Controls Intelligence in the Greater Whole

I was talking to a longtime competitor/colleague/client/friend this week about identity governance and a variety of other identity topics. We were commenting that in some regards access certification and access policies have been stuck in a bubble of amber: not a lot of innovation save the addition of some cluster analysis (marketed as AI). In the course of the conversation I remembered that a long time ago I had written a piece on the use of negative policy spaces for access governance. My buddy thought it would be fun to dig it up and repost it. So off I went to find this…

Finding your secret strengths

To grow your skills, you must know your skills. Problem is, that’s harder than it sounds, if only because we rarely carve time out of our hectic lives to do so. Might as well use these next few minutes to do so, and this post will give you a technique to help you along. We cannot think about our skills in a vacuum. It’s a well-researched fact that humans are horrible at assessing their own skills. We often inflate skills we do not have. We downplay skills we do have. Simply put, we lie to ourselves about the strength of our skills. We need inner honesty. We need outside voices. We need feedback… in order to examine these skills we have and those we don’t.

A Maturity Model for De-Weaponizing Identity Systems - Part 3

In Part 1 of this series, I discussed the types of attackers who can weaponize your identity systems and use them to cause harm. In Part 2, I introduced the design goals of the Maturity Model as well as the disciplines needed to implement the Maturity Model. In this post, I’ll discuss each of the 5 levels of the Maturity Model and controls you should put in place to achieve those levels.

Level 1 - Managed

This level is table stakes. It optimizes your organization’s existing security controls for identity systems. I believe it helps make compliance with things like GDPR easier but it is in no way a “cure all” for regulatory burdens. To achieve Level 1, you’ll need a combination of access control, data protection, and audit:

A Maturity Model for De-Weaponizing Identity Systems - Part 2

In the first part of this series, I discussed different kinds of attackers and why they attack our identity systems. I also discussed how they can weaponize our identity systems, turning what is meant to deliver services and do good into something that can be used to cause harm. In this part I’ll talk about the goals of the model, the disciplines needed to do this work, and the levels of maturity.

A Maturity Model for De-Weaponizing Identity Systems - Part 1

It’s no secret that we, as identity professionals, are the custodians of some of the most crucial information in our enterprises. We hold information about employees and customers in our identity systems in order to deliver them services that range from productivity to entertainment to personal health and wellbeing. And as professionals, none of us want to build systems that can harm other people. Certainly, none of us want to build systems that can be used to harm ourselves. At the core of our professional code of ethics is the spirit of “do no harm.” Now it is true that if our identity systems are of value to us and to our employers, then they are of value to attackers.

Why is the Identity leg of the stool missing?

[Many thanks to Gerry Gebel for giving me the nucleus for this post]

In the midst of the ongoing privacy and security conversation, I pointed out last week that identity is the missing leg of the security/privacy stool. Identity is both a means of expressing privacy requirements and a necessary set of security controls, as well as a key to delighting customers and driving business engagement. A colleague pointed out that while security and privacy might be different halves of the same coin, identity is the coin itself. I’m not sure I fully agree with that but it gets to a sentiment I have. The use and protection of identity data has strong footing in both the privacy and security worlds. And yet identity and identity management professionals are not first-class members of the conversation. Why is that? One reason, in my opinion, is because we didn’t expect the industry to stand alone for the duration.

FAQ for Building a Presentation

I’ve been collecting questions I get about my thoughts on how to build a presentation. Here are, in no particular order, some of the top ones and my answers.

Does this work for every kind of presentation?

Hell no! It works well, for me, for keynotes. It works well for building talks that are presentation, performances. It will not work well for lectures and workshops. It will not work well if what you actually need is documentation. See Tufte on that one.

The Identity Philosophers Song

With all due apologies to Monty Python and specifically Eric Idle, here’s the identity industry’s version of the Philosophers Song. Many thanks to everyone who helped this effort and huge thanks to Eve Maler for all her work on this. What follows is meant with much love and respect to everyone in the industry (mentioned or not). And with that… maestro please:

Jeremy Grant was a real pissant
Who was very rarely stable
iglazer, iglazer was a boozy beggar
who could think you under the table
Blakley whom could out-consume
Madsen, Bradley, and Dingle
Pat Patterson was a beery swine
Who was just as schloshed as Cahill
There’s nothing Wilton couldn’t teach ya’
Bout the raising of the wrist.
Cameron himself was permanently pissed…
George Fletcher, still, of his own free will,
On half a pint of shandy was particularly ill.
Nishant K could stick it away;
Half a crate of whiskey every day.
Patrick Harding, Patrick Harding was a bugger for white lightning
Nash was fond of his dram,
Really Dick Hardt was a drunken fart
“I drink, therefore I am”
Yes, Cameron himself is particularly missed;
A lovely little thinker but a bugger when he’s pissed!

And if none of that made sense to you, here’s the original which also might not make much sense either.

My 9 Step Process for Building a Presentation

“How do you build a presentation?” I’ve had the question asked of me a few times recently. And I’ve had enough flights recently to spend some time thinking about the answer. As I mentioned, before I could actually answer the question I had to write this other post about clarity and empathy. Go read that and then come back. With that as context, here is my stripped-down process – my 9 essential steps to building a presentation.