think we can do a lot of things better and easier. And we must not, so to speak, take the keys example, sort of repeat what we didn't do super well in the real world, but we can do it much better. Which, by the way, brings me always to one of the things which really drive me mad, that is when we have the human as the weakest link in security. So I always say, you know, first it's discouraging. But the other thing is, who is guilty when someone falls trap to a phishing attack and gives the password away? Is it the human, or is it that there are still passwords? So I think it has a bit the same thing here. We can do better. And I think this is really important. And obviously decentralized identity is really an important thing. How do you envision a decentralized identity then come into play for a company such as yours?
So I think there's two ways this plays out. And I think, you know, I love your... this just to hit that, the user being the weakest link in the chain. Actually I flip that on its head. Use us humans, citizens, individuals, right? They're the first line of defense. Your identity and you, is at the front line of the cyber attack. So being able to protect those users, those identities and enable them to do really exciting things is actually, to your point, that responsibility sits on us as an industry to say, don't use a password, right? You can't be expected to understand and track how all of your logins, credentials, passwords and identities are being used across hundreds of thousands, of minutes. Yeah, I always think about, when you walk along a beach and you sort of, you look back and you can see your footprints in the beach and it's very clear where you've been and what you've done. And then if you've got on the beach with friends, you know, after a few hours, the beach is just sort of a mix of different pieces. I don't think individuals should be responsible for understanding everywhere that they've been in touch and trodden. So we need to give them tools to help manage them. Your question around decentralized identity, I think if we've solved the technical problems, it becomes an adoption issue. And that's where we've also, I think we've failed many people in organizations where we have multiple standards, we have multiple adoptions, we have different states and different member countries all adopting in different timelines at different speeds to slightly different ways. I see that coming together in normalizing in the EU. That doesn't help in the UK and other countries. However, for large businesses like us, we've got the scale to understand and manage. Now Vodafone, employee identity and those components. But I see the real challenges for small businesses. If I look at the EU, it's about 24, 25 million SMEs, so small or medium enterprises. So those are businesses with less than 250 people, [...] for about 99% of all businesses in the EU. So about 86 million people, employees. How do we help small businesses both roll out these tools and then manage them where they're not identity experts and they don't understand the challenges? We have to give them very simple tools to allow them to manage that beach of where all of their employees have been all day and both protect those identities, but then monitor them responding in real time? That's the challenge.
I think we need to make it work for everyone. And I think also telcos are very well suited to play a very important role, both for the SMBs you touched, but also for the consumers. You especially, as Vodafone being very, very global, it means you're seeing, at the end of the day, you also need to make it work in as uniform a way as possible across geographies. And so I think, yes, that's a very important thing. And so I'm, as I've said, I'm anyway advocating decentralized identity for a long time. What I feel is we are currently at this sort of inflection point, where we are seeing the concepts, sort of being applied or discussed and in context of the real business use cases. So which helps with understanding what is there and what is lacking. And I think this is a very important stage right now to fill the gaps, to close the gaps and to further innovate so that at the end of the day, we can cover the use case. And this goes back to what you said at the beginning. We need to think from the user and from the business case and then have the technology to serve this.
I always think, what will this make? What's the difference, the so what, how will this make life of an employee or a business owner different? And that's the key, right? Can we make it simpler work? Can we really help you understand to manage your identity exposure, your sprawl of interactions? Can we reduce your attack surface where people are... You know, again, people are the front line, and most cyber attacks use valid credentials. Those credentials are taken from somewhere and used against people. It's not their fault that their name, their address, their credentials have been stolen and sold to a broker to then be used to attack them or somebody else, right? As you said, that's not where the fault lies. But we have to understand that's the reality. And help put those things in place. If we keep approaching the problem, I think from a purely technical perspective, we missed the business case, the use case, and we missed the okay, how will this make your life easier or better? That is going to be the trick. And I think that's where, you know, we really focus on how do you make this simpler for businesses of all sizes, be they, you know, governments, global banks, you know, or a small company just down the road who's, who's starting out and got six employees and wants to allow them to work from home, to use different devices, you know, and, and to manage their identity.
Yeah. So let's continue working on making life of everyone simpler and more secure. Andrzej, thank you very much for spending the time with me. And thank you to everyone listening to us. What a pleasure having you here.
Thank you. Martin, thank you.