Event Recording

Panel: CIAM Strategy Best Practice


When dealing with consumers and customers directly, the most important asset for any forward-thinking organization is the data provided and collected for this new type of identity. The appropriate management of consumer identities is of utmost importance. When handing over personal data to a commercial organization, the consumer typically does so with two contrasting expectations. On the one hand, the consumer wants to benefit from the organization as a contract partner for goods or services. Customer-facing organizations get into direct contact with their customers today, as customers access their products and services through various channels and with various types of devices. It is essential to know the relevant attributes of that customer at the right time: an improved user experience leads to customer satisfaction and thus to returning customers.

Good morning still, everyone. My name is Yvan act. I'm representing Deloitte. I'm a partner based in Belgium and on the EMEA level, I'm responsible for the identity services that we run. Personal background: primarily been in public sector, actually. So very happy to see itsme being presented right in front of me; it gives you a feel of the, the type of things that I've been working on on the government side. So the integration of itsme on the Belgian side is something that I've been participating in personally the last couple of years. And it's actually, I see quite a spillover happening from the work that we've been doing in government, from Belgium to the private sector. So that's a specific setting that we have on our side.
Okay. Interesting. Thank you.
Continue. Very welcome. My name is Aika F fro. I'm a director from EY, from the cybersecurity community. I'm working with IAM since about 12 years, especially with consumer customer identity management during the last years in the banking, in the financial sector and also in the automotive sector. So I'm a little bit ambivalent. Okay. What concerning my, my sectors. So I'm very interested in what you pres, what you have presented this morning. We worked a lot with Gigya as we are a strategic partner of SAP. And as you know, Gigya is now part of the SAP com company. And I'm very interested in what my colleagues have to share and their experiences in the CIAM part. So,
Okay. So my name is Gerald Horst of PWC. I've been, I have the privilege of working in this space for just about 18 years, first, 15 to 16 years as owner and CEO, a company called Everett, which I sold to PWC two years ago. And I'm in a similar role as young, basically responsible as digital identity partner across the EMEA region. So in the last, I think four years, four to five years, we have been focusing much more on the consumer identity. Having worked for clients like Solano in the retail sector, a wide variety of banks, not so much in the public sector, only just a little bit. Currently we are involved in Scandinavia working also in the public sector, but we'll talk about these experience in a minute, I guess. So it's up to you. Okay.
Thanks. So my name ism, I come from KPMG, Finland, I'm their practice lead for the consumer access management. I think KPMG might be a bit different company compared to these other Big Four so that we are pretty independent countries. So every, every country has like independent, independent company and, and we do collaborate together, but, but we have kind of these centers of excellence and, and in Finland, we have one of the biggest, biggest IAM practices in, in Finland, in, in KPMG. Totally. So,
Okay. You mentioned that you have been working on one hand in the governmental part, on the other hand in banking and in usual eCommerce, which is a bit different than banking. Is there a difference when it comes to CIAM, needs to be, does it need to be done differently across the sectors and which are the differences? Who wants to start? I don't want to assign the answers.
Yeah. Shall we kick it off? Well, I think there's, there are indeed differences. I think a lot of the innovations are happening in the financial services, especially banking sector, of course, under the pressure of legislation like PSD2, the whole, what we call smart authentication part is something that's really happening in the banking sector. As an example, we are working for currently, I think we are doing two projects for challenger banks. Challenger banks are typically coming from, you know, the larger banks here in the Netherlands. For instance, we work for Moneyou, which is part of ABN AMRO, 100% owned. And basically they have stated that they want to become a European bank by providing ease of use. So they call it no hassle. At the same time, there is the legislation like GDPR and PSD2. So I think that's where we are using a lot of in innovating new technologies. I mean, you, you mentioned G we are working there with a combination of ForgeRock and income security and Transmit Security, very innovative solutions. But across the board, you know, we work with companies like IWE, which is also in the room here in, in retail and in, even in public sector.
And I think it's kind of, if we talk about consumer identity and access management, it's kind of big subject because if, if we compare like financial services to, to retail, it's totally different field. It's totally different motives why to invest in consumer identity and access management, of course there's like GDP or GDPR in the behind, but, but why you do it in finance sectors, it's probably more like you want to increase trust. You want to reduce risk and, and probably, probably have good customer experience. And, and in retail sector, you want to probably collect data, collect consent. So, so you can use the data and make the authentication as easy as possible. So it's kind of different, totally different case, business case behind
Speaking particularly for the, for the Belgian market first, I think the situation was a bit peculiar there. So about a dozen years ago, more, about 15 years ago, I think now, time goes very fast, and there was the big launch of the electronic identity card that a previous speaker already referred to, basically a chip card that was handed over to all of the Belgian citizens. That gave a huge boost in, in digitization of the, of the markets and primarily of the e-government sector. So there, the, the, the government sector, public sector took a leap ahead of the private sector and caused the rest to try to catch up to the same level of digitization, of digital online services as the, the government could offer at that point. Now, obviously by government taking a step ahead, the rest was catching up and it took quite a while, still, for the private sector to, to offer that same level of services.
And they now surpassed, I think, the government, we can, we can surely see. And we see now the government trying to leap ahead again and looking for ways to better service the end user. And I think a big move that I've seen the last year and a half for sure is the true omnichannel servicing. So not just focusing customer identity on an online channel, but how do we really cross all of these different communication channels that we have? How do we cover the last mile? How do we cover the last 20% of users that have a high resistance to using digital means, and think of elderly people or, or the way we call them the, the digital digital Laken we call them in, in, in Dutch. So the people that are not born with, with digital assets in their, in their day to day life, how can we service them?
How can we, can we operate there? And so we see a bigger crossover again, between online channels, offline channels, and trying to create a single user experience for your users, whether they are in an office. And that we see that also happening in banks now. So we did quite a nice engagement in, in the Middle East where we offer, where we started up a digital bank, but with offices still there, cuz customers wanted this proximity. They want somewhere to go to and have this interaction with their bank, but you first really stepped through a number of stages. And the first stage is a digital authentication that you do to, to do as many of the transactions as you can online, but in their portal, in their physical portal, and only then you step through the gate and you go to an even closer and closer human aspect of the, the engagement. I think those kind of aspects are, are the way forward and where we will see things, things moving.
So we talked about the differences between automotive and retail and financial business or banking services. I had acquired some interesting projects and automotive banks, so that we have a little bit the, of the lens of the financial service and all the restrictions they had also the automotive or the retail service. They are interested in collecting data as, as many, they are able to. And we had lot of strategic discussions between the banking and the automotive part, how to handle all this data, how to become secure, how to become innovative in this, this area. So it's quite interesting what happened during the last year, especially in this kind of business. So
Yeah, I think relating to that, and this is also, I mean, one of the things that I would like to get across, we call it the best practice or something that we've learned over the past years, that CIAM is, is it's about business, right? It's about digital transformation. It's about doing business online and yes, it's about ease of use balancing with privacy and security. But I think a lot of customers that we work with, they come with a specific request, could be, you know, in terms of GDPR, automating consent management, or it could be doing business with a specific user group. And we feel that it's very important, first of all, to engage the business, not see it as a technology play or a solution play, but it is about engaging the business people, understanding what the priority should be, what the business case and the relevance is at the same time.
It's also about thinking more in terms of a strategic play, like not going for a point solution for addressing a specific requirement or a specific issue, but also looking at it from a more long-term perspective. So think more in terms of platform for CIAM instead of a solution. Those are the things that we are experiencing, especially in the early days, like four or five years ago, we only were talking to CIOs and IT people, and it was all about features. It was about competitive advantage based on features, ease of use. And nowadays it's much more about thinking in terms of where are you taking this? What's the dot on the horizon and how does identity play a role there? That has changed over the past years.
Is this something that you would agree upon, really getting the business on board and get doing a real requirements analysis? What is the business about, what are the risks on the other side, but really have the business on board,
Quite necessary to have the business on board, have discussions on their strategy, where they want to go, what is the business model of the future, of their future? And not only to talk to the IT guys or to security guys, especially. Yes.
Yeah. We kind of, I say CIAM specialists, we tend to talk about, about like customer experience, which CIAM is about, but we are talking like, like showing some, some picture about, about long registration form and, and say that this is bad. I do it myself as well all, all the time. But kind of, as, as you mentioned, it's not like a point solution, it's about, about your, your customer experience strategy. How are you, how, how the customer organization is implementing it. And it's about the data strategy, how you, how you provide the single source of truth, truth about the consumer information. It's, it's not that you can, you can put some solution on top of everything and say that, okay, now it's, now it's good. Now we have good customer experience. Now we have good data. You have to integrate it in, in those other, other strategic initiatives was,
I think it's, it's a big challenge at the same time to involve business, cuz talking from the classical more IT background, it's easy to talk business versus IT. But as we all know, IT is a difficult crowd, a lot of diversity, but business as well. Of course, we're talking there to, to the, the finance departments, marketing, pure business channels. And that's where an industry focus comes really into play. And that's something that I think I've, I've seen certainly recently, that the true industry knowledge of, of, of the people in my team that, that, that becomes more and more important, that we have people that have been working in the industry with a client, that have done certain engagements in automotive, in banking, in chemicals, in, in pharma, in whatever industry you can imagine. But that industry angle is, is getting just that much more important.
Just not that the solutions are different. I think everyone that has been named here, I think we didn't name Okta yet as a, that one on the list as well. So I'll name drop those as well, but, but all of them that, that have been listed, they can offer solutions, but it's how do you deploy them and what, what is the real problem you're trying to solve? And for me personally, the, I like to stay, take it a step further. And that is what is the next problem that, that you want to see solved. It's not just stop at what you know now, but where do you, where do you grow through? What is, what is really your change in, in, in, in business strategy itself in, in new channels that they're trying to open up new products that they want to, to get launched, how are they organizing their back office to respond to those changing and increasing requirements of their users? And that's a much bigger challenge. I think that we have and where I see my team now being just embedded within a broader business transformation effort as a cyber expert, as an identity expert. But we are just one of the many people involved in, in that engagement. It's not just about an identity engagement anymore. That's, that's the least of everyone worries, but at the same time, luckily they can't do without us. And luckily for us, then there's still still a lot of work to be done cuz they, they need us to, to be successful.
So it's integration with business, but it's also integration with many other departments within the organization from help desk to marketing automation and all this kind of stuff far beyond the traditional IAM things that we used to do as IAM people. But it's really much more about business, but also about compliance and, and the legal things.
Yes. And I mean, it's also, I mean we're sitting here and we, I think we are even named the Big Four and that's, that's not for nothing. I mean, we are big firms. It's also the nature of our business because yes, we do digital transformation, but it starts with strategy consulting. And in the end it's consulting, it's architecting and it's designing, it's implementing and then there's even running solution. So we can do the whole shebang. And I mean, that's the nature of our business, right? I mean, starting from strategy all the way through execution, which, which sets us apart, I think, as a Big Four, from a lot of other more system integration focused firms or business consulting only focused firms. And one of the things, I mean, yes, we have mentioned technologies that are, you can see them in the Magic Quadrant of Gartner and you can read all the stuff about them, but please be aware. There's a lot of dynamics in the markets today, choose wisely, do POCs, understand what they really bring and if they fit your strategic agenda, not so much the point solution that you're looking for in the next six months. I think that's also one of the lessons we've learned in looking at these technologies from a more strategic view.
Okay. Any further comment from your side? Is there a common denominator across all industries that you have identified that is a key starting point for a CIAM strategy that, that never, never differs? For example, if you do traditional IAM you always have this joiner-mover-leaver thing, and people are joining the company, leaving the company, that's all the same, no matter which industry you are.
Single sign on is very important for CIAM, I guess
Also for the customers, for the consumer single sign on okay. As a platform or you mentioned not to solutions.
No, you're right. But you're asking is, are there specific denominators or specific functionalities? Of course they are. I mean, it's, it's, it's ease of use through easy authenticating yourself. It's single sign on it's personal data. Of course, controlling personal data. There are a lot of things that are now getting a necessity across the board, but the, you wanted to comment
No, to, to complement that, it's more on the, the low friction aspect is, is an important area. How do you lower the bar for your users, for your customers to engage with you? Faster time to market is still an important play there. And that's, single sign on is, is there, is, is it typically a quick winner? That's low friction. You don't have to confront your customers with the complexity of your own organization. And that's something, again, talking a bit from my personal public sector background. If you have one real diverse big sector, it's typically a public sector with a lot of different agencies and everyone around, but you have exactly the same issue in, in small corporates and in banking you have the insurance for branch and loans and personal banking and private banking, and they're all diverted. They're all a bit separate, but how do you engage your client in a single, single way?
Same in automotive, you have your dealer network. On the one hand, you have your corporate central assets on the, on the other hand, how do you create a single customer experience across even just as simple as two different garages, like resellers that you have that are typically independent companies. How do you bridge that and how do you create, how do you make your, your customer feel at home? No matter in which garage is, is ending up. And that's the same thing they've been doing for quite a while on the physical side. So they created a common store from the common, common logo, common experience, and it took quite a while and bit surprising looking back maybe, but a bit surprising how long it took to get that same kind of ambition on the online world to really go out there with a single client experience. I don't know how you see guys,
You guys. Oh yeah, absolutely. Right. I think I'm, I'm thinking about the fact that there's a lot of, you know, a common denominator. It's the scale, it's the amount of users, right? Getting a, a solution that performs really well for 50 million accounts is totally different from getting it, from getting a solution up and running and performing well for like 100,000 employees. So I think those things, I mean, scaling, interoperability, standard protocols, these things are all very relevant if you are implementing a solution in the CIAM space,
Okay. I demanded this morning in my opening keynote, don't be creepy, be trusted, foster trust and, and really tell people what you're doing with your data. This is typically something that business is not looking after. Or how do you build that into solutions that you help your customers to also cover that aspect so that they don't run away. And in government they have no choice. They have to come back, but in every other solutions they might go away. They change banks, they change your, their, their service provider. They change everything once they have the feeling they got sold. So how do you build that into solutions and how do you address this within your customers? Do you?
Yeah, I think if we think about GDPR, it has been enforced like for six months or so, and not, not much has changed in those, those digital services. If you go to any, any, any digital service provider, be it, it, your energy company or, or some retail, retail store, you don't see as a consumer, you don't see any changes. It's like, you still accept those, those terms and conditions. You just tick a box and, and, and with that one in the box, you accept everything they, they want to use your data for. Mm. I think that's going to change quite a lot in near future. And, and, and some companies are already like putting, putting the bar, which will be the, the, the level customers are expecting to have, like in, in, in having control over your information, having control over your consents you have given and so on. And actually one, one very good example. I, I'm not sure who has actually done that, but BBC, they have really nice way to, to, to approach, really nice approach to dialogue design and, and consent, consent collecting. If you haven't seen that, just try it out, go and begin the registration process to be a BBC user. It's really nice.
Okay. Thank you. I would've never said that because I know who has done that.
No, it's really good. That was Accenture by the way, for your information, but I guess, yeah, very well done. I think, I mean, we, I mean, PWC, our mission statement or purpose is bringing trust to society and solving important problems. So the trust aspect is really important for us, which means we have a role to counsel our clients on, especially the privacy and security part. But I guess it's true for all of us. At the same time, that's very difficult because the business case for the larger CIAM implementations is mostly coming from the marketing side, the business development side. And then basically you start implementing a solution because the, the customer wants a competitive advantage, wants to set themselves apart from the competition, by introducing ease of use, et cetera, et cetera, like with BBC, but we have a role and it's often called privacy by design or security by design, starting with the fact that you, I mean, clients get it basically a lot of the times for free. If they implement a CIAM solution, the consent management automation part is already there. So this is basically what the status is right now, that when we are implementing CIAM solutions, we consult them on the fact that they need to be addressing, especially the CSO community need to be addressing the GDPR, PSD2 security legislation as well.
This is often my role in the project. So while I'm coming from security side and talking with our UI business consultants, so it's often my role to, to make them aware of privacy by design and all this stuff, consent and all the GDPR action they have to, to consider while they start their strategy. So I think it's very, very necessary for us. And it's also the expectation to us to, to make this kind of compliance of trust, to bring this trust in, in the project and then the implementation of a CIAM solution, not only the marketing aspects. Sure.
I've been, I'm gonna revert to a couple of presentations and keynotes I've been giving more in the, the beginning of the year during the launch of GDPR. At that moment, I predicted three waves of GDPR hitting. So the first wave, we saw that one coming and we experienced it. We just need, we want to check box. So we want to check in the box that somehow claims that we are GDPR compliant. No one had any clue at that moment in time what it meant. A lot of people sold full GDPR compliancy solutions. And I see the strangest solutions on the market that claim to bring you, to get your company GDPR compliant in a few mouse clicks, but as just the check in the box behavior and that normal behavior that you have on the legislation comes up. Now, the second wave is, it's hitting, it's, it's, it's growing, primarily after the summer vacation.
And that is the companies realizing that the whole GDPR story and getting compliant, it's not something that's gonna work on the longer term and just making, GDPR by nature, the way it is written, the way it is, it is conceived, is not a check-in-the-box legislation. On the contrary, it's something that you need to have embodied, that you need to live day by day and show in anything that you do. And you don't know what evidence you're gonna have to provide next week when a breach is discovered. And you dunno when that breach really happened. Did it happen yesterday? Does it happen now? Is it happening tomorrow? You just dunno. So there's a wave of more sustainable compliance. And that's where I see solutions like consent management and integrating that into the, the, the user journey, the customer journey being, being perceived. Now, I think that will go through actually for another year and a half, and then we will see a shift.
And I think a couple of early adopters are already there, where the whole privacy idea becomes a non-negotiable for, for customers so that your, your customer that is interacting with you as a company will not engage in business with you unless you can really demonstrate that level of trust, that level of assurance that you are doing the right thing, and that you really are in control. And I don't see a lot of, of movement there on the technology front. At this point, we see rather a number of companies, again, more telcos that are jumping ahead and want to embark on the free market for telcos and want to differentiate themselves as being the most privacy aware telco on the European continent. That's a big claim to make. And that's also where they're hitting their first limits. Of course, it's a big claim to make. As soon as you fail, there is one failure, your whole claim falls apart. So I think that's a big struggle that we're seeing, but that will be a very interesting move when that wave takes off and, and where we see the market going at that point.
Well, yeah. And commenting on that or adding a little bit on that. I think what you see now, especially in the banking sector already stated that innovation takes place a lot. There is that risk management systems focusing on preventing fraud are actually incorporated in the, in the user journey as well. So that's it in the back in the back end of, of especially the new challenger banks that I mentioned are using those risk management systems in order to understand if things are out of the ordinary and then introduce not so much a kilo transaction, but introduce a second factor or third factor even to authenticate the specific consumer or client at that point in time.
Okay, great. Thank you. That actually wasn't answered to my final question. We have just two minutes left or so, I believe it in that, please, if you have one small part of best practice, if there are many people in the room that have CIAM programs running, not the big ones, the small ones, what would you for different ones and recommend for when they come home to lift the lid and look inside and what to check, what to change, where should they, where should they look at? Where should they start? Just a small, what would be a recommendation? You said the second factor, or make sure that you are prepared for a second factor for authentication for
Step. I think it really depends on the requirements of the company at hand lifting the lid, as you said, I don't think that's absolutely that's necessary. It really depends. Are there requirements that are asking for a more platform oriented approach or is that solution already doing everything? What they want
From my side, from what I see happening right now, it's, don't forget your offline channels. And don't, don't forget the fact that you will still have a human to human interface at some point in the lifecycle of your customer, whether it's during onboarding, during onboarding, having a complaint coming in, how are you gonna service that client in the same way as you're doing online? When he, when you finally get him in a face to face or in a, in a vocal communication? That's my, my prime advice from that point.
Anybody else?
Yeah. Well, probably one thing which should be checked is that, is your like CIAM aligned with data strategy. What I mean is that GDPR kind of brings customer access management solutions. They, it changes the role of, of CIAM. It becomes a trusted source. And if you don't have like your data strategy and data architecture in place, so that you have kind of broken those CLOs data silos, it, it kinda gets messy when, when you need to enforce consents. So that's kind of to check,
Yeah, something more in this, in this strategy is not only data, not only from the data side, from the information side. I think it makes sure that your information security management the same, does the same way as your CIAM strategy. So you should have one goal and one secure, one strategy to, to work on, I think.
Okay, great. If I add one thing, I think prepare for data breach, have everything prepared, all, all forms filled in, all contacts identified, where to send the information when the data breach happens, cuz 72 hours are very short. Thank you very much for your time. We did not have the time to answer questions, but it was a great discussion. Yeah. Thank you very much. It was really, really best practices. Thank you very much.
Thank you. Pleasure.
