In this episode of Radio Logic, host Anders Askasen interviews CyberIAM CEO Michael Ribaudo about how security and risk leaders can execute identity projects successfully. The two discuss what factors cause so many identity projects to fail, such as miscommunication between parties and a lack of proactivity. Ribaudo then lays out the best-case scenario for successfully implementing a needed identity project, which includes focusing on the intended outcome of the effort.
Anders Askasen
This is Radio Logic, the show about digital identities — the people behind it, the tech behind it. In each episode we’ll cover what works, what doesn’t, and what’s next. Let’s dig into it.
Anders Askasen
Welcome to Radio Logic, the monthly podcast. Today I’m joined by Michael from CyberIAM. Welcome, Michael.
Michael Ribaudo
Thanks for having me.
Anders Askasen
You’re quite a name in the services industry when it comes to deploying identity solutions for customers.
Michael Ribaudo
That is our specialty. CyberIAM started about nine and a half years ago. We identified a gap in the market after a few acquisitions and started the business. We’ve been growing year on year, specializing in the identity space, focused in the UK and parts of EMEA. It’s a niche for us and it’s what we do best.
Anders Askasen
And judging from your accent, I can tell that part of EMEA is more the southern part, isn’t it?
Michael Ribaudo
Yeah. We do have a team in South Africa — our nearshore team. It’s been a really good balance between the European consultants and the South African team.
Anders Askasen
That’s a pretty interesting mix. In my past I’ve operated across the globe, including projects in Africa, and there’s a notable difference in both culture and how you get things done. If you were to highlight the differences, what would you say distinguishes a bank in London from a bank in South Africa?
Michael Ribaudo
From a requirements perspective, there’s no difference. We’ve worked with large banks in South Africa and large banks in the UK — they all need to get to the same place. Doing business in Africa compared to Europe is a little more challenging in that you have to navigate certain legislation and politics on the African side, while the European side is more heavily regulated, so you’re dealing with stricter rules and compliance requirements.
Anders Askasen
But essentially they comply with the same type of framework — the same requirements, as you say.
Michael Ribaudo
Identity, yes.
Anders Askasen
Identity — that’s true. You’re specialized across a whole range of identity disciplines, aren’t you? You do both IGA and PAM. What else?
Michael Ribaudo
Everything, really. We started with IGA, then moved into PAM and then broader IAM. The identity lifecycle has expanded significantly over the last few years — we now cover EPM, entitlements management, and secrets management. So we cover the full spectrum of everything that touches identity, which is now extending into machine identity and agentic AI.
Anders Askasen
That’s something we look at on a daily basis — what we call the three identity problem: human identity, non-human identity, and agentic AI identities. They are all identities, but they’re governed differently and have different specs. We’ll dig into AI more in a future episode. But the ephemeral nature of agentic AI is genuinely challenging. Have we even solved human identity yet? It’s matured, but have we solved it?
Michael Ribaudo
The biggest running joke in the identity space is when a customer tells you the end date of the identity project — there never is one. It never stops. Applications keep coming. Even if you’ve got all your controls and processes in place — your JML, access certifications, access requests, segregation of duties — another 5,000 applications will come into the business over the next three years. It never ends.
Anders Askasen
That must be difficult for customers when they’re procuring this type of project. Let’s say you’re migrating away from legacy technology and want to modernize — how do you even scope that out? What expectations do you set and how do you approach someone like CyberIAM to define it?
Michael Ribaudo
Because identity is so broad and getting your arms around all of it is such a challenge — a never-ending struggle — I think you need to look at regulations, the benefits to the business, and the desired outcomes. We’ve spent too long in the past asking ‘what do you want to do?’ rather than ‘what do you want to achieve?’ An outcome-based approach is the best way to tackle an identity project, and it needs to be grounded in the bigger picture of the business requirements you’re trying to resolve. It could be an audit finding or an ROI case for a major application — you need to start with the outcome.
Anders Askasen
Is that what normally sparks a new identity project — an audit finding?
Michael Ribaudo
Yes, or a change in regulation. In certain industries — take the TSA directive in telecoms — that sparked a whole wave of change. Or it’s a batch of audit findings from external auditors that need to be addressed.
Anders Askasen
And that’s normally the CISO freaking out and saying we need to do something. Who are the typical stakeholders within customer organisations that surface this?
Michael Ribaudo
That’s a loaded question. Ideally, we want the CISO to be the champion and the CEO to be the sponsor. I once worked with a bank where the CEO was the sponsor of the identity project — things got done, because no one could say no without it going back to the CEO. But yes, you want your CISO as the sponsor. You don’t want it sitting purely in IT, because this isn’t a technology problem — it’s a people problem and a risk problem that you use technology to help you solve.
Anders Askasen
I follow the EU regulations closely — NIS2 and DORA. NIS2 has recently been transposed in most European countries, and the UK, though no longer part of the EU, still delivers services to European organisations so they’re very much part of that problem domain. One positive development is that these regulations raise the bar on responsibility — they put accountability squarely on senior executives and board members. That must make it easier to secure funding and attention, doesn’t it?
Michael Ribaudo
The easiest way to get funding is when an audit finding lands on the board’s table and the board takes action. It’s a shame, really, because the best projects we run are the ones where the organisation has been proactive — not waiting for an audit finding. When you have a finding, you have a deadline, you have panic, and you end up rushing parts of the delivery rather than taking the time to do it properly. The best approach is to be proactive. NIST is there for everyone to read — you can see what’s coming down the pipeline. Starting proactively is better than waiting for the order to come in, but that’s easier said than done when it comes to securing budget.
Anders Askasen
I was going to say — is that really how most customers approach this? Is it mostly panic and ‘we need to resolve this ASAP’?
Michael Ribaudo
Yes. Unfortunately it’s not usually proactive — most customers react to an industry change or a finding.
Anders Askasen
You’ve been in this space as long as I have, and we’ve gone from one type of project to the next while essentially solving the same problem. Is there a significant difference between the challenges we’re dealing with today versus when it all started — back when it was an infrastructure problem, with directories that needed to be synchronized — versus now, where it’s more about reducing the risk surface?
Michael Ribaudo
Back when it was called identity management, it was pretty much just provisioning and automation. Then IGA came along, which brought governance — the need to take all that access data and certify and govern it. But since IGA started, the underlying problem hasn’t changed: people need access to the right things at the right time. That reduced-risk objective is still there. What’s changed is how you get access and what you’re getting access to.
Anders Askasen
When your consultants come in, are they focused on risk reduction, or more on resolving specific control failures identified by an audit? How are the projects structured?
Michael Ribaudo
It’s a mix. There are audit findings to address — the first phases are typically about resolving those and satisfying the auditors. But then the next phase often involves assessments to identify how we can further reduce risk across the identity landscape. If the CISO is on a risk reduction programme, we might start with risk — which is what we prefer, since that’s what the industry is really there for.
Anders Askasen
I’ll push you on this a little. The fact that you’re often a returning presence at the same customers — is that because projects drag on, or because the landscape changes, or because projects actually fail at some point? And I’m not singling out CyberIAM here — I mean the wider community putting these solutions in place. Do projects fail?
Michael Ribaudo
Yes. Projects fail because there isn’t honesty and clarity between the delivery partner and the customer — no shared understanding of what they’re trying to achieve versus what’s actually been scoped. We discussed before the podcast a situation where we went into an RFP against another delivery partner. We quoted a certain price; they quoted double. But from day one with that other partner, change orders started coming in and the customer ended up paying double what we had quoted. We pride ourselves on honesty and delivery — not burying assumptions and exceptions in the small print to obscure the true cost. In a small industry where everyone knows each other, integrity is how you survive.
Anders Askasen
That’s exactly why we partner with you — because of that track record and that ethos. But it isn’t universal. I’ve seen so many failed projects. Take role-based access control, for example. The model emerged around 1992, every vendor tried to fit it into their products, and then identity management came along and we used roles to encapsulate entitlements. It’s a great model because it provides abstraction. But does it really work?
Michael Ribaudo
It works when it’s done right.
Anders Askasen
In moderation.
Michael Ribaudo
In a measured way, for the right reasons. I’ve seen a bank with 60,000 employees and 350,000 roles. That doesn’t make sense.
Anders Askasen
How do you even manage that?
Michael Ribaudo
You don’t. Roles work best when you use them to handle the large, well-understood chunks of access. Where projects go wrong is when you try to ensure every single entitlement is part of a role and no individual entitlements can be requested — if you take that approach, you will never finish the project.
Anders Askasen
So what’s the alternative? I know roles will always have a place — they simplify access reviews, streamline provisioning, provide encapsulation. But is that model fit for purpose when dealing with the ephemeral nature of agentic AI, for example?
Michael Ribaudo
I don’t think so — unless AI solves the role problem, which is the other way to look at it. Role mining is essentially about intelligently joining up data, which is something AI is very good at. As the technology for AI-driven role mining improves, and as auditors get more comfortable with AI making those decisions, I think we’ll start to see roles deployed in a much faster and more effective way.
Anders Askasen
This brings me to the topic of authorisation. I’ve seen a growing number of customers looking at decoupling authorisation from the traditional approach — externalising it, moving towards fine-grained authorisation. We both know, having been in the industry a long time, that various vendors and initiatives have attempted this before and they tend to fall short. It doesn’t scale well. Do you think we’re finally going to see something that works?
Michael Ribaudo
That’s one of my bugbears. When cloud came along, I watched organisations that had robust controls and processes for on-premises applications simply not apply any of that to the cloud — because it was too hard. So now we have vast cloud estates with joiners and leavers processes but no proper fine-grained entitlement management. I think the future has to be policy-based access — either at runtime or just-in-time — built on zero-trust principles. Zero standing access. When you go into an application, you pass through a policy engine that defines what you can and can’t do and grants access for that session.
Anders Askasen
At some point you still have to manage those policies, right? Don’t you end up with the same kind of proliferation you get with roles?
Michael Ribaudo
You do, but we’re talking about a much smaller set of objects than individual entitlements and rules. Policy management is defined around a framework of what you want to achieve — it’s ‘your function can do X’, not ‘this one fine-grained entitlement can do X’. And with AI being incorporated into these technologies, the ability to define and interpret policies is going to become significantly more capable.
Anders Askasen
You represent the system integrator — the people who actually put this stuff into motion — and I represent the vendors building the products you use to solve customer problems. What message would you give me, as a vendor? Not just Radiant Logic specifically, but vendors broadly, since we’re all trying to solve the same problem.
Michael Ribaudo
I think vendors need to look at fixing the processes — take certifications as an example. We’ve been running access reviews for years and the business hates them — absolutely hates them. Microsoft, with their B2B technology, came up with a genuinely smart idea: instead of running a certification campaign, they expire access automatically. If you want to keep it, you simply request to keep it, and it goes to your manager for approval. For some reason, that mental shift makes a difference. Doing an access approval, the business doesn’t mind. But when you run an access certification campaign, they hate it — even though it’s functionally the same thing.
Anders Askasen
I suppose that also aligns better with least-privilege and zero-trust principles — so it’s a healthy shift in mindset.
Michael Ribaudo
Exactly — and it’s continuous certification, which the industry has been talking about since I can remember, yet rarely deployed properly. Rather than one big quarterly or annual campaign, you’re continuously ensuring your team has the right access. When access is about to expire, the employee is asked: do you want to keep it? They say yes. It goes to the manager: this employee has had this access for a year and wants to keep it — is that OK? And it all happens automatically, with full reporting and audit trails, without the IT and security teams needing to be involved at every step.
Anders Askasen
Do you think AI will eventually render certifications like this obsolete?
Michael Ribaudo
I think the challenge is the auditors, not the technology or the businesses. Auditors need to get comfortable accepting that AI has made the decision on behalf of the manager. Once they can accept that the technology is performing the function they would hold the manager accountable for — and sign off on that — then I think we’ll see AI taking on a lot more of these decisions.
Anders Askasen
Michael, it’s been a pleasure having you on the podcast. I’ll wrap up by asking: if you were to address all your customers and prospects who are trying to define what they need to do, who have struggled with these projects in the past, and who are facing a new identity challenge — what’s your key recommendation?
Michael Ribaudo
Most of the projects I’ve seen fail are the ones where customers have tried to do it themselves or brought in individual contractors. Whether it’s CyberIAM or another supplier, when you hire a contractor for a piece of work, that person has a limited amount of knowledge. When you hire a company like CyberIAM, you have 90 consultants behind you — your consultant can ask colleagues, tap into our knowledge base and IP. Having that collective expertise and tried-and-tested processes behind you is critical. And the second point: when you put your statement of work and programme together, make sure there is absolute clarity on what you want and what you’re going to get. That way, when it’s delivered, what you asked for is actually what you receive.
Anders Askasen
Michael, that’s very sound advice. For everyone listening: I think we’ve managed to identify why these projects fail, and it comes down to having a repeatable pattern, the knowledge, and the IP to replicate what works. Michael, thank you so much for joining us.
Michael Ribaudo
Pleasure.
Anders Askasen
Thanks for listening to Radio Logic. Subscribe now wherever you get your podcasts.