Customer Zero: Okta on Okta



Lorraine:  Let's get started. My name is Lorraine. I run the Customer Success Programs Team at Okta.

I'm really excited to bring this pretty cool story to the Oktane Customer Success Track stage. We wanna share with you how Okta uses Okta. A novel concept, there, both from the Business System perspective, but also from an IT standpoint.

How many in the audience are IT Administrators for Okta? Sweet, that helps. Okay.

I wanted to introduce our speakers. We've got Stephanie Dwight, who's our manager of Business Systems, and Chris Flynn, who's our VP of Employee Experience.

Chris Flynn:  Enablement.

Lorraine:  Enablement and experience. It's their job to make sure that we have a great experience with Okta, as employees.

Without further delay, I'm gonna hand off to both of them, and then we'll wrap up with a couple of minutes for questions at the end. I'll pass the mic around.

Just as a courtesy reminder, let's silence phones and avoid going in and out. We've got the video running in the back.

Alright! Take it away! Thank you.

Chris Flynn:  Alright, thank you!

Hi, guys. Welcome to the Customer Zero talk, here. For those questioning what the heck Customer Zero even means, we have an internal program called Okta On Okta. Customer Zero is the concept of "IT should be the best and first customer of Okta." Whether that's for inputs on the products or customer support, or all the other aspects that we do as Okta, we, as IT, partner with our developers, engineers, product managers, to help make everything better. We call that group Customer Zero.

For more, longer introductions here, why are we actually gonna be speaking to you guys about this at all?

Chris Flynn. I'm the VP of Employee Enablement. Normally this would be more like a VP of IT Ops kind of job, but we are 100% SaaS on our internal side, so the only Ops we really have are Networking. My job, really, is to make sure that our employees have everything that they need.

The Service Desk areas are my areas. Productivity applications like G Suite or 365 or that kind of stuff, Okta engineering and Okta On Okta programming. All that falls underneath me. And I'll let Stephanie...

Stephanie Dwight:  My name is Stephanie Dwight. I'm the Manager of People IT, Business Systems, and People Systems.

I manage, basically, everything to and from Workday. Whether that's modules being implemented at Workday, change in business processes, controls, compliance standards, as well as some other systems, like Learning-Management System.

I am here, today, because I'm one side of the puzzle of Okta. Workday, or your HR system, has to basically partner up with Okta. That's why we're here today.

Chris Flynn:  That's why we're here.

Really, the point of this Track is to give you a peek into what we're actually doing internally. Real life, this is what we're doing, this is what we're planning, this is what we're looking for. This is not a sales pitch in any way. That's not who we are. This is literally our situation, this is what we're doing, this is what we've done. Hopefully we can share some experiences. We all share the same challenges that you all have. Hopefully this resonates with you guys.

Let's talk about the current environment first. Okta, about 1,000 people. It's not a huge company, but it's not a tiny company. We're at that stage of a company where you start actually having processes, build, growth, scale, and do things successfully. In our business systems, portfolios, about 150 SaaS applications that are supported. All of those are represented inside of our Okta implementation. In total, we have over 350 actual chiclets inside of Okta.

For dev environment, to IT environments, as well as production environments ... All that stuff is the single [inaudible 00:04:22] is going to Okta for everything. This has actually been one of the cool stories.

I joined Okta back in February, and didn't really have a lot of experience with the product, itself, before I joined. One of the really neat benefits of this is, we don't have to tell people where to go to find their applications. Don't have to send people URLs, emails, or call Service Desk. You just go to your Okta and you're there. Everything you need is already in one place for you. Even that, from the productivity side of things, has been a great boon for me, coming in. It's actually very helpful, going through this process.

Just want to talk about this briefly, and then talk about where we're gonna focus today. As Todd talked about this morning, there's seven aspects to the entire cloud, if you would. Whereas the SSO part, which everyone's familiar with, the single sign-on, adaptive multi-factor ... We're gonna talk about that more today. Mobility, the APIs, Universal Directory, Lifecycle Management, and your developer kit.

For today, I'm gonna focus on adaptive multi-factor, the ability to give context to where somebody is, and then forced multifactor, rather than just ham-fisted, everyone gets hammered with this, and this makes the experience as awful as possible, to let's really turn it on when we need to turn it on. We'll talk a little bit through that. Also, on mobility, what we're doing to handle the fact that everyone wants to go mobile, and how we're working through that.

Stephanie's gonna be talking about the Universal Directory and Lifecycle, and how that works with Workday to do some provisioning. Awesome pieces around that. That's gonna be the focus for today, and what we're gonna be talking about.

The challenge is, like every other company that's happening today, we have serious challenges around a couple aspects of going mobile and having ... Let me say it this way. With everyone trying to bring their own devices in now, back in the day, if someone did have a device it was usually given to you by IT. It was locked down, whether it was a pager or a phone. Now, everyone can bring their own smart devices in. They wanna work on their own smart devices.

How do you handle that? You have phones you can take with you around the globe. They're not tethered to anything anymore. How do you deal with that? How do you deal with the fact that countries around the globe aren't always so friendly and safe environments to plug your stuff into? How do you handle that? How do you deal with the fact that half of the spam coming in today are phishing attempts? They're trying to get information from you, and get your passwords.

If they do get your passwords, how do you deal with that? How do you protect the second layer of protection? How, from a traditional point of view for IT ... I come from an IT past. Most of the environments I've dealt with, we've had data centers, and you had firewalls, and you had VPNs to get into that. As Todd was talking about this morning, the egress into your systems was actually pretty small. It was a pretty concentrated area that you could fortify.

We're basically 100% SaaS. We have no data centers, we have no on-premise system servers or anything to deal with. How do you handle that all your sensitive data is out in someone else's world? How do you handle that?

For today, we want to really focus on these four areas of concerns that we have, and that we're trying to deal with. Let's talk about mobility first.

Two platforms that we support, Android, iOS, the two main platforms that you'll see out in the world. Inside of Okta, these are the two that we've chosen to focus our time and effort on.

For Android at Work, this rolled out, I think, internally, in April. April? The adoption on this wasn't really what we expected, at first. The benefits of using something like an Android at Work, is once you enroll, your email profile then gets built for you. We send it up, so they'll build your email profile. You didn't have to go in, know all your settings, try to figure out how to get to Okta On Okta or your Okta email. It automatically comes down for you.

We also push down the most important applications to you automatically. Your Box, Workday, Concur Expense, those kinds of things. Enabling those, or other applications that you can choose to bring down if you want to, they're part of a protected store. You can choose to pull them down if you want to, but you don't have to if you don't want to.

At least we were able to get somebody up and running, a new onboard person, almost instantaneously, 'cause everything is there for you, ready to go.

We also push down all of our wireless profiles. Any of our corporate offices, you go in there, you can connect with your phone. You don't have to worry about passwords, you don't have to worry about understanding what their wireless situation is. That's already taken care of. When you go in, you have to log in.

We thought that was gonna be the best thing in the world. "Here you go! Here's everything you need to go do work." Everyone took a step back and said "Whoa. You're gonna do what to my phone? I don't think that's gonna happen."

At first, we're like "Well, maybe we shouldn't push this out to everybody? Let's think about how we really roll this out, and work through the hearts and minds." We'll talk about that in a minute.

The number one thing, as we've started going through and talking to people and trying to get adoption, was the fact that the Android at Work, we can't delete your phone even if we wanted to. We can't see your photos. We can't see your private information. None of that's available to us, as admins. The product, itself, doesn't even allow it. That was a story that helped, at least, gain some momentum as we started going through this.

With all those benefits, on the Android side, on the iOS side, you'll also get all of that, with some certificates. By adding the concept of certificates, and then being able to push that down to the phones, it took one of the biggest challenges that we had, with people locking out their email accounts.

People would come down, and you put your email profile on your phone, and then you go change your Okta password, which changes your 365 password. You haven't changed it on your phone. Your phone keeps trying to log in. Locks you out. With certificates, that all goes away. You don't have to manage passwords anymore. The certificate takes care of all that for you. We've actually had a really great adoption, on the iOS side of the equation, and we're getting much better on the Android side.

For the risk part of it, which we've talked about ... Again, no data centers, nothing on premise, everything's SaaS-based, travel restrictions, doing business in countries that are what we would consider higher-risk, I think. I wanna say there's 18 or so different countries on our risk list, if you would? We didn't want to just blanket latch everything down. We wanted to make sure the experience was safe where it needed to be, but frictionless also where it needed to be. We created some rules and some internal policies around this.

For example, SOX application? Multi-factor. You're not getting in, unless it's multi-factor, so we can do that at the application level. If you're on a team that handles particular IP that's sensitive, we can lock you down based on the team you're in, not just the application.

For countries where you do travel, and we consider them high-risk countries, we put in the same thing. It forces multi-factor and has a two hour session time, where it stops, dies out, and you have to kick back off again and go through a multi-factor.

It's really given us a much more flexible way to solve a lot of problems that we have. We ended up being really authoritarian, in locking everything down, and creating a really bad end-user experience. The last thing we wanna do is get in front of this, and create a system that nobody wants to use, and starts to actually resent you for.

These are some of the things that we did to help get through enablement of mobility, and get through the enablement of locking down risk. Wanted to share a couple lessons learned. I hinted at this a little bit. It was a little bit surprising, when we thought we were rolling this out and everyone's like "Great! You're gonna help with all this server stuff."

Nobody wants to give you their phone. They don't trust you. They don't like you. Hasn't been running for us, but we are going to get more stringent and strict about how we roll these things out. Our plan turned out to be get buy-in first. Opt in. Let people opt in. Get your champions, say "Hey, it really is great. It really is helpful. It's not as bad as everyone thinks it is." So when we do actually go for the push, to roll it all out, there'll be a lot less resistance to making that happen. Less noise that comes back through that.

For our security friends that are in this meeting, when you're doing these kinds of things, make sure you're in lockstep with your security groups and go together, so you're not fighting the battle all by yourself. Make sure you have somebody at your side, saying "This is really what we need to do. We know it's gonna be painful for some people. It's really the right thing to do." You're not fighting that on your own. Also get your top-down. Make sure your executives sign off. This is really the thing to go. If they don't buy in, if they don't get their organizations to buy in, it gets really bad really quickly.

The final part, I think everyone's aware of. Culture's hard. People been doing it this way for ... Okta's, what, eight years old or something like that? It's been a fast-growing company. It's had a lot of developers, a lot of free thinkers that elect to do things the way they wanna do it. Trying to harness that energy and maturing as we go. All that stuff needs to be taken care of. That culture change definitely takes time, but it can be done.

I'm gonna hand it, now, over to Stephanie, who's gonna talk to you about Workday and how that works with our Universal Directory and Lifecycle stuff.

Stephanie Dwight:  Thanks, Chris.

Hi, everyone. This is my favorite subject, I will say, managing Workday at Okta. It's quite the experience. We are, very much, just like everyone else's company in the room, when it comes to actually deploying our own product.

What you'll see here is some major challenges that we have on the IT Team, are manual processes. You might be a little shocked by this. We're Okta. Why would we have manual onboarding and offboarding processes, when that's what we sell?

Basically, when I joined Okta a couple years ago, we hadn't had the opportunity to just sit back and think to ourselves, "What can we do with what process we're going about right now? What can we automate?" We were running fast, and not taking a step back and taking a deep breath and said "Okay. Oh, hey. Here are these few things that we can do to make our IT Team's life a lot easier."

You'll see up here, we do manual imports. All of our onboarding for new hires, literally manual. You all know the functionality in Okta. Push the manual import button, imports all your brand new users. It's great! It's easy when you're a company under 1,000, but when you're growing so fast and maturing, you're going from a teenage company to an adult company. Pre-IPO, post-IPO, really great things, but your processes also need to mature.

Not just manual imports, but manual provisioning of groups, of applications. Through attribute linking, we can actually automatically put you in a group, where you get your applications right away, automatically. I see you guys shaking your head, like "Yeah, duh. Of course. What the heck?"

Deprovisioning and provisioning. Provisioning is great. You can still do that manually, no big deal, but the deprovisioning piece is what we really care ... We care about both, but the deprovisioning piece is the security side that really matters to us, as a security company, essentially. Making sure that you're offboarding your employees properly.

Where do we start? We have these challenges. What does that mean? How are we gonna fix them? The way we broke it up, is we have really two sides, two pieces of the puzzle.

Who are you? And, what do you need access to, to be productive? What application security access do you need?

The first side of the house, you'll see, I'll use HRIS and Workday interchangeably. I'm sure there's quite a few people in the room that don't just use Workday. There's other great HRIS systems, too. I, personally, love Workday.

We have Workday. You get hired on your first day of work. What does that mean to Okta? What does that mean to our People Operations Team? To our IT Team? It means that you're in a certain call center. You have a certain hire date. You belong to a certain manager. The attributes are endless. How can we actually use those attributes to link you to the automated provisioning piece that we sell today? We've got the people, we've got where you belong, what you do for the company, your role. Are you an individual contributor, are you a manager? Then, how do we link those certain attributes to Okta? To the actual access? To the security pieces?

Took those two sides. We've got Okta, we've got Workday, we've got our people, our attributes. We've got Okta Identity Management, and how we're going to actually link those applications to our people. This is our journey, really. Just take it in, but I'm gonna talk through each one of these five steps. The approach to solving our problem is, you understand we had our challenges. We've got two awesome systems that can do amazing things. What does that mean?

First, we reviewed our onboarding and offboarding processes, like I touched on a little bit. What can we automate? What makes sense to automate? Where do we still want a little bit more manual control?

Then, second, we reviewed Workday, the capabilities of Workday. Workday is a master real-time sync. What does that really mean, and what does that mean internally for IT, for business systems, for people systems?

Then, what can Okta do to solve our problems? We talked to our Business Value Management Team. Awesome guys, they did a full assessment on us. Yes, there's definite opportunity here. We took that, and we said "Okay, cool. We know these systems can do exceptional things. They talk, they're built to talk. How do we know, as IT organization, why our sales teams give certain apps to certain people on their teams, but not other people?"

Wouldn't you think that all of sales would get the 15 applications to make them productive? No. We've got renewals, we've got account managers, we've got SDRs, we've got sales leadership. All different attributes. We figured this out through our data discovery.

Number four, here, you'll see a little matrix. I understand that you guys can't see this from there, but what this is really showing is, application list from just one group, from sales. We've got applications in one column, and then along the rows we have all the different groups. We got this exact diagram, this exact matrix, from our internal sales team.

What we got from this was, our sales team is splitting up their application access by call center. Easy. For me, it's easy, because I live in call centers every day.

How does that tie back to our current business processes? How does that tie back to the business, and how we can actually move forward and automate our onboarding processes? This is where we came up with the solution.

Back on that matrix, that's when I started to dive down by department. How am I going to link these attributes back to the slide where I said "We've got our people and our attributes, and then we have our Okta Identity Management, Access Management"?

Through that, I discovered, it's more of the 80-20 approach that I took. I understand there's lower levels that I have to dig into, but right away, it's kind of like crawl, walk, run. We're crawling, just to be honest. We're still crawling, but we're getting there.

We have actually built into our hire business process, to actually assign certain call centers to provisioning groups in Workday. That way, at the moment of hire, you're assigned to a provisioning group. Makes sense. It makes sense if you're an Okta admin. You understand how those groups actually work when you tie them to different applications.

From here, I realize we've got all these provision groups. We have about 45 different call centers at Okta. Like Chris said, we have over 1,000 employees. I understand there's probably people in this room that have 20,000 plus people at their company. We're not there yet, obviously, but hopefully we will be. There's other ways that you can go about that.

You can do call center hierarchy. There's different attributes that you can link during the hire and changed op process, where you can tie these groups together. When I said crawl, walk, run, we chose one business process: onboarding, which is hire.

I've kind of been laughing quite a bit about this. One of our current employees, IT guys, he owned Okta at Okta, just the admin setup. He goes "Steph, just turn it on."

Like "What? How do you just turn ... What do you mean?"

He's like "Yeah, just turn on real-time sync."

Like "You can't just turn it on."

I laughed, because I've had to reconfigure a hire business process to actually rope in real-time sync, which I'm saying here, is had to build out new sub-processes. Once you add in that real-time sync piece into the hire process, how do you know that all the data's accurate? How do you know that everything that you're sending over through that integration, that it's going to be consistent? I built out a process that our People Operations Team signs, seals, delivers, data's accurate, and goes straight over to Okta for provisioning.

That ends this whole designing the solution, from the beginning to the end. Auto-provisioning with the hire process, and de-provisioning with the termination process. We're not at the termination process yet, because voluntary and involuntary terminations are very sensitive for us, and for everyone in the room. We're still working on that, but the hire process is great, and it truly ropes in all the different attributes that you can use within Workday.

I understand this is a little bit of an eye chart, right? But I'm going to walk you through it. What I just told you, the whole solution? This is it, in a flow. This is our onboarding process, ideal state. You'll see ... I dunno if I need the pointer.

Top left, that's when we've got our HR activities. You start out with candidates ready for hire and our applicant tracking system. Once it's ready for hire, then it goes into your HRIS systems. For Okta, it's Workday.

From there, magical real-time sync. Get to that point, spits all of those attributes that you need into Universal Directory, which is at the point in time that Okta realizes "Okay, here we go, let's start the provisioning process."

O365 has a different type of provisioning process, versus our SAML applications, as well as our SCIM-enabled applications. All of these things, depending on the type of applications that you use at your company, is all automated. Then, of course, you've got those simple web applications that are not set up for provisioning, and you still have those manual pieces of the puzzle.

So let you digest this a little bit. This, currently, is ideal state, since we're just launching our hire real-time sync process.

So what's next? I talked everyone through what our challenges are. Yes, onboarding and offboarding challenges, from a people operations, IT, Service Desk standpoint. The road map to get there. Still have quite a bit of work to do, but I feel like we're actually starting to walk. It's great. It's really great. Public company, successful public company. We're growing, just like quite a few other companies in this room.

Where does that leave us? That leaves us here. This is more of an ideal road map for me. I've got my People Operations Team here. They're probably like "I dunno about that."

We planned close to June. That might be a little bit of an exaggeration, right there. It was probably more around six weeks, four to six weeks. Real-time sync hire process, like I said, it wasn't as simple as my coworker thought it was.

Doing the whole real-time sync implementation for the first time, as a Workday admin, I had to re-evaluate the process. It wasn't just about impacting our IT and Business Systems Team, it was impacting all of HR as well. We had to pause and wait, and actually get buy in more from the business. That's probably what has taken us the longest period of time, about two months. Now that we're going to really see the positive impacts of this real-time sync and how it's going to free up time for our IT Service Desk onboarding team, reviewing the termination process and understanding the impact there and how much it's going to impact Okta as a security company, and how we're going to have tighter protocol around people being offboarded...

Then provisioning groups. Provisioning groups, right now we have the 80% dialed in. It's that 20% that really matter now. You're in a SDR call center. Are you an SDR manager, or are you an SDR individual contributor? Those types of questions, that I have to go back with my team, and say "Hey, what do we need to dial in for our applications? License management."

Once we get our provisioning groups nailed down, which will continue to evolve over time, then we'll throw in their changed op process and other real-time sync processes. There's, I think, about ten that Okta and Workday deliver, and that would impact your people at your company.

Having said that, this is the whole life cycle for Okta and onboarding and offboarding processes, and what we are currently doing today.

Having said that, that concludes our presentation. Thank you, everyone. We've got fifteen minutes for questions.

Lorraine:  Questions from the audience. There we go.

Speaker 1:  Yes. How are you handling contractor and contingent worker onboarding?

Chris Flynn:  It was right there. He doesn't even wait.

Speaker 1:  I think it's a big issue for, probably, most people.

Stephanie Dwight:  It is. Hire, right? Got real-time sync for hire. Great, it's perfect, little box. Contingent worker, that I'm still investigating heavily on. We do, to be completely candid and open about it, that's probably number one or number two on our list of process fixes.

Chris Flynn:  Yeah, so we can identify them in Workday. We can pass that information over and put them into contractor groups versus FTE groups. For certain sensitive communications or applications, we can separate out who gets access to what at that level.

There's a lot more work we need to do, on the business process side, around contractor hiring, itself, before we're comfortable even looking at automating that and pushing that through.

That is one of our next major challenges to go tackle, but it is definitely ... At least we can tackle it at the provisioning group level, in an automated way. Once we manually put somebody in, the attributes can get pushed over and it can be handled on the Okta side, as a contractor versus a full-time person.

Stephanie Dwight:  I'd love to brainstorm, too. Especially you Workdays masterfolks out there, always wanting to know how you handle that, too.

Speaker 1:  Thank you.

Lorraine:  Any other questions? Here we go.

Speaker 2:  Back to the same question, but where are you guys struggling at? Reporting issues, stuff like that?

Chris Flynn:  Through the contractor side of things?

Speaker 2:  Yeah, contractor and contingent.

Chris Flynn:  We have a pretty well-defined onboarding process for FTEs. There's a whole applicant tracking system, everything is pushed through there. There's lead time and there's stops along the way that define that out.

Our contractor process is still much more scattershot, as a process. It's very difficult, or it's a bad idea, to automate a process that isn't well-defined and well-rounded, if you would. Until we can nail down and have much more certainty on the quality of the data being brought in from the contractor side of things, we're still more nervous about automating that, at this point. From my perspective.

Stephanie Dwight:  From the Workday side of the house, I would say the process that hasn't been completed on that software side ... Maybe you have the solution for this. The actual contract to hire, as well, conversion. Not only do we have to solve for just the contingent worker piece, but we also have to solve for if you're currently, today, a contingent worker in Workday, and then we hire you, you have a brand new, different profile. You have a brand new employee ID. Our IT Team has to hand-hold those individuals that make that conversion, as well. That, to me, is more of the headache than anything.

Chris Flynn:  Did that answer your question?

Speaker 2:  Yeah. I talked too long.

Chris Flynn:  We'll think of that as a no. We'll take it later on. We'll dig that one up fine.

Stephanie Dwight:  Got somebody here in the back.

Chris Flynn:  In the back.

Lorraine:  Get my fast walk on. There you go.

Speaker 3:  You talked a little bit about the struggles of turning on real-time sync on the Workday side. I'm curious about the advantages you saw on the Okta side, and what makes it worth going through the pain. We're currently Workday as a master, but we do not have real-time sync turned on.

Stephanie Dwight:  Interesting.

Chris Flynn:  I think the biggest value is, we have a hiring cycle, where we used to have people waiting for Friday afternoon to start turning all these things on. We can now start that process way earlier, so it's not a mad rush at the end of a week. Some weeks, we have a lot more people joining than other weeks. It's the same resources that do our Service Desk work, also do our onboard provisioning stuff.

The ability to bring that out and give visibility much further up in the chain, much earlier in that process, has been very valuable for us. That's the biggest takeaway for us.

Speaker 3:  One thing I'm not clear on, is it seems like a lot of attributes get updated right away. How does real-time sync change that? Are there additional attributes that you get sooner, or...

Stephanie Dwight:  It's two sides. At the time of hire, we're looking at the attributes in Workday, to assign them to the provisioning groups. Once you pass over that provisioning group, then you have all the applications that should be assigned to that provisioning group.

That is the true value, because in my perspective, if you go back to what Chris was saying about we have that seven day window that we actually are able to onboard people, it's not just that. I understand that once we turn that off, people are gonna be automatically passed over through the scheduled import, as well.

When you're saying that the attributes automatically get updated, they do through the scheduled import, yes. But the true value is to be able to not even have to worry about that. In the hires business process in Workday, automatically assigned to the provisioning group, the employee's off and ready to go. I don't care if they start today, or in three months. They're there.

Speaker 3:  Thanks.

Stephanie Dwight:  Yep.

Speaker 4:  You currently support real-time sync with Workday?

Stephanie Dwight:  Yep.

Speaker 4:  Are there other HR masters that you have on the road map, or are there others that you know of that have been in contact with you about it?

Chris Flynn:  I think the way we'd answer that is, we only have one HRIS master into Workday. From the IT side of things, that's really the only thing that we're looking at.

As Stephanie showed, there is an applicant tracking system that we want to put into the front end of that, to even automate that process as well. During that whole interviewing process, we can gather that information and not have to pass that over. From an HRIS mastering perspective, it'll be Workday for us.

Lorraine:  There's one more in the front.

Chris Flynn:  In the front.

Speaker 5:  I believe I saw a reference to Active Directory in one of the earlier slides. Do you guys have Active Directory in your infrastructure? If so, do you plan to continue using it?

Chris Flynn:  We have no AD at all.

Speaker 5:  Thanks.

Stephanie Dwight:  Big question.

Chris Flynn:  Yeah, I know. We get that one a lot.

Speaker 6:  How are you guys handling machine auth, for use of all your machines?

Chris Flynn:  Machine auth?

Speaker 6:  Yeah, like your applications...

Chris Flynn:  Oh, like device trust?

Speaker 6:  Yeah, your desktops or...

Chris Flynn:  We haven't turned on device trust at the actual device level yet. Outside of the certs that we put on iOS, that's as far as we've gotten so far.

Speaker 6:  So how do you have ... You log into your Mac, you're using a password. Where is that mastered?

Chris Flynn:  The local passwords are on the local machines. We haven't ... We are looking into that. We had, actually, a couple really good conversations with some other folks around that, early last night, actually, the networking session. We haven't implemented that yet.

All of the local logins on Macs ... 'Cause we're about, I think, 90% Mac in our world. All that's still managed locally, and then the Okta's a separate password.

Speaker 6:  Okay.

Lorraine:  We have time for one more question, and then we'll wrap up. Alright.

Speaker 7:  First of all, I wanted to say thank you for being so transparent. This was very interesting.

I actually have two questions related to change management. Can you just talk a little bit about what the driver was for starting this work? Was it strategy, compliance? Was it part of your tech road map for this year?

And, can you talk a little bit about who your stakeholders were, from a role level, in your organization?

Chris Flynn:  Sure. Do you want ... I can talk about the driver, and you can help with stakeholders.

Stephanie Dwight:  Okay.

Chris Flynn:  I was hired in February. Part of the background I had, was I ran a similar program at another company, in terms of just the Okta On Okta program, that concept.

Part of the onboarding and taking a look at how the processes worked ... There were some pretty clear opportunities for some efficiencies to get. We broke that down.

As Stephanie talked about, one of the first things we did, we actually took a look, holistically, at the end-to-end process of how does someone come on and how do they offboard. The driver was, we need to get way more efficient. We're growing. We are transitioning from that stage of it was okay to do everything by people, to now, the mistakes, they are ... Mistakes is a good word.

We would bring someone on, and we could put them in the wrong DLs. We could put them in the wrong application groups, 'cause it's all done manually. The impact, not just IT, from the productivity ... Especially with the actual people coming on board, it was not a great experience. We really wanted to focus on automating the onboarding experience from any perspective, not just from the IT perspective. That was, really, the two big drivers on that.

Any other questions? There was another question, like change management, too?

Speaker 7:  Just stakeholders.

Chris Flynn:  Stakeholders, oh yeah. I'll let you talk about the stakeholders.

Stephanie Dwight:  It truly impacts both Chris's side, and also basically all of our Service Desk. It increases their productivity, but truly our people side as well. We're really impacting their day-to-day business processes. Our VP of People, as well as our Director of People Operations, they're big stakeholders, as well as Chris and our CIO, Mark Settle.

Chris Flynn:  We sat down with the VP of Global Operations, for Sales Operations, for example, to get that list. We met with all the business operations teams and said "How do you guys work through and figure out who gets what applications on your side of things?"

We have pretty strong operations groups inside of those areas. We're able to work with Engineering Operations, Vicky, and go "Hey Vicky, how does this work for you? Who gets what? How should this go? How do we lay out all this information to go make this right?"

Literally worked through the operations side, where they existed inside the company.

Lorraine:  Great. We'd love to hear your feedback about this session, good, bad, or other. Take a moment to rate and provide feedback in the Oktane 17 app.

Just wanted to take a moment to thank both of you for sharing the Okta story. Why don't we give them a big round of applause?

We're not in Sales. We’re not Product Managers. Not Execs either. We’re Okta’s customer zero.

Every IT Department uses Okta differently. Learn how the IT team at Okta leverages our own platform to deliver a great experience to Okta’s employees and to simplify our day-to-day IT operations. We’ll cover key milestones like Workday as a Master, Okta Mobility Management, sign-in policies, and more. Join us for a true IT-professional-to-IT-professional discussion with lots of time for Q&A.