Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm the director of the Practice Identity and Access Management here at KuppingerCole Analysts and again, this is a special episode. This is the final episode for 2023. So we are using that episode to have a look back on 2023 around the areas of IAM and cyber security. So the sweet spots of KuppingerCole Analysts and we want to dare and have an outlook on trends and expectations towards 2024. And for that I've invited Martin Kuppinger and Mike Neuenschwander to this call. Martin is the principal analyst and one of the founders of KuppingerCole Analysts and Mike Neuenschwander, when I asked him who he is, he said, I don't know what I'm doing here. So this is where we start right now. So if we look back on 2023, what starting with cybersecurity, what were the most significant cybersecurity challenges that organizations had to deal with in 2023, and how were they addressed? Did we do well, maybe starting with Mike.
You know, I had this conversation with Eve Maler, actually. And so she said, why is it that it's 2023 and we're still dealing with the same problems here? And I'm like, you know, that's a really excellent question because 2023 in some ways looks a lot like every other year since, I don't know, like 2000. Yeah, that we've got some new stuff happening. But it feels like, you know, we're still having password reset problems. We're still having, you know, just kind of like the issues that we thought we would have solved by now. And so I think that it's a good moment for reflection on that. Like, you know, are we doing it the right way? Martin, how about that?
Yes. So how do I think about it? That's an interesting point. What I see is that an affinity with you? A lot of the problems are not new. I think there are some things which have probably had a bit of a bigger impact in 2023, and some of them may even have a bigger impact in 2024. Supply chain or software supply chain attacks. So attacks really coming in through supporters and then spreading at scale. I think this is a growing problem. It's also not entirely new. We had SolarWinds and Kaseya before we see others happening now. I think that that is one thing and this one that disappear because it's a sort for attackers. It's a very logical means for running their attacks. Everything we I see that regulations are impacting the market increasingly. So we saw both sides of hypocrisy, saw something's coming up or see something's coming up, becoming, in fact, in effect now, like the European NIS2 and the CRA regulations. And so we will see, I think, more pressure on a lot of organizations to really improve their cybersecurity posture, which is a good thing. And which is also a challenging thing because we don't have skills available on broad scale, so there's just a lot of work to do.
Right. And these were the challenges and you've mentioned that especially supply chain. Very important topic trust. Right now there are organizations that were in the news for leaking information that you would not expect them to do. So there are still a lot of issues going on in there. But when we look at countering these challenges, these problems, these issues, did we get better in 2023 when it comes to technology, to the software, to the services we use?
I think it's a continuous evolution. So both sides get better, the attackers get better, and the defenders, so to speak, better. So it's not that there's nothing is happening. I think we see quite some very interesting innovation. You see an uptake of different technologies like CIEM, so managing security and infrastructure as a service. And we see, I think also a lot of movement around applying AI for cybersecurity, improving XDR, so the extended detection and response, managed detection and response, stuff like that. So we see things moving. The interesting question is probably more are we fast enough in innovation and adoption of innovation?
Yeah, that's obviously correct. I think that obviously, you know, AI has to sort of show up at this conversation eventually and is going to point out that basically with AI, which seems like a newcomer to it, we talk a lot about that. People are very interested in getting chat bots out there for their own content, like we're doing that, you know? But the thing is, is that it's easy to sort of socially engineer. You can sort of get chat bots to divulge things that you would prefer. They don't or make up things that they think you know. And so I think that where we haven't really felt that in 2023, but I think we will feel that next year.
Right, so more AI?
So more attacks via AI, at the end of the day, so yeah, I think using, I think that's which is by the way quite normal. We have very fast innovation in the field of AI, using generative AI, using bots that are utilizing generative AI and stuff like that. And as with every rapid innovation security tends to lag a bit behind and the understanding of what we need to do and what we better don't do. So I think this is definitely a real risk and that will be, unfortunately, probably a lot of learnings for us in 2024.
Right. So that was the bigger cybersecurity picture. But of course, KuppingerCole is known for being an expert in identity and access management. Is there something that comes to your mind that was new in 2023? Although this is such an established market, is there something really 2023 in IAM that you would like to mention, maybe starting with Mike?
Well, you know, I'm working on some research right now that's about identity threat detection and response, and it's taking me a little while to see how critical that's become. Right. So that it's already are, you know, in a CISO’s attention, for example. Right. It's not just some kind of cute thing in the corner, right. It's actually really center stage and it's something that everybody needs to want, wants to talk about and hear about. And the thing that I think that is most interesting about that is that you have the people who normally work in the SOC and you never know their names and then the IAM people and nobody knows that either. But those two are sort of getting together now, having coffee and stuff. It's been interesting to see the mix of cultures that has developed as a result of the need to solve identity threat detection and response.
I'm absolutely with Mike on that. I think this is important and I'm lucky that it's finally happening because I think when all these AI based Identity analytics stuff came out over the past three or four years, I always ask the vendors, so, so can you also analyze what people actually do with their entitlements or what people try to do without entitlements, not just looking at the static entitlements?
I think this is the step forward with ITDR not reversing where it's really observed quite some innovation. I think there are two areas I see more and more things happening around. Policy based access are still slow, but it's moving forward. And the other area is decentralized identity where we see innovation both from sort of more state driven like in the EU, which is pushing the EUDI, the EU digital identity wallet and also very practical. When you look at Microsoft, it's moving with Entra verified ID. So we see evolution here. This really made me come closer to the breakthrough in adoption 2024 or 2025, which I would love to see because it will then really become extremely, in a positive sense, disruptive, disruptive in the sense of enabling a lot of the things in Identity Management, doing a lot of things better while not and this is very important, while not breaking existing identity management. So it can be drawn very neatly. So this is what I see in addition to ITDR, but hopefully we see really more ITDR adoption.
Right. So that was already a kind of an outlook into 2024. So you say ITDR is growing, policy based access control will be getting more important and will show more of its strengths. When I look back on 2023 at the cyberevolution in Frankfurt, I did a talk on NIS2, and the implementation there and NIS2 is for me one of these big examples of regulatory changes that also have a strong impact on IAM and on cybersecurity. So people are really forced to do risk management, finally risk assessment and react to these risks and work towards a better security posture. Do you expect that to grow and to be more important for cybersecurity and IAM, if we cover both topics?
People need to be forced apparently [...] for some reason. But I think that it is interesting. The regulatory landscape is tightening. And, you know, weirdly, I in America here, you know, I see people reacting to EU legislation because they're doing business there. Right. And so suddenly in America, we had to start sort of caring this year about what the EU thinks about some of these things. You know, we've been skating a long time. You know, like, you know, there's been kind of this the Internet has been one of those things that was at the beginning, at least pretty unregulated, you know. And what we're finding now is that the regulatory regimes that are coming into place, if they weren't there already, are, I don't know, forcing me, you know, maybe that's the right word. But certainly making other people aware. Right. That normally wouldn't about you know, and NIS2 is definitely part of that, DORA, others. These are basically words that weren't known a year ago. I mean, you know, earlier this year. Right.
Okay. I also see that we have potentially very huge impact here. I think this is also Matthias I think you pointed it out at the cyberevolution Conference and other speakers as well. I think that's also part of the liability thing. So yeah, it really makes the C-level liable for some of the regulations, really bring in the liability for cyber risks, which you just can't get rid of by an insurance you have as a manager. So you enter into more personal liability. This is always a huge pressure. Like when we look at the financial regulation, when the auditors come and have findings and these are sort of some of our findings, then the pressure is very high because it goes really at the heart of the business. And I think this is what where the regulations will change a lot because organizations must act. And additionally, several of the regulations, when you look at NIS2, that the notification periods become extremely short. So you need to inform the authorities within 24 hours. Within 72 hours there must be a first analysis, etc. So you need to be very good. And what you do in cybersecurity. And so I expect that there will be already a massive impact from this.
Right. So if we now finally take a look into 2024, I think what you just said, Martin, is already some kind of what I'm aiming at here right now. What would be advice for organizations as we move into 2024, where to start improving their security posture, how to react maybe, or to be proactive towards upcoming challenges? What would be your recommendations? So one key recommendation for next year. But both of you, before we close down, maybe starting with Martin.
Only one. Then I have to make a recommendation which consists of multiple parts. So across it's is not as popular anymore, but it's a super important principle. Understand what you have and what you need, do a gap analysis. This is something where Matthias and Christopher and the team can support extremely well understanding where are your gaps, what is your investment priority in the space? Understand how regulations map and look at the potential of integrated services like XDR and managed services like MDR. Mike.
Yeah, well, I agree with that. It occurs to me we might be sort of at an end of one era and the beginning of another. We're just kind of in that slightly quiet place in between that, because I think that there, you know, when I look back on my career in the industry, there have been a couple of these moments where it's been like, okay, we used to get away with things and it was it's like remembering back when you were kids and being able to get away with things that your parents didn't know. But now you have to sort of mature that and you have to become an adult in the room, you know? And I think that I think regulate and I think that the notification requirements like Martin was talking about, just the consequences like the game has gotten a lot more serious now. You know, and it's going to require a very, very serious set of people, you know, to really respond to it at 2024.
Right. So it's really finally become business and it's no longer just tech. My final question would have been, but we want I want to ask it's I would expect any answers right now that would be the IAM trends for 2024. And why don't I ask that and why do I not expect any feedback. We are already approaching EIC the 2024 edition of the European Identity and Cloud Conference. It will be in June this year, so this is my outlook into next year and we will do several podcast episodes around IAM trends that will be covered also at EIC. So that will be something that we will be doing in the future very soon and that is where we pick up all these IAM trends where you know that KuppingerCole is the expert for so I skipped that part. We have advice for organizations, we have your cybersecurity predictions and IAM also with the topic of ITDR some final ideas to both of you before I close on what would be the next big thing that you would expect. This is something that we are always getting asked for by... You should know that, you are analysts, so you are the analysts. What would be the next big thing for 2024?
The next big thing, well, clearly AI is going to be on the menu. Yeah that's and for the reasons that we've already stated. So I don't feel like I need to go over that again. But Martin, what do you think?
I think beyond the obvious AI thing, it is the combination of leveraging the potential and maybe understanding of decentralized identity plus less policy based access controls for really reinventing how we do IAM.
Right. Thank you very much. Thanks to both of you for being my guest today. I know, Mike, you are in New York. Martin, you are in Stuttgart. So this was a real long distance podcast episode and it went quite well. So we had lost not that much delay, which is nice. We will talk again next year. So looking forward to that and then we will prepare EIC. If you are watching that episode or listening to that episode and you think you should be talking at EIC. Yes, call for speakers is open, so reach out to our team and make your suggestion. What to present and how you can also shape the future of IAM with KuppingerCole together at EIC. Thanks again Mike and Martin for your time and looking forward to having you as guests next year again.
Thank you. Welcome.
Bye bye.