Lessons Learned from IAM Transformation in Banking

Shall we start? First of all, thank you very much indeed for prioritizing this meeting over lunch. I know maybe it's not a good idea to listen to some lessons learned while you are hungry, but thank you very much. My name is Patrick Shirai and I'm representing Sweat Bank Here. I'm trying to talk to you regarding what lessons have we learned, why we made our, of course not made, but we are still in the journey of I A M transformation. First of all, who we are, it's simply we are a bank. We are a sweat bank. It means it founded in Sweden but spread to Balti countries as well. So Lithuania that we and Estonia, and if you are thinking of the size of the company, it's about 7 million private users. Private customers let's say, and 500,000 companies that are our customers. Normally, you know, nowadays banks are not just traditional banks that you just put some money there and we lend it to someone else.
Banks are in the front line of preventing financial crime, you know, because every organized crime has to do something with money and then it means we are in the front line to stop that and we are there to just detect what kind of trends do we see. But anyhow, if we go back to our discussion on iam, as you can see on the screen, we have been there since 200 years ago. And what does it mean to be a bank and have 200 years of history? It means it has been evolved during the time. It means legacy, simply legacy. Because in your evolution, procedures keep adding, you know, guidelines keep adding European legislations, UN legislations, sanctions, everything's keep coming. Technology keep coming, but are you up to speed? You know, simply what is legacy, legacy is when you are not up to speed. You have something there which is working, but it's not up to speed.
So here we are going to talk about what lessons have we learned. First of all, make sure if you are doing it in your own organization or you are in the middle of your journey, make sure it is a business console, not just an IT upgrade. You know, it's quite easy. There are some engineers there, they are just trying to upgrade. You know, let's go to Azure ad, it's beautiful, okay? But if it's not a business concern, it won't succeed. We have seen it and as soon as people are start leaving the company and joining somewhere else, everything will be stopped. Make sure you tell your business why you are doing IEM transformation. They need to understand you need to have cto, cio, everyone on your side, they need to ask for it. You know, make sure you are just proving them. What value do you bring yourself?
Make sure they know what kind of business enablement you have. How can an organization work without iam? Make sure you prove to them you have a proper operational efficiency when you are having your transformation. You know, make sure you are placed in your digital roadmap. So CIO is asking for it, CTO is asking for it, and you have to have a place in your take. Radar. Zero trust might be a buzzword for many people, but you know, zero trust without iam. I'm not, I cannot imagine that. And last thing, cloud first. For many organizations it's just beautiful to say cloud first. Cloud cannot be first without IAM on the cloud simply. So I'm not going to talk a lot about this, you know, during these days you have heard a lot simply, and of course I don't know how this laser works, but anyhow, simply on the left side you have some input, you know from hr, you have some events, joiners movers, levers, you have processes, you have guidelines, blah blah coming. You have your entire identity fabric, everything there, which you are already aware of that and you have some consumers, you have services, you have very close devices, everything there. Now how can it work while you are doing it? Your IM transformation. You need to make sure you have a proper impact analysis. You know, how big is this change? And the organization is aware of that.
Maturity assessments, we found them really perceptive. You know, we found them really valuable. It is easy to go blind in your own home because you know, you get used to everything. Everything looks fine. I'm not sure if you have attended the very first day, you know, it was a workshop half a day regarding maturity and you know, it's easy. You might say, oh, our maturity in infra, I just think it's five out of six, 70% after five question you feel like, oh, it's not, it's maybe 20 something. You know, those maturity assessments help a lot. There are many organizations, KuppingerCole is one of them, you know, Gardner, Microsoft, they all provide you and it's really valuable. You don't wanna have the same pain points, you know, for a couple of years. Now after having all of these, then you come to this place after this, there is no turning back.
You take the blue pill, you wake up in your bed and you just keep adding ad hocs. You take the red pill, you stay in Wonderland and you start with your vision and roadmap. Without roadmap you are lost. You know, it's just like Alice in Wonderland. Alice told the cat, where should I go? And the cat asks, where do you want to go? And Ali said, doesn't matter, you know? And the answer is, okay, wherever you look, let's go. So without roadmap, you are lost. Now here, legacy is not just tooling. You know, you might have a very modern tool with a legacy mindset, with the legacy way of working with the legacy procedure. So make sure and you know, just the bad news, these items, culture and mindset are 1000 time more powerful than your tool. You can't just buy the tool, but we cannot buy mindset.
You cannot buy the culture. You know, make sure you have enough impact, you have enough power, you have enough support from your organization on this, otherwise you are lost. So how many times you see, you know, organizations buy very sophisticated tool and just park them for a rainy day, you know, and they'll be expired after some time. Now, next item Suncast fallacy. You might have spent hours and hours and spent a huge amount of money to build some applications, you know, scripts, tweaks, whatever. And one day you say, hey, there is a better tool out there and this tool is legacy, but you don't feel good if you just let it go because you spend a lot of my lot of money on it, then what will happen? You just keep it and you'll be thinking, you know, you don't have to carry this heavy load with yourself, you know, just let it go. If something doesn't work good.
Now this is supposed to be really black anyhow, just imagine this is black. Just imagine you are in a very dark room in China and there is an animal there you have never seen and it's called elephant, you know? And you just need to touch it to understand how does it work? It happened in China. So some people in the dark room, they try to understand, okay, how does an elephant look Like? This guy just said, I feel like an elephant is just a tail. The other one thought it's just a bar, you know, whatever. Why am I giving you this? It was a prophecy. Chinese or Indian or even Middle Eastern, something just to tell you mind. Invisible legacy and mind dark data. You know, invisible legacy is type of legacy that is there. Engineers keep creating homegrown applications that you are not aware of. You know, there is an application somewhere that is working quite fine now, but as you are changing anything in your authorization on authentication, it won't work any longer and it is invisible. So how to work with that, I live the challenge to you, you know, but proper communication and information could help. And also the arc data, a data that you are not aware of, a data which is there but you don't know it. That is also something to think about.
Have I succeeded so far to disappoint you? No. Here we learned maturity first and automation next. You know, if you automate a mess, you will get an automated mess that's just simple, you know, you just speed up crap production and that's simple. I just guarantee that. You know, just imagine. And this is a dummy, we haven't done this honestly. You know, just imagine you build a system that you know, captures some anomalies and alerts some people and you automate it yet after some time you get hundreds of hours and you just normalize that it just looks normal. So better not to do that. If you are not mature enough, don't, you know, automation is a very buzzword. You know, you are going in your PI plannings or whatever, hey, we have done an automation, but if you have not mature enough, you know you need to just, you already build a legacy automation. Think about that.
There are dependencies between cloud and on-prem. Make sure your IAM in general works without on-prem. You know, I'm just giving you couple of examples. You have some iem, infra and IGA and directory service, whatever on-prem, and you have something on the cloud. What will happen if on-prem goes done? Are you still able to do authentication authorization or no? You are just away. You know, if you put everything behind your PAM solution, privileged access management and you have an on-prem PAM and all your cloud is behind that and on-prem goes down, does it work? So think about harsh situations and how you can diminish these type of dependencies before you get trapped. Next one. You know, I liked Mike Tyson when I was teenager. He was a very famous boxer and you know, he said this, everyone has a plan until they got punched in the face.
You know, when you go to a ring for boxing, you have a plan how to do, but you've got the first punch, okay? All plans are done when you get harsh incidents. Nothing works as it's supposed to be. You know, you might say we have a very proper procedure that we can recover this system in five hours. In harsh situation, it might be 50 hours. You know, a stress is just too much in such situation. People keep calling. Try to have a real plan. You know, just imagine tomorrow morning you wake up and nothing works. Okay, can you fix it on before lunch let's say? Or no? If no, don't be afraid of getting help from others. You know, there is a huge amount of threat. I don't wanna bother you with lots of these statistics. You have collected a lot and took lots of pictures during these years.
These days. Sorry, there are lots of threats against Im so take it seriously. There are even those persistent threats that you don't know what happened to your iam, but it seems like gradually some things are changed, some attributes has changed. Are you aware of those type of, you know, crawling type of things? So make sure you have some plan for that. And this one, not just iam, you know, there are many concepts that has to be built in, not bolted on. Security needs to be there by design. I can give you an example. Segregation of duty, sorry, all vendors, you know, no tool can give you segregation of duty. You need to have cation of duty in your processes. Then a tool will realize that. But we just buy a tool and then it'll give us ion of duty. Good luck with that if you are planning for do so.
So segregation of duty, security, many other concepts have has to be there earlier by design. So with all said, our takeaways is that go for assessment then your vision and have a roadmap and implement that Next item, I'm afraid to say on-prem is already a legacy. So speed up cloud journey, you know, cloud will not wait for you take IAM resiliency really serious. It is really serious. And of course always think end-to-end process. I'm proud to say three years ago we got a price from KuppingerCole regarding automation of our digital identity end to end. Why? Because we have made some steps forward and that was the result of it. You know, this is the lessons we learned during that journey. So thank you very much indeed and thank you.
Okay, thank you. Do we have any questions from the audience in the room?
Volunteers,
Otherwise I will ask questions
And I need to leave two minutes earlier because I have a panel on the other room
Also. We have two left.
Okay.
Hello? Yep. Thank you for the great presentation. When you say move I am to the cloud, do you also mean the directory service in the cloud? Like because for a bank, all identities in the cloud, is that kind of,
There are measures to do that, you know, because you are already on the cloud and you need to think of if you are going to put your source of authority there, what steps you need to do. I'm pretty sure you know, we have it in our bank. Every bank need to have it, that you make sure your privacy concerns are properly measured. You know, cloud looks a bit scary in financial in the beginning. Are we losing control? It's just leaving our perimeter. But no, it's possible. Many banks have done it.
Any other question from the audience in the room? So that that's the case. Do you have any insights or lessons learned from, from handling stakeholders and end users? Have you, have you had any challenges with them? What is your lessons learned from that?
Lessons learned was that culture and mindset you need. You need to be very open-minded and you need to be very communicative with people. That's the main thing. That's the main lessons learned.
Okay. Yeah. And do you have any lessons learned that you can transfer to any other organizations that are not banks that are not highly regulated? Do you think that can work for them as well?
The only thing I can say when you are not buying to these type of regulations, just speed up. You know, just go for cloud, don't waste time on developing on-prem, which is not, you know, really future
Safe. Good, good with giving you your two minutes that you require. We will end that very much session a little bit early and start the next one. So thank you for your presentation.