Executive Panel: Identity … Who Owns It? (IT, Security, Legal, HR?)

Transcript

Mark Settle:  So what we might do is get off to kind of a soft start here. I'm going to let the panelists introduce themselves and talk a bit about the organizations that they represent, and to start those conversations about identity management. I've asked them in advance to particularly focus on some of the more unique identities that they deal with within their respective companies and organizations, as well as maybe some of the harder to manage identities that cause problems over time. So with that I'm going to let Jas introduce, start the introductions and we'll just go down.

Jas:  Do you want to do all three sort of questions at the same time? 

Mark Settle:  No. Just first, just about identities in your organization. I think that provides some insight into the business model as well.

Jas:  Hi everyone. Jas Hayre. I'm the CISO for Dow Jones. Most people sort of recognize the brands some people don't. Any readers of the Wall Street Journal in the room? So the Wall Street Journal is the most well-recognized part of our product portfolio. But we're really a very big media information business. We've got a lot of B2B products as well as a lot of B2C products under that portfolio and umbrella. So in terms of the types of identities and different identities we deal with, I think it's very similar to what you're going to hear on the panel. 

A lot of internal customers my users, I'm responsible for both enterprise security as well as customer facing product security. So I'm dealing with internal customers, and then of course external customers, consumers of the Wall Street Journal, consumers of MarketWatch and Barron's, all of our personal all of our are Internet facing brands. And when it comes to what's the most challenging parts, I think for us the employees. I probably started this, some of the easiest identities to be able to deal with. I think it gets a little bit harder when you start moving into contractors, which are much more flexible moving in and out of the company.

The other thing that folks might not know about the Dow Jones company is we're a part of News Corp. This is a very, very large media brand that has a very international presence and we try to foster a lot of collaboration. I'm very supportive of it. That is probably our most challenging identities to manage, is when we've got developers and engineers from some of our media brands in Australia or the UK, and there and we want to collaborate with them. That gets, I think some of the most challenging work comes from they're trying to collaborate with them, and manage those identities for folks who there are privacy regulations that are getting in the way. There are different HR departments, different legal departments and keeping on top of those identities is some of the toughest work that we've got. 

Christine:  Good morning everyone. My name is Christine Sullivan and I probably serve at City Year headquarters, which is in Boston, Massachusetts. We have 28 sites across the US, so hopefully some of you are familiar with our program, but if you're not we work with AmeriCorps volunteers on annual basis sending, focusing on school teams to serve with students in underserved communities.

Most of the students that we work with have some sort of early warning indicator of where they're at a deficit, or a risk of not graduating from high school. So we target those kids to work with them either with curricula based activities, or social emotional learning to keep them on track, on time to graduate from high school. So on a daily basis we're serving over a hundred thousand students across the network.

Internally we have about 4,500 people. About 1,200 of those are staff members and the rest of the AmeriCorps members that join us for a year. So as you can imagine, we have a particularly challenging time, two times a year on-boarding and off-boarding people that are coming to serve with us for a school year. 

So that's one of our unique challenges it's why we love Okta. It's returned an enormous amount of time to our team in technology. We're all cloud based and Okta helped us get there from an identity standpoint. Identity is a huge opportunity for us internally. We're stewards of a lot of data that comes in from school districts around the country, and it's our job within IT to be good stewards of the data, but also offer easy accessibility to the folks that need to see that on daily basis to drive our mission. So I would say the two unique ideas internally really are the staff, and then the core members that are serving with us on an annual basis. 

Mark Settle:  Great. Thank you.

Steve:  Hi, good morning. My name is Steve Callison. I'm with Cardinal Health. I'm a VP responsible for enterprise platforms, so I mean our IT organization kind of a shared service, a component of it. In my role I have responsibility for a broad portfolio of platforms from our big data Hadoop platform, our business intelligence applications, integration platforms, and also identity.

So that's my space and my role. About Cardinal Health or about $130 billion company, so pretty significant in size. I always remind our partners to sell to us. We're pretty low margin business so I don't have deep pockets, but a pretty significant pre on large transaction processing organization. The legacy of our businesses is around distribution. So we service about 28,000 pharmacies in the United States doing daily deliveries to replenish. Whether it's a hospital pharmacy, your CVS pharmacy on the corner or, a Mom and Pop retail independent.

We also have medical surgical component of our business that distributes principally to hospitals and other acute care settings. I'm focused on med surg products, drapes, gowns, gloves. We are the largest nuclear pharmacy network in the country. So we have ... I forget how many buttons are ... About 300 nuclear pharmacies scattered around the United States to deliver doses for patients on a scheduled basis, because we're dealing with half lives or we call them melting ice cubes.

So that's kind of the business. It's changed pretty substantially. Healthcare has changed pretty substantially, so we're changing with it. A lot of pressures and some of the things have changed. We've moved closer to the patient, so we have patient facing components of the company. Now doing more home health focused distribution. We also have shifted component to the business to be a more of a products company. 

So we've done quite a few acquisitions over the past few years to build out our product portfolio and our manufacturing capabilities. So with that came kind of moving out of what I would call it, principally domestic company to where we have manufacturing plants scattered around the world, and also now are distributing product to serve our customers around the world. So fair amount of change.

From an identity perspective. First off, I always have a disclaimer. I'm pretty new to this space but the areas that are ... The populations that are challenged are the identities that challenging are two that jumped to mind. Employees, relatively simple because we have a centralized HR organization that's a shared service and [inaudible 00:07:41], so that seems to work pretty well. As with Dow Jones, contractors are difficult for us to manage just because they're spread and how they're managed is not centralized in the organization. So, you've got a lot of points of opportunity for people to forget the process and not do it correctly. 

And then the other one that's interesting for us is customer identities. When we think of customers at Cardinal we think we're a B2B company principally. So we think of ship to's and where are we distributing products? So it's a CVS store, it's a hospital, is the emergency room in a hospital. We don't talk as much about the individuals that are doing that those identities. And also the way we operate while we try to play well together, we're really separate business units. So everybody kind of defines the customer differently. And our master data problems with customer pretty challenging and daunting. That trickles down to identity is pretty difficult with customers. So blood duplicity, a lot of applications require multiple logins depending on the persona you're in. So things like that are what we work with.

Mark Settle:  Thanks. Welcome to our new guest for joining us. We just started the introductions so far, I can see who we have on the panel [inaudible 00:09:14] introduction. So the first question that you know is around, what are some of the more difficult or unique identities that you have within the context of the business model for Rodan and Fields? 

Ralph Loura:  So for those of you who don't know Rodan and Fields is premium skin care company. And we're a direct selling company. So the best way I describe it, the most tech people is we're sort of like Dollar Shave Club meets Mary Kay. All right, so we've got an online E-commerce space business. Everything is direct to consumer but, we have set of in our case a quarter of a million consultants in the field. They represent and sell and service our brand and care for our customers.

So one I have to keep track of those quarter million consultants. I've got to effectively connect into various assets. The other thing that's challenging is they're all independent consultants. They run their own business. They're essentially our business partners as we go to market. So they're using other tools in many cases, they're not an individual they're a company. There's a partnership that's been put together that's joined the business, and so has got some complex nuances of how I have to validate identity and manage identity across that landscape. 

Mark Settle:  So when identity mismanagement occurs, how does it manifest itself within your model? Ralph, we'll start with you and work our way back. 

Ralph Loura:  So when you have a quarter of a million people for instance, someone's ... There's a lot of people that have the same first and last name and that business, there's a few people who may have picked the same similar sounding name in their business. So ensuring that I'm getting connecting a consumer to the right consultant that they really wanted to connect with. 

So managing identity and the attributes around that to really get that right. Ideally we have people connect directly, but oftentimes the consultant [inaudible 00:10:54] will connect. They'll look up someone, they think they got the right person, they'll connect and bind that way. That's one of the issues we have. If it goes wrong then I have to go unwind not just the relationship, but I have to go unwind the transactions that occurred under that, and the computation models and things like that get complicated pretty quickly.

Steve:  From an identity mismanagement perspective. I'd say a couple of things. First, it's the front door. It's the first thing that people experience. Whether they're coming to work in the morning to log in, or whether they're a customer logging in and it's the first interaction with Cardinal. Most recently we just finished a huge acquisition and adding about 10,000 new employees to the organization. So it's about the experience and the interaction. So when we have problems with onboarding it's all about the productivity and the experience and the impression of Cardinal to the stakeholders.

So that's one. And then say second it's a reputation legal risk. So we deal with a patient data, which has HIPAA regulations on top of it. So controlling that data and making sure we have the correct safe guards in our onboarding and off boarding appropriately, and allowing access appropriately is a huge deal. And while there are legal and penalties that go with it, probably the largest is reputation if we don't manage things correctly.

Christine:  I'll second that for us. I mentioned earlier we're stewards of a lot of data that's coming in from school districts across our network and as you can imagine. If you're a parent and that data is special to you and it's special to us. So definitely provisioning correctly and making sure that the folks that need that data to help us demonstrate the impact that we serve across our network is vital to us. It's about credibility. It's about safeguarding that data. But at the same time, it's the balance of who needs access to what to make sure that we're delivering the right level of services to the students that we serve.

So we've been fortunate enough to ... We're now all cloud based, but we've partnered heavily with Okta. We also use Workday, so the automated a lot of the provisioning tasks within our organization. It's still a balance of making accessibility easy, safeguarding the data, but also based on our culture and our sort of very heavily collaborative group, educating people on not mismanaging their own ID's out in the field. And in trusting us to provision them correctly, and have access to what they need on a timely basis.

Jas:  Yeah. I think being the head of cyber, the cyber risks, obviously around mismanaging identities is obvious. I won't go into that. But I think the other one is that's been touched on already is just a productivity loss from identity mismanagement. I had the pleasure of listening to the founder of Atari talk and he said something that was really sort of interesting and resonates with me, which he said, "Why isn't it that today when I got into Las Vegas I didn't get off the airline, getting off the airplane, didn't have a car waiting for me when I got to the hotel? Why isn't it that my phone didn't know which room I was going to when I got to my room? Why isn't my phone telling me when my friends have checked in? And, and when the table at the restaurant isn't ready?" 

And I actually think one of the biggest inhibitors of that great awesome experience that you just laid out there is actually identity and security. So I think the lost productivity and innovation from really screwing up identities I think can't be understated. 

Mark Settle:  Just to kind of echo that Okta is a thousand-person company. But at any point in time you may have 200 or 300 contractors without even knowing, there's lost productivity on the part of the contractor, but there's also the entropy within the IT organization because, the minute we have a highly paid consultant on site, there's not proper bigger practice systems. There's a maybe a little escalation to our management chain and you know, any process we try to put in place to do this in a rational manner is thrown overboard and left chasing your tail constantly. So I think there's a dark shadow. So just a couple more questions I'm going to open it up to the audience.

I thought this was kind of an interesting way to think about identity management relative to the historical responsibilities that the IT organizations have. So many folks as you know every IT group that is responsible typically of mastering certain kinds of data within the company. Whether it's managing customer data, or product data, or other organizations to kind of have their finger in that pie one way or another. But sooner or later the warehouse team has got to lay down the law and say here's some golden fields you know we've got to control. This is the customer's name, customer's billing address. This is the kind of SKU that we actually sell in practice in the field and you know, you don't really go the 20 days like this where you think about master identity management. That's kind of like an evolving concept of going out quite adaptive to the customer and product maximum. So just to kind of ask the panel to reflect on how those concepts apply to your organization that came up mastering the ultimate source of truth identities. So Jas we'll start with you.

Jas:  Sure. I think there's nothing we technologists would like more than really reliable data. We know our systems work well when the input into our systems is reliable, because that's when we can make sure that the output of our systems that are reliable. So in the identity space at Dow Jones I can certainly speak for, we have more than one master to serve, right? So I think when we take all of our identities and personalities and put them into broad buckets, I think each of those broad buckets we've identified masters for, but there is no one masters rule them all if you will. So for employees, the HR department, we look at them as sort of the masters of that record. They, for all intents and purposes don't exist until they're in Workday and have a name, and I can look them up, and I've got a picture for them. 

For contractors, we look at them as sort of the relationship owner of that relationship with that partner. Usually is the owner of that. And now the most interesting one that I mentioned during which is, we're trying to really get people across the entire News Corp family. 30,000 employees all across the world. A bunch of companies that do the same thing in different parts of the world. Getting them to talk together. That's where we haven't really identified a master if you will, because we've got too many different companies. That News Corp has 12 companies and we can have 12 different sort of masters in that space. 

So that's, that's a proven to be the most sort of complicated use case. But at least I've got two masters that I can rely on for our contractors, and our HR employees. And the contractors we looked at and say hey, can we also sort of get HR to own some of those relationships? But HR has said, hey, we don't ... They don't go, they don't get benefits from us. We don't process their pay roll right there being cut through invoices and through different business processes. So it really didn't seem like a good fit. They didn't really feel like they were, they could control those business processes. And so we said, you know what, these two have to be two different masters, if you will. 

Christine:  So at City Year, I've had the privilege of working through sort of a three year technology overhaul plan. And identity was early on in that period when we started sort of lifting out of legacy applications and moving into SaaS-based platforms and it became evident not only from a productivity standpoint like we've been talking about, but accessibility on safeguarding data, that we needed something to help us shepherd people into systems and safeguard the data that we have access to. So we think of Okta as our identity management tool and our master data center for who's coming into the organization and who's been provisioned for what.

So I think I probably have it easy because we have a lot of control and a much smaller organization, and it was part of our overall strategy when we started lifting into scalable applications. But from a sort of a master data slash identity standpoint, we partner heavily within our organization with business partners for not only what you have access to in inside enterprise applications. But we as technologists don't necessarily have an opinion on who should have access to what. So I would say we have a very collaborative approach internally through our governance processes, and working with business partners on defining master data sets and then applying whose identity you should have access to that information internally. Thanks. 

Steve:  It's interesting. I'm sitting here thinking how much dirt to share and how honest debate. I'd say employee. We've got it's clear that HR owns the employee and governs it and owns it's identity. I'd say we as an organization, Cardinal struggle with master data period. So regardless of which component, whether it's supplier or a customer product, it's a tough putt for us to get the organization focused on pulling it together. 

And it's mainly because we operate as business units within segments in each one has their own P and L and their own agenda and striving hard to grow their business, prey on customers and drive their strategy. And that umbrella of trying to pull it together is pretty difficult to justify and get accepted in the organization and get the investment and effort and the mental energy around. 

So when you then extend it out to identities, I would say it will be a new topic almost for us to start talking about identities. We're much more comfortable talking about customers and ship to's and things along that. But it'll be interesting to see us try to evolve it. It's, it's fun for me because I just came over from owning our customer facing application, so all of our commerce sites and I didn't appreciate to be quite honest, identity and the governance over it and whatnot. I thought entirely about customer ship to. So it's enlightening it'll be fun to start rolling up our sleeves and trying to figure out how we get identity as mark more a component of our dialogue and what the governance looks like. But uh, it'll be a tough putt for us.

Ralph Loura:  Yeah. So we're in the middle of a digital transformation of sorts. One of our big insights was sort of the old. But the great thing about master data is I have so many copies of it to choose from. So it's great to be in the cloud, but I ... So I've got Salesforce where we use marketing cloud and service cloud. We use a tool called Cognition that we use for learning and development. We use another tool called Medallia that we use for loyalty. 

I can SSO all of them, that's great. But they all have a different copy of or different idea of who that person is once I'm there. And so for us, Okta and using identity as the core of that rethinking and refactoring the way data works, is allowing us to really centralize some of that thinking, build a ... Again it's not to be too buzzwordy, but build a kind of a microservices API based environment where I can consume the right thing when I need it, where I need it versus cloning and copying and syncing data all over the universe.

And again, there's that population of consultants is large and getting larger, that just keeping things in sync becomes a problem. So having a sort of canonical authoritative idea of what identity is matters. So, because there's no one function in the org, the one function on wanting to develop another owns a logistics and so on. And it ends up being ... We've made the decision that the tech organization owns identity, both the platform and I'm managing the, mastering that data for the external side. For employees of course, that's a ... Like most people would be in HR ownership model.

Mark Settle:  So the other organization that obviously has a significant vested interest in identity and actually a corporate oversight responsibility, is the information security team. Wherever they are situated within your organization. I think so I'm [inaudible 00:24:29] impression that IT and Infosec are always at odds, and it's kind of a tug of war and kind of like a big mud thing in the middle of the two. It's going to, you know, can we pull them into the mud, give up what they want to do and, or vice versa. 

And in a theoretical sense, security organizations there to establish policies and then IT kind of gets the opera, the assignment to operationalize those policies through tools and controls in the way of tools get used to be able to adhere to the policies. And that's kind of a nice theoretical way to think about the way the world should work. But there's tension I described before, and the injection of human behavior can make it a whole different phenomenon that the theoretical view of how things should work. 

So that's a long-winded introduction to say. I'm sure in all four of your organizations, you work closely with your counterparts within the security organization or IT organization. So based on your experience and your companies, what would you think of is like best practices to establish a more collaborative relationship, as opposed to an adversarial? So Jas we're going to start with you on that one. 

Jas:  Yeah. So I own the security organizations. 

Mark Settle:  That's fine. So you can take the ... 

Jas:  Front seat at that. I think as you hear from everyone here on this panel, and I'm sure you've experienced the same thing, this identity thing isn't easy. It is a very sort of fluid concept. I don't think identities in 10 years are going to be the same thing they are today. But when I'm bringing people kicking and screaming to the table to talk about identity and further our understanding of identity from HR to legal, to privacy to attack, I'm really trying to just kind of put a few things into their heads. 

One is actually just keeping it simple. I think the more and more complicated these identity systems get, the technologists often feel like, no, don't worry about it. We can have 10 copies. I'll get millisecond syncs between all of those and that type of stuff. So I tried to calm the technologists down a little bit, and I try to say, hey, let's keep things simple. Even if that, even if that means that I might get a delay in something or someone might need to wait 20 minutes to get something, I'd rather that than over-engineer the crap out of our identity systems.

So keeping it simple I think is quite central. I use that almost once a day. A guy that works for me says he should, he wants to get paid for every time I say keep it simple in my job but I do keep repeating because it is quite central to the security ones. That's the one I put out there. Whatever your identity governance processes that you're going to put together and the technology that is going to underpin that, keeping it simple is probably the ultimate goal for me. 

Christine:  Saying one of our guiding principles we use a lot when we roll out new technology, is keeping it simple. As you can imagine in our organization we're highly collaborative. We have a bunch of end users that love to click on everything and that comes through an email. So security is top of mind. We have a very interested audit committee that we meet with on a regular basis. That is always interested in what our security roadmap is, and what we're implementing, and what we're doing to demonstrate that we're being good stewards of data.

But on the flip side, we need to get people out to schools to serve our mission and when you have 3,500 people coming in over the course of three weeks, you can imagine that onboarding and safeguarding of data and accessibility becomes a huge challenge. Which is one of the reasons I'm really not selling Okta, but why we chose Okta because it really returned a lot of time not only out to the field and users but to us. 

But again I think the simplicity, the challenge for us has been keeping it simple and as simple as it is, it's really sometimes entertaining to see how people can forget what their passwords are all that good stuff. But the simplicity factor and I think the experience. We have a lot of young people coming in to join us on an annual basis, they're not necessarily interested in the security aspect of things, but interested in getting access to artifacts and tools that they need to go do their jobs for the students we serve. So I would kind of second the keeping it simple advice. 

Steve:  I don't know that I've ever seen anything that we've kept simple sometimes. But I won't play to that one. I'd say from us, our structure is, identity is in our shared services. The platforms are in our shared services organization, and then that reports up to our CIO and then we have our CSO that owns a security architecture. And also policies and some of the processes are executed and he also reports into our CEO. That's our fundamental structure.

I'd say we have kind of rules of engagement and kind of domains and know what each is responsible for. But I'd say we are fortunate and sometimes we're called to Midwest Nice as an organization, but culturally we're pretty collaborative so we flex those boundaries and work together, and seek to understand perspectives pretty well. I'd say also our HR discipline, we've done a fair amount of rotations over the years. So the VP in charge of security today used to have my seat in the organization, probably about three years ago. So she understands things from different perspective. I used to have commerce and now I have identity.

So those rotations have been tremendously helpful to kind of go both garner relationships in the organizations, but also have understanding of perspectives. So we're fortunate that the company operates that way and that's the culture in our IT organization, and I think it really benefits us in this space where things get muddy. And we also probably in IT have more of a magnitude of resources than some of the orgs. So it's important that we contribute to the thought process beyond just the execution perspective.

Ralph Loura:  So I have corporate IT reporting to me. I have engineering reporting to me as we build and deliver a number of applications directly to our consultants. And then I also have a enterprise risk management, which includes our CISO. And then a digital team and in part what we do is we keep them separate. Because I don't want the fox in the hen house but it's very collaborative. So when we started with the engineering team or the digital team writes a user story in JIRA, the security team is involved in ensuring that user story has a security component. What's part of the ... How is this going to manifest so that from the beginning of understanding what we're designing for, we're at the beginning. And then we run like everybody does the typical kind of audits and code inspection runs in an automated thing so that we're aligned on a similar set of goals. 

What good looks like, what acceptable looks like, what our ... When we consider the balance being met. And so on, and that's aligned across the entire org. So everybody shares in that same goal. So engineering isn't goaled on getting a product out the door, they're goaled and ... And security isn't goaled on making sure that all the tests pass. Everybody's goaled in the same thing, so that we're aligned at the beginning. 

Mark Settle:  Great. Thank you so much. We've got a little under 10 minutes. So let me entertain questions from the floor. Anybody want to try to question on group up here. Somebody, yes. There's a mic right there if you want.

Audience:  Hi everyone. Thank you for the excellent panel. My name is [inaudible 00:33:01] I work at McKinsey and we're doing [inaudible 00:33:04] I'm the [inaudible 00:33:05] manager for MFA and we're working for IAM as well. One of the questions that I had in mind, especially for this session is. Within that organization did you say everyone reports to you? For example, like who owns the actual project of delivering IAM ? Because there's so many angles that are touched by this. So it could be engineering, it could be security, it could be a different product team, it's a product team itself. So what is that structure within your organizations to actually own how was the decision process to get to that structure? Thanks. 

Ralph Loura:  So for us we have a ... At least the way I think of things, I wouldn't have an IAM initiative. My view is the way I address identity or the way I address multifactor is as part of an application upgrade or roll out as part of an overall program deployment. Because when I'm trying to create a different experience in some process you're doing or some end user experience.

So as part of that work, I would integrate the work that's now trying to move us forward from an IAM or MFA perspective. To have one on its own it distracts the organization because first of all, I'm constantly improving the digital experience of an app or a tool or an environment that I deploy and run and that's both internally and externally. 

So to me, it's better to tag onto one of those programs, then it becomes integral to the way I'm changing user experience or upgrading or deploying an app or a website. I still track that horizontally and my CSO organization has a set of initiatives around improving our posture over time. But I wouldn't have an independent program that is IAM all by itself.

Mark Settle:  Anyone else?

Jas:  Yeah. For Dow Jones security tends to sort of lead at least the discussions around identity. So two and a half years ago when I joined the organization as CISO at Dow Jones, one of my first big things was MFA as broadly rolled out as possible. And so what that means is when you're sort of championing that cause I try and find partners and then go to the CIO and say, hey, look at the customer experience side of things. Why is this good for the user? Get HR involved in that, as many sort of win-wins as you can.

But sometimes that gets really difficult. I remember being in a call with a senior editor from our newsroom at the Wall Street Journal when we went to roll out MFA. And they told me the story of, "Jas, I'm in Iraq, I've got guns blazing all over the place. I need to file a story. It's timely. You want me to wait for my MFA token to come in via OTP?" So how do you respond to that?

So I think those kinds of things do happen, but at Dow Jones I try and find partners and win-win situations for us and identity. I'm the one who got sort of privileged identity management stood up, things like CyberArk and all these kinds of things. I'm an MFA for end users, trying to get our kind of current remote access to get away from PKI hard tokens to click of a button on your phone and you're in. So it's usually security that champions that. But we try to find friends along the way and there's usually something in it for everyone I find.

Steve:  I'd just say it's never quite clear cut who owns something, it depends on where it's coming in from and where the demand is. So new capabilities, when we did an MFA with CSO that drove it. Driving out technical debt and trying to simplify our environment I'd say is generally a partnership between my org, the CSO, but then new acquisitions and whatnot, or adding new applications and capabilities, the partnerships with whoever's driving those initiatives. So it kind of varies.

Mark Settle:  I think it's kind of a legitimate question, because if you're not careful you can solve these problems with a bunch of point solutions, and you'll kind of end up with a crazy quilt of tools. I would endorse Ralph's perspective. You may not roll everything out at the same time, but somebody needs to look at that full range capability. Otherwise you're going to find yourself managing a pretty cataract portfolio of capabilities. Anybody else? Please.

Audience:  Hi. My name is Joe from a company called Clear. You might have seen us in the airports in the sports stadiums. 

Ralph Loura:  I'm a customer. Thank you.

Joe:  We have a ground truth about 2 million biometric identities. We expect it to be around 20 million in two years. Where do you see within the enterprise, both in front of and behind the firewall, biometric identities as a natural token?

Mark Settle:  That's a great question. Panel? 

Jas:  I'm super excited about biometrics. I think the future, I think its time has finally come. We've talked about it for so long. I think the enabler sort of where we started jumping over the tip here is everything that we're walking around with in our pockets with a smart phone. I think smart phones are going to make biometrics a reality.

In what form TBD. I spoke to a company recently that's sort of taking ... We've all seen the whole picture of your face kind of concept and then we've all seen fingerprint. And lo and behold, a few weeks ago I had a company talk to them about taking a picture of your finger for a fingerprint. So I think there's a lot of really cool stuff that's going to happen. And I think the time is now, how we're going to utilize that is going to be very interesting.

There is no doubt that the privacy implications haven't been figured out, especially for companies like Dow Jones, which I've got offices almost everywhere in every jurisdiction globally. So do I really want people's fingerprints on my servers and the state? I'm not so sure. I don't think I do. I'm obviously, we still have everyone's pictures right there on their badges. They took it when they came with the company. So I think there's going to be opportunities for biometrics. I don't think they're going to be as invasive as sort of the movies or pinching with iris scans and things like that. But we're going to step into biometrics very, very quickly and now's the time as opposed to the last 15 years that we've been talking about it.

Mark Settle:  Anybody else? I worked for Visa back in the late 1990s, and actually we were very excited about the use of biometrics. So that retail point of sale terminals. And we just looked in the mirror and said, we'll never get the retail industry of the United States to change up the infrastructure that's there. It's just impossible.

So once again, Apple who's achieved what was considered to be up-sold absolutely impossible. And just my other observation is the people who live in the Silicon Valley bubble heritage, spend a lot of time around startup companies, there'll be some that would argue that IoT capabilities will trump biometrics in the sense that people have wearables and carry around IP addresses on their person.

And there's a concatenation of 9 out of your 10 most commonly associated IP addresses, when you go through the terminal or whatever and that has to be you, without keeping track of a fingerprint or anything else. You just register a physical device, whether it's your belt buckle or your shoe or your watch or your laptop, et cetera. And there's just enough triangulation to be able to say, that's got to be Mark Settle.

Joe:  I think it will be. 

Mark Settle:  It will always be. Yeah, absolutely. I think we have time for one last question. If there's anybody who ... If not thank you panel so much. Thank you so much.

The epitome of cross-functional, Identity has the distinct pleasure of impacting every single department, business owner and user within an organization. Yet it’s not always clear who owns it. Often times, it’s jointly owned across IT, security, legal and HR. But as the old business adage goes … ‘if everyone owns it, no one owns it.’ Join Okta's CIO Mark Settle with Jaswinder Hayre, Dow Jones, CISO; Ralph Loura, Rodan + Fields, CTO; Steve Callison, Cardinal Health, VP, Enterprise IT; and Christine Sullivan, City Year, VP of IT Services in a panel as we explore the intricacies of IAM ownership across today’s modern enterprise.