Merritt Maxim, Principal Analyst, Forrester
Martijn Loderus, Director & Global Practice Partner for Advisory Consulting, Janrain
Merritt and Martijn will share insights on:
- Digital Transformation & Drivers
- Global Privacy and Security Standards: GDPR & Investment Trends
- Customer Identity Access Management Trends
Digital Transformation Trends
What is driving digital transformation? https://www.forrester.com/report/your+digital+transformation+is+not+bold+enough+five+signs+of+trouble+and+key+fixes/-/e-res137950 2017 FORRESTER. REPRODUCTION PROHIBITED.
The Five Areas Of Change Needed For Successful Digital Transformation https://www.forrester.com/report/your+digital+transformation+is+not+bold+enough+five+signs+of+trouble+and+key+fixes/-/e-res137950
The Three Fundamental Components Of Zero Trust In Digital Transformation https://www.forrester.com/report/futureproof+your+digital+business+with+zero+trust+security/-/e-res137483
Identity drives Digital Transformations
- BUSINESS IMPACT: Identity Innovation and Acceleration
- IDENTITY
- MARKETING: Markets; Industries; Market Segments; Channels; Journey maps and lifecycles; Customer storyboards and personas; Learning maps; Motivation models
- SERVICE: Customer Relationships; Value Propositions; Offering: Service/Products; Value maps; Product and offering maps; Design models
- OPERATIONS: Processes/Value Chains; Capabilities; Business Service Functions; Data; Applications; Technology; Value chain analysis; Cross functional models; Capability/business anchor models; Process models; Application models; Data and information models; Technology models
Transformation In Customer Engagements: From single touch to multi touch
[Diagram labels: Product Centric; Customer Centric; Product and Sales Objectives; Customer Insights; Channels; Offers; Preferences; Customer Segments; Response; Customers; Differentiated Value Propositions; Product, Promotion, Price]
- One-Way Monolog vs. Continuous Dialog
- Product Focused vs. Customer Relations Focused
- Campaign Oriented vs. Value Based Management
Recent Global Privacy and Security Standards: General Data Protection Regulation (GDPR) Trends
GDPR: Key Challenges
Business:
- Consent required for data that is collected
- Strong breach notification
- Data can only be used for purpose it was collected
Technical:
- Must support right to be forgotten
- IP address can be PII
- Data has to be available
Data Subject Rights: Access; Objection; Portability; Restriction; Erasure; Profiling/automated decisions
GDPR Key Principles: 1
Lawful basis for each processing activity
- Consent - freely given, specific, informed and unambiguous consent to purpose (can be gained with informed checking of box or click)
- Necessary to enter into or perform contract
- Necessary for compliance with EU or member state legal obligation
- Legitimate interests - set out in privacy statement/notice
  - Processing for direct marketing (subject to objections)
  - Processing to prevent fraud
  - Processing to ensure network security
- Additional bases by member states connected with national law or related to public interest
GDPR Key Principles: 2
Consent and purpose limitation
- Separate consent required for different processing purposes
- Further processing permitted as compatible with original purpose under certain circumstances/protections. (See Art. 6(4) for factors to consider in determining compatibility.)
Data minimization, accuracy, and retention limitation
- Take only the personal data needed to meet permitted purpose and only keep it for the time being
Transparency
- Clear, concise, and timely notice, including retention periods
GDPR Key Principles: 3
Personal Data Breach Notification
- Required for a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- Processor must notify Controller.
- Controller to notify supervisory authority generally within 72 hours after having become aware of it, if there is risk to data subjects. Notice not required if the personal data breach is unlikely to result in a risk to affected data subjects (such as if data is encrypted). Article 33(1).
- Controller to notify affected data subjects without undue delay if controller determines the breach is likely to result in a high risk to the rights and freedoms of individuals. Article 34.
GDPR requires a cross-functional approach https://www.forrester.com/report/identify+companywide+roles+and+responsibilities+to+support+your+gdpr+compliance+efforts/-/e-res138191?
GDPR Budgets & Priorities https://www.forrester.com/report/assess+your+data+privacy+practices+with+the+forrester+privacy+and+gdpr+maturity+model/-/e-res122836?
GDPR Obligations And Data Governance Impact: Building A Culture Of Privacy
Obligation: Organizational alignment
Description: Companies must assign a data protection officer (DPO) with appropriate resources and authority when they engage in regular and systematic monitoring of data subjects on a large scale or where their core activities consist of processing special categories of personal data.
Data governance impact:
- Implement a privacy management process.
- Enable privacy audits for regulators, including GDPR lineage controller and processor lineage.
- Publish privacy audit for data buyers.
Obligations: Data protection by design; Risk management
Description: Organizations must build the concept of privacy into the fabric of their data practices and their information platform architectures. Companies must manage transparency, lawfulness, data minimization, and data quality at each stage of the data life cycle. The GDPR discusses a code of conduct as a mechanism for formalizing practices. The GDPR states that organizations need to implement technical and organizational measures to ensure a level of security appropriate to risk.
Data governance impact:
- Establish data flow lineage along the data life cycle.
- Create dashboards for CIO, DPO, and chief data officer to demonstrate data protection (security and transparency) for private data.
- Provide data protection auditing guidance to diminish the costs of such audits.
- Centralize the management of private data security policies executed in many apps.
- Deploy these policies in the execution platforms (ECM, ecommerce, and cloud platforms).
- Estimate enterprise impact or risks to managing customer private data.
- Manage the evolution of impact assessment best practices from industry consortiums.
https://www.forrester.com/report/enhance+your+data+governance+to+meet+new+privacy+mandates/-/e-res135462
Customer Identity Access Management Market Trends
Trends affecting identity landscape: Analytics; Mobile; Security; Personalized Customer Journey; Cloud; Passwordless; Internet of Things; Social
Customer Identity Trends
[Diagram labels: Enterprise Dynamic ID Based Content Consumer BYOI ID Market Signaling Capability IAM - CIAM Blending IT Admin Data Subject Rights Compliance Data Scientist Fraud Scoring Increased Complexity Granular Controls Policy based Automation Increased Self Service Data Controls Increased Intimacy Network Aware Digital Fingerprinting Siri / Alexa interoperability]
Customer Interaction Fatigue
Overcome fatigue to ensure customer engagement:
- Registration Fatigue
- Login Fatigue
- Password Fatigue
- Over-communication Fatigue
Cyberattacks are a board-level concern
- Companies do not want their breach to appear on CNN.
- Security is shifting from a director/VP/CISO/CIO IT problem to a CEO problem.
- Data protection is a key concern.
- Mobile and IoT present new challenges.
- BYOD/user-owned devices are here to stay.
CISOs are Dealing with a range of IT Security Initiatives
Which of the following initiatives are likely to be your firm's/organization's top Information/IT security priorities over the next 12 months?
- Improving security monitoring capabilities
- Improving advanced threat intelligence capabilities
- Improving application security capabilities and services
- Leveraging cloud-based or managed security services
- Enhancing business continuity/disaster recovery capabilities
- Improving mobile security capabilities and services
- Achieving and/or maintaining regulatory compliance
- Improve incident response and forensics capabilities
- Creating a Security Operations Center
- Securing Internet of Things (IoT)/M2M within the enterprise
- Establishing and/or enhancing ediscovery practices
- Improving the security of customer-facing services and
- Complying with security requirements placed upon us by
- Ensuring business partners/third parties comply with our
- Establishing or implementing a formal technology/it risk
- Rolling out effective security training and awareness for
Chart values, Critical or High Priority (4,5): 66% 66% 66% 66% 65% 65% 65% 65% 65% 63% 62% 61% 59% 59% 58% Other 69% 34% 34% 34% 34% 35% 35% 35% 35% 35% 37% 38% 39% 41% 41% 42% 31%
Base: 2,314 Security technology decision-makers
Source: Forrester's Global Business Technographics Security Survey, 2016
The Enterprise Security Team Is Taking On More Customer Risk, And CIAM Can Help
Which of the following activities are you and your team actively working on? Where can CIAM Help?
- Ensuring the security and privacy of customer data sold/exchanged to partners
- Identifying new sources of data-driven revenue
- Protecting data warehouses and other data repositories typically used in customer intelligence
- Embedding security into your organization's end products or services
- Enabling rapid adoption of new technologies and/or services to help acquire and maintain customers
- Responding to breaches of customer PII in a responsible and timely way
- Developing secure customer-facing mobile and web applications
- API management and security
- Managing the risks around social media engagement
- Protecting our customers' personal information from privacy abuses
- Authenticating customers across channels
- Protecting our customers' personal information from cybercriminals and fraudsters
Base: 1,543 to 1,550 Security decision-makers responsible for security activities (1,000+ employees)
Source: Forrester's Global Business Technographics Security Survey, 2015 & 2016
61% My mobile/online behavior could be tracked 52% My data could be permanently recorded and accessible to anyone 58% 65% I do not understand who could have access to my data 45% 52%
Base: 33,471 online adults
Source: Consumer Technographics North American Online Benchmark Surveys (Part 2), 2016 and 2017
Concerns about personal data privacy and security when using social media to access other sites increase for consumers
45% 43% 40% 2015 2016 2017
Base: 4,505 4,636 online adults
Source: Forrester Data Consumer Technographics Technology, Media, and Telecom Survey, 2016 & 2017 (US); Forrester Data Consumer Technographics Consumer Technology Survey, 2015 (US)
Customer Identity Access Management Recommendations
- Know your customer a bit before you select and deploy a solution
- Balance usability with security
- Plan for scale
- Plan for multichannel
Your End-Goal: Move users from anonymous to known/verified identities over time in an unobtrusive manner
Questions?
Thank you
Merritt Maxim, mmaxim@forrester.com, @merrittmaxim
Martijn Loderus, martijn.loderus@janrain.com