IAM and Cybersecurity Insights and Trends in 2024

Hi, everyone. Welcome to Sailforward 2024. We've got a special guest with us here today, Martin Kuppinger from KuppingerCole. Martin is a long-time industry analyst, luminary expert, Martin. We love talking with you and I certainly appreciate you spending a few minutes with us here today.

Thank you, Matt. Pleasure to talk to you again. Thank you for inviting me and giving me the opportunity to share some of my thoughts. Yeah. We look forward to it. I think our teams here that are all out in the audience listening here today, would love to hear a little bit maybe talking about the overall industry, the market, maybe trends that you're seeing in the customers and prospects you're talking to. That would be a great place to start here today. Yeah. A lot of things going on and some are probably closer, some are probably a bit further away.

One of the things I think where we always can start with is the impact of AI. AI, mostly called artificial intelligence, I personally like to see it as augmenting intelligence. It's something which is having a huge impact. You at some point, you have solutions. When you look at your analytics that are powered by AI and ML. The generative AI, I think it also has a huge potential because it really can help end-users and also the administrators performing tasks much better by getting the right information they need, getting advice on what to do.

This is really the augmenting part, making people better and this helps also addressing the skills gap. That would be my number 1. You surely also have some ideas around AI, and I am, I believe. Yeah.

Look, we've seen this coming for quite some time. As you know, we've had AI in our products from about 2019. We've seen this coming. I think when you look at the challenge of identity security, as a mechanism to secure your enterprise, it quickly becomes too big to be able to keep up with it and properly secure your enterprise if you're doing it with the traditional method of hands-on keyboard. It becomes a very necessary technology to secure your enterprise. Yes. The complexity is exactly the point. It helps you dealing with the complexity in a much better way.

I'm very positive to see a lot of things happening there. When I look at another very important evolution, then this surely is the potential impact of decentralized identity.

In Europe, we have this discussion about the UDI wallet, the EU Decentralized Identity Wallet, where the European Union is driving initiatives. We see a lot of things happening also in the market around this. I think this is also a very interesting thing because it can help us to solve some of the challenges around user onboarding, but also authentication and authorization in a much smarter manner than we can do today. The interesting point is a lot of people think decentralized identity is disruptive.

Yes, it is because it enables us doing things in a different and better way, but it's not disruptive to our IAM stack that we have. Because at the end, it's just some proofs coming in. It's saying, this is Martin with his wallet. He can prove that he is Martin. We can improve the onboarding process. We can use this and probably get rid of some of the challenges. We have this HR to IGA integration, doing things better. We should really think about that as something which can make IAM better. That would be probably a bit further away trend, but one I also like.

Martin, I think you and I have talked about this in prior conversations, but it's very easy to get sucked into the way we used to do things. There's been a lot of talks about convergence of the swim lanes.

But at the end of the day, we believe that what got us here will not get us to where we're going, and that with the emergence of AI, machine learning, deep learning, there's a much, much more efficient, productive, and secure way to handle some of the challenges that we've handled in the past, but also how we're going to handle these new challenges of these digital enterprises which would complicate things as you know. Yeah.

It could in addition, for instance, having prompt books in generative AI that help us in application onboarding across the entire stack, which is one of these recurring challenges specifically for the legacy side of applications. We can do things better, but you touch the swim lanes. This is an interesting thing because I don't see this convergence as a real trend.

I see, yes, there are vendors that deliver a broader set of integrated capabilities. There are others which are specialists that do one thing or a few things, but they do it at a level of excellence, at least some of them like SailPoint.

For me, I'm in the IT industry for more than three decades. Now, I've seen a lot of unified approaches, and all of them became too complex, and usually not good enough when it came to the desk, and sometimes also the press because they didn't like features. I see that there's a need, and there's also sometimes a misconception. When we introduced the idea of identity fabrics a couple of years ago, this concept never was and isn't about one solution that serves everything.

It is about a comprehensive blueprint, about a unified perspective across all areas, across all types of identities, and then filling it with the right tools. It's about understanding which are the common capabilities, which are specific capabilities, which services do you need, and which tools to deliver this.

This usually will be backed by a small set of tools at a core plus several complementary solutions, such as IGA might be done the SailPoint part, and a special add-on might be what you got from ERP Maestro, so the SAP and line of business access control application risk management, and this is the right way to think about it. Some things which are sometimes mentioned as a trend, I don't believe in. Convergence isn't what I see as an overarching trend. Yeah.

Look, we couldn't agree with you more. You and I had a chance to speak just before our Navigate conference in this past October, and we shared a little bit with you about what we were going to announce, and we don't believe traditional convergence solves the overall problems, the challenges of the new modern enterprise. We'd like to talk about outcome convergence, these big problems and the new big problems that are coming, to be able to challenge them with, as you said, some of the most important pieces, and not necessarily, I'll use the technical term, glom.

Glom all this stuff together in a next-generation legacy is what we call it, that we want to avoid. I also like your focused approach on your taking on teams or the Cloud infrastructure entitlement management piece, and on the privileged access management piece with your recent acquisition, because I think what you're doing, to my understanding as an analyst, is really you're adding, so to speak, the governance layers and the layers that help using and managing these tools in a controlled manner.

Really increasing what you're doing, where your strengths is, and keeping control about the things and implementing the governance and enforcing the controls, and adding the areas that pop up. Yes, we have this challenge that nowadays, it's not just about humans accessing applications or servers when we look at privileged access management. It's also about a lot of services, accessing resources in a very dynamic manner. We need new additional approaches here. But on the other hand, we need also a consistent governance approach.

This is, I think, a very smart thing you're doing here. Yeah.

Look, I think for us, the thing we're really excited about is the platform itself, Atlas that we announced, and this idea. You talked a little bit about unification or unified.

Basically, having a consolidated or unified data model that becomes the receptacle, if you will, for all of this identity data to be able to do different things with it, solve different problems with it. We think that right there, getting the foundation right is so important, to be able to do these things that are still coming down the pipe. We're excited about that and excited to getting that out to market here in the coming year. Yeah. I think this is a very important area because at the end, we have this, and this is, I think, very important also to see.

We have this massive regulatory pressure these days on both sides of the pond. Yes. We have in the US, we have new regulations coming up or having arrived already.

In Europe, we have things like this too. The next version of the critical infrastructure regulations and many, many others. I think this is also interesting because at the end, all of these are about strengthening your cybersecurity posture, which includes strengthening your identity management posture.

What is, from my perspective, extremely important here is that everyone, I think, knows that identity management is one of the things that are essential because it's about, at the end, who can access what, who is accessing what. So this monitoring perspective. For each or every of these regulations, we need to get better in identity management. This right now doesn't only affect a few industries and a few large organizations. When we look at the European critical infrastructure regulations, sometimes organizations starting with 50 employees might already be affected by that.

A lot of industries are in, a lot of manufacturing is in, utilities, etc. That means at the end of the day, there will be a huge demand in many areas around cybersecurity, including identity and access management or for identity security when we take this term coming up. But this is definitely also one thing which is, in some way, it's trending. What also is interesting, for instance, in Europe, and that's, I think, not known by many.

One of the things is, for instance, that the C-level, the board, becomes personally liable if they make major mistakes around the critical infrastructure regulations. So your manager insurance, your liability insurance will not help you. Even that is there, and this will drive the market. Yeah.

Martin, I'm hugely appreciative of us getting a chance to talk about this because I do believe one of the biggest challenges we continue to have is educating the marketplace. I think most companies think about cybersecurity and enterprise security, traditionally from an outside in, with a firewall and endpoint. Then maybe they think about the network security. When they think about the whole comprehensive cybersecurity of their enterprise, they're still lagging and not fully understanding just how important identity security is. I see this often in many of the customers' prospects I talk with.

Would love to hear your perspective on this. I mean, do you feel like people are really starting to understand the importance of identity security as it relates to the overall security posture for your company? Yes. I think good news in that context is that we see more and more CISOs, the Chief Information Security Officers, being in charge of IAM. IAM is increasingly shifting into the realm of the CISO with a unified perspective.

I think this is important because it means we're breaking, or we are at least changing the silos from IAM being more on the infrastructure side historically frequently, so it's really shifting into this realm. The other part of that is, when I do talks about Zero Trust, and yes, Zero Trust isn't the most hyped term anymore, but I think it's still important as a concept. It's still very valid. Makes sense. Maybe look at Zero Trust. What does it mean? Where does it start?

It starts with Martin, me, the identity, being authenticated, using a device, so device and identity integration, to go over a network, which might be not that relevant because usually, I use TLS or VPN or so, so I go end-to-end. More important is, is it Martin? Is he using a device that he has been used before? Then I access a service, which is about the service authentication, the authorization, and authorization is all the policy stuff is at the very core of Zero Trust architecture.

When we look at this, then Zero Trust is very, very much about identity security, far more than about network security or something else. I think this way, when you look at the story the right way, then it is very evident that identity security must be, and it's increasingly understood from what I see, must be at the very core of cybersecurity. Yeah.

Obviously, I feel the same way. I think people are starting to understand it. I think these things you talked about earlier around regulation, I think that is really going to accelerate people's need to know and understand exactly how this plays out. I think these SEC regulations actually started, I think they announced them in September of this past year, and I think they became in effect here in January. We're going to start seeing that.

I've read a number of research articles where they actually believe the budgets are raised this year, upwards of 25 percent in cybersecurity to be able to deal with these additional expenditure, if you will, to ensure breaches are not occurring in the enterprise. Yes. It may be a bit too late, but at the end of the day, late is when the first fines are raised, when the first organizations get in trouble, then it will happen, or when the audits take place.

I think it's so interesting to see as well in the US, as in Europe, the transition period between releasing the regulation and becoming a defective becomes extremely short. In the past, we frequently had them, whatever one or two years to implement. This is not the case anymore. Yeah. Yeah. That will drive the industry. Yeah. The language they announced here in the US says, you've got to announce four days after a breach.

I think you've got a little bit of a wiggle room there if it's deemed to be a security risk by announcing it that quick, you've got some mechanisms to actually delay it a little bit. But you've got to announce it if you're a publicly traded company in your SEC documents, and everybody knows.

In Europe, we also have extremely short notification periods for that. It's interesting. At the end, it helps us doing things better, and identity security is at the very core.

Yes, what you're doing at SailPoint has a very central place in that journey. Yeah. We like to think so.

Look, I will just say in closing here, being able to have these conversations with you, share your insights with our teams, really helpful. Our teams are building product, but they're also delivering product, and they're trying to help people solve their identity security problems, and certainly getting your perspective is helpful to all of them, and I hugely appreciate you spending time with us. Thank you for inviting me, and all of you listening to this. Yeah. Enjoy the conference, enjoy the event.

Thank you, Martin. Thank you, Matt.