In this week's episode, I am joined by Steve Tout, Practice Lead at Integrated Solutions Group (ISG) and Host of The Nonconformist Innovation Podcast to discuss the intersection of privacy and identity. Steve has 18+ years of experience in global Identity & Access Management (IAM) and is currently completing his MBA from Santa Clara University. Throughout our conversation, Steve shares his journey as a reformed technologist and advocate for 'Nonconformist Innovation' & 'Tipping Point Leadership.'
Steve's approach to identity involves breaking it down into 4 components: 1) philosophy, 2) politics, 3) economics & 4)technology, highlighting their interconnectedness. We also discuss his work with Washington State and its efforts to modernize Consumer Identity Access Management (IAM). We address concerns around AI, biometrics & mobile driver's licenses. Plus, Steve offers his perspective on tipping point leadership and the challenges organizations face in achieving privacy change at scale.
Topics Covered:
Steve's origin story; his accidental entry into identity & access management (IAM)
Steve's perspective as a 'Nonconformist Innovator' and why he launched 'The Nonconformist Innovation Podcast'
The intersection of privacy & identity
How to address organizational resistance to change, especially with lean resources
Benefits gained from 'Tipping Point Leadership'
4 common hurdles to tipping point leadership
How to be a successful tipping point leader within a very bottom-up focused organization
'Consumer IAM' & the driving need for modernizing identity in Washington State
How Steve has approached the challenges related to privacy, ethics & equity
Differences between the mobile driver's license (mDL) & verified credentials (VC) standards & technology
How States are approaching the implementation of mDL in different ways and the privacy benefits of 'selective disclosure'
Steve's advice for privacy technologists to best position them and their orgs at the forefront of privacy and security innovation
Steve recommended books for learning more about tipping point leadership
The amount of data that is stored about individuals in the data brokers, there can be a positive use for that or a negative impact to its abuse. The data that's available is oftentimes used for credit decisions, and the minority population of the workforce are marginalized because they may not have creditworthiness, because they don't have a credit history, and so the data that's out there about them can be working against them for many different ways. So, it really comes down to consent. The data is out there, but I think what we're trying to get closer to is a world that people can choose how their data is used and that it's not used in a way that's a weapon against them, but that it's actually there to help improve the quality of lives of everyone, not just those who have access. Not everybody has mobile phones. Not everybody has credit histories, etc.
Debra J Farber:
Hello, I am Debra J Farber. Welcome to The Shifting Privacy Left Podcast, where we talk about embedding privacy by design and default into the engineering function to prevent privacy harms to humans and to prevent dystopia. Each week, we'll bring you unique discussions with global privacy technologists and innovators working at the bleeding- edge of privacy research and emerging technologies, standards, business models and ecosystems. Welcome everyone to The Shifting Privacy Left Podcast. I'm your host and resident privacy guru, Debra J Farber. Today, I'm delighted to welcome my next guest, Steve Tout,
Debra J Farber:
Practice Lead at Integrated Solutions Group (or ISG), and 2024 MBA candidate at Santa Clara University. Steve is obsessed with helping transform businesses by delivering disruptive insights, reducing risk and enabling safer online experiences through strategy and design thinking. For over 18 years, he's worked in a variety of roles related to global identity and access management, with a focus on programs, architecture, engineering and operational excellence at some of the world's largest companies in telecommunications, financial services, high tech and big four consulting. Steve is currently an Independent Advisor and Host of The Nonconformist Innovation Podcast. He has produced four seasons and over 40 episodes on ethics, privacy, data protection, digital identity, GDPR, CCPA, entrepreneurship, leadership and inclusive innovation. As an Advisory Board member to multiple startups, Steve helps founders and executives with business development, nonconformist innovation, which we'll talk about, and strategic marketing. Today, we're going to chat about privacy and the intersection with identity and Steve's experience working with the State of Washington as it modernizes consumer identity and access management for 11 million residents and businesses across the State. Welcome, Steve!
Steve Tout:
Thank you, Debra. It's great to be here. Thank you for having me.
Debra J Farber:
Absolutely - my pleasure. I love the overlap in the work that you're doing and the gospel that you're spreading. Before we dive deeper into what is nonconformist innovation and where are those relevant overlaps, why don't we learn from you a little bit about your origin story?
Steve Tout:
Sure. Yeah, I don't know how far you want me to go back, but in a nutshell, I'm a California boy through and through, born and raised in Northern California, and by Northern I'm not talking about the Bay Area, I'm talking about the north of Sacramento. So Shasta County, represented here today (yeah, Anderson), but living in the Pacific Northwest for the past couple of decades by way of finding and marrying the love of my life, I've come to know and love, spent many years in Portland and I love that area. I'm here in the Bremerton area now and that's where I call home, professionally speaking. I accidentally found my way into identity and access management in the early 2000s. My career aspirations were to become a web developer. Specifically, I wanted to build database-backed websites. Now that was my big dream, but fast forward. I'd spent time leading the first enterprise-wide identity and access management system for AT&T Wireless. I was one of the first two LDAP Sun One admins for that back-end infrastructure and spent time doing architecture there as well and business analysis. I went on to help deploy the first of identity and access management in 2FA at one of the major banks. I got recruited by Oracle to spend time in the field supporting and consulting their clients and landed at a little company called VMware in 2007 and spent quite a bit of time there. In 2015,.
Steve Tout:
I really tried to retire from this a couple of times and failed. I came to a point where I didn't want to learn anything more about technology. I didn't want year 16 to be like the previous 15 years in my career. So a bit of an attempt at reinvention. But here I am. I currently consider myself a reformed technologist about to complete an MBA program at Santa Clara University. I'm grateful to have the opportunity to help modernize consumer IAM here in Washington State. I think that's once- in- a- decade opportunity for the sState and once- in- a- career opportunity here for me, considering the scale and the impact that it will have on Washingtonians for the next couple of decades.
Debra J Farber:
That's definitely a good synopsis. It brings us where we are today, for sure. I think that you're right; it does have a grand effect on the State. I live just outside of Portland, Oregon but on the Washington State side. So, as a constituent, I thank you; and I can't wait to unpack some of what you're working on that does affect the citizenry of the State and what are we gonna be making easier for us with the new IAM strategies? But, first I would love to understand and unpack what 'nonconformist innovation' means. What is your definition of that and how do you view yourself as a nonconformist innovator?
Steve Tout:
You know I get that question a lot. It happens to be one of my favorite things to think about now and talk about. But we'll get to it. I have a podcast called The Nonconformist Innovation Podcast that . . .can scare people. You know, in job interviews or talking with clients or with customers or partners, they think, "okay, you're nonconformist. Does that mean you a closet anarchist? Or, how are you gonna cause them trouble and are you going to increase the risk profile of this project or of my business?" And it's quite the opposite.
Steve Tout:
I guess, the way I stumbled upon nonconformist as a form of innovation is . . . you've probably heard of disruptive innovation and the work that Clayton Christiansen did the past two to three decades through Harvard Business School and his study of how innovation disrupts markets and all of the collateral damage and opportunity that it creates for businesses, the collateral damage that can happen for smaller businesses that don't prepare or go to market right. I thought about nonconformist innovation as simply a way to have the interests of the individual and stakeholders and shareholders front and center, and that's I don't know if I would say that it's counterintuitive, but it's often neglected. And so, for now on, if you wanna think about nonconformist innovation as a process or a framework for developing unconventional insight, you could think of it like that, too. It's an attempt for me to explain a way to design and build businesses and go- to- market strategies that lead with shareholder interests and integrity and driven by ethical leaders, because I think fundamentally that ethical leaders save lives.
Steve Tout:
When it comes to privacy and security, regulation and technology is great, but technology is at its core, it's a manifestation of the values and beliefs of its owners, and so when I look to change the reality or the world that we live in, I wanna go change the values and belief systems that our leaders and product owners and business owners have, and I think the technology will just be an implementation detail, right? And then I like to think. . .one guest on my podcast early on made a statement, so I can't claim this as my own, but he talked about ethics is a better form of security, which has really occupied my thoughts for the past several years now. It's important in whether I'm working with companies in the private sector or in the public sector in the state of Washington. This message is well- received, right? Equity is a really important subject. So, yeah, ethics is a major component of this and as it relates to being a better form of security and privacy implications for leaders.
Debra J Farber:
So, what I'm hearing from you is that for a long time - and tell me if I'm wrong, this is when I'm like reading between the lines - for a long time there's been a focus on disruption and innovation from a technical standpoint, from new technology, and maybe an over focus on the technology as opposed to the technology following the set of socio-technical perspective. So the non-conformist element is not conforming to almost this VC view of. . . VC here I do mean venture capitalists' view of how to bring technology in market. Instead, you're kind of looking more at like the right way, the ethical way, and then the technology will follow from that, and that's the non-conformity.
Steve Tout:
I think you're right when I reverse engineer. So one of the things that I did after I left my last corporate gig in 2015, is I spent time really depressed, to be quite honest with you, because I knew I didn't want to stay in corporate America, and so I wanted to try my hand at entrepreneurship and starting my own company. But, I wanted to do it in a way that was aligned with my beliefs and my values; and the problem was that I didn't really know what those were. So, what I stumbled upon was I reverse engineered technology, which, if you would imagine, close your eyes and you draw a circle and you call this a pie. The first 15 years of my career was 100% occupied by technology. It was technology- focused, but what I worked on building in terms of vision and values and belief system was to rewire and reorient my thinking. So, I reverse engineered that technology; instead of being 100% of this pie, I divided the pie into four pieces. So, if your eyes are still closed and you're visualizing this pie, the top left begins with 'philosophy,' the top right is about 'politics,' the bottom right is about 'economics,' the bottom left is 'technology'. Okay now, with that mental model, if you start with philosophy and you go clockwise philosophy informs politics, politics informs economics, economics informs technology, and my belief is that technology is a manifestation of all of the above. So, we're all politicians. Right?
Steve Tout:
I just take this view that when we step back and we look at that framework, when we look at business and technology through that framework and technology as a derivative of philosophy, that we need to look at having a form of - you know, not all VCs are bad. We have a mutual friend and you know I have others who are ethical VCs, I guess, or who value privacy just as much as they do revenue. And I'm not against revenue I'm a student at a premier MBA school in the State of California and there's nothing wrong with making money. Companies need to do that to survive and to continue to produce products and services that we need for our way of living. But it's really there are a lot of abuses in the industry where privacy is the currency. To be specific, I would take aim at the way that privacy is abused to fuel products and shareholders, while it's at the expense of residents, customers, citizens, et cetera.
Debra J Farber:
That makes a lot of sense. Now tell us a little bit about your podcast, The Non-Comformist Innovation Podcast.
Steve Tout:
So you know, it started in 2019. I had just left a role as a startup CEO for a cybersecurity company in Seattle. It didn't end as well as I would have hoped, but around the same time, a mutual friend of ours, Tom Kemp, had just sold his company, Centrify, to Thoma Bravo. So, I was just thinking one day my experience as a CEO was very different than Tom's and I wanted to compare notes. I just thought, well, I at least want to have a conversation with Tom, but I realized there's not a lot that he would share or that I could learn by just having a random, impromptu conversation. So, I reached out to him and thought of having a more structured conversation where I could selfishly learn from his experiences because the next time that I'm a startup CEO, I wanted to end much differently than my previous experience. So, it was one of the best conversations on the topic of entrepreneurship and leadership,
Steve Tout:
even after doing this for four seasons now. I obviously hear, as a host and first person, all of my podcast episodes, but I don't go back and listen to them after they're produced. There are a couple of them that I do. This is one of them. When I really need Clarity about my purpose and why I started this to begin with, I go back to that first episode and find a lot of Clarity and motivation in it. So you know the podcast is still in experimental mode. I'd say I have some pretty ambitious plans for season five that's focusing on experience and the community instead of me. It's starting in the spring. I'm looking at doing a multi-city tour from Los Angeles to San Jose to Seattle and maybe a couple of stops in between, and experimenting with a live podcast format to really make this more about experiencing non-conformist innovation and looking at it through the lens of the community and the listener rather than through me as the host.
Debra J Farber:
Oh, I love that. I'd love to hear how that works out for you and lessons learned, so maybe we'll have you back for that. That's awesome, very cool. While I've listened to a few episodes, I've not listened to the Tom Kemp episode on your show, so I will definitely go back and do that. I mean, especially with the plug you just gave for how rewarding of a conversation it was. I'll also include a link to that in the show notes for this episode. Let's turn now to like the main topic at hand, which is what is the intersection that you see between privacy and identity and, generally, where's the overlap in your mind? I bring this up specifically because it's fascinating that privacy folks and identity folks have been so siloed and they don't have as much interaction as you would think they would, given the overlap. Why don't I let you first tell us about that overlap?
Steve Tout:
Yeah, you know that's a really great question and I've often struggled with this as well. The more that I've gotten opportunities to work with privacy folks, the most immediate thing that comes to mind is, "hey, these people are not like me. I'm a technologist; I'm an identity person and I've been at the lowest level of the organization, building data, managing directories and access control systems and policies. But that's the technologist's view. The privacy professionals are, especially as professionals become more advanced in their career. They have law degrees. They come from different backgrounds. They're not necessarily technologists. So, there's definitely the silos are there because their education, their background, their responsibilities are different.
Steve Tout:
One is in the realm of policy and the other one is in the realm of technology and implementation, and we typically think of having rights to privacy as individuals. Right, that's the ability for individuals to control access to their sensitive data and secrets, whereas identity is often who we are, the data that organizations have about you that could be your location, your gender, your health conditions, the privacy of identity or anonymity. Nowadays it's not guaranteed and it can't be assumed that you have it. I actually listen to this a lot, but this song just came on the radio this morning - my Pandora playlist was playing some fun songs for Friday. Today is Friday morning and 'Fight for Your Right to Party' came on by the Beastie Boys. So, I think that's a lot like privacy today, where we have to fight for our right to privacy online.
Steve Tout:
The overlap is in the ongoing need for protection, governance, visibility and management, and then extending beyond there. I think there's a need from a corporate or a business perspective, better accountability with how organizations use and or abuse privacy. But today, privacy shouldn't be a luxury only afforded by the rich.
Debra J Farber:
I mean, that's true, I totally agree with that. I think, just to build on what you were saying, I think the fundamental privacy challenge is that universal identifiers, kind of, are the root of many privacy problems, and those identifiers are being managed by identity access management kind of constructs within organizations. So with the proliferation of data across organizations that involve personal data, these identifiers that we assign people can make it easy for us, through databases, to call up more contacts, more details about an individual than maybe that we could in the past. And so the more data driven that we have made our business processes, our technical processes, all of that, now the potential privacy problems have magnified as well. So, you're right. I do want to bring up with the topic you just mentioned of privacy shouldn't be a luxury only afforded by the rich, even in the ad tech space. You've got now in the EU the challenge that I think it's Meta that just decided to address the challenges of privacy in the ad tech space and the problems with consents and the fact that third party cookies are going away and all of that,
Debra J Farber:
Meta's come out with this what they're calling? Well, they're not calling it, but what privacy professionals against what Meta is doing - they're calling it consent or pay or pay and ok. So, you either consent to receiving these ads or you pay a subscription to not receive ads, which is actually an equity challenge, right? Because now, you're saying, if you don't have the money, you could either use our services by consenting to the ads. It's almost a false choice, right? Or, you could pay us money you might not have where you can have a subscription, where it's ad free, and so there's an equity challenge there where people could, you know . . . the argument that if the rich could afford to not have their privacy violated, everybody else must consent, it almost feels like you're forced, if you're not rich enough, to pay for a subscription. If you want to use our platform, you have to consent, which is definitely going to be interesting to watch because I think that will be struck down as violative of GDPR and potentially other equitability statutes within the EU.
Steve Tout:
There's another equity issue as well, which is the amount of data that is stored about individuals in the data brokers. You know, there can be a positive use for that or a negative impact to its abuse. The data that's available is oftentimes used for credit decisions, and the minority population of the workforce are marginalized because they may not have creditworthiness, because they don't have a credit history, and so the data that's out there about them can be working against them for many different ways, right. So it really comes down to consent. The data is out there, but I think what we're trying to get closer to is a world that people can choose how their data is used and that it's not used in a way that's a weapon against them; that it's actually there to help improve the quality of lives of everyone, not just those who have access. Not everybody has mobile phones, not everybody has credit histories, et cetera.
Debra J Farber:
You make a really good point. I've thought about this and I've read a lot of books and perspectives on like is privacy about control? Is privacy about ownership? And, where I've landed is that privacy is about control over your own information flows, and a lot of that comes down to IAM and how is that access managed? Do you control the keys? Does somebody else control the keys?
Debra J Farber:
Who's defining what your identifiers are connected to in the first place? Well, today, a lot of that is done at the identity level within organizations. The organizations are defining what is an identity and what's attached to it and what must that look like and all that. And then, of course, there's like innovations that are still yet to be deployed at grand scale, like can you decentralize that identity and turn that into you know, whether we're talking about verified credentials or we're talking about self-sovereign identity or other architectures of where we as individuals can control those keys.
Debra J Farber:
We can have those in-depth conversations another day, but I think the larger point I'm trying to make is a lot of what you're able to find out and discover about someone is attached to either a token or an identifier or you know, basically an identifier so that you're able to then query about that person and like all their activities and you know, from a security perspective, what has this person done wrong? Not wrong, but like, when you're logging, has somebody actually, like you know, access something they shouldn't, and then put controls around that. Do you have anything to say about that? Because I know I just brought up a bunch of topics.
Steve Tout:
Yeah, I mean, I would sum it up this way - it comes back to the philosophy. You mentioned a few things about controls and it comes back to fundamentally, at a philosophical level, do politicians, do CEOs prioritize the fundamental human right to privacy or do they prioritize the right to shareholders and creating returns for shareholders? And so you know, in Privacy by Design, there's a lot of talk about they don't need to be a zero sum game or mutually exclusive, but oftentimes they are. You know we're on a privacy podcast, so it's pro privacy. I think we often get lost in the technical minutiae of conversations, but it's really simple: are leaders and politicians going to prioritize our fundamental human right to privacy and, if so, how?
Debra J Farber:
Well, actually that's a really great jumping off point, then, to my next question, which is how do you address organizational resistance to that change? We get a Privacy Officer. We give them resources - in an ideal world, because this isn't always the case. But let's say, a Privacy Officer is appointed and then they don't necessarily have all the resources they need and they need to argue for that. How can you address organizational resistance to change, especially when your current resources are lean?
Steve Tout:
Yeah, that's a really great question. Recently I spent a lot of time thinking about this through the lens of game theory and you know, look at the moves of the queen on a chess board and how advantageous that is. That can either be a great asset or a big target. But being lean on resources can actually be an advantage in some cases. In an organizational context, it can create urgency and highlight needs. But there are a couple of things that I think are vital to leading change in an organization. That change has to be sponsored by leadership. I think that's a given. If it's not, that doesn't mean it's doomed to failure.
Debra J Farber:
I don't think that's a given. I think that that needs underscoring. In my experience with privacy, you would think that that would be a given, but I've had some pretty large companies refuse to appoint a single-threaded owner for privacy that would help in the block and tackle of getting things done. So, I would definitely underscore that without executive sponsorship, I think in a mid-sized to large enterprise organization very often you won't be able to get things done because it won't be visible enough to be seen as something that needs to get done as opposed to some requirement that someone lower down can get done. Right? [Steve: fair enough] Or, the problem doesn't seem as big or important or multifaceted if there's no executive sponsor.
Steve Tout:
In the context of privacy, I think you're absolutely right. It's a big enough issue with big enough consequences that it has to have. And now, we have organizations that have Chief Data Officers and Chief Privacy Officers. It can be a good sign. Sometimes they're used as political tokens without real intention to affect change. But you know it at least needs to be aligned with broader business goals or an OKR For change,
Steve Tout:
there has to be a compelling reason to change. Right? If you have a Chief Privacy Officer, but you're just doing that there for compliance, it's not there because you want to change. It's there because you want to maintain the status quo and check the compliance box. But protecting the privacy of customers and employees, et cetera, that's not an accident. That doesn't happen without intention.
Steve Tout:
But, on the other side of the coin, neglecting it is on the same level of abuse, in my opinion. We could spend, you know, we could go down that rabbit hole, but I think neglect of privacy issues and concerns is not an excuse. So an organization's readiness for change it can be viewed and measured by individual motivations, the carrots and the sticks. What's the motivation for Product mManagers and Individual Contributors to think and act in a way that's unnatural to them. When they're trying to get a job done, privacy tends to come out of left field or hits them blindsided. But, what do we need to do as an organization to get them to think and act like privacy advocates? I mean, we've had The Privacy Engineers Manifesto since 2014, but there are still organizations. . . we have great technology that helps to elevate their privacy gain, but there's still a lot of work to be done. Incentives have to be managed and aligned.
Debra J Farber:
You make a really great point: everything does need to be aligned. One of the ways to align those responsibilities is to make sure that in all requirements and product requirements and engineering requirements that privacy and security are required to, you've required to ask for them. They should be asking for what are the privacy and security requirements for this next build or this next feature? It shouldn't be are there privacy or security requirements? It should be like what are they? And that's just part of the sprint process, and embedding that in there so that your testing criteria is going to be speaking to whether or not it meets the privacy and security thresholds for that. If we don't actually build into the workflow of those that are building products and services, then the alignment can never get there. So, I think you make a really great point. Let's turn to something that you talk a lot about and I don't know a lot about, so I'd love to learn some more from you. What is Tipping Point? Leadership?
Steve Tout:
I'm glad you brought that up. That's an area that I discovered in the last couple of years, in the last year really. I wish I'd known more about much earlier in my career. But you know you mentioned lean and lean resources earlier. Tipping point leadership is a theory of change leadership based on epidemiology created by Chan Kim and Renee Malborn. They're professors of Strategy at Insead Business School in France.
Steve Tout:
The obvious part is that for change to occur, a critical mass of individuals need to support that change. So, sometimes you think of critical mass oh, like 51%, 60%, 70%, the majority of a population where you have a organization like, let's say, it's 2,500 employees, so you're thinking hundreds or thousands. But, the unexpected insight is about tipping point leadership is that critical mass can be driven by a small number of influential leaders or change agents within the organization. The study of this looks at, starting with, if you have a vision for a change that you want to like enhance privacy in my organization or have a privacy first mindset and shift from a product first to a privacy first mindset or privacy by design as a main dominant way of thinking, and that's your goal you don't immediately start out with a campaign for everyone to get on board with embedding privacy into their workflows.
Steve Tout:
You know the way this theory explains to be successful with the adoption is to engage those influential leaders first. That gives you the ability to leverage their authority, their credibility and social capital to make it possible for change to occur at scale. And that's how it occurs at scale. You have different department heads or business units and if you get the majority, you don't need 100% acceptance of your idea in order for it to stick, but you do need a majority of your department heads or change agents or PA executives to support your vision for change and to go forward towards get closer towards that change with you. So tipping point leadership works with minimal effort, or lean resources, as you say, driven by the key figures, to achieve maximum impact.
Debra J Farber:
What would you do if you were in a very bottom up focused organization? Maybe that is, very engineers are trusted and they can move fast and run with things. I think about my experience at Amazon, for instance, where everything gets bubbled up from the bottom. You write narratives and then you win low level executives and then, if they like it, then you keep going up and up and it could take over a year before you could even ever meet a executive that can move things along and have that top down effect that you just described as part of tipping point leadership. Basically, does this require that there be a good top down or ability to influence executives that can then make top down decisions? Or, is there some other mechanism within tipping point leadership I'm missing?
Steve Tout:
Well, I think a low- level executive is somewhat of an oxymoron.
Debra J Farber:
Yeah, agreed, for lack of a better word.
Steve Tout:
Yeah, but let's pivot on that for a second. The executive. He may be the executive that's three levels removed from the Chief Executive, but if he is truly an executive, that means he has access to budget, that is, reward power and the ability to implement policy. So, there's basis of power that that executive can have to become a leader of change, and he can do so with small, incremental changes to how incentives and rewards are created and implemented within this organization. So I wouldn't really call that bottom up. But in your example of, like an engineer at AWS who has a vision for making privacy more impactful in his or her product line, I think that he or she can become a privacy advocate. But I think there needs to be separation between "hey, this is the stuff I need to do to get my work done," and it's oftentimes fraught with danger to become too passionate about an idea that's contrary to your leadership values and then go and try to advocate for that and do things that rock the boat or create mayhem. What I would do, specifically in that situation, is I would try to create mind share, starting with my manager. Does he or she support that idea? Am I gonna get in trouble or maybe get fired if I spend too much time thinking about this idea, writing about it, talking about it internally and externally at conferences. Or is the idea - maybe it's not prevalent within the organization, but would it be perceived as politically unsafe to advocate for it? So I would think about it that way.
Steve Tout:
Again, this is looking at this through the lens of game theory and, again, reverse engineering. Once an engineer steps out of his or her technology bubble, put this pie back in your mind. Right, you're going, you're reverse engineering the economics, the politics and then the philosophies. And an engineer debating philosophy with a chief executive isn't always received very well. So you have to, as a nonconformist in your organization. You have to be very pragmatic about how you raise issues and concerns and advocate for a particular way of doing things. It's not just be outspoken. I think there's a science and a methodology that supports anyone, at any level of the organization, to bring their passions to their job without risking being ostracized or isolated.
Debra J Farber:
Yeah, that's good insight and advice. I appreciate that. I do want to turn to all the good work you're doing with the State of Washington. But, just to wrap up the tipping point leadership stuff, as I was reading some of the what you've written on the topic, I came to see that the definition of tipping point leadership seemed to be around some of the hurdles to overcome, and so maybe you could just quickly speak about what those four common hurdles are, because I think it helps better even define what tipping point leadership is.
Steve Tout:
Well, you know, as it turns out, I think these hurdles represent somewhat the pie that I created several years ago. They're not the same. I don't frame them as hurdles and I won't go into this deeply because I didn't invent tipping point leadership, but I think these hurdles are something that really resonate with us all and when you think of this, you hear often cybersecurity is a leadership issue. Yes, it is, but what does that mean? The hurdles and tipping point leadership that can slow down or even kill progress at an organizational and societal level. Now, that I can say that because I see how it happens in the public sector. So they're simply, they're cognitive. You know how people learn and not everyone has the savvy of the engineer in Silicon Valley. Political, motivational and resource hurdles. Motivational and political hurdles are the most difficult ones and prevent a strategy, rapid execution.
Debra J Farber:
Thank you, that makes a lot of sense. Okay, so let's talk about some of the work that you're doing with Washington State working on modernizing identity access management for IAM. Let's start by talking about what's the driving need for modernizing in Washington State.
Steve Tout:
Yeah, so for context, this is for consumer IAM. So, this is IAM that touches all residents within the state. This is not workforce IAM. I think that should help for anyone that's in this industry understand what we're talking about and the scale and the impact that this is having.
Debra J Farber:
So this is if somebody is like they need services for the state and they sign up for profile online and then everything attached to it, or you know, help contextualize what that means.
Steve Tout:
We have a persona in the project that we're working on. Her name is Dani and we have referred to it as Dani's journey. So Dani, you know, has just moved into the state and she is really into hiking, so she wants to go get a permit to do some camping or hiking at one of the state parks. Right? How does Dani interact with getting the permit, exchanging her license plate or phone number or email to get the permit? So, it's that consumer interaction. And then, Dani gets a job and then she gets hurt and so she needs to interact with the Unemployment Services Division - how she interacts with that state agency to get benefits. So that's the context. At a high- level, I think what Bill Kehoe (Washington State CIO) is doing is really genius, the approach he's taking.
Steve Tout:
It's not because of security or cost considerations that's driving consumer IAM. The overarching driver is really about equity, and I think that touches on the aspirations of all of us involved on the project that we're working on, modernizing consumer IAM because it's going to make doing business with the state easier and providing more seamless access to resources to the Dani's of the world or to vulnerable or marginalized populations.
Steve Tout:
So, that's one of the core drivers. I've seen one of the biggest vendors on the planet fail miserably because they came to this opportunity thinking that free was a compelling offer and it just simply isn't. So, drivers are in context here about improving the quality of services and enabling digital equity and then prioritizing customer and business needs over technology. For service enhancement, that involves transitioning major IAM systems and compute to the cloud and SaaS for agility and adaptable service delivery that improves operational efficiency of a government, which could be an oxymoron itself. Aligning modernization with strategic goals, there's this idea of connected government and data accessibility in the state that those are major initiatives, as well as the migration to the cloud. All of those are aligned with leadership's aim to transform Washington State's IT infrastructure into it being a more agile, data driven and interconnected system that better serves the needs of its residents, and aligned with the strategic governmental priorities.
Debra J Farber:
All sounds like really great reasons to put such a program in place. So great drivers. Thank you so much for that. What are some of the challenges to privacy, ethics and equity that you've come across as part of this effort, and then how have you approached them?
Steve Tout:
Yeah, so coming at this from a background of identity and access management and someone who's about ready to complete an MBA, there's game theory, there's data, there's analytics or social sciences involved here. There's change management and tipping point leadership to use as a tool to look at this; and so, I've encountered multiple challenges. Washington State is not on the cutting edge of digital identity, and the reasons range from the political hurdles. The ACLU has a pretty loud bark when it comes to adoption of biometrics, even for legitimate purposes like identity proofing and authentication. There's a lack of transparency, which directly relates to trust as an issue. As vendors build out their tech platforms, many have or are in the process of adopting AI, so machine learning using big data and predictive analytics. One of the major concerns that I see here is lack of transparency and lack of auditability in these AI models. Those are rightful concerns, right? We don't want the AI to be a black box, and the next concern is linked to that.
Steve Tout:
Automation has limits. The bill of materials that are being offered by vendors in this space provide automated decision support or automated access or authorization decision, which can become problematic. States need to have the ability to explain why an access decision was made or denied, and so there has to be that transparency and visibility into how the sausage is being made. And then, simply bad information; there are some leaders out there who are comfortable with the status quo and would rather stay the course using non-speech authenticators. They'd rather do that than invest in more equitable solutions and better algorithms to solve this problem At some point in recent history and I won't go into the details, but I think it's pretty clear that even relational databases at its day and were used for profiling and assisting the Nazi regime during the Holocaust, and now databases aggregate patient data and research. They speed up drug trials and discovery. So I don't think that technology itself is the issue here. It's the owners, it's how the technology is deployed, how it's used, and it could be used for good or for bad.
Debra J Farber:
That's a really great reminder that I think technology deployment is not politically neutral. While technology itself might be neutral, how it's used and deployed is not. So in many senses of the phrase, I guess everything is political when it comes to technology, right? So people should be thinking in those terms think more about the ethics and does it align with your company's ethics and is what you're doing in deploying aligning with your company's ethics and and all of that good stuff. That good alignment is important because then you'd be able to see whether or not something's deployed in a way that goes against the organization's ethics or not. But you can't do that unless you're monitoring, and so all of these things kind of fit together beyond the technology itself around how you've architected and designed it. It's basically underscores the need for privacy and ethics and security by design. That whole 'by design' set of disciplines. [Steve: agreed].
Debra J Farber:
Let's have a short discussion between the difference between mDL, so mobile driver's license, and verified credentials technology.
Debra J Farber:
I bring this up because, well, first we're talking about identity management and One of the ways that you and I got introduced by Tom Kemp was because I said to Tom hey, I'm gonna be working on a contract for the California State DMV that is implementing the mobile driver's license and verified credentials technology, and I am and that'll be the subject of a completely different episode. That's how he introduced me to you, like, o"Oh, you know, you need to meet Steve who's working on identity management for the state of Washington, and so in my mind, you know, I'm like living in the world of the MDL and the AAMVA standards for implementing. AAMVA is The American Association of Motor Vehicle Administrators. Then comparing that to the verified credentials standard, which is actually in some ways competing with the ISO mDL standard. So, let's give our audience a little sampling of, I guess, the issues of those two standards. What are the differences? Why are we even talking about them?
Steve Tout:
Yeah, well, at its fundamental level, I mean, the identity is the underpinning for it all whether you're talking about verifiable credentials or mDL. It's kind of obvious that mDLs now are gaining popularity because of their convenience. They offer enhanced security features and the growing trends towards digital transformation and personal identification. I mean, vendors are contacting me all the time offering some kind of preview of their mDL solutions. And you're right, I'm not currently directly or actively working with the DMV here in the State of Washington, but the project I'm working on is tangential to that, which is the residents identity management or the residents credentials.
Steve Tout:
So mDL serve as the digital counterparts to the traditional driver's licenses. By contrast, verifiable credentials or VCs offer more of a broader framework for digital credentials. It could be a digital receipt or a digital pass to go overnight at a campsite, or your badge to enter a building. It could be applied to many different areas, but in this case, you know the cryptography and credentials are specifically related to drivers licenses. And then VC's offer a more versatile framework of all kinds catering to broader needs.
Debra J Farber:
Thanks for that. I'll go in depth on another episode because I know we don't have that much more time today. But how are state different states approaching their implementation of Mobile drivers licenses, or mDL?
Steve Tout:
Well, like any technology, Debra, you have early adopters and laggards. It's definitely a paradigm shift and if you look at it through the tipping point leadership, it's States and organizations are at various points in their process of building out the infrastructure and building out the political support that has to be in place. So, whether you're talking about Colorado or or Oklahoma or Maryland, early adopters are kind of getting ahead of the curve, which is great because there will be lessons learned that other States, like Washington, can study and learn from to build a confidence assessment pack and so forth. So I see these as increasing the security, increasing the convenience of their use. The one that you hear a lot about is if the age when you order a drink at a bar, the bartender won't see your eye color or your street address, that kind of thing.
Debra J Farber:
So, this selective disclosure, where you just want them to know you're over the age of 21 so they could serve you that drink, but you know you're not going to share with them the entirety of what's on your license because they don't need to know that. So it's kind of a little bit of the security need to know aspect, but also that it really enhances privacy because it's a minimization of sharing the data and selectively disclosing which data you share with whom. Yeah, and then before we close our conversation today, what advice do you have for privacy technologists so that they can best position themselves and their organizations at the forefront of privacy and security innovation?
Steve Tout:
I think the main thing, Debra, is don't fall in love with the technology. That can have negative consequences for many years and maybe even a decade, and it can disrupt the trajectory of a career. Technology changes all the time, so, real briefly, for privacy technologists to position themselves and their organizations at the forefront of privacy and security, I think they need to stop falling in love with the technology to really understand their path to broader impact, both in their career and within their organization, their community, their state as change agents, and see themselves as change agents instead of technologists. And then, become transformational leaders who practice that tipping point leadership. I think that you know. For me, that was a real eye-opener and looking at the need for change management versus just implement new technology.
Debra J Farber:
Thank you so much. What books or resources do you recommend so that people can learn more about this tipping point leadership style?
Steve Tout:
As you can guess, Debra, there's a lot written on this topic, just too much to mention. The one that I read for a course I recently took on change management is Harvard Business Reviews 10 Must Reads, simply titled, "On change management. It's a great concise book. There's case studies. There's different chapters on different topics that provide context. There's a really great chapter on this issue of tipping point leadership. That provides the insights that leaders Need to consider and in managing change at any scale.
Steve Tout:
I think that's a good place to start. There's another excellent resource. It's an open source textbook that I use for the same course that's published by the University of Minnesota "On change management. I could recommend that, too, because it's free, it's online and the quality is Mind-blowing good. It's exceptionally good if you're a technologist and you're trying to figure out how can I be more impactful and effective within my role. It's not go to a conference and learn more about technology. If you pick up that book on change management or this open text book, I will provide a link so you can add it to the show notes and share with listeners. It's excellent.
Steve Tout:
The key idea about path to impact you need to understand what is your personal path to impact, as a professional or as a leader, to bring about change and transformation at a personal level, at a career level and at an organizational level. You can't have digital transformation without identity transformation. You can't have identity transformation without personal transformation. And you start connecting the dots, so look for that path to impact. I also recommend that this recent book, "Ethics in the age of disruptive technologies it's an operational roadmap written by Brian Green and Ann Skeet. They're from Santa Clara University's Markkula Center for Applied Ethics. I mean, I'm going to the business school at Santa Clara University, but that's an excellent resource as well looking to connect the dots on innovation, disruption and emerging technologies.
Debra J Farber:
Well, thank you so much, Steve, for joining us today on The Shifting Privacy Left Podcast. I think I've learned a lot from you and I look forward to following you and seeing a lot more of what you write, listening to a lot more of your podcast episodes. Until next Tuesday, everyone one when will be back with engaging content and another great guest. Thanks for joining us this week on Shifting Privacy Left. Make sure to visit our website, shifting privacy left. com, where you can subscribe to updates so you'll never miss a show. While you're at it, if you found this episode valuable, go ahead and share it with a friend. And, If you're an engineer who cares passionately about privacy, check out privado: the developer- friendly privacy platform and sponsor of this show. To learn more, go to privado. ai. Be sure to tune in next Tuesday for a new episode. Bye for now.
Debra & Steve discuss the benefits gained from 'Tipping Point Leadership,' where business transformation can occur by gaining a critical mass can be driven by a small number of influential leaders or change agents within the organization
Steve describes how the States are approaching their implementation of mobile drivers licenses (mDL) in different ways and articulates the benefits of 'selective disclosure'
Steve's advice for privacy technologists so that they can best position themselves and their organizations at the forefront of privacy and security innovation
.jpeg)
