Show Notes
In this episode of The Identity Heroes, Chris Rich, the Business Information Security Officer at MassMutual, joins Aldo Pietropaolo for an insightful discussion on modern identity and cybersecurity leadership.
Chris shares his unique career journey—from sales and theater to leading IAM at a Fortune 100 financial firm—and explores the difference between customer and workforce identity, the importance of stakeholder trust, and the balance between risk and user experience. This conversation is full of real-world wisdom for those navigating the identity space.
Disclaimer:
The views expressed in this episode are solely those of the guest and do not represent the opinions of their employer or family.
Key Takeaways
- IAM can transform organizations when aligned with business outcomes
- Security must enable—not obstruct—the user journey
- Prioritization is critical in cybersecurity decision-making
- Customer identity requires a different approach from workforce identity
- Courage and listening are vital leadership skills
Heroes Journey
00:00 – Welcome to Identity Heroes
02:12 – From Theater to BISO
06:02 – What Even Is a BISO?
08:50 – Identity = Trust (Especially in Finance)
11:03 – Build Your Own IAM Curriculum
14:46 – Make Security Invisible
17:00 – Tech ≠ Strategy (And Courage Matters)
20:52 – Customer ≠ Workforce Identity
24:30 – Stakeholder Trust Starts with Listening
32:00 – Don’t Solve a $1M Problem with $2M
34:57 – Cybersecurity Is the Flour, Not the Icing
38:00 – AI, Frameworks & the Road Ahead
43:09 – Mentorship & the IAM Community
46:06 – Final Thoughts & Identity Optimism
Transcript
Chris Rich [00:00:00]:
You don’t spend $2 million to solve a million dollar problem. Everything has a certain priority order to it.
Mark Callahan [00:00:15]:
Hey everyone. On this episode of the Identity Heroes videocast, we’re joined by Chris Rich, who’s the BISO at MassMutual bank. And he shared some really interesting insights about how art and identity are starting to meet this intersection and how technology should really fade into the background and be seamless to the user. And last but not least, he also talked about what the heck’s a BISO? It’s a brand new title, it’s a new role and a lot of people want to know. So tell you what, let’s go listen to what Chris has to say and join us on the episode now. Hey everyone. Welcome to this episode of the Identity Heroes videocast. Today we’re joined by Chris Rich, who’s the BISO of MassMutual.
Mark Callahan [00:00:53]:
Chris, welcome. And today’s co-host is Aldo Pietropaolo. So Aldo, you and I have done this quite some time, we love having these conversations. And Chris, thank you so much for joining us to share your story because really, as we’re digging into what it means to be an identity hero, I don’t want to say that you came to us by any stretch and raised your hand, we sought you out, but nevertheless it’s how do we help people in our industry sort of up their game and really elevate themselves. And that’s the point of what we’re doing today. So I’m your co-host, Mark Callahan and Chris, thank you so much for joining us today.
Chris Rich [00:01:26]:
Very happy to be here. Thanks for inviting me.
Mark Callahan [00:01:28]:
Awesome, awesome. Well, you know, as we think about the hero’s journey, we typically break the episodes into four parts. And those four parts, Chris, as we do this is kind of like we arc a little bit around your journey, so a little bit of how you got to where you are today, you know, leading identity for MassMutual, some of the challenges and obstacles that you ran into, sort of the gauntlets, so to speak, along the way, learning somewhat about the team that you’ve done work with and how you’ve really up-leveled the team. And then also because there’s not a degree in identity and access management, what are some ways that our audience can self educate and self learn and bring up their own professional career. So sound like an okay way for us to get going today?
Chris Rich [00:02:09]:
Sounds great.
Mark Callahan [00:02:10]:
Cool, cool. Well, Aldo, you know, when we were talking with Chris before we started the episode, we had a chance, you know. Chris, thank you for sharing your CV. One thing that’s kind of fun to do is I’ve got a list of basically all the titles that you’ve held for the most part since you finished school. And I’m just going to read in sort of a rapid fire path here because that way we can get a feel for where you’ve been along the journey, if that works for you.
Chris Rich [00:02:33]:
Sounds good.
Mark Callahan [00:02:34]:
All right, so I know that you began your career in sales and you were working quite a bit on and actually almost in printer sales at the time. And from there, because of the knowledge that you brought to bear, you worked your way into becoming a sales engineer. Then you also were a network architect. You’ve moved forward and become a senior product manager several times in your career at a couple of different companies. You then moved on to becoming a delivery lead. You up-leveled from there to the head of customer identity and now you find yourself as the BISO of an amazing bank. And so this is one that seems a little bit linear. Would you call it maybe a little bit of a straight line yourself, Chris, or how might you describe that path?
Chris Rich [00:03:14]:
I would say at times very intentionally linear, but at times more a matter of doing what needs to be done to get to that next step, whatever that is, and also to, you know, taking opportunities to explore things that maybe were adjacent to what I was doing at the time or that really piqued my interest.
Mark Callahan [00:03:31]:
Do you have an example by chance.
Chris Rich [00:03:33]:
When I had made sort of like the professional leap into identity and access management as a practice full time, it was because I had, I was working at a company and my boss and mentor at the time had introduced me to the whole concept of product management. And the way he had described it just sounds sort of so fascinating to me. I said, wow, that really sounds like a role that takes advantage of all these different skills that I’ve acquired over at that point, you know, maybe 10 years or so experience. And it was just because I identified, pardon the pun, with that type of role that kind of sort of led me down that path.
Mark Callahan [00:04:09]:
Got it. Well, you mentioned, and if I may, you know, one of the things we talked about also before we began the recording today was the fact that you had a theater background by education. So you had this business degree and also a theater degree. A lot of times people watching us think everyone’s got a computer science background to be leading identity at a major financial institution. You didn’t. What might you share about that experience?
Chris Rich [00:04:32]:
Well, it was an opportunity to, you know, in your college years to explore those topics that are of interest to you. And I felt like being able to do that as a minor with a business major was an interesting way to kind of satisfy two different sets of curiosities. And looking back on that now, I can say I probably use more of my theater art sensibilities working with people, especially when you’re talking about presentations and influence and we kind of meet people where they are. If you’ve heard that expression, that was incredibly invaluable. Especially, you know, when I went into sales and sales engineering, I always felt like I was comfortable speaking to adults even at a very young age. I always had this, like, just natural, raw curiosity for things, which I honestly, I think any professional, especially a technologist, you have to just have a very raw passion for learning. It doesn’t necessarily mean you have to be, you know, cutting edge, but you have to have a natural curiosity for how things work and why.
Chris Rich [00:05:32]:
And why did this innovation take over versus that. So it just felt very natural to me as an individual at that time in my life. And so, yeah, rest is, as they say, history.
Mark Callahan [00:05:43]:
I love that. Although, as you lead a team of solutions engineers and sales engineers yourself, do you see some of the theater background being a benefit in your role, too?
Chris Rich [00:05:53]:
I do, sure.
Mark Callahan [00:05:54]:
Of course.
Chris Rich [00:05:55]:
Yeah.
Mark Callahan [00:05:55]:
I was going to say look at the shirt. I mean, look at the shirt. It just says it. All right, There’s.
Chris Rich [00:06:02]:
Yeah, that’s very cool. But, Chris, my first question is, what’s a BISO? What do you do as a BISO?
Mark Callahan [00:06:08]:
Yes, please. Yes.
Aldo Pietropaolo [00:06:09]:
A lot of people don’t know what that is, and I didn’t pronounce it right.
Mark Callahan [00:06:11]:
You know, that sort of thing. Like, what is a BISO?
Chris Rich [00:06:13]:
Yes, what is a BISO? So, great question. BISO stands for Business Information Security Officer. So everybody’s pretty familiar with the term CISO, Chief Information Security Officer. There’s a lot of similarities there. And every company that has a BISO program, they tend to run it slightly differently. For us, BISO is a cybersecurity expert consultant, a concierge into cybersecurity that serves one or more different business areas and maybe even some technology areas within the organization. Our role is to advise business stakeholders and technology stakeholders on all things cyber risk.
Chris Rich [00:06:47]:
And we also, like I said, act as. For us, we act as a concierge to the various cybersecurity programs within the organization. Ultimately, we’re there to help the business succeed in as safe a way as we can possibly achieve that, and all the while helping coach these folks while they’re trying to pursue these business objectives where cybersecurity can show up, and not only for me, it’s about showing how cybersecurity can be a differentiator as an organization as well as an enabler.
Chris Rich [00:07:16]:
That’s awesome. In your role as a BISO, do you find including business-driven outcomes with identity more and more now, meaning you know, I need to do X to reduce Y, it could be reducing cost or reducing risk of compliance findings, et cetera. Is that part of your internal advisory or do you just stick to technology advisory?
Chris Rich [00:07:40]:
So identity is certainly something near and dear to my heart because I’ve been, I refer to myself as an identity, a cybersecurity practitioner first and foremost. But the majority of my time in cybersecurity has been in identity and access management. And while that has been a predominant track within my professional cybersecurity career, I believe from my experience that if you do identity well, it can compensate for a lot of other things you may not do so well because every organization can’t do everything perfectly well. But identity is one of those things that if executed really well, it by itself can be a really transformative capability for an organization. And when I think about like a financial institution, like a MassMutual, and there are plenty of others out there that will operate very similarly, when you’re able to confidently and successfully identify the customer or that business partner that you’re working with, it creates trust. It creates those essential things that every brand needs in order to be successful. And when I was the head of customer identity at MassMutual, what was really, really important to me was the customer experience. Sure, security was incredibly important.
Aldo Pietropaolo [00:08:50]:
But if that experience that that customer, that business partner was engaging in while interacting with us as a brand, if that was not good, then that really took away from the value of not only the work that we were doing, but also the organization as a whole. So in that journey, I wasn’t necessarily so obsessed with the latest technology for a variety of reasons we can get into depending on how the conversation goes here today. But it was one where I was incredibly, incredibly inspired to tackle as a project because I saw the potential.
Chris Rich [00:09:26]:
That’s awesome. And in fact, just really quick, Mark, to that point, I recently ran a little mini study by actually opening accounts in different financial services firms, all the top ones, you could just name them. And I opened accounts, CDs, checking, savings, I mean, you name it, to see how the CIAM, the Customer Identity Access Management experience and ID verification processes were. And some shined in certain aspects of CIAM, some shined in other aspects, some shined in journey orchestration, some in authentication verification. But yeah, you can see the major difference between different financial services institutions and the folks who are kind of giving them inside baseball on and coaching and advisory on their CIAM initiatives. And some are definitely more pleasurable than others, I would say. So it shows up from a business perspective, which is an interesting kind of small little project for me to undertake and say, yeah, this stuff actually matters from an external customer driven experience. And same in the workforce, but different ways.
Chris Rich [00:10:33]:
So I’m glad you brought that up. That’s amazing.
Mark Callahan [00:10:35]:
Yeah, well, I’d love to get back to that in just a moment. One, you know, just a little bit. Additional question kind of on the initial journey side of things for you, Chris, is there really isn’t a degree for identity access management right now? We’ve said that many times on all the episodes. But as we’re thinking through what might be like a perfect set of curriculum for understanding where you are now as a BISO, what sort of coursework might you prioritize if you were thinking about like a perfect structure for an IAM degree?
Aldo Pietropaolo [00:11:03]:
Wow. Academic coursework specifically, maybe academic.
Mark Callahan [00:11:07]:
And I love the theater arts because that one too carries a lot of weight. I mean, and communication.
Aldo Pietropaolo [00:11:12]:
Yeah, I think the theme know thyself is really important because if you’re not, say, you know, very technically minded, taking an advanced algorithm class, it’s really not going to suit you really well. You have to lean to the things that you’re interested in. Because I personally have found when I’m interested in a subject, I tend to show up better, you know, for it because I’m getting some sort of, you know, not only professional, you know, recognition out of that, but I’m also getting some. I’m feeding something personal too at the same time, as far as like becoming an identity practitioner. The curriculum involves a couple different aspects. One is understanding that when I was a product leader, you have to try really hard, a deceptive amount of effort, to unbias yourself from data and from the way that you see the world. You have to almost separate yourself to a degree from what you think things should look like. And that’s a really difficult thing to do, especially as the years draw on as a professional, because I think we’re ingrained with this notion like, well, you’ve been doing this for so many years, you had better know all the answers.
Aldo Pietropaolo [00:12:12]:
And I think the opposite can actually be more true more often than the opposite. So there’s understanding what is the data telling you, what is the exact space that you’re in. ’Cause when I was building out this program in my time at MassMutual, one of the things I had realized was if I tried to push the technology envelope too far, it was actually going to have the opposite effect, because I also had a time window that I was working against a clock and it was a clock that I had self imposed. So I had to really right size the ambition to the resources I had available and most importantly, most importantly the time. And then there’s the technological aspects of what it is that you’re trying to do. When I was going around and sort of sharing, doing a roadshow of what it was that we had built, I would introduce it as this is cutting edge technology by 2006 standards. People would kind of look at me like this is back in 2017.
Aldo Pietropaolo [00:13:02]:
And they would kind of look around each other like is this guy for real? And I said, you know, the reason for that is when you look at the customer base, the actual people who are going to be interacting with this thing day in and day out, if you go too far to the technological edge, you’re going to lose a lot of people. You could have a great experience for someone who’s born with an iPad in front of them from age 5. But for a lot of our customers, technology is something that they weren’t terribly accustomed to. So it was really important that our sensibilities were weighed and measured against things that people were already familiar with. I wanted to make sure that the experience was something that was familiar. So you have to understand, it’s kind of like understanding your audience, who are the people that are actually going to consume this. It’s really important to understand that academically; the technology you can pick up as you go. At that time it was kind of convenient in that SMS text messages and voice calls with a one-time passcode were something that had been around for a number of years.
Aldo Pietropaolo [00:13:55]:
Actually the reason why I said 2006 is because that was when SMS was introduced as a second factor and was recognized by NIST as an acceptable form of two-factor. That guidance has long since changed.
Mark Callahan [00:14:06]:
But it was the best we had at the time.
Aldo Pietropaolo [00:14:08]:
But exactly, it actually is still relatively effective. The vulnerability comes when your telecommunications carrier gets tricked into porting that number to a different phone or you’re a victim of some sort of smishing attack and you click on a link you shouldn’t and it ends up forwarding your message. So yes, the old adage in cybersecurity is nothing is entirely safe. But when you’re thinking about a defense-in-depth strategy, identity and access management can provide you with multiple layers of protection at that front end. And also too, with all like the detection capabilities we have, behavior analytics. Right. There’s all these other technologies you can bring to bear. And also too, it was really important to me too.
Aldo Pietropaolo [00:14:46]:
And this is a theme that I would share with the team. Security is the kind of thing that it shouldn’t be like right in front of your face. Right. It shouldn’t be creating friction for the sake of creating friction. I said the best work we can do is when the security fades into the background and it’s there, but the customer doesn’t know that it’s there. Right. That can sometimes be a really difficult thing to sell too because we live in a world where like, you have to see those clicks, you have to see those numbers, you have to see that data. It has to be in front of you, in front of you, in front of you, constantly hitting you with, you know, with data and information.
Aldo Pietropaolo [00:15:14]:
I said no, no, no. We have to take the opposite approach. Security is not something we want to get in people’s way. We need to put the friction where the risk is, which means we have to have a user journey that aligns with that. We don’t want to necessarily just hit every single person with the same amount of friction if we’ve seen them 6,000 times. This person’s coming from an IP address we’ve never seen, in a country we’ve never seen this person.
Aldo Pietropaolo [00:15:35]:
Right. Like these are all things that you bake into the background. But it all contributes to this broader landscape of identity and access management, which I believe if done really well, the end consumer doesn’t see 98% of it. So there’s all these sort of like principles that you can draw from other experiences that people are familiar with digitally. Another important aspect of what we were doing and as an identity practitioner is what is the channel or channels through which people are going to be interacting with the service? Is it a mobile-only experience? Is it a web-based only experience? Is it a device-only branch?
Mark Callahan [00:16:08]:
Yeah. Where are they doing this? Yes.
Aldo Pietropaolo [00:16:10]:
Where are people going to be interacting with this? That too also gives you a lot of information about where you want to prioritize energy and effort when you’re building out an overall solution. So I think going back to your curriculum question, if I can try and land this, please.
Mark Callahan [00:16:22]:
No, no, this is great.
Aldo Pietropaolo [00:16:24]:
It’s a lot of different aspects. No single one will necessarily be more important than others at any given time throughout a journey. There’s going to be different times where different sensibilities need to show up and you can get those sensibilities a variety of different ways. I mean, in fact, a lot of times I think about really good solutions are ones that are just so simple, that just feel simple but yet they’re so incredibly complex behind the scenes. So when I think about that, I get inspiration from like art and from nature. I think that’s where like my theater arts kind of sensibility comes into play too. A really well written song just flows effortlessly. I feel like applications need to have that same sensibility.
Aldo Pietropaolo [00:17:00]:
We have a lot of emphasis on user experience and all kinds of applications. Just because it’s an identity and access management service doesn’t mean it can’t have some of those same things too. So it was kind of like setting that bar to say, hey look, this isn’t just a technology play, this is an experience play for which technology is playing a really important part. But it’s not the front and center, it’s not the purpose of it, it’s meant to serve. And as a technologist, I’m kind of like an anti-technology technologist. I look at technology as a tool. It does one of a few things, generate revenue, reduce cost or a combination of the two. If it doesn’t do any of those things, it’s for entertainment value.
Aldo Pietropaolo [00:17:32]:
And hey, there’s nothing wrong with that, but you just got to be clear about what it is that you’re trying to do. And this is where I think being courageous as a practitioner studies encouraged too. I read a bunch of books sometimes to get inspiration at different times and sometimes one of the most courageous things I think an identity practitioner can do is to speak to the leadership and to say, hey, I understand that you want to go in this direction, but here are some data points and here are some sensibilities that I think are worth considering before we full on commit to this. Because where I see a lot of programs go awry is they try and boil the ocean. Try and do too much. Right. I’m also a lifelong agile practitioner. Sometimes I don’t like to use the A word because it has a tendency to have a certain effect on people.
Aldo Pietropaolo [00:18:13]:
But I’ve seen it work really, really, really well. But I will say it working well is probably the minority of occasions, not the majority of occasions for a variety of other reasons. For another talk another day.
Mark Callahan [00:18:23]:
Well, you mentioned a word, courage. I’d actually like to take that a little bit further because that’s perfect in line with you as an identity hero. As we’re digging into this a bit more, although as we’re thinking through that arc, the idea of the challenges and the gauntlets. Is there any particular thing along the way for you, Chris, that you think about? That was like a defining moment that I don’t know if it was an incredible obstacle that you overcame along the way or even perhaps, I hate to say, a resounding failure. But you learned so much because of it that you were able to look back in hindsight and realize it really helped set you in a different positive direction. Anything that comes to mind there?
Aldo Pietropaolo [00:18:57]:
There’s two occasions where I felt like courage really showed up in what I was doing. You know, one was a time when I was getting feedback from senior leadership that there were some customers experiencing some problems, which didn’t come as a terrible surprise. I think I was reluctant to prioritize investigation into that work because I felt like there were more important things to address along the lines of scalability, flexibility, making sure technical debt was under control. I was really trying to look out for the longer term viability of that service. I really wanted to build something that would stand the test of time, but would also be flexible enough so that as technology evolved, so too could the service. But I actually started to dig in the data and I realized, yeah, okay, that was something that I was maybe a little too focused on, like what my vision was. And that’s why it’s important to always be open.
Aldo Pietropaolo [00:19:43]:
I feel like always be open minded to the fact that you could be wrong. In fact, a good probability you are wrong. But, you know, sometimes the courage comes in being brave enough to say, yeah, you know what? I think I might not have that quite right. Which is why I’m a very collaborative, professional, collaborative leader as a BISO. I try and be collaborative. I’ll fill whatever gap needs to be filled. It doesn’t have to be the hat I wear day in and day out. But the other occasion I thought was really warranting of courage was I was getting pressure from some internal partners to build a capability into the product.
Aldo Pietropaolo [00:20:13]:
There were some that wanted to integrate identity verification using like passport, driver’s license. And I said, you know, at the time, we were already being very, very successful at how we were handling that process. And we were really satisfied with the numbers around, you know, account takeovers. They were incredibly, incredibly, incredibly low. But there was still a lot of pressure to do that. And I, and I felt like I had said, look, I hear what you’re saying, I think that path has value and I think there’s definitely a future for that in what we do. But I don’t think that’s now. And it was being able to say, I don’t think the house is on fire enough to necessarily justify the work.
Aldo Pietropaolo [00:20:52]:
And it was gonna be a significant amount of work to incorporate that into what we’re doing. And I was also saying, hey, look, yeah, like account takeovers and that type of attack vector is definitely something we’re concerned about. But we have a wealth of other technologies that allow us to build confidence in the person that’s at our digital doorstep. And there was another philosophy too, that I think was very, very contrary to popular thought at the time, which is, as cybersecurity practitioners, I will say I feel as an industry, one of the things I think we do a disservice to practitioners is we’re constantly being conditioned consciously and unconsciously, to treat everything out there in the world as a threat. And when you’re talking about customer identity and access management in particular, I feel like it’s important that your bias should be more the person at our digital doorstep, odds are, is exactly who they claim to be. So it’s kind of like innocent before proven guilty. Right. Whereas I think practitioners, we have an opposite way of thinking.
Aldo Pietropaolo [00:21:47]:
You’re guilty, you got to prove to me, you got to show me a credential, you got to show me this, you got to show me that, and then maybe I’ll believe you are who you say you are. Right. And then so I think philosophically it was important to say, no, this is different, this is not workforce identity. And I will say this is another sort of industry problem. I think a lot of identity practitioners may not be able to articulate the difference between workforce and customer identity. And I think there is a lot of similarities. Absolutely. But there’s also some really important distinctions that separate them.
Mark Callahan [00:22:14]:
What are some key ones that you think of between the two?
Aldo Pietropaolo [00:22:17]:
Well, one is experience. When you’re in a workforce situation, the devices are most of the time being issued by the company, so they have that they have an acceptable use.
Mark Callahan [00:22:25]:
I’m getting paid, so you’re going to use the thing that I’m told to do. So I get paid.
Aldo Pietropaolo [00:22:29]:
Exactly. So when you’re in a workforce situation, you have a lot more guardrails available to you. Typically now, bring your own device introduces another whole set of nuance. You know, use cases around workforce for sure, but, you know, for the most part, your attack surface in a workforce situation is much more controlled. You also have a certain expectation that the person using the tools issued to them for employment, they have a reasonable level of expectation to know how to, they know how to use those tools and use them appropriately. Customer? No. All bets could be off the table. As a financial services company, we have customers that have been with us for decades, right? These are not people who natively gravitate towards technology, if at all.
Aldo Pietropaolo [00:23:04]:
I mean, there’s a lot of customers out there who don’t interact with us digitally. We obviously would like to change that, as would any company. We want them to interact with us digitally because we believe it allows us to give them a better experience. It allows us to give them more value, more features, more capabilities. And it’s also self service. If you wake up in the middle of the night, want to check your balance, you can do that. You don’t have to wait till the call center opens at 8:00 Eastern Time.
Mark Callahan [00:23:25]:
Or 8:00am to walk into a physical branch and talk to a teller in the old model.
Aldo Pietropaolo [00:23:29]:
So all the benefits are obvious, right, for the digital experience. But there’s, we could pay people to sign up for an account, they still might not do it because there’s just people who just don’t want to. So that’s a sensibility. You have to just be brave enough to go, hey, we’re not going to get everybody, that’s okay. But the ones that we do get, we’re going to do our darndest to give them a really good experience. That’s, it’s a good balance between friction and the risks associated with doing that.
Mark Callahan [00:23:55]:
I love that. Aldo, you took us down a path a moment ago that I want to get back to here because it’s actually really important to think about financial institutions now. Aldo, your experiment where you were opening different accounts and doing these things 10 years ago, that would have been three or four weeks worth of work. Nowadays you did that at your desk. In a couple of hours you could do that. You could just bounce. And Chris, I think as you’re thinking about the impact on the consumer, we have this ability to move. Certainly there’s customers who have been with MassMutual for decades, but there’s also new customers who could realize how easy it is to go from one bank to another.
Mark Callahan [00:24:30]:
Because just like Aldo, he was able to move in an appropriate way between institutions. And so that experience is everything right now. And too much friction as maybe a measurement. Are there other things that you use as a measure, as a BISO, that are KPIs or just outcomes like measurements of success of your team?
Aldo Pietropaolo [00:24:48]:
So I have to draw a distinction between an identity and access management practice versus the BISO role, which covers a variety of different cybersecurity disciplines. And really as we’re acting as consultants into the business on a whole array of cybersecurity topics, identity and access management may just be one of them or a potential solution to one of those things. So really we’re, I feel like when we show up our best, it’s when we’re listening really closely to what are the business’s objectives, what are the goals that they’re trying to achieve and then we need to take our expertise and also bring other people in. Listen, it’s like I look at cybersecurity as kind of like medicine. You have chiropractors, you have radiologists, right. There’s all these different practices within medicine. You’re not going to get a surgeon that’s going to be awesome at reading X-rays, right. So there’s areas where I feel very strong, but there’s areas where I don’t.
Aldo Pietropaolo [00:25:33]:
When I don’t, you bring people in that’s okay to provide that sort of curated service to those business stakeholders so that they have the confidence that when they go live with that new program or they iterate on this strategy or they continue to build features and capabilities into this platform that they’ve been investing a lot of time and energy into, they’re doing so in a way that they feel confident that they’re not going to run into any snags. They’re not going to be exposing the business to risk unnecessarily. So that’s something that the people building those solutions and operationalizing those solutions need to have a certain level of sensibility about. But it’s an addendum to the things above and beyond just getting something to function. I kind of look at operational capabilities as does the feature do the thing, does it meet the need? I come in and say how do we get it to meet the need? But also do so in a secure way. And that also includes things like data privacy, right? Like throughout the journey, like why do we need the entire Social Security number? Why do I want to store all this PII as part of our service? It doesn’t make any sense. There’s better places more appropriate to reference this information. I also look at too identity and access management.
Aldo Pietropaolo [00:26:41]:
I actually do my own self reviews. If I don’t need access to an application, I want to revoke that access.
Mark Callahan [00:26:47]:
Agree.
Aldo Pietropaolo [00:26:47]:
I want to as narrowly scope my access to things as much as possible. There’s plenty of systems out there that I have, you know, levels of access to that I voluntarily said, no, I don’t need that anymore. It’s not appropriate in my function. So I’m kind of rambling on the topic. But understanding situationally what it is that the business is trying to do is critically important because you can’t show up and add value if you’re not speaking their language and demonstrate to them, hey, I’m here to help you be successful. And these are the tools that I can bring to the table that will help you be successful.
Chris Rich [00:27:16]:
Chris, along those lines, do business stakeholders, do you find they are a little bit more cybersecurity savvy and come to you and explain the risk or need or concern or worry that they have? That’s the first question. Second question, if they do try to explain it, what are the top two kind of risks or worries that business leaders have, and how would you go about providing a solution to them? And how do you make the translation from technology to, I guess, a business explanation of what you’re consulting them on or advising them on?
Aldo Pietropaolo [00:27:55]:
I should say, to answer your first question, it spans the entire spectrum. I have stakeholders who are very concerned, who we can have really great conversations about the current future state of things. And then I have others where, for whatever reason, it’s not something that’s necessarily top of mind. And there’s a lot of reasons why that’s the case.
Mark Callahan [00:28:17]:
Well, I mean, you talked about the surgeon not needing to be a radiologist. There’s a team that works together and specializes in their respective areas.
Aldo Pietropaolo [00:28:23]:
Sure. And I don’t think it’s uncommon for, you know, in financial services. It’s been around for a really long time that’s undergone a tremendous amount of digital transformation. But there’s a lot of people still in that industry who were before all this digital transformation. And their sort of worldview is informed by maybe practices and behaviors and patterns that preceded and that are still very valid, but how they’re executed has changed a bit. Right. But in their minds, they may still think of, well, hey, this is a relationship. I’m building trust with this customer or building trust with this business partner.
Aldo Pietropaolo [00:28:57]:
That to them is on a priority scale. More important, when I’m showing up, I’m showing up. And to try and start to answer the second part of your question for those people, I’m saying, well, hey, how important is that transaction in terms of trust? How important is it to the person that you’re talking to that when they’re doing business with us, they’re doing business with a company that’s secure. They’re interacting with an application or a platform that you’ve built for them to give them the value thereafter. Right. How important is that to you? I want to try and just get to the part of the conversation where I can see what’s really important to them and then I can say, well, these things are really true, but have you also considered the fact that the registration process asked them to divulge all this information? How do you feel about that? What are some experiences you’ve been through that you thought were really great ones that you didn’t think were really great? Well, and then I try and pull the rope to, okay, well, this is something that if you were to address strategically, you might be able to improve that experience. Do you think that that would be of value to your customer base and to the people that you answer to? So that’s sort of like, well, I’m not really sure what things I need to worry about. Then there’s sort of the current state of the threat landscape.
Aldo Pietropaolo [00:30:06]:
Today we have, we see third party breaches being a really big problem. So we want to talk to them at length at times about, you know, some of the third parties that we’re doing business with. And, you know, hey, how often are you talking with them? When was the last time you saw a roadmap from this vendor, you know, that we spend, you know, good money with? Right. You almost to say, like, hey, your relationship is not just about, do they provide the service? It goes a little bit beyond that. Because at the end of the day, it’s still a trust thing. It’s our brand that they see. It’s not that third party. You can say, well, they weren’t able to say, patch this system in time.
Aldo Pietropaolo [00:30:40]:
And then there was an issue that’s not on them, that’s on us.
Mark Callahan [00:30:43]:
That’s mutual customer. Mark Callahan doesn’t know that. That doesn’t mean anything. It’s. It’s your problem.
Aldo Pietropaolo [00:30:47]:
So the more technologically inclined folks, our conversations come down to more of a. What are some strategies for us to get perspective on the landscape of things that we use to derive business value and to serve our customers? What are the things that we need to prioritize in terms of strategic value, not only now, but in the future? I ask stakeholders all the time, Listen, I can’t react all the time to issues when they come up because they inevitably do. I’d rather be involved in the strategic conversations of what the future is going to be, what you would want the future to be, because there is our opportunity to improve the overall posture of the thing that you’re trying to build that’s going to give customers value. So going back to formal education, I have my CISSP. I found that incredibly valuable as an identity practitioner for a long time. But I wanted to expose myself in a formal curriculum kind of arrangement on all these different areas that I either didn’t know anything about at all or knew a little bit about, maybe was a little dangerous. And one of the concepts that I had gathered from one of the instructors I had, which I found incredibly valuable, was, well, first, you don’t spend $2 million to solve a million dollar problem. Everything has a certain priority order to it.
Mark Callahan [00:32:00]:
Vendors take note. Yes, that’s.
Chris Rich [00:32:02]:
Yeah, that’s a big one.
Aldo Pietropaolo [00:32:04]:
Defense in depth is important. Third party suppliers managing those relationships. We see phishing attacks, we have conversations about how do you prioritize the issues that are coming in the wild and what are the ones we need to pay attention to, which are the ones that we don’t need to pay attention to or pay attention to less. No organization has the resources to fully fund every single program. So prioritization becomes actually a more important skill because you have a limited set of resources.
Mark Callahan [00:32:30]:
I love that one. And if I pull on that thread just a little bit more with you, Chris, is just that no organization has unlimited resources. And a lot of times teams are being challenged to do more with who they have or what they have already in the existing investments. Other places that you’re able to find efficiencies or just to really maximize the value of the team that you have right now that you could share?
Aldo Pietropaolo [00:32:53]:
So when you’re faced with the prospect of not having all the resources and funding that you need, prioritizing again, like where you’re spending your time and energy is really important. And being able to have metrics that help you manage where and when you need to adjust where you’re focusing your attention. I think again, as practitioners we can sometimes, you know, look at every gap and treat it as equal. And that’s. And that’s not really the case. You have to be able to prioritize because if you don’t, then you’re never going to see projects and programs to the level of maturity that’s appropriate given the set of situations and circumstances you find yourself in. And that’s constantly evolving. And that’s also really challenging too because the threat landscape continues to evolve.
Aldo Pietropaolo [00:33:34]:
It’s a challenge to over- or under-invest in certain initiatives and programs so that you’re not over-investing in something that maybe not doesn’t need it, or under-investing obviously in something that doesn’t.
Mark Callahan [00:33:45]:
I’m hearing a little bit of improv almost a little bit too on the theater side, where it’s just like being able to. You might have a plan at the start of the year and the budget was set out as X, but you’ve really got to pivot is and know when to pull back to refocus and prioritize. And although we talk about this all the time, just about that ruthless prioritization and how do you do it most effectively is really important, you know. So any tips that you might have, Chris, as you’re thinking about, like what helps keep things at the top of the big list and when you decide it’s time to move down, I think.
Aldo Pietropaolo [00:34:12]:
Again you go back to what is the business objectives. And if you have to make sure that there’s that alignment there and it is constantly in motion. That’s why building good relationships and being in constant communication with the people that you’re working with from a stakeholder perspective is really important. You have to show up in a way that they believe that you are there for their best interest, which is ultimately, at the end of the day, the strategic initiatives of the company. Which is why I’ve felt like cybersecurity needs to be. Can be a differentiator and is a differentiator for any brand because it’s a source of trust. But I do remember the thought I was trying to say earlier about security and why consulting with stakeholders strategically early on in the process is important. The instructor I had would say, and I don’t think this is anything necessarily new, I don’t think they originated this term.
Aldo Pietropaolo [00:34:57]:
But you need to think about security as not the icing on the cake, but the flour. Because the cost of bolting on security after the fact is a lot more expensive than just building it in at first. And I think that that’s when you know when you’re running a program. I don’t care what it is because I say this too. Like, cybersecurity skills have long been life skills. I think I kind of push back on the notion that like cybersecurity necessarily has to be this very nuanced thing. There’s certainly aspects of it that are. But it’s like your general health as a human being, right? Good diet, exercise, sleep, hydrate.
Aldo Pietropaolo [00:35:31]:
Right. You do those fundamental hygiene things. You’re already ahead of half the people out there. Right. It doesn’t have to be something like, oh, well, I have to go see. Everyone has to go see a nutritionist and everyone has to go see a personal trainer. Not necessarily the case. You, you can actually achieve a very high level of security.
Aldo Pietropaolo [00:35:47]:
Not a perfect because there’s no such thing, but a very high degree of confidence. This is when I’m going around and I’m talking to different stakeholders in the business at all different levels. I try and encourage them to internalize cybersecurity concepts and principles that they’re already very well aware of in their lives, but just don’t make the connection between what they’re doing with their nine to five. And in so doing, I’m trying to influence the culture overall so that I don’t have to show up to tell someone to do the right thing. I want them just to know it. I use this analogy. Does a stop sign make drivers more safe or pedestrians more safe? Now, the sign forces you to comply with the behavior that has been conditioned in you to stop and to look both ways before you proceed. Right.
Aldo Pietropaolo [00:36:32]:
So the sign by itself doesn’t make you safe. It’s your recognition and internalization of, oh, that means there’s a behavior that’s expected of me here. Cyber security needs to have the same thing. But you know, what does the industry do? It, I feel like at times it tells us. Well, no, well, you know, you have to put this stop sign up and then you have to also build. What do they call those things that come up out of the ground to stop them?
Mark Callahan [00:36:52]:
Pylons. Yeah, whatever they are.
Aldo Pietropaolo [00:36:54]:
Yes, the rampart. Whatever they are. Right. No, and then you have to have a chain, then you have to have lights, and then there needs to be cameras. And it’s like, well, this goes back to, don’t spend $2 million to solve a million dollar problem.
Mark Callahan [00:37:04]:
That’s it. You just over-index the wrong way.
Aldo Pietropaolo [00:37:06]:
If you’re in a community of bicycles, you don’t need all these compensating controls. So in a way, being a cybersecurity practitioner who has that sort of worldview and set of sensibilities, it can create for some interesting conversations with those who might just treat every situation as, oh, well, you have to apply all these different controls to it. And I say, well, that’s not sustainable.
Mark Callahan [00:37:26]:
Right, that’s it. I mean, and thinking about you as a working in the role that you have, especially with a financial institution, as a banking customer myself, I think about two things. Is my money safe, and are you easy to do business with? And that’s. Although you were able to open however many accounts and test this out with that. Those two things, though, on the flip side, that’s your daily activity for you, Chris, that’s that balance of safe. Are my funds secure, always protected? By the same token, are you super dead easy to work with? Because I want to make sure it’s just easy to access those funds. Well, that’s phenomenal. So if I may, just as we’re getting, I just want to keep an eye on the clock, thinking about future direction.
Mark Callahan [00:38:02]:
So I wanted to just end with a couple of questions for you. You know, as you’re looking forward, are there any topics right now that you’re personally reading up on or that you’re having your team lean into a little bit more? We don’t want to go too far into the future. Just as you said, your banking customers, it needs to work in their daily lives. But what’s on your bedside table, you know, for technical reading right now or professional reading?
Aldo Pietropaolo [00:38:22]:
Oh, wow. So for technical reading, I actually, I had long not invested time and energy reading up on various frameworks like NIST and CSF. There’s a lot of really good information to be had out there. When I think about educating myself as a practitioner, I like to first start off with like, hey, that interests me. I’m curious about that mostly because I feel like when I look at technology, I see where’s the opportunity there? What is the value that this could potentially bring? One of the great books I read a long time ago, which still inspires me to this day, is the Innovator’s Dilemma. Oh, yes, I wanted to say product manager’s dilemma, but no, Innovator’s Dilemma. Really interesting case on how a technology can be built to perform a certain function. But over time, there’s these very interesting and diverse uses, you know, for that same technology.
Aldo Pietropaolo [00:39:17]:
If it’s put in a different place under a different context, it solves a.
Mark Callahan [00:39:21]:
Different job to be done for a different audience.
Aldo Pietropaolo [00:39:23]:
That’s why I go back to, you know, I look at technology as a tool. It’s a hammer, it’s a screwdriver, it’s something intended to produce some kind of result. But what happens a lot of times we tend to get, you know, information overload about, you know, well, this is this innovation that. And it’s meant to solve this problem. Well, yes, that is partly true, which is why, like, when I seek out something, I want to know what am I interested in? What’s the value in that particular technology, if I apply it in maybe some different ways. I like looking at market research. Right. There’s a lot of think tanks out there that produce a lot of really great stuff, but that’s also just only one part of it.
Aldo Pietropaolo [00:39:57]:
And then there’s the practitioners that have their blogs and have their perspective on things. And then there’s the vendors always have a certain perspective. They spend a lot of time, energy, you know, digging into. So I try and get like a 360 degree sense of, you know, where is this going? The thing that I’m really interested in right now, like many others, is, well, what is AI really going to mean for us not only as a security practitioner, but what does it really mean as far as opportunities to the business? And I’m excited to see that explored. I think like many people are saying it’s a double edged sword. There’s some benefit, but there’s also some risk there too. It’s not unlike any other technological innovation. The automobile, no doubt, incredible innovation.
Aldo Pietropaolo [00:40:41]:
But what happened when we introduced the automobile? We had to build roads, those got expensive. What happened to all the people that maintained the horses that we used to use? Right. I was reading a book not too long ago that drew a correlation between the Great Depression and the introduction of the automobile. How the economic forces of those things ended up producing some desirable but yet also some really undesirable results. All technology has these effects of it. I think AI is the first thing in a number of years since, you know, maybe the cloud that forces us to really think long and hard about. I go back to, you know, the Jeff Goldblum quote in the original Jurassic Park, you know, when you were thinking.
Mark Callahan [00:41:18]:
About fly and I wasn’t sure where we were going, but okay, yes, Jurassic Park. Yeah.
Aldo Pietropaolo [00:41:22]:
While you’re thinking about could we do it, did you ask yourself, should we do it? Right. I think that’s the question a lot of people are involved in AI are right now. But when I’m consulting with business partners, they’re getting bombarded in our organization and so many others out there. Right. There’s vendors out there introducing AI capabilities. They’re amending their end user license agreement for those things. But you know, who reads those, right? They’re 80 pages long, written by attorneys and no one’s reading that stuff. Sorry, attorney.
Aldo Pietropaolo [00:41:45]:
So my attorney finds up, actually I saw a really interesting art exhibit that took the end user license agreements from like the top five technologies and it.
Mark Callahan [00:41:53]:
Looked like a CVS receipt or something.
Aldo Pietropaolo [00:41:55]:
And they were in different colors and they turned it into an art exhibit. I just thought a really interesting take on it. But there’s all these different use cases for some good, some bad. But I think too beyond like, what are the potential consequences? And when I’m advising people, I try and broaden the aperture a little bit more than just the information that they’re being fed all the time to say, hey, look, there are some other considerations maybe to be had here. It’s not very different than introducing cybersecurity concepts about a new platform. Let’s say that the business is very interested in adopting to get them these various benefits from a business perspective by kind of opening that aperture a little bit more to see what are some of the cybersecurity tie-ins to this and what are some of the things to keep in mind. That’s where I see a role of the modern cybersecurity practitioner. Not just the BISO, but anybody in that, in any type of cybersecurity role really has a great opportunity to educate, bring awareness, advocacy, evangelism, or whatever you want to call it, wherever you’re at.
Aldo Pietropaolo [00:42:51]:
Everybody can do it, Everybody can do it. It’s just a matter of just really understanding where you are in that moment and having the courage to have some foresight and to put some possibilities out there and then have a good engaged conversation about, okay, how do we partner to move forward together in a safe way.
Chris Rich [00:43:09]:
Sweet, Chris, it’s been awesome. I am watching the clock here, but I think when we get to the end, we like to ask a couple of questions. One is who in your identity career, cybersecurity career, has been your mentor? That’s number one. Then number two, what other hero should we interview in your mind? What other identity hero? Don’t say Mark.
Aldo Pietropaolo [00:43:31]:
There was one individual that I had come to meet over the past few so many years that every time I talk with them I was blown away. Like, you know, when you’re in like the presence of someone, you’re just like, they’re on another level, they’re on another, they’re on another planet. So the gentleman’s name who has sadly since passed, his name is Vittorio Bertocci. I believe he was at Microsoft for a while. He had established, I forget what standard, but his worldview about an optimism. He had this optimism that just radiated from him about how technology really could be used for good and could solve problems. And that just resonated with me just like to my core. Because again, I look at technology, it is a tool, full stop.
Aldo Pietropaolo [00:44:14]:
That’s all it is. It’s a tool. It’s to increase revenue, decrease cost, combination of the two. It’s for entertainment value. They’re all good reasons, but you got to know where you’re at. Are you building something for entertainment value or are you focused on the increase of revenue or decrease of cost? So he was incredibly inspiring to me. Just his entire just worldview and just his raw, unbridled optimism. He was incredibly inspiring. And as far as, like, you know who to interview next.
Aldo Pietropaolo [00:44:42]:
Gosh, that’s so hard to say, because I think I’m very active in the cybersecurity community. I am a huge advocate for get out of your four walls. Go engage with other people that are doing similar things to what you’re doing and really talk to them about what works and what doesn’t. Be vulnerable. Admit you don’t know everything because none of us do. It’s only through that, I think, you really expose yourself to opportunities to learn. And then I’m always on the lookout for people whose sensibilities are adjacent to mine. Similar to mine.
Aldo Pietropaolo [00:45:17]:
Same as mine is nice, because then, you know, that’s usually a very pleasant conversation. Right. We get to kind of rant about this, that, and the other thing. But I actually do appreciate you have to challenge yourself from different viewpoints, even the most uncomfortable ones, because even in the most uncomfortable juxtaposition of conversation, there’s always opportunities to learn. And it also is an opportunity for you to test and weigh and measure your own sensibilities, which have been developed over a lifetime of personal and professional experiences, good, bad, and otherwise. I think that’s just really important to grow.
Mark Callahan [00:45:51]:
That’s great. Well, I have a hunch that our audience is going to watch this, Chris, and I think you’ve probably shared quite a bit that people are going to learn from themselves. So thank you so much for joining Aldo and I today. This was an absolute pleasure having you here.
Aldo Pietropaolo [00:46:03]:
Thank you. I was happy to be here. Thank you.
Chris Rich [00:46:05]:
Thank you, Chris.
Mark Callahan [00:46:06]:
Aldo, as always, thank you for joining us as well, and to our audience. We look forward to having you on our next episode. All right, well, with that, we’ll bring this episode to a close. Chris. Thanks again, Aldo, as always, and to our audience. We’ll see you next time. Thank you.
Aldo Pietropaolo [00:46:37]:
Sam.