Hello, my name is Nitish Deshpande and I'm a Research Analyst at KuppingerCole Analysts. And today I'm joined by Anirudh Sen. Hi Anirudh, do you want to introduce yourself?
Yeah. Thank you, Nitish. My name is Anirudh Sen. I am VP Products here at Saviynt and happy to be on this webcast with you.
That's perfect. I mean, today’s topic is also very interesting, it's Third Party Access Governance and I want to start by just... there's this question: Is this really different from IGA? And from my perspective these are two related concepts. But there is a difference between the focus and scope that is with Third Party Access Governance. And Third Party Access Governance, it deals with the relationship with external employees as compared to IGA that is more about internal employees. It's about identity lifecycle management, self-service. So in your view, have there been any changes in corporate Access Governance in the last few years, or is that still the same, that what I mentioned?
No, I think the point that you make is great. Yes, there is a lot of similarities between IGA and third party management. I mean, the primary thing that we are at the end of the day managing, are identities. But at the core of it, there is a lot of difference in terms of the risk involved with managing third parties. And if you look at some of the recent breaches that have occurred, a lot of them have to do with suppliers and their access being compromised, which then affects the company itself. So the two key differences are that, with third parties, usually it is not centralized. A line of business will need to manage their own third parties. They have their own unique needs, every department may also outsource their work. Whilst with IGA, you still have like some sort of central HR sourcing, which may be regional based on the country, but in third parties, the non-employee management, the risk is very, very distributed. Every department will meet to decide whether they have a need for outsourcing, how they want to give access so that the risk is distributed. So that's one key difference. Second of all, one of the recent, proposed rather, SCC changes may actually bring third party into more significance in third party management, because one of the proposed changes is that this may be something where every single company is required to report on their third party relationships and how they're managing that. That's the second thing. And third, I would mention, the risk that you see with third parties is significant because they may be remote, they may not be coming into office. You don't know if the other ones actually doing the work. So it's easy to lose sight of that. So, yeah.
I completely agree with what you said, like when it comes to third party, the risk is much higher. I mean, with third parties, you have a large number of supply chains as you have new vendors coming in. And I think in the last couple of years we have seen that now organizations are trying to increase their resilience on supply chain. And it's not focused on just one geographical location, but on many geographical locations and that brings a bigger attack surface and also that means more cybersecurity threats. So, yes, that's definitely what is happening in this current state. And also with compliance, you mentioned the SCC. In sectors such as healthcare, finance, technology, the regulatory requirements are evolving and it's important to make sure that these third party vendors comply with that and organizations also comply with that. So I mean, sometimes organizations sort of rush into selecting a vendor, but I think that's one of the ways that they need to... they can avoid easily. They should do better due diligence of the vendor, do better risk assessment and I think that is one of the easy ways to tackle the risks through third party. But when it comes to the benefits that customers see after applying third party, what are the benefits that you have seen in your experience?
Yeah. So I again, I think the motivations for every customer, you rightly pointed out like some of the recent trends that you've been seeing, the motivations for customers to really pick a solution or the need that they identify is very different. But I think ultimately, the benefits that we provide our customers with our solution, I can kind of sum it up in three broad areas. Number one, you lined up with a single source of truth for all third party relationships. That single source of truth. So I know you've published a few articles and research on this as well. And most companies don't know. If I had a company, Hey, what's your, what is the inventory of your third party users? Most companies will not be able to give an accurate number or figure. So that's the first benefit that customers see with that. Second of all is that we make it easier for customers to collaborate with third parties. There's a reason customers are outsourcing work, right? Or have a need for non-employees. So I don't want to just limit it to contractors or suppliers. It could be, machine IDs etc. that they are using and we would kind of [...]. But what happens is that you want to make it extremely easy for somebody to collaborate with suppliers when there's third parties without introducing risk. So that's a second benefit, like how do you invite them? How do you bring them onboard, get them productive on day one? And then the third, but not the least. I think this is the most important thing, is that you enable lines of businesses to really own their own third party relationships and risk. So these are like, if I were to sum it up, these are the three benefits. And of course, regulatory and compliance needs and other things that come without mention. But these three are the main things that customers see in terms of benefits. And yeah, and I'd also like to hear from you as well in terms of what do you feel are steps that customers can take.
You did mention vendor selection, but anything else that you're hearing in terms of what customers are doing in that, managing a third party ecosystem.
Yes, definitely. I mean, it's evolving right now and we are seeing better encryption protocols being put in place, so preventing data breaches, data leaks and we also have better access controls. So we avoid unauthorized access to vendors who are not going to need that level of access. And another thing which we also see is that when it comes to third party, most of these third parties that are [...] they are for a limited period of time. And in large organizations, it's so complex to have good management of this vendor ecosystem. But sometimes when some vendor leaves, some third party leaves, the account still exists in the organization. There's not good account termination methodology still in place. So that's one thing which organizations can focus on, is addressing real time, maybe account termination and making sure that we can avoid any issues of unauthorized access. So these are some steps which we have seen that customers are taking to make sure that they can provide better third party governance to the framework. And I think one of the major changes that is coming soon, it's quite evolving very fast, is the integration of AI and automation and machine learning, and it's becoming a challenge now to secure this autonomous world. And more and more companies are now moving towards digital transformation or AI and machine learning and these new trends. But that means then, I think we will have a bigger attack surface as well, right? So and what I also have observed is that when you... everyone is rushing towards automation and AI, but AI and automation, I think it's currently lacking contextual understanding. Sometimes they do not have the exact critical decision making that we humans have. So is that also something that you have seen when it comes to AI and automation?
Yeah, that makes sense. I think that's a great point about, that AI, everybody's jumping on it. We need to adopt it, but nobody's thinking of, Hey, what risk does it introduce? Because it will always come off the back two years later. We will have research papers coming on saying, Hey, this is what we should have done and we need to get ahead of the problem. Like anything that is on the bleeding edge of technology, always is going to move us forward but we need to make sure that we are not introducing any new risk. So I think we need to tread with caution. So I completely agree with you.
And when it comes to Saviynt, what is Saviynt offering its customer when it comes to third party governance? Are you also aware of all these issues and you’re helping and customers, or do you have a different approach for the next 6, 12 months, or how is it you're doing it?
You know, it would be kind of very naive to say that we have all the problems figured out. What we are doing is that we are taking a very, very close, hard look at what's happening in the market and industry, regulatory changes surrounding third party ecosystem. But ultimately what we are seeing is that as far as our solution goes, there is a lot of traction with our customers, right? We have lots of customers who are large enterprises going through mergers and acquisitions and transformation, like you said. And we also have a lot of media companies, like they see all of these industries where you are seeing a lot of churn. This churn may be introduced because like I said, because of an M&A or you have in the media companies, they constantly work with like 90% of that user base, is some sort of contractor, vendor, what have you. And with these companies, when we talk to them, this is like the number one problem they're trying to solve. Like how do we make sure that we secure these non-employees? In fact, we were recently having a user group with the higher education sector, we have user groups. And every single customer was like, how do you manage volunteers? How do you manage alumni? They are non-employees, how do you deal with that? So, like I said, with our solution, we are really looking at, on the ground what problems customers are having, which tend to be, like I said, like how do you bring these third party users on board? How do you collaborate with them? How do you maintain a single source of truth for them? And third, how do you make sure that our department or line of business is able to securely collaborate? And because this is on a converged platform, as a user goes through lifecycle changes, they don't need to walk away from the platform itself. If I were to take an example, you may have somebody, there's a short term need from staffing to hire somebody as a contractor. 
You bring them on board, you do that through an invitation, start with a third party product. Now, you may need to give them privileged access to certain servers. What you don't want is to give them another tool. You could, but if they stay with that platform, now they can easily access a server and then we can go put them through an identity verification process. And then let's say that they are doing well. And you want to convert them to an employee. Now, in a traditional setup, you would need to now make this identity transfer to the IGA system. So you have... in a traditional system, you go through the same very standard lifecycle of a user. And instead of three systems now all of that stays within a single system. And then if they continue to be a third party, we are still securely managing them, right? So our customers are definitely seeing the benefit but we are constantly working with them to see what are the challenges they are facing and see how our solution evolves as the world evolves with us.
That's a very nice example that you gave about onboarding an external employee, and it shows the convergence between third party and IGA solutions. And I'm very happy to hear that there's something going on in that space. So that's nice to hear. Talking about, I think now the next step that we have, like what would be your advice to the organizations moving forward when they want to implement third party governance? Are there any pointers that you can provide?
You know, again, it's a great question, first of all. And I think, [...] I have been a practitioner for 15 years, so I'm going to put my practitioner hat on. And honestly, when it is... the main thing I would advise customers is that the problem is not the same as IGA, it is related, but it's not the same. And I think we need to understand what the problem is, is the first advice I would give to customers. The second thing is a lot of customers I ask, why can’t I just use my HR tool, why can’t I use my IGA? Well, you can, you can, but it is not built to manage third parties, right? We have a media customer, who is using an HR tool for managing third parties. The problem is, you have centralized it and you have made it HR’s problem to manage that. HR doesn’t own the risk of managing third parties. HR has no relation to how..., they have no benefits, nothing. So you kind of centralize the problem. So the advice I always give to my customers, is like, Understand how you're managing your risk with third parties. Are you treating them any differently? How do you make sure that you are managing their contracts of the vendor suppliers and use the right tools for that job? Customers could create their own tool if needed, but they need to use the right tool for the right problem. And I think that that's the main thing. And they need to stay ahead of these regulations that are coming in as well. So, overall, we are very excited because this is, like you said, a very, very evolving, rapidly evolving space. And we are one of the first solutions on the market. So we are definitely seeing a lot of traction when we talk to our customers about these problems.
Right, that's really good advice from you. And I hope and some of us who are listening to this, they can take something away from today’s videocast. And I also like the point you made that of providing centralized visibility. So that's quite important to provide a centralized solution that could provide visibility, who has access to what, who has accessed why, and who has provided this access as well. So then you answer these three questions. I think you can go closer to providing good, secure solution to third party in organizations. So thank you, Anirudh, for your time and...
Absolutely. Very, very happy to be on the call and I think I should finally just end the call by saying that the second part is the hardest, which is the “why”. Third parties need to be onboarded, and usually that's a line of business. It's not nonessential. So I think that's the problem. But you have articulated it really, really well and thank you for having me here today.
Thank you.