[00:00:00] Chris Sienko: Every week on Cyber Work, listeners ask us the same question. What cybersecurity skills should I learn? Well try this, go to infosecinstitute.com/free to get your free cybersecurity talent development eBook. It’s got in depth training plans for the 12 most common roles including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder and more. We took notes from employees and the team of subject matter experts to build training plans that align with the most in-demand skills. You can use the plans as is or customize them to create a unique training plan that aligns with your own unique career goals. One more time, just go to infosecinstitute.com/free or click the link in the description to get your free training plans plus many more free resources for Cyber Work listeners. Do it. infosecinstitute.com/free. Now, on with the show.
Today on Cyber Work, I’m happy to bring back returning Cyber Work guest, Susan Morrow for her fourth appearance and her first since 2019. Susan simply put is plugged into every aspect of digital identity currently being discussed. She takes us deep into the security ethical, practical and UX hurdles of current identity practices, and gives us both an optimistic and pessimistic version of the digital identity practices that might be coming in 10 years. Keep it right here, we’re Cyber Work.
[00:01:31] CS: Welcome to this week’s episode of the Cyber Work with InfoSec podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals while offering tips for breaking in or moving up the ladder in the cybersecurity industry.
Today, my returning guest, former Cyber Work guest, Susan Morrow. She’s an ex-chemist who transitioned into the IT security sector in the early 1990s, where she became a founder of a cybersecurity startup. Since then, she has built a knowledge base across diverse areas including encryption, digital rights management, digital signatures, privacy and online identity. Susan has been involved in identity projects addressing government, enterprise and consumer needs. She has helped design and commercialize award winning software solutions used by organizations of all sizes worldwide. Susan was listed as one of the most influential women in technology in the UK in 2020, 2021 and 2022 via computer weekly. She was also shortlisted in the top 100 Women in Tech in 2021. Susan is also involved in the economic injustice project, looking to provide a platform for social change in the UK. That’s economicinjustice.org.uk. Her mantra is, design for a digital life, not just digital identity.
Susan, thank you for joining me again. It’s always great to see you. Welcome back to Cyber Work.
[00:02:55] Susan Morrow: You too, Chris. It always great to see you. You’re looking well.
[00:02:58] CS: Thank you very much. Yep. Very much enjoying the conversations. If you are new to the show, Susan’s told her cybersecurity journey on several previous episodes. There’s early one on passwords. There’s one on GDPR, and there’s one on her many years as a woman in the industry, and I highly recommend you listen to all three to get caught up. So, we’ve known each other for quite some time. Susan’s contributed dozens of great articles for our InfoSec resources site. I highly recommend you check those out. I know you as someone who is both well versed in privacy regulations, like GDPR, Blockchain researcher and more. But right now, it seems like digital identity occupies a great deal of your investigation work. So put simply, what is digital identity and what are the issues and considerations surrounding it? What aspects specifically are interesting to you at the moment?
[00:03:56]SM: I’ve been working in digital identity for about a decade, and there’s been a lot of changes alongside changes in general, sort of cloud computing and everything, all within the perimeter. It’s added lot of challenges to digital identity. Sorry for the air quotes folks, but I have a few issues around the use of the term digital identity. I’m not alone. I’m not alone. The reason for that is because it causes – Language is important. And digital identity has caused a few conflations with different use cases of doing stuff. Because technology’s just there to help us to do stuff, isn’t it? That’s what technology is. Digital identity is no less, no more than just doing stuff.
The problem with adding the term identity to it is that, it starts to get a little bit kind of emotional. People find – people want to make it more than what it is. Over the years, it has caused some kind of painting into the wall of what an identity is, what it conveyed, how it’s used, what it reflects. There’s also a lot of complexity within the landscape of digital identity. It’s really unusual. So I came out of cybersecurity. 11 years ago, I was just doing cybersecurity. I used to. When I came into the digital identity arena, it was like a culture shock, because it was so complicated. I’m not saying that security isn’t complicated.
[00:05:50] CS: Right. It was a whole new type of complicated.
[00:05:54] SM: A whole new level of complexity, because it really is where technology and human beings intersect. It’s that intersection that makes it really complicated, especially when you work in things like Citizen ID and consumer identity driven transactions. That’s where it’s actually messy. Of course, cybersecurity is coming along on the coattails of those same complex issues. But anyway, so to me, digital identity is probably a misnomer. But I will use it throughout this podcast, because people know what that means and we kind of made our battle fit. But there are different ways of looking at the whole thing, the landscape is vast. They are competing and it’s sometimes adverse factions within the landscape. I don’t think it needs to be – I think it’s big enough for everybody. I think the use cases for digital identity are vast, and there’s more than one way to skin a cat, and there needs to be more than one way to skin a cat. Consumer and citizen identity is the perfect example of that, because not everybody has a smartphone, I leave it at that and I’ll bring that back later on.
[00:07:07] CS: All right. I’m not letting you leave it there, because I have a few more questions here. I just wanted to sort of pull in on something you said there that digital identity is maybe being made more complicated than it needs to be vis-à-vis just something that allows us to do stuff. Because the word identity specifically confers with it, this sense of like, not just your digital thumbprint, but almost like your digital birth certificate, or your digital social security card or your – is that it? It says it has this sort of inference of like, this is your whole life and it’s this glowing orb kind of thing, and so people are adding more to it than they need to. Is that it?
[00:07:50] SM: The recent aspect of that, I’ll come more onto that when we talk about – I also do want to talk more in depth about the different use cases for digital identity, the different ways that will be presented. But yes, absolutely, it can become extreme. The thing is, it is extremely complex, and involves need. It does need layers of protocols, and every possible aspect of cybersecurity you can think of comes into play, which I know is like your next question.
[00:08:21] CS: Yeah. It’s complicated, because it needs to be complicated. Okay. So yeah, let’s talk about that. Where does identity interface with the day-to-day work of cybersecurity in your findings? What are the biggest security risks around identity as it’s currently being formed?
[00:08:38] SM: It’s kind of always been a little – because I came out with cybersecurity into identity. The reason I did that, by the way, was because I was doing digital rights management and control of data in a very granular level. Documents and that type of thing, and digital sign and that type of thing. It was getting more and more difficult to actually identify the person who was accessing the document. Hang on a minute, this is getting really messy with cloud computing. People like coming outside the perimeter into it and so on. When I started to get involved in identity, and it was being kind of like – it was being represented as something outside of cybersecurity. I was very confused and still am.
The two are starting to – because, I’ll tell you this, Chris, digital identity overlaps with cybersecurity in every possible part you can think of. I’m trying to think of something that doesn’t impact it. When you design an identity system or do the solution architecture for an identity system, you have so many moving parts, including the human operator. Both the human using it and the administrator, for example, and other people who are working on configuration, and that type of thing. There were so many pieces that need to intersect with cybersecurity, you wouldn’t believe it. I wrote a few down, and I thought, “My God! It’s easier to actually say what isn’t” and then I couldn’t think of anything.
I mean, authentication is one that springs to mind, authentication. That security puzzle of getting usability right and security, right, it’s at the cutting edge, digital identity of that security usability balance, the cutting edge. Secure coding, my God, a lot of identity systems, the skills gap comes into play here. I mean, a lot of people turn to open source for their – I’m using the term identity in the loosest sense here, in creation and access to web resources, I’m thinking. And they turn to all sorts because they haven’t got the in-house skills to do it. But the problem is, you need to be able to understand that open source and the vulnerabilities that could be in it, with respect to its use within a wider identity system. So that’s a problem. Secure coordinate is really important.
Of course, then you have identities at the cutting edge of scams. So various scams utilize aspect or elements of digital identity. Database security, vital. TLS security or transmission of data between the different parts of the ecosystem, getting that right. API security, because everything is connected now in the identity ecosystem through API. API security, both the access to the API and the actual integration of API, and API calls and all the rest of it.
[00:11:59] CS: API seems like it’s like the big attack vector right now, like we’ve already had several people talk about something that was just so back of mind is all of a sudden like that’s the next place where all the sort of the nasties are jumping in.
[00:12:14] SM: Exactly. All these parts are weak, all these parts are attack points. What you design and develop in the architecture for these systems, no matter whose part that come onto the ecosystem. It’s such a big, wide ecosystem potentially, that you want to cover every single little part of this, because we have to be extremely knowledgeable about cybersecurity, to be able to build good and robust identity systems. I could go on. Account fraud, AML and [inaudible 00:12:47] fraud checks. KYC, the old part of identity systems. It literally has fingers in every security pie out there. Of course, phishing.
[00:12:58] CS: And of course, phishing. Yeah. I wanted to just focus on one thing you mentioned with regards to secure coding, because we talked about secure coding sometimes. It’s one of our 12 career roles, and it’s a thing that people are interested in. If I’m understanding you correctly, I mean, secure coding, obviously, it’s a set of best practices in terms of when you’re creating something new. But you’re also saying that knowledge of secure coding can – you can also use that as sort of an auditor of open-source materials. By knowing secure coding principles, you can be the secure coder on your team who can look at, “Well, we’re going to use these five open-source things” and you can say, “Watch for this. Watch for this. Watch for this.”
[00:13:38] SM: Absolutely. If somebody’s good at that sort of thing, that is absolutely worth its weight in gold. It’s where the buck stops. You can cover every other base but if you’ve left a silly hole in your code, then people will find it. Leave it open and they will come.
[00:14:02] CS: Yes, absolutely. We’ve given a laundry list of all the hard work, and identity. What’s the hardest work being done in identity? What are the what are the big problems being at least addressed and considered if that gets solved.
[00:14:16] SM: Right. I’ll come back to the ecosystem. It’s kind of just sort of bubbling up under the surface at the minute, and this is an area that I work in, and that’s why I’m very aware of it. When I was talking about the factions earlier on. Well, it looks from the outside that people who build sort of identity, sort of more traditional identity systems are at odds with the wallet people, like sovereign wallet people, and themselves. Even at non-self sovereign wallets as well. It feels like they’re at odds, but they’re actually not. In fact, I would argue that because digital identity has many use cases, then you need to have something in place that can use all of the identity systems already out there. For example, the use of identity is one of the things that keeps popping its head up. The thing is, is that, we need to stop wherever possible, creating random identity accounts of everybody left, right and center. People are just going to get hacked, let’s face it.
[00:15:37] CS: Yeah, right.
[00:15:37] SM: So we need to avoid that, but people already exist as identity providers. For example, banks. Identity wallets have some pieces of identity data in there. It doesn’t just have to be a bespoke wallet. It could be your Apple wallet, that happens to have your driver’s license in it, for example. Do you need something, some plumbing to allow the water to flow through the lines to get to the right tap? So it’s the plumbing piece, but it needs to be smart enough to be able to do a number of different things. Because this is – because there are loads of different services, want to use loads of different identity pieces. Then, you’ve got people in the middle who need to control, need to be put in control of that as part of a privacy initiative, as well as anything else.
You need to have some planning that can do a lot of different jobs. For example, it can – protocols are very important in the identity space, for the like language between all the different pieces, but not everybody speaks the same language. Or some people can speak a bit of the language, but then they don’t have some other aspects of that language. In deployment, to be able to translate the languages, or to be able to take some of the heavy load weightlifting of the service people, the web developers who don’t have the in-house skills to utilize some of the really beautiful aspects of some of these protocols that are coming out, some really beautiful aspects of protocols coming out in [inaudible 00:17:20], that sort of area. Some of that, I’ll go onto later.
You need someone to do the heavy lifting, because just like some people – let’s say a lot of people don’t have knowledge of secure coding, and check in open-source libraries. Web developers don’t have complex knowledge of protocols generally. You need to make it so it’s dirty. You’ve heard of the no code, low code revolution. Really, there is a reason for that. You need to do the heavy lifting for people, the plumbing does the heavy lifting for people. It can walk, it can search around and find the right type of identifier for that particular transaction. Then, if that’s not enough, it can go off and find a new one from somewhere else. Rather than reinventing the wheel every time, and seeing, okay, “We don’t have this data. Can you please give us and we’ll store it for you insecurely.”
You need to start pulling in all of these accounts that we keep creating, and think, hang on a second, it’s already done. Let’s stop doing this. But you need the right bits in the middle to be able to use all of the different existing wallets, or plants, or government services or whatever and bring all those pieces of data together. Obviously, these middle bits are going to have to be able to do some fancy stuff like privacy enhancement, that type of thing, migration of data. There’s lots of – but you know what, this stuff is already being done. It’s already being done over the past 10 years, the systems are in place, the mechanisms are in place to do it all. We just need to start doing it. So I think that going back to the what’s the hard work. The hard work is convincing the industry that we can all work together to do a better UX for everybody and stop – if you must insist on building wallet, there’s a big push for wallet at the minute. I have reservations about it, but I think it’s going to happen. I don’t think there’s anything I can do about it. The reservations come from the fact that not everybody has a smartphone or wants to use it.
I’ll give you a personal example, which I’ve already told people about before. I was once signing up for crypto platform account, and I had to go through a minimal amount of KYC and I had to do my passport. Picture of my passport, and a picture of me. At the same time, I had to kind of hold them up. Well, I’ve got like this condition and sometimes my hands just don’t work. So I drop things, and I can’t I kind of hold things and it’s really difficult. I couldn’t do it. I couldn’t use it. Not everybody wants to use smartphones. Not everybody has one, amazingly enough. People need options. We need options. Find printout wallets, find printout apps that do one-off jobs with identifies. Do that, but that’s not the end of the story to give people choice. Certainly, you need to give commercial enterprises online choice in how their very wide audience uses their service. Otherwise they’re going to like, they’re cutting a whole sector on there.
[00:20:52] CS: Mm hmm. Now, this might be an imperfect metaphor, but this sounds –speaking of UK versus US, I think of the old VCR, NTSC versus PAL. These identity systems are kind of being developed at the same time, but neither side wants to – or VHS versus Beta, no one wants to step down, so you have all these competing identity systems. Is that sort of what we’re having?
[00:21:20] SM: He was like, “Yeah, I mean, it just feels like – so there’s obviously a lot of investment going into the wallet development. Self-sovereign people came out a few years ago and develop this idea of privacy enhanced self-sovereign. At the time, it was blockchain based. It doesn’t have to be blockchain. Blockchain based, decentralized identities for damn good reason, because people were sick of centralized identities being attacked, or governments controlling them, or whatever reason people have that didn’t want it. Fine, I get that. Nobody gets that more than me, Chris, believe me. You know me well.
However, the reality, the actual reality, they’re still working on it. But I can see it coming, I can see it coming and that’s fine. But what I can also say is, because there’s so much investment going into it, so many companies now invest in wallets, that there’s going to be – if you know how these things should do, just shake out. Just shake out and you’re left with a view. The problem is at the minute, is that their competitors are people like existent incumbent wallets, like Apple wallet, and the Android wallet. Already, they’re making place in that space, so they’re going to have to compete with things that are already there so people don’t have to download yet another app. Yeah, because I’ve already got them, so I’ll just use that. I’ll just use that, can’t be bothered. That’s the problem. That’s the concern about this. It will shake out. There will be some, and I can say that – I can see it maybe, if there were – they’re going to – the AI in Europe, the EU is working on. In Europe, there’s a European wide identity scheme, the ID. They’re now looking at moving that to a wallet. So yeah, AI does, it’s going to be a wallet, and decentralized, probably. I can see that taken off, because it’s a government push, and people are used to in Europe using a central identity type system, but this will be decentralized. But they’re used to using this government identity.
I don’t think I can’t say that happen in America. UK would be a stretch, in the UK, but you never know. The UK changes sometimes, but it depends. Citizen ID actually is one of the things that has an unusual use case. Yeah, that is one of the places where I would say that identity is probably a decent use within that use case context. But the problem is there, is governments are so – the idea of decentralization, one of its kind of Achilles heels, is that very documents that they’re decentralizing, identity documents are decentralized, are issued by governments centrally. It’s kind of like okay, but yeah. But no, I don’t know. I mean, I’ll be attacked for saying this, because – yeah, but bring it on.
[00:24:34] CS: Yes, I got your back, Morrow. We got your back.
[00:24:39] SM: Yeah, but you know what? The market will decide. There’s room for everything.
[00:24:48] CS: Right, right, right. To that end, identity obviously intersects quite a bit with some other topics we regularly discuss on the show, and we’ve talked a little bit already, like data collection, PII, breaches due to mishandling of personal data, those are a little further down the chain here. But, obviously part of this is on the security industry’s lap. But I want to hear what you think about how identity can address some of these issues as well. If we have a robust and secure system, decentralized system of digital identity, the issue of who’s using these credentials to access your health data and financial records is probably going to be a little more narrow. Is that right?
[00:25:27] SM: Essentially, it depends on how you look at it, really. One sort of WBC and YDC sort of kind of initiatives is the use of verifiable credentials, the identity system, just to confuse everybody. Identity credentials means like age, name, that type of thing. Whereas in cybersecurity, it means like password, and username, that type of thing. [Inaudible 00:25:53], that type of thing. It gets a bit confused. When I use the word credentials in this particular sector, what I mean is, name, address, that type of thing. So verifiable credentials is now built into YDC, so that you should as a service, be able to – like health service, be able to check those credentials that are being sort of handed over during the floor, during request response flow or verified by a sort of a trusted source.
I guess this comes down to as well, a little bit of zero trust in there. As long as you can verify that those credentials are as true – I mean, it all concern probability. It’s just as how you feel comfortable as a service, to then allow access, as long as you do it in real time, which you can do. And you make sure that those credentials are verified, the protocols now are set up to give you that data, that information. Or you can do it on the fly. You don’t have to do it through the verifiable credentials route. You could do it alternatively, just do a real time on the fly check of a credential that you need. There’s lots of different ways of doing that. Lots of different – as many wallets coming into the market, there are always so many APIs that do verification checks against things like document ID, and name, address, all sorts of thing, age as well, age apps and that sort of thing to check your age. That’s a positive, because you can do verified real time checks of data before you allow access. Never trust, always verify in action in action. That’s sort of one aspect of it.
Again, this is where the plumbing comes in as well, Because you might decide, it’s not quite enough, actually. thank you very much for that. Can you just give me a little bit extra? They might not have it available in like a wallet, So you don’t want to ruin the user experience by saying, “Well, bye-bye.” You want to be able to do it much more flexibly, where you can say, “I just need a little bit more proof before I give you access.” I mean, risk-based authentication has always been there, so you can start to pull in, you can use rules if you like. Use rules to start to just add more, and more, and more layers of security to really do that, to really make zero just actually happen, rather than just to owe it.
[00:28:45] CS: Yeah, and not just be a marketing term for that. What I’m hearing a little bit too, is it sounds like we have all of the tools to succeed, it’s just going to be a matter of deciding on a large scale, which ones we’re going to choose to use, and adopt and so forth.
[00:29:05] SM: Well, this is where the design of identity systems comes into play. Identity isn’t just about technology. It’s about people, it’s about processes, it’s about liability, because this is all about data, it’s about all of those things. The designers of identity systems, the people who start the business analysts, the solution architects, all of those people have to really truly understand at a really granular level, how the people who are going to be using the system want to use it, and all of the different aspects, and all of the different – I hate using the word, but edge cases. In identity, you don’t have edge cases, you just have use cases and lots of them. People who design these systems need to go through them very thoroughly to be able to get the best out of an identity system, because there are so many choices.
[00:30:03] CS: Right. I want to sort of pivot from that into more of a speculative sort of aspects. Where do you see where we’re going now? Where do you see digital identity changing in the next 10 years? Could you give me like a pure optimist and a pure pessimist version of what it looks like in the next decade?
[00:30:26] SM: Sure. The pessimist one would be that, we still – like nobody’s really making any progress in terms of reducing the number of accounts being created online, and identity cancer already in existence, continue to be at risk all the time. We can’t reuse existing things like bank IDs. We end up in a stalemate between all the different elements of the ecosystem and it doesn’t come together cohesively. That’s the worst-case scenario and that worries me. The best case scenario is that, we recognize that what we have here is a golden opportunity to really make people doing jobs online, make their lives easy, and secure and privacy enhanced. We have the systems there ready to use. People talk a lot about open banking. Open banking is okay. I mean, I’ve done a lot of work in open banking. It’s okay. The rails of it are great. The personal ID [inaudible 00:31:33] and they’re really good. So they’ve got like a lot of flexibility and security built into them, because of the protocols.
But open banking itself is very limited in the data that it can exchange, so you need to go step beyond. There are other ways of releasing the – the bank has the data, and they are looking at releasing that data into the ecosystem, where you need to be able to ameliorate that data to be able to make it standardized to build it as user centric, to have privacy first thoughts when doing this. I think in the future, I think people are going to really take advantage of the data that’s already there, but do it in a very privacy enhanced user centric way. One of the greats in identity died, I think it was earlier this year, or late last year, the days just merge in my life. My uncle, Kim Cameron, he wrote The Seven Laws if Identity back in 2005, I think it was. It was a brilliant piece of work, and he was a great man, Kim. He was the first one, I think, to put forward this idea of people having control over their data, and user centric. That has still carried through, but it sometimes doesn’t get implemented. But that needs, in the future, that will be a core design unit in all of these systems and we’ll be able to reuse data that’s already out there, like open banking, but more premium data.
Existing IDs will be able to utilize the wallets that do fall out of this sort of very fluid market that there is at the minute, has been invested to. They fall out. That we do have an element of decentralization. I cannot believe that decentralization in its purest form will exist, because you know what, you’re always going to have to give someone your address if you want a pair of shoes shipped to you. Then, what do they do with that. Maybe something will come along, to be able to – then have to share it with it. It gets complicated once you have to –
[00:33:56] CS: Yes, surely.
[00:33:58] SM: It gets complicated, but there will be a way of bringing these things together in best – of course, there’s the web3 identity question. The identify form the backbone for web3. Well, let’s see. We’ll see.
[00:34:19] CS: But that feels like a whole extra episode right there.
[00:34:21] SM: Yeah, it’s a whole extra episode.
[00:34:24] CS: Yeah. Turning to the work of identity, l feel like what you’ve given me here is kind of like a Pandora’s box inside a Pandora’s box inside. My brain is throbbing trying to keep up with all these different implications. Tell me about the jobs and identity right now. What are the raw skills either technical or interpersonal that you need to succeed in this area? If people are listening to this, and are like, “Yes, this sounds amazing.” What should current students and people wanting to move into this area and be learning and studying about now to catch up, and what should they be looking forward in the future?
[00:35:08] SM: Well, it’s certainly very much a hot space to be in. If you don’t work in identity, it certainly will touch you at some point if you work in the tech sector. So technically, if you’re not a software programmer, you don’t have to be to work in this space. I’m not a software programmer. God forbid. It is useful, actually. I tell a lot, it is useful to understand – it is useful, it’s helped me a lot, because I got to code a bit. It does help. But understand the protocols. So get involved in – the protocols are all done as working groups within initiatives like W3C or Kantara. Well, they do all of that work. For individuals generally are free to join. Certainly. for students, they’d be free to join, I’m sure. Don’t quote me on it, but I think they are. You can get involved in that. Even if you just watch the email exchanges, between – these are all world experts working in these working groups. So get involved in those working groups in W3C and Kantara initiative.
In the UK, there’s a thing called OIX, where they do a lot of identity projects. You probably couldn’t easily get involved in them, but they publish the results, you can see the kinds of things that people are working on that’s interesting. I’d say, sorts of protocols definitely get involved in those if you’re interested in that kind of thing. You don’t have to be a software programmer to understand protocols. In fact, people who wrote the best will get involved. People who are linguists, for example, who get involved. social scientists that sort of thing. But also developers as well. But also, on the design side, UI, UX, that’s a really important aspect of the identity space. Understanding like human behavior and the interaction. I’m hoping that more anthropologists and behavioral scientists evolved in this space, because we really need to be engaged in these people. Because this is where human beings and technology truly intersect.
[00:37:20] CS: Right. That’s interesting. Yeah. Tell me about the insights that anthropologists could bring to this space?
[00:37:28] SM: At the minute, I’m working on a project with a master’s degree at Durham University in the UK, and I’m working on how proverbs affect human behavior, from an evolutionary perspective.
[00:37:42] CS: Proverbs like, a stitch in time saves nine, or [inaudible 00:37:45] kind of thing.
[00:37:45] SM: Exactly. Right. As I’ve gone through that, I’ve realized how important language is in changing behavior, and encouraging people to act in a particular way. Cybersecurity awareness training in particular would really benefit from this side of – but going back to identity. In the identity space, understanding how human behavior evolves means that you can understand why humans behave in a particular way. When you design a particular – for example, when I when I was working with the UK government design and talented design, user journeys for interaction with their system. That involved a lot of processing of, “Well, would someone do that at that point?” or “Would you do that?”
So understanding people interact with their surroundings, and if something happens to them. So understanding input is a really important aspect of digital identity design and understand how language impacts human behavior. For example, proverbs are really powerful little pieces of information. I’m sure that you could use proverbs to help to encourage people to act in a particular way, within the context of a user journey. Encourage them to – for example, when you are sort of verifying someone is true, or setting up a bank account, or something like that and taking them through a process, which is very long winded and tiring for them. You could use, pithy little statements to encourage them to do something. That I think – I think it’d be something that would certainly be worth exploring anyway. But I think, anthropology in particular because they understand humans and how we act. That would add a lot of information into the design of these systems.
[00:39:57] CS: Now, talking – we’ve come to it several times, but it seems like a big problem with sort of adopting a workable identity system across lots of different sort of competing factions is going to be sort of communicating the importance of sort of making something – do you think there’s going to be a sort of identity translator type role where people – like where their main job – almost like an evangelist where you’re sort of making people understand that maybe, you make one cent more per use if you use your own proprietary one, but it’s going to be ultimately better if we sort of use something that flows across multiple pipelines?
[00:40:44] SM: Oh, that’s an interesting thought, actually. I can see that happening. I can see that happening maybe in digital form. Maybe when we go to web3, maybe that would be actually an intrinsic part of the meal, getting people to interact securely, as well, with their identity.
[00:41:05] CS: Yeah, based on the way people communicate online, it seems like we could use a few more sort of mediators in terms of progressing ideas and so forth. I’m always just trying to sort of find options for people who want to get into this space, but feel intimidated by the sort of tech side of things. But like, if you’re a compelling storyteller.
[00:41:31] SM: Yeah, people who understand language have a lot to give to this particular sector, because it is it where human beings need to be able to use technology seamlessly. The trouble is, is that. We need to – identity in particular isn’t just about technology. It’s about processes by people. It’s about understanding what people want, and how to convey it to them in a way that they understand. Because the mass demographic that citizen ID and consumer ID has to cope with, there’s no one size fits all. I’ve learned that the hard way. I’ve learned that through peers.
[00:42:13] CS: Yeah. A lot of banging your head against the wall for years and years. You sent me a link to a nice organization called Women and Identity. Do you want to talk about them a little bit and other resources, or support organizations in this space? Do you have any advice for sort of networking in the identity space?
[00:42:31] SM: Sure. Although I am a rubbish networker, I have to say. Women and Identity is held by some of the sort of stalwarts of the industry. It’s about trying to – like the cybersecurity industry, the identity industry didn’t seem to have a lot of women in it. I was the only woman in the room, and often of 10s of men surrounding me. It is a little bit daunting sometimes. Although, I am like a bit of a hard case now like so. Not so much, but used to be. But for women that came along, to kind of try and address the balance, and give advice to women in this sector, to encourage women to join the sector. They’ll put out like a regular jobs notice to try and get women to apply for jobs in the sector. They regularly talk at all of these sorts of big conferences in identity.
I mean, I was an active member when it first started, but I’ve sort of fell by the wayside because of health problems and stuff. Just like workload, basically. But they’re still going, doing a massively important job in the industry. Like the women in the security sort of groups trying to get more women, more voices, because one of the important things about digital identity is that it affects everybody. It’s a mass demographic technology, it needs everybody involved in the design of it. It needs everybody to voice an opinion on it, whether you like that opinion or not.
[00:44:15] CS: Going back to what you said before about having – not being able to sort of photograph your passport and your face at the same time. This, especially, I mean, with identity, you’re going to be having people access this from a lot of different sorts of places, and experiences and backgrounds. So yeah, that makes perfect sense.
[00:44:36] SM: So when identity is expanded, since it started and it’s not just about women and identity. It’s about trying to give any sort of like minorities, a voice, like disabled people. People in sort of digital poverty, that type of thing. A bit of a sort of like, “Hello, I’m here. Can you please include me when you design your systems?’ That type of thing.
[00:45:00] CS: Yeah. Love it. All right. As we wrap up today, Susan, do you want to tell us a little bit about Avoco Secure, and your services and some of the projects you’re excited about to unveil later this year and next year?
[00:45:15] SM: Yeah, sure. There’s one big project that I still can’t mention the names of, annoyingly. But we thought – one of the Golden chalices of identity is to be able to reuse already verified data, to be able to reuse it rather than reinventing the wheel, right? We used to do pure identity provisioning. We realized that, “Oh my God, this is a nightmare space to be in.” But people need the plumbing, so we weren’t actually – we kind of – we already had quite pieces already anyway, and so we sort of like created a set of APIs and we use those APIs now to connect the ecosystem. This particular project is using some tier one banks in the UK, connecting them to government a government service in the first instance. We sit in the middle – you can’t say we’re just middle agency or anything, so we’re invisible. It just connects the two pieces together with the end user in the middle. So it’s user centric, privacy enhanced and it allows the data to flow between those two services nicely and seamlessly.
The bank is already doing a lot of KYC checks on that data. It uses the open banking rules and IDC, but it’s a bit more than that, because it’s an open bank and the data points can give you going up to 25 data points, am I right, if requested, if allowed by the person in the middle, you can also obviously, you can obfuscate it, minimize the data and do all of that sort of thing. Then just allow it, basically, just allows data flow. But you know, it’s a little bit more complicated than that. But it’s going to – it sounds simple, but it’s actually quite revolutionary.
[00:47:12] CS: It doesn’t sounds simple. I just want to let you know.
[00:47:15] SM: Like that swan analogy, with the little legs going, you see the little legs doing that?
[00:47:23] CS: Right. Right. Oh my God, fabulous. All right, as plug time. If our guests want to see Susan Morrow’s various work, writings or contact your company, where should they go online?
[00:47:37] SM: So InfoSec Institute resources.
[00:47:41] CS: Yep, resources.infosecinstitute.com, yep. Go talk to us. Check out contributors and find Susan’s many, many great writings on there.
[00:47:50] SM: I’ll tell you one, newsworthy stuff, high level stuff about cyber news.
[00:47:56] CS: About leadership. There you go.
[00:47:57] SM: Yeah. See us online, specifically talking about identity. It’s all over the place. Well, also on our website, avocoidentity.com is where you can contact us. Yeah, kind of all over the place actually, seem to like get around a bit, because I’m better at writing than I am talking.
[00:48:21] CS: Okay. You’re doing fine. Can people contact you on LinkedIn as well?
[00:48:27] SM: Oh, yes.
[00:48:28] CS: Oh, great. Okay, great. We have a lot of listeners that like to connect with our guest and ask few questions.
[00:48:34] SM: Yeah. I’m not on Twitter anymore. I came off because I couldn’t stand it anymore.
[00:48:39] CS: No, we’re not doing that now. All right. Well, Susan, thank you again, for coming back to Cyber Work. It’s always a pleasure to talk to you.
[00:48:47] SM: Yeah. You too, Chris.
[00:48:48] CS: As always, I’d like to thank you all for listening to and watching the Cyber Work podcast on an unprecedented scale. Our numbers have shot through the roof in the last couple of months, so we are absolutely delighted to have you all along for the ride. If you like what you’re hearing, share it with your friends, maybe subscribe to our YouTube page or put us in your podcast feed. Also, go to infosecinstitute.com/free to get your free Cybersecurity Talent Development eBook. It’s got in-depth training plans for the 12 most common job roles including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder and more. We took notes from employers and a team of subject matter experts to build training plans that align with the most in-demand skills. You can use the plans as is, or customize them to create unique training plan that aligns with your own unique career goals.
One more time, just go to infosecinstitute.com/free or click the link in the description below and you can get your free training plan, That is all. Do it. Infosec.com/free. Thanks once again to Susan Morrow, and thank you all so much for watching and listening. We will speak to you next week. Bye now.