Digital identity and cybersecurity are inseparable

[00:00:00] Chris Sienko: Every week on Cyber Work, listeners ask us the same question. What cyber security skills should I learn? Well try this. Go to infosecinstitute.com/free to get your free cybersecurity talent development e-book. It's got in-depth training plans for the 12 most common roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder, and more. We took notes from employees and a team of subject matter experts to build training plans that align with the most in-demand skills. You can use the plans as is or customize them to create a unique training plan that aligns with your own unique career goals. One more time, just go to infosecinstitute.com/free or click the link in the description to get your free training plans, plus many more free resources for Cyber Work listeners. Do it, infosecinstitute.com/free. Now, on with the show.

Today on Cyber Work, I'm happy to bring back returning Cyber Work guest, Susan Morrow for her fourth appearance and her first since 2019. Susan, simply put, is plugged into every aspect of digital identity currently being discussed, and she takes us deep into the security ethical, practical, and UX hurdles of current identity practices, and gives us both an optimistic and pessimistic version of the digital identity practices that might be coming in 10 years. Keep it right here on Cyber Work.

[00:01:31] CS: Welcome to this week's episode of the Cyber Work with InfoSec podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals, while offering tips for breaking in or moving up the ladder in the cybersecurity industry.

So today is my returning guest, former Cyber Work guest, Susan Morrow. She's an ex-chemist who transitioned into the IT security sector in the early 1990s, where she became a founder of a cybersecurity startup. Since then, she has built a knowledge base across diverse areas, including encryption, digital rights management, digital signatures privacy and online identity. Susan has been involved in identity projects addressing government, enterprise, and consumer needs. She has helped design and commercialize award-winning software solutions used by organizations of all sizes worldwide.

Susan was listed as one of the most influential women in technology in the UK in 2020, 2021, and 2022, via Computer Weekly. She was also shortlisted in the top 100 Women in Tech in 2021. Susan is also involved in the Economic Injustice Project, looking to provide a platform for social change in the UK. That's economicinjustice.org.uk. Her mantra is designed for a digital life, not just digital identity.

Susan, thank you for joining me again. It's always great to see you. Welcome back to Cyber Work.

[00:02:55] Susan Morrow: You too, Chris. It’s always great to see you. You look well.

[00:02:58] CS: Thank you very much. Yup, very much enjoying the conversations. If you are new to the show, Susan's told her cybersecurity journey on several previous episodes. There's an early one on passwords, there's one on GDPR, and there's one on her many years as a woman in the industry. I highly recommend you listen to all three to get caught up.

We've known each other for quite some time, and Susan's can contribute to dozens of great articles for our InfoSec resources site. I highly recommend you check those out. So I know you as someone who is both well-versed in privacy regulations like GDPR, blockchain, research, and more. But right now, it seems like digital identity occupies a great deal of your investigation work. So put simply, what is digital identity, and what are the issues and considerations surrounding it? What aspects specifically are interesting to you at the moment?

[00:03:55] SM: So I've been working in digital identity for about a decade, and there's been a lot of changes, alongside changes in general sort of cloud computing, that type of thing or [inaudible 00:04:08] perimeter. It's had a lot of challenges to digital identity. Sorry for the air quotes but –

I have a few issues around the use of the term digital identity, and I'm not alone. I'm not alone. The reason for that is because it causes – Language is important, and digital identity has caused a few conflations with different use cases of doing stuff. Yeah. Technology is just there to help us to do stuff, isn’t it?

[00:04:47] CS: Yes.

[00:04:48] SM: That’s what technology is, right? Digital identity is no less, no more than just doing stuff. The problem with adding the term identity to it is that it starts to get a little bit kind of emotional. People find – People want to make it more than what it is. Over the years, it has caused some kind of painting into the wall of what an identity is, what it conveyed, how it's used, what it reflects.

There's also a lot of complexity within the landscape of digital identity. It's really unusual. So I came out of cybersecurity. So 11 years ago, I was just doing cybersecurity, and I stopped. When I came into the digital identity arena, it was like a culture shock because it’s just so complicated. I'm not saying that security isn't complicated.

[00:05:50] CS: Yeah. Right, right.

[00:05:51] SM: Obviously –

[00:05:51] CS: There's a whole new type of complicated.

[00:05:54] SM: New level of complexity because it really is where technology and human beings intersect. It’s that intersection that makes it really complicated, especially when you work in things like citizen ID and consumer identity-driven transactions. That side of things can get messy. Of course, cybersecurity is coming along on the coattails of those same complex issues.

But anyway, sort of main digital identity is probably a misnomer. But I will use it throughout this podcast because people know what that means, and we kind of made our battle fit. But there are different ways of looking at the whole thing. The landscape is vast. They are competing, and it's sometimes adverse factions. And I don't think it needs to be – I think the use cases for a digital identity are vast, and there's more than one way to skin a cat, and it needs to be more than one way to skin a cat.

Consumer and citizen identity is the perfect example of that because not everybody has a smartphone. I’ll leave it at that, and I'll bring that back later on.

[00:07:06] CS: All right. I'm not letting you leave it there because I have a few more questions here. So I just wanted to sort of pull in on something you said there that digital identity is maybe being made more complicated than it needs to be vis-à-vis just something that allows us to do stuff because the word identity specifically confers with it this sense of like you're not just your digital thumbprint but almost like your digital birth certificate or your digital Social Security card or your adult – Is that it? It’s something that it has this sort of inference of like this is your whole life, and it’s this glowing orb kind of thing. So people are adding more to it than they need to. Is that it?

[00:07:50] SM: That is an aspect of that. But I'll come more on to that when we talk about – I also do want to talk more in depth about the different use cases for digital identity, the different ways that it could be presented. But, yes, absolutely, it can become extreme.

The thing is it is extremely complex, and it does need layers protocols and every possible aspect of cybersecurity when you think of comes into play, which I know is like your next question.

[00:08:22] CS: Yeah. No. So it's complicated because it needs to be complicated. Yeah. Okay. So yeah. So let's talk about that. Where does identity interface with the day-to-day work of cybersecurity in your findings, and what are the biggest security risks around identity as it's currently being formed?

[00:08:39] SM: So it's kind of always been a little – Because I came out with cybersecurity into identity. The reason I did that, by the way, was because I was doing digital rights management and control of data in a very granular level, right? And documents and that type of thing and digital sign and that type of thing. It was getting more and more difficult to actually identify the person who was accessing the document. Yeah.

Hang on a minute. This is getting really messy with cloud computing, and people like coming outside of the perimeter into it and so on. So when I started to get involved in identity and it was being represented as something outside of cybersecurity, I was very confused and still am. The two are starting to – Because I'll tell you this, Chris. Digital identity overlaps with cybersecurity in every possible part you can think of. I'm trying to think of something that doesn't impact it.

When you design an identity system or do the solution architecture for an identity system, you have so many moving parts, including the human operator, both the human using it and the administrator, for example, and the other people who are working on configuration andthat type of thing. Just there were so many pieces that need to intersect with cybersecurity. You wouldn't believe it.

So I wrote a few down, and I thought, “My, God. Easier to actually see what isn't,” and then I couldn't think of anything. So I mean, authentication is one that springs to mind, authentication. That security puzzle of getting usability right and security right, it's at the cutting edge digital identity of that security usability balance, the cutting edge. Secure coding, my God. A lot of identity systems. The skills gap comes into play here. Yeah.

I mean, a lot of people turn to open source for the – I'm using the term identity in the loosest sense. Yeah, the term ‘creation’, yeah, and access to web resources, that type of thing. They turn to open source because they haven't got the in-house skills to do it. Yeah. But the problem is you need to be able to understand that open source and the vulnerabilities that could be in it, with respect to its use within a wider identity system. So that's a problem. So secure coding is really important.

Of course, then you have identities at the cutting edge of scans. Yeah. So those scams utilize aspects or elements of digital identity. Yeah. So database security. Yeah. Database security, vital. Sort of TLS security of transmission of data between the different parts of the ecosystem. You’re getting that right. API security because everything is connected now in the identity ecosystem through API security, both the access to the API and the actual integration of API and API calls and all the rest of it.

[00:11:59] CS: API, it seems like it's like the big attack vector right now. Like we've already had several people talk about something that was just so back of mind is all of a sudden like that's the next place where all the sort of the nasties are jumping in.

[00:12:13] SM: I love it. Exactly. All these parts are weak part. All these parts are attack points. When you’re designing and developing the architecture for these systems, there is – no matter who is coming into the ecosystem, it’s such a big, wide ecosystem, potentially, that you want to cover every single little part of this because you have to be extremely knowledgeable about cybersecurity to be able to build good and robust identity systems. That go on. Account fraud, AML, [inaudible 00:12:47] fraud checks, KYC, the old part of identity systems. It literally has fingers in every security pie out there. Of course, phishing.

[00:12:57] CS: And, of course, phishing. Yup, yup. I want to just focus on one thing you mentioned with regards to secure coding because we talk about secure coding sometimes, and it's one of our 12 career roles. It’s a thing that people are interested in. So if I'm understanding you correctly, I mean, secure coding, obviously, it's a set of best practices in terms of when you're creating something new. But you're also saying that knowledge of secure coding, you can also use that as sort of an auditor of open source materials. By knowing secure coding principles, you can be the secure coder on your team who can look at, well, we're going to use these five open source things, and you can say, “Watch for this. Watch for this. Watch for this.”

[00:13:39] SM: Yes, absolutely. It’s also great. If somebody is good at that sort of thing, then that is absolutely worth its weight in gold.

[00:13:48] CS: Yes, absolutely.

[00:13:49] SM: It's where the book stops. It’s where the book stops. You could have every little bit. But if you've left a silly hole in your code, then people – They’ll find it. Leave it open, and they will come.

[00:14:02] CS: Yes, absolutely. So we've given a laundry list of all the hard work that you’ve done in identity. What's the hardest work currently being done in identity? What are the big problems being at least addressed and considered and finally gets solved?

[00:14:17] SM: Right. So I'll come back to the ecosystem. It’s kind of just sort of bubbling up onto the surface at the minute, though, and this is an area that I work in, and that's why I'm very aware of it. You know when I was talking about the factions earlier on.

[00:14:37] CS: Yes.

[00:14:37] SM: Well, it looks from the outside that people who build sort of identity, like sort of more traditional identity systems, are at odds with the Wallet people. Yeah, like the self-sovereign wallet people. And non-self-sovereign, you get non-self-sovereign wallets as well. It feels like they're at odds, but they're actually not. In fact, I would argue that because digital identity has many use cases, then you need to have something in place that can use all of the identity systems already out there.

So for example, the use identity is one of the things that keeps popping its head up, and the thing is that we need to stop wherever possible creating random identity accounts of everybody left, right, and center. People are just going to get hacked. Let's face it.

[00:15:36] CS: Yeah, right.

[00:15:38] SM: So we need to avoid that. But people already exist as identity providers. For example, banks. Yeah. Identity wallets have some pieces of identity data in there, and it doesn't just have to be a baseball wallet. It could be your Apple wallet that happens to have your driver's license in it, for example. Yeah. You need something, some plumbing to allow the water to flow through the lines to get to the right tap. Yeah. So it's the plumbing piece, but it needs to be smart enough to be able to do a number of different things.

Because loads of different services want to use loads of different identity pieces, and then you’ve got people in the middle who need to control that and need to be put in control of that as part of a privacy initiative, as well as anything else. You need to have some plumbing that can do a lot of different jobs. For example, it can – Protocols are very important in the identity space for the sort of language between all the different pieces. But not everybody speaks the same language, or some people can speak a bit of the language, but then they don't have some other aspects of that language.

So in the plumbing, to be able to translate the languages or to be able to take some of the heavy load weightlifting of the service people, the web developers who don't have the in-house skills, to utilize some of the really beautiful aspects of some of these protocols that are coming out, some really beautiful aspects of protocols from IDC, that sort of area. Some of that I'll come on to later. You need someone to do the heavy lifting because just like a lot of people don't have knowledge of open – Sorry, secure coding, and checking on source libraries.

Web developers don't have complex knowledge of protocols, generally, generally. You need to make it – So it's a study. You've heard of the law called revolution. It's really – There is a reason for that. You need to do the heavy lifting for people. The plumbing does the heavy lifting for people. It can walk. It can search around and find the right type of identifier for that particular transaction.

Then if that's not enough, it can go off and find a new one from somewhere else, rather than reinventing the wheel every time and saying, “Right. Okay, we don't have this data. Can you please give us it, and we'll store it for you and securely, and securely.” We need to start pulling in, pulling in all of these accounts that we keep creating and think how, “Hang on a second. It’s already done. Let’s stop doing this.” But you need the write bits in the middle to be able to like use all of the different existing like wallets or plants or government services or whatever, and bring all those pieces of data together.

There's obviously – You could – These middle bits are going to have to be able to do some fancy stuff like privacy enhancement, that type of thing, analyzation of data. There's lots of – But you know what? This stuff has already been done, right? It's already been done over the past 10 years. The systems are in place. The mechanisms are in place to do it all. We just need to start doing it.

So I think that going back to the what's the hard work, the hard work is convincing the industry that we can all work together to do a better UX for everybody and stop – If you must insist on building wallet, there's a big push for wallet at the minute, right? I have reservations about it, but I think it's going to happen, and I don't think there's anything I can do about it. My reservations come from the fact that not everybody has a smartphone or wants to use it.

I'll give you a personal example, which I've already told people about before. I was once signing up for a crypto platform account, and I had to go through a minimal amount of KYC, and I had to do my passport – A picture of my passport and a picture of me. At the same time, I had to kind of hold them up. Well, I've got like this condition, and sometimes my hands just don’t work, right? So I drop things, and I can't hold things, and it's really difficult. I couldn't do it. I couldn't use it. Yeah. I couldn’t work.

Not everybody wants to use smartphones. Not everybody has one, amazingly enough, right? People need auctions. Bring out wallets. Bring out apps that do one off jobs with – Identify us. Do that, but that's not the end of the story. You need to give people choice. Certainly, you need to give commercial enterprises online choice in how their very wide audience uses their service. Otherwise, they're going to like – They’ll cut out a whole sector on it.

[00:20:54] CS: Now, this might be an imperfect metaphor, but this sounds – Speaking of UK versus US, I think of like the old VCR, NTSC versus PAL. These identity systems are kind of being developed at the same time, but neither side wants to step – Or VHS versus beta. Like no one wants to step down, so you have all these competing identity systems. Is that sort of what we're having?

[00:21:21] SM: Yeah. I mean, it just feels like – So there's obviously a lot of investment going into the wallet development. So you think – Self-sovereign people came out a few years ago and developed this idea of privacy-enhanced, self-sovereign. At the time, it was blockchain-based. It doesn't have to be blockchain. Blockchain-based, decentralized identities for a damn good reason because people was sick of centralized identities being attacked or governments controlling them or whatever reason people have. They didn't want to – Fine. I get that. Like nobody gets that more than me, Chris. Believe me. You know me well.

However, the actual reality, they’re still working on it. But I can see it coming. I can see it coming, and that's fine. But what I can also say is because there's so much investment going into it, so many companies now invest in wallets, that there's going to be – You know how these things do. They shake out. They shake, out, and you're left with a few. The problem is at the minute is that their competitors are people like existent incumbent wallets like Apple wallet and the Android wallet. Already, they're making plays in that space.

So they're going to have to compete with things that are already there so that people don't have to download yet another app. Yeah. Because we’ve already got them. So we’ll just use that. I just use that. So that's the problem. That's the concern about this. It will shake out. There will be some, and I can see that maybe if there were – They’re going to – So the AI in Europe. Yeah. So the EU is working on. In Europe, there's a European-wide identity [inaudible 00:23:04], PID, and they’re now looking at moving that to a wallet.

So, yeah, the IDAS is going to be in a wallet, decentralized, probably. I can see that taking off because it's a government push, and people are used to in Europe using a central identity type system. This will be decentralized, but they're used to using this government identity. I don't think – I can't say that happened in America. UK would be a stretch in the UK. UK changes sometimes. But it depends.

Citizen ID, actually, is one of the things that has an unusual use case. Yeah. That is one of the places where I would say that identity is probably a decent use within that use case context because – But problem is governments. So the decentralized idea of decentralization is one of this kind of Achilles heels. Is that very document that they're decentralizing. Identity documents are decentralized and are issued by governments centrally? It’s kind of like, “Okay. But, yeah.” But no. You know?

[00:24:24] CS: Yeah, totally.

[00:24:25] SM: I mean, you know what? I'll be attacked for saying this because – Yeah. But bring it on.

00:24:33 CS: Yes. Yes. I got your back, Morrow. I got you back.

[00:24:39] SM: Yeah. But you know, what? The market will decide. The market will decide. There’s room for everything. There’s room for everything.

[00:24:47] CS: Right, right, right. So then, identity obviously intersects quite a bit with some other topics we regularly discuss on the show, and we've talked a little bit of already like data collection, PII breaches due to mishandling of personal data. They're a little further down the chain here. But, obviously, part of this is on the security industry's lap. But I want to hear what you think about how identity can address some of these issues as well. If we have a robust and secure system, decentralized system and digital identity, the issue of who's using these credentials to access your health data and financial records is probably going to be a little more narrow. Is that right?

[00:25:27] SM: Potentially. It depends. If you look at it from – It depends on what you're looking at really. So one of the sort of [inaudible 00:25:33] and YDC sort of kind of initiatives is the use of verifiable credentials in the identity system. Just to confuse everybody. Identity credentials means like age, name, that type of thing. Whereas in cybersecurity, it means like password and username, that type of thing. So it gets a bit confused.

So when I use the word credentials in this particular sector, what I mean is name, address that type of thing. So verifiable credentials is now built into YDC so that you should, as a service, like health service, be able to check those credentials that are being sort of handed over during the request response flow or verified by a sort of trusted source. Yeah.

I guess this comes down to as well a little bit of zero trust in there. Yeah. As long as you can verify that those credentials are as true – I mean, it all comes down to probability. Yeah. It’s just show us you feel comfortable as a service, yeah, to then allow access. As long as you do it in real time, which you can do, and you make sure that those credentials are verified, the protocols now are set up to give you that data, that information. Yeah.

Or you can do it on the fly. You don't have to do it through the verifiable credentials route. You could do it alternatively. Just do a real time on the fly check of a credential that you need, and there's lots of different ways of doing that. Lots of different – As there are as many wallets coming into the market, there are always many APIs that do verification checks against things like document ID, name, address, that type of thing, age as well, age apps and that type of thing to check your age.

That's a positive because you can do verified real time checks of data before you allow access. So it's never trust, always verify in action, in action. Yeah. So that's sort of one aspect of it. Again, you can – Again, this is where the plumbing comes in as well because you might decide, “You know what, it's not quite enough, actually. Thank you very much for that, it’s not quite enough. Can you just give me a little bit extra?”

They might not have it available in like a wallet. So you don't want to ruin the user experience by saying, “Well, bye-bye.” You want to be able to do it looking more flexibly where you can say, “I just need a little bit more proof before I give you access.” So all you can – I mean, risk-based authentication has always been there. So you can start to pull in. You can use rules, if you like. Use rules to start to just add more and more and more layers of security to really do that. To really make zero trust actually happen, rather than just talk about it.

[00:28:46] CS: Yeah, yeah, and not just be a marketing term for that. So what I'm hearing a little bit too is it sounds like we have all of the tools to succeed. It's just going to be a matter of deciding on a large scale which ones we're going to choose to use and adopt and so forth.

[00:29:05] SM: Well, this is where the design of identity systems comes into play. So identity isn't just about technology. It's about people. It's about processes. It’s about liability because this is all about data. It’s about all of those things. So we’re designers of identity systems. The people who start the business, analysts, the solution architects, you're all of those people who have to really truly understand at a really granular level how the people who are going to be using the system want to use it and all of the different aspects and all of the different, I hate using the word, but edge cases.

In identity, you don't have edge cases. You just have use cases and a lot of them. People who design these systems need to go through them very thoroughly to be able to get the best out of an identity system because there are so many choices.

[00:30:04] CS: Right. Okay. So I want to sort of pivot from that into more of a speculative sort of aspect. So where do you see where we're going now? Where do you see digital identity changing in, say, the next 10 years? Could you give me like a pure optimist and a pure pessimist version of what it looks like in the next decade?

[00:30:26] SM: Sure. So the pessimist one would be that we still – Like nobody's really making any progress in terms of reducing the number of accounts being created online. I mean, identity counts are already in existence, continue to be at risk all the time. We can't reuse existing things like bank IDs, sort of the – We end up in a stalemate between all the different elements of the ecosystem, and it doesn't come together cohesively. That's the worst-case scenario, and it worries me.

The best-case scenario is that we recognize that what we have here is a golden opportunity to really make – People doing jobs online, make their lives easy and secure and privacy-enhanced. We have the systems there ready to us. People talk a lot about open banking. So open banking is okay. I mean, I've done a lot of work in open banking. It's okay. The rails of it are great. They're based on OIDC and FAPI, and they're really good. So they've got like a lot of like flexibility and security built into them because of the protocols. But open banking itself is very limited in the data that it can exchange. So you need to go a step beyond.

There are other ways of releasing that. The bank has the data, and they are looking at releasing that data into the ecosystem. But you need to be able to ameliorate that data to be able to like make it standardized, to build it, as well as user-centric, to have privacy-first thoughts when doing this. In the future, I think people are going to really take advantage of the data that's already there but do it in a very privacy-enhanced user-centric way.

One of the greats in identity died. I think it was early on this year or late last year. The days just merge in my life. My uncle, Kim Cameron, he wrote the seven laws of identity back in 2005, I think it was. That was all – It was a brilliant piece of work. He was a great man, Kim, and he was the first one, I think, to perform this idea of people having control over the data, and thing was user-centric. That has still carried through, but it sometimes doesn't get implemented.

In the future, that will be a core design remit in all of these systems, and we'll be able to reuse it. That's already out there like open banking but premium, more premium data, and existing IDs. We’ll be able to utilize the wallets that do fall out of this sort of like very fluid market that there is at the minute. It has been invested in to the fallout, that we do have an element of decentralization.

I cannot believe that decentralization in its purest form will exist because, you know what, you're always going to have to give someone your address, if you want that pair of shoes shipped to you. Then what do they do with that? Maybe something will come along to be able to – After that, they have to share it with it. It gets complicated once you have to --

[00:33:56] CS: Yes. Surely, yeah.

[00:33:58] SM: It gets complicated. But there will be a way of bringing these things together in best – Of course, then there’s the Web3 identity question. Identity form the backbone for Webs3. Well, we’ll see.

[00:33:58] CS: Yeah, yeah.

[00:34:17] SM: We'll see. We'll see. But –

[00:34:19] CS: That feels like a whole lecture episode right there.

[00:34:21] SM: Yeah. It’s a whole lecture. Extra episode.

[00:34:24] CS: Yeah. So turning to the work of identity, like I feel like what you've given me here is kind of like a Pandora's box inside a Pandora's box inside – My brain is throbbing, trying to keep up with all these different implications. So like tell me about the jobs and identity right now. What are the raw skills, either technical or interpersonal, that you need to succeed in this area? If people are listening to this and are like, “Yes, this sounds amazing,” like what should current students and people wanting to move into this area be learning and studying about now to catch up? What should they be looking forwards in the future?

[00:35:08] SM: Well, it's certainly very much a hot space to be in. If you don't work in identity, it certainly will touch you at some point, if you work in the tech sector. So technically, if you're not a software programmer, you don't have to be to work in this space. I'm not a software programmer. I code a bit. It is useful, actually. I'll tell you, it is useful to understand. It is useful. It's helped me a lot, I’ll give you that, it does help.

But understand the protocols. So get involved in – The protocols are all done as working groups have been initiatives like W3C or Kantara. Well, they do all of that work. For individuals, generally, they’re free to join. Certainly, for students, they’d be free to join. I'm sure. Don't quote me on it, but I think they are, and you can get involved in that. You can just – Even if you just watch the email exchanges between – These are all world experts working in these working groups. So get involved in those working groups in W3C and Kantara Initiative.

In the UK, there's a thing called OIX, where they do a lot of identity projects, and probably you could easily get involved in them. They publish the results. You can see the kind of things that people are working on that's interesting. I'd say – So protocols definitely, get involved in those, if you're interested in that kind of thing. You don't have to be a software programmer to understand protocols. In fact, people who wrote the best will get involved. People are linguists, for example, who get involved. Social scientists, that type of thing, but also developers as well.

But also, on the design side, UI UX, that's a really important aspect of the identity space, understanding like human behavior and the interaction. I'm hoping that more anthropologists and behavioral scientists are involved in this space because we really need to be engaged in these people because this is where human beings and technology truly intersect.

[00:37:20] CS: Right. That's interesting. Yeah. Yeah. So what would – Tell me about the insights that anthropologists could bring to the space.

[00:37:29] SM: At the minute, I'm working on a project with a master's degree at Durham University in the UK, and I'm working on how proverbs affect human behavior from an evolutionary perspective.

[00:37:42] CS: Proverbs like a stitch in time saves nine or the request type ones kind of thing?

[00:37:45] SM: Exactly. Yeah, yeah. Exactly. So as I've gone through that, I've realized how important language is in changing behavior and encouraging people to act in a particular way, right? Cybersecurity awareness training, in particular, would really benefit from this side of – But going back to identity, so in the identity space, understanding how human behavior evolves means that you can understand why humans behave in a particular way.

So when you design a particular – For example, when I working with the UK government, designing user journeys for interaction with their system. That involved a lot of processing of – Well, would someone do that at that point? Yeah. So understanding people interact with their surroundings, and if something happens to them. So understanding behavior is a really important aspect of digital identity design and understanding how language impacts human behavior.

For example, proverbs are really powerful little pieces of information. I'm sure that you could use proverbs to help to encourage people to act in a particular way, within the context of a user journey. Yeah. Encourage them to – So for example, when you are sort of verifying someone is true or setting up a bank account or something like that and taking them through a process, which is very long-winded and tiring for them. You could use pithy little statements to encourage them to do something. I think it'd be something that will certainly be worth exploring anyway. But I think anthropology in particular because it understand humans and how we act. That would add a lot of information into the design of these systems.

[00:39:57] CS: Now, talking – We’ve come to it several times. But it seems like a big problem with sort of adopting a workable identity system across lots of different sort of competing factions is going to be sort of communicating the importance of sort of making something – Is there – Do you think there's going to be a sort of identity translator type role, where people – Like where their main job would be almost like an evangelist, where you're sort of making people understand that maybe you make one cent more per use if you use your own proprietary one, but it's going to be ultimately better if we sort of use something that flows across multiple pipelines?

[00:40:44] SM: Oh, that's an interesting thought, actually. Yeah. I can see that happening. I can see that happening maybe in digital form. Maybe when you use – When we go to Web3, maybe that would be actually an intrinsic part of getting people to interact securely, as well with their identity. Yeah. That’s –

[00:41:05] CS: Yeah. Based on the way people communicate online, it seems like we could use a few more sort of mediators in terms of progressive ideas and so forth. I’m always just trying to sort of find options for people who want to get into this space, but feel intimidated by the sort of tech side of things. But like if you're a compelling –

[00:41:28] SM: People who understand language. Yeah. People who understand language have a lot to give to this particular sector because it is where human beings need to be able to use technology seamlessly. The trouble is that we need to – Identity in particular isn't just about technology. It's about processes. It's about people. It's about understanding what people want and how to convey it to them in a way that they understand because the mass demographic that is citizen ID and consumer ID has to cope with. There's no one size fits all. I’ve learned that the hard way. I've learned that through the years.

[00:42:12] CS: Yeah. A lot of banging your head against the wall for years and years. So you sent me a link to a nice lean organization called Women and Identity. Do you want to talk about them a little bit and other resources or support organizations in the space? Do you have any advice for sort of networking in the identity space?

[00:42:31] SM: Sure. Although I am a rubbish networker, I have to say. Women and Identity, it’s held by some of the sort of stalwarts of the industry. It’s about trying to – Because like the cybersecurity industry, the identity industry didn't seem to have a lot of women in it. I was the only woman in the room and often tens of men surrounded me. It is a little bit down sometimes, although I am like a bit of a hard case now, so not so much. But it used to be.

But Women and Identity came along to kind of like try and redress the balance and give a voice to women in this sector, to encourage women to join the sector. So they put out like regular jobs notice to try and get women to apply for jobs in the sector. They regularly talk all of these sort of like big conferences in identity. It’s this – I mean, I was an active member when it first started, but I've sort of fell by the wayside because of health problems and stuff and just like workload basically.

But the stalwarts are still going, doing a massively important job in the industry. Like the women in the security sort of groups, trying to get more women, more voices because one of the important things about digital identity is that it affects everybody. It's a massive demographic technology. It needs everybody involved in the design of it. It needs everybody’s voice and opinion on it, whether you like that opinion or not.

[00:44:15] CS: Yeah. Going back to what you said before about not being able to sort of photograph your past art or your face at the same time, like there's going to – This especially, I mean, with identity, you're going to be having people access this from a lot of different sorts of places and experiences and backgrounds. So, yeah, that makes perfect sense.

[00:44:37] SM: Women and Identity has expanded since it started, and it's not just about Women and Identity. It's about trying to give any sort of like minorities a voice, like disabled people, people in sort of digital poverty, that type of thing. A bit of a sort of like, “Hello, I'm here. Can you please include me when you design your systems?” You know that type of thing.

[00:45:00] CS: Yeah. I love it. All right, so as we wrap up today, Susan, do you want to tell us a little bit about Avoco Secure and your services and some of the projects you're excited about to unveil later this year and next year?

[00:45:14] SM: Yeah, sure. So there's one big project that I still can't mention the names of. But thought – So one of the golden chalices of identity is to be able to reuse already verified data, to be able to reuse it, rather than reinventing the wheel, right? So we used to do pure identity provisioning, and we realized that, “Oh, my God. This is a nightmare space to be in.” But people need the plumbing. So we weren't actually – We already had quite pieces already anyway. So we sort of like created a set of APIs, and we use those APIs now to connect the ecosystem.

So this particular project is using some tier one banks in the UK, connecting them to a government service, in the first instance. We sit in the middle. You can't see us. We’re just middle way. You don't see anything. So we're invisible. It just connects the two pieces together with the end user in the middle, so it's user-centric, privacy-enhanced. It allows the data to flow between those two services nicely and seamlessly.

So the banks have already done a lot of KYC checks on that data. It uses the open banking rules and OIDC, but it's a bit more than that because [inaudible 00:46:39] only gives you a few data points. This can give you up to 25 data points, if I’m right, if requested by the – If allowed by the person in the middle. Obviously, you can obfuscate it, minimize the dealer, and do all of that sort of thing. Then it'll just allow it. Basically, it just allows data flow. It’s a little bit more complicated than that, but it's going to. It sounds simple, but it's actually quite revolutionary.

[00:47:12] CS: It doesn’t sound simple. I just want to let you know.

[00:47:14] SM: Yeah, that one analogy, the little legs. The little legs doing that.

[00:47:23] CS: Yeah. Right, right. Oh, my God. Fabulous. All right. It’s plug time. If our guests want to see Susan Morrow’s various work, writings, or contact your company, where should they go online?

[00:47:38] SM: So InfoSec Institute resources.

[00:47:41] CS: Yup, resources at infosecinstitute.com. Yup. Go talk to us. Yup. Check out contributors and find Susan's many, many great writings on that.

[00:47:50] SM: I tell you what, use all this stuff and use this stuff, high-level stuff, as cyber news.

[00:47:56] CS: Oh, leadership. There you go.

[00:47:58] SM: See us all online specifically talk about identity. It’s all over the place. Well, also on our website, avocoidentity.com.

[00:48:08] CS: Avoco Identity. Okay.

[00:48:09] SM: Yeah. avocoidentity.com is where you can contact us.

[00:48:12] CS: Got it.

[00:48:14] SM: Yeah. Kind of all over the place, actually. I seem to like get around a bit. It’s because I'm better at like when I am talking.

[00:48:21] CS: Okay. You're doing fine. Can people contact you on LinkedIn as well?

[00:48:27] SM: Oh, yes.

[00:48:28] CS: Oh, great. Okay, great.

[00:48:29] SM: Yes, yes. I get to –

[00:48:30] CS: Yeah. We have a lot of listeners that like to connect with our guests and asking questions.

[00:48:34] SM: I’m not on Twitter anymore. I came off because I couldn't stand it anymore, doing nothing.

[00:48:38] CS: No, no. No, we're not doing that now. All right. Well, Susan, thank you again, for coming back to Cyber Work. It's always a pleasure to talk to you.

[00:48:47] SM: Yeah. You too, Chris.

[00:48:49] CS: And as always, I'd like to thank you all for listening to and watching the Cyber Work podcast on an unprecedented scale. Our numbers have shot through the roof in the last couple of months, and so we are absolutely delighted to have you all along for the ride. If you like what you're hearing, share it with your friends. Maybe subscribe to our YouTube page or put us in your podcast feed.

Also, go to infosecinstitute.com/free to get your free cybersecurity talent development e-book. It's got in-depth training plans for the 12 most common job roles, including SOC analyst, penetration tester, cloud security and engineer, information risk analyst, privacy manager, secure coder, and more. We took notes from employers and a team of subject matter experts to build training plans that align with the most in-demand skills. You can use these plans as is or customize them to create a unique training plan that aligns with your unique career goals. So one more time, just go to infosecinstitute.com/free. Or click the link in the description below, and you can get your free training plan. That is. All do it, infosecinstitute.com/free.

Thanks once again to Susan Morrow, and thank you all so much for watching and listening, and we'll speak to you next week. Bye now.