Join us for an insightful conversation about the looming identity crisis in cybersecurity, discussing how the prominence of identity and the impact of AI shape human roles in the field. Listen up to gain insights on managing complex identities and aligning AI with human values and business outcomes.
Guest: Rohit Ghai, Chief Executive Officer of RSA Security [@RSAsecurity]
On LinkedIn | https://www.linkedin.com/in/rohitghai/
On Twitter | https://twitter.com/rohit_ghai
At RSAC | https://www.rsaconference.com/experts/rohit-ghai
____________________________
Hosts:
Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli
____________________________
This Episode’s Sponsors
BlackCloak | https://itspm.ag/itspbcweb
Brinqa | https://itspm.ag/brinqa-pmdp
SandboxAQ | https://itspm.ag/sandboxaq-j2en
____________________________
Episode Notes
In this Chats on the Road to RSA Conference 2023 podcast episode, Rohit Ghai, Chief Executive Officer of RSA Security, discusses the thought process that went into his declaring the looming identity crisis in the cybersecurity industry as the topic for his keynote session. Ghai examines the prominence of identity in cybersecurity and the impact of AI on human roles in the field. Sean Martin and Marco Ciappelli appeal to Ghai to explore the complexities of managing human and machine identities, the evolution of identity professionals' roles, and the significance of aligning AI with human values and business outcomes.
As AI becomes more pervasive and powerful, the conversation highlights the challenges of aligning AI with human values while grappling with the complexities of managing identities in an increasingly automated world. The conversation also focuses on the transformation of identity professionals' roles, emphasizing the need for a shift from hands-on tasks to a supervisory role where they can focus on high-value problems and decision-making.
____________________________
Resources
Keynote Session | The Looming Identity Crisis: https://www.rsaconference.com/usa/agenda/session/Forging-a-New-Alloy
Learn more, explore the agenda, and register for RSA Conference: https://itspm.ag/rsa-cordbw
____________________________
For more RSAC Conference Coverage podcast and video episodes visit: https://www.itspmagazine.com/rsa-conference-usa-2023-rsac-san-francisco-usa-cybersecurity-event-coverage
Are you interested in telling your story in connection with RSA Conference by sponsoring our coverage?
Are you interested in sponsoring an ITSPmagazine Channel?
👉 https://www.itspmagazine.com/podcast-series-sponsorships
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast
Be sure to share and subscribe!
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.
_________________________________________
SUMMARY KEYWORDS
identity, ai, identity crisis, human, rohit, people, conductor, problem, access, technology, aspect, sean, marco, micro service, superhuman intelligence, passwords, security
SPEAKERS
Marco Ciappelli, Sean Martin, Rohit Ghai
Sean Martin00:07
Sean, show me your card man.
Marco Ciappelli00:11
No, I don't
Sean Martin00:13
want to know who want to know who you are.
Marco Ciappelli00:16
I wish I knew, you know,
Sean Martin00:18
I can't stop looking at you have to look at a car.
Marco Ciappelli00:21
You know, identity is not what it used to be Shawn. I don't know if I am, if I am, who I think I am or who they say I am. So I don't even know who you are. What I know is that I know our guest. But can you prove that he is? Who is?
Sean Martin00:38
That's that's for us to figure out? I guess let's, let's see if the tests are past. Road guy. It's good to, it's good to have you on the show. It's been a while we missed you. How are things?
Rohit Ghai00:50
Things are great. Sean and Marco, always a great pleasure to be with you guys. And I sensed an identity crisis of some sorts in that opening dialogue. But absolutely, identity is no longer what it used to be. Absolutely. And you guys will just have to guess during our conversation if this is the three of me, or if it's a deepfake of me. And I you know, so keep you guessing
Marco Ciappelli01:17
is not only the idea of really knowing who we are, but also the idea that identity as a concept. It's maybe different now in our digital society where, you know, you could have multiple identity, but the end, you know, how do you even manage that, especially with new technologies, I think this is going to be an interesting conversation. And I know is at the core of your presentation during RSA Conference, which that's why we're here. This is one of our chats on the road to tease. Fantastic talk. keynotes happening there. And so we want to dig in into what why did you choose this topic to start with?
Rohit Ghai02:06
Yeah, no, absolutely. Look, my talk is titled, the looming identity crisis. And the reason I chose this, it's a play on words little bit. Because I think there are two things that are happening in the cybersecurity industry. First, identity is, I think, getting the right its rightful place in the world of cybersecurity. And, you know, it's sort of, you know, gaining prominence vein and prominence and all that. But I think, I think increasingly, people are realizing that and deserves sort of enough emphasis from a cybersecurity perspective. So that's one idea. The other idea, which is not lost on any of us is all the all the rage about artificial intelligence, and this emergence of the AI revolution with, you know, this enormous power, the genies out of the bottle. AI is now available very broadly and pervasively both to the good guys and the bad guys. So the confluence of in the confluence of those two mega trends, identity becoming center stage in cybersecurity and AI becoming a very powerful mainstream, highly available technology. What does that mean for for you, and I and all humans? In the world of cybersecurity and identity, what do identity professionals do? How do they prepare for this sort of future that moves? That's really what I want to hit on. That's what I want to speak to our audience about. And now kind of, you know, I'll put some ideas as food for thought for the audience. I would not prepared to have all the answers. But you know, it's a discussion.
Sean Martin03:53
Marco does Marco has all the answers. So we'll let him roll that. Now, I want to want to take a moment because I've, I've seen this space, transform over the years, and the role of identity and what it is and what it's for and who manages it. And I mean, if you look at business versus personal things change. I know, we've had some discussions where kids have multiple identities, right? For different social media platforms. I know I have a few myself that I do do certain things with, to run the magazine. And the, I guess the old olden days, it was about access. And we talked a little bit about this before we before we jumped on. But what's its role today? How's it transformed? And maybe how has it changed? How businesses and security leaders and security practitioners look at identity when they're building out their programs?
Rohit Ghai04:55
Yeah, absolutely. Look, I think I I think we've gone through kind of an evolution of our expectations from an identity platform. And we've always had to juggle and balance, sort of three aspects of it, you know, there's the access aspect, like, give this actor on the network, you know, access to the resources that they need. And make it you know, the second aspect. So access is one dimension. The second dimension is always and this this, you know, came to, for for, especially when we started to use mobile devices, is the idea of convenience. Okay, give me access, but don't make it super clunky or inconvenient for me to gain access, don't get in the way. And then, of course, the third is security. And, you know, it's a balance between these three dimensions that we've always had to have to navigate. And my sense is similar to the, if you think about the smartphone analogy, again, you know, we call it a smartphone. But the phoning aspect is just a feature. At this point, we use the device to access the internet. So the name belies kind of doesn't do full justice to what the device is, I think the term Identity and Access Management no longer does justice to the core purpose of what identity should be, which I think, is security, the whole reason it exists, is to assure security, because this is identity is the new perimeter. Identity is kind of, you know, the only reason it exists is to assure security, of course, convenience, and of course, access our capabilities and features that are very important. But I think that's the evolution that people are again, when I say identity centerstage. Again, what I mean is people are realizing that we need to take a security first orientation to the problem of identity.
Sean Martin07:07
And speaking of identity crisis, I mean, our is our phone us. And then that kind of leads me to and that might be from a b2c perspective, how do we identify with services when we're engaging with we use that as a second factor? Third factor off, it's how we actually gain access is through that device. And that leads me to into the business for employees and partners and things like that, where we're setting up these complex systems that are yes, access by people. But we're also heavily reliant on applications and API's and services and micro services and open source things that are acting on our behalf. And kind of to your point earlier, we have AI and machine learning, kind of driving decisions for us and then taking action for us. Do we even have an identity in that world? Or is it the machine?
Rohit Ghai08:07
Yeah, no, absolutely. Look, the identity landscape has become enormously complex. And one dimension that you touched on Sean is just this infusion of machine identities, right? There is so much automation in the world, that that is proliferation of sort of these machine identities in the network that are acting on our behalf. And these actors are powerful, we give them a lot of entitlement. So governing the entire those entitlements is a huge, huge is hugely important. The second aspect of complexities are IT resources. They used to be localized, it used to be in the data center, it used to be on our laptops, the resources that be governed, so proliferation of human and machine actors, there's two, you know, probably five of you, Shawn, including an identity that you use to kinda you know, or like my my case, I need a separate identity to, of course, this work and life and other life side, I need a separate identity in order to prevent my teenage daughter otherwise, she wouldn't let me befriend her on any social media platform, right? So I need an identity just for that purpose. So huge number of identities, both machine and human. On the resource side, things are floating things are moving to the cloud. And things are also becoming very granular. We manage things at a micro service level, right? It's no longer about governing access to a server, not a monolithic concept, but within the application even inside the application you want to govern at a micro service level. So it's this explosion of like both on the kind of identity side as well as the resource side and then mapping all those entitlements. It's a massive problem. And I like to say it's a super human part. implement this point, because just a human cannot map all these relationships and manage them in any kind of sensible way.
Marco Ciappelli10:09
You know, I love that you went there, because I want to kind of dissect the title of the talk, which is the looming identity crisis and really looking into what do you mean when you refer to a crisis? And I want to pinpoint this because I so many times when we look at things from a philosophical perspective, I joke that since when we talk about AI, we talk about, you know, the, the application of it. But it's also a moment that we it's not just about the technology, I feel like ethics. And philosophers have never been so involved in technology like it's nowadays. So the fact that you choose crisis, I'm very curious to know what you know, for what angle? Are you? You're gonna talk about it?
Rohit Ghai10:59
No, thank you, Marco. And absolutely. And let me start by saying what I'm not going to talk about. If you're, if you're thinking what I mean by identity crisis is the leakage of a national database of identities or the leakage of, you know, like the high high value individuals identity, like a sort of a president of a nation and their access to all the power they wield. I'm not talking about that. I'm talking about the role of humans in this world of superhuman intelligence, artificial intelligence. And and this confusion we have about our role, the role of humans in that world, are we going to be relevant anymore? If identity is, indeed if we believe that identity is indeed a superhuman problem, then what are humans to do? What is our role? And and that's the kind of the core crux of the topic. It's a very complicated topic. Because I think at this point, the genies out of the bottle people expect machines to have superhuman intelligence, that's, you know, it's just a matter of time until we get to artificial general intelligence, but the problem of how do we align that intelligence to human values in AI literature, they call it the alignment problem. So it's not it's no longer about solving the intelligence problem. We have sophisticated algorithms, we have, you know, huge amounts of data and enormous computing power to drive superhuman intelligence is this alignment issue of aligning that intelligence with human values and objectives is a very difficult problem. And I think we humans have to make sure we pay enough attention to that aspect to make sure we get good outcomes and a world where we remain relevant. And we continue to have a symbiotic relationship with technology and AI.
Sean Martin13:03
Well, for me, that always comes with I mean, I was an engineer and building products. And we always talked about the the user story, right? What, what, what are we trying to accomplish? What are the boundaries with when within that accomplishment? Do we want to stay? Do we need to stay because we're obliged to ethically or morally or lawfully? And so how? How do well, I don't know if you can maybe give us a little sneak peek of the story you're gonna share. But how do users story change in the business? To where security leaders need to say, Okay, this is these are the places where my story no longer looks like it did two years ago? Or, like it will look in two years time. Therefore, here's what we need to do.
Rohit Ghai13:52
Yeah, absolutely. You know, I draw the analogy. You know, as we all grow in our careers, Shawn and Marco, we, you know, in the initial phases of our careers, they're very focused on doing stuff ourselves. We take pride, the way we associate, the way we think about identity and our self worth is about what do we accomplish? That's, we put a lot of emphasis on that as we mature through our careers, we start to change. And we start to say, What did i What did I empower others to do? What did I teach others to do? And I think in this world of identity, it's similar this AI and human identity crisis, I think it's a similar thing where an identity professional today might associate their self worth based on the number of attestations or entitlement changes or kinda, you know, detecting risky or a you know, kind of access or suspicious access network access activity. That's how they define their self worth. I think all of those activities Whether we like it or not, are going to be automated and will transform so that the job of the identity professional will be assisted with AI where instead of the human having to do all this stuff, we'll switch to more of a more of a monitoring supervisory role, where they they look at, okay, here are the top three decisions I need to make, right? So the AI will say, Look, you arrive at your desk AI, says, Hello, Rohit, you as the identity professionals, here's your workbench for the day. Here are the top three internal requests that have the highest impact, right? If you were to approve these, these were with the highest impact one. So I want you to write this as my recommended action. I have a recommended action for you. But I want you to take a look and make sure you agree. And here's why I've made the you know, there is also the idea of explain ability, one of the challenges we face with AI is a lot of times AI comes up with an answer. But we can't discern why. And so we'll need to address that alignment problem and that explainability problem. So in this call it the copilot model where the AI is helping me as an identity professional, it will tell me, here's what I'm recommending, here's here's why. Or here's a why which what you might understand as human, and do you approve or not. So it'll manage my workbench in a way such that I focus on the high value problems or supervise those decisions as opposed to actually doing those decisions. Right. So it's a, it's a mentor, it's a supervisory role, it's a, we have to get comfortable with this new identity of ours in terms of this, you know, our job is changing, whether we like it or not, we have to accept that and find comfort in that and prepare for that. So
Sean Martin16:51
and as you're describing that, Rohit, I'm I'm picturing an orchestra, and there's a conductor, right. And you don't want the brass section to chime in when it's a soft wound woodwind solo. Because it's just not going to work. So you want somebody there. Of course, people, all the people in the orchestra kind of know where they are and how loud they should be, and, and all that. But the conductor really keeps them all together. And, and so you look for the baton wave and it says, it's your turn, go you have your that person you're that they were that role, go for it. And it's not the conductor just standing there waiting for the brass player to play and go. Hey, I did see. So I think to
Rohit Ghai17:42
me, I love that analogy. You know, I
Sean Martin17:44
love analogies orchestration? Yes. Yeah.
Rohit Ghai17:47
That's great. I love that analogy. And absolutely right, it's, you know, one could argue that what is the conductor doing at the end of the day, they're not playing any instrument, but they're so consequential to the harmony of the overall picture, in the music to this.
Marco Ciappelli18:04
Yeah, you reinterpret that I was actually to stick with that. But I have another point. But I was looking at how, if you know, very popular music service, it just started one dedicated to classical music, because the way they were cut out categories, met in catalogs and research in regular music when it's played by an artist. So it's easy. It's kind of like the general but when you talk about classical music, who is the conductor? Who is the soloist? Who are the people because there's not actually the author of the music, that is playing it, you're not searching back, you're gonna you're not gonna find back playing, right? So I don't know, I can see where Sean is going. But I was thinking about it when you use the the smartphone idea. And it makes me think about God, yes, we're still saying smartphone. But we're also still saying horsepower to say how much power there is an engine, which goes back to the 1700 with the steam engine, and then we need a reference in the real world to actually make it an abstract concept to work. So that this brings me to maybe one important question, which is, are we going through this cultural change, embracing technology in our society in the right way, or we're still too driven by technology, and not thinking the way we can help society to absorb this new way to look at AI and not be fearful, but welcoming in a new identity? So I don't know if it's very philosophical, but I would love your opinion on it.
Rohit Ghai19:47
Yeah, I'll take inspiration from this recent dialogue on this exact topic. Marco, which is 60 minutes section with Sundar Pichai, where they talked about AI and Google's AI and And, you know, when Sundar was asked the question, similar question, he said, Look, what keeps me optimistic is that there are a lot of people but wondering about, you know, the ethical aspect of AI or the preparedness aspect of humans. And while I agree with Sundar, that that's a great thing. I don't think there are enough people acting on it yet. There are a lot of people worried about it, there's a lot of media and you guys are, you know, helping out a lot in terms of making sure there is attention being placed on this topic. But that attention needs to translate to action soon enough, because there will be this hunger for power, the power that the AI yields, everybody will be attracted to it, because of the massive productivity gains, if we can do what we could do, you know, what would take, you know, 5000, PhDs 20 years to accomplish in the protein folding example, if you could do that in a matter of three months, of course, we're going to be attracted to it. So it'll, it'll be this massive sucking sound, which will draw all the attention towards that. And as such, while we may be worrying about this ethical thing, or this preparedness thing, we may not act on it enough. So I almost feel like some regulatory activity or some mandatory some some form of mandates to make sure you know, that there is enough action and not just attention placed on that topic actually manifests. And look, I've traditionally been sort of wary of regulatory activity. But in this case, I think we are treading new ground. And, you know, I go back to my timeframe as a kid using sci fi novels and Isaac Asimov's kind of novels about robotics, and the, you know, the Four Laws of Robotics and all that. I mean, we need laws of AI and these governance type things to ensure that action actually happens. Otherwise, it'll not because there'll be so much investment, venture funding and everything else. I'm just productivity that I think we lose, lose focus on other point.
Sean Martin22:20
And do we need laws of identity? I mean, some some countries have taken pretty, pretty forward looking steps even many years ago to have national identities that are digital and, and are we we kind of missing the mark there globally. On that front, do you think
Rohit Ghai22:39
I believe we are I would be very happy with this one law of identity, Shawn, which is, let's get rid of passwords. Just that one law. You know, if you pass that law, I'm happy for you. I'm very happy. Look, we've talked about the death of passwords, we now have password lists, technology that I think is is is industrialized double. And yet the reliance on passwords continues and you know, 83% of cyber incidents on the back of compromised credentials, like what What more proof point do we need to actually, you know, mandate some of this. So again, it's a matter of sort of passion for me and, and, but I absolutely agree on the identity space, there are some clear, clear set of things that ought to be sort of more mandates versus guidelines.
Sean Martin23:34
Otherwise, we're gonna end up in an identity crisis.
Rohit Ghai23:39
You got it. I didn't say it. You said.
Sean Martin23:43
It's looming. It's looming. According to the keynote session title. It's looming that crisis. And Rohit, you always do an amazing job. We've seen you speak many times, and we'd love your stories. And we'd love the the inspiration and the insights. And your points the the action ability, if that's a word, the ability for folks who listen to you and see what you present the opportunity to take action with what you share. And I mean, we're going to be in Moscone West for most of the week, we're in broadcast alley, a lot of the time and, and we wrap up one of our sessions in time to see your keynote. So I'm very excited for that. That is Monday the 24th 333, local time, Pacific time there, Moscone West Street level and the big room there. We're looking forward to seeing any Rohit, any any final thoughts? Anyone anything else you want to tease for folks to go to come when they see you
Rohit Ghai24:43
know, but just appreciate the opportunity to, to meet and speak to you guys. And I'm looking forward to saying hello on broadcast alley. And you know, it's a very exciting time in our industry, and I want to thank you and the broader ecos system for coming together at the conference and supporting, supporting the cause of creating a community of good guys because we need to band together in order to have a shot at beating the bad guys. So thank you again, always a pleasure. And seeing you guys.
Marco Ciappelli25:16
Absolutely and Shawn, don't forget your business card to get your press pass. They want to know who you are,
Sean Martin25:23
then they need my business card. Only I had business cards if I only we had maybe one phone or
Marco Ciappelli25:30
we'll just show a podcast while we're heating it later. We're really looking forward to say hi in person and for those that have never heard you speak it's a real treat. Always less than that. So thank you again. Thank you.
Sean Martin25:48
You don't need an identity to watch this and all the all the coverage we have so stay tuned. I guess we magazine.com forward slash RSA see more many things happening including broadcast led stuff and links to reviews keynote session, his social profiles, you can connect with them there. And again, Rohit. Thanks. See you there.
Rohit Ghai26:10
Alright, see ya.