Identity at the Center is a weekly podcast all about identity security in the context of identity and access management (IAM). With a combined 30+ years of IAM experience, hosts Jim McDonald and Jeff Steadman bring you conversations with news, topics, and guests from the identity management industry.
Do you know who has access to what?
Well, if you’re interested in sponsoring, feel free to get in touch if it makes sense. As long as we can keep it relatively vendor-neutral, I’m pretty open to anything at this point.
I agree. What’s been great, though, has been the feedback from our listeners, and somebody that we’re having on today is a listener of the show, and we’ve been in contact with him. He’s somebody who puts out a lot of content himself, so, Jeff, I’ll pass it back to you to do the introduction, but I think it’s really cool that our listeners are reaching out. They’re people who are active IAM practitioners as well.
Yes. It is super cool, and I’m super pumped to have Carlos on the show. We’ll get to him in a second here. He wrote an article that touched on how to build a successful IAM program, and it was on Enterprisesecuritymag.com. I’ll have a link to the article on our show notes so you can check that out, and part of that article touched on managing organization change, which I thought was interesting. It’s something that sometimes gets overlooked when we’re developing programs and getting things out into the real world. Without further ado, why don’t we bring on the author of that article? His name is Carlos Rodriguez. He’s the director of IT security and risk at Citizens Property Insurance. Welcome, Carlos.
Thank you, Jim and Jeff. I’m happy to be here. I will start with thanking you not only for the opportunity but also for the content that you put out every week. I’ve been listening for about a year, and so I appreciate it on behalf of our community.
When you’re managing change for the organization, no matter what it is, I would imagine that this is not a one-and-done type of situation. If something’s evolved and you’re going to identify areas that you want to improve on, just like anything else — things that maybe got missed the first pass: “OK, let’s remember that for next time” — how do you approach that type of situation, getting it stood up and then getting it ready to go?
Sure. We brought in stakeholders from the entire organization, from all business units, and interviewed them — “What are your strong points? What are your pain points?” — and based on that, we built a holistic strategy. Then, we presented to them for feedback, but there are different techniques for getting started. I was blessed to have an internal organizational change management team, and as soon as I started and found that out, I went to them and said, “This is a multiyear, very impactful initiative. Can you help me?” They brought in some techniques and presented them to me, and what they usually lead with — and the preferred technique here for us is ADKAR. It stands for “awareness, desire, knowledge, ability and reinforcement.”
What does that mean? Well, first, you have to be aware that a change is needed. That’s your awareness. That’s where communication starts — to drive that desire for that change — and that’s the most difficult part. You’re changing someone’s way of working, and that has an impact. Then, you focus on that knowledge, training: “How’s the change going to impact me?” and what have you. Again, the training leads to acquiring the abilities that you need to have to support and sustain the change, and then the reinforcement is ongoing. You have probably heard a lot that we’ve seen a lot of technology projects everywhere where we never capitalize on the promised land because it’s a nonpriority, or for whatever reason. Sometimes we don’t finish our projects, and that’s the reinforcement piece, and measurement of the change.
Correct. You’ve touched on a few items that I did go by. One, I look up to my sponsors. Who were the sponsors of the project? In this case, the two VPs in IT — one is my boss, who handles the strategy, architecture, resiliency and security, and the other one is the technology VP. Within those groups, the first thing was understanding, “What is the business process here? Let me follow the money,” if you will. That’s what CISOs always go by: “What are the key processes in the organization?” I partnered closely with our enterprise architecture team, which is a sister organization, and the resiliency team — also a sister organization: We’re all under the same leadership. Then, from there, I went to the process owners of those critical processes.
Citizens is the insurance provider of last resort in the state of Florida. That means we provide coverage for those who cannot get it from a commercial carrier. That means a big part of our mission as a company, and one of our values, is that of service. We have to be there for the policyholders when a storm hits. We have to be on ground zero 48 hours after the event. One of the key processes for us is boarding the independent adjusters that go assess the damage of the storms. That’s one team I went to. We don’t have a sales force internally. We work a lot with brokers and agents. That’s another key: the stakeholders, and we have policyholders, and then our internal users. Through all of this business impact analysis and my partnership with enterprise architecture, I identified those key stakeholders and then brought them in for the conversations.
What happens if you’re talking with the stakeholders, and you get a real stick-in-the-mud? Someone who might be difficult. Have you encountered that? If so, what are some of the tips or tricks you might have for the folks who are listening when that would happen? Not if, when.
First, understand that change is a long process. Studies have shown that organizational change really sticks after three years, give or take. There is a concept known as the change curve, in which you visualize how this process goes. You’re in a status quo for a while. Everything is going well, and then there’s change. We introduce a change. At that point in time, what happens is exactly what you described — you have denial: “Why are you doing this to me?” Usually, people also take a self-denial type of deal: “Why am I not taking on this?” and that type of deal. Then, that status quo has started going down on the curve. Then, there is a little bit of a valley at the bottom, and that is when there’s doubt and confusion and uncertainty, and that’s where I’m looking for, “What’s in it for me?” That’s a big piece of the change process — we’re all looking at “What’s in it for me?” — and for me as a leader, that’s what I need to communicate, because what you want to do is, on that valley, you want to get out of that valley as soon as possible. You don’t want to stay there long.
One of my favorite books is called Peaks and Valleys. There’s a key question that they ask in this situation, which is, “What’s the truth in this situation?” so I help people understand that as much as I can. I partnered at that point with my sponsor and other people that had more time in the organization to understand the other side, because I was then with people I didn’t know for the most part. So, before each conversation, I would prepare with longer-tenured people in the team to understand, “I’m going to have the conversation with this stakeholder. Tell me who he is, what’s going on with this person. What is he looking for, or she looking for?” Then, once you start coming out of the valley, you can start going up to rationalize, to accept the change, and then you get to the reinforcement part of it.
In short, I think I wanted to explain that process, but really, you have to communicate what’s in it for the person or for the business unit — help them understand that — and part of what I do is help them understand, uncover and manage risk so they can make better decisions. Usually, that works well.
You mentioned using established relationships, and I’m curious about your thoughts on this. I’ve been involved in organizations where I’ve been there for a while, and, “Let’s start an IAM program.” I’ve also worked with organizations where it didn’t exist, and I was brought in to create that IAM program, and didn’t have the luxury of knowing anybody. I’m this new person coming in to the org, and I have to stand up an effective IAM program without the benefit of any relationships. I see good and bad in that because you’re also not carrying baggage, potentially, from previous projects, or previous expectations, those sorts of things. What are your thoughts? Would you think one is easier than the other? Are they about the same? What would you do if you were dropped in and you had a choice? Would you go into a new org, or would you try to start up with the current org?
Well, the way I would approach that is, you’re working with someone internally. You are a consultant coming in, in your case, and you’re working with someone in the team in the internal organization. That would be me. My role, my responsibility, is to present those people to you so you can have those conversations, and we did that. We worked with a third-party consultant here, and that was my role. I was the coach, the quarterback: “Let’s bring claims, let’s bring vendor management, let’s bring legal and I’ll brief the consulting team: We’re bringing these folks. We will give them a little bit of background,” and then we really let the business guide the conversation. “Tell me about your process. What matters to you?”
At the end of the day, as I mentioned earlier, this is a business initiative. This is not a technology project, and that’s how we gain support from the board and everyone. You make them feel like you’re listening to them, and all the techniques around listening and reinforcement, and then, when you present the results back, make sure they get feedback again, but for another iteration, and usually, they felt they were a part of it — “This is not IT or security working on a silo and telling us what to do. They actually are considering my input” — and there’s a lot of value to that.
That’s right. Jeff, I’ve got a new analogy that Carlos just gave me, which is that what makes a good IAM program manager is, he or she is a quarterback. They make everybody else look like the star. Carlos, as you’re going through the peaks and valleys of change management, I couldn’t help but draw the analogy to the seven steps of grief — denial: “No, this can’t be happening to me” — but what was coming to mind as you’re talking about that is, you’re helping people accept the change. You talked a little bit earlier about the trainings that you wind up doing and things like that, and what came to mind was, what are the forms of communication? How are you getting this out there? Are you leveraging corporate email newsletters? Are you sending a letter from the desk of the CEO? What were some of the techniques that you used to communicate change in your organization?
Yes. All of the above. We have different ways to communicate because people are busy, so we’ve got to put the information out as much as we can. Obviously, there are certain very formal channels to communicate with the board and the executive team. We used those forums for that. I offered, and it was accepted, to the executive team to come talk to their leadership teams — and remember: boards, executive, these are 10-minute conversations. Fifteen minutes — very short, to the point and “What’s in it for me?” When I went to talk to claims, I modified my message to talk about the claims process, and how this impacts that. When I went to talk to HR, I talked about IGA, and how the HR system plays into provisioning and deprovisioning, potentially, because I knew that was a change that would impact them, and so on and so forth. That’s the business and high-stakeholders level.
Then, we also wrote internal articles that came from our COO, who is in my line of leadership. She is my boss’ boss. She put articles out there, my boss put out articles, my department, my team put out articles, and then you continue to adjust based on the project you’re working on. When we rolled MFA out, we put out a series that we call “Tech Talks.” It’s an open mic conference call with the technology people in there to answer questions, and a really brief 10-minute overview, and there is a Q&A, and those were a hit with the organization. We had somewhere between five and 10, with maybe 60 people, on average, attending. That’s that.
We also have another venue, which is our agile ceremonies. One of them, for example, is inspect and adapt. That’s when we go and show people what we’re doing, and they give us feedback, because it’s all about feedback. That’s what we try to do. We collaborate a lot, we provide information, get feedback, make adjustments — so, a lot of different ways to communicate, but it’s about reinforcement of the message.
Well, I’m glad that you gave me that translation, right? We have enough time to pick another topic. In another one of your blog articles, you talk about agile methodologies in IAM deployments. My question, bluntly, is, do you find that agile works better than traditional waterfall approaches when it comes to IAM?
I know this is not the answer that we all like, but it depends on who you are. It depends on your organization. For us, we are still growing into the agile transformation. We’ve been in the journey for about three to four years, which sounds like a long time, but for a transformation of that magnitude, it’s actually early. For us, we approach it with an agile mentality, but sometimes we may apply waterfall techniques, depending on the magnitude of the project. For example, payroll taxes — we did a lot of waterfall there early on as we transitioned to being deployed, and then agile after that. For the most part, we work in sprints, two-week sprints, where we’ve tried to realize some sort of value to the organization, but while you get the infrastructure in place, it’s more of a waterfall, so it’s a scrumfall for us in some cases.
A scrumfall — I like that. It sounds like there really is a place for a hybrid approach where you’re not strictly agile, you’re not strictly waterfall, but you take the right approach for whatever project or team that you’re engaging with. Have you found any particular mix that works really well, or is it truly figuring it out as you’re going through it with different personalities — it could be a project personality, or it could be a team personality — that sort of approach?
There’s a misconception or a misunderstanding about agile, and I found that with my team: it’s “Deploy fast.” Well, it’s not that, really. It has nothing to do, or little to do, with speed. It has more to do with delivering value. With that said, our approach is, in our security team, and in many of the IT organizations here, it’s about releasing, and getting feedback: “Was this what you were looking for? Is this what you’re looking for?” It’s a constant engagement with the stakeholders, with the project owners, to make sure that we’re delivering the value they are looking for. There are a lot of competing priorities in any organization, as you know, so you’ve got to make sure that you are delivering value. If not, they’re either going to not care much about what you’re doing or shut down the project, so feedback is the key for that. We lean more toward agile, two-week sprints, in our case.
How do you defend the quality when it comes to moving with speed? I think that’s typically one of the areas that a lot of organizations and project teams struggle with. When you get into these heads-down sprints, and you’re running full speed, how do you make sure you don’t run through a wall, instead of making sure that you ran through the door that was already there, and you’re not causing more havoc than you’re creating solutions?
From a security point of view, we try to provide the requirements as early on the portfolio kanban as possible. There are different stages. Once the project is about to take off, we have a pretty solid SDLC checklist, and that’s where we inject our IT security assessment tool — it does a lean risk analysis of what we know at that time, and it gives you an inherent risk that drives your controls and looks at “Based on what you’re telling me, we need these controls,” and that’ll give you a residual risk.
That was very well accepted — another change that was “Why are you doing this to me? Why do I have to go through these things?” But once people saw the value, we are not even in the conversations sometimes, because now, what we’re doing is, the enterprise architecture team is running with that tool, and in the future, we envision — we’re kicking off our security champions program here very soon. We did last year, but the world changed last year, so, talking about agile, we had to pivot and focus on other things, so we’re about to resume that, and hopefully, our security champions can take ownership of that, and the advantage is that their part in the business units will be more that of security coaches. They love that we basically provide the guidance, vision and requirements and get out of the way.
That’s actually what the follow-up question I was thinking of is, does this change the role of the CISO in project delivery, especially when it comes to security projects? I hear you saying yes. I don’t know if you’re saying that because that’s the changing mind-set that you have in terms of what that role ought to be, or if it has anything to do with the agile versus the waterfall. What do you think of that?
The main role of the CISO in any organization is to build and manage relationships, and then provide a vision, provide guidance on risk management. Our mission statement — I’m going to paraphrase it because we just redid it, but it’s basically, “We’re here to provide data and educate the business on risk so they make decisions.” Well, security doesn’t own risk. We manage it for the organization. We tell them, “Here’s the risk. Here are alternatives to handle them,” and then, usually from an IT point of view, especially in other business units, they come to us and say, “How can we remedy this? Is it possible to remedy?” and sometimes it isn’t. That’s one thing.
The other thing that I tried to do is promote experimentation, because that’s part of our job, part of who we are. I had a conversation this morning: “Why are we changing this? The initial guidance that we provided to the team?” This was a conversation among the project owners for IAM: “Well, we’re not saying we’re changing direction. Let me ask you this. Should we listen to what they have to say to see if there is any value and we should pursue that route?” The answer was, “Yes. We should listen to them,” and I go, “Well, let’s do that. Run a small experiment. If it makes sense, we keep going. If not, we’ll just say no.” Some people would say, “Well, you’re wasting time,” but what we’re doing is, we’re learning. That’s the role of the CISO, to me: to manage relationships, and encourage innovation and experimentation, and, obviously, help the team manage risk.
That reminds me a lot of a piece of relationship advice that I once heard, and I wish I knew who it was so I could properly give them credit: “It’s not me versus you. It’s us against the problem.” If you can bring in other parts of the organization and have them have a seat at the table and say, “Well, here’s what we’re trying to solve for. Here’s what we think. What do you think?” usually, multiple heads are better than one when it comes to that sort of situation, and empowering the organization to make those decisions and those changes, and to own things, is a very important part of that too, so I totally agree with that.
We’re starting to come toward the end of our time here, but I wanted to understand from your perspective, what are some of the things that you use to stay sharp? We’ve been in this space for a while, and sometimes there are multiple outlets of information, especially in the age that we live in with the internet — it’s no longer the security magazine that gets delivered to the office so much every week, it seems. What are some of the things that you use to try to not only stay sharp but also understand the perspectives of some of the stakeholders that you’re talking with?
Well, I listen to podcasts like this one. This one, in particular, for anything identity, I keep up with. Then, I have a number of podcasts that I listen to on not only security but also leadership — I recently started listening to a couple on entrepreneurship because that helps me a lot to jump into these endeavors — but books, I really enjoy the books from Morey Haber: Identity Attack Vectors, Privileged Attack Vectors. Those are really great books on this area. Books on leadership. Also, BSides conferences. I am a big fan of those — it’s very relaxed, practitioners. I favor those now more than the big, big ones, where I didn’t really get to talk to peers, and that’s that last one — peers, people like you that I can have a conversation with about anything, because at the end of the day, someone has seen the issues that I have seen.
The last thing I do — and that has helped me develop a lot — is, I stay up with what my boss and his boss are reading. I’ve been doing this — even before I got to Citizens — for a while. When I went into meetings in their offices — president, CEO, COO, CIO, any chief — I would look at their shelves and just peek at them, and see what they have been reading, and I went and got that book, because that helps me understand where they are coming from, what they are thinking about. It’s been very helpful to me.
I think that’s a really great tip for folks that are out there: to be able to understand the perspective that the folks who are in positions above, from a leadership perspective — to understand what is their point of view, because I think it’s an opportunity to reinforce what they’re hearing or counter what they might be hearing from an information standpoint, especially if there’s something that is counter to what you’re trying to get done. I picture this back in the old days — sneaking into an office and peering through books and magazines on the desk and things like that to try to get intelligence on what people are looking at so you can better understand the psychology of why they are the way they are.
Well, that’s very cool. We’re going to have links to the different articles that you’ve published out there on our show notes. Before we get things wrapped up for this show, any final words of wisdom, Carlos, that you can throw out there into IAM land for the people who are listening?
Well, if you are building the strategy, or reshaping it, or what have you, remember, it’s a business initiative. It’s a business problem, and in order to solve it, you need the business stakeholders to help you. Let them guide that strategy, and you will get support. Since I’ve been here, because I took that approach, I have yet to find pushback from the business.
I like that. How about Jim? Yourself? Anything you want to close out with before we let these fine folks go?
I’m just so appreciative of Carlos being on the show, and sharing his wisdom and his experience. It reinforces to me that we do have a listener base out there, and that the folks who are listening are, like us, constantly thinking about how to make the business more secure, how to make the user experience better, and, part of the topic we discussed today, how to make it so that the change that we’re inflicting on the organization is accepted as well as possible. These are hard things. Change is hard. Change is hard to implement, and change is hard to be on the receiving end of, but just having Carlos on today reminds me that our listener base out there is so strong, and I really love interacting with all of you who listen on a regular basis. Please reach out, and connect to Jeff and me on LinkedIn, and I’m sure Carlos is open to that as well. He’s already prolific in terms of publishing articles and sharing information on his feed, so please feel completely welcome to reach out and connect to all three of us.
That’s a good point. I do think the IAM field is very welcoming. It is not a very competitive field — at least, I feel that — if you’re in the trenches. We’re all trying to solve similar problems — maybe not exactly the same, but there are communities of people out there that are struggling with the same problems that you might be facing on a daily basis. If it’s been solved elsewhere, there is no shame in taking what’s been learned and applying that to the problems that you’ve already seen. You may have to tweak it, massage it, whatever it may be, but I think that’s a great thing. One of the things I like most about the IAM industry itself is, everyone is very welcoming, and I totally echo what Jim said about connecting with any of us. We’re always happy to have a conversation, and this podcast is proof, so let’s keep the conversation going. If there are things that you want to talk about, reach out. Let’s get it on the table and have that discussion.
We totally appreciate it, Carlos. Thank you so much not only for listening but also for being part of the show as well, and bringing your experience and your knowledge to the table for folks to derive benefit from. With that, we’re going to go ahead and call it for this week. You can hit us on the web at IdentityattheCenter.com, or on Twitter @IDACPodcast. There are going to be show notes that have the links to Carlos’ writings and links to connect to any of the three of us on LinkedIn as well. With that, we’ll go ahead and close it out for this week. Thanks, everyone, for listening, and we’ll talk with you all on the next one.
Thanks for listening to the Identity at the Center podcast. If you like what you heard, don’t forget to subscribe, and visit us on the web at IdentityattheCenter.com.