Keeping data secure amid digital transformation
Mark McClain, CEO of identity governance company SailPoint, discusses the importance of keeping tabs on data access and the company’s journey from US startup to billion-dollar multinational corporation
Who has access to what, who should have access to what, and how is that access being used?
These three key questions are critical (and often headache-inducing) for any company when it comes to managing its data – and they are precisely the questions identity governance platform SailPoint looks to answer.
In an increasingly cloud-based world where end-users as well as staff and companies are rightly becoming increasingly concerned with what happens to their data, SailPoint aims to help companies manage digital identities so that access can be clearly defined and securely managed.
Having grown into a $2.2bn NYSE-listed company, Austin-based software developer SailPoint dates back over a decade but went public in November 2017, achieving a value of over $1bn on its first day of trading, with an IPO that raised $240mn.
CEO Mark McClain recalls the client server era of the early 1990s. “You had tonnes of Unix servers and Windows servers all over the place.” In 2000, McClain founded identity management company Waveset Technologies, growing the business 250% year on year for the first three years before it was acquired by then-giant Sun Microsystems.
The main issue McClain was dealing with in his Waveset days is known as joiner/mover/leaver: the granting of access to data when a stakeholder joins an organization or moves departments, and the rescinding of this when it’s no longer needed. “People now, not just employees but contractors and business partners who can look a lot like employees, they’re certainly insiders who can access your systems and data.
“Today, the interesting challenge is around non-human identities,” he adds. “These are software bots or robotic processes where software is effectively imitating the behavior of people, in AI and other applications. Today, it’s not uncommon for a loan to be processed initially by software bots that categorize and evaluate, and then go to humans for the next step… The same things we worry about with people and their access now also apply to non-humans.”
In 2004, when SailPoint was being conceived, joiner/mover/leaver and the associated issues were top of mind: namely, process management and identity. “That was the emerging challenge of compliance and governance,” says McClain.
Following the Sarbanes-Oxley act of the early 2000s, data access became an increasing concern – and today we are familiar with the same issues due to the EU’s GDPR. “People got nervous that the wrong people had access to data and could tamper with it – so the beginnings or governance and compliance in the industry were around making sure the right people had access to the right information.”
In McClain’s view, the industry evolved the wrong way around, automating before looking at security elements. SailPoint, however, decided to remedy this by looking at how well a client’s current state matches its desired state in terms of cybersecurity. “That’s the analysis of what the current access privileges are of the organization – once I get that right, then I want to run that into an automated system,” McClain points out.
A common issue, says McClain, is atrophy: when an organization grants access temporarily or to an employee who has moved, but then does not take the access away after it ceases to be necessary. McClain likens this to having a bunch of keys that can open doors you don’t need – or shouldn’t have – access to.
With shifts to cloud and mobile, it’s even harder to ensure data remains ‘safe inside’ a company – “but the processes we use assume it still is, and that’s what customers are really wrestling with. The days of being sloppy about access management are quickly ending.”
What identity governance software, and particularly SailPoint’s offering, can be boiled down to are three key benefit areas: compliance, security and operational expense. In terms of security, McClain says simply: “If you don’t know exactly who has access to what, and that they are using it correctly, bad things can happen.” SailPoint aims to solve the problem of ensuring only the right people have access.
In terms of compliance, SailPoint works not only to manage the ongoing maintenance of identity but also audit compliance validation of identity. GDPR is an example of where businesses, not just in the EU, need to remain compliant. “If a customer says ‘I want you to forget me’, a core tenet of GDPR is that you have to know where that data is and who has access to it so you can turn it off… somewhat broader than security, GDPR is a board-level discussion and yet it’s really about identity,” he adds.
Automating security and governance through SailPoint can also bring about significant cost savings. “It’s not uncommon for a 50,000-person enterprise to have hundreds of people working on nothing but joiner/mover/leaver,” says McClain, adding that through automation this repetitive and costly process is cut down.
Having started with larger organizations, around 2012 SailPoint began to target medium-sized enterprises, developing a software-as-a-service (SaaS) offering called SaaS. “Mid-size organizations today almost never buy software and install it – wherever they can, they want to buy SaaS,” says McClain, who puts this down to the fact that mid-sized organizations want a less sophisticated solution, and often don’t have the time to customize and configure.
The next issue SailPoint is tackling is data being removed from its original location, often to a less secure home. “Every day, people export and download data onto spreadsheets, PowerPoints, and other documents to be stored in things like SharePoint and Dropbox.” SailPoint is therefore looking at what McClain calls ‘unstructured data’ and how AI could be utilized to protect it.
“For an organization with 50,000 people and 10,000 applications, it’s hard to figure out where you might have exposure to risk,” he explains. “In most organizations, there’s no single system of records – who an employee is, what they do, and what access they have across mainframe, client server, cloud, SaaS… finding anomalies of access privileges is very painful.”
An ongoing commitment to solving these pieces of the identity puzzle, as well as adapting solutions for businesses of various size and scale, has contributed to SailPoint’s solid growth into a mature public company. Having begun in North America, the business soon moved into the European market via London due to its volume of clients in the finance sector, and is now growing in the APAC market.
Instead of opting to work with smaller companies and branching out as the likes of Salesforce did, McClain puts SailPoint’s growth to just the opposite. “We wanted to tackle some of the largest, most complex organizations in the world because we had a belief that if we could get those folks hooked and bought into our products, we could leverage that down the market,” he explains, adding that over time investors have certainly ‘voted with their wallets’. “They’ve come into the stock and pushed the value up – the security market has certainly emerged as a very important submarket within IT.”
As a final word of advice for any business, McClain says that a period of automating or moving to the cloud is the ideal time to examine security. “Digital transformation is an opportunity and a reason to evaluate your current state of identity controls and governance and shore up your policies and processes to prepare for the future. If you just take those poor policies to the cloud, it’s going to explode and get worse.”
Marketing matters: from IBM to Kyndryl
Prior to joining Kyndryl as Chief Marketing Officer, Maria had a 25-year career at IBM, most recently as the tech giant’s CMO where she oversaw all marketing professionals and activities across North America, Canada and Latin America. She has held senior global marketing positions in a variety of disciplines and business units across IBM, most notably strategic initiatives in Smarter Cities and Watson Customer Engagement, as well as leading teams in services, business analytics, and mobile and industry solutions. She is known for her work with teams to leverage data, analytics and cloud technologies to build deeper engagements with customers and partners.
With a passion for marketing, business and people, and a recognized expert in data-driven marketing and brand engagement, Maria talks to Business Chief about her new role, her leadership style and what success means to her.
You've recently moved from IBM to Kyndryl, joining as CMO. Tell us about this exciting new role?
I’m Chief Marketing Officer for Kyndryl, the independent company that will be created following the separation from IBM of its Managed Infrastructure Services business, expected to occur by the end of 2021. My role is to plan, develop, and execute Kyndryl's marketing and advertising initiatives. This includes building a company culture and brand identity on which we base our marketing and advertising strategy.
We have an amazing opportunity ahead at Kyndryl to create a company brand that will stand apart in the market by leading with our people first. Once we are an independent company, each Kyndryl employee will advance the vital systems that power human progress. Our people are devoted, restless, empathetic, and anticipatory – key qualities needed as we build on existing customer relationships and cultivate new ones. Our people are at the heart of this business and I am deeply hopeful and excited for our future.
What experiences have helped prepare you for this new opportunity?
I’ve had a very rich and diverse career history at IBM that has lasted 25+ years. I started out in sales but landed explored opportunities at IBM in different roles, business units, geographies, and functions. Marketing and business are my passions and I landed on Marketing because it allowed me to utilize both my left and right brain, bringing together art and science. In college, I was no tonly a business major, but an art major. I love marketing because I can leverage my extensive knowledge of business, while also being able to think openly and creatively.
The opportunities I was given during my time at IBM and my natural curiosity have led me to the path I’m on now and there’s no better next career step than a once-in-a-lifetime-opportunity to help launch a company. The core of my role at Kyndryl is to create a culture centered on our people and growing up in my career at IBM has allowed me to see first-hand how to prioritize people and ensure they are at the heart of progress in everything Kyndryl will do.
How would you describe your leadership style?
I believe that people aren't your greatest assets, they are your only assets. My platform and background for leadership has always been grounded in authenticity to who I am and centered on diversity and inclusion. I immigrated to the US from Chile when I was 10 years old and so I know the power and beauty that comes from leaning into what makes you different from other people, and that's what I want every person in my marketing organization to feel – the value in bringing their most authentic self to work every day. The way our employees feel when they show up for themselves authentically is how they will also show up for our customers, and strong relationships drive growth.
I think this is especially true in light of a world forever changed by the pandemic. Living through such an unprecedented time has reinforced that we are all humans. We can't lead or care for one another without empathy and I think leaders everywhere have been reminded of this.
What’s the best leadership advice you’ve received?
When I was growing up as an immigrant in North Carolina, I often wanted to be just like everyone else. But my mother always told me: Be unique, be memorable – you have an authentic view and experience of the world that no one else will ever have, so don't try to be anyone else but you.
What does success look like to you?
I think the concept of success is multi-faceted. From a career perspective, being in a job where you're respected and appreciated, and where you can see how your contributions are providing value by motivating your teams to be better – that's success! From a personal perspective, there is no greater accomplishment than investing in the next generation. I love mentoring younger professionals – they are the future. I want my legacy as a leader to include providing value in work culture, but also in leaving a personal impact on the lives of professionals who will carry the workforce forward. Finding a position in life with a job and company that offers me a chance at all of that is what success looks like to me.
What advice would you give to your younger self just starting out in the industry?
I've always been a naturally curious person and it's easy for me to over-commit to projects that pique my interest. I've learned over years of practice how to manage that, so to my younger self I’d say… prioritize the things that are most important, and then become amazing at those things.