E295 - Marcus Wells, vCISO, WellSecured IT (Identity Security)
[00:00] Debbie Reynolds: The personal views expressed by our podcast guests are their own and are not legal advice or official statements by their organizations.
[00:11] Hello, my name is Debbie Reynolds. They call me the Data Diva. This is the Data Diva Talks privacy podcast, where we discuss data privacy issues with industry leaders around the world with information that businesses need to know.
[00:24] Now, I have a very special guest on the show,
[00:27] Marcus Wells. Here he is, the vCISO at WellSecured IT.
[00:33] Marcus Wells: Thanks for having me.
[00:36] Absolutely. Thanks for. I appreciate being here.
[00:39] I'm flustered if you can't tell. Like, I'm just so filled to the brim with excitement to just be here talking to you right now, so.
[00:44] Debbie Reynolds: Oh, my gosh.
[00:48] Debbie Reynolds: Well, I'm excited to have you here. You call me up.
[00:51] We have a friend in common, my friend, Gina King. She's like a force of nature.
[00:56] And so you called me up and we talked. We had a great conversation. And so,
[01:02] first of all, you're such a brilliant person,
[01:05] and we just hit it off so well. And the thing that I love about you is that you intersect at security and identity.
[01:14] So identity is like a huge thing,
[01:17] and I feel like people don't pay as much attention to it as they should.
[01:22] And I think, especially as we're moving,
[01:25] companies are going in breakneck speed towards digital transformation. They're trying to buy all these AI tools and do different things. And I feel like identity,
[01:35] and I've always said this, like, I spoke at a identity conference in Amsterdam, like, almost 10 years ago, and I was like, this is like, the sick. Identity is going to be the center of everything that we're going to end up doing,
[01:50] like, on the Internet. And I think that's where we're going. But tell me your background, your interest, and this fascinates me, by the way.
[01:59] Marcus Wells: Yeah, yeah. So, I mean, from. From a professional perspective, you know, have a. Have a long history working in tech, working in cybersecurity.
[02:07] And I. I always describe it as this. I say I've always worked in identity security. I just didn't always know I was working in identity security.
[02:17] And the moment that. Well, at least for me, that I realized that it was such a fundamental and foundational part of everything I'd ever done,
[02:25] both in and outside of tech,
[02:28] is the moment it completely changed everything I thought I understood about the world around me. I mean,
[02:34] I found myself literally going back and running the tapes on my mind and just recontextualizing every experience I've ever had. So even now,
[02:42] I run a couple different cohorts or Groups that I'm part of that, you know, I'm training the, the next generation of cybersecurity professionals who want to focus on identity as well.
[02:52] And a lot of the ways that I'm able to talk about identity and even speaking to the business, right, the way I'm able to describe things and break things down, it's.
[03:01] I'm able to do it in such a neutral way that any and almost anyone can understand it. Right? If you want to understand it talking to me, you'll understand it.
[03:10] Like I'm not gonna make it complicated. And a lot of that really comes from something that you mentioned. You know,
[03:15] it's, it's everywhere, right? It's ubiquitous. And I think that is the reason why it can kind of be ignored so often. It is everywhere. And so you kind of take advantage of the fact that it is everywhere all the time.
[03:26] And it's very easy to just not see a lot of times. But I'm getting a little off track, so I'll kind of reel it back in a little bit. That was primarily how I got into it, was that from my perspective, I was always into it.
[03:37] So as I was learning new things, as I was like kind of coming across new information,
[03:41] like at a, at a point in my career, I worked as a mobile device management professional. So like managing mobile devices for like for instance, the Federal Reserve bank system,
[03:50] right. Specifically their office in Richmond. You know, at the, in the moment I was doing it, I didn't realize the implication of what I was doing relative to the greater scope of identity security.
[04:01] But shortly thereafter, leaving is when I started to put those pieces together. Like, hey, these are non human identities, right?
[04:09] These identities have to be managed and to kind of cross over into your lane.
[04:14] One of the key important factors of specifically a non human identity is the data that it has access to and that it carries,
[04:21] right? So with a physical non human identity in particular, which I know is like a new subcategory that I personally haven't heard talked about,
[04:29] there is a very unique difference within that type of non human identity versus a standard digital non human identity. And I know it's gonna get really complex. I'm trying to keep it simple here.
[04:40] But with a physical non human identity, it not only can access data,
[04:44] it is the platform which stores the data into itself,
[04:48] right? So if I have like a laptop or if I have mobile device, if I have tablet, if I have like any kind of Internet connected device that can store data,
[04:58] right?
[04:59] Debbie Reynolds: Yeah.
[04:59] Marcus Wells: The data may be accessed in the cloud, but there at some point is going to be some cached data that's saved to the local device therein, which creates a risk of that data being exposed to parties that may or may not should have access to it.
[05:12] Right.
[05:13] So there's a lot of complexity that I'd kind of learned retroactively from being in some of the environments I'd been in.
[05:20] Debbie Reynolds: Very cool. I just want to explain identity in general.
[05:26] So I think people who don't understand this area think it's. Oh, it's access control.
[05:31] So someone. Marcus gets hired and someone puts his name in the database, and he gets access to email and all this sort of type of stuff.
[05:39] Identity is, like, way broader and much bigger than that. And some of the parallels I see in identity and privacy, to me, is about.
[05:52] I feel like both of these areas,
[05:55] more so than ever now, require a lot more context.
[05:59] So if you're just putting someone's name in access control list, you don't have any context, really.
[06:05] We thought back in the olden days, that was the context. Like, I put, okay, you're in accounting, you have access to accounting software, but we have people accessing all these crazy data,
[06:18] they. Data types and systems and taking actions that they were never doing before.
[06:24] So that context is really important in terms of understanding identity, especially now that we're getting to a situation where we're giving AI identities to do stuff like. So these are not even humans.
[06:41] Right. So. Right.
[06:42] Give me just an idea just for the audience so they understand.
[06:46] Marcus Wells: Yeah. I'm gonna describe it in two different contextual ways to your point.
[06:51] Debbie Reynolds: Right.
[06:51] Marcus Wells: Because context is everything.
[06:53] So the first way I describe it is really, I kind of separated it into three markers that you can identify to know if something is or has an identity. Right.
[07:06] Cause there's a difference.
[07:07] Something can have an identity. Right. And something can be an identity.
[07:12] So in the spectrum we're talking about in the business and tech,
[07:16] and even in the business, it kind of goes beyond tech, but just to keep it simple, can it access data,
[07:22] can it store data,
[07:24] and can it connect to a network?
[07:26] Right. Those are the three markers that I'm looking for when I'm looking to identify something that is or has an identity.
[07:37] It's a really simple way, like a really simple mental model that one can use to determine, okay, is this an identity? So, like, of course, laptops, they store data, or they can store data, they can access data, if nothing else.
[07:50] Right. And they can absolutely connect to a network. Humans are a prime example of that. Right. Even if we're not talking about a digital network. We still have networks that we are connected into.
[08:00] We have social networks, like actual social networks, not like your LinkedIns or your Facebooks or what have you. I mean, like, we have connections of people that we communicate with even outside of the bounds of technology.
[08:12] We also can access information that is data.
[08:16] We also can store information that is data. Right.
[08:20] And so in many ways, that's just a universal model that we can use to say, okay, here's something that can be included in that parameter of what an identity is.
[08:32] The other way I like to look at it as the second kind of mental model is using the old practices from my social studies classes in seventh grade.
[08:41] Who, what, when, where, and why.
[08:44] Right.
[08:45] Those five questions can oftentimes help to determine where you may have an identity.
[08:51] So going a little bit further than just, you know, can it store data, can it access data, you know, can it connect to the Internet? Then that helps to define the context, those five questions, because then you have to define who the identity is or what the identity is.
[09:04] Debbie Reynolds: Right?
[09:05] Marcus Wells: When did it exist or when was it created? When was the inception point, you know, or in the opposite direction, when was it removed or deleted? And so those are some of the things that I just use as like a baseline mental model.
[09:17] These are not even things I consciously think about anymore, but they influence the very nature of what I'm doing.
[09:25] Debbie Reynolds: Yeah. Oh my God, that's so cool.
[09:27] As you were talking,
[09:29] I started thinking about the crazy stuff that people are doing with AI agents.
[09:34] And two things came up, and I want your thoughts on this. Okay.
[09:38] So one, I was talking to one of my collaborators,
[09:41] I chair a work group with IEEE Industry Connections about trusted architecture and fancy words. Right. And so we were talking about AI agents because we're creating like this. We're creating a technology and legal agnostic privacy labeling program.
[10:01] It's kind of complicated. But one of the things we were talking about was agents. And he was saying because we had like a carve out, not a carve out, but we had certain controls related to agents specifically.
[10:13] And one of the people said, well,
[10:16] agents and humans won't be the same within organizations because they'll get access.
[10:24] Just like you're onboarding a new employee,
[10:27] eventually an agent will be onboarded almost like an employee. So then their identity won't be different than a human.
[10:35] And I'm not okay with that. Right. Right at this moment.
[10:41] So that's one thing, that's one school of thought, like, let's enroll them like human and let them do Stuff. Right.
[10:48] But on the other end, this is what I'm reading, and we talked about this, about the guy who said that his AI agent deleted his company's database in nine seconds or something like that.
[11:00] Marcus Wells: Yeah.
[11:01] Debbie Reynolds: So the issue there was he wasn't onboarding, this agent wasn't onboarding like it was an employee. He literally gave the agent his access.
[11:14] Right. His rights and let it do all types of crazy things.
[11:19] So those are two things,
[11:21] two schools of thought. But I just want your thoughts on those two things.
[11:25] Marcus Wells: I'm going to do my best here. I think there's a way for me to talk about both of those schools of thought within the single strand of comment that I have.
[11:33] And this is going to get really interesting and I'm so glad you brought that up because I have a lot of very strong opinions about this.
[11:40] So firstly, I will say that when it comes to AI agents or AI in general as we know it,
[11:48] there's something that is very unique about that type of software because in reality that's all this stuff is. Right? It's just, it's a, it's a, it's an application, it's software, whatever you want to call it.
[11:59] Right. It's a piece of technology that was built, designed, written, employed for use. Okay.
[12:05] In most scenarios before the age of what we've been calling AIs, and I kind of revert back to what I refer to it as, which is large language models, because in my mind there is a key difference.
[12:17] But that's neither here nor there. For right now,
[12:20] technology and software has been for the most part what I would consider trustworthy right now. I don't mean to say that every piece of technology that was ever written and developed is trustworthy to every person.
[12:36] What I'm saying is that if I'm a threat actor, for example, and I build a malicious piece of software,
[12:42] I can trust that it's going to do what I intended for it to do.
[12:47] Right. I think that also requires us to actually understand trust in the context. And I'm using it,
[12:52] which is a non moralistic context.
[12:55] It's not to say that trust always equals good, it just means that trust equals a measured and repeatable outcome that is consistent.
[13:04] Right.
[13:06] So with that being said,
[13:08] LLMs and AI in particular are one of the first types of applications and software that we're using as a society of people that is untrustworthy.
[13:21] Right?
[13:22] Debbie Reynolds: Right.
[13:23] Marcus Wells: That in and of itself introduces so many different elements of risk.
[13:29] Debbie Reynolds: Right.
[13:29] Marcus Wells: And what I mean when I say that, I mean like literal risk, like the opposite of trustworthy is risky, right?
[13:36] Or untrustworthy can also equate to riskiness because you don't know what the outcome is going to be. You can't for sure say that the outcome is going to be X.
[13:46] It could be X.
[13:47] There's a high probability that it likely would be X. But I can't say that with a level of definitive measurement, right?
[13:55] And so the easiest way to think about it is like this.
[13:58] Imagine hiring somebody into your organization and you find that on their background check they lied about something consequential.
[14:08] Debbie Reynolds: Right?
[14:09] Marcus Wells: However, this person has a skill set that fits a need within your business that is so desperately hard to find that you are willing to make an exception,
[14:20] right? Whatever was in the background check was not enough for you to say, stop right there. Do not pass go. Do not collect $200 immediately terminated.
[14:29] Debbie Reynolds: Right?
[14:30] Marcus Wells: So you bring this person into your organization and you give them a task that is related to what you need them to do.
[14:38] However,
[14:38] you find that consistently they're doing things outside of the parameters of what you need for them to do. They're doing the job, but they're doing other things as well that are continuing to increase the level of risk your business is taking on.
[14:53] That is effectively what it's like to implement an LLM or an AI into an organization.
[14:58] And it's something that is an uncomfortable truth that we have to come to terms with because if we don't, then we can't effectively get our hands around it to know where the right safeguards need to exist in order for businesses and organizations to continue to operate sustainably.
[15:16] Right? I'm not saying don't do it. I'm not saying hey, poo poo AI. I'm simply saying let's understand,
[15:22] right, what those risks are,
[15:24] what the appetite is for that particular level of risk within an organization, and then define out how we can actually put the right safeguards around it. So to a degree, I agree with the sentiment that these AIs,
[15:39] I'm using the term colloquially, of course,
[15:41] are going to be onboarded as humans. And I believe that that is actually not necessarily the bad idea that people might think it is. Right. I think the consideration needs to occur in what kind of human are you assuming this system is going to be?
[16:01] Debbie Reynolds: Right.
[16:01] Marcus Wells: Right.
[16:02] So there's a. And I'm gonna bring one thing up and it might take us down a different road, but I gotta say it.
[16:07] There's a common linguistic misnomer that exists in the world of our society, but specifically, I see it more and more in cyber.
[16:18] It's a very simple term. People will say it quite often. I'm sure you've heard of it, trust, but verify.
[16:24] I personally do not abide by that terminology.
[16:30] And it goes to exactly what we're talking about.
[16:33] If I trust this system that I know cannot be trusted or that I don't know can be trusted, which is equally as important,
[16:43] right?
[16:46] Marcus Wells: And I bring it into the inner sanctum of my organization and I give it the level of access that it would need to. You mentioned that article that happened where this professional gave access,
[17:00] gave his access, abdicated his responsibility. Let's call it what it is. That's right, to this AI, right?
[17:06] And the AI just did what the AI is going to do. It's going to act unpredictably,
[17:11] Right? But if it had not been given that level of access to begin with,
[17:17] it would not have had the ability to do that, right?
[17:20] So once again, going back to that trust but verify thing,
[17:23] you trusted it and you verified after.
[17:26] However,
[17:27] what you verified was the deletion of incredibly sensitive and important data in a timeframe that did not really allow for anyone to respond or react.
[17:42] Right?
[17:43] So is that really the mental model we want to be using going forward,
[17:49] or do we want to invert that mental model and verify first,
[17:54] then measure trustworthiness and then trust?
[17:58] Right.
[17:58] I know it doesn't sound as attractive,
[18:01] right?
[18:01] Debbie Reynolds: Even.
[18:02] Marcus Wells: Even saying the shorthand version of it, like verify then trust, doesn't sound as attractive. But it is one of those things where it may not sound as attractive,
[18:12] but it'll sound really good when you don't have to shut your doors, your business.
[18:16] Debbie Reynolds: That's right.
[18:18] Because when we were talking about this, because I read the.
[18:21] Obviously the. The headline is very jarring. So, I deleted my database in 9 seconds, and I was reading through the article of all the stuff that he said he had done and the way his system was set up.
[18:34] And at some point I just stopped reading when I found out that his live database and his backup were in the same location.
[18:45] You cannot be helped.
[18:47] You cannot be helped. Like, hey, I didn't do this to you. You did this to yourself,
[18:51] right? Like, you're just really. I mean, to me it should be. There should be some structural things that are impossible for them to do.
[18:58] And literally you gave. First of all, you had a bad design of your data system and then you just let this thing loose. And so my thing. I wrote an article and I want your thoughts on this.
[19:10] I'm saying we are moving from risk in terms of probability to risk in terms of possibility.
[19:21] So before we were like, well,
[19:23] how likely is it to happen? You know,
[19:26] so now we need to be asked the question like how, you know,
[19:29] probable, how probable is it not likely,
[19:33] how probable, how possible is it? Can an AI agent delete your database? Well, yeah, if you give it admin access,
[19:41] yeah, it can do that because you've given it access to do that.
[19:44] Marcus Wells: And I 1,000% agree. And one of the things I want to just take a moment and say, cause I think this is really important,
[19:50] is I appreciate even how you approach that from an analysis standpoint. I see what you're doing as like an interrogation not of the person, but of the framework,
[20:02] right.
[20:03] So if I'm kind of walking you through how I'm thinking about this, you know, the article comes up says, hey, look, this person had their entire database deleted. Nine in nine seconds or whatever the case may be, or nine minutes I think it was.
[20:14] And then, you know, it's easy to just like,
[20:17] you know, take the shock treatment at face value. Right?
[20:20] However, you, you definitely took it like multiple steps forward and you're like looking at, okay, well how was the data even structured? Right. And so I think that is one of the things too that oftentimes gets missed.
[20:31] And this is, I think, a part of just how people operate. I won't even limit it to cyber, just people operate in general, right? A lot of times people,
[20:40] just people in general, not specific to cyber.
[20:43] We like to have an easy option, we'd like to have shortcuts.
[20:47] And I'll kind of, I'll go down a little bit of a side tangent here because this is important.
[20:52] I was,
[20:53] I was actually talking to Gina not, not too long ago and I was telling her about, you know, like,
[20:57] how when I started off on this path of like training others into identity security,
[21:01] I wanted for them to have a better experience than I did. Because everything I know about identity, like I was, I'm all self taught,
[21:07] right? Like the whole process that I've been building out was a series of, okay, let's strip out all the nonsense that you don't need and like just leave in the content that you absolutely would need to be able to be successful.
[21:18] And I was able to get it down to like a really short period of time in order to like train people up and get them out the door and have them know everything you need to know to, to do the job.
[21:25] The thing was,
[21:27] I was thinking about it from my perspective, which was this is a major shortcut, right? And it was,
[21:33] the problem is,
[21:35] to the person who's never lived what I've lived through, it's not a shortcut, it's just the long way, right?
[21:45] Marcus Wells: And so I think that has a lot to do with it, right. Like as humans. And once again, I'm not taking myself out of the equation here. We want shortcuts, we want to do things in the most efficient way possible.
[21:58] And there's nothing wrong with that. However,
[22:00] we have to understand what it is we're losing,
[22:03] right? What is the cost of that shortcut when we decide to take that action? And so,
[22:08] you know, same situation here. It's. It might have been easier to have the database for production and database for test and QA in the same, you know, logical environment. I use logical very loosely here,
[22:22] but obviously didn't work out for that person in the end. And,
[22:26] you know,
[22:27] the hope is that that person would have learned a valuable lesson from it and that maybe other people will also learn valuable lessons from it so they don't end up doing the same thing.
[22:35] Debbie Reynolds: Right.
[22:35] Marcus Wells: However, I can tell you, just based off of human nature and humans being humans, it's going to happen. It's going to happen a lot, right? The fact that we're still having these conversations even about identity and the structure of how the identity frameworks, when they're implemented correctly, can do amazing work,
[22:52] not just in your workforce identities, but also in your customer identities as well as, like, your agentic identities and your AI identities. It's the same framework across the board.
[23:02] And yet, and still as a society, it's been 40 plus years and we still haven't figured it out yet.
[23:08] Every time I watch a television show, right? Like I started watching Halo, the TV show based off the hit video game series,
[23:15] and this is not specific to this show. It happens all the time, like Law and Order, like, I don't know, CSI. Like pick any show, just pick a show, any show.
[23:22] And at some point in time during that show, during the run of that show, you're gonna have somebody say,
[23:27] who had access,
[23:28] right?
[23:29] Who had access, who had access to these systems, who accessed these computers? Who had access to this location?
[23:34] Who had access to the victim? Who had access to like the products? Like that's a question that comes up so often,
[23:40] so many times and so many things that we interact with all of the time.
[23:44] And yet, and still we haven't figured out to kind of bring this all under the same umbrella, the importance of traceability,
[23:51] right?
[23:52] Because that's kind of what? Going back to what I mentioned about you. Like, you're interrogating the framework. You have a traceability matrix that you're using to then understand, okay, well, how do we get here?
[24:01] We didn't just get here by somebody waking up one day and saying, like, this is a great idea.
[24:07] No. There were a series of decisions that led an individual or group of people to the point where they felt comfortable.
[24:14] Right.
[24:15] They felt that this was a good idea because whatever actions they were taking,
[24:21] they did not perceive the risk.
[24:25] Debbie Reynolds: Right. In a way, it's like I think of it whenever I see things like this and I try to dissect it. It's always,
[24:34] you know, it's never one thing.
[24:37] Like people say, it's a straw that broke the camel's back.
[24:40] It's a cascade of things. It's a multitude of things that compound and lead to that one moment that, oh, my God, they deleted my database. But then you did these 10 other things that created this risk that made it possible that your database got deleted.
[25:00] Right, right, right.
[25:01] Marcus Wells: And even when you talk about like that, that common phrase, like the straw that broke the camel's back.
[25:05] Debbie Reynolds: Right.
[25:05] Marcus Wells: It's like we're still only focusing on that one single straw instead of, like, the 20 bales of hay sitting on that camel's back before this point. Like, are we really gonna ignore that? We just gotta focus on one little. One little strand of hay. Okay, got it.
[25:22] Debbie Reynolds: Right. And to me, a lot of times when people are talking about cyber, that's what they're talking about. They're talking about that one straw. It's like, what about the hay? Like you say, the bale of hay.
[25:31] What's going on with that? Yeah, right.
[25:34] That is so funny.
[25:36] Marcus Wells: Love it.
[25:37] Debbie Reynolds: I want your thoughts about privacy, how privacy, how it connects into identity. I think they're intimately related. What are your thoughts?
[25:48] Marcus Wells: I agree, I agree. And I have some very interesting takes on this too. So hopefully no one comes to me in the comments,
[25:55] but so I've done a little bit of research. And just a fun fact about me, I am a huge nerd. And I mean that in all manner and senses of things.
[26:07] A while back, I was doing some research and I'm interested in, like,
[26:11] language, linguistics in general. Right. And so I find that in particular, linguistics has a fundamental tie into what we call identity. How we want to be seen by the world,
[26:24] how we want people to perceive us, and in many cases,
[26:27] depending on who you are, how you want to not be perceived. Right.
[26:31] And so many of these things are inextricably linked to the language that we use to then describe the very attributes that make us who we are.
[26:42] Just a little bit of background.
[26:44] So because of that, I'm just really interested in language. And I started looking up the etymology of the word security.
[26:51] And so it comes from a Latin term, securitas,
[26:56] which means free from care,
[26:59] right?
[27:00] And this was incredible to me because it started to unlock so many other different things.
[27:05] And what it really amounted to for me was that security isn't something you have or that you do necessarily.
[27:15] For me,
[27:17] it's a feeling,
[27:18] right? It's a state of mind.
[27:21] So even if I have something of value, and I'm gonna get to like the privacy connection here in a second, I apologize for being so long winded. But even if I have something of value,
[27:31] right,
[27:32] I don't need to have that thing locked down to feel secure,
[27:37] right?
[27:38] I personally internal to me, myself as an individual,
[27:42] I have to feel so confident,
[27:46] right?
[27:47] So secure in myself, right? To not use the word to describe the word, but I have to feel so at peace with myself that regardless of who's around the thing, if the thing is actively protected or not,
[28:02] it doesn't matter,
[28:04] right?
[28:05] It only matters that I have had it at one point and I realize that I may not have it tomorrow,
[28:11] but I've been able to appreciate and enjoy it for the time that I have had it. And that's good enough.
[28:16] That's really what it broke down to for me, right? Kind of like the term, like, oh, it's better to have loved than lost or never loved at all.
[28:24] So tying this back in to privacy, right? So when I think of privacy,
[28:30] that is something I feel like in the understanding of what these terminologies mean, that is something that you can express,
[28:38] right?
[28:38] There's an expression of privacy, not like a verbal expression, but oftentimes like some sort of physical expression. It is in many ways correlated to protection,
[28:50] right?
[28:51] I am cordoning something off,
[28:53] right? I am making something less visible. I'm obscuring something,
[28:58] right?
[28:59] And so even when we think about privacy, privacy can only exist in certain context within a business or even outside of a business for personal privacy, right? Because here's the thing, I want to have privacy.
[29:13] Absolutely right? There are things that I absolutely want to have privacy on. So there's that old song,
[29:18] I'm not gonna sing it. But it's like, you know, sometimes it feels like somebody's watching me. Like that whole song is about privacy, right?
[29:25] Debbie Reynolds: Yeah, totally.
[29:26] Marcus Wells: Being in the shower and feeling like somebody spied on you. No one wants to feel like they're being spied on in any of those, like, intimate moments of their life.
[29:33] Debbie Reynolds: Right.
[29:34] Marcus Wells: And so what it really amounts to is this. We all want privacy with an asterisk.
[29:41] Debbie Reynolds: Right.
[29:42] Marcus Wells: I still want to have a line of sight into the things that I want privacy on.
[29:47] Right. I don't want to cut myself outside of that ring of visibility.
[29:52] Debbie Reynolds: Right.
[29:53] Marcus Wells: I may be the only one who feels like they should have access to it.
[29:57] Debbie Reynolds: Right.
[29:58] Marcus Wells: Or I want to have control over who does have access to those things and what they may have access to. So it's really. That's what I mean when I say it's an expression.
[30:07] It's an expression of my consent,
[30:11] to put it plainly.
[30:13] Debbie Reynolds: Right.
[30:14] Marcus Wells: It is an expression of my consent or your consent or any person's consent, depending on, like, what's under their purview for that privacy.
[30:20] And so there is a relationship between privacy and security.
[30:25] However,
[30:27] they are not mutually exclusive.
[30:29] And that's really what it comes down to.
[30:31] Debbie Reynolds: Right.
[30:32] Marcus Wells: Privacy implies that I want to be able to manage and have a level of autonomy over what gets accessed when,
[30:45] why,
[30:46] how, and where. Security is,
[30:49] I realize that I may have that ability to express that, or I may not be able to have the ability to express that,
[30:56] but in either case,
[30:58] I'm still okay with it.
[31:00] Debbie Reynolds: Oh, my goodness. Goodness, that's deep. That's deep.
[31:04] I like that.
[31:06] I like that. Right. And so for me,
[31:10] I feel like I want your thoughts. I had talked and I've talked for many years about this,
[31:16] especially in privacy, when we're talking about organizations dealing with data people.
[31:21] I feel like in the future,
[31:23] privacy or consent would need to be more incremental or more based on our journey. So, yeah.
[31:31] So people,
[31:32] let's say there was something,
[31:34] I'll give you an example in law, okay? So let's say confidentiality, okay?
[31:40] People talk about this. Like, people get those things confused with privacy all the time, but it's not the same.
[31:46] Right. But confidentiality is.
[31:49] Me and you agree that there's this thing that we want to keep under wraps or we want to create guardrails around because we're trying to protect it in some way.
[32:03] It doesn't mean that it is a secret.
[32:05] So let's say I'm going to Florida,
[32:09] okay? And I said, okay, I want you to keep it confidential.
[32:12] So the fact I'm going to Florida isn't a secret.
[32:16] It's just something that you and I agreed together that it would not be divulged. Right?
[32:23] So to me, that's where privacy sort of gets into that lane where I'm like, okay,
[32:28] this is something about me that I want to control who has information and what they're going to do with it and have visibility along that path. But they also have control over saying, well, now I don't want you to have that information or I'm not going to give it to someone else.
[32:45] So what do you think?
[32:46] Marcus Wells: Yeah, I like how you broke that down. Because in my mind, when I hear you say that, it makes me think of it in a very similar framework, as confidentiality is the
[32:57] contract, the agreement.
[32:59] Debbie Reynolds: Right.
[33:00] Marcus Wells: Between one or more people. Right. And then privacy is the act that has to exist as a result of the agreement.
[33:11] Debbie Reynolds: Right, right, exactly.
[33:12] Marcus Wells: And I think people often don't give enough credit to the lack of action being an action.
[33:19] Debbie Reynolds: Right.
[33:19] Marcus Wells: So if I don't disclose the information,
[33:22] that's still a conscious decision and choice as an action.
[33:26] Right.
[33:27] The same way that if I did disclose the information,
[33:30] I would have broken the contract, potentially. But it is also an act. Right.
[33:34] And so, yeah, the confidentiality is like I said it would be the agreement.
[33:40] And almost like it makes me think about the difference between policy and procedure.
[33:45] Debbie Reynolds: Right.
[33:45] Marcus Wells: To kind of take it back there.
[33:47] Debbie Reynolds: Right.
[33:48] Marcus Wells: Policy is the way that the organization is dictating that they expect individuals to behave.
[33:54] Right.
[33:54] Procedure is the path, or the action, that they're saying, we expect you to take as a result of behaving in this way.
[34:02] Debbie Reynolds: Right. And a lot of people confuse that. Right. So they think a policy is a procedure. It's like, no, it's actually not. Right.
[34:11] Also, a policy isn't a notice. It's not an agreement. It's basically an edict saying, hey, this is what we want you to do. It doesn't mean it's gonna get done, or, I'm sorry.
[34:24] Cause I always tell people when I work with companies and they're like, oh, we have a policy. I'm like, well, so what do you actually do? Like, tell me what you actually do.
[34:33] So if your walk and your talk are different, then you have a problem.
[34:37] Marcus Wells: I'll point one other thing out, well, two other things, which I think are very interesting too, because in most organizations, and there's no, I'm not saying this is a bad thing, but this is the case.
[34:45] And it oftentimes has to be the case.
[34:48] There can be exceptions to the policies, or to certain policies, within an organization.
[34:53] And so that has to be discussed as well. Right. What exceptions exist around these specific policies? And then the other side of it is, when an organization has a policy,
[35:03] do the people within the organization understand that the policy does not supersede the law?
[35:10] Debbie Reynolds: Correct.
[35:11] Exactly. So that's where we're really getting complications, or the complexity is getting stronger every day, because of the changing laws and landscape. But then also expectations are changing.
[35:29] So customers are expecting more transparency. They're expecting more companies to protect their information in different ways than maybe they had done before or be more transparent about what they're doing with their data.
[35:47] Right.
[35:47] Marcus Wells: And that's, I mean, kind of bringing us all back into the identity vector. 'Cause it's not that it wasn't already there, but just tying a bow on it and showing, you know, the audience how this is all connected. Oftentimes within organizations, it isn't specific to people identities.
[36:04] It can happen across any type of entity within the organization.
[36:09] You may have someone who has a level of access that they had previously received from a different role that they had in your organization or a special project or what have you.
[36:19] You know, and like you said, you know, organizations, their requirements are changing in real time. And so they may need for their employees to protect the data in new and novel ways that they had never really considered before.
[36:31] How can we really expect that to unfold in a way that is beneficial to the organization,
[36:39] the public in general.
[36:41] Right. The customers, the vendors, the suppliers, all these different groups if we don't even have an accounting of how the data that can be accessed,
[36:52] can be accessed.
[36:57] Debbie Reynolds: Right, right. And so this, to me, this comes back to security by obscurity. And this is why AI is like running rampant through organizations.
[37:09] I'll give you an example. Like, and this is hilarious. So there were in certain applications within organizations, the way they would set it up, the certain,
[37:20] let's say it was accounting. Accounting had an application, and they would give people access, right, to the application. And they have roles and different things like that.
[37:30] But then the data,
[37:33] where that application sits and where the data input lives is not secured in the same way.
[37:43] So,
[37:44] so you're assuming that the application and the data are secure, because you're assuming that they're going to go into the application and take this path that you created. You're not thinking that they're going to just blow the back door off of everything and just go in and grab everything,
[38:03] regardless of access. And so this is the AI problem. And to me, this is the example of this guy who said his database was deleted.
[38:12] Right, Right. So it's like if your database was protected on the back end,
[38:18] AI agent cannot have deleted that.
[38:22] But it did.
[38:23] Marcus Wells: Yeah.
[38:24] So yeah,
[38:26] there's a funny kind of thing that just you made me think about when you said that.
[38:31] There's two concepts. So there's this idea that, that if you show up to a location with a clipboard and a pen,
[38:37] you can pretty much walk through any door you want.
[38:40] Debbie Reynolds: Right?
[38:40] Marcus Wells: Which is mostly true. Mostly true. I mean, generally speaking, like, depending on
[38:46] how you outfit yourself, you can pretty much walk into any door you want and no one will question you, right?
[38:52] I'm not saying anyone should do that, not advocating for that at all.
[38:55] But I'm just, I do need to just state that.
[38:57] So in a different life, I was a bike messenger in New York.
[39:00] And the number of places that I could gain access to because I had some sort of, like, package on my person, and I didn't have a uniform.
[39:09] So it wasn't like, oh, people just knew, because I had some, like... you see a UPS driver, you know, brown uniform, brown shirt, brown pants, driving the big brown truck, or even not, just walking down the street, like, you...
[39:19] Oh yeah, that's UPS guy. Of course, UPS person, right, Duh.
[39:23] Amazon worker, same thing. Nope,
[39:26] just a random black dude walking around downtown Manhattan with a package in his hand asking to talk to a person who may or may not work in your building.
[39:36] And I was able to get through so many different security checks, and this is, like, post-9/11, by the way.
[39:42] So there was no reason why this should have ever been possible, right?
[39:47] But I bring it up because, as I'm listening to what you're talking about, it made me think it's kind of like the Apple Store, just as an example, right?
[39:56] Popular product people have historically lined up outside the store for hours to be able to get a new iPhone.
[40:03] Now imagine you got all these people lined up outside the Apple Store just ahead of a new Apple major release,
[40:10] right? Some like real game changing type stuff.
[40:13] And here you have an individual who's dressed really nicely,
[40:19] maybe, like, they've got a nice suit on or something like that. They look like they're some sort of, like, high-level executive, whatever the case is. And they just walk past the entire line just before the opening, and they strut right through the front door, skip everybody in line, and maybe the product is out just on display,
[40:37] pick it up, go check out at the cash register, and what have you. And maybe just walk in and grab the phone and walk out,
[40:43] right?
[40:45] Depending on how someone carries themselves can really determine how far they get, right? A lot of times in a situation like that,
[40:53] it's been shown that if someone goes in and runs and does a smash and grab, you're probably not gonna get very far. If you walk in confidently like you're supposed to be there, you take what you need and you walk out calmly, the likelihood that you're even going to trigger people's psychological responses to like,
[41:09] oh, this person is doing something they should not be doing is very low.
[41:12] Right. What I'm saying is organizations are in some cases operating as if these criminals are going to come in and stand in line
[41:29] to be able to get their hands on their IP.
[41:33] Debbie Reynolds: Right.
[41:33] Marcus Wells: And that's just not what they're doing.
[41:38] Debbie Reynolds: That is so funny. It's so true. Right. And then I'll just give you an example, like unauthorized access. And I tell people about this a lot,
[41:47] and this happens a lot with AI systems as well. So things are accessing stuff that they're not supposed to access.
[41:53] But a lot of times when people talk about security,
[41:58] they're talking about, they're thinking about this Mission Impossible Tom Cruise hanging from the ceiling thing.
[42:05] And it could be Sarah down the hall has more access than she's supposed to and she's looking at stuff that she's not supposed to be doing.
[42:13] Or Sarah got OpenClaw and put it on, and it has access to her computer, and her...
[42:21] The stuff she has access to is not locked down. So now the thing goes in and can do all these wacky things. So that's so funny.
[42:29] Marcus Wells: Yeah, yeah.
[42:30] Debbie Reynolds: How do we get here?
[42:33] Marcus Wells: It's all connected.
[42:34] That's the problem.
[42:36] It's not difficult to get down to these, like, fringe little pockets of business and cyber and society when identity is literally the nucleus of all of it. Right. I mean, we, we're talking about identity in the framework of a business.
[42:48] And so the first thing people mostly think about is Active Directory.
[42:52] Right. But if you step back and actually examine identity as a concept,
[42:57] everything becomes so much more clear.
[42:59] Debbie Reynolds: Right.
[43:00] Marcus Wells: The order of operations even becomes clear because there is an order of operation. Right. Like, and that's a whole other conversation, but I'll mention it briefly before I move on to my point.
[43:08] A lot of organizations,
[43:10] they,
[43:11] when they're starting off on their identity journey, they like to jump into what seems to be the best possible starting point,
[43:20] which is not always the beginning.
[43:22] Debbie Reynolds: Right, Right.
[43:24] Marcus Wells: What I mean is that privileged access management, PAM. Right. You think of that? You think, oh, it's the most sensitive data that we have,
[43:32] so we want to secure that first. Of course, obviously that's the best thing we could do, is, like, lock down the most sensitive stuff first.
[43:40] Or is it? That's the real question we have to ask. Or is it? Right, yeah, because,
[43:45] and I'll use an example in my personal life, right?
[43:48] I told you, I'm a huge nerd. I collect Pokémon cards because I'm of that era, as an elder millennial.
[43:55] So a lot of times when you open a pack of cards, there's, like, anywhere between, I think, like, 10 cards in the pack, right, and you get random cards or what have you, and I'm going somewhere with this, so bear with me.
[44:07] But some of them can be really valuable. I've pulled cards that, if graded at their highest ranking,
[44:15] like by an authorized grader, could resell for upwards of twelve hundred dollars per card.
[44:22] Right. Just to put this in perspective,
[44:25] I don't always know what the value of my cards are when I pull them from these packs.
[44:33] So what I initially do is they're all numbered because each set has a certain number of cards in it.
[44:39] So I will start to organize them based off of their number and where they appear in the set.
[44:46] Debbie Reynolds: Right.
[44:47] Marcus Wells: Only then, after I've, like, opened up all of the packs within that set that I'm going to have, do I start to go back and enumerate,
[44:56] okay, what's the value of each one of these cards?
[44:59] Once I understand the value of each one of those cards, then I can start to set aside, okay, so these are the ones that are of the highest rarity and of the highest value.
[45:07] I'll separate these ones out and I'll put them in some additional protective sleeving,
[45:12] or I'll put them in a separate binder or whatever the case may be, because these are the higher value cards that I have. Right? There's a logical reason why you may want to do that.
[45:22] Because if I don't do it that way, the likelihood of me missing something that is incredibly valuable in my collection is very high.
[45:30] Debbie Reynolds: Right.
[45:31] Marcus Wells: And if I let it sit in that binder with the other lesser valuable items,
[45:36] it doesn't receive the level of protection that it could have.
[45:40] And so the value of that card can decline over time.
[45:45] That's not a risk that I'm willing to take.
[45:49] And so when I talk about like the natural operating order of implementing an identity security practice, this is what I mean.
[45:58] What we're talking about is PAM versus IAM.
[46:01] Debbie Reynolds: Right?
[46:01] Marcus Wells: Those high value cards are the privileged access in an organization's environment.
[46:08] I can't just go in and pull those things out immediately, because I have no idea how much of that stuff I actually have.
[46:14] I have to do a full inventory of everything I have first.
[46:19] Then I can go back through and say, all right,
[46:22] these are the things that I know are high value. And some of the things that I'm pulling that are high value may not necessarily even be high value based off, like, a monetary finding.
[46:30] It could just be that I really like the artwork on this particular card.
[46:34] And so it has a high value to me personally.
[46:37] Debbie Reynolds: Right.
[46:38] Marcus Wells: And even then, me looking up the value online is not going to help me determine that. The only way I'm going to really determine that is by doing a full inventory first.
[46:45] And it's the reason why I always advocate for businesses and organizations, when they start off, hey, look, going PAM first, I'm not telling you you're wrong.
[46:53] I'm just letting you know that you will face some challenges that I cannot necessarily tell you what they're going to be or how you need to necessarily react to them or adapt to them right now.
[47:04] Debbie Reynolds: Right, right,
[47:06] you're right. And then that value changes over time. Right.
[47:10] So a lot of times in the moment, like, I knew someone, this is just another example. This is an example show. We're giving a lot of examples.
[47:19] So I knew someone who was, like, a ferocious note taker.
[47:23] And anything, like, if they had an article that they saved, they would, like, put the date of the article, like the date that they saved the article,
[47:30] they will write down.
[47:32] But I'm like, will that be important in the future?
[47:36] Marcus Wells: Yeah.
[47:36] Debbie Reynolds: Right.
[47:37] So you have people collecting data that they think is important today, but is it important in the future?
[47:44] And to me,
[47:45] I said,
[47:46] you know, unless you need an alibi for a crime, I don't think it's important.
[47:53] The date that you saved an article to me is not important in the future,
[47:58] in my view,
[47:59] unless you need an alibi.
[48:02] Marcus Wells: I would agree, though. I would absolutely agree. And that's the thing. I think that's the primary scenario. It's like you may or may not need an alibi.
[48:09] Hopefully you never need an alibi, right?
[48:10] Debbie Reynolds: Right.
[48:12] Marcus Wells: Hopefully. Hopefully.
[48:13] Hopefully you never need an alibi.
[48:14] Marcus Wells: However, I'm obviously coming from a different spectrum on this and I'm not saying either way is wrong. I think there are, there are merits to each approach.
[48:22] Me personally,
[48:23] I can at least understand why they might want to do that. Because creating a defensibility matrix,
[48:29] right?
[48:31] So maybe you don't need an alibi. But maybe you don't need an alibi
[48:36] because you've documented exactly when you saved the article. Maybe that's the whole reason why you don't need one. I don't know. I can't speak for that.
[48:45] Debbie Reynolds: Right.
[48:46] Marcus Wells: Look, all I'm saying is we all got to be safe out here.
[48:49] Debbie Reynolds: Yeah. That's so funny. That's so funny.
[48:53] Well, Marcus, if we're in the world, according to you, and we did everything you said,
[48:57] what would be your wish for privacy anywhere in the world, whether that be human behavior,
[49:03] technology,
[49:04] or regulation?
[49:06] Ooh.
[49:06] Marcus Wells: So I'm gonna say two things. First and foremost, do not, do not put me in that much control or power.
[49:12] I reject it immediately. And then secondly, I would say, if I had to answer the question with
[49:21] affirmatives, as you said, I would say,
[49:24] you know, I would just ask for us to be more considerate.
[49:28] Right.
[49:29] Like everyone, I would just ask for us to be more considerate. There are so many different points in this conversation where you yourself, Debbie, you have questioned or interrogated the actual framework, and that is something that I think is incredibly valuable,
[49:43] not just to societal security, but to business, to just life in general.
[49:48] Debbie Reynolds: Right.
[49:49] Marcus Wells: I think we could benefit more as a society of people, not just in this country, but across the world,
[49:54] in asking more questions,
[49:58] really understanding what we are stepping into or interacting with, even, especially even, when we think we understand.
[50:05] When we think we know, that's the most dangerous situation that one can find themselves in. But, yeah, I can't ever, and I would never even try to, tell somebody how to do anything or how to exist in the world.
[50:17] That is a decision that falls squarely within the entity that is yourself, whomever you may be, listening to this podcast or wherever you are.
[50:26] However, I would just ask that we be more considerate. I think that's the only thing I could really ask.
[50:30] Debbie Reynolds: That's a good ask. That's a good ask.
[50:33] Wow. This has been incredible. Thank you so much for being on the show.
[50:37] This is fantastic. Fantastic. I love these philosophical discussions. I love. I love linguistics as well. So I think it's wild, especially the way that people are throwing around words and trying to create new words.
[50:50] That's a whole other show,
[50:54] but, yeah, it's been great to have you on the show. Thank you so much.
[50:57] Marcus Wells: Yeah, thanks for having me.
[50:58] Debbie Reynolds: It's been.
[50:58] Marcus Wells: Pleasure. Pleasure's all mine. Yeah.
[51:00] Debbie Reynolds: Yeah. Well, we'll talk soon. Thank you.
[51:01] Marcus Wells: All right, take care.
[51:03] Debbie Reynolds: All right, take care.