Welcome. Good morning. Good afternoon. Thanks for joining our and Cole webinar today, today I'm joined by my from AIMA and our topic is how leading brands build trust with cm, balancing privacy and security with the user experience. So a little bit about us keeping our call before we begin, we have a, we're an Analyst firm global, but headquartered in Europe, we offer a number of different products and services. We are specialists in the fields of identity and access management, cybersecurity and artificial intelligence. Some of our services and products are research events such as this webinar or conferences. And we also do advisory projects.
Our research formats, we have four major products. We have the leadership compass, which is a comparative report on all the different vendors in a specific market segment. We dive down into many technical details to be able to make it leaders make the right decisions. We have executive views, which are shorter papers that are focused on a specific product or service. Usually like a one page overview of the market, three or four pages on how the product or service works. And then an objective strengths and challenges at the end, our advisory notes are more like a research paper. They can be longer. We take a look at specific areas of technology. They're not limited to any particular products, but, but technology areas, and they provide some advice for it. Professionals who need to solve very specific problems. And lastly, we have a leadership brief, which are much shorter. They give guidance to executives on those same kinds of issues. They're not really product recommendations or overviews of products at all, but again, tied to a specific business challenge.
Recently, recently we launched a new service called KC plus it's our content and research platform. It's designed to be much easier to search for content it's directly available to end users. You, you don't have to download PDF files anymore. You can look at just the content you want and it's a subscription model. So pay once, read everything that you want for roughly 800 euros or a thousand dollars a year. You get access to our research, including the leadership compasses. On the advisory side, we do strategy assistance for companies, you know, both on the end user organization side, as well as software vendors, we'll do assessments requirements analysis. Then we can also help with portfolio compasses portfolio analysis. If anything's missing from your portfolio, we can help identify that. We can also drill down deeper with our tech compass and do things like looking at the use cases and technologies in in much more detail and then help with the selection of services or tools to meet those business requirements. And then lastly, we can provide some project guidance at a high level. We don't do staff augmentation or things like that, that we tend to be more limited and, and more direct on the, on the projects.
On the event side, we have a number of events coming up. We just had consumer identity world in Seattle. The next one will be in Amsterdam and October. We have cyber next cybersecurity conference in Washington, DC next week, followed by cybersecurity leadership summit and access summit in Berlin and November. And then AI impact later in November in cybernetics world early next year. And our flagship event is EIC European identity and cloud conference, which is in Munich in may. So logistically everyone is muted. We control that and no need to mute around, mute yourself. We're recording the webinar, the webinar, and the slides should be available on the website by tomorrow. And at the end of the hour, we'll have a Q and a session. And at any time during the webinar, you can type your questions into the question blank in the go-to webinar control panel over here on the right.
So I'll start off talking about what we believe consumers want and businesses need in terms of security and privacy for consumer identity management solutions. And then I'll turn it over to Meyer. And then, like I said, we'll save some time at the end questions. So how can you build trust with cm, a consumer identity and access management solutions? I think first and foremost is security. We may even have breach fatigue, you know, of years and years of hearing about different kinds of data breaches, identity theft, leaks, and, and fraud is quite rampant today. Being able to provide your consumers with not only a feeling of security, but actual security can be a, a competitive differentiator.
Privacy. Privacy's very important from a legal perspective. Now due to an increasing number of privacy regulations around the world and consumers feel like they're more valued. If you protect their information, only use it for legal purposes and purposes for which they've given consent. CIM solutions can make doing business with your organization easier. It can facilitate marketing and sales, but again, the focus has to be on the user experience at that point. And then lastly, it should be invisible or at least transparent to the end user. They, they don't want to have to think about digital identity. They shouldn't have to care about the underlying technologies, SAML, OAuth, or any of that. They just want to transact business with your site. And so keeping the, the technical details away from the end users is exactly what most of us want, where when we're in that capacity.
So let's drill down on the security side. Just a little bit. The reason we're talking about it is because unfortunately, cyber crime is a real growth industry. It's estimated that in 2015, there was about 3 trillion us dollars drained out of the global economy due to cyber crime. That that's all kinds of cyber crime, identity theft ran somewhere, all that stuff lumped together. And it's estimated that it will be 6 trillion by 2021. So it's a, a very real and large problem. So by volume, there are four major kinds of fraud. There's new account fraud, account takeover, fraud, insider error, and fraud and transaction skimming. So I thought I'd drill down a little bit on account takeover fraud because it's one of the most prevalent. And one of the types that, that lots of different kinds of businesses are, are dealing with and worrying about today, but on the new account fraud, I'll just say a little bit about that now that's where you take publicly known information.
Let's say usernames, email addresses, physical addresses, sometimes even in the us things like social security numbers that may be found from, let's say breached healthcare records, because they happen to have a lot more personal information. And then than let's say retail sites would need, but the, the bad guys take this information and they create financial accounts elsewhere in the hopes of being able to take their ill gotten gains from let's say ransomware, something like that, where they may have been paid in Bitcoin, and then translate that into some sort of currency that they can then use more EF. So that's sort of the background on new account fraud. It's a huge problem. It can be automated. There are bots to do that as well as the account takeover fraud. So having an effective fraud reduction intelligence platform is a key component for consumer identity and access management as well.
So let's look at some of the account takeover methods. We're all probably familiar with phishing, you know, getting a suspicious, well, it may look suspicious to us email that has, you know, a bad payload or a link to a bad site. The idea is to entice users, to come to that site and give up their credentials so that the malicious actors can then take that and, and then use it drive by downloads. Maybe, maybe websites aren't as diligent about keeping their websites clean. So they wind up with malware that people pick up unsuspectingly, which can compromise their machines and their accounts, fake websites, you know, website that looks like a legitimate one, but isn't again, designed to capture username passwords from unsuspecting customers. All these methods might wind up using things like keylogger or root kits, malware that sits on a victim's machine and collects keystrokes, and then sends it back to the malicious actors, spyware stealing IDs from cookies, credential, stuffing attacks.
This would be like number eight, their compromised credentials from the dark web. Maybe there's so much of that available username, password combos. So bad guys will automate, you know, taking known usernames and sort of matching those to other sites. And then using those passwords to see where they might be able to get in. This is one of the main reasons why security professionals tell people not to reuse passwords, because if a password username combos found on the dark web, then, you know, malicious actors will start trying to use it against all sorts of other sites and then BR force password guessing just what it sounds like using rainbow tables or, or other means to just brute force the password guessing moving on to look at privacy. So privacy is big concern and many jurisdictions around the world now are enacting various kinds of regulations to help protect specifically consumer privacy.
So many people are talking about the CCPA today, and that's the California consumer privacy act. It was passed last year. It'll come into force on January 1st, and there's about a six month timeframe in early 2020, where businesses will be coming up to speed to be able to enforce the, and it imposes different kinds of civil penalties for the consumers. They're given some interesting rights. They're given the right to learn about what kinds of information the businesses are collecting, selling, or disclosing about them. And then also, where is that information going? Who are, let's say if you're a, a consumer facing business and you're collecting that information and selling it elsewhere. Now, CCPA will say, you need to disclose that information to the consumers. If you meet certain criteria listed below, it also gives consumers the right to prevent businesses from selling or disclosing that personal information and, and gives them, you know, the redress of being able to Sue the business for even security breaches of consumer data.
And even if the consumers can't prove injury, there are some possible penalties and recourse available to them. Now, businesses in order to be subject to this, have to meet specific criteria. That's of course doing business in California, but otherwise it's a pretty low set of criteria. If you're collecting information on California residents up to 50,000, or, you know, if a majority of your business involves that kind of operation, then you can be subject to it. So, you know, really this is gonna have much broader applicability to businesses inside the us in general, not just California, because if you're operating some sort of consumer facing business in the us, chances are you'll have a, you'll have some California resident information within your databases. So you'll need to figure out if you're subject to CCPA.
So the criteria are a bit more detailed than that. And we can certainly go into that in more detail later, you can ask questions about that later. I know, but so businesses have to meet the criteria. They can't discriminate against consumers who exercise those rights. This means, let's say you find out a business is collecting information, and you say, I don't want you to sell it onward businesses. Can't say, well, I'm gonna charge you a higher amount because I can't make money off of your information. That's specifically prohibited under CCPA. And this applies to both online and brick and mortar businesses as well. And it allows for enforcement by not only the end users, the consumers, but whistleblowers and even other public agencies.
Let's do a little bit of a compare and contrast with GDPR. So GDPR, the general data protection regulation in Europe went into effect last may, and it covers all the European union countries. And it's, it's a bit different in scope and magnitude than CCPA. So the protection principles under GDPR, let's start with, it has to be lawful fair and transparent. Now like CPA, you have CCPA businesses that are working in Europe are gaining information about European residents need to make sure that they're collecting that information in a lawful fair and transparent way. And the purposes have to be limited. This is where consent really takes a much larger role than simply about where the information can be sold. So in GDPR, in order to be able to collect the information, consumers have to give their consent. And it has to be limited to the specific purpose that the company states that they're going to be collecting it.
One of the nice things from a technical perspective, the GDPR sort of forces upon companies or organizations working in Europe is to minimize the data that they collect. So if you're not collect, you shouldn't collect data that you don't need. So if there's no purpose for it, let's, let's not keep it. Let's not collect it in the first place, data, data protection impact assessments, or one of the mechanisms the companies have been using to prepare for. And, and, and since the implementation of GDPR, make sure that they're not over collecting. This is a good principle, just from a security perspective, as well as privacy to not collect any more data than needed. The data has to be accurate, which from a, a technical or user interface perspective means that companies or organizations that are collecting data about European citizens and residents need to provide some sort of facility for the users to say yes or no about the data collection or update, you know, change incorrect information about themselves. So this says essentially mandated a pretty robust user interface for companies or organizations that are working in Europe, GDPR also places, some limitations on storage, what can be stored for how long, not necessarily specifically where some, a bit that's undefined about that yet integrity and confidentiality.
Two important principles of security in general, also find themselves instantiated in GDPR here. Being able to make sure that the data that is stored is kept confidential. This, this puts security requirements too on companies that are doing business in Europe, to make sure that the personal information that is collected that is collected, you know, and given consent to for the purposes that the company states is also protected. So against accidental disclosure. And then there is some interesting accountability features to GDPR. So companies above a certain size, the data protection officers who then report to national level authorities. And, and then when let's say a breach happens, there's a 72 hour rule for making that known to the wider public, to those who may have been impacted by the breach. So again, quite a few differences between CCPA and GDPR. And these are just two examples of privacy regulations around the world that affect consumer privacy.
So convenience, it's all about the user experience. I think it's safe to say that consumers want options that are sort of right sized for their use cases. And specifically, I think we're all kind of tired of passwords. We know how bad they are. We know that they're insecure, but you know, what's even worse in many ways is what we I've got here in the center image, in knowledge based authentications security questions. You know, a lot of people interact with sites kind of infrequently and, and personal strategies might involve, well, I can't remember the password to that site. So I'll just answer the security question. So this effectively takes the security level down to just knowledge based authentication, which, which is terrible, because a lot of the common security questions that sites have people answer are things that can be found the answers to which can be found in social media. So, you know, knowledge based authentication is the least common. Nominators just a, a really bad plan in an insecure method.
Not all these options work in consumer facing environments, you know, aside from maybe using national IDs on smart cards, in some cases for consumer purposes, it's unlikely that many businesses are gonna issue smart cards or USB keys for consumer use. I mean, maybe in cases of, you know, let's say banks for high value customers, they might do that. But in general, that's not something that, that we see a lot of. On the other hand, I think mobile applications, mobile push notifications, social logins, more likely to be preferred. So we do see businesses moving away from username and password, mostly due to security concerns, but also for convenience. And again, they're taking advantage of things like social logins. Mobile is a channel and then using risk adaptive, they're evaluating a lot of different available bits of a attributes for multifactor authentication, such that you don't have to interrupt the user every time they wanna do something.
This allows us to get rid of passwords more effectively. So some best practices here for consumer authentication. First of all, minimize fraud. This is not only good for the business, but good for the consumer can help build that trust. It can help you comply with regulations. Also in Europe, the revised payment service directive, more commonly known as PST two actually requires strong customer authentication. So the use of multifactor, and so having a consumer identity solution that can provide, you know, MFA options will help you meet those regulatory requirements in Europe. PSD two also actually requires transaction level analysis. So it can help reduce fraud by doing the continuous, the silent risk adaptive authentication in the background.
Another best practice is make it risk appropriate, only introduce friction when it's needed. So if you can evaluate various environmental attributes and only let's say require some sort of step up authentication, when, when something deviates significantly from the norm, then you can provide a better consumer experience. Some organizations might choose to, if they operate in lots of different regulatory jurisdictions, they might decide let's take a least common denominator approach and use the most restrictive regulatory jurisdiction, you know, across all of our business CIM solutions allow you generally allow you to have pretty granular control the policies and allow you to implement the kinds of policies you need for both security and privacy based on, on different locations in which you're operating, ease of use the better the customer experience. The more likely you are to do business with them and have them come back and do repeat business and diversity. And by this, I mean, not, you know, we, we are increasingly relying on mobile as a channel, but it's important to remember, not every user has the latest model smartphone. So don't build to, you know, the latest technical specs, not every user will ever have the latest smartphone. So know your user populations and what kinds of devices that they come and will use.
And then lastly, invisible consumers really don't want to think about digital identity. Like I said, it's not, it's when we are consumers, we're not interested in the technical details. We simply want to get stuff done. We wanna buy things. We wanna pay our bills or whatnot, remembering usernames and passwords or understanding technical details about consumer identity are not something that interests the most of us in those cases. So getting rid of passwords is a good first step there. So to sum up consumer identity, the key to building trust, I think deliver value to consumers, first of all, but meet consumers where they are in terms of technology and their own risk appetite, same thing with the end user organizations or businesses, you know, don't apply friction more than needed and make it convenient. And then lastly, that will help to build trust and loyalty by delivering that value and providing a secure and privacy perverse preserving experience. And then, you know, consumers of all kinds expect brands to have a digital presence. Businesses really need to get consumer identity, right, in order to deliver that value, increase their business and enhance their brand reputations. And with that, I'll turn it over to my ear.
Thank you, John. That was sort super insightful industry perspective on sort of the challenges around trust and customer and access management. What I'd like to do is just slightly flip the lens to, to the consumer and so organizations and some of the expectations that consumers have and some of the challenges that organizations are gonna face to meet those expectations. I think for all the rest of us, just to, to really think about this relationship between consumer and the organization as a, a trust relationship or, but also a contract of trust that that can be broken and the impact of, of reaching that trust. And so, firstly, I really wanna talk about sort of customer expectations around as they sort of interact with organizations, brands, and properties. And so one of those, the first sort of questions I think for a consumer is if you do give a brand or organization any of your personal information, and that could be a password, it could be data birth, it could be gender, you really are entering into a, a trust relationship and that that contract or trust between you, the consumer and the brand, that that data won't be abused.
It won't be shared and it won't be breached. And so that becomes that, that first sort of real sort of cornerstone and that relationship, secondly, as a consumer and any data I, I give to a organization, I should have control and choice over that. And my awareness as a consumer is really elevated now, thanks to, to a lot of the regulations going on in Europe and around the world. And so if, as a consumer I have given you data and that data is, is not under my control. That's gonna begin to erode my trust in your brand. Thirdly, and this is quite interesting is, is digital transformation. Now, the reason why I bring that up is consumers. They don't actually care what's in our it landscapes. And so the, the reason that that becomes quite Ponant is if you think about, say for example, the, the demographic of a 18 to 21 year old, they've never existed in a world without apple, Google, or Amazon.
And so they're very much used to a sense of immediacy that you get from these digital first brands. And when they start to interact with our heritage brands where we have, you know, very complicated, it LCAPs, and there's, you know, a nicely con drop between a one system and another system to update consumer preferences. Now customers don't care. And if a consumer goes onto your site and changes their preferences and on sales of an email, and then suddenly an hour later, they get an email from you. That's gonna erode trust. And they expect the same things from us as heritage brands as they do from digital first brands, such as Uber. And so that becomes a real challenge. Now, if we then think about, okay, the value of change and, and John talks about this, you know, what, what makes it convenient to the consumer?
So why are they, why are they trading information? Why are they creating relationship with you and the brand? And that has to be a value exchange or a gift to get. And that could be for omnichannel, you know, being able to extend your experience from a kiosk to a mobile app, to a, a site it could be for personalization so that you are getting relevant content based on your preferences, or it could be, you know, use cases where you are controlling devices with your phone. And so ultimately what we're trying to do here is make sure that we are delivering value. And that really is what this trust relationship is brokering is that, that value that we're giving on top of the information we're getting from consumers. Now, if we start to, to flip that from an organizational perspective, this is quite challenging. So if we think, you know, now half the world is online.
And we also think about sort of the last sort of 10 years of, of historic digital transformation, where we've all been trying to market to one and trying to move away from those sort of broad brushstroke campaigns to slightly more targeted campaigns so that we can better serve our customers and our, our marketing teams. Now, what that's led to is a, a much greater collection of data. And that creates a whole new sort of data governance problem on top. And as we start to collect more data around consumers, across more dispar systems, that creates a much bigger challenge around identity and security. And so looking at those together creates a whole new level of disciplines that organizations now need to, to address.
And so we look at that and what's happened and what we used to see, certainly seen over the last couple of years for the first time we're seeing this, this much tighter collaboration between the privacy teams and the security teams. And we are seeing that those disciplines are galvanizing around identity. And so that's creating a new focus around customer identity. I think that's what we are seeing here is that's driving sort of more of a consumer-centric approach for, for brands and organizations, which can only be a good thing. Now on the privacy side, we talked about GDPR and John alluded to emerging standards in, in, in America, but it's not just a challenge in, in Europe and America. We're seeing the emergence of privacy standards across the globe. I think more, more notably in, in, in Canada, which is recently releasing and also in India in China.
And so this becomes a, a global, a global requirement, and there are nuances between each of these and, you know, tools can definitely help in terms of how you serve that sort of global constituency. And so on the privacy side, and you know, what organizations need to deliver to consumers. I think there's a, there's a number of, there's a number of challenges here just outside of compliance. Now it's very, you know, you take an approach where we just deliver tick box compliance and we can, you know, we can go comply in Europe. We can comply in, in California, in, in Tokyo, in Canada, etcetera, but really that's not really serving the consumer if we go back to that, that first slide, when we look at that value exchange between the consumer and the brand. But what we want to do is, and as John was alluding to, is to turn trust into a competitive differentiator.
And as we look to sort of new consumer behaviors and a more ethical buyer, as consumers do start to vote with their wallets, we're gonna see a trend towards consumers sort of electing to, to ops, to, to spend with privacy ethical brands. And so the first thing is to be beyond checkbox compliance. The second thing is, you know, where you are starting data around our customers, give them the, the option to, to control how that data is used. And now what we're not talking about is sort of unwilling systems where you have to put all data one place. If you start to think about consensus as metadata, then you can start to expose it to consumers in a way that can grow as your platform sort of mature to a more sort of privacy by design sort of approach, you know, make sure customers can, can revoke or change their consent.
But, you know, the other thing to sort of really think about is, and, and going back to John's sort of points around around passwords is removing the amount of friction that customers have around passwords and allowing them to perhaps bring their own identity, which we'll talk about briefly. And so the, the other sort of benefit of addressing sort of how you are maintaining this data is the security footprint around this identity data. And, you know, John sort of talks about the, the risk of breaches and we're seeing certainly a lot of breach fatigue from consumers, but also a lot of lines in, in mainstream media about some very high profile travel brands who have been impacted, you know, the, sort of the ongoing impact of that breach data and how that exposes consumers to density use to credential stuffing, and then to account takeovers. Now, for those that aren't aware around Akamai and sort of our services of outside of identity Akamai seeds seeds around about two thirds of the corporate enterprise internet traffic.
And so last year across our, our, our network, we saw a huge number of credential stuffing attacks. And this is where essentially, you know, as John was saying that you have consumers who reuse passwords and credential stuffing is basically targeting different identity directories to see if they can verify that some credentials have been reused. So last year in Akamai states with the incident reports we recorded around about 30 billion credential stuffing attacks. There's a terabytes of data with about 25 billion credentials in a dictionary. And essentially, you know, you got attackers just hitting open, open directories and identity providers to see if they can verify if those credentials are valid. Once they have those credentials that are valid, you can, then they can then basically sell them on the black market or dark net. And, you know, we've seen instances where there are brokers selling reach credentials for around about $3 a credential.
And if those credentials aren't, aren't valid that they're offering a warranty and reissuing new credentials, the challenge we then have with breach credentials is that can leads to a full blown account takeover. So if you imagine that, you know, let's imagine that you've had credentials that were perhaps breached in some of the high profile breaches over the last five years, and you haven't recycled. So re re rechange your password. If those credentials are then found to be, to be on, on stuffing sites, whether being purchased, and then, you know, you as a consumer, have your account taken over, there's a number of things that can happen. So, you know, you could have your personal data could be, could be scraped or changed now from a consumer's point of view, if that happens to you, that's gonna ironically Aero trust between you and that brand. And so that creates sort of a huge problem around sort of that huge dataset of reach credentials currently out there, which is why sort of the security around organizations and how they treat customer density is, is really crucial.
You know, we need to make sure that they're really addressing strong encryption, both in the transmittal data and in the rest of data. So where data is stored. And one of the things that from a privacy pub by design point of view, and what really all organizations should be considering is really sort of scoped access and the idea of data minimization. And so, for example, if you have an application that is used by mobile app, and that application is needed to authenticate a user, that's really all the scope you should have. It shouldn't have access to any data. If you have an application that needs access to a loyalty, a loyalty number, again, that's all that it has. And if you have applications or APIs that you need to make available to third parties, you need to really scope down the attributes that those third parties have access to both from a read or right perspective, to make sure that you're never, overexposing your customer's data.
And that's sort of one of the key tenants that we see sort of addressing a, a privacy fire design model. And, you know, one of the challenges certainly that we see in sort of the interpretation of GDPR is the state of the art security, which is 32. One of the things that we advise is to consider sort of, if you do look at, and as a service provider, there's a higher chance that that service provider will be constantly investing in the security controls around their technology. And thus can offer a high level assurance than you can, perhaps on your own in-house solution. Another question that you have to ask yourself as a brand is, do you want to be another identity provider? And so do you want to be a, another provider that, that holds passwords? Now you can either outsource that to a, a point point vendor or, or you can start to think about allowing customers to, to bring their own credentials and maybe avoiding that whole yes, another password and allowing consumers to bring credentials with them from other places now, historically, and we, we know very sort of typically that this is done with social login and that's very synonymous with modern internet usage, but there's a lot of other different applications and use cases for bringing your own identity that is certainly maturing.
And what we recommend is sort of really sort of consider your, your science or your application as a, as a storefront and allow customers to have choice around identity possibility and their ability to bring their identity with them. Now, you know, for example, if you went to a shop today that took cash only, you may not be in a position to transact and you might be looking for more choice. And so as bring your identity has been more as being matured from social ID. There's a number of initiatives around there. And some have been certainly accelerated by the payment service directive. Number two, as we're seeing more bank IDs, we're seeing more government IDs, and there's definitely mobile IDs and, and some great initiatives from the GSMA of mobile connect. And so if you allow a customer to, to take one of those entities with them, then it makes it easier for them to transact with your site and have a much lower friction, lightweight relationship that doesn't include any personal density or personal data or PII.
And that allows them to build up a trusted relationship with you as a brand. And so another thing to consider again, and if we talk about friction and what the customers expect is the performance. Now I wanna talk about performance from, from two, two sides, one, which is sort of the customer experience, but then the other is from organizational adoption point of view. So, first of all, if you say, for example, you are an eCommerce size or a media or a media property or a bank, and you have a high profile high traffic events. One way to very quickly overall trust is to have any latency in your authentication journey. I mean, you, as consumers, if you think back to your own experiences, if you are authenticating with a site and you see sort of a wide screen or some latency, that's certainly gonna give you pausable thoughts about whether that's that traffic or that behavior is expected.
And so, you know, really sort of focus on making sure that there's no degradation service to your customers at high track events, definitely uptime availability is sort of really table states here, but from what organizational point of view, one thing to really consider is if you have silos of identity. And so we know today that most organizations have several data stores where they have different consumer data, it could be an eCommerce site, it could be a lousy site, it could be email marketing. And so one of the performance gains that organizations should look at is how quickly can you consolidate, can it be done in months, or would it be a multi-year project? Because if you're a consumer and you interact with a brand and you authenticate into perhaps your preference in consent hub, and then suddenly the, those credentials don't work in your loyalty scheme, that's gonna concern you and that introduces friction.
And so the ability to quickly consolidate will serve you gains both from a organizational perspective, but also from a customer expectations perspective. And so really where we want to strive to, and as organizations where we want to get to in terms of sort of building that right level of trust between you and you as an organization and your consumer is to, to move to perhaps something that we are calling privacy, assure marketing, and that's sort of make sure that, you know, end users are comfortable sharing data review in your brand. And so making sure that your organization's commitments to security and privacy is explicit, and it's not just checkbox, checkbox compliance, really sort of making sure that users always have constant control over consent and preferences and making sure they can do that for all touch points, not just, not just web that they can do it in, in store as well as mobile.
And so to do that, you need to start a de silo, your, your identity stores, excuse me, make sure that, you know, the systems that the downstream systems that use customer data are honoring choice and control. And that's really about starting to think about how consent feeds into your enterprise service bar, how that sorts of feed downstream systems, how control and choice really is part of that mandate. And you're not really sort of looking at this legacy technical day of all these sort of consent unaware point solutions that frankly sort of undermine all your privacy initiatives and, and finally, to, to make sure that you're being really considerate about synchronization. And so that you're not overexposing customer data to systems that frankly, either aren't secure enough or don't have any rights holding that data.
And so, okay, we've talked about a lot of this, but the, the reason why this has become a, a point of interest for, for Akamai. And it really is, you know, Akamai is a sort of a very strong Providence as a security and performance brand, and this, this strategic alignment between security, privacy, and identity entity really cause AMI sort of to look at the landscape and the market and evaluate its own portfolio. And earlier this year, Akamai acquired Jan Janrain is a market leader in customizing access management top performer on the customizing access management leadership compass. At the end of last year, I believe it was the, the top ranking vendor. And so Akamai acquired Janrain and sort of took the sort of the Jan rain platform and sort of boards it into the AAI portfolio and in a way so that Akamai can offer its customers and, and to the market, a solution that enables customers to very easily address a lot of the tenants that John and I have sort of talked about in this, in this webinar around sort of the privacy and giving consumers control and choice of their data around the protection.
So at the high level of assurance around that, you know, securing customer data and the performance to make sure there's a very scalable solution that has a very low time to market. So that sites and brands and organizations can very quickly de and that's been taken to market as the Akamai identity cloud. And so sort of moving away from sort of the product side, I mean, ultimately where I want to sort of leave this audience with is really thinking about sort of one key sort of takeaway from the session, which is whatever you do in regards to customer identity, focus on being customer centric, make it easy, keep the customers in control, make sure the experience is lightning fast and whatever you do, make sure it's secure. Thank you.
So yeah, if you have any questions, please feel free to enter into the questions blank on the go to webinar control panel and we'll take them down.
And, and John, whilst we're just collecting questions from the, the listeners, I, I was wondering if perhaps you had any advice for, for some of our international customers that are embarking on new sort of regulations, whether there's any, perhaps learning from sort of the Europeans and global brands addressing GDPR, whether there's some sort of key takeaways that perhaps those looking at CCPA could start to sort of learn from orate from.
Yeah. You know, I think it was kind of hinting at that with some of the slides. This is really one of the main drivers for needing a good comprehensive consumer identity and excess management system to be able to keep up with the regulations. You know, I guess it depends on an organizations strategy and or policy. If you're an organization, that's got a lot of it experience in house and you're, you're comfortable with doing the coding that's necessary to be able to provide or implement ju specific policies around privacy and security. Then, you know, you may be comfortable with tackling the regulations as they appear around the world. One of the advantages, I think that some of them more complete cm service providers have to offer is that they're taking a lot of that customized work and doing it on behalf of their customers. So looking at things like GDPR, you know, last year with the, the various leadership campuses I did over the last couple years around cm, I saw a big difference between let's say, 2017, the readiness for cm solution providers for GDPR versus the, the latest iteration I did that came out in 2018 at the end of 2018.
And the reason being is I think they were trying to get ready for GDPR to make it so that their customers didn't have to put as much effort into it. I won't say that it was effortless on the parts of organizations that were trying to do business, or might have contained information about European residents. Obviously there's gonna be things like D Pia that have to be done and naming DPOs and things like that, but trying to take some of the, the detailed technical work away from end user organizations and being able to, to certify some, some degree of compliance with that, you know, the same thing applies to CCPA. I, I see a lot of forward thinking cm solution providers today, you know, rapidly trying to ramp up and, and understand what CCPA requires at the technical level and building in those kinds of features into their user interfaces.
You know, one of the things about CCPA is it says it's got a, you know, businesses that are subject to it, have to provide either a phone or, or a website so that people can review the information about themselves and decide whether or not it can be shared with which third parties. So, you know, the, the vendors that are sort of on top of that are, again, trying to make it easier for organizations to comply with those two particular laws. But as you were pointing out, there are lots of different laws that are coming into effect in different places around the world. So depending on where your business operates, there's a lot of variation in how they're gonna be implemented. And, and I think just from a ease of administration perspective, it's probably a lot faster to work with CIM solution providers to make sure that you're at least beginning to comply with some of the minimums in all these different areas around the world with differing privacy regulations.
Yeah, I think John, that's what we see a lot as well. So there's a lot of prospects and customers that we've been working with over a number of years who have built an in-house solution and really sort of the changing privacy landscape and the bar being raised so high from consumers expectations is, is sort of making these organizations reevaluate their historic investment into their in-house and look to, to externalize not only because it starts to meet sort of more, more contemporary customer expectation, but also that ongoing level of efforts to meet sort of the different regulations as this becomes more of a, a global mandate. I, I wonder from an Analyst point of view, if you are seeing a similar trend of organizations and brands who have historically made quite a large investment, either in in-house solutions or augmenting sort of what might have been designed for workforce use cases, sort of shifting to more sort of point or best of breed customer density and access management vendors such as Akamai.
Yeah. You know, I think that that let's say large multinational corporations, maybe that did have lots of internal IM experience and, you know, built their BDE IM years ago, our finding that it is increasingly difficult to meet those regulatory requirements. I mean, thinking back, you know, just over the last 10 or 15 years or whatever, and in it in general, whenever a major regulation has appeared, it's really changed a lot of how products get implemented. I mean, if we think in the us of things like stocks or in broader, you know, PCI DSS or HIPAA or things like that, it's taken a while for the tech world to adapt to that. So with, you know, GDPR is kind of the big making a big splash over the last few years. There's been a lot of interest, not only by technical people in how to comply with this, but I think it's spurred other areas around the world to think about consumer privacy.
So the, what we're seeing now, I won't say it's like the tip of the iceberg, but I think there are lots more consumer privacy regulations that are gonna come into effect. So to get back to answering your question, I think, yeah, the companies that, that have big, I am presence for workforce are finding that it's easier. They don't have to become subject matter experts necessarily at the technical level for all these different regulations around the world. If they go with a service provider that that can abstract some of those details away, you know, that that may be to their advantage in those cases. But, you know, we also see that the big stack enterprise IM vendors have come a long way in the last couple of years, too, in terms of offering, you know, more fully featured consumer facing identity management solutions as well. So yes, the industry's kind of repositioning on a number of different fronts to be able to handle security and privacy challenges. So let's see, we've got, got a couple of questions here does spending on consumer IM come under the purview of chief digital officer or customer experience officer or with CIO CS O
What's been your experience there, Myer.
Yeah, I think it's, it's very varied. And I think, you know, we typically don't see the, the budget coming from the, the CSO organization. We definitely see them as strong stakeholders typically because, so it's, you know, 2019, almost 2020, this is never really a greenfields opportunity. And so often we're sort of very tightly working with the CTO or CIO office who potentially have the, the budget, but I think what's sort of critical is that they are servicing the business. And so whether the business being, being marketing or, or privacy in, in this scenario, we often see a shared services model from it sort of delivering value back into the organization. An emerging title that I'm sort of coming across in organizations is sort of chief product officer or product officer. Who's sort of looking at the digital economy or digital business in, in these organizations as a, a competitive advantage and either that's to do with how they are offering digital services to consumers or to, to operationalize those, those services in house. So either cost savings benefits. So we're definitely seeing a much higher consolidation actually, of, of vendors. A lot of the opportunities that we've certainly seen since becoming Akamai versus Jan is a consolidation of sort of points, small sort of niche identity vendors as sort of customers have looked to make strategic procurement decisions and reduce, reduce the number of vendors in their staff. And so that initiative is typically driven by the, these CSO office.
Yeah. You know, the only thing I would add to that is, you know, we do occasionally see spending coming out of CIO budgets for CIO, you know, and I think CIOs probably welcome that to a degree because it's an opportunity for the it organization to be part of the, the revenue or value add chain, instead of being told that we're overhead a lot of times, but we also, I mean, beyond the original question where the Oscar was asking, is it the chief digital officer customer experience officer? Sometimes we see CMO chief marketing officer being the person with the budget for that. So the, the second, and the last question we've got here is do we have a sense of spending by companies as a percent of it budget that we expect on cm given the pace of digital transformation Mayer, would you like to take a first shot at that?
I actually, to, to confess I don't have full visibility in what that margin might be. I mean, I obviously have a bias of what I would like it to be, but I guess John, you've probably given more, slightly more insightful answer.
Yeah. You know, I, I think it really, and in the interest of time, we'll have to cut it a little bit short, but we could definitely follow up afterward. You know, it really depends on the nature of the business. If it's a, let's say a retail business or, you know, travel something where you really can maximize revenue by offering a premium digital experience, they're gonna put a higher percentage of their budget into CIM than say, well, and unfortunately, in this case too, like healthcare companies or insurance companies, you know, that's not to say that those kinds of companies shouldn't increase the amount that they budget for CIM, because there are some problems that those industries have, but it does tend to vary by industry. And with that, we've reached the top of the hour. I'd like to thank everyone for attending today and thanks Myer for supporting, and we will have the recording and slides available by tomorrow. Thanks everyone. And have a good day.
