Well, good afternoon, ladies and gentlemen, and thank you for joining this webinar this afternoon in Europe, called "Ground Control to Major Chief Risk Officer: Identity Governance, a Risky Experience", and we have to thank IBM, who is the platinum sponsor for this. So this afternoon the webinar will start with me, Mike Small from KuppingerCole, and will be followed by a presentation from Andrea Rossi, who is the worldwide sales theater, identity governance, with IBM. So, a few points.
First of all, KuppingerCole is an industry analyst with a special focus on information security areas, and especially those to do with identity and access management. And we provide a number of advisory services, research services, and events for both vendors and end users of IT systems. And some basic guidelines for this webinar: first of all, all the attendees are muted centrally. You don't have to do anything; when it comes to question and answer, we will unmute you.
We control these features. The webinar is being recorded, and the podcast will be available tomorrow for you to download or to listen to online. And if you have any questions, we will pass these to the end of the webinar. You can ask questions as the webinar takes place, using the question and answer tool, which should be provided for you, and we will pick these up at the end of the webinar and answer them appropriately.
So, first of all, in part one, I'm going to describe the challenges that businesses are facing. And basically, because of the way in which information is becoming more and more prolific from people and from things, businesses need to adapt to exploit this information. And it is through exploiting this information, which is the new currency, the new capital, if you will, of the 21st century, that organizations are going to be successful.
Now, just as a fast car needs good brakes, to exploit information securely you need good information security, and identity governance is a fundamental component of information security. So the agile connected business is what we at KuppingerCole are calling the new businesses that are exploiting this information. And to give you an example that is a real, true story: there is a UK TV channel that is able to connect and process information which comes from Twitter feeds, social media feeds, and things of that nature.
And it is able to process this information during the course of a 60-minute television program in order to identify the demographics of the people that are watching the program, and to sell targeted advertising space in real time to customers that might be interested in this. And this is the kind of new agility that we are seeing now. In order to exploit that, you need to have information security, and information security is founded on identity governance.
And so, for example, in order to be secure, you need to be compliant. You need to be able to securely collaborate and communicate with your customers. You need to mitigate the risks and avoid data breaches that might come from this. And you need to do that in a way which reduces your costs rather than increases them. And those are the requirements for the security tools, technologies, and techniques which we've got to use in order to exploit this agile business. Now.
So when we look at the challenges that are faced by these businesses, in fact, in some ways the challenges remain the same: at the back of this, you have the applications and the data, and these applications need to be accessed by the people that have the right to access them. They need to be compliant, and they need to have their risks understood. And this all has to be done in the context of the cloud, bring your own device, and the increasing plethora of connected things, if you will, that are being used.
And a further complexity is that of cyber crime, which increasingly is being targeted on organizations and targeted on the high-value information which organizations hold, and all of that is being held in the applications and data. Now, when we look at how this changes things, in some ways things remain the same, in that the same processes and technologies underlie access to that information.
And those are the administration of users and their access rights; the authentication of users, the proof that they are the people they say they are; the authorization, or the rights that they have in order to access things; and the ability to audit all of that. Now, what is changing is that we have this increasing number of mobile and external people, both customers and partners, who need, for valid business reasons, to be able to access these applications and data in order to do the things that are going to enable the business to carry on.
And at the same time, in order to understand what is happening and to detect data breaches, you need to integrate the information about these people's access into real-time security intelligence. And to give a concrete example of this: there was a data breach in an organization which was actually detected by the librarian. The librarian noticed that a member of the board of directors was accessing a lot of confidential information, and, in order to be helpful, he called up the director and said, "How can I help?"
And the director basically said he didn't know how to access the computer, and he didn't know how to access the information. So a third party, a criminal, had managed to masquerade as the director and was using this stolen identity in order to access things. So cyber crime today is detected not by the activity at the network boundary, but by the activity that purports to come from valid, authenticated users. Now, on top of this, we have the problem of managing entitlements, and entitlements can be quite complicated.
And so here is an example of what starts off as a very simple view of entitlements: you have a manager called Alice who has the right to approve her subordinate Bob's expenses. And if that was all there was to it, then role-based stuff would be great.
However, there is a further degree of complexity, which is that Alice is based in London and her data access has to be governed by UK law. So the geographic location of where a person lives has an impact on the access rights that they may have. Then, further, people don't just have one job; they have many roles. And so here, Alice is also a person who supports marketing activities through her use of social media. She's an accredited person to use social media, so she needs access to the company's social media systems in order to do that.
And then finally you have the problem of dynamic entitlements, which is that whilst Alice can normally approve payments for Bob's expenses, if Bob has bought something for Alice, for example if Bob paid for a meal, then Alice can no longer approve that.
So actually being able to understand what access rights and entitlements people have can be quite complicated. Now, from the perspective of authentication, once upon a time it was very simple: the extent to which people had to prove their identity was based on what would be called a fixed view of risk, which was determined once and remained unchanged. Now, what we find is that with the mobile employee and the mobile partner, who may be wanting to access data from a distance and from different devices, you need to have a more risk-based approach to that authentication.
So you need to be able to look at the particular circumstances under which the access is being requested. And finally, you have an increasing requirement to accept third-party authentications, which in fact involves an element of trust. So even the question of proving who your employee is, or who the person accessing the data is, has become vastly more complicated.
And as I mentioned earlier, cybersecurity now has moved from the perimeter to the use that is being made of the internal systems, because the perimeter at the technical level has become very, very highly protected. And so the criminals are using all kinds of social engineering techniques to find a way of getting into the systems using legitimate channels, and then exploiting their legitimate access in order to find the information that they think is valuable and to exfiltrate, to remove, that information. And the challenge is how you can monitor and detect that.
And the answer has to come through an understanding of the identity and access tools. So when we look at governance versus management, one of the questions is: what does governance mean? And I have taken here the definition of governance which comes from C, which is that basically governance sets the business objectives and directs and monitors their achievement, whereas management is to do with the processes involved in actually implementing the technologies and the processes that achieve those objectives.
So it's important to understand the fact that governance is related to business objectives and is related to monitoring performance against those objectives.
And so when we look at how we manage, or how we govern, entitlements and user access rights, it's really important to be able to relate these back to some business goal, or to some business person who understands what they're trying to achieve and is able to see some key performance indicators, which can be measured in terms of the risks associated with users, the risks associated with entitlements, and the risks associated with the assignment of those entitlements.
And not only that, but as you can see from this slide, the number of people, the number of stakeholders, that are involved in identity and access management processes is very large. These range from human resources through to auditors, and in an unplanned and ill-supported process, these people can find themselves doing things they don't really understand, in a process that is very expensive and very complicated.
And so identity and access governance has to be implemented in a way which is cost-efficient and which helps the business to reduce the costs whilst at the same time controlling the risks. And at the same time, nearly every organization is also finding itself under an increasing burden of compliance. And in order to be sure that it can be compliant, and to be able to prove that compliance, it needs to be able to verify the identity of the people that are accessing the systems and the data.
It needs to be able to show that they are doing this in a way which is valid, based on their business need; that they have no more privileges than are really needed; and that there is a separation of duties, so that there is not a conflict between the things that people do.
So that, for example, the person who is able to order something cannot at the same time approve payment. And all of those things take us back to identity governance. Now, when we talk about risk, again, there is often uncertainty as to what risk means, and ISO 31000 defines risk as something which has an unwanted impact on business objectives. It's normal to measure risk in terms of the likelihood of something and the impact that it would have if it were to occur, and risk management is all about reducing either the probability or the impact, or both of those things.
And in this context, that is what identity and access governance is able to do. And again, to improve the security intelligence posture that you have to counter cyber risks, we need to be able to feed into the security monitoring tools information about the users: their identity, what they are normally supposed to be doing, what their normal privileges should be, and what their normal behavior should be.
Because, just like the librarian that I described in the earlier example, what is needed is that the tools can detect the abnormal behavior or the abnormal privileges, in order to flag up the fact that there may be a data breach or unexpected activity occurring, so that people can take action before the data has been lost and before the penalties have been incurred.
So in order to have a secure system, in order to enable the agile connected business, we need identity governance, which is the fundamental component of information security. And identity governance is going to enable agility and innovation. It is going to enable the connected enterprise. It is going to manage the risks. It's going to provide the cost savings. It's going to ensure that you have a cost-effective way of complying with regulations, and provide you with the information in KIOS security intelligence in order to avoid the data breaches.
And so with that, I'm going to invite Andrea Rossi to take over the screen and to present what it is that IBM have to offer in order to help with this problem.

Thank you, Mike. And good morning, good afternoon, good evening, depending on the time zone you're in. And let me start first with, you know, a question you might ask yourself: why we picked a "Ground Control to Major CRO" name. As you know, this is the first sentence of "Space Oddity", an album released in 1969 by David Bowie.
So this movie, sorry, this picture is taken from the following album, but I like the analogy for two reasons. The first reason is that back in 1969, this song, "Space Oddity", was released 11 days before Apollo landed on the moon. And in those days there was a lot of fear about Mars attacks; in a nutshell, you know, all the good people were staying on the earth and the bad guys were staying in space. So that's the way we viewed the overall perception of risk back then, at the end of the seventies, sorry, the sixties. In a way, identity governance,
it's pretty much like that. In the global scenario of cyber crime, there is a lot of risk out there, but still we need to take care of the well-beloved, known users: employees, contractors, business partners. So that's the analogy, and you might have thought that's an homage to the Britishness of Mike, but in reality, that was the original starting point, getting inspiration from this title.
Actually, there is a second reason for that. We are now going into a phase where identity governance has gone through an evolutionary cycle, and we have seen failures and lessons learned. So there is a risky experience in performing identity governance projects, and that's what I want to take you through today. I want to tell you what I've seen so far, not just in IBM, in my last 10 years, and give you some very simple, humble advice on how we see the problem could be better addressed. Let me start from the evolution of identity management. So where are we today?
We didn't get to where we are today by forgetting our history. So identity management, as you all know, probably attending this school, started at the beginning of the last decade with what I call the "big provisioning brother" age, the dinosaur. Some of you might think it's IBM. It's not IBM; it's the size of the projects of those days. The identity management projects were very slow, expensive, and big, and at the end of the day, what they did was basically to automate the distribution of user accounts in a chaotic way. Then, all of a sudden, we went into what I call the compliance
age, at the end of the last decade, when compliance on regulating access to logical applications became important for regulators and auditors. This is the period where companies like CrossIdeas, that's where I come from, which IBM acquired a little less than one year ago, or SailPoint, came out. And by then the only purpose was to understand the dust under the carpet and clean it. It was just a tick-the-box exercise that didn't provide much value in terms of really cleaning the system, because these access recertification tools were not very well connected.
They were not that much connected to the applications that they were supposed to govern. So where are we today? We are in what I call the socialization of security age.
And to me, socialization of security means three things. First of all, we can't avoid the business users being engaged and involved to resolve and mitigate our risks. And when it comes to identity and access governance, the risk of improper entitlements to the wrong people is something that the business can make its call on. So we must involve that.
The second thing is, as you know, the inside/outside borders are blurring, not just because we have cyber criminals outside, but because the way companies are working is changing, as a result of the cloud, as a result of remote working, as a result of bring your own device, and a number of unstoppable initiatives. And last but not least, users are expecting what I call the unification of publications, so a new way of consuming applications in a usable way.
And to me, the definition of usability today is the Amazon website. When it comes to governance, if we just scratch under the surface and we say in one slide, "Dear IBM, try to define identity governance in one slide," it's really about three, what I call, life cycles.
There's what I call the old identity life cycle; so we still need to create, change, and delete accounts and identities. But there are two important life cycles that are managing the attachment and the risk of moving visas to people. So there is the entitlement life cycle, I call it also the role life cycle, where you review entitlements, create roles, change them, and discover roles based on the status quo. And there is a very important new life cycle, which is about modeling, measuring, mitigating, and detecting the risk. And here we're talking about the risk of improper access granted to, sometimes, the proper people.
So that's, in a nutshell, the way to also think about what IBM does in this space: very simply, three life cycles. However, as I told you at the beginning, I don't want to picture science fiction for you today. I just want to go back to lessons learned and failures, so that we can try to keep that in mind, because we tend to forget what went wrong too quickly. So, in a nutshell, the way clients are starting their journey into those three life cycles is through tips of the iceberg, or symptoms, or starting points. And these are all visible here.
Some clients are still obsessed by just cleaning the mess, and they still call governance a recertification project. Some, who have been obsessed by the auditor, just want to implement strict segregation of duty controls.
Still, a lot of people who failed in the old days of identity management to design proper roles, meaning aggregations of entitlements, are still thinking that this is the proper angle to address this new identity governance initiative. And last but not least, there is a new desire for business users to procure, request, and consume access rights and applications with a sort of Amazon-like interface: a catalog, a shopping cart, and a very friendly interface. And we know this is not a space that provided user-friendly interfaces in the past.
So for each of these four starting points, I want to tell you my view on the lessons learned and what we can do to change things for the better. So access recertification, I call it "access certification: the operation was a success, but the patient died". I've seen a lot of companies implementing, technically successfully, a recertification tool, be it ours, SailPoint, or Aveksa, but the business user was totally not satisfied. And the reason for that was that the information they were presented with was too cryptic, too technical, too unusable for them.
They always needed someone technical to consume the data. And there is no value in consuming technical research to assist the business users to do their job. So that's the very first starting point, and that's what I've seen very often in the market. The second starting point I was talking about is SoD controls. This is very often the case for companies that have been audited, maybe in some very mission-critical applications; might be procurement, might be trading, might be, you know, where the money is at risk, in essence.
And they have been left by the auditors with a very complicated set of SoD policies. They implemented all of that, but the policies were so fine-grained that, put into the reality of our applications and entitlements, they were generating a bunch of false positives that they had to mitigate and control. So they spent a lot of time implementing super-duper fantastic activity policies that were like, you know, shooting a rocket at a mosquito. And sometimes the projects are so painful that the client is stopping there,
once they get nice reporting out of the system. Role management, oh, this is my favorite. You know, probably some of you have gone through role management design sessions with the business a few years ago, and you know that this effort wasn't that easy. And it has led to companies today, even with tooling which is way more efficient and way more speaking the language of the business, still living in a bipolar approach: either they want only roles to be assigned to users, so they don't assign entitlements to users, or they have spent so much time doing that that they never, ever will.
And last but not least, it's the access request management process. And here, my definition is: you implement something, and sometimes the technical implementers say, "Oh my God, the business wants an Amazon-like user interface." Really, here it's pretty similar to access recertification. The tool might be perfect, but the entitlements, the SAP entitlement, the RACF entitlement, if they have to be consumed and requested using their cryptic original names, sometimes the business simply doesn't understand what they are.
And today I'm seeing a lot of trivialization of this very important process of identity governance, which is: why don't we use a service management tool for doing this? So ServiceNow, you know, is very fashionable today; it's the cloud's most famous service management system. And a lot of customers expect to do everything with that, saying, "What's the difference between ordering a mobile telephone, ordering a trip, and ordering an entitlement?" I tell you, there's a whole world of difference, because there are a lot of nuances around ordering a role or an entitlement.
And it's based on the policies surrounding that system. So this is what I wanted to share with you openly: what I've seen so far in many years of living in this market. Now I want to give you three very simple pieces of advice, because that's the good news, or bad news: you still need identity governance for all the reasons that Mike explained before, but simply because external pressures are requiring you to get an understanding of who's doing what; otherwise you can't live with that, otherwise it's like a mess. So you need order, but, you know, achieving order is not easy. We all know that.
So, three simple pieces of advice, you have read them: devote significant effort to translation, a larger identity governance vision, and talk risk. Let's go one by one. My first advice is: forget for a second about the tool that you're going to select, may it be IBM, may it be competitors, it doesn't matter. You need to spend a significant amount of your time in translation efforts, meaning that you have SAP, Active Directory, mainframe, you name it, entitlements, and you need to make them readable by business users. You can use different techniques.
So the good news is that today the current identity governance tooling, such as IBM's, offers a resolution. For example, you can scan the entitlement set within your organization and come up with advice, with an understanding of the gold mine you are sitting on top of. Role discovery: role discovery is a way to aggregate entitlements and give them a readable name. Last but not least, business-activity-driven segregation of duty. You might think that segregation of duty doesn't help with readability.
I can tell you it helps, because, at least in the way we do it, the way we design SoD policies is based on business processes. And you have to link the business processes, or the tasks that the company is doing, to the applications doing that. But it is reasonable that you could use this not only for detecting SoD violations, for example, but also for, again, giving additional ammunition to the translation that your business users are needing today. So that's advice number one. Advice number two: a larger vision. Still,
I hear a lot in the market that, despite having said, or having heard from analysts and consultants, that identity governance is a bunch of things, a lot of people still think that identity governance is, at the end of the day, just recertification, or, at the end of the day, just role management. It's way more than that. Okay. And the important thing is you don't have to be shy, and now identity governance applications are stretching and embracing complex applications such as SAP and the mainframe.
So here I don't have much of an advice as such; you can today find these capabilities in what IBM calls the IBM Security Identity Governance and Administration platform, which is the combination of the CrossIdeas identity governance capability plus the rock-proof identity management products and capabilities of IBM.
So we've put together worlds in one solution that has the depth required for connectivity and integration, with a bunch of adapters and connectors, and all the different controls you need to expose to a number of new stakeholders that today are consuming these types of platforms, such as auditors and risk management. These are by far the two that are consuming a lot of the data these are producing. The other thing that I wanted to let you know is: don't try to squeeze the identity governance project just into the identity governance product.
If you really want to achieve a better posture, you need to connect other pieces. I'm not going to comment on every component on this slide, but I wanted to comment on two things. The first message is, for example, in IBM, if the client has already implemented a competitor identity management system, such as NetIQ, for example, or it could be Sun or Oracle or CA, we would be the last to request them to remove those connectors to replace them with ours. It doesn't work like that. Those efforts have been tough, and customers have to leverage that investment.
So the first message is: we are user provisioning system agnostic, so we can sit on top of it and extend it. But this is not a new story. I think one of the values you can get from IBM is if you connect, for example, the identity governance technology with information that you can get from a SIEM system, from the systems producing information and event management correlation, excuse me. There are two use cases that are providing a lot of value. One use case is the one mentioned here. It's about what we call identity injection. Think about that.
A SIEM system is detecting a violation, a piece of malware, on a specific device or application for Andrea Rossi. And this system doesn't have an idea of the identity, and that's what the identity governance can provide. I call it identity injection. In a nutshell, it is like providing a sort of criminal profile of that user, okay: he is accessing not just that application, but 20 others, and today his risk is very high because he has 20 SoD violations. So that's an idea of how the system can expand.
So you find here the components: mainframe security, SAP security, interconnecting governance with your current service management system. That's right, you still need to think about that. So that's what I call augmented governance.
So the basic message here is two messages. First, don't think an identity governance project is just an identity governance product. The second message is: you can get all this stuff; that's one of the values of being a component of this whole picture. The last advice is: talk risk. If you are an IT leader, if you are a security leader, and you want your identity governance project to be funded well, unless, you know, you have a CFO who's really in the good days of releasing money because he was pushed by the auditors to do that,
well, you need to justify your project. And, as bad news for you, you will never be able to justify an identity governance project simply based on the classic ROI: tooling, lower cost, higher cost. That doesn't work. So this picture won't give you a positive result at the bottom. What will immediately give you a benefit is if you include even a fraction of the monetization of risk.
So it's very important to talk risk to the CFO and outside of the IT boundaries, not just because that's the language they understand, but because that's the only way to create a business case which is not just sustainable, it's simply fantastic. But without that green light that you see here, reduced risk of fraud and regulatory fines, the other components of the business case are not justifying it at all. And you should think of a very simple analogy: what is the cost of order?
Well, the cost of order is higher than the cost of chaos. So identity governance is bringing order, because otherwise you're in a mess. What can we do here? Of course we do have, as you have seen before, a bunch of capabilities in risk modeling, measurement, and scoring, but we can give more. If you go to your CFO and say, "My identity governance project has brought down the access-related risk 30%," I tell you, he will be happier. He won't understand how we have done it, but the simple way that you say that the amount of risk has gone down is providing him a lot of value.
And the other thing you can do with risk: you can start prioritizing. Instead of shooting 360 degrees, you can do focused things. One other thing you can do is, for example, starting access recertification on users in the applications with the highest level of risk. So that's basically it. We went through the lessons learned, the bad news, but that's reality. We went through three simple pieces of advice. And I believe IBM, what we are today, is the third largest player with the highest growth in the security space after McAfee and Symantec.
So think of IBM as an enterprise security player, providing every piece of security software and services, the antivirus aside. IBM got there by creating a security division and performing a number of acquisitions, including CrossIdeas, the company I'm originally coming from. And as we started talking about Space Oddity and David Bowie and the Britishness of this webinar, I also want to wish you all another 50 years of satisfaction, and hope you appreciated my devotion to the British sound. I hand over to Levin for the Q and A session.
Okay, well, thank you. Thank you very much, Andrea, for that presentation. And now we've got an opportunity for questions and answers. So if any of the attendees have any questions to ask, then please use the question tool in order to make those questions.
And the slide showing at the moment shows you some of the large amount of research information that KuppingerCole has to offer on this subject. Anyone who is interested in more details from KuppingerCole's point of view, go to the KuppingerCole website, where you will find this information.
Now, I don't see any questions from the audience at the moment. So I'm going to ask one or two questions if that's okay, Andrea.
Now, one of the things that is really very important, and you touched on it, but it's sufficiently important that I think it's worth more detail, is to do with what we mean by risk and how you measure risk, because it often seems to be the case that the people in the IT part of the organization talk about risk in a way that the rest of the business can't understand.
So would you like to just expand a little bit more on how you believe we should talk about risk between identity governance and the chief risk officer, Andrea?

Good question, and in a way it's a complicated question, so I'll try to make it simple. First of all, access-related risk is an important part of what we call operational risk.
Now, the question is, how do you measure it? In financial risk there are well-established standards and definitions. On the operational risk side, where access risk resides, there are no commonly identified definitions of risk. The players out there, our competitors, are basically adopting two different approaches. Our competitors are saying, well, you need to perform risk tagging. So you take an entitlement on the mainframe and you say how risky that entitlement is.
Well, in some cases it's easy to say; in others it's an endless discussion, such as defining a role. So we adopted another route, which is that we don't ask anyone to perform what we call risk tagging, that is, to say whether that role or entitlement is risk level high, medium or low. Instead we take the data we have in the system, in terms of segregation of duty violations, last recertification age and a number of other parameters, to create an index, a number. So is the absolute value of the number important? Not that much. Is our 100 comparable to a competitor's thousand? That's not the point.
The point is that if you are able to start a project today and measure risk with our tool, six months down the road, after you start doing something, your risk has gone down 30, 40%. That improvement is an easy way to have a conversation. And sometimes you can also put a financial tag on that, because, as you probably know, the CFO allocates money to cover the risk. So the lower the risk, the lower the money accrual on the balance sheet.
So I tried to make the story a bit compact, but also to explain the two approaches out there in the market and the way we do it versus the competition.

Okay. Thank you.
Well, a comment was made while you were speaking, which comes from Elma Valenzuela. Thank you very much, Elma. It says: I believe that the business will understand risk if translated to what the financial impact is. And he asks, is there a tool or a standard way to translate IT or operational risk to financial risk? I think you could perhaps talk about that in terms of access governance. And it's certainly true that, in general terms, as I said, in ISO 31000 risk is defined as something which has an impact and a probability.
And often the way that people will talk about impact is in terms of money. But it isn't the only way, because in some risk systems you talk about the likelihood of killing people and things like this, if you make devices that go wrong. However, it is a good point. And so perhaps, Andrea, maybe you have some thoughts on that particular question.

Yeah. It's a very frequent question. And I would like to say, oh yeah, we do have a standard way of measuring operational risk,
as someone can do for financial risk. That's not doable as of today. We're still lagging behind, not just in terms of algorithms, but in terms of coming to a standard definition. And it's easy to say: financial risk is based on money, and money has standards. The standards are the British pound, the Euro, the dollar, the yen and whatever. So you have a common baseline to define a risk, because that's what's at stake, the money. In operational risk,
it's more vague. Okay. The operational risk goes from what is the cost of having your systems down for 10 hours, to the risk of… and so on, to quantify risk and make it comparable side by side with the financial risk. So stay tuned. This market is improving, and the standards bodies are also helping us to achieve that goal.

Yes. One approach, I think the approach that you were suggesting earlier on, is that one way of looking at the risk is in terms of a relative risk: you say that if I take a set of actions, the score that would be associated after taking those actions would be reduced in some way. And whilst you may not be able to put a particular financial value on that, you can at least say that in relative terms something has got better.
Is that a fair approach to what you are doing with your tools, Andrea?

A CFO or CEO doesn't understand the world of an identity governance project, but if you say it has gone down, so we are exposed to less risk, I tell you that's a very easy message to understand.

Yes, that's a good message.
Now, again, we have another area over which there is endless confusion, which is: what does separation of duties mean? And we've kind of talked about that, and you've mentioned, really in passing, that it needs to be related to processes. So could you kind of expand on what you mean by business activities, separation of duties, please?

Very good question too. So separation of duties, as we all know, is about preventing conflict of interest, or someone who can do A and B when the two are in conflict.
The classic example is issuing a bill and receiving the bill, or, in a trading space, placing an order in front office and settling it in back office. So these are the classic examples. There are two ways SoD, segregation of duty modeling and management, is performed out there in the market. All of our competitors are using role-to-role SoD. So first they ask the company to take entitlements and put them into roles, say, corporate buyer.
And then you say, whoever has the role corporate buyer, with a bunch of entitlements with it, cannot get the role of corporate approver. Easy to say, easy to understand, but in reality the model is not deployable for a number of reasons, and in many cases companies cannot be calculated in this definition. And in a lot of situations, this is coming from the old days of identity management. That's how the old systems were trying to address this problem. Our way of doing it is totally different. We basically come up with what we call a business activity definition.
So in every company there is a list of tasks that the company is doing to earn a living. Okay. And this list of tasks is completely disconnected from the organizational chart and the IT infrastructure. So a retail bank does certain tasks that don't change very often. And so the tasks can be, for example, in the F space, issuing a bill, receiving the bill. So we model the activities more or less exactly like the auditors, who are living on the table of the CFO. So we haven't reinvented the wheel.
We have simply adopted the way the auditors are thinking and giving audit findings to companies. And so that's one value. The other value is that we decrease by two, if not three, orders of magnitude the complexity of managing the so-called segregation of duty matrix. And in fact, we have a lot of situations where we are addressing clients who selected, a few years ago, a competitor product for recertification. They started doing SoD management and they ended up in manual.
Now they have seen our approach and they see it as not just more compact and manageable, but also speaking the language of the auditors. Because keep in mind, every time you design an SoD module, it's designed to provide nice reporting and information to auditors whenever they come back visiting you.

Okay. Thank you.
Well, we're now coming to the end and there are no more questions from the audience, but I'm going to ask one more question, if you, Andrea, kind of want to have a final word. In, I think, everybody's experience, the whole area of identity and access management is littered with failed projects that didn't achieve what the businesses needed. So many organizations are very reluctant to do anything else in that area, because their whole experience around it has been to do with failure.
What would you say to those organizations, Andrea, to convince them that this is the right way forward?

Right. So my first message is very simple and, in a way, not vendor friendly: if you don't have any compliance requirement or external pressure to achieve a better posture on the way you are managing identities and entitlements, don't waste your time, don't waste your money. So if your project is driven by IT, just for the sake of a better word, come on, those days are gone.
Unfortunately, a lot of companies, energy, pharma, financial services, insurance, trading… few companies, unfortunately, are outside of the compliance world. So a lot have to do it. Don't shoot for the moon. And how can you do that?
Well, there are also easy ways to do it. Set very tight milestones. So don't plan for a big bang after 18 months or 12 months; set six-month stages, and every six months try to get something to the business users so that they can be happy with what is provided.
Second, get rid of the connector obsession. Still, in too many situations, I have conversations with clients and there is always the discussion: we need to have a bidirectional connector with that application. And I say, why? You know, there are only 10 changes per week. Why don't you send the ticket to the service desk
and they do the changes manually? So get rid of the connector obsession. It's still very often the case because it makes IT people happier, and sometimes even IT vendors happier, but in many situations it's not providing much value. So spend your money on something that the business can see and consume. And that's exactly the message I was trying to give you today.

Okay. Thank you. So it's value for the business, it's security for the business, and it's enabling the agility of the business to move forward.
So with that, I'm going to say thank you very much, Andrea, for a very interesting presentation. This webinar has been recorded and the recording will be available from tomorrow. And if people have any further questions that they want to ask, then they can email them to Levin, who organized the webinar. So with that, I'll say thank you very much, and the webinar is now ending.