Transcript
with Blake, Micron, Susan from University of California, San Francisco, and Upen, my colleague at Deloitte. Thank you all for joining me. We're going to talk here about just how strategic identity has become to businesses. I'm sure you're kind of seeing that at your own organizations in your different roles. But we get perspectives here from the identity leaders and what they're doing and how they're elevating that conversation and helping business kind of see the value come through for identity as well. So thank you again and we'll get started. And I'll start with you, Blake. You and I have been chatting the last couple of days. We've talked about the unique profile that Micron has and how targeted you are. Talk about that and also then how you're leveraging identity and SailPoint specifically to kind of solve for the different challenges within the organization. Yeah, great questions. So speaking from the semiconductor aspect, Micron is, I would say, one of the most targeted companies in America at least. The high value assets, high risk. And so we're under constant pressure to remediate, remove, and understand the risk. So from the identity perspective, some of the challenges that are top of mind for me is kind of that hygiene aspect, identity hygiene. Just the basics and fundamentals of identity. The continuous validation of our identity and access controls. So just the fundamental of identity and access is one of our key priorities for me. The second is connection to the business, as you mentioned. So continually working with the business to understand the change where the semiconductor industry is constantly evolving and changing. So we need to prioritize our time with them to understand the risk from their perspective. What is the business evolving? I call it the speed of security, essentially. Security at the speed of business. And so that's something that my team has to gravitate towards all the time. We need to be in front of new technology development. We need to be in front of threats. And so that our controls and our identity capabilities need to be proactive in that sense. And I think the third is, you know, the biggest challenge right now is the scale of how identity influences our security program. At Micron, we've made identity the center of our control strategy. So if you have identity in the center, and how does identity tie to the entire ecosystem from network to systems to data to physical control? And so if we consider that scale, automation is super key for us. And there's a lot of dialogue in this whole session this week so far around automation. And so the team's ability to do the fundamentals, but then innovate in identity is super key. There's a lot of talk on AI or data science. I think that's the next part of the challenge that we need to overcome for scale, for completeness. And so top of mind for me on what I think. I think Susan probably has another perspective. Yeah, no, I'll ask you the same. Susan, you've got a unique organization. It's got academics on one side, and you've got healthcare. Pretty complex in themselves, but you've got both of them together. So do you want to share about how you're leveraging identity and the challenges and how it's helping you solve for that? Yeah, at UCSF, we are unique. We have health science, education, research, clinical operations, hospitals, ambulatory care. So we have all of those complexities of patient care and life-saving emergencies. And each one of those mission areas has their own unique technologies, practices, regulations. And so what we're shifting to is really just an enterprise way in which we approach identity. And it's based upon enterprise standards, enterprise risk assumption. And that's a very, very different model than what we have today. So today, identity is turned over to an application owner, and an application owner individually in an isolated way will make kind of siloed, role-based entitlement decisions. And that happens a thousand times over every day. And thinking about where we're moving to is really centralized, standard-based identity governance, entitlement management. And that's just a very, very different way that our organization looks at that. And that takes exceptional executive sponsorship. It takes exceptional cultural shifts. But we found it to be so critical to really justify our investment that we're making in identity. And it's the right thing to do, but it's very much a cultural change for us. And it's a business change for us. Right. So it's important in solving for such a complex business with all these things that you talked about. So identity is one of those things where it's not a once and done, right? You're going to, I think you all understand, we all understand here, it needs continuous care and feeding and improvement. But if there was a vision right now for the next three to four years of the future, and you assume you get there, what does that future look like? And what would you like from partners like us and then SailPoint and that partner ecosystem and technology and services to enable that future? I think for us, we're shifting to a model of identity-based decision-making, identity-based security. So it truly is going to be kind of out the foundation of how we conduct our business. And I think there's a recognition that identity is not just kind of a commodity function, like a router or a firewall. It really is a critical path to business innovation. And I think that was an important part of our discussions with our business leaders is just appreciating that when you think of identity, think of it in the same way that you would look at an ERP investment, or how you would approach that from a total business approach to something. And I think we've been successful at that. And we really do count on our partners and our integrators and Deloitte and our technology to really kind of take that customization out of it and let things be kind of out of the box. So it's ready to go with on-premise legacy applications. It's ready to go with IT orchestration and automation from an entire ecosystem perspective, because if that's not provided for us, then it just becomes more and more customization, which really takes us away from our enterprise standardization approach. Right. And that's part of your journey to ISC as well, right? That's why you've gone with the cloud-based approach and kind of bring that standardization to your business and your identity stack. And Blake, I'll go to you with that same question. How do you see the future and what do you need to enable that future for you? Yeah, very similar to where Susan was describing, we're on a very intensive RBAC program with SailPoint and Deloitte. Upan and I have a great working relationship. He has an amazing team supporting us for several years now. But again, tying everything around identity and what roles that you're defined to and then roles to assets and risk and all that. We're going to focus heavy on continuous adaptive identity, access and authorization, really get that risk-based approach. So not only risk and assets, but the risk and identity so that we have that dynamic control, adaptive control on access and remediation. We're going to spend a lot of energy there. I was excited to hear some of the product discussions here this week that align with that. But the dynamic of it in a global workforce and the people change, the change management around it, the risk signals, the risks are changing all the time. We can't do that manually. So a lot of innovation, an amazing team to really look at that risk engine approach, policy-based approach, similar to what you were saying, and drive automation through that so that near real-time access management is really what our goal is. So another way of saying zero trust, continuous adaptive access and authorization and authentication. But we'll be investing a lot in that. I like how you got to zero trust as the outcome rather than the starting point and just going for zero trust sake. So that's interesting. Bhupen, I'll come to you. You've had a unique career path. You've owned your own company. You've been at CISO and now you're with Deloitte. And you've seen identity being core to security and operations. How have you seen that evolution? You heard from Blake and Susan. In your view, how are organizations leveraging identity now? Yeah, let me tell you about the evolution, right? And this has stuck with me. Like Blake mentioned, I started working with Blake two and a half years ago. He wasn't even in cybersecurity. We would pressure him saying, no, we want to do role-based access. We want roles from you. We want this. We want that. This is critical to our cybersecurity. And he stopped me. He said, Bhupen, this is critical to our business model. Stop talking cybersecurity. And I think that's the evolution of identity. This will be your business model. I work with clients all across industry. We're working with a retailer right now. Identity is the central focal point to them changing their associate experience within their in-store delivery model. So when you order online and you go pick up at the store, it is the in-store identity that is enabling all of that. So I feel the next evolution of identity is to enable business model, enable business ideas. And to Blake's point, it is that zero trust outcome of building that trust. As we have more cloud, more AI, identity is going to be your new perimeter. It's going to be the central focal point of your zero trust circle. Right. That's interesting. And that's an interesting pivot to the business outcomes, right, Blake and Susan? You talked about what you're trying to achieve with identity, but it is serving the larger business. It is towards an outcome. And it's not just security, right? It's critical business outcome. It's critical to that. Let me ask about, is that realization throughout the organization? Are you having conversations where you're having to convince your stakeholders and executives around the importance of identity, why investment is needed? And if so, what are some of the strategies that you could share in having that conversation to bring that realization across the organization? Yeah. I mean, there's different levels of convincing, I guess, you know, the influence of security identity in our organization. There was a conversation yesterday about frictionless security or frictionless identity. This space is one of the most friction based ones that we have because people take it personally. How can I not be trusted? Why are you changing how I have to work around my identity at Micron? I've been here forever, for example. And so, those are conversations that are very unique, and we overcome those every time. It's just a matter of understanding business case, what our capabilities are in aligning that. As we move up through the executive suite and our board of directors at Micron anyway, we're pretty fortunate. We have a very engaged board and executive team, but we still owe them risk and business value. So, we have the opportunity to express that, you know, on a quarterly basis, and we tie current events, things they hear in the news, the unfortunate things that are occurring. We associate that to our internal risk, our internal programs, and we explain risk reduction. Now, risk reduction in business value is time to market, speed of business, protecting IP, insider risk, and all the external threats that we have. So, describing that in business value, while maintaining productivity, team member engagement, adoption. I was in a session earlier this week around the adoption is a big challenge. And the ITDR discussion, for example, was adoption, adoption. And so, gaining that trust, gaining value and adoption through working collaboratively with the business, we spend a lot of time directly in our business. I'm blessed with the team that I have. They come from the business. I have a large team that understands how engineers think, they understand how sales people think, and we can really relate and work with them. And then all the way up is that we are doing well, we will do well here, and this is what it's going to do to our product portfolio, our technology strategy, and really connect those dots. And we're blessed with that. Yeah. Susan, do you want to share your views? I would just add that for us at UCSF, UCSF.edu has value. And that name is something that, and that association with that name is something that we safeguard. And our business leaders may not necessarily understand some of the technical nuance of identity versus MFA, et cetera, but they do understand how identity impacts and identity security impacts time to onboard, or risk, or audit, or cost. And so, we were really diligent about appreciating that this was going to take time. It was a journey that we were going to need to take these leaders on and really have the story build upon itself. And second, I would share that we really did put identity and identity security as a critical path to business innovation, digital transformation. It doesn't make a lot of sense to invest so many tens and hundreds of millions in a new RP system if you're not going to base in the foundational way in which you control entitle management. And I don't think it's hyperbolic to say that identity is a critical path to business innovation. That's where we look at it. And I think that's what we hope to have our executive leaders understand that. It's not commodity, it's not an IT function, it's a business function, and it should be approached as such. And I'll just add to that, right? So, Blake started with reduced risk. Susan is talking about enabled business. And the third aspect of that is take technology out of this discussion. Let's not talk about widgets. Let's not talk about, is it in cloud? Is it on-prem? What API am I going to use? I had this conversation when I was young, and they said, but we don't want to know how you farm the potatoes. Like, don't even give us the recipe, right? Just give us the chips, right? And to that point, take technology out of that conversation. Your board wants to know two things. Are you reducing risk? Are you making more money? Give that to them. Take technology out. Let someone else operate it for you. You'll be that business decision maker, and you'll be successful. If there's one thing you can take today is enabled business, don't worry about technology. Yeah. And even if it's your job and you're focused on it, but from an executive and a board perspective, it's really about the business outcomes, and that's how you elevate that. So, the clock's wound down, and it's actually telling me we've run over. So, I had more questions, but we're out of time. Thank you again. Hopefully, the crowd found it insightful as well. Thank you for the conversation.