Q&A: SailPoint CEO Mark McClain Discusses Enterprise Identity

During last week’s SailPoint Navigate conference I had a chance to sit down with SailPoint CEO and founder Mark McClain. In our conversation, we spoke about the evolution of identity management, its role in enterprise digital transformation and the expanding definition of enterprise identity.

McClain has 20 years of experience developing and leading technology companies, including Waveset Technologies, an identity management company founded in 2000 and sold to Sun Microsystems.

Below is a lightly edited version of our conversation.

Security Boulevard: What do you see as the role of identity management in digital transformation efforts?

McClain: I think at the end of the day, no matter what kind of industry you’re in, you’re in some state of digital transformation. It’s either to try to gain competitive advantage or to try to keep from getting disintermediated. It’s a time of rapid change, for a lot of organizations. I don’t know if you saw it, George, there was a survey, not that far back and they surveyed a bunch of Fortune 500 CEOs about what are they worried about. There was Trump and South Korea as concerns, there was the economy, but the No. 1 for most of them was Amazon. They are worried about market disintermediation.

I think that every organization is dealing with transformation at some level. A lot of it involves shifting technology into more nimble and agile modes. This often means cloud and mobile. It says you’re getting things away from more static, more stable, traditional ways of doing things and becoming very agile and nimble as part of the transformation.

The idea is to get people to do whatever they want to do, quickly, efficiently, from anywhere, and provide the ability to adapt to change rapidly. But this is especially challenging for larger organizations because they still have to protect their existing franchise of technology and all that it does to run their business while simultaneously adapting to a bunch of new technologies. This creates a very complicated world for the management of identity. It makes it much more challenging to answer three fundamental questions: Who has access to what? Who should have access to what? And are they doing the right things with it?

Getting this right is helping to manage enterprise risk, but it’s also about efficiency. In this speed of light world we’re living in, the longer it takes to get people access to what they need to do their job the worse off that company is. If people spend weeks or months waiting to gain access to something new, that’s a serious issue, and a competitive disadvantage to the organization that can get new technology out and delivered and enabled quickly.

Security Boulevard: Many of these challenges seem similar to those of years ago when corporate networks were opening up to the web and applications were being made available more broadly online. What’s different today from then when it comes to identity management?

McClain: Speed, scale and complexity would be the three, I think. In other words, the speed of businesses, we all get that, everybody feels that all the time. That’s just how fast products get introduced and obsoleted, and how everything is just moving at high speed almost all the time. Then there’s scale. I think some of that is related to complexity and what I mean by that is that there was a time 15 or 20 years ago when people in our industry talked about identities, and they meant employees essentially. Those were the people that had access to your systems. That started to shift to certainly include contractors as a whole lot of outsourcing and out-tasking. The challenge with this scale of identities is how one manages all of those interconnected value chains where business partners, both your distribution and your supply chain partners, may be tied entirely to your systems.

Another emerging trend is not just about humans anymore. The identity used to equate to a person. Now we have robotic processes and some forms of IoT. Not every IoT device will be an identity or be managed as an enterprise identity. But many will. A process controller in a factory that’s kind of making the same type of decisions that a human might have made in the past probably behaves like an identity: it accesses systems, it gets data, and it acts on that data. Certainly, these robotic processes will need to be managed as an identity.

Security Boulevard: Considering all of this change, how should enterprises consider managing their identities so that they are successful in these efforts?

McClain: Things have certainly changed. A couple of decades ago this industry used to be a back-office IT function. It was about automating away some of the identity work. All companies had to do this work, and at the time it was mostly called provisioning. Some of it was repeatable and automatable, and that was important. The aspect of how provisioning could reduce risk was not yet part of the conversation.

Most people assumed it was an operational function and we were looking for operational efficiency. Now there’s a security implication and increasingly, again, there are empowerment and enablement implications. If a company can do this fast and well and keep it accurate, that’s a competitive advantage. But that’s not the only thing. Enterprises still have to build great business applications and make smart business moves.

I think it’s those areas where people see the multifaceted benefits of identity. It helps them be more efficient, reduce risk, help to keep the regulators off their back and become better at adapting to change, which is a massive competitive weapon these days.

George V. Hulme