So I'll put on the agenda. So it's three parts. The journey. What I also think is interesting for reviewers is to see some of the artifacts that we used, cuz we found out that some things really came in handy. Some of them we didn't think upfront. And the takeaways, obviously, at the end. And the journey itself: I started off in 2017, but actually you need to know that in 2016 at a bank was two organizations. So global one and the Dutch or Netherlands based one, and those two were merged.
And that meant that we started off in 2017 with basically a new IM department consisting of two previous IM departments. What we also did in 2016 was an additional effort to make sure that we remained SOX compliant. So the starting point in 2017 was that we had this reorganization of two departments merging. We were compliant, but the two aspect meant two teams, two cultures, two solutions for IGA mainly, and also two dictionaries.
So what we did in 2017 in order to address that, obviously the first step you take is to see where the similarities or the differences are, because we need to integrate, and on a technical level that led to a comprehensive technical roadmap. So some smart people on our department took the time to really clarify out how the technology looked like, what the elements were. The one relates to the fact that in 2017, we had two main identity management tools and we selected one as the future solution.
So that gave a focal point and being a new department in 2017, you had to do something with agile, cuz that was hot and happening at the time. So for part of our department, we also moved to an adjusted way of working to incorporate agile principles. So 2017 actually was a year of discovery of figuring out how do two different IM departments merge?
How do these processes map together? And that meant in 2018, we started off with agile and a plan.
Yeah, we had the technical roadmap. We knew, at least we thought we knew what steps we were gonna take. And then we got hit by another reorganization. So what happened there is that the overarching self department that we were a part of got reorganized. And I'll come back to that later because that also means something for the management attention on your service. The other thing that happened in 2018 is that we had this plan that we were determined to follow, to integrate and upgrade our IM services. And three business programs were launched or actually three large programs.
One related to Workday was the migration to a new identity feed. That meant that we previously had two feeds for identity information and those were merged to a new one.
So that had impacts because that basically meant our identity feed changed. And that's the leading point for everything we do in identity and access management. The other was that in the business, a new way of working in a new organization was introduced called Banking 3.0.
And that meant that we needed to authorize our employees in a different way, which also touched the fundamentals of how we authorized, based on what attributes we grant the authorizations, et cetera. And Step was launched, which is our still current cybersecurity program. And the challenge in that year was how do we still realize part of our original plan, which was a good plan. And at the same time accommodate these large programs that happened to us, which we can't avoid and which we need to support. And that gave a lot of struggle in that year in managing and adjusting the plans.
But the trick we found out was to see what these business programs need and then take the elements from our plan that would realize that, insert it in the business program. And that gave the best of both worlds because we were doing elements of our plan with the push of a large program. That meant that in 2018, on a more technical level, we could upgrade our future solution, roll it out to another constituent area. And so increase the scope of coverage. And because of the new way of working, the identity feeds, the changes in the basics of our authorization model.
We also had to analyze our data flows. We already wanted to do that in our plan because we were merging two into one, but that was being sped up. So 2018 was a hectic year with a reorganization, large business programs. But the things that we could cling onto were the plan that we had and merging with the business programs in that. Then in the next year, we still had that plan.
We now also had Step as a cyber security program, which gave really good management attention for security aspects of identity and access management and believe it or not, but we had another reorganization.
So part of our management team needed to struggle and to figure out where we would land in the organization this time, again, taking away a lot of management time and attention on basically the internal plan that we needed to follow. What we did really early on in 2019 was wrap up on the Banking 3.0 program. We took the remainder of 2019. So actually a large part of last year worked on connecting Workday, picking up that data feed, making sure that all the triggers were positioned correctly, that the data quality was up to speed and that we would do the right things.
And at the same time in that year, we had the realization of, you know, we cannot go on being pushed around by business programs because then the core elements of our plan will not be addressed.
We were still suffering of a duplicate infrastructure. We needed to fix that. So we created a master plan and we got buy-in from all the way to the top of our leadership saying, you know, in 2017 we merged, in 2018 we did a large business program, in 2019 we did a large business program.
We need 2020 to improve, to take a step back and to make sure that the back end is upgraded and de-duplicated and improved. So this plan was created and formalized in 2019. At the same time, we were able to standardize a lot of the so-called non-technical. So our process architecture, our authorization model, basically all the things that you need in order to strategically position yourself for the next move.
And also what we implemented on the security front was privileged session manager, so privileged access management and certificates management, meaning we had two PKIs merging into one, and that meant that for this year, our starting point was that we had a standard on a more process and functional level.
We still had a cybersecurity program, which gives us a lot of coverage on the security aspects of the services that we need to improve. And this year we wrapped up on Workday and we are working on our master plan and a large part of that master plan.
It's not only technical and security service oriented, but it's also addressing the people and the way we work together and the way the teams work. And I'll get back to that one in the takeaways as well. And in 2020 this year, we see the materialization of one PKI. So basically the multiple certificate management solutions are now getting into one service in one product with one approach, the same goes for privileged access management. And that is being integrated with IGA as well.
The master plan itself is targeted mainly at simplifying the IGA service, where we had multiple tools in the duplicate infrastructure.
And at the same time we're doing a pilot with policy based access control. So all the building blocks that we've been working on for the past three years are now in itself getting on par slowly, starting to integrate. And by addressing the backend, we're also preparing ourselves for the next step. And I like that Mr. Reinhard also mentioned the identity fabric. You need to have one picture that ties it all together.
So one of the things that we used is the identity fabric as it's being developed by KuppingerCole because it greatly positions all your identities and all your resources and how you connect those two and remain in control. So for us internally that also ties into the assumed breach approach, which includes zero trust approach and all kinds of new developments. And with that, we see that yeah, for 2021, we'll be ready, but actually then we're gonna be ready because the services are on par.
They're largely integrated.
And that's when we also start moving with feedback, also with all our pilots that we're doing on app-based, cloud-native working, integrated access, just-in-time access disciplines on how to deliver that from our services. And this is really briefly going through three to four years. Each of these little squares and rectangles, I can talk on for another two hours, but this gives you a bit of an impression on, and we worked on technology and process on people, but there's also a lot of planning in the mix, a lot of conceptualizing and visioning.
Now a number of things helped us in that journey. And the first one that I want to show you is it really helps to have a simple story. We had lots of governance discussions where people were blaming IAM for not having access or not having a system connected or this and this and that.
And it really took us a lot of time to explain what is it exactly that you can expect from IAM? And what do you need to do as a business, as a system owner, as a risk owner, as a role owner, and we need to work together.
And we took the story of Joseph Bramah, who was a locksmith who created and sold a lock. But then of course, you know, who gets access to the home is not his problem, but it's actually the home owner who uses that lock. Well, that helps in kind of clarifying by using an analogy on what is IAM, how to position it organizationally. And that story ties into a user friendly description of the services that we had, and this was an animated overview. It always started with the top two lines where it says the basic is that a user wants to access systems and data.
And if we do our job properly, he won't even notice us there because he can log in. And he works. That also means on the flip side, that if you notice identity and access management as an end user, there's probably something wrong. And almost by definition, it's gonna be a negative experience because you cannot work. You cannot log in, you don't have the right authorizations, your token is not functioning, et cetera, et cetera. And if it helps to explain to our constituents, to our end saying, you know, we can help you with onboarding. We can process an authorization request.
We can create a role that you can request, et cetera, but it's a complete picture. You cannot point to one and improve it without looking at the others. And the other benefit of this overview is that it also helps you explain the completeness and the complexity of IM. Well, the second thing, I mentioned that a couple of times: you need to have a plan.
And for us, there were two parts of the plan. One was a very detailed technical roadmap. So take your time and develop it, put all your elements in place, and behind these two slides that I put here are at least 40 other slides that one by one transition from A to B, B to C, C to D, D to E, and that is augmented with a yearly plan, more in the agile way of working. We have kind of a rolling forecast.
We plan for one year and in this one year, the blue elements are mainly external and user driven. So they come to us from the outside. The orange part here is mainly internally. We want to improve our service and improve our way of working. And the green ones are focused by cyber hygiene and cyber security. And this gives the slides that you use internally to explain.
So what are the five big things that we're working on? It also helps to explain externally saying these are the five big things that we're working on.
If you want us to work on something else, we start discussions on what should we drop from this oath, if you, and it really makes explicit the workload that you have as identity and access management. So number three is then to always help the business, but also be very clear on the amount and the figures, because we found out that almost nobody knows how many identities we had in the bank, how many systems were connected to IM and not.
And these fact based insights really twisted a lot of the conversations we had with wishes and demands and requirements towards IAM to saying, okay, but what exactly do you want to improve? Can we point to it in the data?
What do you want to see? And the last one that we addressed here was, especially in 2019, make it really explicit that the way how we work is top of mind and really important for the results we delivered.
So we try to move away from only a delivery oriented culture to also saying, you know, the way of working, how we treat each other is important because we do this as a team and safe and optimum working teams produce more, but you shouldn't measure them by only their output, but also the way they work. And we use the quote a lot by Peter Drucker: culture eats strategy for breakfast. So you can have the best of plans, but the people need to do it. And it's also something that in literature, sorry.
So for example, the Good to Great book by Jim Collins, and you see that step one is the people, step two is then what you're gonna do.
And then step three is the acceleration.
So for us, for example, what we did is we really said, you know, these are seven principles that apply to us as a department. And then how are we gonna go about that? So those are four artifacts, four examples of things that were really helpful for us. And from that journey,
and some of the artifacts that we used, I had some lessons learned that came to my mind after some deliberation on, you know, what was key in the last three years. And I more and more believed that focus on the people is key, and that's not only the way of working and the culture, but also the teaming. How do you create a team? What skills do you need? And we were very lucky to have some very bright people who were able to do an architecture and a roadmap, but also some bright people were able to processes and the data and some other bright people who could tie the technology into it.
If they're able to work together, then you get a great team. So that meant focus on the people. The second part is that you need to get out there and evangelize in the organization, bring facts and bring the story. So explain to people what it is we are actually doing and how big, or how small it actually is, because it's a fallacy to think that the business understands what IM is and what it does. Yeah. Last week, I've had the conversation and people say, yeah, you do the password reset, right? You're the password reset department.
And then I need to go all the way back to the ground layer and build it up saying, you know, what is an authorization and what is your role, et cetera. So, number three, is that what we've seen also with piloting and trying out: the core of your technological solution landscape is key to how fast you can move and what you can achieve.
So one of our directors now is to standardize it and move away from custom solutions, but also as a bank, we're already a little bit risk averse in nature.
So also trying not to be too innovative because income and technologies and new technologies have teething problems. There's less knowledge of it in the market, which also means less people who are skilled and capable of deploying and maintaining it. And that means that, you know, with leading edge technology, you need to have an eye for it, but you should also be careful not to get it in the house too much, because then it becomes bleeding edge technology, and that's not what you want. And that's the balancing act.
So to pay attention to that.
And the last one on this slide is that realize that IAM is driven by data and integrations, and data and integrations to me means you're part of a flow. So for example, the HR department, delivering identity data, and IT departments delivering application data, you need to really understand how that flow works and also where your dependencies are. And if you can get that picture, then you can start to steer and direct much more effectively and efficiently. Cuz then you can monitor the data call report on it, on the quality of the data, the impact of the data.
And then you move to more of an integrated management of the entire chain of which IM is actually only a part. And this was mainly brought home by one of those three large programs that I mentioned where we were sitting in the middle and we saw all the data passing by and we saw things not going right, because this data was misinterpreted by that person.
And because we had that hub functionality, we also became crucial to the success of that program by delivering that knowledge and that insight to all parties involved. Now looking at identity in the enterprise.
I fully agree with the previous speaker and that you need to look at all identities, human and non-human, but I also believe, and that's the quote at the end, that enterprise identity is in itself meaningless. You need to tie it into a context or in a use, cuz identity is always contextual on the other way. And on the other hand, it's also, I think a fact that if you go into the digital transformation as an organization, you cannot do that without identity. So we need each other and we need to figure out how that works.
Now I had this nice mountain that we moved up on and we are ready next year for the next step.
Also think it's good to realize that this is a never-ending journey. And I think if you will ask me in half a year, again, if there are any new lessons learned, I will have a few new lessons learned because this is continuously developing.
It's an infinite game to use another popular term. And it's an endless journey. The good part about that is that it never gets boring. And with identity and identity and access management, you're at the core of it. And the more and more business becomes IT, you're at the core of business as well. And you can really make an impact.