Good morning everyone.
Good morning.
I've always wanted to be on the main stage. I finally got my chance, so I'm with, as my colleague said, I'm with Lucas Group from Migros, and we're gonna just talk a little bit about his job, his experience and stuff.
But first, before we get into that, can you tell us a little bit about Migo? Am I pronouncing it right? Migros?
No,
We do not pronounce the last s. We only say Migo.
Ah, there you go. Migros.
So what, what is, what did you do there and, you know, what does the company do?
Well, Migros started a hundred years ago as, as a retailer in Switzerland. They introduced the, the notion of supermarkets within Switzerland and they paved the way for, for how we do our grocery stores nowadays.
Meanwhile, Migros is a huge conglomerate. We are globally distributed with around 230 operating legal entities, and we cover quite a wide range of activities. One of the, the aspects what we do is we have quite a lot of production sites, manufacturing sites where we produce beauty materials. We produce quite a lot of food within Switzerland. We are the largest producer of bread, but we also, besides the grocery stores, we have many other aspects. Like we run a bank, we have a travel agency. And then besides that, we are the largest healthcare provider.
And I, myself, I am the group CSO. I'm responsible for enterprise architecture, security, and operational risk management globally.
Great. Thanks. So let's get into a little bit about access management, which is what we're all here for. You've got 230 different entities around the globe, so that's quite a, quite a federated structure.
How, how do you, how do you begin to manage access and
In a, in a federated manner? Yes.
And, and that's, that's very important for us. We are, for historical reasons, of course, we have very many different methods and, and technologies in place that deal with access. And for the past four years, we have been launching many different initiatives also to consider consolidate all these technologies and these processes and procedures.
Nowadays, we are quite on a quite good way when it comes to controlling the, the internet exposure of, of Migros. And when it comes to controlling access to it, how we manage it, we are on the way to implement a unified platform with unified process landscape, which are operated in a decentralized, federated manner.
You mentioned platform, so you're going for, is that a single vendor platform or is it a platform you are creating architecting?
No, we, we build on, on standard star solutions. Of course, we do not reinvent the wheel. Mm. But for us, it's very important that all the platforms or all the services that we, we buy and, and make use of that they are open and they are, besides being well documented, they rely on, on official standards and are extensible.
Okay. We've been talking a lot about wallets at this conference. I'll come back to that. I just wanted to mention the wallet just to prepare you, but
Back stop thinking. Yeah.
But back to what, what are the, what are the, we talked to a lot of, you know, end users and customers in advisory and we're always talking about their challenges. What are the really, it comes down to allowing your employees to do their job, but how do you do that and to maintain the security at the same time?
What, what have you, what have you learned really in that, joining the dots on that conundrum?
Well, my biggest learning was that security must be really usable and usability, convenience for the end user, that's key to success. As soon as it gets complicated, as soon as processes do not work and single page flows are not logical building on each other, people are lost. And in a company of that size, stringent processes matter because as soon as we get support issues or so our help desks, they are overloaded with requests and we cannot support them there.
And so for us, the, the challenge is that whatever we release must be solid and, and the usability is what matters first, most important, that's the user interface. And for us, there, we, we have, as a, as a retailer by heart, we have the, the clear priority when it comes to differentiating the different aspects that our systems work, our processes must function.
And, and in case of, of, of challenges, of course, we always discuss how to solve exactly these issues.
Actually, before we came on, we were talking about home working and remote working hybrid. Do you have a significant number of employees that work remotely or at home?
It depends how you count it. We being very active in different verticals with customer facing locations, like for example, pharmaceutical locations or grocery stores, but also logistics and also food productions, for example. There you cannot work from home. Mm.
And what we have, we have a, a very flexible policy that however, asks us to work at least 360% of your working time in the office. Also to be available for all the people that are there on site and do not have the opportunity to work from home. So for us it's, it's a, it's, it's a challenge always to find the balance from the new way of working when it comes, working from anywhere at any time in a very traditional 24 times seven company where all the, the, the core artistic processes need to run and work without interruption.
For us, this is extremely challenging because different, different cultures come to each other. Modern workforce, working with IT, on the other hand, really core critical infrastructure processes for Switzerland when it comes to food supply and, and finding there the right balance. That's a way where we are still learning of course, but I think people accept it also.
Is there a generational difference? Because there's lots of jokes about how Gen X, gen Z or whatever they're called, or millennials behave, but it's, it's not in reality.
I don't know whether I, I may be honest, but
The, you can be honest here. Okay.
We are nearly between us. Yes.
So the, we have quite a lot of challenges with the young generation and, and for us there, honestly, it's not about really where to work, et cetera. Of course, for them it's important, but it's the attitude, the attitude to work, to understand that it's for their living and, and then that they are willing to deliver. When it comes to separating or, or, or creating partitions between people that like to work at home and that prefer to come to the office, age doesn't matter. Okay.
Not at all.
Alright, alright, we'll we'll move off that one now. Okay. Yeah. Back to the, so yeah. Does the type of business you're in, which is obviously food, retail, make any difference to how you design identity and access management and security?
Or is the, is the industry sector not really, you know, important?
It's extremely important and as soon as you realize where you have some kind of outages from ransomware or attacks or so, quite often manufacturing sites are really attacked. And our industry as, as retail, including also manufacturing, it's for us a challenge of course to protect the different processes that are employed within Migros.
As such, from a framework perspective, honestly we do not make any difference. What is challenging for us is that we need to cope with quite a huge installation basis. That is sometimes back from the 1990 with Windows XP or so, but you can't change them. There is really no way of, of introducing new solutions because manufacturers certify their plants. And as such, for us there we need to cope with different threats that need to be addressed. And on the other hand, from the framework perspective, honestly, it doesn't matter.
The challenge is how you apply them and, and what kind of, of risk you're willing to take.
Okay. And do you obvious, do you allow customers, do you see IAM platforms at all in in day to day?
You mean customer identity and access management? Yes.
Yeah, yeah. Yes.
We, we also have customers. And
Do you allow them in the Yeah,
Well it, of course it depends. And Migros is the, the largest private sector identity hub of Switzerland. And as such, our customers, they benefit quite a lot from all the infrastructure that we provide in our grocery stores and in, in our other locations with customer interfaces from all the internet services, et cetera.
However, we separate the, the different types. We have clearly workforce including non-human identities that we manage. And then we have on the other side, the customer part, they are operated by two different teams within Migros, but we of course, collaborate and exchange.
Did you experiment with stores that have no staff like Amazon at all? No. No.
You have, you have. Yeah. Yeah.
And, and how was that successful in terms of customer engagement?
Switzerland is quite dense and, and density of grocery stores is, is is quite enormous in larger towns, et cetera. If you are outside of, of major cities or larger villages, of course supply becomes a challenge. And there where we have these autonomous stores, there, we have initial experiences that show that it's worth investing because people need also to change their attitude and culture, how they do their daily shoppings.
We are not yet there, but it's, it's really beneficial for, for our customers that they can do also their shoppings in the evening and at weekends also in, in smaller villages. And there, I I really see a big benefit within downtown Zurich where we have really some shops that are open also 24 times seven.
It's, but they're, they're not staffed by humans, is that
Yeah, the other stores, yes, they are staffed,
But do you have any like the Amazon Fresh? Yeah. Yep.
This is what I meant by the autonomous stores in smaller villages.
Smaller villages, yeah. Yes. Because they don't have the, the staff. Exactly. Yeah.
They, they of course they would have normal office hours. Yeah,
Because I, I heard that, you know, the Amazon is actually pulling back some of that investment. So it's interesting to hear that you, you're going forward with that.
Well, I, I, of course do not dare comparing with Amazon, but no, but for us, when we experimented also within major cities, it was challenging also to, to, to show the benefit.
Okay. Okay.
Let's, let's, let's do the wallet question now. Okay. You've had enough time to, to think about that, obviously at this conference.
Well, you might have noticed, we've been talking a bit about wallets. If you haven't noticed, and you probably haven't been here for the last three days, but what, what is your, let's, let's just take it at a very high level. What is your view of a wallet or an i, you know, a verifiable ID? How would that impact your business? Would it make it easier or harder, or do you not believe in wallets apart from the nice leather one?
Well, the, since we are a closed ecosystem and with our customer and access management situation, we control and manage and authenticate also our users for all our loyalty programs, et cetera. Immediately I see a, a big benefit to reduce the, the frictions between different applications, et cetera, in, in a higher level view on single sign on methodologies. But from a pure business perspective, we need to show the benefits in, in a quite strong way also to our business.
In, in the long term. In the long run, I really believe in this self-sovereign identities and wallets. And for me, it, it's key that all the different governments understand that it works only out if they build on compatible standards. And if we are there, then we for sure want to follow.
Do you, do you have a, any timeframe in mind, do you think when the public and governments will finally crack this, the 10 years maybe
Well
Before the robots take it, do it?
No, no, no.
I, I can assume that the robots will be earlier. Yeah.
But the, but my hope, my, my personal hope is that we will reach that point by the end of the decade. Okay. Where we can really start building on, on unified wallets that are interoperable.
Okay. Let's getting towards the, the close, but, so I was gonna say you've been in the business a long time, but that sounds a bit rude. So I say you're quite experienced and, but would you say that your job, say the head of security job or CISO, has it got harder or easier in, in the last 10 or 15 years?
Well, I can only speak from, from my point of view. Coming from consulting, large, very strictly managed hierarchical companies in financial sector, I learned quite a lot working in a conglomerate like Migros. All the, the awareness and the attitude towards cybersecurity improved quite a lot. So in this dimension it became much easier.
On the other hand, having the responsibility for, for information security in general, complexity increases and, and with all the dependencies that we have to different kind of cloud services, which are distributed interconnected systems with all the complexities that needs to be managed there, the job really became harder. The situation with home working and, and working from anywhere, this honestly didn't really impact us, but the complexity of, of the whole information systems ecosystem, this really came to an enormous, nearly non-controllable state.
And ha has governance become harder to deal with as well, increasing number of regulations. You know, GDPR is just one that,
Well, I I, I totally agree with you that regulatory compliance by nature is always difficult to achieve governance in, in the manner of, of company internal governance. This hasn't changed honestly, because that's a cultural change, which is always difficult.
Okay.
So let's, let's find it, there's obviously a lot of vendors here. There might be some here in the room. So is there anything, I imagine you get talk to vendors quite a lot, they talk to you whether you want them to or not. Is this something that you would say to them to make your life easier or something that they could do that would help the industry as a whole
From a technology perspective? I think the most important aspect is that, that all the services that we get, they build on open standards and, and they are interconnectable.
Meaning that whenever we need to extend some service, they need be, they need to provide open interfaces. Being now on the other side of, of the river and as you mentioned, having quite often exchanges with vendors. For me the important aspect, it is: come to the point.
Mm, I always tell my, all the vendors when they get their slots, bring one slide where you say why you are better than the others. I don't care about references, et cetera. If we go into contract negotiations, then we can discuss about all that stuff.
Okay.
Vendors, one slide. Get to the point. That's the message that, that we're giving here.
So, okay. We, we've come to the end of my questions, so I don't know if there's any questions from the audience. It doesn't look like it. So without, I would say thank you so much Lucas. Thank you.
Great, Paul. Thank you. Thank you.