March 5, 2024

EP 47 – Digital Trust and the Identity Cornerstone

In this episode of Trust Issues, Jan Vanhaecht, the Global Digital Identity Leader at Deloitte Belgium, delves into the intricate realms of digital trust and risk management with host David Puner. The discussion covers topics ranging from the impact of regulations on cybersecurity practices to the pivotal role of identity in building a robust security culture. Unpacking the nuances of digital trust maturity, the episode explores how organizations can navigate the delicate balance between risk and reward. From the emergence of passwordless authentication to the practical applications of Zero Trust principles, the conversation provides valuable perspectives on safeguarding digital landscapes. Join us as we unravel the complexities of cybersecurity and discover how it intertwines with innovation, compliance and the pursuit of trust in the digital age. 

[00:00:00.300] – David Puner
You’re listening to the Trust Issues podcast. I’m David Puner, a senior editorial manager at CyberArk, the global leader in identity security.

[00:00:09.860] – David Puner
The investor, Warren Buffett once said, trust is like the air we breathe. When it’s present, nobody really notices. When it’s absent, everybody notices. To stick with the metaphor, in an industry where an important mantra is Zero Trust, we must never take even an individual breath for granted. Never trust. Always verify. Rinse, repeat.

[00:00:51.710] – David Puner
Assess and refine your Zero Trust strategy against the backdrop of any evolving environments. Make sure the identity of every employee and machine is who and what it claims to be, and that they can only access the data and assets they need in that moment and check each and every time.

[00:01:09.040] – David Puner
On the other side of the equation are brands, organizations needing customers and prospects to trust them, creating and maintaining trust to succeed. This brings us to today’s guest, Jan Vanhaecht, who’s the Global Digital Identity Leader at Deloitte Belgium. Jan shares his insights on his position and the challenges that come with it. It’s an enabling role as he describes it, and he’s enabling a team that enables clients spanning more than 150 countries. There are lots of nuances to consider.

[00:01:43.540] – David Puner
Within that equation is beating the never-trust drum for his clients while helping them build up their own digital trust. It’s an interesting double-edged sword. He also talks about the evolution of the threat landscape and the impact of generative AI, and the role of identity in enabling Zero Trust and digital transformation.

[00:02:05.630] – David Puner
Take a breath. Let it out. Here’s my conversation with Jan Vanhaecht. Oh, and Mr Buffett, you’ve got an open invitation to come on to Trust Issues anytime you want. Please drop us a line at [email protected].

[00:02:20.970] – David Puner
Jan Vanhaecht, global digital identity leader, Deloitte Belgium. Welcome to Trust Issues.

[00:02:31.160] – Jan Vanhaecht
Thank you.

[00:02:31.450] – David Puner
Thanks for joining us. I didn’t realize that you were traveling in advance of this conversation. Where were you traveling before this?

[00:02:38.820] – Jan Vanhaecht
Last week, I was in Las Vegas for a trip of a week, joining up some of the alliance partners and meeting with my US team members. Always very energizing to get some new thoughts, get some other insights on how our practice in the US and other parts of the world is going, and learning new things that I can bring to other parts of our business on a global scale.

[00:03:03.050] – David Puner
Thanks for joining us today on a Monday, toward the end of your day in Belgium. We appreciate it. I guess to start things off, as the Global Digital Identity Leader at Deloitte Belgium, what does your role entail, and what does your team do?

[00:03:17.580] – Jan Vanhaecht
That’s a very good question. The only thing I can really say is that every day is very different, which keeps it very interesting for me. As a global identity leader, I have a team of about 3,800 people that I can guide and steer to discover what is new and trending, what our team should be focusing on, but primarily also making sure that we have the right people assigned to the engagement we have with our clients so that we can keep tackling the issues that we have, the questions that we’re getting from our clients in the best possible way with the best possible team. That is my mission, which I wake up every morning and that I go to sleep with every evening.

[00:04:03.580] – David Puner
Wow. That’s a very large team. Do you have individual one-on-ones with all 3,000-plus of those team members?

[00:04:09.970] – Jan Vanhaecht
Yes, of course. I wake up every morning with a call of 20 seconds per person. No, of course not. We’re luckily organized in a very dynamic way. We’re active in over 150 countries. I obviously have a larger leadership team with me there as well that is focusing on the regional accents as well that we need to put in terms of the real ask, the trends, also responding to the different cultures that we see, both from a geographical culture, but also from an organizational culture, and that we make sure to bring that together.

[00:04:48.940] – Jan Vanhaecht
My main role is an enabling role for that whole community, trying to link them together. If questions arise, that we find the right experts that have tackled that problem before that give some additional industry insights to our clients.

[00:05:06.110] – David Puner
Maybe just to make sure that we’re singing from the same song sheet, as I’ve heard someone say in the business before, and I don’t know whether I like the phrase, but for some reason I’m using it right now. What does global digital identity within the context of Deloitte Belgium mean?

[00:05:23.370] – Jan Vanhaecht
Global digital identity, our main mission is to work as a wider Deloitte cyber team. We fit within the Deloitte cyber risk services business, which is actually cyber and strategic risk that we cover. What we attempt to do there, our main mission is to secure the success of our clients, secure success, which you can see from both angles. We try to make sure that all of the mechanisms that are being implemented in terms of cybersecurity are implemented successfully.

[00:05:56.360] – Jan Vanhaecht
Even more importantly, from our broader perspective as Deloitte, to make sure that we also are able to secure the very success of our clients, making sure that our clients can live up to their own mission statement, to the ambitions that our clients have can be obviously in a commercial setting, but can also be in a government or a nonprofit perspective to make sure that we can actually make those objectives and that mission statement become a reality.

[00:06:28.200] – Jan Vanhaecht
From there, we fit in with the digital identity perspective to then secure the access that are needed in order to execute on that mission statement and tie that together to the bigger mission objective of our clients.

[00:06:43.860] – David Puner
That’s where things stand now. Let’s go back in time briefly to 2008 when you joined Deloitte. Yes, we know this. We’ve got crack team of researchers. That’s obviously this day and age, quite a long run. What brought you originally to Deloitte? What was your first position with the company, and how has your career at Deloitte evolved since?

[00:07:07.600] – Jan Vanhaecht
Interesting question. I need to dig back very deeply. Just before that moment, I was running a smaller systems integrator company, locally active in Belgium, working for one of the biggest software vendors at the time. That was then in the verge of an acquisition. Just before that acquisition happened, I actually joined Deloitte, I felt like I was very capable with the team of delivering the right technical solution, making it work from a configuration perspective, but felt at the same time that something was missing, that we were not able to really hook in to those real objectives to demonstrate the value that we were bringing to our clients with the solution.

[00:07:52.520] – Jan Vanhaecht
At the same time, I was working together with a number of people then at Deloitte that were actually much more capable in understanding those business cases, the drivers, the real needs of our clients. By combining forces, we could just do that much more. At the same time, there was only a very small, almost nil experience within Deloitte Belgium, for sure, on identity management. I thought that the combination of the two would make a lot of sense. I joined Deloitte coming into a whole different environment, a whole different organizational structure.

[00:08:29.460] – Jan Vanhaecht
I worked my way up through the ranks, starting as a senior consultant, and then gradually was given the opportunity to build the Belgian Identity Team, the European Identity Team, and then since a year or two, taking on the global identity leadership role.

[00:08:47.860] – David Puner
You were thinking about identity as far back as 2008. This isn’t something that’s evolved over time.

[00:08:53.890] – Jan Vanhaecht
We didn’t call it identity management back in the days. It was more about portal, direct research services, public key infrastructures, but certainly went on that journey. I think some of the nice part is also that a number of the colleagues that I had back in my previous experience before Deloitte and at the start of Deloitte are still with us, with me today, able to exchange ideas, to keep evolving, keep pushing forward, and keeping each other aware of what those trends are, of what the changing market is, what changing demands are, and primarily what the changing opportunities are with our clients to really generate a business case out of identity, making the value-generating control rather than just a value-costing control at this point in time.

[00:09:42.340] – David Puner
One thing came to mind when I was thinking about your long run at Deloitte, do you have any e-mails in your inbox dating back to 2008?

[00:09:51.200] – Jan Vanhaecht
Our data retention policy doesn’t allow me to keep data that long around, so I have to answer no, I’m afraid.

[00:09:58.810] – David Puner
That was a trick question. I was seeing what you were going to say there.

[00:10:02.590] – Jan Vanhaecht
I’d love to keep some of those messages.

[00:10:05.130] – David Puner
When you look back at what the threat landscape looked like back when you first joined in 2008, how has it evolved, and what would surprise you most back in 2008, if we were talking to 2008, Jan, about today’s 2024 threat landscape?

[00:10:24.250] – Jan Vanhaecht
I think one of the big surprises is that for sure, identity threats are still a thing, and it’s still very much the individual that is being targeted. To move forward, I think back in 2008, we would have hoped that we would have been able to pass along. Throughout that time, I’ve heard 100,000 times that passwords are a thing of the past and passwords are dead, which I’m still hearing today with the promise of pass keys. At the same time, if we look at a lot of the accounts that we’re working with are still very much at the core of the protections we need to put in place.

[00:11:02.790] – Jan Vanhaecht
I think we’re a bit… Things that are going slower, I think. If we were back in 2008, we were also thinking of artificial intelligence, remembering some graduate university courses on the mathematics behind the artificial intelligence. I think we all would have thought that by now, AI would have ruled the world, which today is something that a lot of people are maybe claiming with the recent moves of the last year. If we just look at the workflow today, that is still very much an emerging topic. 2008 repeating itself, I’d say.

[00:11:38.040] – David Puner
You touched upon a couple of things there for sure. I guess let’s start with AI and generative AI. How much bandwidth is that taking up with you and your team these days? Where do you see it all headed?

[00:11:50.320] – Jan Vanhaecht
I don’t have a crystal ball, luckily. The best answer I’ve heard is that we should ask GenAI itself where it sees itself going. That’s not a quote that I can contribute to myself. It was an interesting thought.

[00:12:04.230] – Jan Vanhaecht
I think the main thing we’ve seen the effects happening on two fronts. Today, on the one hand, obviously a lot of work is going on to try to identify ways of optimizing our own work, of not having to dig through big piles of information and having it more distilled to something more consumable by us as experts. That’s not just in the cyber field, that’s obviously everywhere, so more as a workforce enhancement mechanism. On the other side, there’s a lot of talk, and I see a lot of presentations these days about the application of GenAI in those threat landscapes, again, on being parts of phishing campaigns, et cetera. All looks very interesting and worrying on the one hand. At the same time, at this point, that GenAI is still as smart as the information you feed it at this point.

[00:13:02.710] – Jan Vanhaecht
I’m quite confident that at this point, the human factor is still prevailing and is able to identify what is actually happening. But it is at least making our lives harder in terms of automatic detection and some of the controls, the more historical controls that we’ve been putting in place.

[00:13:21.790] – David Puner
I would think, and I could be wrong, you can tell me if I’m wrong, but as far as things that are top of mind with clients in general these days, is generative AI one of their top concerns? And if so, is it from how is this going to affect me from a threat standpoint?

[00:13:41.170] – Jan Vanhaecht
That is certainly a big driver where the topics come towards the cyber angle, but the real value being created also in a number of cases of workforce optimization and enhancing the experience of our workforce and of our clients in a positive setting, I think is dominant at this point. At the same time, a big worry I’m seeing with my clients on the uncertainty, especially in the European theater, but also a bit broader, is also on some of the regulatory impact coming into AI.

[00:14:16.610] – Jan Vanhaecht
European legislator, for sure, is taking a leap forward and is trying to push most many of the digital acts, a specific AI act, where questions are popping up on how will this impact our ways of working, how will we be able when we utilize AI algorithms, how will we be able to demonstrate how they actually work and that there is a fair mechanism, a fair selection happening, a fair and valid reasoning happening, no bias, how can we prove all of that.

[00:14:48.620] – Jan Vanhaecht
Then, of course, also linking that to the cybersecurity part, again, how can we make sure that those ecosystems are working correctly? Which then, again, a step further when we are then looking at workforce enhancement is, again, how do we implement a number of controls to make sure that our AI mechanisms that are very abstract often. Can we be sure that these AI mechanics, these algorithms, only get access to the data that the individuals using them should get access, that we don’t have information leakage happening because any of the GenAI type mechanisms just expose data that shouldn’t be known to the individual that is asking the question that is prompting the algorithm at that point in time?

[00:15:39.840] – Jan Vanhaecht
I do see, again, a shift into my wonderful world of digital identity to make sure that these AI algorithms also are impersonating and are adhering to the information needs and the information qualifications of the individual that is acting at the moment.

[00:15:57.010] – David Puner
Cyber regulation is obviously a huge area of focus right now, and cyber resilience for that matter. How is the increased focus on regulations and compliance influencing your clients? How does how you’re approaching regulations in Europe differ or influence what’s happening elsewhere around the world?

[00:16:16.660] – Jan Vanhaecht
There’s a significant impact, of course, in the day-to-day life of our clients in Europe. We’ve had our struggles over the past couple of years with the predecessors of the modern digital act, digital regulation, which was called GDPR, everything on personal data management. That was a big leap forward.

[00:16:39.930] – Jan Vanhaecht
One of the big shifts that happened there was more of a risk-based approach. For one of the first times, regulation wasn’t telling you exactly what you could do and what you couldn’t do, but made you provide evidence and forced you to think correctly. That’s an important shift that has happened. At the same time, with the more recent digital acts that have been coming out.

[00:17:03.990] – David Puner
Like DORA?

[00:17:04.530] – Jan Vanhaecht
Like DORA, not NIS2, the AI Act we’ve talked about. There’s also more specific regulations, like on health data spaces, et cetera. There’s also very specific ones. It’s an arena of about just under 20 different acts that are actually placed right now or coming out. Main question now is, what is the boundary of each of those different acts and regulations that are coming out?

[00:17:30.890] – David Puner
When you say 20 different acts, is that 20 different acts around Europe or is it worldwide?

[00:17:36.460] – Jan Vanhaecht
That is just Europe. That is just Europe indeed.

[00:17:38.960] – David Puner
That’s a lot.

[00:17:39.880] – Jan Vanhaecht
Yeah, and that’s a never-seen amount of regulatory impact that is coming in the direction of our clients. Primarily, that’s an interesting point for us and for everyone, I think, but also a lot of overlap, sometimes a lot of touchpoints. For example, there’s a specific regulation on electronic identity. IDaaS, too, coming out, shifting, enabling suddenly decentralized identities, wallet-based thinking, verifiable credentials. Sometimes we also call it self-sovereign identity, but that’s a whole other podcast, probably, to talk about the difference between decentralized and self-sovereign identity.

[00:18:22.700] – Jan Vanhaecht
Just looking at that specific one, there’s obviously a big touchpoint with GDPR. GDPR still applies, obviously, when you look at the IDaaS too regulation. At the same time, that is a regulation on the payment service directive number 3 that is coming out, the third generation there, which then again links back to IDaaS and to GDPR. Also in that sense, we need to keep everything moving, and we need to bring everything back together. We can’t expect anyone out there in the field to master all of these different acts and regulations at the same time.

[00:18:58.780] – David Puner
All right. No way.

[00:19:01.100] – Jan Vanhaecht
We also need to find other mechanisms to discuss, on the one hand, with the different regulators that we’re impacted in, which might be in certain countries in Europe, but certainly when we then also look at the impact that has in the US, in APAC, and need to bring all of that together. At the same time, avoid that we have to launch a big transformation and assess a big assessment for each of those different regulations coming out of each of the countries on the impact that has on our IT landscape.

[00:19:33.040] – Jan Vanhaecht
A big part of the work that we’re doing today is trying to come up with more of a control framework, a unified control framework, and absorbing layer in the middle, and like a shock absorber works on a car, can jump in the car and put music very loud that it goes up and down. You don’t want the road to be impacted at the same time. When you hit a bump in the road, you don’t want that to impact the glass of champagne that you have in the back of your car, maybe. That’s not something that you want to have. At that time, you need that shock absorber.

[00:20:06.690] – Jan Vanhaecht
For me, that control framework, unified control framework is acting as that shock absorber, making sure that your regulatory field can move upside down as much as you want and new regulations can come up. At the same time, when your organization is changing and your IT landscape is being upgraded, saying you’re in a big digital transformation project, for example, that also there, you’re reporting out to the regulator, it doesn’t need to be impacted. That’s a very vibrant, interesting feel today, I think, to make those two go together.

[00:20:39.830] – David Puner
Yeah, I should say so. I’m starting to understand why you’ve got 3,000-plus people on your team. That’s a lot to sort through in any given moment. On top of that, the glass of champagne in the back of the car, I can tell that you just got back from Vegas.

[00:20:54.940] – Jan Vanhaecht
I was waiting for that one.

[00:20:58.840] – David Puner
That’s an interesting metaphor.

[00:21:02.970] – Jan Vanhaecht
This morning, it was a cup of coffee, back to real life.

[00:21:07.610] – David Puner
Right, okay. Yeah, there you go. That’s more like it. You’ve touched upon so many things here, and I think one of the things I wanted to go back to for a moment is risk. How are you and your clients thinking about cyber risk? How big a role does risk play in business innovation and ultimately in business success?

[00:21:28.300] – Jan Vanhaecht
We’ve always been looking at risk from two angles, unrewarded risk and rewarded risk, as we used to call it a long time ago. Unrewarded risks are things like pure compliance, the check in the box that you need to have a ticket to the market and to be able to operate it. A lot of the regulation has been typically interpreted of being just there, and you need to check the box.

[00:21:53.770] – Jan Vanhaecht
You need to have an ISO 27000 standard just because you have it. We’re going to do the bare minimum just to qualify. You need to have penetration tests executed on your infrastructure. Let’s just do the smallest, most basic penetration test so that we can sign off. We did a penetration test, we should be good.

[00:22:12.790] – Jan Vanhaecht
Now in that world also of a changing landscape where that is becoming more of a risk-driven approach by itself, you need to demonstrate that you thought about what the level of the penetration test is that you’re looking for and how advanced should that be in the context of the actual assets that you are protecting and the value of your own organization, but especially the value of third parties that you might be mastering at that point in time.

[00:22:41.010] – Jan Vanhaecht
Again, the best example is, while sensitive is the data of individuals that you are sitting on and how well should you have protected that personal data of your customers, knowing how sensitive it might be and knowing how that could be abused potentially by an attacker if they would get all of that information. That is now being extended also into the wider field of all types of data that we have.

[00:23:08.690] – Jan Vanhaecht
Again, bringing it to the digital identity front. That’s where we are primarily looking at fields of how sure do you want to be of the end user that is consuming that data? How is that protected? Where is that sitting? We want to elevate the level of assurance that you get of who you’re dealing with and that you’re not running an interview with a deep fake presenter that is maybe sitting in front of you.

[00:23:34.040] – Jan Vanhaecht
That shifts the mindset to more thinking of reward at risk. What’s the level of risk that I am willing to take in order to implement certain measures and trading that off versus the potential loss that you would be having. That’s then again where our broader risk advisory type of services are very active to bring all of those different angles together, and where we also need to bring an industry expertise, of course, you need to understand the business model of individual clients to really be able to advise those clients on the best way forward in their specific case, knowing the competitive landscape, knowing the adversary landscape, and then finding a good way of protecting while still keeping business running, of course.

[00:24:20.630] – David Puner
Is part of what you do getting clients comfortable with risk, or does that really depend on who the client is?

[00:24:29.190] – Jan Vanhaecht
The risk appetite, we like to refer to it as a term, the risk appetite. The first by client. It’s not up to us to change the risk appetite of any client or any organization. It is one of the input factors that we will use to then come up with an adequate level of protection for those clients, depending on how far they want to go, how complex do they want to have the solution data, how many passwords do they want to put in the folder, do they want the full coverage or is it a limited scope? That’s reasoning that we would need to go through to make that actually happen. That is not up to us to decide. We can only give some benchmarks also of what the risk appetite is with other industry players and how much investments are linked to that part.

[00:25:16.580] – David Puner
Passwordless authentication. What is your take there? Is it going to happen? Do you think it’s a positive thing? Is it possible? What do you think?

[00:25:26.790] – Jan Vanhaecht
It is possible for sure. There’s been a mechanics in the workplace for quite a while. I must admit that today, coming back to my office computer here was the first time in a long time that I had to actually enter my password again, and I had to think very well, which it was on my work infrastructure as well that I have in my home office.

[00:25:49.860] – Jan Vanhaecht
When I travel, I use passwordless authentication. That is a mechanism that works. It was literally three weeks ago that I had to type in my password itself, which is convenient on the one hand, also an increased level of security, like when you’re passing borders, for example, and devices need to get contested. That is only a one-shot that we have.

[00:26:12.460] – Jan Vanhaecht
There’s no way that can be reused. A little or far less risk of someone looking over my shoulder, seeing the password that I’m typing in when I’m on the plane, person sitting closely next to me, seeing what I’m doing. There’s only one shot that they get, and they would have to hurry very quickly. It reduces that risk factor. At the same time, now having to type in my long password again made me reflect also just on how convenient that whole experience was on the passwordless.

[00:26:42.630] – David Puner
It’s a long… It’s not Jan123?

[00:26:45.680] – Jan Vanhaecht
No, it’s not JanForever anymore. There’s also a long story behind JanForever, but I dare everyone to try that out.

[00:26:56.130] – David Puner
All right. Maybe that’s a premise for another episode. We’ll have you back on.

[00:27:01.300] – Jan Vanhaecht
We’ll see. I just take it again on showing that value being created and that ease of use, a workforce, automation, ease of use is an important evolution that we see. I’d love to quickly plug in some of the research that we’ve been doing basically on creating actually value for our clients. There’s been a digital trust maturity survey that we’ve been executing.

[00:27:26.870] – David Puner
What is digital trust maturity?

[00:27:29.040] – Jan Vanhaecht
That’s the very first question to ask indeed. That’s the very first recommendation that we give in the paper, the results, to discuss within your organizations what digital trust really means. Digital trust is the way that you are projecting your image, your brand, your reputation in a digital channel, and how clients are reacting to that one. It goes way beyond just cybersecurity. It goes way beyond identity management.

[00:27:57.820] – Jan Vanhaecht
It’s also about how you build even the look and feel, the level of interaction that you’re doing with your clients, how trustworthy you make sure you become. It’s also about exposure and reputation that has been built up by your organization in terms of digital channels and how trustworthy you are.

[00:28:19.760] – Jan Vanhaecht
Now, what we’ve been seeing in that wide definition of digital trust is that the clients with a higher level of maturity, as it’s been perceived by their business partners and their customers or in terms of governments, think in terms of the trust that the citizen has in the use of digital government channels, the higher that maturity, obviously, the more successful these organizations were in fulfilling their core mission objectives, again, in living up to the expectations that they’ve set with their clients.

[00:28:51.770] – Jan Vanhaecht
Interestingly, from a business perspective, there’s also a direct correlation between that level of maturity, the higher the maturity, the higher, obviously, the cyber investments are with those clients. The lower the maturity, the lower the cyber investments are. So far, no rocket science, of course, speaks to itself.

[00:29:12.680] – Jan Vanhaecht
Then again, linking it to the value that is being created with those clients in the level of fulfilling their mission objectives, then it becomes interesting. Because also low digital maturity correlated to a very low fulfill of those objectives, low customer satisfaction, low citizen satisfaction in the interaction, low workforce satisfaction as well in the economics of how they were working, and a lower revenue when it’s really about these digital channels.

[00:29:41.790] – Jan Vanhaecht
The last correlation that is interesting is that the companies that are scoring low in the digital maturity ranking have a tendency and an expectation to start decreasing their investments in cyber even further. While the companies who are invested in a high level of digital maturity, have an expectation to start increasing and keep increasing their spending in cybersecurity, which leads, of course, to the expectation that the digital maturity gap between low-performing or low-maturity and high-maturity organizations is only going to widen. If you extrapolate that then to the success that has been linked to it, to the profitability and the fulfillment of those objectives, that, of course, will also lead to probably that a higher maturity digital trust organizations are going to increase their success or are going to increase their revenues versus those that are on the low spending side.

[00:30:39.010] – Jan Vanhaecht
That, I think, is an interesting take to also find a way of calculating some return on investment in cyber. We’re always talking about how mad it is like with those passwords. It makes me feel more comfortable. It’s a faster way of authenticating. I don’t have to log a ticket anymore to the help desk. That’s all true. Those are marginal gains. The real value is being projected in that digital trust that you’re projecting to your clients.

[00:31:05.640] – Jan Vanhaecht
I think that’s an important game changer again and tying it back maybe to the regulation part, where regulation will actually help organizations in having to increase their cyber maturity, their digital trust that they’re protecting their images because they will have to start implementing a number of controls in place to make sure that they live up to that minimum bar, that Olympic minimum.

[00:31:30.960] – Jan Vanhaecht
Then hopefully that will give the insight also and give everyone the chance to actually start generating more revenue, more success on their digital channels, and from there break the trend of that decreasing spend that we see with a number of smaller organizations sometimes.

[00:31:48.670] – David Puner
It all does tie together if you think about it. Taking that into consideration, how does digital trust maturity tie into an identity security culture? How does identity security figure into what you do and how you look at the big cybersecurity picture?

[00:32:07.150] – Jan Vanhaecht
Identity is just a cornerstone, really a cornerstone, the foundational element of that whole cybersecurity chain. See that coming back also in a number of those regulations, again, tying, and if you look back to the European theater, how the IDaaS too regulation, for example, is becoming pivotal from a number of the other acts that are really pointing at the core use of identity and data to establish a good level of assurance and trust between individuals and between organizations and individuals.

[00:32:38.780] – Jan Vanhaecht
From that angle, identity is really the core part. If you take a leap forward on protecting the identity fabric on the workforce side, on the privileged side, on the customer side, if you have that under control, you at least have a good foundation to either implement further cyber controls because at least you can make them more tailored to what individuals need, or in the worst case, when something happens, to find back where the cause is, what is your root cause of certain breaches? Again, those root causes still being in many cases tailored to specific identity-centric attack state in place, which is still element in many of the breach reports that are coming out. When we are more certain about the identity of the user, at least we can also take targeted controls in isolating certain of those effects as well.

[00:33:33.610] – Jan Vanhaecht
I think it works in different directions, again, both from an enabling side, making things more fluent and user-friendly, while at the same time also when the worst thing happens, when the breach actually happens, not if, when the breach happens, at least you can find back where it is and take much more pointed, fast action without impacting your whole organization necessarily, if you are soon enough to the action.

[00:33:58.450] – David Puner
How does Zero Trust play into your perspective and how you’re going about your digital identity practice?

[00:34:09.470] – Jan Vanhaecht
Zero Trust is one of those big and trending topics still today. I think many parts of the world are just scratching the surface of what Zero Trust can bring. I’m seeing a number of different cases, again, sometimes in certain parts of the world, more regulatory-driven, where there’s more of a prescriptive way. If you want to apply good practices of cybersecurity, start by applying principles around Zero Trust. I have it sometimes a bit vague, but it at least gives a starting ground.

[00:34:42.170] – Jan Vanhaecht
At the same time, again, we’re looking at more from that enablement side. There’s also a lot of digital transformations that are, again, happening. I think of large ERP implementations that are happening with very hybrid IT landscapes with different providers on different platforms coming out, and you need to tie that all together. If you just want to do that in a classical way, thinking about centralized identity, but also about how data used to reside in our data centers, in core master data management systems with replications happening. That’s not sustainable anymore in that mechanism.

[00:35:22.060] – Jan Vanhaecht
Again, we need to go back to more just in time, usage of data, consuming data as it goes. That’s where actually where the principle of Zero Trust start popping up, but without Zero Trust being the predecessor, being the starting point of the engagement. Those are, I think, the most interesting real-life applications or most successful implementations of Zero Trust never started as a Zero Trust engagement.

[00:35:48.080] – Jan Vanhaecht
They started as a digital trust and digital modernization enablement track, which coincidentally, people ended up at a simplification mechanism where Zero Trust was actually a helping factor to go forward. Then again linking the points together, identity at the core, and then the data that people need to access, need to process, on the other hand, tying those two together and implementing good level of verification that the right data is being consumed by the right individual and the right individual is consuming the right data. That’s where we’ve seen success really happen. Is that then Zero Trust? It often turns out to be way more advanced in terms of adhering to Zero Trust principles than those that start as Zero Trust.

[00:36:34.360] – David Puner
Really interesting stuff, Jan. Speaking of consuming, are you close to dinner now? I guess it’s about six o’clock here in Belgium.

[00:36:44.999] – Jan Vanhaecht
Yeah, it’s almost 7:00, I think.

[00:36:47.800] – David Puner
Oh, 7:00. All right.

[00:36:48.930] – Jan Vanhaecht
The little ones are suddenly waiting for me. As you see, I’m in my office today at a wonderful gateway, I can call it, at Brussels Airport. I only, luckily, have a short drive home to make. Traffic jams, even Belgian traffic jams are surely gone by now. I hope to make that a smooth drive home.

[00:37:10.730] – David Puner
Well, sounds good. Thank you so much for your time today. Really appreciate it. Thanks for coming on to Trust Issues, Jan.

[00:37:16.950] – Jan Vanhaecht
My pleasure. Thank you so much, David.

[00:37:19.170] – David Puner
Thanks for listening to Trust Issues. If you like this episode, please check out our back catalog for more conversations with cyber defenders and protectors. Don’t miss new episodes. Make sure you’re following us wherever you get your podcast. Let’s see. Oh, yeah. Drop us a Line if you feel so inclined. Questions, comments, suggestions, which, come to think of it, are comments. Our email address is [email protected]. See you next time.