
Digital Wake Management with Mark Settle

Steve interviews Author & Former Chief Information Officer (CIO) of Okta, Mark Settle

In this week’s episode, I speak with author and former Chief Information Officer (CIO) of Okta, Mark Settle.

Mark is a seven-time Chief Information Officer, most recently the CIO of Okta. He’s a three-time CIO 100 award winner, and a two-time book author. His most recent book is “Truth from the Valley, A Practical Primer on IT Management for the Next Decade.”

I met Mark via Jelena Hoffart and he and I cover his storied career in information technology, the impact the Internet has had on IT in the past 30 years, and how digital identity practices have never been more important in today's remote workforce. We also discuss the concept of “Digital Wake Management” and the impact artificial intelligence and generative media will have on cybersecurity.


Connecting with Mark Settle

Mark Settle’s LinkedIn:

Mark Settle’s Newsletter:

Companies & Resources Discussed

Books, articles, and white papers published by Mark Settle referenced in this episode:

Truth from the Valley: A Practical Primer on IT Management for the Next Decade

Truth from the Trenches: A Practical Guide to the Art of IT Management

Privacy by Design From Principles To Requirements

Digital Wake Management

Okta is an identity platform solution provider focused primarily on workforce identity and increasingly customer identity. Mark Settle served as its CIO from ….

CIO 100 is an annual award that celebrates 100 organizations and the teams within them that are using IT in innovative ways to deliver business value.

Oxy is an international energy company with assets primarily in the United States, the Middle East and North Africa.

Visa is a world leader in digital payments, facilitating transactions between consumers, merchants, financial institutions and government entities across more than 200 countries and territories.

BMC Software works with 86% of the Forbes Global 50 and customers and partners around the world to create their future. BMC helps organizations free up time and space to become Autonomous Digital Enterprises.

IHS Markit, which was acquired by S&P Global in 2022, was an information services provider headquartered in London.

Jelena Hoffart is an expert in the field of identity and fraud technologies. She was a previous guest on the EXECUTIVE SERIES podcast.

Todd McKinnon is the founder and CEO of Okta.

Intel creates world-changing technology that enables global progress and enriches lives. Inspired by Moore’s Law, it continuously works to advance the design and manufacturing of semiconductors to help address its customers’ greatest challenges.

Apple is an American multinational corporation that designs, develops, and sells consumer electronics, software, and online services. The company is known for its design aesthetic, attention to detail, and tight integration between hardware and software.

Owned and produced by the Consumer Technology Association (CTA)®, CES is the only trade show that showcases the entire tech landscape at one event. It is a major, annual tech event that promotes itself as the proving ground for breakthrough technologies and global innovators.

Privacy regulations referenced during the podcast:

CPRA/CCPA (California Privacy Rights Act / California Consumer Privacy Act) 

GDPR (General Data Protection Regulation)


Steve Craig: Welcome to the PEAK IDV EXECUTIVE SERIES video podcast, where I speak with executives, leaders, founders, and change makers in the digital identity space. I'm your host, Steve Craig, founder and chief enablement officer for PEAK IDV. For our audience, this is a video first, so if you're enjoying the audio version, please check out the full recording on where you can watch the episode, read the transcript and access any of the resources or links mentioned in today's conversation. In this week's episode, I'm honored to speak with Mark Settle. Mark is a seven time chief information officer, most recently the CIO of Okta. He's a three time CIO 100 award winner and a two time book author.

His most recent book is Truth from the Valley: A practical primer on IT management for the next decade (Truth from the Valley: A Practical Primer on Future IT Management Trends). Mark is also the author of CIO Perspectives, a white paper series that explores top of mind technical issues confronting today's CIOs and IT leaders. In Mark's storied career, he has held executive level positions at companies such as Oxy, Visa, BMC Software, and IHS Markit.

I met Mark through digital identity investor Jelena Hoffart, who I also recently interviewed on the podcast. Welcome, Mark. Thank you for making the time to be with us today. 

Mark Settle: Thank you, Steve. I'm looking forward to our conversation. 

Steve: I'm really excited about this one. Let's get started. For those that are listening to this, they've probably heard of the role of a chief information officer, but as a seven time CIO, can you share your thoughts on this role and the responsibilities of the position?

Mark: We're not going to talk tenure in terms of actual number of years, but I will say like over the course of my career, the role has really changed significantly. And the way I like to think about it, you know, in the old days, kind of, pre cloud, pretty much CIO owned all the IT assets in the company. You know, we own the data center, we own the applications, we own the network. And so that provided a level of control which some people liked and some people chafed at. And the rules of engagement have really changed in a very fundamental way. So now, as you all know, functional departments have the resources and really the authority to go off and buy a variety of IT capabilities on their own. And I like to use the term stewardship. So now I think the CIO role-- you still have delivery responsibilities for certain things, so, you know, the IT shop is like the quartermaster, like in the army. We equip all the employees with their laptops and productivity applications, et cetera. We have some enterprise responsibilities for integrating a lot of these applications, moving data around, enforcing security standards, et cetera.

But the days of, you know, complete and total ownership have passed at this point in time. So the role requires a little more in terms of powers of persuasion than maybe what it needed in the past. 

Steve: Very interesting. When I was looking at your LinkedIn background, I saw the least-- the first role you listed on your profile was chief information officer for Oxy. Imagine that wasn't your very first role. Can you tell us more about how you got into that field? 

Mark: So I-- actually my formal training is in geology and I worked in an oil and gas company. I've worked for a couple of oil and gas companies. I was with Arco Oil and Gas, which subsequently was bought by British Petroleum. And I was there for about 10 years and I worked in their research lab on the north side of Dallas. And I tell people I, kind of, got a master's in computer science by working in the oil industry. You know, it's really-- when you think of oil, you know, you think of like drilling wells and pipelines and ships and all that kind of stuff but it's really a very high tech industry and the wells-- you know many of the wells are so expensive that there's a tremendous amount of data collection analysis that goes into deciding where to spend capital dollars to drill wells. So yeah, that's-- that's-- I can kind of trace my technology chops, if you will, from the experiences that I have in the oil industry.

Steve: No, it's fascinating. I-- when I looked into your background, I saw the energy company experience and I didn't connect those, but it makes a lot of sense with the amount of data that they're collecting in that process and the need to optimize, so that's very interesting. You just alluded to this with, you know, the change of the role over time and the stewardship to the persuasion side of it across the time that you've been in the role, we've seen data information and really like the internet become so important in how we live and how we work and how we do business. How has that transformation digitally affected the position besides the organizational structures of it? 

Mark: Again, the portfolio of assets has multiplied, you know, almost like exponentially there when I joined Okta, and this would have been several years ago, the day I showed up-- I say the day-- one of my first initiatives I undertook was to do a survey in the company to understand how many SaaS applications we were dealing with. And of course, Okta was a cloud native company at the time-- it was not at the time, it's a cloud native company, it grew up, you know, without ever having a data center or without ever really developing any kind of corporate applications. And we had, I believe, I think we had 600 employees and I think we had 400 SaaS tools in the company at the time.

And I'm not going to name names, but I shared that information with another CIO in the Bay Area and she told me, she said, “I did something similar. I found 800.” And she said, “I never told my CEO about it because I thought, you know, he would think I was-- he'd accused me of mismanagement. Like, how could you let this happen? Like we should do something. We-- there's no way we should have 800 SaaS tools.” So, you know, that's between that and then managing, you know, the cloud computing resources and even data storage has moved into the cloud. So-- so the-- yeah, the asset portfolio that you're saying grace over is really significantly greater. And then -- just not to repeat the prior point -- there's a lot of things you don't control anymore, right? So you're really much more in this kind of integration business and then construction business. That's another good way to look at it, actually. 

Steve: The barriers to add tools to your stack on the internet are just a username and password sign up, and you've got a new tool in your shop, and it's very hard to keep track of those.

You mentioned Okta, that's your most recent role. Okta is a pretty known company for those that watch this podcast. Can you share how you met the team at Okta and how you got that position or history there? 

Mark: Isn't there some old saying about, it's not how good you are, it's, kind of, who you know? There was a gentleman I worked with at BMC Software, and he became-- I think he had the first title chief revenue officer at Okta, and so he basically introduced me to the team. And the other thing that I, kind of, had working for me in my favor, I was at BMC, I was an early Okta customer, so I had met the two co-founders.

The current CEO and one of the co-founders is a guy named Todd McKinnon. And at the time, you know, Okta was pretty small and BMC was a $2 billion company. And we told them, we said, “well, we're going to, you know, we're interested in this tool. We're, you know, it looks like it can help us out and we'll buy it, but we want you to make some changes. You know, there's some additional features or something that we want to see.” So Todd always used to kid me, he said, “you know, to get you signed up, we went ahead and did that. And then once we had you as an account, then we just like ripped all that stuff out. Like that was stupid stuff that you were asking for. So, you know, we got rid of that stuff after the fact.”

So, you know, the fact that I had experience with the tool, I had met the management team and frankly that was part of my willingness to join. I had, you know, talked to some other startup companies at the time. And, as everybody knows, relationships are so important to being successful in a company. And I just kind of felt like I already knew half the members of the executive team and it would be easy for me to come in and have an impact. 

Steve: And you served in that role for over three years. How did it influence how you think about identity and access management and digital identity as a CIO? Because now you're at a provider of these solutions versus maybe in the past you were a consumer of them or a purchaser of them. 

Mark: Well, another, you know, another kind of historical perspective, companies like Okta really got into business because we-- and by we, I mean CIOs-- we were all chasing the holy grail of single sign on. So as these applications proliferated, we didn't, you know, employees, the workforce members, they didn't want to have to like log into the SaaS tools, like one at a time, right? And line them up on their toolbar at the bottom of their screens, et cetera. And, you know, we forget about some of this stuff now, it's sort of like you forget with Zoom, how difficult and cumbersome video conferencing was for a long time. But when-- often some of its competitors, you know, were succeeded because they were trying to solve a single sign on problem.

And of course, the sign on procedure is just a kind of a security procedure. Today, identity is really like the primary security perimeter in the company. You know, if you again, if you look at it, we have really solved a lot of security issues. Solved is probably going too far. We have some great safeguards that we can deploy to secure things like networks and devices and all kinds of things that are in common usage today.

But it's with all these assets that I referred to before, you know, leveraging your identity, your digital identity to get access to those things, really makes you the person. The person is the perimeter, you know, that's yet something you have to guard against. So the importance of an identity access management tool, you know, started as really a key means of reducing end user friction, and now it's really become, you know, the first-- the first line of defense in any kind of a security strategy.

Steve: And during your time at Okta, you wrote your first book, Truth from the Trenches, Practical Guide to the Art of IT Management. Did those discoveries influence the reason why you wrote that book? Or what was the motivation? Can you share why that book needed to be written and what it's about?

Mark: So actually, I wrote the book before going to work for Okta. It was published when I got there. And I'll let you in on a little secret, so I outlined the book in December. I can't remember what year I was in, and I forget how long the outline was. It was a Microsoft Word doc, it probably was like a 20-30 page outline I had for the book. And I sat down in January and I thought, you know, I'm just going to go at this thing and just not going to try to like polish the words, you know, I'm just going to try to get a draft that I can work with.

And I generated a 40,000 word draft document in four weeks in January. So I think the book was like in me, like I-- I was-- you know, the messenger. So the message was there. And so part of the reason I wrote it and enjoyed writing it was that it was a catharsis for me personally. Up until I had created the outline, I used to keep a manila folder and the tab on the folder was, you can't make this stuff up.

And every time something would go wrong in IT, I would jot a note to myself and say, like, you know, you can't make this up. Like who could ever deal with stuff like this? And in a lot of ways-- and I really hate to admit this publicly-- working in IT is a little bit like the movie Groundhog Day or the Matrix in the sense that as new people come up through the profession, they tend to make the same mistakes that we all made, like, over and over and over again.

You know, one of the examples that I put in the book was with a company -- we're not going to say the company -- and we had an engineer that went in and updated the software on the primary network switch in our data center. And he made a mistake and he brought the entire data center down. Like we couldn't communicate with the company that-- and this was, kind of, like pre cloud. I mean, it was-- the data center was a big deal. So the head of data center operations came in to tell me what-- explain to me what was going on. And he said, “well, the guy went in and he made the software change and it didn't take and then we had to roll back and that's why, you know, we went-- the whole company stopped like operating for, I don't know, an hour or something.”

And I said, “you know, I'm not the most technical guy in the world, but like, do we do those things on prime shift? Like during the workday, we actually went in and screwed around?” So he says to me, “oh, his son has a birthday party this-- the engineer-- his son has a birthday party this weekend so he thought he'd get it out of the way so he could like, you know, go to the birthday party.”

And so the point of that whole long parable is, you know, it's just one of those-- those cardinal sins that people, you know, commit over and over again. You can say, “well, don't we have policies in place to not do that?” The guy goes, “sure, we have, that's our policy. He should have never done it, but he just decided he was going to, kind of, go do it.”

So that's a long winded answer to, you know, writing the book. I thought, jeez, if I can-- you know-- some of the younger people that are going to come up and be IT leaders of the future, you can learn one or two things so they don't have to make the same mistake overall, I'll have a great sense of satisfaction.

And I will tell you, it's been one of the most rewarding experiences of my entire career. Even today, I will get a cold call LinkedIn reach out from somebody that will say, “I just read this chapter, and I have like a whole new perspective on X, Y, or Z.” I had one gentleman reach out to me who told me he had read the book four times, which kind of floored me.

I've had another CIO reach out and said, “I read it. I took a new CIO job, and I thought I should really read the book and think, you know, about some of the lessons there and how I want to do my new job.” So it's those little-- those little-- you know, diamonds kind of crop up from time to time that are very rewarding.

Steve: Yeah, well, sometimes the things that are stuck in our heads, if we get them pen to paper or we type them out, we could free ourselves of those. And then you have this wonderful asset. And it almost sounds like maybe you've got a swipe file of root cause analyses that are in there that people are like, “Oh, Mark's seen that and we have the same scenario.” Yeah, that's great. 

And then you did a follow on book, and this is your most recent book, Truth from the Valley, A Practical Primer on IT Management for the Next Decade. And then this book came out, I don't know when you wrote it, but it was published right before the pandemic. And then what an incredible time for an IT management book to go out there as like, IT management is being ‘shooken’ up. How do these two books relate? Is it a continuation or a complement? 

Mark: So it's a complementary kind of discussion. So the first book really talks about personal competencies that you need to become a leader in IT. And in fact, I've actually had a couple of people say when--, one gentleman in marketing, he said, “if you just changed like IT to marketing in the first book, you could sell it to marketing people because it's like just good general management practices.” 

The second book is really about organizational competencies. And my thinking there was, you know, a lot of people build their IT organizations in a very reactive way, and then they kind of wonder, well, “why aren't we having more of a strategic impact on the company?” Like, really, you know, see that the executive table really helping to craft some of the longer term financial strategies here. And it's because tactically, we're just kind of lurching from one, you know, burning fire to another burning fire, just keeping the place up and running. And so the-- really the idea of the second book was to look at the people, process, and technology foundations of a successful IT organization.

And I counsel people, you know, in terms of technology, you can't be good at everything. So you really have to look at your company, the industry that you're in, and you kind of have to place your bets, you know, I mean, if-- security is important, but if you're in a B2B business, maybe it's like less important in the context of your business.

I know that's, kind of, heresy, but there may be other things that are, you know, far, far more important. And you can't-- you can't be good at everything. You won't have the resources, you won't have the people, you won't have the skills. And you really have to think pretty strategically beyond the current budgeting cycle about, what do we want this place to look like in three years? You know, what kind of skills do we want and what kind of initiatives do we want to start seeing that, you know, bear fruit in terms of either reducing internal costs or really improving the revenue stream for the company. 

Steve: And 2020 for the book to come out right before we had this transformational black swan event where in March and April of 2020, people are going to remote work, you know, everything's being digital, the world's lifeline to commerce is everything that we're doing with IT systems, what was going through your mind as you saw this rapid shift, did you get people contacting you? What-- take me back to that time if, if you could.

Mark: Oh yeah, absolutely. I mean we, I got involved in a lot of online Zoom, kind of, like therapy groups where like CIOs would all talk about, you know, and I-- well-- and part I say therapy group, you know, part of it, there was a tremendous patting ourselves on the back feeling as well. And, you know, one thing I think we all learned, and I wrote a little bit about this, you know, IT organizations can accomplish a tremendous thing-- or they're capable of doing tremendous things, when you can really make clear to them, like, what's the number one priority in the company? Otherwise I say-- otherwise all too frequently, they become like Gulliver in Gulliver's Travels where the Lilliputians have like this, like, you know, giant guy, you know, tied down with a million different little ropes.

And, and IT organizations can get diverted into trying to satisfy so many different needs and address so many different complaints, et cetera. And then everybody says, well, we spent a lot of money and they got a lot of people over there. How come, you know, we're not seeing, you know, we don't think of technology as being a very leveraging thing in our company.

So the beauty of that experience was a lesson to a lot of people, I would hope business people outside of IT. If you could just be very clear about like, this is job one, IT organizations can do tremendous things. Another good example is implementing an ERP system. And now, you know, that's something we did more of several years ago before the SaaS revolution.

But again, that would become like job one. And partly because we're spending a lot of money. We have a lot of highly priced consultants in here. We're kind of doing open heart surgery on the business, you know? So-- so again, IT is many cases, part of the principal architect of those-- kinds of-- those projects. And as long as they know that they've got the power to, kind of, drive those things, you know, tremendous things can be accomplished now. So that was what happened at the time, but I'm going to-- I'm going to extend your question a little bit because when I look back on that, I have some very strong feelings about what we did to ourselves from a technology point of view as a consequence of COVID.

And, well, you know, what we effectively did was there were a bunch of 2019 era collaboration tools, you know, like Teams and Zoom and Slack, and we implemented those in a very short period of time on an enterprise wide basis, right? So everybody knows those today, and in fact, we don't so much think about the way that we would like work to be done. We think about the way work can be done in terms of what the tools will allow us to do, or how the tools want us to work and interact with one another. And so, I've-- in writing-- I've referred to this as the Stockholm Syndrome. I think we've become captive to these tools, and we've told ourselves, “well, we like them, and that's what we want to do,” without ever asking, like, do I really want to get this many text messages every day? And do I really, you know, do I have to have this, these many Zoom calls and like, can't we organize a Zoom call better? 

So if you really had a blank sheet of paper-- and I've written about this, how would you think about, you know, building the next generation of collaboration tools? And I work with a lot of venture capital firms, and unfortunately there's not a lot of money going into the space because people think, “well, we kind of shot our wad, you know, back in-- back in COVID, like we spent a lot of money.” We gave everybody these tools. We have other spending priorities at the present time, and so people may bitch about the tools, but if it really came down to like buying something new or different or investing in some kind of new capabilities, it's not clear that there would be a lot of market traction for those kind of things.

So I think the legacy of COVID is probably, you know, really limiting productivity and innovation in a lot of-- in a business context in a lot of companies. 

Steve: Yeah, yeah, I definitely felt that during the pandemic. I was working at a solution provider and what had happened was just replicating the in office experience and to Slack to Zoom meetings, but without the buffer of walking from one room to the other, it was just close one, open another one. And I don't think people wanted to work that way, but by the time that first six months happened, there was a lot of Zoom fatigue. You know, people were just burnt out on using those collaboration tools in ways that they weren't intended to be used. You know, like you weren't supposed to be on a Zoom call literally for 12 hours a day, you're supposed to have natural breakups and that-- and-- you know, it's interesting your point about the fact that there's-- there was a lot of investment. There's a lot of stock pops with things like, like Zoom. But now that we're back to kind of normal and we're in a new normal, the money's not there anymore. And some companies started to merge to try to rethink the collaboration and how we could do better. But now that we're back to some physical, some remote, like it feels like we're stuck with some of these tools. So hopefully there'll be more investment.

During that time, there was also this tremendous investment in digital identity, more on the identity proofing, biometrics, the challenge of how do you know who's on the other side of the computer? If you've got your entire workforce that’s suddenly remote and you're trying to set up new customers, there was this big explosion in late 2020 and through 2021 on these various digital identity tools. While you were at Okta -- and you mentioned this earlier about identity as the perimeter, the first line of defense -- were you already seeing this convergence between, like this identity proofing concept and this concept of access management and authentication? Were you already seeing some of those come together? It feels like it's accelerating. 

Mark: Yes, I mean, absolutely. So I mean, what's happened-- you put your finger right on it, there was tremendous focus on the authentication process, and there were a lot of technologies that were brought to bear to make that more bulletproof or, you know, more reliable. And we've all lived through all of these different capabilities, you know, starting with passwords, going on to like authenticator applications that you might have on your phone, to biometric signatures of one type or another, to device signatures, you know, when you log in with this device-- is it a managed device, to contextual factors.

You know, well if you log in from Peoria Monday to Friday between 9am and 3pm, local time, then we're going to let you do one thing. But, if you try to log in from Montreal on a weekend that's not going to work for us, et cetera, et cetera. So, I mean, there's a lot of sophistication that can be built into the authentication experience and really where the action is moving now, in my humble opinion, is more to the authorization side of the world.

And again, it kind of goes back to this, this plethora of cloud assets that we have. Authorization is all about like, what can I do once I get there? You know, what can I get into? What privileges can I exercise? Am I going to read? Can I modify something? Can I add to something or whatever? And are there certain entitlement privileges that I have, which could be time dependent or role dependent or whatever?

So, you know, the example I always use, is I could be an HR rep and during the merit cycle, I might be able to go in and change salary levels, you know, make modifications to salary, but I probably can't do that like all year round. So that would be a time constraint. Even though I'm a rep maybe for the finance department I probably don't have access to the executive, you know, comp records because that's somebody else is doing that. So my entitlement to those is, it never existed. So I just don't share that particular entitlement. And so this-- I'm making this complicated because it is complicated-- you have access permissions, you have these action privileges, and then you have these entitlements and it all revolves around the issue of fine grained authorization at a really fine grain level, you know, what can I actually do across this whole galaxy of different assets that I can get into. And the security concerns have gone up, you know, the emphasis on trying to make the authorization controls more stringent, you know, has gone up and it's very contextual. It's very-- we haven't solved this problem, like, you know, by a long shot.

Steve: What's the status quo in authorization right now in terms of how companies are solving this or are they rule engines or just a bunch of Boolean logic?  

Mark: The classic, IAM access management approach is to create groups so you can get into Salesforce and then there are multiple groups that you get assigned to and the groups have certain privileges. And so -- and the groups can have overlapping privileges as well -- and so the groups can be based on roles that you might have. So if it's Salesforce, you know, maybe you're a salesperson, and sales ops, or maybe you're in outreach, you know, your sales development rep, or maybe you're an account executive in the field.

So you could be assigned to different groups and with overlapping, you know, privileges or capabilities. And that can, kind of, spiral and get out of control. Like it wouldn't be atypical in Salesforce, you might have dozens of groups that people are assigned to. People get assigned to groups on a project basis over this one time project, and then you kind of have to remember to maybe discontinue that group because you wake up and realize that we're not doing that anymore but that person still has a privilege of one type or another. So, the groups are the classic approach to handling this problem, but I think the demand is out there for, again, much more fine grained and contextually based, time based, privileges or authorization capabilities, yep. 

Steve: Yeah, or you have people in a group that are no longer in the company and you find [Mark: Exactly] that they were the only person that had that kind of authorization. And now there's this whole governance process of, okay, now we've got to find them the backfill and who's going to get that assignment. 

Mark: Yeah, there are tools out there that would actually look-- let's take your authorization privileges, like, let's say you've been assigned in multiple groups almost inevitably, if I look at, well, what-- how did you use those privileges over the last 90 days and you might find that like 30 percent of your privileges have never been exercised. So they're just like sitting there, and again, we go back to the importance of identity because if somebody can authenticate in and be you, they have potential access to the privileges that you're not using, you know, for half a year or whatever. I mean, the classic one is in HR where somebody might have access to some HR systems because they have to, I don't know, like fill out a form occasionally or, you know, go through the performance or annual performance review process or whatever, but they have certain access privileges that are standing privileges for long periods of time that are not routinely exercised. And, you know, I don't need to give you a tutorial on this, the bad guys kind of creep in and then that's what they look for. They're looking for privileges that are just kind of dormant, but awarded. I mean they're legitimate privileges at the time. 

Steve: Well, I'd love to shift into an adjacent topic, which is one that you've written on quite extensively as well, which is privacy-- data privacy. You have a white paper, it's called “Privacy by Design From Principles To Requirements” and you highlight these growing concerns over PII management. We saw with the pandemic, with everyone going online and doing transactions, there was this explosion of fraud that came with it. And some of that was programs like the PPP, the payment protection.

There was a lot of money that was stolen from rogue nation states and fraud groups that could exploit our PII system and, you know, get that money. I'd love to hear your perspective on how this is evolving and in your white paper -- I read it -- you cover these principles, there's seven, which we don't have to list here. But what are some new ways that companies should be thinking about privacy as we go into the next decade? 

Mark: I'm glad you asked that question. So I think one of the first things we have to get out of our heads… so the regulations like GDPR and, you know, the California CCPA rules and the state privacy rules that are proliferating across the US, I mean, they're good-- I mean, they're great-- I mean, they-- we should have had them probably like a long time ago. But in many cases, the rules use this PII terminology. So for people that might be listening that aren't familiar, it's personally identifiable information, right? So your Social Security number is a personally identifiable piece of information. But with the technology we have today, the difference between PII as defined by the regulations and the more general category of personal information is almost like meaningless. And what I mean by that is, I can get enough tidbits of information about you without ever having what would formally be considered PII to know an awful lot about you.

I mean-- it's--, you know, I don't need your passport number and Social Security number and some other things to pretty much triangulate on, you know, everything that somebody would want to know if they wanted to either damage your reputation, commit financial fraud, you know, or do some other thing that would harm you in some way. So-- or misuse, you know, information about you in some other kind of context, maybe you, you don't want to be added to some cluster of like-minded consumers so that they can reach out to all your friends and relatives or your, you know, and like try to sell them the same stuff that you've purchased in the past, and we lost our short.

I think it's important to think about it in this broader context, and this is a shared responsibility. So I think if you went to the average consumer, they would say, “I am concerned about privacy. I've read all this stuff about all these breaches. Maybe some of my personal data was actually exposed in a breach and, you know, I know it's on the dark web.” They may not know that terminology, or they may have received some kind of an in-kind compensation from the company that lost their data, maybe like one year of some kind of a protection service paid for by the offending company, etc. So they would express concern, but they would also be the people that would all too often go to a new website that would say, do you accept all the cookies that we have here? Or, do you want to like look at the cookies and pick and choose the ones? They would just say accept because it'll take too long, you know, or the company would say, “Oh, we have a $3 discount on this product. If we could just know the following three things.” You know, and they go, “well, for $3, sure I'd give.”

So people give away information, I think way too willingly. And that's-- they've got to take, you know, they've got to make their concern about privacy more actionable on their own and take that extra minute-- minute-- or extra 20 seconds to really look at what they're agreeing to in many cases. And on the other side, the company side, you know, I really think enlightened companies would do a lot of good for themselves if they really thought about privacy as a differentiate-- differentiating value or source of value to the product or service that they're bringing to the consumer.

And so you may remember this. I haven't seen a lot of Intel ads on TV lately, but there was a period of time when Intel was advertising and they have a little icon that was always in the lower right hand corner of the screen and a little audio icon that was like a, you know, they'd look just lasted like five seconds, but like when you saw that pop up and you heard that jingle, you knew it was “Okay, well, this is Intel.” And I think there's plenty of opportunities, and especially in our more modern times, to come up with some way to ‘iconicize’, if that's a word, you know, this, like, trust value and trust certification that I am communicating to you, that when you consent to me, I have like world class security in place. I can't guarantee you that a breach won't happen, but like we have, maybe we have this certification, you know, we have whatever. 

And probably the-- frankly-- the company that has gone the farthest at trying to do this but communicate that value is Apple. And I-- you know, one of the things I have to laugh at is they had a banner at one of the CES shows, the big consumer electronic shows that take place in Las Vegas a couple years ago. They had a banner -- this is now we're in Vegas, so to set context -- and the banner said, what goes on your phone stays on your phone, right? And, what they-- one of the things that that was implying was that, like, when you use your fingerprint to unlock the phone, only the phone knows that fingerprint. There's no, like, Apple data repository of people's fingerprints or whatever that if hacked, you know, would like open up the floodgates to other people to use those biometric signatures for their own authentication purposes. 

So, I do think there's a real opportunity on the part of companies to find ways to communicate the emphasis and stringency that they're using, you know, in managing the information that they've been given.

Steve: It's a really clever advertisement from Apple for a Vegas trip and it kind of builds on that other Vegas saying what happens in Vegas stays in Vegas. [Mark: Exactly] And your point about the, you know, saving some money and giving your information away, that's a common thing that I hear in the identity circles when privacy topics come up, that consumers are all about protecting their privacy and their data until you have an offer.

And sometimes it's that $5 pizza coupon that they're willing to give you, you know, full PII stack almost, you're going to give a date of birth for a loyalty program, email, phone, whatever they can get. And they're going to use that mostly for marketing purposes, but where does that go? What databases does it go into? And is it being sold? 

You know, we have these laws like CCPA that prevent your data from being sold to others, but they bury those things at the bottom of websites and a lot of consumers don't realize that not all privacy experiences from their technology companies or the services they use are created equal. And I think it's a big challenge. 

I think a lot of consumers just see these cookie pop-- pop-ups too, you go to a new website and it's just like the whole thing is taken over and you have to-- it's all very confusing on what you're accepting and you have to do something to get it to go away. And I think that creates a lot of confusion out in the market. 

What are some other things that companies can do proactively just to set themselves apart to, to make sure that they are being privacy forward in their thinking? 

Mark: I think, you know, like on a more proactive basis, so under GDPR, any consumer can request information about the data holdings of the company; what do you have? And under GDPR, you can modify it. You could say, “well, I'm no longer married.” You can say “I moved to a different address,” you know, whatever. You can delete, you can request certain information or all of your information to be deleted. And you can also issue a do not sell directive to the company. Now I'm not sure that's in GDPR, I know it is in the California laws. But-- so what a company could do would play back to you without you requesting it like here's what we know and here's what we have and here are your options like on an annual basis like here's your hygiene check if you will. You know, “we're going into the Christmas shopping season and you know, you might be bombarded by part-- our partners or--” well, that's-- let's not go down that road because that's like a very narrow edge case.

But just to say in general, “we're so concerned about holding your information that we want you to be aware that this is what we have. And here are your control mechanisms.” And what's interesting to me is the companies have very sophisticated tools for managing the consent agreements, because they have to, for regulatory reasons. They have to be able to show, you know, what they've done. The ground rules under which the data was collected and that, when asked, they have complied with their regulatory requirements and they have to be able to comply with those regulatory requirements. But as a consumer, if I said, “well, you know, I've stopped doing business with these five retailers and I want them to erase everything,” I have to like go to five different places and generally, they all have, if you've ever tried to do this, they actually have different procedures. There's not like one standard procedure. In fact, I found one website, I think it listed 1,600 different account closure procedures commonly for-- common, you know, retail kind of organizations. And so we're at a disadvantage as consumers.

The big guys, I mean, they have-- they're required to keep, kind of, a library, you know, of the privacy data that they've collected and how it was collected and et cetera. But if-- if we want to like throw an emergency switch and say, like, you know, “get me out of here for any company--” I'd say-- here's a classic thing, what if we looked at each other and said any company that I haven't done business with in more than two years, I want all my information taken away from them. I don't-- there's no reason why they should still have it. That would be a major project for me to do personally that, you know, there's no switch for that.

California has recently passed a law where any data broker that is operating in the state has to comply-- has to subscribe to a one stop API where if I'm a California citizen, I can go into this API and say, I want my data removed from every data broker that operates in the state. I don't have to go to 400 organizations, but that one switch will like wipe me clean. And it'll be interesting to see if that kind of a capability is propagated through some of the privacy laws that are popping up in the other states as well. To date, California is the only one that's done that. 

Steve: Sounds like a powerful feature [Mark: Yeah] and being proactive a hundred percent of the thing that we hear from companies most about is when they change their privacy policy, not the data they have on us, which they're required to inform us of those changes, but they're often buried in a bunch of other noise of all the marketing emails and they're doing those updates around times of the year when we're preoccupied with other things.

Mark: Let me dramatize this problem a little bit more. [Steve: Yeah, sure.] One of the data brokers, who I'll not name, they maintain records on 2.5 billion people, that's billion, 2.5 billion people in the US and elsewhere. And for each entry-- record entry-- they maintain 3,000 data elements per record. That's like a lot of personal information.

In fact, you know, I tell people, if I-- if you gave me like a pad, a graph paper, and you said, like, “can you list 3,000 things about yourself?” I think I'd run out of steam after about 300 or 400. I mean, I don't think I can think of 3,000 things about myself. And I mean, if that's the dimension of the problem, they're selling that data to somebody that's trying to sell stuff to you, or, you know, come after you for a political contribution, or, you know, all kinds of different things. And so it's-- people do not really appreciate the wake that they create out on the internet.

Steve: This is a great segue into one of the final questions I have to close this out is your most recent white paper that you wrote on digital wakes that are created. It's actually called “An investment thesis for digital wake management.” I read this paper; I love it. Can you share an elevator pitch on this topic? First of all, what is-- what is a digital wake? 

Mark: So the wake is, you know, the tidbits of information that kind of gets scattered out there. And much like our physical wake behind a boat, your digital wake, you can see some of it and some of it you don't even know is out there, right? Because it's been collected from public sources or scraped off websites, et cetera, et cetera. And right now as a consumer, there are only a couple of piecemeal solutions that are available for cookie management or password management or your privacy controls, you know, on some of your social media sites, et cetera, et cetera.

There's really no holistic way of trying to clean up or manage this wake that you've created partly knowingly and partly unknowingly. And I really-- you know, maybe I don't think Gen AI is the answer to every problem under the sun, but I really think Gen AI in this context could really help the average consumer, kind of, to be this technology translating service, which would say, okay, you want to-- you're worried about this. You've got passwords you've used for 10 years. I can find them all over the dark web. Like you need to go in and do some things. And that interface can be much more conversational. You don't have to have a degree in computer science to go in and start, you know, doing the things that need to be done to manage the wake.

So I really think that. The interest level is there, people are concerned. And if you can make the economics work, I think if there was some kind of a Gen AI service that could be marketed for maybe 10 to 20 bucks a month for the average consumer, and it would match your level of concern. So if you're completely paranoid, you-- it could give you maybe like a weekly checklist of recommendations; you ought to do these three things this week. 

And if you are one of these people that say, well, it could never happen to me. You know, I'm really not concerned. I don't make enough money for the bad people to come and do stuff to me. I don't-- let other people worry about that. Then, you know, maybe you have a quarterly or semi-annual checkup or health card and you get some recommendations about the-- and you could say, I'm only going to spend 30 minutes on this once a month. But I'm-- that's all my level of investment in trying to clean this problem up. And then, you know, the Gen AI routine with some back, backdoor logic could figure out, well, the best thing you could do is, you know, your passwords are okay, but you're doing-- you're doing this other thing that's getting you in big trouble.

So I really-- I think there's great opportunity. And I-- yeah, I think the VCs should sit up and take notice and start to funnel some money into this more broadly based approach to giving consumers the tools they really need to address the problem. 

Steve: Yeah. I mean, that's a really good use case for this concept of AI for good, you know, using this-- these generative systems and AI technologies to benefit consumers. On the flip side, do you think consumers are aware? And I'm not talking about people that watch this podcast or LinkedIn professionals that pay attention, but consumers at large. Do you think they understand the ramifications of this data and these transformative technologies like Gen AI, the impact that's going to have on them?

Mark: Let's rephrase that. Do people have a realistic expectation of what's going to happen? And the answer almost has to be no, because nobody really knows what's going to happen, right, in the end. And probably this is a case where it's probably like a bimodal distribution. It's not like a, you know, Gaussian distribution, with a normal curve, there's probably like one group that thinks the world is coming to an end, and there's probably another group that thinks that this isn't going to change anything. It's just a fad that's going to like peter out over time, and the truth will probably be somewhere in between. But yeah, you've got both extremes very well represented in the press and, you know, in public commentary about the Gen AI tools. And, you know, we're just going to kind of grope our way to find out what can actually happen, you know what they're actually good for. There's a lot of calories that are going to get burned; a lot of money is going to get spent trying to figure that out. 

Steve: Yeah, yeah. Well, on the privacy topic in the last few years, I've seen a lot of larger companies try to revise how they're using data to train these systems.

Suddenly they have access to things that they shouldn't have had before. And sometimes it blows up. You know, there was a big backlash to Zoom and everyone's doing these Zoom calls with video and audio. And they say they're going to use that for training data for AI systems. It's like, wait, what? And so I think they revised that, but I think the longer term ramifications, like we can see it changing and evolving almost on a, on a daily basis in terms of how photorealistic and video realistic this stuff is getting. And when I think about digital identity, and as I was reading your paper on the digital wake, think about the wakes start immediately. You know, you're born, get a birth certificate a few weeks later, you have a Social Security number or tax ID. And then as you go through life, you just show up in more and more databases. Some of those are private, some of those end up being public. And then you reach a point where you're in social media and you're putting stuff out there. There's no way really to track all of that over your lifetime. And I feel like this digital wake concept even extends into the postmortem, you know, when you pass away, your legacy is now left, it exists on the internet. What do you think-- what do you think about how that will get managed and how that will evolve as these next generations who are like growing up on the internet from day one are going to be impacted by that?

Mark: There are a couple of startups that have appeared that want to-- they want to access like all of your electronic interactions, let's call it that, you know, emails, texts, videos, et cetera. And then after you pass, they want to be able to create sort of like an avatar so that like your great great granddaughter could say, you know, “Gee, I just got out of school. I'm, I've kind of fallen in love with this guy, but I had this great job opportunity in New York, and I really can't decide whether I just need to like focus on my career for the next couple of years or, you know, stay here and see if I can for him and the whole thing.” And so this is kind of based, these startups are based on the premise “Oh, you know, my-- my great great grandmother, Joan, she, you know, she had a similar-- so she decided to go for the career. I wonder how that turned out? You know, what would she counsel me to do?” That's the pitch. One of these startups, they had 50,000 subscribers within, I think, the first month of operation. So there's clearly an appetite to pass this legacy thing down. And the reason I'm kind of chuckling as I get to the punchline here, you know, I can't even get my own kids to pay attention to me when I'm still physically around. The idea that a couple of generations, somebody would say, “Oh yeah, Aunt Joan, like, let's like, you know…” my own kids think that anything that happened, you know, before they were born is completely irrelevant. And so I don't even know how somebody three generations removed would say, “Oh yeah, we need to go back to Victorian times and find out, you know, like how, she or he comported themselves around this issue,” but that's just a comment more for entertainment purposes than anything else.

Steve: Yeah, on the Apple topic, we were wondering-- we were talking about them having all this data on your phone and they're in a really good position to create these systems. They have all your iMessages, they've got your emails, they’ve got your entire photo library with photos and videos. Like if anyone could have this digital legacy tool, it's-- you know, you have a new feature in iOS 20 and you push a button and then now you've got this photorealistic avatar that your family could have to speak with you, which, some of that's morbid. Some of that's fascinating. Like, I don't know the technology exists today to do that. So we'll see.

Mark: The regulators are focusing on that issue about implied permission, if you will. Like that there's some implication that I-- that you can hold all that stuff or you can-- and there's-- it's a fine line. I think there's-- I'm not a lawyer, but I think-- you know, you have to prove the business purpose for which it was originally intended, which to some degree is in the eyes of the beholder, right? But there have been-- there was a recent one where I think, I shouldn't say who the tech vendor was, but one tech vendor had collected a lot of data and the settlement-- the way they got out of paying a fine was to erase all this data that they had compiled. 

So I think it's a-- you know, it's a real issue and things will just get more stringent over time. That's the other way you could look at it from a company's point of view is, “Well, where are the regulators going to go in the next five years? Why don't we just like get there first and then get some commercial credit for doing what they're going to force us to do anyway, at the end of the day?” 

Steve: I think it's much harder to predict where the regulations will go, than where the AI will go. I think that's a little bit more of a… [Mark: Well, they're not going to get looser. You know, they're not going to get like looser.]

Steve: Exactly. Well, Mark, we're at time. Before we wrap up, if you've seen any of these episodes of EXECUTIVE SERIES, I like to ask a little bit beyond the LinkedIn profile. My last question for you is kind of inspired by it, I see your LinkedIn banner is an image of the Canadian Forces Snowbirds at what looked like Fleet Week over San Francisco. Are you a pilot? What's your interest in why you posted that as your banner?

Mark: Well, I-- when I grew up, I wanted to be an astronaut, that was my dream. And I did get to work for NASA, but not as an astronaut. And on the way to NASA, I was in the Air Force for four years. So, you know, that was just another path that I traveled partly down and found other things that were more interesting along the way, but you know, I have a warm spot in my heart for the Air Force and aviation in general. 

Steve: Great. And when you're not writing or researching, where else do you dedicate your time? 

Mark: I am a real fan of military history, I will admit. And so I've been on very-- multiple battlefield tours. And I tell the folks that haven't dabbled in that, that I could probably give a pretty good one-day tour of most major Civil War battlefields. Probably in the US, I've probably been to most of them more than once, so.

So Steve, that'll be my-- that's my ending offer to you. If you need a complete break from all the things you normally worry about, and you want to go out and look at a Gettysburg or Chickamauga or Shiloh, I'll be your tour guide. 

Steve: Yeah, I love that. Thanks-- thanks for the offer. It's actually an area that I've gotten more interested in as, as I've gotten older, just the history and to your earlier point about things repeating themselves, it's like if you study history and battles and wars, you see the same conflicts. It's just every few generations, there's a different battle being fought with new technologies, but over old ideas. Certainly would love to take you up on that, Mark.

Mark: Yeah, and actually they are great management laboratories, right? They are the breakdowns in communication or the personality conflicts or the misuse of technology or timing errors that like occur. Timing errors that are completely reminiscent of the story I told you about the software update on the network switch, you know, I mean, it's that timing was very unfortunate that that happened. But you can-- the battlefields are-- there's so many, of course, it's all 20/20 hindsight. They're just so obvious, that if only this hadn't happened, the outcome of the battle could have been quite different. 

Steve: There's a couple of series-- shows on Netflix. One of them is called Turning Point, where they talk through these different events and they absolutely highlight that, like how singular breakdowns in communication or just misses because someone misunderstood something changes the course of history. Very good point. 

Well, Mark, we're going to wrap up. For those that are listening or watching, what kind of conversations would you be interested to have for anyone to reach out to you?

Mark: Yeah, one of the things I'm working on right now are data operations, and I'm particularly interested in the kinds of activities that can be centralized within large enterprises to basically give data analysts more time to really, you know, work with data in a business context. And try to get out from underneath all of the data quality and cleanup and engineering activities that are required. The software engineers have done this. They have something called platform engineering teams that abstract away a lot of the busy work so that they can get to coding. You know, they want to write code, that's what they get-- ultimately paid for and that's really how they generate value for the company. And people that work with data can go down lots of blind alleys just trying to figure out what they have and the quality of what they have and you know how to, you know, use it from an infrastructure point of view as well. And I think that's a real opportunity in a lot of large enterprises. 

Steve: Great. And what's the best way for people to get in touch with you? 

Mark: LinkedIn is a great way. 

Steve: Excellent. Well, Mark, thank you so much for taking the time to speak with me today. Really enjoyed this conversation, and I look forward to reading more of your white papers as they come out. So thank you for publishing those and continuing to educate us. 

Mark: Great. Thank you, Steve.