The Calculus of IT

Calculus of IT - Season 2 Episode 4 - The Value of Identity

Nathan McBride & Michael Crispin Season 2 Episode 5

Ok, the Modern IT Paradox is now behind us, and it's time to move forward with the rest of the season.  Or is it?  Did we just uncover more paradoxes?  Is it all just one massive paradox?

In Episode 4 of Season 2, we dive deep into the complex world of identity in IT - not just usernames and passwords, but the fundamental questions of how we determine, protect, and manage value in our digital assets. From questioning why we automatically use our names as identifiers to exploring the paradox of protecting high-value assets while keeping them useful, Nate and Mike unpack the challenges of modern identity management.

We explore thought-provoking questions like: Who really decides what's valuable in your organization? How do you balance security with usability? And why do we keep giving away half the puzzle by using our names as identifiers? Plus, we tackle the eternal struggle of matching security controls to actual risk, and why "trust but verify" might need an upgrade in 2025.

Along the way, we share the latest IT leadership job opportunities, debate the merits of passwordless authentication, and contemplate a future where maybe we can authenticate by simply sipping a protein shake (patent pending).

Support the show

The Calculus of IT website - https://www.thecoit.us
"The New IT Leader's Survival Guide" Book - https://www.longwalk.consulting/library
"The Calculus of IT" Book - https://www.longwalk.consulting/library
The COIT Merchandise Store - https://thecoit.myspreadshop.com
Donate to Wikimedia - https://donate.wikimedia.org/wiki/Ways_to_Give
Buy us a Beer!! - https://www.buymeacoffee.com/thecalculusofit
Youtube - @thecalculusofit
Slack - Invite Link
Email - nate@thecoit.us
Email - mike@thecoit.us

Season 2 - Episode 4 - Final - Audio Only
===

Mike Crispin: [00:00:00] In an elevator.

Nate McBride: When was you living out? Drinking your LFG. Gin and juice. 

Mike Crispin: Yeah, it's, um, it's dirty water tonight. 

Nate McBride: Dirty? Oh man, I love it. 

Mike Crispin: It's, uh, dish water from the, uh, dirty, dirty hand sink.

Great Tuesday today, February 4th. You know, there's not much going on in my world, just that it's Tuesday. How about you? 

Nate McBride: Six, six more weeks of winter. 

Mike Crispin: I know, it's a bummer. 

Nate McBride: I was reading about the greatest, uh, hack that's ever happened in the history of, uh, the United States. Data hack, which just happened.

Mike Crispin: Oh yeah. With the, what, the NSA ID? 

Nate McBride: No, with, uh, Musk taking over the, uh, the GSA as an unelected official. [00:01:00] 

Mike Crispin: Oh, I thought you were talking about the, cause he was in the NSA ID as well. Wasn't that the name of the, what was the name of that? 

Nate McBride: Yeah, he's also in that too. No, the greatest hack in the world ever done is, uh, him getting access to the treasuries.

Systems. Okay. 

Mike Crispin: Yeah. Yeah. Yeah. I'm looking at the rug. That's a non steroidal anti inflammatory drug. 

Nate McBride: Yes. Like ibuprofen. He's also probably in charge of that committee to the non steroidal anti inflammatory drug committee. But while, when he's not doing that, he's, Musk is now in charge of 6 billion of assets for people.

Sorry. The U. 

Mike Crispin: S. U. S. AIDS. That's what I'm thinking of. Sorry. 

Nate McBride: Yes.

Oh my God. Yeah. Greatest hack in American history performed by this troll. Who is Kaiser Soze? He is Kaiser Soze. [00:02:00] He's like a mini Kaiser Soze. Um. Who is Kaiser Soze? Who isn't Kaiser Soze, Mike? 

Mike Crispin: We're not Kaiser Soze. We're more like, um. 

Nate McBride: Just by the fact that 

Mike Crispin: you 

Nate McBride: said that? We're like 

Mike Crispin: Team Keaton. That's who we are.

Nate McBride: It already tells me that perhaps you're one of the top suspects by virtue of you declining it. 

Mike Crispin: Oh, that's right. There's so many lines from The Usual Suspects that apply. I can't even name them all. Um, yeah. 

Nate McBride: Can I tell you something that's really weird? Sure. So the Grammys were last week and 

Mike Crispin: Oh yeah, really?

I thought they were like two nights ago, weren't they? Or Sunday night? 

Nate McBride: Do you know who fucking won a Grammy? The Beatles. Yes, Mike. The Beatles won a Grammy. And so I'm telling you They're listening. There is something here. Now, I have not drawn a line [00:03:00] yet. Yet. Between Phil Collins and the Beatles, but I am telling you, Mike, there's some shit going on.

Mike Crispin: There's a line, man. There's a line. Trust me. I think Ringo Starr, look up Ringo Starr practical joke, Phil Collins, and you'll find there's a, there's a link because, um, they played a practical joke on Phil once is what I think I remember that he was going to play. So are you 

Nate McBride: getting it now? Is it finally occurring coverup?

Like what's happening in the, in the music industry? 

Mike Crispin: Armageddon it, man. Armageddon it. 

Nate McBride: Yeah. Yeah, that's who's leading. 

Mike Crispin: That was Def Leppard reference. Sorry, I didn't know if you caught that. 

Nate McBride: Yes, I, no, I got that, Mike. 

Mike Crispin: Okay. I'm not 

Nate McBride: sure, I'm not sure our audience got it. They're a little bit older. I'm sure they 

Mike Crispin: did.

Like, that was horrible. They're like, why did he even say that? That was such a terrible Reference, it's like a . I used to, I used 

Nate McBride: to do this thing back in the, um, late eighties. It was kind of like a party joke where I put my arms inside my shirt and [00:04:00] then pretend to play the drums, but it, it never went over as well as I thought it would.

That's a shame, . Yeah, I know. I always thought I would get more laughs, and it didn't get the laughs I was hoping for. So yeah, anyway, the Beatles won a Grammy, even though only, I think, one of them is alive. Maybe two. I've lost count. And also, they haven't had a song in like a hundred years. And also, all the classic rock DJs continue to talk about them and relate them to everybody else.

There's just something there. I'm going to keep investigating. Also, Unrelated, but maybe related. I was with a, um, a security vendor of mine earlier this evening. 

Mike Crispin: Yeah, 

Nate McBride: having having a beer and my, my accountant rep, uh, who's not, you know, like you wouldn't look at her and say, there's somebody who could kick someone's ass [00:05:00] in a fight.

Um, you know, just more on the petite side. 

Mike Crispin: Okay. 

Nate McBride: But was telling us that when she was in high school, she had to, it wasn't her, it was her friends or people she knew had to carry razor blades inside their cheek in order, in case they had to cut a bitch is what she said. 

Mike Crispin: Inside 

Nate McBride: the you kept you kept it inside your cheek all day in case you had to cut a bitch 

Mike Crispin: So what how do you hold it in there without cutting yourself?

Nate McBride: Maybe it's got a little guard I didn't ask that question like 

Mike Crispin: a little like piece of plastic on it to keep 

Nate McBride: yeah yeah, like a little tiny like you 

Mike Crispin: would need like NSA IDs if If you cut up, if you forgot the 

Nate McBride: plastic card, the plastic card on it, yeah. I never heard the phrase before, cut a bitch, but now I'm thinking that, um, this podcast is going the wrong direction.

We should bring it back to center. We should focus on cutting a bitch. 

Mike Crispin: Sounds dangerous. [00:06:00] I think, uh, IT leadership. We should 

Nate McBride: figure out how that works into, uh, how does that work into IT leadership? Like, I'm trying to find the angle. I'm working on it. And we might not be able to get there tonight, but 

Mike Crispin: You're just trying to get back Trying to bring it back around square it out.

Nate McBride: Yeah, square it out. Like, yeah, if I if we were if we took it into a public high school and we're like, yeah, yeah, what's up? Would it win? Probably not. 

Mike Crispin: Probably not because everyone knows how to use computers and phones now. We had a kind 

Nate McBride: of special power in high school. Like, when I could, I was the only one who could do the VCR reprogramming.

Or like, figure out the projector in class. You know, it's kind of a special power. I don't think that that really works anymore. 

Mike Crispin: I showed everyone how to use VI. In, uh, that was a real highlight when I was in college. So that was a nice 

Nate McBride: You didn't, you didn't have to cut a bitch. You, [00:07:00] um, did the VI thing instead.

Mike Crispin: Yeah, like, why would you use this thing instead of Notepad? Was the question. There were a lot of reasons at the time that I just didn't know, but I know now. I guess then I was kind of like, yeah, it's a good question. 

Nate McBride: Was your nickname Control X? Is that what people called you? 

Mike Crispin: No, it was, um, it was, it was Crispin, I think was my nickname.

Oh, that's my last name. Um, I can't remember what they really called me. Well, the clear 

Nate McBride: question was, was it Crispin with an apostrophe at the end, or was it Crispin? 

Mike Crispin: It was just Crispin, or Crispy, or 

Nate McBride: Crispy 

Mike Crispin: wheat raisins, or

Mike, sometimes I hear that. 

Nate McBride: Wow, Mike? 

Mike Crispin: Yeah. 

Nate McBride: You don't hear that much anymore, do you? 

Mike Crispin: No, not usually, no, not at all. It's too bad, because that's, that's sometimes a short version [00:08:00] of my first name. 

Nate McBride: Yeah, it can be that, it can be that, yeah. 

Mike Crispin: Well, hopefully 

Nate McBride: Yeah, microphone? 

Mike Crispin: I'll bring us back. All right, let's go.

Where we got to talk about tonight. 

Nate McBride: Um, nothing. I was it Have a good 

Mike Crispin: night everyone. Thank you for tuning in. 

Nate McBride: Yeah, that's all we got. I mean don't cut any bitches and um with your razor blades uh, be careful because your money's about to get stolen by the federal government and Invest in bitcoin Invest in Dogecoin.

Oh, Jesus Christ. On a popsicle stick. On a bicycle. Walking dogs. Welcome back to Calculus of IT. 

Mike Crispin: Good to be back with you, Nate. 

Nate McBride: I don't know why we say welcome back. We should say welcome. Because what if someone, what's the first episode? [00:09:00] So welcome to Calculus of IT. And if you're a returning visitor, welcome back to Calculus of IT.

And welcome to episode four of season two. We did decide that last episode was not episode potato zebra. It was three. This is now four, although I think we're on five and I'm not sure, but we're gonna call this one four. And that's that. 

Mike Crispin: I like it. Let's do it. This is 

Nate McBride: as we determined last week. This is the home of all that.

Is it Paradoxa? 

Mike Crispin: Paradoxic, 

Nate McBride: paradoxa? No. Paradoxa or Kai 

Mike Crispin: Paradoxa. Okay. The 

Nate McBride: Paradoxa, the Home of the Sad Salad, the nexus of Neverland. And guys, I miss the 

Mike Crispin: sad salads. 

Nate McBride: Oh, I had one tonight. It was, it was, it was basically chopped cabbage with a big 

Mike Crispin: French bread pizza tonight. I suck. It's fantastic. 

Nate McBride: We're [00:10:00] also your personalized concierge, IT leader, intranet site.

We're also, and I dare I say it, fully CSS compliant. And we perform all of our scripts on the server side.

Mike Crispin: No, 

Nate McBride: no fucking client side scripts here. It's all server side, baby. Keep it all in the cloud. All in the cloud. This is Mike 

Mike Crispin: Christman, 

Nate McBride: I'm Nate McBride, and we are two birds on a wire. Each week we spend our time dodging federal efficiencies and dive deep, deep, deep into it leadership. So deep, Mike, 

Mike Crispin: we're getting in there, 

Nate McBride: just getting in there.

We're just like putting on the gloves, just waiting 

Mike Crispin: there. Just give us unfettered access. Yep, we, we got it. We got access to the server. We're in. Just gimme 

Nate McBride: root. I just [00:11:00] need a root. 

Mike Crispin: Just root. Don't tell anyone. Just gimme root if you know what that is. Uh, I need root, 

Nate McBride: a pair of gloves and a bottle. I think there's probably no 

Mike Crispin: pass.

There's probably no root password on any of those computers anyway.

probably running like Windows 95. 

Nate McBride: Hey, now it's the government. NT 4, NT 4.

We're that, we're just that deep. We're so deep, we're not even sure we're talking about IT leadership anymore. We're somewhere else. If you're an IT leader and you're still here and you're listening, we're gonna about to, we're about to uncover some like, deep shit. 

Mike Crispin: Thank you. 

Nate McBride: Does it get deeper than this? I don't think it gets deeper than this.

Mike Crispin: Let's go deep. I'm ready to go deep. 

Nate McBride: If you subscribe to one of those, um, analysts companies, annual, um, CIO strategy plans, you won't get this deep. You'll pay [00:12:00] 110,000 and you get, um, third rate access to a shitty hotel in California or Florida, but you will not get this deep, 

Mike Crispin: right? You'll 

Nate McBride: get, you'll get this deep.

If you go to do karaoke, you'll get the, you'll get deep. 

Mike Crispin: That's the only way to do it. There's no question. 

Nate McBride: So if you missed last week's episode, first of all, what the hell is wrong with you, fucking stop playing this one, go back and listen to that one and then come back to this one because you need to listen to that one and the ones before it, they're all important, but if you did miss it accidentally, or you're just waiting to queue it up and you forgot, it's okay, it's not too late.

We slayed, slayed. Eight modern IT paradoxes 'cause it was seven and now it's eight. So we call it eight modern. Eight IT paradoxes or paradoxa or paradoxa high. We slay the eight modern IT paradox high. 

Mike Crispin: [00:13:00] I like paradox. I like that the way you said that 

Nate McBride: paradox. Okay. It's like Cobra Kai. 

Mike Crispin: I like that. I do like that a lot 

Nate McBride: when you're cutting a bitch and you, at the end, you say paradox, the guy, and they're like, what,

Mike Crispin: I just didn't know you were going to go into that level of detail with the razor blade and everything that was, that's deep. 

Nate McBride: Well, I just heard this and I'm, I was staggered, but you know, sometimes you hear some things, you know, like Phil Collins did what? And you just kind of can't let it go. And so like when I heard that this, this person had to go to high school with a razor blade in her cheek, I was intrigued by that story because that's so, just not like a regular story, you know?

Mike Crispin: Wow. You can't tell me what you've been through, but how did this conversation come up, like right as before [00:14:00] you had a beer or after a beer? 

Nate McBride: Uh, it was like interstitial beer moment, you know, and it was. We were talking about, um, education or something came up and it was just kind of a, when I was in high school and I, we were all like, what, what, how, what, what just happened?

How did we get to, yeah. Like, I'm so glad. And maybe people in my high school had them too. I don't know. That was a long time ago. Did they have razor blades back then? Oh, so anyway. The eight modern IT paradoxes, they were the paradigm shift, why traditional control is breaking down, the new challenges of modern IT, three models of IT control, the real cost of getting it wrong, slash IT wrong, setting up the modern balance, the path forward, and the new addition, lucky number eight, the ecosystem paradox.

When you think you're so being so cool because you're not using Microsoft and then it turns out you actually built your own ecosystem. That's like Microsoft. [00:15:00] That's the paradox, which was your favorite. 

Mike Crispin: I think the modern balance was probably my favorite 

Nate McBride: balance and trust, 

Mike Crispin: but verify the beginnings of that discussion, I think was a good place to begin from modern balance.

I always kind of thought taking the middle road on things is always a Good way to get the best of both worlds, always the, the, the direction that try to take if I can, but it's neutral, 

Nate McBride: you're, you're like the Sweden of it leadership. 

Mike Crispin: She's like, just pounds information from both sides. I don't go there, but you know what I'm saying?

And just get, get a, get a, get a, get a very nuanced and massaged. Point of view,

because that's what I'm into, you know, that's what I'm into. [00:16:00] 

Nate McBride: Well, 

Mike Crispin: good choice of words, totally unintentional. But yeah, that, you know what I'm saying? I like the modern balance. I don't know if 

Nate McBride: I do. I don't know if I do, Mike, but anyway, I'm glad to hear it. Glad to hear it. Um, so, I think we're going to have to revisit some or all of these, these, these, uh, Paradoxicae, uh, this season, because there were some pretty good ones in there, including the ones you mentioned, um, I want to definitely come back to the ecosystem paradox.

Mike Crispin: That was sort of new last week, right? We just, that was a new one 

Nate McBride: last week, which we just kind of added on to the list. Cause, and I thought of another one too, but we're not going to go into that tonight, but, um, we're going to come back to it in the future. I made a note to, to reflect on it in the future.

Mike Crispin: Okay. Uh, 

Nate McBride: so, so this week, absolutely another smash hit this, this episode's going to shadow way above [00:17:00] all the rest. Um, we're going to discuss identity again, but this time. From a new perspective, which is the autonomy perspective, um, we're gonna talk about the old school definition of identity, the new school definition, and there are basically two schools of definition and then discuss how each of those is beholden.

How about that for a word? Beholden to and shapes, uh, the four pillars, the autonomy, risk, innovation, and productivity. So, We need to come up with a good acronym for these, like P. A. R. E, P. A. R. E. or P. R. 

Mike Crispin: I was thinking N. S. A. I. D. D. I can't believe I didn't hear that. D. O. G. D. How did I get that wrong? Did I have like ibuprofen on my mind or [00:18:00] something?

Nate McBride: I don't know, I thought you were like being totally serious and that's why I didn't correct you. 

Mike Crispin: Well, I was, I don't know why I thought about that. I don't know why I didn't get that right. But anyway. That's 

Nate McBride: okay. Mike. Let it go, man. 

Mike Crispin: My acronyms, I just, I can't keep them straight. 

Nate McBride: So we're going with rp.

Mike Crispin: Arrp is P, 

Nate McBride: PR or pair. 

Mike Crispin: I like pear. 

Nate McBride: Alright. Pair. PAIR. Pear. Productivity, autonomy, innovation and Risk 

Mike Crispin: because. And you know why that works is because we talked with the one zero decision. 

Nate McBride: Oh, look 

Mike Crispin: at you, right? So the kind of pairing, I love this. It's all coming together. 

Nate McBride: Honestly, we should stop right now.

This is the best episode we've ever had.

Mike Crispin: Just tell people not to be a dick to it. And we'll just, we'll just shut it down. 

Nate McBride: So don't be addicted to people. Uh, have your pets spayed or neutered.[00:19:00] 

Okay. All right. We're having 

Mike Crispin: fun tonight. This is good. 

Nate McBride: Hair. P a I R. You can use all kinds of, we'll, we'll twist this around a little bit. We can impair, we can repair, we can au pair. What's au pair? Au pair is a nanny. Yeah, yeah, we can, we can make that work. We'll metaphor that in. Let's do it. Like the digital, a pair of your autonomy, ah, autonomy au pair is fucking working.

Mike Crispin: We value autonomy. The calculus [00:20:00] of IT. We value autonomy. Through the code we weave our fate. In the data seas we scape. Zeroes, ones that can't abate. We control it, it's innate.

Nate McBride: But before we get into this, we're just like, I told you, we're going to go deep. This is how deep we go. We've got to do all that. We got to do the job updates. People actually like these. I don't know if they're working or not, but. Okay, so, X4 Pharma, VP of IT. It came out last week. Jump on this one. They got X4 as their name.

I mean, what else do you want? Okay. Global IT strategy [00:21:00] VP. So Calvista Pharma, last week it was a VP role. Now it's the global IT strategy VP. So you've been bumped already. Wait another week, it'll be SVP, three weeks it'll be CIO. So just hang in there, Calvista is going to, going to get you. Uh, Calvista is also looking for a chief information technology officer, a CITO.

Two roles? Is it a CITO 

Mike Crispin: So they're, they're Bo they're, they're, they're hiring a Chief IT officer information? 

Nate McBride: No. In Chief Information Technology Officer. 

Mike Crispin: Well, what is information technology? It, 

Nate McBride: it's CITO. Mike 

Mike Crispin: got it. 

Nate McBride: Not CIO. 

Mike Crispin: So it's like information and technology together? 

Nate McBride: Yeah. 

Mike Crispin: And then there's a strategy person too there.

A separate role? [00:22:00] Global. 

Nate McBride: A global strategy person. 

Mike Crispin: Got 

Nate McBride: it. Who's the VP? And then, uh, but then Ironwood's hiring a VP of IT. PepGen is still hiring the VP of IT. I guess they're having, they're still out there. I guess they haven't hired anybody yet. Formlabs, still a CIO. Bunker Hill Community College, home of Matt Damon.

He went there to school. He's still a teacher there. He's an alumni. It's not, not 

Mike Crispin: your fault. 

Nate McBride: Wikipedia. 

Mike Crispin: It's not your fault.

I like they're it's fault, Pete. It's not.

Not your fault. Not your fault. It's not your fault. 

Nate McBride: It's 

Mike Crispin: not fault, Mike. It's 

Nate McBride: not. It's not your fault. 

Mike Crispin: Isn't that Robin Williams last role? No, no, no. Isn't a lot of other things. Okay. Pat Adams. [00:23:00] No, that was 

Nate McBride: before. That was before. 

Mike Crispin: No way. Really. 

Nate McBride: It was before. Yeah, 

Mike Crispin: it was before. 

Nate McBride: Yeah. I think, I think, um, this is important.

I was about to say it's Saving Private Ryan was his last movie, but it wasn't Saving Private Ryan. It was, what was the name we were just talking about? Um, Matt, Matt Davis. Oh no, Matt Davis movie. What was it called? Oh, I think it was Robin Williams. Yeah, that's what I said. His last movie. Yeah. Wasn't it, uh, Scent of Woman?

No, that was, uh. None of this stuff. No, he wasn't anything else after the Matt Davis movie. Yes, he was. What was he in? You're Googling it. I'm looking at it right now. Yeah, what was he in after Scent of a Woman? 

Mike Crispin: So many places so many movies. I can't even name them all. Let's see 

Nate McBride: after the, after the Harvard one with Matt Damon 

Mike Crispin: [00:24:00] Yes, 

Nate McBride: what was he in name one?

Mike Crispin: He was in AI, he was in Insomnia where he played the villain. He was in One Hour Photo. He played a bad guy on that one, too. This is 

Nate McBride: after the Matt Damon movie. 

Mike Crispin: Yes 

Nate McBride: Okay. All right. All right, you won Merry 

Mike Crispin: Christmas is another one that he was in. Let's 

Nate McBride: agree to disagree. I think Phil Collins was 

Mike Crispin: in one of those movies.

Who was it? Phil Collins. 

Nate McBride: I wouldn't be surprised. 

Mike Crispin: Because I 

Nate McBride: know there's a tie in there too. We'll get to that. We're 

Mike Crispin: going 

Nate McBride: to unravel this conspiracy at some point. You're hiding something. Uh, VP of IT at Sequel MedTech. MIT still looking for a CIO, and I have a feeling actually it's not as glamorous as people think.

Harvard! Harvard U is looking for a CIO. Mike, this could be your shot. They would be like, [00:25:00] this guy is amazing. You gotta let 

Mike Crispin: this guy in here. 

Nate McBride: Transform those young 

Mike Crispin: minds, Mike. My band played there a few times in the early 2000s. That's as close as I got. And I spent a lot, a lot of time at Bartley's Burger Cottage.

Nate McBride: So you have an in, you basically have an in is what you're saying. Yeah. So if you want to do the Harvard CIO job, talk to Mike. Uh, CompuCom is looking for a CIO. That's a new one. Uh, Clinton Livery is looking for a CIO. I have a feeling that's a limousine service. Otherwise, it's a liver chopping store. 

Mike Crispin: Wow.

That's one. I've never heard of that before. 

Nate McBride: Clinton Livery. Uh, Candela Medical is looking for a CTO. Arena Bioworks has a new role. Director of IT. City of Hope Cancer Research is looking for a new CTO. Kate Farms. She talked about this one last week. Kate Farms last week was looking for a VP of IT. Guess what?

Now it's an [00:26:00] SVP of IT. 

Mike Crispin: Really? 

Nate McBride: Chimera is looking for a Senior Director of IT. Wave Life Sciences is looking for a Senior Director of IT. Discovery IT. Garuda is looking for a Director of IT. Apnemed, Senior Director of IT. Odyssey Therapeutics is looking for an AD IT. Mercy Bio has upgraded their role to a Director of IT from an AD.

BMS is looking for a Senior Director of the Devens Digital Plant. Verve Therapeutics, looking for a Director of IT, GNA Business Partner, and SOX Compliance Lead. That's a mouthful. Viridian is looking for an AD of IT Ops. Noble, still N O U, N O B U L L. Noble is looking for a Head of IT, a top dog role at a major CrossFit merchandise company.

Decipher, looking for a Senior Director of Infrastructure and Ops, and a Senior Manager of IT. Foghorn Therapeutics is looking for a manager of IT infrastructure and ops land. Thais is looking for a [00:27:00] director of IT for corporate solutions and a head of enterprise technology and innovation, which is a new role, kind of cool.

Kyra Therapeutics is looking for an SD of enterprise systems. Triumvirate looking for a corporate director of IT, and Mass Mutual has a new role for SVP of Digital Transformation. 

Mike Crispin: Ooh, that sounds like fun. Yeah. What's Mass Mutual doing? They're in the seaport. They got a good nice little spot over there.

Nate McBride: Yeah, well, they're looking for a SVP of digital transformation, so you can digitally transform them. 

Mike Crispin: And you can go to Empire where Scorpion Bowls have to work. And they got Lola 42 over there. That place has unbelievable sushi and burgers and the whole thing. Very exciting. I used to work in the Seaport and one Marina park drive, and we used to love living there, working there,

We pretty much did live there, but we, we loved [00:28:00] working there too. 

Nate McBride: Okay, well that's the roles. Hopefully your resume doesn't look like a, um, someone cut a bitch on it. And you're going to get those jobs, talk to Mike and I, if you need a reference or connect, uh, so long as you're not going to hurt somebody when you get there with your razor blade in your cheek.

Mike Crispin: Let's talk. 

Nate McBride: Yeah, let's talk. Uh, also with every podcast, we're going to release it in two formats. One will be our format as normal, like us talking right now, as you know, and the other one will be an AI version, which we do now every week. Um, it's usually shorter, and it's done by two AI bots, and it's kind of fun, so you never know what you'll get.

Um, I've been trying to keep our episodes to about an hour, we're getting closer to an hour and 40 minutes, but we're still working on it. So, as Mike would say, take it, um, as it is. We do have a Slack board. It's growing and there's been a [00:29:00] lot of discussion recently. Uh, lots of cool things, especially, um, like where to go for unstructured data storage and what, what solutions to pick.

So good discussion. Uh, I'm glad that it's going the way it's going. And it's a lot of help people helping each other, which is good. If you want to continue the conversations on our show, you can do it on Substack or you can come to our Slack board, um, and just tell us how you feel. Also, if you're listening to us on any of the formats, popular formats, give us five stars.

That's all I'm going to say, or if you don't, we're going to find out who you are. We're going to come in, get the razor blades out of our cheeks. No, we wouldn't do that. We're just going to silently, quietly judge you. If you don't give us five stars. Mike won't, but he, but he will. When he says he won't, what he really means is he's going to twice as much.

You want to buy our merchandise, it's in our store. We have lots of cool, fun things. Also if you want to buy us a beer like other people have [00:30:00] done, thank you Ryan White again for 18 beers. Uh, it's not, it's not that big of a deal. You just press the button, you put in a number, add your credit card, you give it to everybody in the world anyway, and then just go ahead and give us beers because I'm drinking Wild Turkey 101 because that's all I have left in the house.

I have to get more beer. And Mike's drinking swamp water. 

Mike Crispin: Yes. I love it. I love swamp water. 

Nate McBride: Okay. So we finished the eight modern IT Paradoxikai. Tonight we're shifting gears to tackle something that's been lurking in the background of every paradox we've discussed last week, which is identity and not the what's your username and password kind of identity, but the deeper question of what makes something valuable in IT.

How we identify that value and ultimately how we protect it. And there are three points right there. Number one, what makes [00:31:00] something valuable? Who decides the value of a thing? Two, how do we go about ascertaining that value and then maintaining that value? And three, how do we protect that value? How do we keep the value always the same?

It's a question a lot of people ask. But it's important for this autonomy discussion. And then we're going to talk about some more paradoxes because we're going to have to deal with a zero in one decision. 

Mike Crispin: It's like a pair, a pair, a docs 

Nate McBride: pair. Oh, pair apostrophe. Oh, apostrophe docs paradox. Like Tom, instead of Tommy O'Houlihan, it's Tommy O'Paradox.

Oh, pair a docs. You know, good Irish, good Irish last. Uh, so, so that's where we're going to start with and, uh, then things change and blend [00:32:00] kind of after we go. So, you know, I was thinking about like how to frame this and I figured the best way is to go back, to go, you gotta go forwards to go backwards.

Okay. You gotta, you know, exchange a gram. You gotta, you gotta think forward to go backwards and then come back forwards again.

I probably missed the reference. Oh, no, you get the reference. I get it. Yeah. Okay. Yeah. The internal phase. Yes. Uh, so remember the days of Active Directory? Yes, I do. They're still here. 

Mike Crispin: I know. For some. Which is ironic. Necessary evil for some, I think. But, uh, I think that's changing. 

Nate McBride: So, I was thinking, when I got started on Identity, and this was my early, early days now, I was 23 years old.

First job out of college. Uh, we had a first class server. And we had an Apple server running on a Quadra. [00:33:00] A Mac Quadra Tower. 

Mike Crispin: Okay. 

Nate McBride: And so everything was done through the chooser, you know, you kind of set up a file share and it was like school data and teacher data. Um, so identity was like, uh, a username and a password and really nothing's really changed since then.

It's just, it's gotten a little more complicated, but really it was, you got a username, um. Basic conventions, uh, applied and you had a password, no real controls or restrictions in place. Although some systems had like the minimums at that point. Um, I, I think that it's important to state this out because before we dive in the technical bits of Identity and sort of the, uh, more non technical bits.

We need to talk about what Identity means in 2025. Like we're, we're, we're way past Active Directory. I mean, yes, to your point, some people still use it. Um, we [00:34:00] don't, we use Okta, right? But identity, if we're talking about technically, we boil it to its simplest forms is a two, two sets of, um, criteria. There is a username field and then a, some kind of, some, some password or combination of authentication that goes through that combines with that username field.

So before we get into this, let me ask you a question. Have you ever wondered why there needs to be a username and password field together? 

Mike Crispin: The kind of both passwords. Yeah. 

Nate McBride: Exactly. Um, can't just give them the password. Can't just give them the user ID. So, it was determined and there's lots of great information about why this is.

You can read the history of this. I'm not going to go into all the detail. But, it was determined at some point that if you [00:35:00] take two individual things. An individual, what does an individual have? Well, they have all these sort of phenotypical characteristics of their body and their personality and their human mind.

They also have a name, but the problem is that names can be, there's another Mike Crispin out there somewhere. Not as cool as you, but there's another one out there. Another M. Crispin. There's another N. There's another N. McBride. So I actually didn't create a unique identity. Um, even more than that, my identity is not secret, right?

So people know Nathan McBride, so they can pretty much figure out what my identity is. They figured out one part of the equation already, my identity, just by knowing my name. Now the other part, the tougher part, is my password. And again, there hasn't been a whole lot of thought applied, at least in circles I know and people I know, as to why one is so easy to guess and one is so difficult, instead of why not make both of them so difficult. That's just an [00:36:00] open, like an open point that you should be thinking about.

Why is it that it's not mcrispin25? Why is it mcrispin? And is it, is it the decision you made? Who made the decision that it wouldn't be mcrispin25? 

Mike Crispin: It could be, could be like in CompuServe days, we just had a number. 

Nate McBride: I know, but, okay, okay, that's a perfect example. So, so when you went into, when you went into Cardurian, and you looked at, um, the, the naming conventions that were in place for, for authentication at your company, And you're just like, okay, cool.

And you guys are like, uh, whatever your convention is. There was a convention in place, but it was clearly something someone could guess for your name. 

Mike Crispin: The reason for that is one of those identifiers needs to be easily understood and known by the user. [00:37:00] Why? What's easier than their name. 

Nate McBride: But why? And, and so before you, before you answer that, before you answer that, let me ask you this question.

But, but we also, they also remember, they can remember a password that's complicated. So why, why, um, let's, let's I debate, I debate that. Okay, let me, let me, let me rephrase that statement. People can use a, people can use a phrase that is not their name. Yes. Pass as a secondary, as a secondary authentication mechanism.

So why, but, but, but it's not their name. So why do they need their name 

Mike Crispin: as an identifier? So if someone else looks at that account, they know who it is. 

Nate McBride: Okay, but you can just alias those kinds of things. So why 

Mike Crispin: would you want to do that? 

Nate McBride: So, um, well, I'll give you an example. So we have, we have a role at my company that has [00:38:00] had a few revolving doors.

And so instead of using the name for the login account. 

Mike Crispin: Okay. 

Nate McBride: Of every person that comes in, just keep changing the name. We just genericized it to, um, a name that doesn't matter that that role is a revolving door. Everyone that comes into that role now will just use the same account. But we've also aliased, we've made it so that when someone looks at them in the directory, per se, it shows their actual, it shows their name as an alias.

Mike Crispin: Got it. So someone uses that account and multiple people are using that account at once. How do you know who did what they did?

Nate McBride: Well, it would have been during the tenure of that contractor. So let's say 

Mike Crispin: it is a one person who has access to the account, not multiple. 

Nate McBride: Only one person has access, but it's the person of the moment. So it happens to be, it happens to be a role. That's a technical role for, for a clinical. Sure. And again, this is a role that's hard to keep.

So we use contractors. [00:39:00] And they don't last very long. And so we know, but only one person knows the account. It's that person, but they're not using their name. And so when I started thinking about this episode a long time ago, it wasn't this element that got me thinking about this, but it was the idea that we, we don't challenge the fact that we just use our username.

Our human name as our ID. We don't challenge that anymore. 

Mike Crispin: I don't I don't usually challenge it because I need to know who it is with. I mean, without another without another field somewhere. So let's take that account that you just mentioned. And in three years, someone wants to know who used it. Would that be, would that be captured with the user account?

Yes, yes, it 

Nate McBride: would be, it would be captured. How? And, well, so, so, so technologically speaking, it would be captured in the new hire and termination lifecycle database that we have that shows that between, say, January 1 and March [00:40:00] 31, this particular individual came in and assumed the role of that particular account.

Then after they left, the next person came in. So there, there's an audit record history of who was using that account at the time. 

Mike Crispin: Privilege access management. A practice with that, right? 

Nate McBride: Uh, pretty much, pretty much, and so But, but, without getting into the technical parts of it, the point is that I started thinking about, well, why does it have to be N.

McBride? Why can't it be X, 9, Y. And I can just give that out. Well, obviously it's not easy to say. Yeah. Okay. Get that part. And obviously it's not easy to, um, to write. But beyond those sort of impracticalities, why do we put a username in the field? 

Mike Crispin: We [00:41:00] don't necessarily have to, as long as you can tie that identity back to another identity that they do know.

So if you take, if you take, for example, what Apple does and some other companies do, and they let you create an alias to hide your email, to log into your, uh, let's say Substack account, which I do. I have a username that makes no sense at all. Uh, the email address doesn't even, it was randomly generated, but I don't really need to know what it is.

But I do need an account that tells me what that account is. So it's, I think that's getting more common where we're, we're using password managers or some sort of identity management system. But I, I think from a, from a simplicity perspective, having one identifier that's known to the wider audience is a value in identifying an account from a visually from a business continuity perspective.

Nate McBride: Okay. Okay. Again, that would be my [00:42:00] argument. Understood. But okay. So everything that you just said is completely valid, but we go back to the original question you didn't challenge when you walked into your company, nor did I, we didn't challenge the standard, right? 

Mike Crispin: Just because there are other, probably other things we may need to challenge.

Nate McBride: Okay. I don't necessarily. I don't buy that one per se, because I also don't buy it for myself. I mean, I like, oh, why would I challenge that now I have bigger fish to fry? But, but, but it points to what's, what's an underlying theme of the season, which is there are some things that we just do because we, We don't, we just kind of like go with it.

It's a zero decision. We're, we're just going to assume that it's N. McBride or Mike Crispin. So, so we're okay conforming to identity, and now I'm not trying to put you on the spot, but ultimately you and I both made this conscious decision not to challenge that [00:43:00] aspect. Okay. 

Mike Crispin: Yes 

Nate McBride: Okay, so we've given away one piece, one of the two pieces of the puzzle to anybody else who wants to know how to get into us and who can at least attempt.

We've given that away freely. Yes. And there's nothing we can do about that. So we've made it a little bit easier. But that's, that's where our identity value comes in. So we're gonna talk about the true value of every asset. Every, every piece of data, every process, because process is an asset too, we have to think about now every single value that we're ascribing, sorry, every single, uh, attribute we're ascribing to that value.

So, if we have a valuable piece of data, but someone already knows one of the two keys to get into it just by default, did we really truly, um, apply the value that we want? Now, that's a rhetorical question. We'll come back to that in a minute. Um, I think we, we can tend to forget that your identity is [00:44:00] primarily a key.

Mike Crispin: Yes. 

Nate McBride: So identity, technologically speaking, identity is a key. It gets you into the door of the house, but inside the house, let's say, there are thousands more doors. And sometimes your key will work on some of those doors and sometimes it won't. Everything from which doors you can open to which floors you can go to in that house to what you can see when you enter a room is all decided by seemingly subjective, uh, elements.

Yes. For the most part, and 

Mike Crispin: so the other two keys, Nate, are to prove you are key number one, right? So yeah, how many you add. So if you're trying to prove you're XYZ 60, nobody knows who that is to identify you just by your name, or by who you are. So it's, you need those other identifiers. One form of identity is the name you were given to identify you as a person, as a human.

Now you, you could spoof that, right? You could, you could [00:45:00] spoof that, you could, you could make that fake or, or whatnot. But the point originally, I think, of a password was to verify that you are Nate McBride, or I am Mike Crispin, early, early days. Or that you, I don't disagree, this account that's been given, given access because you've paid for something.

So I think, uh, I, I agree. I think that there's identity is the value is value. Um, but it's there's even more factors now, I think than we even know that people certain groups used to identify us when we log into a system where we're given access. And it's even going to get more complex. 

Nate McBride: I don't disagree with everything you said.

Everything you said is absolutely accurate. The problem is Mike, though, we're, we're, we're going to try in a moment to, um, assign a value to an object that's digital and we're going to immediately give away half of the capabilities to access it, or at least one part of the way to access it. We're going to [00:46:00] say to you, to the person who's trying to access it, we're going to give you half the key just because you exist to get into this door.

We're not going to give you the whole key. There's a part over here that you can't see, but we're going to give you a, we're going to give you a part of it that you can see 

Mike Crispin: and, 

Nate McBride: and we're just, we just do this. We just do this because we do it. We don't do it because there's a, there's a document or a guideline or something.

We just do it because we do it. 

Mike Crispin: Well, I, I don't know if we just do it to do it. That's where I'm, that's why I'm pushing back a little bit. Well, we 

Nate McBride: do it because we have to do it, Mike, because there's a field that says username. User ID, like we have to put something in that field to put anything 

Mike Crispin: you want in that, in that field though.

I mean, you could. Okay, but 

Nate McBride: we, I know we could, but why don't we? Why 

Mike Crispin: do we pick the easiest possible key? Because we need a way to identify people and we have multiple, in a human sense. Like, I think if you take Bitcoin, for example, we want that to be anonymous. We don't want people to be identified.

Therefore, your private [00:47:00] key is completely random. And it's up to you. That's the benefit of the platform. If you want to anonymize your data, I think we, you could create random usernames and have some database after the side that's pulling them all together. But what, what is that? Is that generating a better security footprint?

Is that the goal to doing that? Or is I don't know. We 

Nate McBride: haven't. We haven't gotten there yet because we have, we have to, we have to consider the fact that if your identity is the key to the asset and the asset is valuable, then at what, at what point in the chain do we all of a sudden ramp up the difficulty at which to access that asset and how do we define the value of that, of that part of the key?

Now, again, nothing you said is wrong. And, and I, I, I believe a lot of what you're saying to be absolutely true. But we don't ask the question as to our willingness to give away [00:48:00] half of the, half of the answer and let someone else guess the other half if they, if they're so inclined to do that. So 

Mike Crispin: a third or a fourth of the answer, 

Nate McBride: potentially a third or a fourth, yes, but still a portion is given away for free.

Yes. Yes. It's like, remember, remember that Monopoly game you played with McDonald's where you got like one of the green places. Yeah. Okay. All right. Like, yeah, yeah, here, here you get Pennsylvania Avenue and you're like, Oh my God, I could potentially win a billion dollars. And meanwhile, McDonald's is like, yeah, there's one of the fucking pieces in Arizona.

Good luck. Same principle. 

Mike Crispin: So talking about a balance here to some extent, you know, you're, you're, you get a pretty good balance to put a name on a username versus a, I will question often a username, but I'll say I need it to be something that's, that's standardized and uniform. Across the group. Otherwise, I'm creating some other username or some other field somewhere else with the [00:49:00] name to tie what the username really is linked to that someone needs to remember.

Um, so I agree. We're giving away a piece of it for, uh, sort of for nothing but in the name of simplifying it for the user. 

Nate McBride: Yes, 

Mike Crispin: probably is what why we're doing it is in a balance to, um, to make it activity. Yeah. The one zero type thing is we're trying to find the middle and I, we don't, I don't think we even think about it because we say, well, we can add another factor or we can, you know, we can, there's other ways that we can secure data for people or make it more invisible, but for us not to, to ask the question might be just because, um, like I said, there's probably so many other things that, oh, thank God they have a naming convention.

No, thank God they have a first dot last or first initial dot last. Like, uh, that's just something that I'm more worried about their password complexity or that they. That they don't have, um, that they don't have a password or they don't [00:50:00] have some of the basics in place. Usually I feel like that's what we run into in the first, the first couple weeks when we're in these places.

Nate McBride: That's... We're going to peel, we're going to peel this apart a little bit because everything you just said, they're, they're part of the balance. So yes, higher, higher productivity means use your, use your, your God given name or mother given name, but then lower your lowering. You're increasing risk. You're not lowering your risk profile by doing that.

So, so you're, but you're, you're increasing autonomy. So you're like, you're basically, you're, you're, you're dealing with some levers here or levers. I think it's levers. If you're British levers, levers, levers, levers. Uh, you're dealing with some levers here about autonomy, productivity and risk all at the same time, which is a good one.

And it also introduces kind of a new paradox too, whenever you do [00:51:00] this, whenever you're triggering so many at the same time, it kind of like introduces another paradox. And this isn't like one of the modern IT paradoxes we're talking about. This is back to the point about having a key to get into a house, and when you get in the house there's a thousand doors.

The question is, how do I know what doors this person should be allowed to go into? So yeah, let's assume, forget that, forget the username part, forget the password part. Mike Crispin has started in my company, he's a director of digital Nexus of Forces, and I need to give him access to certain doors. Well, what are, what are my options historically?

One, uh, I just kind of know, okay, no problem. And how do I know? Well, I know, cause I know, and there's really no explaining that. It's just the way it is. Number two, I go around and ask people like, should Mike have access to your data, your data, your data? Uh, yes, yes, no. But how do they know? And down the line, right, it becomes a rabbit hole.[00:52:00] 

Or third, I give Mike no access on day one. And as Mike comes along, he says, Actually, it'd be helpful to my job. It'd make me more productive if I could see this and this and this. So he's actually doing the one doing the self justifying. So, how do I know what doors someone should be able to go into? To kill the metaphor completely?

It's a big fucking question and, um, when, when we, when we go ahead and start to answer that, we have to do it with a mental calculation of what's the value behind that door. And I know there's like doors and value and keys and usernames and all this shit, but forget everything we just said and let's just break it down to the most simplest, most simplest terms.

When a person comes into my company and I give them a username and password to access a thing, how do I, how do I compare who they are to the value of the thing that they should access? [00:53:00] And that is the identity question. That is the actual security and risk question I think we should be asking. Because, I'll give you an anecdote to this point.

Um, I've been helping a company out recently and I met with their CEO and she and I had a wonderful, wonderful discussion. But she and I both came to the same conclusion that 99 percent of the data in their company is meaningless. Who cares if the person gets access to it? It's irrelevant. It's that 1 percent of data.

And I said to her, well, you know, how is it that you sort of quarantine that data? Like, how do you mark it off with tape? People know that's the most important. She says, we don't. It's trust. We trust people that should know that to go in there. And I didn't say it at the time, and she doesn't listen to this podcast, so I think we're safe, but that's the absolute worst answer to give, in my opinion.

Yeah, least [00:54:00] privilege access, right? Right, least privilege access. And so, how, how, how do we do this, Mike? How do we, it's not like we can pull up a Kelley Blue Book and say, oh, it's this American model, and blah, blah, blah. Um, we ascribe values to things based on all kinds of non-standard, sometimes semi-standard, ideals and models based on experience, what we're told, what the company does, who we talk to and their perceptions of it.

Mike Crispin: Sure. Yeah. I, I think in that, in that example, just having, you talked about sort of this option number two, where you're walking around and, you know, figuring out what data people own or do they even know what data they own. Right. Um, yeah. And I think there's going to be a fundamental understanding at a company.

Head of IT needs to start to instill that certain functions in the company own certain sets of data. [00:55:00] They ultimately are responsible. They are the data owners. I don't think it's, 

Nate McBride: can I pause you right there though? 

Mike Crispin: Sure. 

Nate McBride: But are they the owners or is the CIO still the owner? CIO is the 

Mike Crispin: owner of all corporate data as from a respect of knowing every single piece of data and its value.

In my opinion, I think that's... Ultimately, there's business ownership. We're supposed to protect the data. But we don't, I don't think we often, sometimes know, we should know where things are located, but we need to do the exercise of meeting with the business leaders to learn that information, so they have to actually have some idea what data they have and what they don't have.

And that's a huge challenge. That's a huge first year challenge. This we talked about, I think last year, is doing that, that initial data map, right, of the whole organization. But that's, I don't think that, I know Chief Information Officer, you [00:56:00] know, owns all the IT in the organization, but it's also a strong partnership to designate and have sort of data governance and data owners.

In which you're able to make base your security model off of, Um, because I don't think you can expect one person or a couple of people to know every piece of data that's being created within a construct, or especially at a larger company. We just have to have good rules and good, good, good protections in place to protect that data.

I think that's why we struggle so much with data classification in our small companies, because it's, uh, it's often the CIO is trying to chase everyone down and make that happen. And it's hard for others to identify that data, to your point. So I think this is a paradox in some respects, is that they're supposed to know their data.

You can help them know what it is, but they're [00:57:00] ultimately need to know what it is. So if you need a risk assessment, you're not just going to ask the CIO, okay, what's, what's every bit of data. The CIO was going to have gone out and learned from those groups what the data models are and where things are located and maybe prescribe a path forward.

But they're not just going to know, like you said, a number, point number one. I think that's, that's setting yourself up a little bit if you just expect to know where it's supposed to be without going along with the interviewing the business. 

Nate McBride: I mean, everything you said again, dead on, but that's what we've been conditioned to say what you just said there about the business should know, but there's turnover.

I mean, there's transfer of responsibility. There's changing of functions. The business is going to look to the CIO and say, well, make sure it's all good and saved and put in places and we can access it. But the business isn't [00:58:00] saying, and oh, by the way, we're going to turn over our staff every 18 months.

And it's your, it's your responsibility to make sure that we always have access to the things that we need and the same proper format. I mean, they're going to assume that you're going to do that, but, uh, I 

Mike Crispin: think the big piece of leg of the stool is the partnership, no matter who moves on. You always have to be in touch to understand where that data is and where it's moving.

And it's, it's not just the protect component of it or the, even the data governance component, it's more of a trying to keep a pulse. And if you've got a good framework, then the data shouldn't move all that much. Um, and to your point, the continuity pieces is important, but you should have some semblance of accountability and responsibility on a data owner.

So, yeah, 

Nate McBride: but, but again, we're coming back to the value discussion, which is, um, and again, we're going to get to this in a little bit, but the value discussion point, which is, we're going to go ahead. You and I, IT [00:59:00] leaders, we're going to go ahead and take some responsibility in terms of making sure it's available and it's in a stored place and secure, but we don't, we don't still have an idea.

We have just this vague conception of what's valuable and what's not, again, based on our experience and again, what we're, what we're told if, um, I mean, I know financial data is important. I know clinical data is important. I just know this because I've been in the industry for so long. I know it, but if someone came along and told me, um, you know, all of our project management presentation decks are important, I probably say, okay, well, I'm sure they are, but if they got out too, what would they really tell the world? Um, like my, my estimation of value is probably not the same as yours. So let's, let's try to align on your estimation of value. It's going to require some translation, but even the things that we implicitly come to [01:00:00] see as high value, the business may not there either.

Yeah. So are we, are we consciously placing value on assets that don't need it? Or are we using any kind of value metric framework to do this? And I hate to say it, but I don't, I don't think we do very often. 

Mike Crispin: I don't think we do it. Well, I think it's a very difficult thing to, I almost assume that maybe I'm overly pushy on this, but I feel like anything that's internal to some extent, presentation decks, because you just don't have the wherewithal to know what's in these things. People present things. Here's another one. Your ticket system. 

Nate McBride: Yeah. 

Mike Crispin: Hold ton of very confidential data. Sure. People are sending around things, right? And, oh, I need help with this document.

They're sending like [01:01:00] some of these are the most important documents in your company and they're sitting in your ticket system. That may not. That'd be the first place. Someone's going to go look for them that bad guys, perhaps. And it's just the you can't get to some extent. Those are the things you you may have better visibility into.

But unless you're doing you have the tools to scan these documents and sort of flag them for you. It's very difficult to do to trace everything around your organization. So I I'd agree. I think it's something we don't do the best at. And I, I feel like data classification and data loss protection is an incredibly difficult thing to do, especially with very, very fast moving organizations might have a difficult time with the change management.

Yeah. You know, because they're just, Hey, I just downloaded to my computer and I need to work on it. And I've got consultants that I need to bring on board. And I'm just going to email them the document. Now we can put all the constructs [01:02:00] in constructs into stop that. Um, but do we make it so difficult that they just go around it and make it worse.

So it's this again, the word balance, trying to find everything that works best. 

Nate McBride: Sorry. I mean, everything that you're saying, Mike, is everything that I say, and everything that both of us say is what we've been conditioned to say. 

Mike Crispin: Got it. 

Nate McBride: I'm trying to find a new way to talk about, and it's very, very hard.

Trying to find a new way to talk about identity as value moment. So, or, or, or, or a value object. If I It is a value, it's a huge value object already. It is. It is. But how do we, um, well, let's pause that for a moment because, because the idea of, of putting a, a value next to it. I think we can get into that in a second.

I wanted to [01:03:00] mention that when I, I wanted to think of this from like sort of a hacker perspective. Um, yeah, a data breach experts perspective, which is what are they looking for, for data? Well, they want things that, um, yeah. Uh, have a high business impact and reputational risk component. 

Mike Crispin: Absolutely. 

Nate McBride: And, and that's exactly what we're trying to protect.

They're looking for things that, um, like give them user information, looking for things that are, that are regarding sensitive data, sensitive data, and things that will critically impact operations and, um, to the degree, right. Et cetera, et cetera. They're looking for the same things that we're trying to protect, but their, their, their premise of value is different than ours.

So when I look at, and then this is like a, this is like a key thing to think about when I think about, um, Okay, this, this, uh, document over here, 

Mike Crispin: it's 

Nate McBride: a, it's an, it's an [01:04:00] agreement, let's say, like, let's say I'm working at a company and we're going to buy a company, right? And we have this, this document going on.

Well, I look at that and I say that document's worth the cost of the purchase of this other company. It is worth that much money to have this not be exposed. 

Mike Crispin: Exactly, yes. The hacker is 

Nate McBride: looking at it from a much smaller monetary value. They're saying, well, they don't give a shit if we buy or buy the company or not.

They're looking at it from a, maybe I'm just gonna, this is poor example, but a million dollars. Like if I can just get this document, it's worth a million dollars of Bitcoin to me, to ransom it back to you. They're not looking at it from a $350 million acquisition perspective. They're looking at it from a different lens.

So not that that changes the way we look at it, but we don't have the same perspectives as the people that are trying to get the data we're trying to protect. We have a different lens and we don't apply their [01:05:00] lens to our data. We apply this lens, this ambiguous, amorphous, uh, well, if this, this got out, it would, it would reputationally hurt us by X and we would not recover for six months, which costs us Y. We're not like, we're, we're putting these abstract values on that.

The person who's actually going to get the data does not give one about they're simply looking at what, like, Oh, can I get a million dollars out of this company by doing this? So it 

Mike Crispin: comes down to the most common, definitely the most common thing someone's after. Million dollars, couple million dollars ransomware.

Uh, sure. That's definitely, that's probably the most common financial gain, right? This is a big, big one. 

Nate McBride: Great. So we, we want to, we want to keep it in the back of our mind. Last week we talked about, um, identity as the perimeter, is the new perimeter. And we discussed, uh, last week about staying just to the [01:06:00] right of the middle when it comes to identity management.

So we don't want to go too far to the left, obviously, or past the middle, cause that's getting into very lax security, but, but too, too far to the right, people are giving blood samples and urine samples to get into a door or computer. That's not going to work either. We want it to be just kind of like to the right of the center, uh, for the identity, but, uh, we had to.

We had to, we had to also back that up with the idea of trust, but verify, and we talked about this last week, but you know, um, that's been a big staple of my security training for years is making sure that I always conclude my presentations with the idea that you should trust, but verify, but don't trust.

And that trust, but verify component means that you need to have a couple things before you can assign value. I think you have to have a set of principles. Like, so who, who makes decisions? Which isn't always clear. You have some kind of automated control in place in the event that you are [01:07:00] not capable of doing the thing. There's an automated control to step in and take over for you to do that.

And lastly, you have a risk-based approach. It's so easy to say this. I'm literally regurgitating 10,000 people that have said it before me, but a risk-based approach means that you are looking at every single thing from a win or loss perspective. It is, is not so much Boolean, it's not one or zero, it is, there's a middle line: above it is how much you win, below it is how much you lose, and you're operating on perspective of trying to stay above that middle line as much as possible.

That win loss risk based approach. Then there's implementation. So how do you put in a, um, identity first security? And if you truly think about this, you think back to the original question of, what's the username and what's the user ID? Um, we have [01:08:00] to ask other questions. How should someone authenticate to access a thing?

Should it be username and password? Should it be something entirely different? And if we truly, if we truly want to ascribe value to a document, and we want to let someone access it, shouldn't it be the highest level of identity, identity definement? We have zero trust architecture. Zero trust is a very, very fancy thing to say.

So few are able to do it. Because it is so inhibitive to productivity, but zero trust is the ultimate right side of the middle. Then continuous monitoring. I will be completely honest. Um, I was working with, um, a platform that we use and it allows for monitoring alerts to be sent to Slack. And I turned them all, I just clicked on the button that says turn them all on.

And about 10 minutes later, I whittled it down to [01:09:00] three. And I was like, there's just no fucking way. I mean, all of them are important, but I only, I only, I can only handle and need to know these three most important. And that, the three that were like right below those three. Sort of the next three down on the list, I just placed some subjective value on their importance of notification.

Um,

so I don't want to read this list that I had written down, but really it comes down to principles over rules. Mike. And so, um, let's back up. Let's back up to our previous example. I have a piece of data is sitting on a cloud storage environment. I've given you access to it based on, let's say, some empirically based value assessments I've conducted about your risk and the importance of documents that are let's say I've done all that work.

You can now access that [01:10:00] document. What about everything else that's going on around you, your laptop, the browser, other apps you have open at the time where you are physically located in the world, what a wifi you're on. Yeah. Think about all the other elements now that have come into the, into the game. I do want to challenge the very value and model.

I spent so much time working on developing. What now happens to that value? 

Mike Crispin: You're at an incredible amount of risk and you really need to focus on resilience instead of protection,

you know? So I think I completely think that there's a, the most important part of the NIST framework, in my opinion, is response and expectation that things. Will and can happen. And that [01:11:00] no matter how much money you throw at it, you're going to whittle down the probability little by little over time, the more you invest, but you're never going to eliminate probability 100 percent from happening.

So you this is the turn up the dial and productivity and take some sort of take more risk. But at the same time, you mentioned alerts and having visibility, there's always something that ping pongs in my head. It's like, okay, I've got all the visibility in the world. What the hell am I going to do about it?

Yeah. Right. So you're getting all those alerts. There are people who work all over the world. There are people who log into different third party sites. There are those third party sites use fourth party services. Those can be breached. They can be hacked. How far down the rabbit hole do you want to go to reduce a certain amount of probability?

And I think that's where [01:12:00] a lot of cyber security people are like, well, it's, you know, if it happens, it's going to be, it's going to be the worst thing ever. And it's going to be awful. And they're right. It's going to be awful. But can we reduce the probability? We can't reduce it to zero. Can we reduce it to a point in which we feel we can respond?

And I think that's the. The kind of key balance that I like to think about is does everyone know what to do when shit happens and well, much on that as we can. Obviously, we need to protect data as best we can. And we need to inform people as best we can. And because one other thing, you know, you talked with the computer and location is social engineering.

It's the most successful way to get one to become compromised, whether it's sitting at lunch in Kendall Square and. Someone personally socially engineers you, or they're [01:13:00] sitting behind you on an airplane, or they just trick you to do an interview somewhere and you disclose some piece of information that you weren't supposed to, but you didn't realize it.

Security awareness is number two. So response, awareness, inventory, or just kind of awareness of your systems. Identify would be the realm. And I put protection at the bottom, even though we need to do it. The problem is protection is a double edged sword. We protect things too much. It gets too hard to work and they go do it some other way.

So I, when I rank it, that was just like, how do I balance protection even more than, you know, even more nuanced about it? Because when people can't work, they will find a way to take it with them. Or they will find a way to OCR that PDF they can take a screenshot of, and, 

Nate McBride: you know. But, so let me ask you a question though.

So, [01:14:00] but do we care, if the rule of 99 percent / 1 percent is true, or something close to it. 

Mike Crispin: Yeah. 

Nate McBride: Do we care? That they've gone out of their way to do their day to day work, so long as that 1 percent is still protected? Again, it's a value question, Mike, so Yeah, I 

Mike Crispin: don't see it. So, uh, 

Nate McBride: again, I, people, people, right, if you, if you swing too far to the right, and you cross into pushing down that productivity lever too far People will push back because they want to be productive.

They will come up with their own methods and models. But if you're still able to provide protection around the things that you consider to be a high value based on the ways we indicated you could measure that high value, then what does it matter? Because you're, you're not protecting value at that point.

You're protecting the idea of value. 

Mike Crispin: Yeah. That, that, that. The biggest risk in the equation is the person who has [01:15:00] access. Yes. So let's say you got that 1% of data, that is the crown jewels in the company. The recipe, the, the secret, secret sauce to how we make the Coca-Cola, whatever it is. Right? Don't, don't, don't give it away.

And, and you lock down that data set so badly that they need to log in 10 times to log to get to it. They will eventually find a way to not log in 10 times. 'cause it's a pain in the ass. And what that's, that's the thing 

Nate McBride: that I think is, but is it more important though to let them to make sure that they understand the value the same way that you understand the value that this is the most valuable thing in the world and therefore it requires.

Mike Crispin: And many, many people do. I think many people do. Like it's, I think there's a, there's pride and value. I mean, there should be pride and value and privilege that you have access to privilege. Right. Exactly. Yeah. So I think 1%, I think you [01:16:00] can, you can leverage some of that. I think it's the question of, okay, I need to somehow.

Coca Cola is for a bad example, but you know, somehow I need to be able to. Share 

Nate McBride: this. It's ketchup and mayonnaise, by the way. Those are the secret ingredients. 

Mike Crispin: It's a secret. 

Nate McBride: Ketchup and mayonnaise. 

Mike Crispin: It's like how how do I share this? How do I share this with my manufacturing partner? Okay. You know, where is that manufacturing partners?

So, yeah, sharing is a 

Nate McBride: whole other. 

Mike Crispin: Yeah, but that's the same thing. So now we're talking about, I'm kind of trying to make your point a little bit. No, no, no. I understand what you're going to do. Once you share that with a third party, that's out of, is your CIO now responsible to secure that third party and the fourth party?

Yeah. And we're really nervous about risk. You know, if AWS goes down for a month, that's business continuity. [01:17:00] Yes. The CIO is responsible for that as well. So it's, what's the chance of that happening? 

Nate McBride: That's a productivity hit, not a risk hit. Like your risk hit. It's a risk. Oh, well, it's not, not, sorry, not a risk from identity hit.

It's a risk of like operations, but it's not, sorry. Yes. It's not a, it's a risk for identity that, that, that pillar remains solid. Um, it's the risk, it's the productivity pillar. I mean, again, Mike, everything that you're saying is 

Mike Crispin: correct. It's a tough thing to try and think out, think outside that if you take that piece away, that let's just say that it's not as higher priority than You could, you could debate that if 95 percent of criminals are after ransomwaring that data, just budget, you know, a couple million dollars a year to pay ransomware 

Nate McBride: or whatever you think is the money will be.

That's why we have cyber security insurance is exactly why [01:18:00] these vehicles exist. So that's work. We're, we're, we're, we're consigning ourselves to the fact that, um, there's a value, we feel like there's a number somewhere between one and 10 million, generally, that tells us that's how much what we're doing is worth to pay, um, which in of its own self is a complete loss of autonomy on that mark, because who the fuck came up with that number?

Mike Crispin: So, I mean, I think, I, I think where we're all sort of beholden is into what If you're a publicly traded company, what rules do you need to follow if you've got a certain, I mean, there's certain things that you really should be. In the grand scheme of things, it's like, okay, this is not a big, the world's changing and it doesn't make a lot of sense, but it's kind of, I just, I get 

Nate McBride: careful though, Mike, the, the, the rules were the rules we have [01:19:00] to follow are actually quite vague.

They are, they're not so specific that you and I are literally following a checklist. We are taking, um, several words in paragraphs and we're translating them into what we perceive as the appropriate method. Yeah. We use auditors to do things like SOX controls, but those auditors are running the same fricking questions, company to company, the same sort of 14 objects in the COBIT matrix.

They're not doing anything new. They're doing the same shit every year. We're all. 

Mike Crispin: Yeah, right. You 

Nate McBride: have material weakness that damages your company. I mean, 

Mike Crispin: I 

Nate McBride: guess 

Mike Crispin: we're 

Nate McBride: surely could. But again, it's a it's a it's a value question about identity. 

Mike Crispin: Yeah, I think I think you could at a very high level. Identity is probably the most important cyber security principle at your company.

It's very valuable. Maybe the most [01:20:00] important value. I mean, Active Directory, if we go back to that, was the lifeblood of companies for the last 30 years. Probably the most, it wouldn't, you got hacked. They went to AD and got that password database. That was the first place anybody would go. It's the most valuable thing.

And Okta is the same. I know I'm just saying. Things that no, but you just 

Nate McBride: said this most valuable thing, which I find interesting because is, is the list of identities as valuable as the crown jewels, or is it, is it valuable? And in fact, it's a proxy to the crown jewels. I mean, again, it's, it's semantics, but 

Mike Crispin: yeah, so, so from a data perspective, I would say that the data is the, is the most valuable component, potentially the identity system that is a proxy to that data is the most.

Important gateway or identifier for the company. It should be at least. [01:21:00] Um, but yeah, the data that goes out that could affect the stock price or that could cause your product be replicated or remanufactured somewhere else. Um, you know, that's, that's probably the more valuable data data wise, but identity from a, from an access point, I guess, from an entrance, an exit point, an entrance point.

Okay. Would be the most valuable component. Like if I need to protect something, um, let's say an IT system. It would be the identity and the user names the passwords. Uh, that would be the top priority. Let me ask 

Nate McBride: you a question 

Mike Crispin: because that that compromises your audit trail, your logs, any information that you need to gather to troubleshoot something to try and figure out what actually happened.

Um, that's, that's, uh, that's, that's a big one. So let me ask you a 

Nate McBride: question. Um, who [01:22:00] named the role in your company or name the role in any company that should handle the decision to grant someone access,

what role should decide that

Mike Crispin: I would say that the data owner, 

Nate McBride: the data owner, so new hire comes in. Mike Crispin joins my company. He's the, again, the head of digital, um, custodianship and. Just custodial services, and he needs to access stuff. Uh, who decides, who should ultimately own the decision to grant him access? IT? Or somebody else?

And who, who should that person be? 

Mike Crispin: I think it's, it's a, I think the, the data owner has to be the one that knows the data. Who, who knows what's in the data. And IT needs to work with that person to grant the access.[01:23:00] 

Nate McBride: In terms of owning the decision, who owns the data owner? 

Mike Crispin: I think the D I think the data owner today, I wouldn't have said that in the past, but I think now in the last two or three years, it should be the data owner who decides who has access to their data. 

Nate McBride: Yeah. Old, old, old, old, uh, framework was IT decided.

Yes. Straight up. Now, these days, you're saying, which I agree with, nowadays, you're saying it's the data owner who should have the final say so on access for any piece of data. For data that they own. For data that the data owner owns. Right, right. But for all data in the company, the person who should have final access and say so on who gets to see what is the people who own that particular piece of data.

Mike Crispin: Yes, and the IT needs to be aligned and understand that data, though, at the same time. So they [01:24:00] need to know. where that data is so they can secure the data, but they need to work with the owner. Yes. 

Nate McBride: Right. Okay. I agree with all that. Okay. Yeah. So, uh, so I wanted to sort 

Mike Crispin: of, it's sort of, we talk about the, the, uh, distributed distributed type model is, is also around from a security awareness perspective.

It allows them to be productive, but it also creates a little bit of a, more of a level of accountability. So more attention is paid to data loss protection and data security. If they can, if you can say it's got it, then whatever, whatever they deceit, even you can be extremely pressured. Maybe even someone on the service desk can be pressured.

Just, just give them access or just, just give me access. And then it's sort of. Well, who, what data is this? Why is this happening? Um, and I just think that's all part of the partnership. And like, we need to make sure [01:25:00] we're in lockstep with all the data owners, which comes back to episode four or five or two data governance.

Like that is, um, and that, that data governance, making sure there is a process and procedure in which to do what we just talked about is the CIO's responsibility to start the discussion and then to have. Have a board or kind of a committee or group that owns the data. Governance can framework and decision making process.

Nate McBride: Okay, so, so to sum up what you just said, the IT leader is responsible for the process and the technological elements of making sure that access is delivered appropriately. The data owner is responsible for allowing and assigning the rights to the data and the governance council that exists for data management oversees all of these operations.

Mike Crispin: Yes. And, and helps to vet any policy changes, [01:26:00] updates, if it's not working for the business like that, it's a cross functional small cross functional team. And it doesn't have to be super formal, just someone who's looking at it every quarter to that. It's an important aspect of the company's sort of growth and progression.

Nate McBride: All right. Well, we still, we still haven't yet defined who determines the value of a thing, but we're going to get there in a minute. So we've set, we've set one baseline. This is good. So here's where we come back to the season theme of autonomy. The more valuable something is, the more we want to control it.

Okay, we, we've established that, uh, and that value can be determined by a number of factors, but the more we control it, the less useful it becomes because the more it's controlled, the less people can see it, work with it, touch it, do things with it. And therefore, um, the more it's essentially, uh, The more opportunities are lost, I guess, to, to use that data.

It's like having a really expensive sports car that you're afraid to drive. [01:27:00] Um, it just sits in your garage and it's very protected, but no one's really going to do it. And, and we're the ones that are giving it this value. Like we're, we're the ones or the business are the ones, I guess, as you say, that are saying to this.

Data blob that it's very valuable. Um, I mean, it's not like we can say that an important document is not valuable. Like I can't walk into my CMO's office and say, that's not valuable. What are you talking about? Uh, and they're like, no, it's totally valuable. And I'm like, no, that's not valuable. There's no, there's no, like, not gonna be a discussion about that point.

Yeah. On the other hand, if we say, okay, like that's really, really fucking valuable document right there. But then we're like, let's share it externally. Let's invite people to it. Let's go ahead and edit it. We're, we're also having the same sort of issue, like there needs to be alignment, alignment on value.[01:28:00] 

Mike Crispin: So that, that last comment, I mean, I think that I, I, I think because in the smaller pharma organizations we both worked in, there's a, there's sort of an extended virtual model as to how we operate, whereas I bet, you know, to some extent. Some of these very top secret, maybe medium size or larger size, but like there's two people who have access to X, Y, or Z and there's no exceptions and there's no way to download that file ever.

There's no way to make any changes to it. Um, and I think, you know, to, because we're so virtual, a lot of companies are, it's like, there's so many consultants and there's so many contractors and there's so much. Can it move fast, go very fast type method [01:29:00] model that I think the company as a whole has to realize the more you virtualize, the more data risk you're at just through a business decision perspective, if you're going to share the very, very key in corporate data with, uh, a myriad of temporary resources, that's, that's just a business.

That's a risk of doing business. And no matter how much. Security you try and put around data. That's the risk of going fast. You know, you're gonna totally agree. So the question we have. Go ahead. No, no. Go ahead, dude. I'll let you go. 

Nate McBride: Well, I was saying, when we, when we apply value to something, though, when we, when we do this model, we're saying, like, we're immediately saying things like, okay, we're assigning this a high value.

Therefore, it'll be really hard for you to access it. We will hide it from innovation. It will not be part of any innovation workflow. We will say it's a high risk to [01:30:00] even view it. So therefore viewing is restricted because screenshots, whatever, we'll make these decisions for you based on what we were told by people who are themselves told something by somebody else.

Like we're, there's a chain decision making that goes into ascribing value to a thing that when we

keep thinking of every single time, like I was at a company that acquired companies. And we would ask them, okay, like, where's all your data? And they would say, well, everything that's important is over here in this space over here. And I'd say, okay, like, okay, who has access to it? Well, everyone has access to it, but it's, it can only be edited by these people.

And I would say,

Well, view is the same thing as edit these days. I, but again, the point is that, yeah, when we [01:31:00] get it, we are, as soon as we ascribe value to something, we're immediately putting all these other guidelines around it and that's the, that's the control, the control versus productivity discussion again. Yep. Um, it'd be really nice.

It'd be really nice if we could say. Every single piece of data that was generated had a score or had some kind of, um, classification, but, but even more than that classification to is itself a subjective again, by, uh, by us, maybe with a committee, but still. Oh, it's a draft CDA. It's not the real final CDA.

Therefore, it's not as important as the real one. Therefore, it's a lower grade. You know, it just gets into this, this, uh, dystopian idea of data management. Everyone checks out. No one wants to do it anymore because it sucks. Uh, 

Mike Crispin: And it all to AI to do and then, 

Nate McBride: Yeah. [01:32:00] I mean, ultimately, I tried to think of a prescriptive way to, um, respond to this.

And I think that 

Mike Crispin: It's difficult. It's difficult. It's very, 

Nate McBride: there's a lot of people, there's four or five elements here, Mike, that I think if we're going to say that if we're, if we're going to say we're IT leaders, no, we're not going to say that part. We are IT leaders. If we're going to say as IT leaders, that there's data, it's part of our company.

A part of our job is to make sure that there's security around it and access is controlled, but we're going to use the other factors that are maybe different from company to company to control it. Then there's a couple of things we need to do in our identity framework that we're talking about. One, we do need to have a value assessment.

It's hard. I can imagine trying to sit down with my executive team or a group of people and say, okay, here's a scale one to [01:33:00] five. 

Mike Crispin: That's part of the identify part of NIST, right? Is to do your You're scoring your identity, your inventory, not identity, your inventory assessment, your super important, your interviews, uh, which is really probably the biggest thing to get a.

A first first pass grasp at where data is. And then you build sort of a lack of a better term, a heat map to map out where the core data is. And sometimes it's with vendors or it's internal or it's on someone's hard drive. And if there's no data loss protection or data tracking, you kind of starting maybe in the middle where data has already been dispersed.

So it's, um, but that's the big identify pillar of NIST. It's a very important one. Yeah, they're all important. But I think before about response is like, I think because you're always [01:34:00] coming in, unless you're coming to an organization just started, um, you have the technical debt to deal with. And perhaps business decisions have already been made to source data to certain places in which you have no visibility.

Um, and, you know, trying to be transparent about where the risk lies is not just the data value, but where the data is or what partners we have or what third parties we work with. It all just spiders together. That's why, 

Nate McBride: well, we can't, we can't just say that because we're trying to give a prescription here.

I mean, I agree with you. I agree with you. It's spiders together, 

Mike Crispin: but it's so important. I mean, that's why you got to follow that scorecard, 

Nate McBride: but the value assessment and the, and the NIST scorecard are, are two different things. Like the NIST scorecard is more of a risk assessment against the loss or, or, or loss of control.

I'm talking about value assessment. I'm talking about. 

Mike Crispin: That's same, same, [01:35:00] 

Nate McBride: same, same principles, but make sure everyone's on the same page in terms of what value actually means. And then the second part was, um, risk calibration. So matching controls that you have in place to actual risk. And then of course, defining what the fuck is actual risk.

So back to the NIST idea of the scorecard. If you and I are sitting in a room together and we're looking at the same piece of data, there's a 99 percent chance that we're going to both, um, say two different levels of risk around that data. We both may understand its importance to the organization, uh, and the criticality and impact of, of what could happen if that was lost at the same time.

Our definitions of risk won't be the same, and therefore our definitions of controls about that risk won't be the same. So matching, like after you've defined a value of your data, then [01:36:00] it's got to, you got to put the controls in place and match them to the risk. And again, this is all, we're trying to get away from being autonomous robots here as people and trying to apply common sense, trying to apply experience and things we know.

So I would say. Don't be so rigid and just use NIST. I mean, use practical thought, use pragmatism, use your experience, but this is also, well, this is the third part, which is understanding how people in your organization actually work. 

Mike Crispin: There's no 

Nate McBride: NIST guideline for this one. There's no guideline anywhere.

How can you assign value to a thing? And once you assign value, how can you then put controls around to protect it? And then after you've done that, how can you do this in the context of somebody who needs that thing every moment of the day [01:37:00] for their job? So. You have to think also not like we're, we're, we're getting deep here now, but we started kind of at the highest level of value assessment and risk calibration.

But now we're talking about user context, understanding how people can work. I mean, this could be a whole episode, just understanding how people work. And then that would give you so many answers about autonomy, productivity, innovation, and risk. If you really truly understood how every single person in your organization worked, it's important for identity because every single person in your company has one.

And then lastly, business alignment, which is making sure the controls you do put in place always support the goals. So if you want to find that balance between productivity, autonomy, innovation, and risk, you have to come at it from all four sides. [01:38:00] She has come at it from the productivity side. Which is user context, the autonomy side, which is that value assessment, the innovation side, which is the business alignment and the productivity side.

I should say that one already. The risk side, the risk calibration part.

Um, 

Mike Crispin: there's a lot 

Nate McBride: it is. And I, 

Mike Crispin: it's also just data integrity, right? Like that coming from how it's being created and it's part of your data scoring, like from a data value perspective, there's that might factor into some of it as well. 

Nate McBride: Exactly. And there's a fifth element too. I mean, it doesn't really go with the other four, but I mean, how do you keep A pulse on value, the business, the business will change what's [01:39:00] valuable today may not be valuable tomorrow and vice versa.

So it's not a one time exercise and it's not so simple to do where you just apply a framework and a scorecard. And then that's that. Cause you're talking about doing this at a, at a very particular moment in time. It's an ongoing effort. You must always be trying to revalue and revalue your assets. And your identities.

But there is hope. I think, uh, there's ident identity as a service, IDaaS, uh, there is the potential to use AI driven access decisions. So if you're ha, if you're able to build an SLM that's intelligent enough to know, um, what the roles are and your company and your types of your data, you might be able to get away with having some additional assistance from an AI driven agent.

There's the idea of continuous authentication, [01:40:00] which is, um, it's kind of where we are actually, which is, uh, you don't get permanent sessions. You're constantly authenticating over and over and over again to get the things that are the most important. For the things that are less important, you authenticate less.

Now, it still requires that I prescribe a value to certain things, and I did it by myself to make these decisions, but I had enough experience to know what was most important versus what was less important. And then honestly, and again, this could be a whole episode, but passwordless authentication. Um, it's a paradox because you can go ahead and get rid of all the passwords.

There'll still be one scientific platform that has one or some so and so that has one. But you know what? You're still saving a username somewhere. [01:41:00] So passwordless, yes, but we haven't gotten to userless, user ID less. We're still saying, yeah, here's, here's half the puzzle. So I think maybe we asked more questions than we answered in this episode, but, um, I don't know what your thoughts.

Mike Crispin: think identity is an incredibly important component of what we do and that we continue to modernize it and make it so that it can live on past our tenures that all of our companies, you know, and then our careers that we work that it needs to stay steadfast and solid. This is my opinion. Yeah. Um, the data value component, I think, is something that's like.

If you would continue on that journey to have some sort of scorecard and being focused on how certain data impacts the company, [01:42:00] um, you know, how it's used in the company. We talked a little bit about, just mentioned a little bit about data integrity, like how that data doesn't get changed. Maybe that's less of a cybersecurity thing, but more of a data access and, and, uh, value perspective.

Nate McBride: Yeah. 

Mike Crispin: You just sort of have to deal with, as I alluded to before, like these, and you're right, Nate. They're, they're, they're, some of them are very, they're not as prescriptive and they're a little looser in terms of how they are interpreted. But the fact that we're in this regulatory, regulated industry, regulated industry and have publicly traded, um, responsibilities at some companies is, um, it's hard not to just go along with the, the framework when someone's asking you, but you should also feel the ability A lot of times to ask questions, you know, when, when you're working with an [01:43:00] internal auditor and auditor, just to be able to say, here's what I have, is this, is this, this is what you, what you should, what you need and let, ask, you need more questions and ask more questions.

But sometimes you're getting sort of the boilerplate and it doesn't even apply to your business, the context of your business. So it's always good to look at those, those things. I think business impact is another one. Like we talked a lot about that. It's hard to measure that. And that requires the, I think the, the, the, the partnership of your peers and the, the company to start to get an idea of like something data gets, if your data gets stolen or gets accessed or visualized, um, what's the, what's the response, you know, how, how do you respond to any of these?

So I mean, we're talking strictly cyber security. That's where I think identity is so linked to sort of the resilience of your organization, your user experience of your organization, [01:44:00] everything. I mean, it's I think it's probably the most important, at least CIO, CIO owned system that that you have to protect.

And it's also you can extend it out to do other other things, not just the tools, but the process you follow to help automate. There's so many different tentacles there, you know, with identity. Verification is a big one, though, and I think that's, especially with third parties, that's, like, I think service desks, for example.

If they're internalized, people pretty much know who's calling, I think, for the most part, and have a good way of identifying them through internal systems. But if you've got a large managed service partner or someone else, they may have their own verification system, but it sometimes isn't really modernized.

So anyway, call and get a password changed or whatever. And [01:45:00] I'm having good verification tools. There's a couple right now that are emerging. I think as an extension of your identity system, incredibly important, you know, that it's just that. Having that having that value value centered approach on on identity and decision making is important.

There's a lot we talked about and 

Nate McBride: I know I know it's uh, and there's some points we're gonna have to come back to, I think, um, future episodes because I mean, just the idea again. Of, um, that new employee who comes in and all, you know, in it is their title, their name, uh, and what lab kind of laptop they need.

Like you don't know much else, right? This is not visible to you. So, so. You have choices right away. [01:46:00] Assign them to a group. Well, they're part of this department so they immediately get to that group's access. But what rights? Like, you have no other information to go on. You're just going by a, um, a process you put in, by the way, to give them access to a whole shit ton of data that they get just by virtue of walking in the door.

So, there's, um, there's other parts of this we have to come back to. We, we, I didn't want to, I didn't want to get to the archetype. For, of this week, but just to keep an eye on the clock, I think what we'll do is we'll push that to next week because it's a good archetype, uh, it's the, uh, identity, identity crisis.

So, um, it'll, it'll be good to cover next week. We can, we can start off with that one, but I think also we're going to have to come back to some of these elements here because we, we [01:47:00] just, I think scratched the surface in a couple of places, which is okay. 

Mike Crispin: Yes. Uh, there's a lot giving, 

Nate McBride: giving value to anything.

I mean, if you asked anybody to give a value to anything, you know, what's the value of this pencil? What's the value of, uh, that, um, special pin you wear on your jacket? You know, the pencil's nothing but the pin. It's a remembrance of my, um, relative, well, everyone's gonna get, everyone's gonna interpret the word value differently.

We're gonna do the same thing. When we look at a piece of data, we cannot look at a piece of data the same way. So how else can we define value? And it starts with who we are and what we're given in becoming the company. And again, to this day I'm still, I'm still bothered and perplexed and mystified by, [01:48:00] but understand, but still boggled and baffled by why we give out our first and last name people.

As our identity that's a redundant, but we do it. So anyway, um, 

Mike Crispin: no, that's a good, that's a, see, that's a good thing. I know we talked a lot about it at the beginning, but that's one to drill down. And I think people would be really interested from an approach perspective to look at what that would look like in the, 

Nate McBride: yeah, maybe the question we have to ask is what happens if we didn't have that.

Yeah. Or what would the alternative, what would the alternative be? And then we start to explore that. I mean, it might be worth it. It might be worth it to take a little bit of time early next week to, to ask what the alternatives might be. Um, because biometrics certainly comes into mind, but biometrics are centered around a name anyway.

Uh, yeah, I 

Mike Crispin: mean, a lot of, uh, there's, I think there's the name, the first, uh, the first [01:49:00] and last name is a, is a sub, is a, in, in any system, but there's a username and I know. I mean, a number of banks and a number of other institutes, it's a number. Yeah. It's just a number, uh, at a, uh, you know, domainname.com.

Yeah. I mean, here's the thing is even, 

Nate McBride: even sequential numbers are guessed. I mean, it had to be so random, like, yes, I understand. That's probably where you're going is random, randomized sort of strings. Uh, but I mean, that's where we're going. And if that's where we're going, then we are really talking about some serious value.

If I'm willing to go to the point where I'm going to potentially interrupt productivity by giving someone a nine digit string for their login, then I sure, I sure should have some valuable stuff to protect. And my value interpretation is going to be different than somebody else's. 

Mike Crispin: I guess if you go down the road of passkeys, right?[01:50:00] 

Passkeys don't require a username, they require a device. So the problem of a passkey, which hasn't been that successful thus far, but really works well, I think, if you've got them working correctly, is just that. There's no username, there's no password, it's all based on your device. Right. But that that passkey is saved, uh, probably saved somewhere where your name is attached, but that's your personal private device.

So, 

Nate McBride: yes, 

Mike Crispin: I think that that, if it, if it can be more open, I think it's the next thing, the next best way to do all these things is through passkeys. The problem is right now is I think passkeys, the way that they are set up, lock you in to a specific device vendor or to a specific software [01:51:00] application. So it's not, it's not open.

So I think there's, there's technology solutions that can get us. Kind of this, uh, 

Nate McBride: would you care about that though? If the value is high enough Would you care that you had lock in or not? I mean again It's a rabbit hole point. We can keep going around and around the toilet bowl here. Um, 

Mike Crispin: it's not it's not so much.

Um, not so much the value proposition for us to we could at any company if, if the software allows it and right now they just haven't gotten on board with it, which shocks me. Um, just identity providers have not provided a solution to passkeys yet, which I feel like maybe there's some reason that we don't understand.

But, um, no, absolutely not. Like, because we, we use, you know, let's say it's, uh, Microsoft Authenticator or Okta Verify. You're locked into that platform for, for that passkey. If those are the two big companies that are going [01:52:00] to do these, um, type of engagement. So you're for business respect. I don't think it matters.

But the reason why it hasn't caught on, I think, more personally, is, um, I think in the U.S. actually, it has caught on quite well, but elsewhere in the world where there's more diversity in devices, um, in the consumer market, it's still not as widely known. I think many of us are using passkeys and we don't even know it.

Um, many of our relatives or friends and family when they're, when they're logging into a system like Google, for example, um, they might didn't really realize they, they've set up a passkey and they never have to log in again. It's great. I thought it was gonna be way, way bigger than it is so far. It's just maybe the right solution needs to come.

Yeah, it'd be more widely understood and adopted. But I'm big, I'm really bullish on it. 

Nate McBride: Well, we didn't get into all the other ways we can [01:53:00] authenticate, but I mean, everything from obviously using, uh, tokens, like you said, but all the way to using simply just the phone device towards using voice, uh, only towards using, um, it's like three-way, three-way matching between, like, you know, using a RADIUS server, so phone to Wi-Fi to geographical location.

I mean, there's all different kinds of ways to authenticate who you are that, that are, subtract the user ID element. Although it's still, you know, it's still kept somewhere. Um, but from a front facing perspective, it doesn't actually exist. Uh, there's lots of ways to do that. But I think ultimately, Mike, the reason we choose certain ways versus others.

It's not only a sort of a budgetary consideration, even though that's incidental to the point of it's a decision that we make based on the risk of the value that we have. And if I [01:54:00] truly thought that my company had such critical value, so highly esteemed value, which we do, but if I thought it was in danger, then I would not hesitate a second to spend however much money it took to Fort Knox the shit out of it, but I would have to do a huge trade-off and that, that would be my concern.

So 

Mike Crispin: all 

Nate McBride: all good, all just good thoughts to think about, and we'll just come, we'll come back to the identity, identity, uh, archetype next week. We'll revisit some of these ideas as we go forward. Certainly come on to the Slack board and let us know your thoughts or, um, you know, come on the show. Uh, let us know your thoughts [01:55:00] and we'll see where it goes.

The rest of the season we're going to keep coming back to this idea of identity over and over again because it's absolutely critical for the rest of what we're talking about. So, won't be the last we hear about it. Uh, okay. 

Mike Crispin: I want to be passkeys. That's what I want. 

Nate McBride: Ha ha ha ha. 

Mike Crispin: I just want to be 

Nate McBride: able to prick my finger on the needle and get in.

That's all I want to do. Or take a saliva test. 

Mike Crispin: Yeah. You have a saliva test. 

Nate McBride: I just want to be able to suck on a straw and get in. But meanwhile, when I suck on the straw, I get like a protein shake, um, in my recliner chair. I don't want to move. I just want to sit back and suck on a straw and authenticate.

Just 

Mike Crispin: embed the passkey inside a chip in my brain. 

Nate McBride: Subjectable. Yeah, polymer. Yeah, I get it. I'm feeling [01:56:00] 

Mike Crispin: it. Smack my head against a 

Nate McBride: Kind of like do one of these with your head. 

Mike Crispin: Or I just put on my Vision Pro. Hey, that's, that's no password on the Vision Pro, man. 

Nate McBride: Yeah, my, uh Just zaps my eye. Do 

Mike Crispin: you use it a lot these days?

I have started using it again. Yes.

I had taken some time off and then I, it was kind of the haven't used this in a while. And then when I put it on, like, this is fricking amazing because I hadn't used it, 

Nate McBride: but it's like, it's like half as much, half as much now, isn't it? Like it's half the cost. 

Mike Crispin: Yeah, yeah, yeah. It's definitely, I don't. I'm hoping that it becomes vintage and is worth, you know, 

Nate McBride: I saw on eBay for like 40 bucks.

We're next to a Rabbit R1. 

Mike Crispin: The Rabbit R1. Oh my gosh. That was the best. All right. So it's like Humane pin. That thing was just terrible. [01:57:00] There's your part on it. 

Nate McBride: I blame you forever. 

Mike Crispin: This is 

Nate McBride: fast. 

Mike Crispin: Oh, 

Nate McBride: this is my fart. This is my fart shirt. Uh, we have these, they're in the merch store. I 

Mike Crispin: couldn't see the microphone.

I was like, I'm looking at it. I'm like, does that say fart on it? I couldn't tell. Fast. I like it. 

Nate McBride: That's just me in one word. If I had to think of a word, it'd be fast. 

Mike Crispin: This is, uh, this has been a fun episode. We went to all over the place, and I loved it. 

Nate McBride: It was a good episode. I, I mean, when I wrote the script, I was like, God damn, this is like five episodes, and how are we gonna fit it in?

But, I think we, I think we did get to a couple of the key points I wanted to achieve. I mean, identity, identity as the new parameter, identity as a key token, identity as the point at which we begin to think about [01:58:00] value. Um, I think we hit all those, but I also think, I also think we should come back to do some of these again, as I said.

Mike Crispin: I wish, I wish, uh, there was some good way. Some algorithm that would help kind of extract the, I know there's no magic, magic wand to get the value or the classification of all the data. Even if there was 

Nate McBride: an AI, Mike, it would still be a human that, that made it to, to come up with the idea. 

Mike Crispin: That's right.

That's right. I think we struggle with it now because there's so many, you know, obviously I think that that 1%, like you mentioned, that's probably easier to identify. It's the stuff that's one level. 

Nate McBride: You're right below it. Yes. 

Mike Crispin: It still has an impact and it's hard to quantify. I think that's really where the trouble is.

Nate McBride: That's the suckiest data you [01:59:00] have in the company. The data that's not immediately critical and critical to the company's future, but the data that's also slightly above shit. Sort of isn't that like, ah, this is kind of sensitive or this is kind of important. Can't really, you know, say what would happen if it got out, you know, this person's termination letter, this person's promotion justification, this recipe that didn't work, this financial investment that bombed, like these things right below the level of the most critical.

Annoying, maybe, but also potentially impactful. I don't know, TBD. Alright, uh, so listen, that's um, episode four. We're gonna, we're gonna hit next week. We got, oh my god, we got a big one too. I think we're gonna go back to having to get the Kraken attacks and start splitting them up again. Cause um, [02:00:00] we're, we're gonna, we're gonna be going for a bit.

But um, have your pet spayed or neutered. Don't be a dick. Don't be a dick to old people. Be nice to them. Give them an extra hand. Open doors if they need it. If they don't, get the fuck out of the way. Uh, be nice to people in IT. They work hard. They're doing their best. Um, but then they want to make sure that you're having a good day.

Most of them do anyway. So give everyone a sort of benefit of the doubt. Um, bark less, wag more. Get your credit reports frozen because shit's about to get real on your data. Otherwise, we'll see you in a week or so. 

Mike Crispin: Sounds good. 

Nate McBride: All right, dude. 

Mike Crispin: Awesome. 

Nate McBride: I'll talk to you, 

Mike Crispin: whisper. [02:01:00] 

So I see through the side paths.

We glide in the circuits. We confide no restraints, no need to hide in the system. We reside [02:02:00] 

through the code. We fade in the day. We skate zeros. Once that can't we control it. It's an A by Harry whispers in the night flashing screens. [02:03:00] The glow. So bright in the Matrix. We take

The calculus of I.T. Without you it's only me.
