Oct 24

Q&A with Gary Zimmerman, CMO, TechVision Research

This is a Q&A session Steve had with Gary Zimmerman, CMO and Principal Consulting Analyst at TechVision Research in October, 2022.


Steve Tout: We are coming up on the 3rd Chrysalis conference, everyone is excited to be together in person more than ever this year. What can attendees expect in terms of learning, networking, and keynote speakers this year?

Gary Zimmerman: First Steve, Chrysalis is all about learning. Our presenters invented standards like XML, SAML, UMA, XDI, and OpenID. They defined what we mean by phrases like “computer virus” and have developed advanced defenses to secure the enterprise. They are published authors of several books explaining protocols and security to novices and experts alike. They have built many of the security and IAM products available today. And they have defined and implemented identity and security strategies for hundreds of companies.

Chrysalis is also meant to be conversational. It’s a live, intimate event built around a story. Leaders in the industry (many of whom have keynoted at other events) and experienced users of the technology interact with each other and the audience in panels that connect the different aspects of identity and security. To carry the conversation forward, breaks, meals and evening gatherings are set up to encourage further learning and networking. You won’t walk away with a thousand business cards, but you will walk away with knowledge and relationships you’ll value.

ST: What trends do you see driving innovation and growth in the broader IAM market?

GZ: Steve, we see three trends that are driving innovation and growth going forward.

First, coming out of the pandemic we’re seeing things are different than they were in 2019. The reality of hybrid work, hybrid infrastructure, anti-fragile supply chains, shifting business models, and changing customer preferences is focusing investments in IAM on interoperability, orchestration, and governance across many identity solutions operating at the edge, on premise, and in the cloud.

Second, enterprises have traditionally implemented IAM “point solutions” as their digital environment, threats, and interactions evolved, which, for some, has resulted in an expensive and complex architecture, friction, and fragility. Because of this, we’re seeing the rise of identity platforms which offer flexibility and consistency for the next normal. Microsoft’s announcement of Entra and industry rollups by Thoma Bravo and Okta are pointing in that direction.

Finally, we’re starting to see a shift from traditional knowledge-based authentication (KBA) solutions, for example, UserID/Password and shared secrets, to newer concepts of Decentralized / Self-sovereign Identity, passwordless authentication, and cryptographically Verifiable Credentials, where authentication is not about the spread of personal information (Identity), but proving authorship, provenance, integrity, and control of the information required to establish and maintain trust.

ST: As the costs and frequency of data breaches continue to rise, secure identity is on center stage and ever more important. What themes and hot topics are expected to appear at Chrysalis this year?

GZ: Steve, the industry has been working on answering three simple questions FOREVER:

  1. Do I know you? (Identity)
  2. Can you prove you are who you say you are? (Authentication)
  3. Should I let you do what you’re trying to do? (Authorization/Access Control)

And while the questions are simple, the answers are not easy. Every day, security professionals are dealing with new risks posed by negligent users, compromised users, malicious users, and now, synthetic users. The volume of digital connections and the sophistication of the “bad guys’” tactics test the protective capabilities of the enterprise every day.

At Chrysalis, we’re going to be discussing topics like Enhanced Identity Governance, Decision Velocity through AI/ML, Advanced Authentication techniques, Pragmatic Zero Trust, and API security to help attendees be better prepared to recognize and counteract these evolving threats.

ST: Most organizations will struggle with the execution of their projects and managing their program effectively. What resources and opportunities will attendees have available to them to help with their day-to-day work?

GZ: Throughout the event, insights, answers, and recommendations on all aspects of identity, security and privacy will be shared. So, every attendee can leverage the knowledge and experience of all the experts at the event.

On the last day, we’ll do something that’s different from any other event you’ve experienced. We’ll get real. For each area, Identity, Security, and Privacy, we’ll present tools, reference architectures, baseline enterprise requirements, and vendor assessments/observations to help you make professional progress and prepare you to execute when you are back in the office.

ST: You revealed TechVision’s innovation reference architecture back in 2019 which brilliantly lays out a practical framework and tools to manage technology more effectively. Can attendees expect to revisit the innovation framework, or any new updates this year?

GZ: As I’ve been researching and building out the details under the Innovation Reference Architecture (Innovation Governance, Innovation Execution, and soon Digital Operating Models and Innovation Methods), I’ve recognized innovation is about increasing an enterprise’s decision velocity and execution speed. It’s about laying out a strategy, testing it, and adjusting. This year, I’ll review some of the new details of the reference architecture, ways enterprises are using technology, including Web3, to increase velocity and speed, and how that’s changing our perspectives on identity, security, and privacy.

ST: You talked about the need for IT leaders to systematize innovation to maximize the benefit they can realize. Please break it down for us. How can we systematize innovation to make it practical and achievable?

GZ: Steve, this is a broad topic that requires the business to think about how to align business strategy with digital capabilities. The greater the alignment, the more integrated IT and business functions become, and eventually innovation becomes just part of how business is done. Not everyone is at that level of maturity, but everyone is innovating. As I laid out in our Innovation Governance report, you must understand where you are before you can move forward.

Start by assessing your current innovation management capabilities, including mapping of ongoing innovation activities and other existing management systems. Another important activity is to understand the innovation opportunities and challenges facing the organization, including new user needs, technology trends, competitor moves, and other changes in society and the environment, in other words your business/digital strategy. Finally, decide your innovation intent or ambition-level. What is it you are aiming for in terms of innovation activities for your organization, and why?

Next, develop an innovation strategy and policy that describe the areas of opportunity for the organization, the types of innovations that will be focused on, the resources that will be allocated to pursue the opportunities, the people and teams that will be involved, and how results will be measured and followed up. Start with “low-hanging” innovation initiatives, communicate frequently, create awareness, and recognize achievements. Also, focus on competence development and on providing (digital) tools and methods for innovation managers, facilitators, and coaches.

ST: Who needs to get involved to make systematic innovation a reality? Steering committee? Stakeholders?

GZ: I hate the fact that everyone who is proposing a change in the way things are done in an enterprise says, “it must start at the top”, but I have to say that for this one. The digital enterprise must allocate capital to develop its innovation supply chain. I use this term because just like a manufacturing firm, the digital enterprise must source and build digital “products” that support the business strategy. So, the leaders need to support and prioritize those innovation capabilities.

The next step is more dependent on where the enterprise is in its maturity. Everyone should have a governance mechanism, a steering committee if you like, to maintain alignment with business strategy, set policies, establish standards, and define metrics. Finally, someone needs to be focused on building/improving the innovation supply chain, be that an officer-level position or someone with the authority to work across the business to build capabilities and promote change. It’s not easy, but for most enterprises, innovation is necessary for survival – and being able to invent with purpose and efficiency is becoming a competitive advantage.

ST: We hear a lot about Zero Trust these days, yet most organizations struggle with implementing the least privilege consistently. Is Zero Trust a distraction to the execution of basic security hygiene, or is there real value there?

GZ: In a world where data breaches are rampant and remote work is a permanent fixture, the need for a better security model is apparent. One of the goals of Zero Trust is to simplify security execution. No matter where the user is or what device they are on, you just start with a policy of no trust and have them consistently become trusted through MFA, IAM and data security checks. In the past, the policy differed if the user was in the office or at home, or if they were using a company device or their own. Those lines of demarcation have blurred over time and that created the need for consistent application of security policies regardless of the situation. But that consistency comes with complications.

Our clients have told us that zero trust is hard to set up and maintain because capturing and managing the details necessary to apply security policy to all users and all devices is something that is not needed in traditional perimeter prevention. Implementation isn’t easy either, because zero trust components need to work with existing systems and security infrastructure, not necessarily replace them, because “rip and replace” isn’t an option. Finally, business process and application performance can be hindered if the policies are not implemented properly.

That’s why we say you need zero trust with zero friction.

Zero trust is not a distraction in a world where the enterprise isn’t in control of the networks, devices, and services users need to get their jobs done. In that environment, basic security hygiene cannot be assumed nor enforced so the continual verification and enforcement of a zero-trust architecture is a way to limit enterprise risk.
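The contrast Gary draws above, a perimeter rule that trusts network location versus a policy that verifies identity, factor strength and device posture on every request, is easier to see in a runnable form. The following is an added example written for this page, not code from TechVision or the interviewee. The `AccessRequest` fields, the classification tiers (public/internal/confidential), the sample requests and the user names are all constructed for illustration; a real deployment would source these signals from its IdP, MFA provider and device-management system.

```python
"""Added example: a legacy perimeter access rule beside a minimal
zero-trust decision. Everything here (field names, sample users,
classification tiers) is constructed for illustration only."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user_id: str
    identity_verified: bool    # IdP confirmed a valid session for this user
    mfa_passed: bool           # a second factor was completed for this session
    device_managed: bool       # device is enrolled and reports compliant
    on_corporate_network: bool # where the request originated
    data_classification: str   # "public", "internal" or "confidential"


def perimeter_decision(req: AccessRequest) -> str:
    """Legacy model: anything inside the office network is trusted outright;
    remote users get in as long as they completed MFA at login."""
    if req.on_corporate_network:
        return "allow"
    return "allow" if req.mfa_passed else "deny"


def zero_trust_decision(req: AccessRequest) -> Tuple[str, List[str]]:
    """Zero trust model: network location is never consulted. Every request
    is checked against identity, factor strength and device posture, with the
    required assurance rising with the sensitivity of the data. Public data
    needs only a verified identity, which is the 'zero friction' part."""
    reasons: List[str] = []
    if not req.identity_verified:
        reasons.append("identity not verified")
    if req.data_classification in ("internal", "confidential") and not req.mfa_passed:
        reasons.append("mfa required")
    if req.data_classification == "confidential" and not req.device_managed:
        reasons.append("managed device required")
    return ("deny", reasons) if reasons else ("allow", [])


# Constructed sample requests (hypothetical users, not real data).
SAMPLE_REQUESTS = [
    # Remote worker, strong session, managed laptop: both models allow.
    AccessRequest("alice", True, True, True, False, "confidential"),
    # Valid session reused on the office network with no second factor and an
    # unmanaged device: the perimeter trusts the location, zero trust does not.
    AccessRequest("bob", True, False, False, True, "confidential"),
    # MFA done, but confidential data from an unmanaged device on the LAN.
    AccessRequest("carol", True, True, False, True, "confidential"),
    # Remote user reading public material without MFA: perimeter blocks,
    # zero trust allows because the data needs no step-up.
    AccessRequest("dave", True, False, True, False, "public"),
]


def divergent_decisions(requests: List[AccessRequest]) -> List[Tuple[str, str, str, List[str]]]:
    """Return (user, perimeter_verdict, zero_trust_verdict, reasons) for every
    request on which the two models disagree."""
    out = []
    for req in requests:
        p = perimeter_decision(req)
        z, reasons = zero_trust_decision(req)
        if p != z:
            out.append((req.user_id, p, z, reasons))
    return out


if __name__ == "__main__":
    for row in divergent_decisions(SAMPLE_REQUESTS):
        print(row)
```

Running the block lists the three constructed requests on which the models disagree: two that the perimeter waves through because they originate inside the network, and one remote request to public data that the perimeter blocks unnecessarily. The second kind is the friction Gary warns about; the first kind is the risk that continual verification is meant to remove.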

ST: What is your best advice to conference attendees looking to maximize the value of their time spent at Chrysalis this year?

GZ: From the beginning, we set Chrysalis up to be different from other events. We recruit speakers that are not there to promote their products. They are there to provide guidance and move the industry forward. We develop a story for the conference based on what is happening now and where we see things are going. All the sessions are in a single track and connected to that story, so that experiences and trends are not just academic, but end in practical advice that the attendees can apply as they plan and execute back home.

So, my advice is to come to Chrysalis, engage in all the sessions, ask questions, and build relationships. I haven’t experienced any other venue that gives you this level of access to the leading thinkers and practitioners in identity, security, and privacy.

MORE INFORMATION:

You can learn more about the Chrysalis Conference and register here

nipod25 for a 25% discount at checkout when registering online.

When: 7 – 9 November 2022
Where: Loews Coronado Bay Resort in San Diego

About The Author

Steve is a chief instigator and entrepreneur who helps companies improve performance through nonconformist innovation and strategy.