How do you overcome the inherent challenges of deploying digital ID technologies?
Cameron D’Ambrosi, Managing Director at Liminal, explains why having a robust digital identity framework can help you implement the right solutions while protecting against cybersecurity breaches.
What are some of the biggest challenges around digital identity that you deal with day-to-day?
Let’s pull it back to thinking about the customer journey. When a company is looking to establish a relationship with potential customers, that usually starts with, “How do I market to X?” For example, they might want to reach CEOs or senior executives under the age of 40 in Sydney with an income of X and interests in Y. Let’s say the company wants to reach you via an ad on your Instagram feed. Once it gets in front of you and you click on it, what information do they need when you sign up for your account? How is that data parsed? How do they make sure you’re really the person you are claiming to be, and not some hacker or scammer or disgruntled ex-friend who’s stolen your identity. And then once the company has made those determinations and onboarded you, how do they handle your login to the platform on an ongoing basis? It could be through a username and password, or biometrics, or other multi-factor authentication mechanisms.
As a company, they have to handle a range of identity and access management challenges across the platform. So being able to create a holistic sense of identity across all of the critical units can unlock tremendous value in terms of enabling and enhancing the customer experience, as well as helping you reduce risk – because your ability to identify and root out bad actors will be multiplied many times.
You’ll also hopefully save a ton of money because oftentimes you’re duplicating efforts – you’re asking people to provide data that you already have. That means you’re spending money to buy data you already possess, and you’re creating a tremendous amount of risk with these internal data lakes that were once were so in vogue and have now fallen out of vogue because of data privacy regulations. Understanding what data you have, where it came from, and who consented to share it with you is fundamentally critical to meeting this next generation of regulatory constraints around data privacy.
Where are we are in terms of the adoption you’ve just outlined?
I think we remain in the very early days. It’s pretty rare for companies to have to have someone whose main domain is identity. But I think it’s something we’re going to see in the future – the creation of the Chief Identity Officer as the new addition to the C-suite. Leading organisations are already starting to think about who within their organisation is going to take that mantle of collaboration, of interoperability across their systems.
As we begin to see greater and greater penetration of next-generation customer identity and access management platforms into businesses, this is going to become easier. Why? Because there can be an overarching framework that allows us to slot in some of these point solutions. But it really is still early days. In my conversations with executives who are trying to sell products that don’t necessarily fit into a neat point-solution bucket, one of the main headwinds they are facing is that their budget must come from two, three or four buckets internally. It’s a struggle to get that alignment so they can speak to a single decision-maker who is able to make the decisions – this remains a really fundamental challenge.
We are seeing the evolution happen before our eyes, but it’s slow going. Businesses, especially large global enterprises, are to some degree set in their ways. This transformation and this new way of thinking that’s centred around identity is going to take time to permeate.
In the context of remote work being more commonplace after COVID, what are the risks around workforce identity and security – particularly those who may be hired for a role and then get someone else to fulfil their work duties rather than actually performing the job themselves?
I’ve seen a handful of anecdotal reports about people who effectively outsourced their own jobs once they shifted to remote work. But more broadly, forward-looking organisations that want to hire in a purely remote fashion should – and I believe must – be thinking about these types of challenges for numerous reasons. Not just by virtue of the fact that someone could be outsourcing their own job, but purely from a regulatory-risk perspective. Is this a sanctioned individual? Is this someone who has the right to work in the country I’m hiring them in? Do they have the requisite skills and/or licences they claim to have? Did they really go to university all the way through to graduation, as they claim? Are they really a qualified doctor looking to practise telemedicine?
Remote work is rapidly expanding from something that was once a bastion of a few select industries. It now includes telehealth and other high-risk applications, so getting a really good handle on the true identity of your applicants is going to be so critical. Three years ago, if you told someone in the C-suite that they would need to hire 30% of their workforce completely remotely – and that they would never meet them in person before onboarding – they would have called you crazy. A global pandemic has a way of changing things pretty rapidly and in pretty fundamental ways.
Remote work is here to stay, and a lot of businesses are hiring workers in remote ways. If those methods aren’t being exploited right now, the fraudsters will soon catch up. If there’s one thing we know about fraudsters, it’s that they can – and will – sniff out vulnerabilities and weakness, and then exploit them ruthlessly until they become economically inefficient to do so.
If businesses don’t position themselves defensively to protect against these types of fraud, it’s a vector that will be ripe for exploitation. And we’ll continue to see these scams emerging in the near future.
Where do we go from here? What’s the endgame, in your opinion?
I fundamentally believe there is an opportunity for something we refer to as ‘personal identity ecosystems’, which are defined as user-centric networks that connect multisided platforms. They are designed to provide users with control over their digital identities and enable privacy, reputation management, as well as the resulting commercial transactions and data-protection functionalities that both consumers and enterprises need.
We’re very bullish about the market opportunity in bringing these personal-identity ecosystems to fruition. Exactly what shape they’re going to take, that remains to be seen. If I have an overarching prediction, it all anchors back to the cliche of: digital identity is not a what, but a how.
Where we have seen platforms fail is in attempting to be a solution with a value proposition of digital identity. Consumers don’t want a digital identity wallet. They don’t want an application that just does digital identity. They want to do things. They want to send money to their friends, message with their friends, apply for jobs, log into their bank account, borrow money, buy cryptocurrency.
The platforms that will succeed are those that are able to establish consumer relationships and build out a meaningful user base of trusted digital identities. Start with a use case and work backwards from there. The best platforms don’t say, “Hey, we’re going to give consumers a digital identity. We’ll get a bunch of consumers, and then we’ll give them something to do with those identities.” That’s putting the cart before the horse.
Put the user first. Think about what value you are adding to the user’s life and let the rest flow from there.
Want more insight into the world of cybersecurity, digital identity, biometrics and more? Get your fix with the IDentity Today podcast, hosted by Daltrey CEO Blair Crawford. Listen via Apple Podcasts, Spotify or your favourite podcast app.