Mitsubishi UFJ Financial's Mastering Compliance with IAM & PAM
WEBINAR ON-DEMAND
Watch on-demand Mitsubishi UFJ Financial's Mastering Compliance with IAM & PAM, presented with our customer MUFG, recorded during our third annual Power Of One Conference.
With cyber threats looming large and the financial sector remaining a prime target, our bank has forged a path of innovation and resilience by harnessing the power of cutting-edge identity and privileged access solutions. Watch us as we share our remarkable journey in weaving security, compliance, and strategic partnerships into a seamless tapestry.
Key Highlights
Evolving with Best Practices: Identity security is a constantly shifting landscape. Through our commitment to best practices, including regular upgrades, we have cultivated an environment that prioritizes staying ahead of potential threats. Discover how this proactive approach has become a cornerstone of our security strategy.
From Compliance to Assurance: Compliance is not an end goal; it's an integral part of our daily operations. Learn how we implemented our identity and privileged access solutions to not only meet regulatory audit and compliance requirements but to also surpass them. The solution delivers on what it promises while seamlessly adhering to compliance mandates.
Lock Step and One Step Ahead: The journey towards compliance excellence isn't static. Our bank has adopted a philosophy of being in lock step with regulatory demands while also pushing the boundaries to stay one step ahead. This has empowered us to anticipate security needs and respond proactively.
Proving Compliance to Our Audit Team: An effective security posture requires not just meeting but proving compliance. Our meticulous approach to audit preparation ensures that our solutions align with the rigorous standards set by regulatory bodies. Discover the strategies that enable us to confidently stand before our audit team.
Balancing Complex Needs: Navigating the intricacies of Joiner-Mover-Leaver (JML), bulk provisioning, and satisfying headquarters' mandates requires finesse. Our bank's success story is rooted in striking the right balance between internal requirements, regulatory compliance, and global headquarters' expectations.
Trusting Our Identity Security Partner: While we value our independence in decision-making, we recognize the expertise of our Identity and Access Management and Privileged Access Management partner. Learn how this strategic alliance has allowed us to make informed decisions while harnessing their guidance to navigate complexities.
Watch now for an insightful conversation that unveils the heart of our bank's approach to identity and privileged access solutions. Through real-world examples and candid insights, we will demonstrate how security and compliance can be transformed from obligatory checkboxes into strategic advantages. Discover how our bank has pioneered a path that balances innovation, autonomy, and strategic partnerships to create a fortified banking ecosystem.
Presenters
Nicholas Brown
Bravura Security
CEO
Nick is passionate about providing organizations with the depth and breadth of cybersecurity solutions they need to empower their organizations. Nick comes to Bravura Security with over 25 years of experience in enterprise software with innovative startups and large companies like SAP and Oracle.
Eric Fouche
MUFG
Vice President, Information Technology
With an illustrious career spanning two decades, Eric is a seasoned IT professional whose expertise converges at the intersection of IT operations and fortified leadership. Eric has honed his skills in steering IT operations towards unparalleled excellence with a track record that includes orchestrating intricate undertakings with meticulous planning and seamless implementation of network upgrades. Eric’s strategic management of multifaceted IT teams has fostered an unwavering cyber resilience ensuring optimal performance. At the core of Eric’s proficiency is a command of Active Directory, even amidst the complexities of multi-domain and multi-forest environments. He has demonstrated mastery in sculpting Microsoft's Enhanced Security Administrative Environment (ESAE), and expertise across Microsoft's expansive product spectrum from Office and Windows iterations to Exchange, SharePoint, CRM, ADFS, SCCM, and Lync underscoring his expertise in fortified identity and access management. Armed with battle-tested experience and relentless innovation, Eric empowers IT security leaders to embrace the future confidently.
Review the Full Session Transcript
No time to watch the session? No problem, take a read through the transcript.
Carolyn Evans (00:00):
Let everybody else join and catch up. Thank you for joining this fireside chat today with Eric Fouche, the Vice President of IT at Mitsubishi UFJ Financial Group, and Nick Brown, who is our Chief Executive Officer at Bravura Security. Today, Eric and Nick are going to be chatting about how to master financial services compliance with identity and privileged access management. Eric has quite a bit of experience here and has a lot of lessons learned and stories to share with us, so we're excited to hear those. Over to you, Nick.
Nicholas Brown (00:34):
Yeah, thanks Carolyn. Thanks Eric for joining us and thanks everybody who's online in the webinar. Really appreciate your time and hope you find this to be quite valuable. So always excited I think, to talk with the clients. I think listening to previous discussions with a lead, it seems like Eric, you're in a job where you're either infamous or nobody knows your name and I think it's a tough business, so maybe you could just open it up with, well, how did you end up here? Was it your dream when you were in high school or how did you end up getting into a career in identity and cybersecurity?
Eric Fouche (01:22):
Well, yeah, my journey is probably a little bit unique. My degree is actually in psychology, and so I started out as a social worker and did that for about seven years, but this was many years ago when computers were still new-ish and it turned out I was one of the few that knew anything about them at the agency I worked at and I realized I had a bit of, excuse me, a talent with them. So I thought, hey, this might not be a bad field to go into. So I switched careers and once again, because everything was new, I joined at a time when networking and all that was still at its infancy. So I was able to get my hands on quite a bit of between setting up users, managing email, all of that where I didn't need to be specialized. So as time moved forward, I found that my talent really lay with operations and managing identities with Active Directory, as I mentioned with email and Exchange. Then going into managing security as far as password management, things like that. It all kind of grew organically for me and that's how I got to where I am today.
Nicholas Brown (02:35):
Well, I mean I think that's excellent. I hear that journey a lot from folks who started early in IT doing user setup and all the manual processes before automation and other things came in. Don't know a lot of 'em that started as a psychologist, so that's a new twist for me and probably for the audience, but maybe you can start to do some of the consultations with these new AI bots that are going to come into the business as well. So it could get really interesting. Haley, why don't we move to the next slide. So I think I hear this a lot in the industry that identity and privilege, it's not really a project or a destination, it's kind of a journey and it's lifelong and it's ever changing and new challenges, new regulations, new threats really we talk a lot about and we will hear compliance and regulatory requirements and penalties and things, but really what I think we're trying to do is create a secure environment to execute our business for our users to do it confidently and securely and know they're not violating policy and it can't happen accidentally. We put good things in place. So maybe you could talk a little bit about your approach to identity and privilege and what is the current peg you're on in your journey, I guess with your journey here?
Eric Fouche (04:15):
Right. So as you mentioned, Nick, it's absolutely a journey. Even if you set it up as a project initially, you're trying to get your feet underneath you with identity and with privilege, but it doesn't stop because as you mentioned, the landscape is ever changing and in my field where I work now, we have compliance and regulatory requirements that also are ever changing. So we have to stay on top of all of that. We have to make sure that as we provision identities, as we set up privilege access, all that meets those requirements going forward. And as best we can, we try and anticipate what may be coming down the road so that as we set up our processes and look at the tools that we're prepared for what's coming along and we have to stay committed to the whole thing, we have to stay on top of it, which also means not just for my team and what we do, but also educating our users and speaking to my superiors about what might be needed so that they can be prepared for what might be coming along. And as you kind of mentioned before, in this field, you're generally not well known unless something bad happens. So I try to stay anonymous, if that makes sense. So that's why this is very important to stay on top of how all this is managed, being in line with compliance and audit requirements on all that. So I can stay anonymous and when my name does come up, it's they're asking me for data and I provide it, and that's all.
Nicholas Brown (05:49):
Yeah, that's great. Well, I appreciate you taking the risk of exposing yourself a little bit in our webinar here, but I can't agree more. What you do in your industry and financial services and what other companies should be doing is almost the same other than there might be some different motivators that you have in different things that come at you, but I think the beauty of cybersecurity and talking to a variety of different companies, we had a natural plant-based food company on, we have you in financial services, you can learn a lot from each other as a group and as a consortium of cybersecurity experts about how do we keep going down this journey and learning from each other and applying those things that might be a compliance requirement for you to my business in a different sector because it's just as important to stay secure and stay safe. Right?
Eric Fouche (06:47):
Exactly. Exactly. And it doesn't really matter really what industry you're in. In my industry, as you said, financial services, yes, we do have some compliance requirements and all that, but it doesn't really matter what company you work for, what industry it is, because you want to keep your company secure. You want to make sure that people who have access to things are the right people so that you don't run into a problem, whether it be a breach or just someone doing something that they shouldn't.
Nicholas Brown (07:17):
Yeah, great points. Next slide. So maybe as we look at this slide, Eric, it might be a nice opportunity to provide a couple of things. Maybe you can provide the audience with a little bit of background of the size of your piece of the organization and the size of the overall organization that you work within. I think it's probably the second largest financial group around the globe as I understand it, but maybe that kind of will set the stage for then what kind of demands are put on top of you within the organization as well, if that makes sense.
Eric Fouche (07:57):
Right. So as you mentioned, I work for a very specific division of the bank and our division is pretty small, but the overall parent company, as you mentioned, it's very large. However, even though we're small, we have the same requirements as a much larger organization because of the field we're in. With banking, the government, for example, doesn't care about your size. Everyone has to follow the same rules. So that means all the processes and tools we put in place have to make sure that we can meet those demands. So whether it be compliance or audits that happen after the fact, we are under that same scrutiny. So anything that we put into place has to be able to meet that. It doesn't matter; the size is, quite frankly, irrelevant. We just have to have those processes in place. We have to have the tools that can allow us to meet those demands.
(08:52):
And as I mentioned, banking is highly regulated, which is probably a good thing. So we have to make sure that certain things are in place, the phrase the Chinese wall where certain divisions can't talk to each other, which is very important and I have to help enforce some of that by the access that we provide when we get requests, things like that. And also things like being able to report, as I mentioned with audit, and anyone who's been through an audit, whether it be through financial services or any other industry, auditors want what they want, they want to report, they want to see it for this timeframe, they want to see these users have access to this application or the security group, and I have to be able to provide that and show the evidence of who requested what, who approved what, when, all of that. And that's where the tools really come into place. You can have all the processes in the world and you should, but if you don't have a tool that can give you that information, it becomes very, very painful very quickly. So that's in a nutshell where we are with the size of our organization.
Nicholas Brown (10:03):
Yeah, that's great. I mean, I think we see the same demands and needs for all of our customers to a different degree, but certainly having great process and adapting your processes to really industry standards and best practices is super important for any successful project I think moving forward.
Eric Fouche (10:24):
Absolutely. Absolutely.
Nicholas Brown (10:26):
Okay, next slide, Eric. So as you look at, I think this is one thing that a lot of times when we work in security, we're not really looked at as the most pleasant people to work with or seen as drivers of innovation and positive outcomes. But I think when you operate a great identity program and have really well-defined processes and a lot of support from management, you can actually enhance the experience for your employees, make it a delight to be onboarded and have everything you need at your fingertips the day you start because there's not a manual process or somebody's on vacation. You've got it all kind of locked and loaded and can really actually help enhance the business. It's a side that we don't talk about a lot. We always talk about compliance and security and challenges that people have with that, but I think there's so much to talk about when you look at how you can create operational improvements. So maybe you could share a little bit about what you're seeing as you work within Mitsubishi as to how your program is actually driving improvements in the operation of the business.
Eric Fouche (11:50):
Absolutely. If I can borrow a phrase from my boss, automation, automation, he's always pushing that because let's be frank, you can do the work using spreadsheets and files and all that, but there's the human element that causes error and you don't want that, as you mentioned, onboarding a user. You don't want a person to forget to add someone to a security group that they should have day one. So it's best to have things automated. Obviously the automation has to rest on top of the processes you already have in place that you've already verified and meet your needs, but then you want to have it when you take the human element out as much as possible. And that's one thing we strive for at my organization. We want to have it so that the request comes in, for example, for a new user and the workflow just takes care of everything, and then maybe a verification is done at the end, but we don't have to worry about, like you said, someone's on vacation or someone forgot to do something.
(12:51):
That's really key for us. The other part, the other end of that quite honestly, and I know I've talked about compliance and audit, is that once you have that in place, then when you get requests for evidence from audit, for example, they trust the evidence you provide them because they know the system is automated. They know that a person is not adding people to security groups and why did this person not get added to this group versus this other? They know everything is a workflow and automated, so all I'm doing is producing that evidence and they trust that evidence. I don't have to spend my time explaining the reports and how everything was generated and how, excuse me, a person was onboarded, all of that because I have established that we have automation, I've established those workflows, and I'm able to provide that evidence and show that to them. Once I do that, it makes things much smoother. And I've experienced that not only in my current work environment, but previous places I've worked at as well.
Nicholas Brown (13:54):
Yeah. Do you find it in the operations you've worked at before or even here? I talk to a lot of customers. They love spreadsheets, but spreadsheets when it comes to audit are pretty difficult to do the track and trace and kind of provide clear evidence of how the data was moved. Was it manipulated in any way? Exactly. It just becomes, I mean, so hard to manage these kind of processes with spreadsheets without being able to walk through the flow of the process and say, this is exactly how we did it. In fact, I could repeat it right now in front of you if you want to be guaranteed that nothing happened in between the origin and destination, so to speak.
Eric Fouche (14:38):
Exactly. And in my experience, what I've found is once you go through that effort the first time with audit, explaining how the workflow works, showing them a little bit behind the scenes, maybe giving them an example, then perhaps the next or later that year when they come asking for similar evidence, they trust what you give them. You don't have to do that explanation again versus spreadsheets like you mentioned. You constantly have to explain it. You have to show the data wasn't manipulated, all of that, that just becomes very hard, becomes a chore. When you have the automation in place, trust me, your life becomes much easier dealing with that. And even other areas that we use, not only just for audits, but one of the requirements we have is certification reviews, so some of that also automation, automation, automation. Trying to do that with spreadsheets, which is something that was done years ago here, very difficult.
(15:32):
It is doable, yes, but very time consuming, very hard to track. Once again, you have to prove the data wasn't manipulated, but once you have it in a tool and you have automation, your life becomes so much easier. Not only for us as the team, we have to execute, but the end users who have to provide the actual certification, they get an email with a link, they go in, they click some boxes and they're done, and that's all they have to think about versus them having to crosscheck against spreadsheets, filling out forms, all of that.
Nicholas Brown (16:06):
Yeah, I mean, I can't agree more. I think that making it easy for a manager to validate that information about their employees and the access they have, we found that some other companies I worked at that access was bloated for a lot of employees because it was just too tedious for the manager to go through and kind of really update it. And they just kind of said, well, it's fine. I trust this employee. So yeah, they can have access to that stuff. Even if they had moved, they were a mover and you accumulate access and it's hard to clean up. But now with the reporting we're able to do, we can go in and show, hey, just say they don't need it. And it's easy I think to automate that and remove it. So it's really, I think, important that we move to tools that not only give us the track and trace, but put the power in the hands of people closest to what's needed in the business and stand behind what they say. And now we have tools to call 'em out on it and say, well, I don't understand why you're leaving this person with all this access. Is that really what you want to do? And we can focus on the outliers instead of the bulk spreadsheet processes of the past.
Eric Fouche (17:17):
Right. One other point, Nick, is that at the beginning of that rainbow, when a person initially needs the access, we also use the same tool for the manager and then in our case, the owner of the application to approve that access. So the manager's involved at the front end with the initial approval for their person, but then when we do the pre certification reviews, they're also signing off on it so they're aware on both sides. And once again, it's easier for the person request gets put in, the manager gets an email to approve, they approve it, or they deny either way, but either there's a trail going either way and the manager's aware of what's going on. And also if the manager happens to leave or gets transferred and someone else takes their place, we have a trail of how did this person get the access, who approved it? So that if person, if the new person has questions, we can provide that answer very easily.
Nicholas Brown (18:09):
Yeah, I think the one other thing I noticed about your business too is you probably have non-employees that need access to some of your financial tools and capabilities. And what's really helpful, we find people doing it with their employees as well, as well as kind of partners, et cetera, is they time-bound the access, right? So in other words, we'll give it to you for a period of time and then revoke it. And when people want access and need it for the business, they'll definitely come and tell you they need it and you can justify it again, but you're just not leaving it hanging out there for convenience, so to speak, as another tool to use in the arena.
Eric Fouche (18:44):
And then also you talk about time-bound access. That also goes for a person just leaves, goes to another organization or whatever. As part of disabling the account, the tool in an automated way, not only disables, but it removes them from, for example, all the security groups they're in automatically, I don't have to worry about this account still is a member of this group. Until it gets deleted, it's gone, the mailbox is gone, the security groups are all gone, it's clean. And once again, that's automated. So taking the human element out makes things much more simple.
Nicholas Brown (19:17):
Yeah, agreed. Next slide, Haley. Well, I mean we've talked a lot about process. Do you need to fix it? Do you need to change it? What's your thoughts there? I think a lot of times people especially coming up, I think the way you did too, you kind of do things because you were forced to do them potentially in the early days and now tools are coming on to help automate that. But still, sometimes change is hard for people. Sometimes you need to fix processes or change them. Sometimes you need new processes. What's your experience with working with the business and trying to really make sure we can have processes that support the business and at the same time provide maximum security and as little risk as we can make happen?
Eric Fouche (20:13):
Well, the first thing I'll say is, and I've seen this with other places, when you decide there's a process that you need, something that you're trying to accomplish, don't look at the tool first, establish your process, understand what the requirement is from the business, from your management, whomever, and get that process down. Get it on paper. Make sure everyone understands what the process is, what you need to accomplish, what those steps are. Even from a manual point of view, if I had to do this manually, what are my steps? This is my process. And then will this meet the requirement? Then look at your tool and make sure your tool can do what you need to do. And go back to what I said before, automate, automate, automate. But your core is the process that you have to create and understand what the need is.
(21:04):
That's because I've seen other places where they start with a tool and then they're like, okay, we have to make the tool do this. Well, did you know it could do that before you purchased it? Did anyone even think about that? Understand your process first and then look at your tool and if you have a question, if the tool can or can't do something, ask the vendor. Most vendors are happy to discuss with you about the abilities of their tools and making sure it fits what you need. And even if the tool may not be able to do 100%, many times vendors such as yourself will take those questions into account and possibly build them into the next versions or ask more questions to understand what their customers need. But that sounds like a lot, but really it's not, to me it's common sense. Get your process in place, then understand what tool you need to meet that process, work with your vendor and test it, get it rolled out and your life is so much easier than going from the other end, trust me.
Nicholas Brown (22:09):
Yeah, I think as we think about this, fixing the process, one thing we talked about Eric earlier on was sometimes you can't automate everything. So I think there's some balance there. I think you told me you spent, I don't know, some number of years trying to automate more connectors or different aspects of a business, maybe not here, but in other businesses you've been in as well. And sometimes it's not really adding value, it's just adding complexity that creates more risk even potentially in moving forward with the product, staying current, et cetera. Because you're trying to maybe overload something where, hey, it's not a sin to have some manual processes in your solution. Is that your view as well?
Eric Fouche (23:00):
Yeah, that's true. Where it makes sense. Like you said, sometimes you want to go through this effort of automating and as they say, the juice is not worth the squeeze. So it's alright to have a manual process, but once again, you have to have that process defined. You can't, that's not a license to fly by the seat of your pants. You still have to have your process very well defined, make sure everyone understands what the process is, what you're trying to accomplish, and you have to do it manually. Great. But as we talked about earlier, make sure you build in how do you validate what was done, all of that, which is not difficult, but you just have to remember to do it. You absolutely want to do all of that early as you're inventing it versus when someone comes ask you for a report and then figuring out, oh, how would we validate this? Do it at day one when you're writing it all on the blackboard or the whiteboard I should say.
Nicholas Brown (23:53):
Yeah, and I think that whole process map you talk about just adds so much value of a library of these processes. You can constantly use them for your compliance reporting, how your processes work, and just lay out a map to anybody who's coming in to audit you so they really understand what you're doing and how you're doing it and then how the system's supporting it either manually or through automation to kind of deliver on that value for you.
Eric Fouche (24:20):
And you talk about laying that out. So at my organization, we are required to have such a document and with all of our processes listed and anytime we make any kind of change, we always reference that document, do I need to make a tweak? Do I need to add a step, remove a step, do I need to update the Visio document? Because once again, if I need to show that to someone, I need to make sure that it's current. Heck, if I hire someone else from my team, I need to make sure that they have the current steps and processes as well. And they know what's required. And I know we're talking about this in a bit, but we're in the process of upgrading our products here. So that's one of the things that I'm doing is looking at as the new version rolls out, is there anything that changes with our process that not only do I need to train the team, but do I need to update that document so that everything stays in line?
Nicholas Brown (25:13):
Yeah, like you said, it's a total journey across all aspects of the projects. So it's great to hear, appreciate the dialogue. All right. Maybe next slide, Haley. Yeah, I guess maybe this is a bit more open-ended, but I think it's always great when people are attending these to maybe get some key advice. What do you think, and maybe we talked about some of these, but just any advice you can offer folks who are on the line to look at how do you stay current as you talked about, and what other advice would you give somebody who's starting or on this journey and didn't realize it was a journey until now and need to pick up and carry on? Yeah,
Eric Fouche (25:56):
So as I referred to when you have whatever you're trying to accomplish, create that process, but we talked about it being a journey. It's not a one-time thing. Check in with the business or whoever gave you the requirement, whether it's your leadership or another business unit, make sure that your process still meets their needs. Do that periodically, once a year, once a quarter, whatever makes sense for your organization. So you want to stay on top of that. And then also occasionally look at your processes. So we talked about it's okay to have things that are manual and it absolutely is, but maybe in a year or two down the line, when you have a new version of the platform out, maybe automation becomes easier. You want to make sure you evaluate all of that as well. Also, if you're using a tool, make sure you stay with the most current version.
(26:45):
Don't fall behind on your versioning because that will also cause you pain, not only from a support perspective, but also you miss out on new features. So you want to stay current with your version as much as possible. And I know for my organization, we do have a requirement. We can't use a product past its end of life, so we have to stay upgraded. And that may sound like a pain for some people, but trust me, it's well worth the effort. And also stay contacted with your vendor, with the tool that you're using, talk to them regularly, whatever mechanism they have, if your account executive have regular meetings with them and make sure you understand what product you have, what the new version offers, or maybe they come out with another product that might meet another need that you have. And your vendor not only about the product, but your vendor.
(27:42):
Just like you, Nick, you're talking to people across multiple companies, so you're going to hear things that I may not hear, people are having problems that I'm just now encountering and they solve. So your vendor's going to be the one who's going to be able to say, oh yeah, we have another client that ran into the same thing and this is how they approached it. Well, great. I don't have to reinvent the wheel, I just have to look at implementation. Look, it may sound a little preachy, but I'm telling you I've been on the other end and it's not a fun place to be. And taking the time to do those things is so well worth the effort, trust me.
Nicholas Brown (28:20):
No, that's great advice. I really appreciate it. Don't really have much to add there. I think for us it's stay engaged with your customers. So we have the flip side of that so we can better service, better, provide solutions that have a meaningful impact and add value to our customers. So that looks great. Appreciate it. Next slide. I guess, what are the things you're focused on for the future? Are there things you're seeing in the marketplace that are interesting to you that you think are going to help you improve what you're doing? Would love to hear your thoughts there and if there's anything that you have to offer
Eric Fouche (29:08):
For us, one of the things for the future is as we start to use other applications, let's say we're going to Microsoft 365, so obviously that's the latest, that's the greatest. A lot of companies use it, but what does that mean for me, an identity? Do I need to manage it a different way because now I'm kind of going out to the cloud. Now there are different requirements for connectivity, all of that kind of stuff. So I have to stay engaged with what applications our business is going to use and how does that impact identity and making sure those things are managed properly.
(29:46):
Some vendors we deal with, they've totally scaled back and there's less to do from an identity perspective, it's simpler. Other vendors are going the other way. We now have to invent all new processes to do the same amount of work. So when I think of the future, that's what I look at. I engage with the business, I see where they're going, where they want to go, and make sure I can stay in step with them or at least have an idea of what's going on. So I'm engaged all the way. And then I talked before about constantly talking to the vendor. So our rep James from Vera, he and I talk pretty regularly and he's telling me about new things that are coming down the line. And I also tell him about some pain points we have and seeing what might be available to help us out or things that we might be thinking about.
(30:34):
So that's also part of the future. It's having those regular conversations. I'm not running to him, it's like, oh my goodness, this isn't working. Oh my gosh, I've got to get this done. This is the last minute request. No, I'm trying to stay ahead of the game. And I try and do that not only to make my life easier, to make my team's life easier, but to make it easier on my organization, as many organizations are, you have to plan ahead for projects and things like that. You can't just go to your bosses and ask, for example, a budget just to roll something out at the last minute. You have to plan ahead. You have to prime the pump, as it were. And all of that makes it easier. If I know what the plan is, my boss knows what the plan is, here's my approach on how we can address it. So now let's put the wheels in motion and get that done.
Nicholas Brown (31:21):
No, I appreciate those comments, Eric. I think a lot of people when they think about financial services, they say, oh, totally risk averse, last to adopt cloud, last to look at this, last to take this risk. But I think what people don't realize is probably financial services more than anybody actually puts risk into their financials. They already know there's risk. They know some number of transactions are going to be fraudulent or whatever. They kind of know this, and their job is to move that two percentage points in the right direction to increase their profits. But it's part of the culture, and I think it might be interesting for you to share. Does that influence you that you're able to go and say, look, we can help reduce risk through this project by doing this, and we already know the financial impacts that that could have on the business, which might be really hard for somebody in a different industry, right?
(32:14):
Because they're just sitting there saying, we don't have anything like that that we measure. But I think what you do, how you talked about me talking to different customers and different industries and learning from them, this is a great learning for other businesses to say, Hey, maybe you should start to monetize your risk and understand what the value of risk is in your organization, therefore, how much you're willing to take and the value that it's going to generate if you do, and how much you want to reduce it, right? It's just a really interesting thing because working at other companies and working with financial services in particular, I mean, they're very rapid to adopt cloud because they need it. I mean, the scale and the cost savings for going in that direction is far outweighed the risk that they saw. Right?
Eric Fouche (33:01):
Exactly. And we do have an exercise every year where we examine all of our, what we call controls against their risks to make sure that we're addressing all the risks that are out there and any new risks that may have come up over the past 12 months. And all those risks have monetary values associated with them, just like you mentioned. So we do have an exercise where we go through that, and one of the, I'll say it's a joke at our organization is that the identity team have the most controls of any other group. So we have a lot of things to look at and a lot of risks to mitigate, but that's all right. That's part of the business, it's part of the job. But yes, we absolutely have that exercise. And now for us, it's very good that it's very organized, very structured, very driven a particular way. But it does help me keep an eye on what do I need to think about? What processes do I need to modify? What do I need to change so I can stay on top of these things? So yeah, that's kind of how we approach it here.
Nicholas Brown (34:06):
Yeah, that's great. Great feedback. Alright, next slide. Maybe I think Eric, again, want to really thank you for taking the time to talk to us today about your journey, the journey you're still on, and hopefully we'll continue to keep you as least famous as possible in the market or famous for doing a great job in the end. So hopefully we as a partner to you can continue to help you do that. But maybe we'll open it up for any questions folks might have.
Shelby Whalen (34:44):
Yes, we do have some questions here. Eric, you had mentioned throughout your presentation the fact that you had gone from a manual to an automated process in this identity journey. How much time do you think you save by having this process automated?
Eric Fouche (35:03):
Oh goodness. So just to, I don't have an exact number for you, but let me give you one process that maybe that'll help illustrate it. So I talked about the certification reviews and that literally took five months to do one of them. Now we're down to two months and half of that is data we have to get from an outside source. That's part of that, which we can't do anything about. But the actual review once it kicks off very quick. So we saved three months just the gate with that and we're looking to improve. We've got something else up our sleeve. We're looking to try and cut even that down. So that's just one example. I can also tell you that with onboarding new users and in coordination with our HR department, this was a little bit before my time, but as I understand it, they did everything with forms and literal signatures that people had to scan in from one of the copiers and send it around to email and make sure it was okay to hire someone.
(36:06):
Now it's just a ticket. The HR person opens, it goes right into the approval workflow and then it automated creates the account, creates the mailbox and all the things. So it saves my team tremendous amount of time for all the manual things we used to have to do, but it saves time for all the other people who have to approve it, who have to submit it. They don't have to do paper forms anymore. It's amazing and people love it. In fact, now we're getting suggestions from HR about how we can make that even faster, which, fine, bring it on. We're happy to entertain that. So I hope that answers your question.
Shelby Whalen (36:42):
It does. I also have another question here, and it piggybacks a little bit off of the thought of seeing improvements across the organization. Have you noticed that the identity and PAM part have helped other teams in other ways? I know you just mentioned the simplified JML. Has there been anything else?
Eric Fouche (37:06):
Yeah, so other teams have requirements on knowing what their people have access to. Things that may not come to me directly. Maybe they're being asked from audit or from whatever entity. So they know that they can depend on my team because of our processes and the reports that we provide can help them out. Also, just knowing that they can say like, okay, I have this person on my team whose job has been changed, now I need them to have access to this and this. It's simple. They just put a request in, we execute, it's done. They don't have to worry about back and forth with forms and figuring out who has what. We have all of our applications inside our identity tool with all of the roles that are available. It's just checking a few boxes and within a couple of days the person has the access. Very simple, easier for them. They don't have to run around and ask a lot of questions or deal with a lot of paper forms or even spreadsheets.
Shelby Whalen (38:06):
Thank you. And here's another one for both of you. What would you say is one of the most challenging parts of your role?
Eric Fouche (38:19):
I'll go first. I'll just say staying current with everything. Because everything is changing, not just it, but the requirements from the industry I'm in and just in general. So making sure I stay current with everything. It can be a challenge. You have to meet with multiple groups, multiple teams, understand what the requirements are, understand how it might impact you, understand how you might be able to add value. So that does take some time, but as I said, it's completely worth it because if you don't do that, then at the other end it becomes a problem.
Nicholas Brown (38:58):
Yeah, fair enough, Eric. I mean, I think if I look at the biggest challenge in my role is we have a pretty broad footprint of cybersecurity capabilities from password management through to identity and privilege. I think it seems to me privilege is becoming a standard requirement across the organization. Everything is really privilege. And how do you provide access to local laptop system accounts to add a print driver or whatever it might be to reduce friction and enable your employees? And for us, how do we focus, how do we stay focused on the real needs of our customers where we can add the most value and not dilute ourselves too much as we go to market and as we work with our customers to say, Hey, we don't need to solve problems that you already have answers for. We want to go solve the problems that you don't have an answer for and you need help with. Right? So I think for me, it's listening less to ourselves and more to our clients and our partners about what we should be doing to help you guys be successful in the marketplace. So I think that's the ongoing challenge we have is just staying focused. We're an engineering-led organization with a lot of bright people. We can solve a lot of problems. Let's go solve the right ones together, I think.
(40:21):
Alright, Shelby, if we don't have any other questions with that, Eric, just once again, it was delightful with Fireside chat here talking to you. Appreciate your time, appreciate you as a customer and if anybody needs to reach out to us, I think our LinkedIn profiles are available. So super exciting and thanks again. Thanks everybody for attending.
Eric Fouche (40:43):
You're very welcome, Nick. And I had a great time. Thank you.
Nicholas Brown (40:46):
Yeah,
Shelby Whalen (40:52):
Thank you everyone. And please join us later for our next session upcoming with Identity. Thank you so much.