Customers increasingly use digital channels to interact with organizations. But these interactions raise new security concerns that must be addressed by IAM solutions, says David Gormley of CA Technologies.
The first challenge is the age-old question of security versus customer convenience. No organization wants to make it more difficult for customers to interact with them in the electronic channels.
But there is also a challenge to get new customer facing applications and services to market quickly with consistent, says Gormley, a director at CA Technologies.
"When we say this space is taking off, what it means to a lot of IT departments is that the business has demands for a much higher volume of applications," Gormley says. "There's a real challenge there to try to set up a coordinated or standardized system so that they can focus on the business aspects of the applications and then just latch on the appropriate security when necessary."
In an interview about using IAM to improve customer engagement, Gormley discusses:
- Today's state-of-the-market and its unique challenges;
- How organizations are approaching security.
IAM and Improving the Customer Experience
TOM FIELD: Could you tell us just a bit about yourself and your role at CA Technologies?
DAVID GORMLEY: I've been in the technology space for about 20 years, worked in industry as a consultant, worked at an analyst firm, and then at both hardware and software vendors over those years. I'm currently, as you said, a director in the security group at CA, where we provide solutions on identity, access and API management. In that role I get to talk to a range of customers, prospects and analysts, as well as other vendors about identity-related security. It's a pretty hot topic right now, and recently we've been seeing a lot more interest in customer-facing identity and access management use cases.
FIELD: What do you see as some of the market conditions that are really driving organizations to use IAM to improve customer engagement across multiple channels?
GORMLEY: I think there's a whole set of market conditions or trends that are kind of playing into this. At the high level, it's really a simple reaction to the increased quantity and type of digital interactions that companies are having with their customers. One example I like to use is banks. In the past, 90 percent of their interaction was with customers who walk into the bank. In that space, online banking has really taken off, and the majority of interactions are online, and mobile applications have been introduced and are quickly rising up with regard to the volume of activities that banking customers do on their mobile apps. So it's just changed, the amount that companies interact with their customers digitally, the variety of applications, whether they be web-based or mobile, or web services that they provide has really expanded. So I think that is what has driven the larger trend.
There are a couple of business and security specific trends that I think have played into this, and one is just how quick customers have embraced these new forms of digital interactions. I see market surveys all the time in different industries about how many people are doing self-service activities and different things online that are calling the company directly or doing any of the older, more traditional interaction formats. I think that's sort of the business perspective, is both that customers want more of this digital interaction, and also that a lot of these interactions for the company when they're done digitally are a lower cost model. It's kind of a win/win for the business and their customers.
Then from a security perspective, the big push for IAM [stems from] some of the threats and breaches that you hear about. We've all heard about the recent one with Target, but there's been over four or five hundred million passwords that have been stolen just in the last year or two. So there's definitely a heightened awareness from the company perspective, as well as from the individual users, about identity theft and breaches.
FIELD: What do you see as some of the unique challenges that organizations face, including security, when they go down this path?
GORMLEY: One of the biggest ones might be balance. When we talk about companies leveraging IAM to include customer engagement and provide security ... at times, they are in conflict. Especially in the past, if you wanted to apply additional security, typically it meant inconveniencing your customers by making them sign in multiple times or do additional steps, etc. I think the biggest overarching challenge is finding that balance between user convenience and security. When we talk about customer-facing applications, especially in a competitive environment where you could be winning and losing customers based on how innovative your services are or how easy they are to use, there is a lot of pressure from the business side to make things seamless, to have the best experience possible for their customers. At the same time, the business knows the risks to their brand, and even their revenue, if there is a breach, and obviously the security side of the house knows all of the different threats that are out there. There is need when you're doing more and more of these remote digital interactions with your customers, and it starts to include more sensitive information or transactions that you need to provide security as well. I think that the real challenge is finding that balance.
I guess one other one that we hear a lot about is companies struggling to keep up with the volume and velocity going on here. When we say that this space is taking off, what it means to a lot of IT departments is that the business has demands for a much higher volume of applications, whether they're web apps, portals, native mobile apps or web services to embed in partner sites. There are a lot more requests there, and it's difficult for them to provide the security. It's definitely difficult if they are doing a one-off basis in each application. There is a real challenge there to try and set up a coordinated or standardized system so that they can easily focus on the business aspects of the application and then latch on the appropriate security when necessary.
CA Technologies Customers
FIELD: How do you find that some of CA Technologies customers are tackling these very specific challenges we've talked about?
GORMLEY: A lot of it has to do with where they are starting from. We work with a lot of large organizations, and they may already have a strong identity and access management system in place for employees, but they may be just creating a new customer portal or adding a lot of functionality to what they're going to provide their customers online. When that is the case, sometimes they look at this and they say, "Do we want all of the identities in one directory, both employees and customers, or do we want to keep them separate?" One of the other options is, where do we want to provide this functionality from? The traditional IAM for employees was done on premise for the most part. Now, CA and other companies offer cloud-based identity and access management services, and so sometimes when you're looking at the scale of customers, you may only have ten thousand employees but you may have five hundred thousand or a million customers and prospects whose identities you would want to track. When you start thinking about scale, sometimes there are advantages to doing that in a cloud-based system.
I guess it really varies on where people are starting from. If it's a smaller company or somebody who doesn't have an established suite of IAM products, they may start with some things like authentication or single sign-on. Start at the beginning of the relationship, they may start with social sign-on. So this is even before it's a customer. When it is just a prospect and you want to make it as easy as possible for somebody to register or give you some information about themselves, you may want to allow social sign-on to get that relationship started. And then as they become a customer, it would be logical to get your different modes of authentication and single sign-on in place to make that a secure and a convenient experience for your customers.
Strategies and Solutions
FIELD: What are some of the strategies and solutions that CA Technologies really bring in to bear for its customers?
GORMLEY: We kind of look at this across a variety of different use cases, and so I did mention a few of those. At the front end of the spectrum, it's almost more of a marketing activity that you are looking to bring in identity information. We see a bunch of companies on the social side who have made efforts to improve their presence on LinkedIn, Facebook or Twitter, and they may have hundreds of thousands or millions of friends, etc., but they don't have access to those identities for marketing campaigns or to convert them into customers. Social sign-on is a way to do that. That's sort of at the front end of the funnel, but as you move through the customer relationship, and we had an automotive company that we did some strategy discussions with, [they] started at that front end because they were trying to get more people into the funnel, that prospect funnel. Then, as they developed a relationship with them, they put in place different forms of authentication. They put in place single sign-on, not only across a whole set of applications that they provided, but they also linked out to [places likes] insurance or movie companies that included their cars. So they moved from single sign-on just on their applications, to federating out to partner domains. Again, for the customer the experience was seamless.
They also got into looking at mobile applications to allow customers to sign up for services or to get deals on accessories, etc. The way they built those mobile apps was through API-based web services. That's another area that when you start to get into creating these applications, whether their web, mobile, or cloud, API web services is the main way that companies are doing that moving forward. In that situation, you need good security and management there too. I guess we are dealing with people who are trying to tackle several of those issues at once, and then we are dealing with some who just start with one piece of it and then grow it from there.
FIELD: What do you see as some of the tangible business benefits that organizations are seeing from deploying your solutions?
GORMLEY: I think it goes back to that high level of commitment that we made; customer engagement is one of them. The example I gave with the car company; the amount of people that you [have with] this social activity going on, but the amount of people that actually click over and register with you, the experience they had was in the past. They put up this big registration form which would take 10 minutes to fill out. When you've got a prospect who is just interested in seeing the latest video of the car or the preview of a new model or something like that, they weren't getting good adoption there. They weren't getting a lot of people that were going through the sign-up process, and what it left them with was friends out there, but not a way to contact them. One area way at the front end is just a quicker registration or a higher adoption or pull-through rate, which includes identity information so that then they could market to them. So that is at the front-end of the funnel.
At the other side or in the middle of the process, I guess, [is] single sign-on across applications. Companies measure how many people go to the partners' sites, when they set up their portal and say, "Hey we're providing you this car, but if you want related insurance or if you want these add-on products, etc...," and they've got links there to partners. Again, it's pretty easy for them to track how many people are going through and what business is being conducted through those partner relationships. If you have single sign-on there, it's a much smoother experience, and so again they are documenting improved adoption rate or hit rates on some of the partner activities, and all that leads back to revenue. In the example I was talking about with the cars, one of their big things was they saw a high success rate if they had more test drives. They had local marketing companies doing these events, and again they provided single sign-on and made it seamless for customers based on their geographic area to sign up for things, and they got a higher level of test drives, which then correlated into a higher level of vehicle sales.
Again, it depends on the industry you're in, but in the financial services side we've seen higher adoption of new services that the banks or investment companies make available when it is a good user experience, and when you make it simple for them. It's kind of an over-arching rule that simplicity wins. I guess one other area that I would mention is the accelerated delivery of applications. What we're talking about here is kind of a standardized way of providing identity and access security across different application types. What we've done is compile a set of functionality that allows you simply create and apply security policies to web applications, mobile applications, API based web services, that spectrum of interaction methods. You can use common policies across them, and it's pretty easy to latch them on to new services or applications that you create. So under this pressure of getting new innovative functionality out there quickly in these competitive customer situations, we're seeing companies have an accelerated delivery time, faster time to market. Which again correlates into a better reputation as well as to revenue if you're kind of leading the way.
FIELD: Where do you see that organizations might find some of those early quick wins?
GORMLEY: I mentioned we do a lot of work with large companies, and one thing we found when we go in and do an audit or assessment of what they're doing is, many times in the rush to get things online companies don't even realize how many websites and portals and different areas have been set up online that customers and prospects and partners use. I don't know if I should call it a gold rush, but during the last 10 years where everyone wanted to put things online and customers were engaging that way, there were a lot of side projects and silos out there. I would say one of the quick wins is to do an assessment of that and get your authentication, get your single sign-on or web access management space cleaned up. When any one of these people are creating the portal or site they were working on, they didn't envision the deeper digital customer relationships that have developed now where a customer wants or needs to cross from application to application or portal to portal. You'd be surprised how it just kind of happens in the background, but when you go back and look at the customer experience, it's uncomfortable for them to go from one to the other if it's not set up and organized so that there's coordinated authentication and single sign-on. As I mentioned before, there's statistics on people moving to different vendors based on how convenient the online experience is, especially with the younger generation. People know what a good interface is and what a convenient experience is and they expect that from their vendors. I'd say a good place to start would be at that front end with authentication, with single sign-on. There's some ways to do authentication that aren't a hassle to users. There is risk-based authentication where you check factors in the background. You don't ask the customer to take additional steps. I think that would be a great place to start to improve the customer situation or experience, as well as, to provide better security for the organization.