If something can’t go on forever, it won’t.
I’m an optimist, some might even say a Pollyanna. There’s nothing like contributing to novel Internet standards efforts to demonstrate one’s belief in hope over experience! But after 25+ years in the trenches of digital identity, this maxim of economics is starting to hit close to home.
So many of our current identity paths are unsustainable. Security is still eroding. Privacy is still evaporating. Trust is threadbare at best.
I’m not a fan of the phrase “identity is broken” — but the way we do IAM often leads to a death spiral of negative consequences for experience, user control, security, and even basic online safety. The Internet commentator I think of as the “login rant lady” said:
…and she’s not wrong.
Part of the downward spiral is psychological.
I’m working on a new project¹, for which I’ve identified three fatal delusions that leaders often cling to in order to feel safe.
The first delusion can be stated as:
🚫 More identity = more security
Our identity solutions, automations, checklists — and standards, an ever-growing pile of them — can feel proactive and productive, but none of it is a guarantee of a particular outcome, even if implemented and rolled out.
And the costs for getting things wrong are higher than ever. Have you been following the trend towards personal executive liability for cybersecurity failures? A great new organization called the Professional Association of CISOs (PAC) has launched, thanks to my talented friends Val Mukherjee and Heather Hinton, under the Cyber Future Foundation umbrella. It prepares CISOs for the increasing level of accountability they face in the modern world, including providing CISO-specific professional liability insurance.
But it’s not just CISOs. CEOs are taking direct fire as well, as in the infamous Drizly case:
According to the FTC, Drizly and [its CEO] Rellas failed to implement basic security protections for the collected data, did not use multi-factor authentication, did not limit employee access to personal data, and did not develop adequate security policies. — Security Week, 25 Oct 2022
The Internet, as has famously been observed, was built without an identity layer. All of the layers we’ve been adding on top have gotten more sophisticated over time, exemplified by the recent publication of revision 4 of NIST Special Publication 800-63, the Digital Identity Guidelines.
Do we need brand-new infrastructure to replace the old?
For years, I’ve helped define standards and technologies meant to patch this gap. More recently, I’ve been working with organizations of all sizes, translating identity complexity into language that decision-makers can act on.
What I’ve learned is that today’s identity foundations and innovations can serve as the healthy cardiovascular system of the connected world. They can protect us from exploits and fraud, support our financial transactions, give people choice and control, and even foster healthy digital relationships with businesses.
But only if organizations and their leadership understand their power, value, and full impact. Technical expertise, and a mindset focused exclusively on security, are proving inadequate to the moment.
As the number of executive stakeholders with their fingers in the IAM pie becomes overwhelming, and as detractors proliferate, I believe we need to master identity’s higher purpose so we can make common cause and achieve what we know is possible.
The identity crisis is here. The spiral is accelerating. But crises have a way of forcing evolution.
My question for you is whether it’s possible to help identity fully contribute to a healthy connected world.
Do you see identity circling the drain, or do you believe it can reach an inflection point?
I’m working on a new book! If you take a moment to subscribe, I’ll share more here real soon.