Let’s talk about digital identity with Bengt Berg, Head of Compliance Management Services at Cybercom.

We all know the importance of regulatory compliance in any Identity and Access Management (IAM) scenario. What we don’t always know is how to make colleagues engage with compliance, to ensure they sit up, listen and remember to always keep compliance front of mind.

In episode 21, Bengt Berg fills us in on the new alternatives to the dreaded compliance management handbook that sits on the office shelf collecting dust, taking inspiration from the finance industry. Oscar and Berg also cover other key topics such as how to convince the board that IT security is important with easily accessible metrics, specific cases of IT security compliance in IAM and Cybercom’s approach to compliance management.


“The most common system or platform to get hacked is the system you didn’t even know you had.”

Bengt has been in the IT security industry since 1994, when he was building encryption systems for people in uniforms. He has been a manager in a big American firm, has taken some time in the finance industry and today works as a do-all guy at Cybercom: some sales, some consulting, some business strategy. He is also a member of the steering group of Cybercom Secure, and the proud father and protector of Cybercom’s products and services in the Compliance Management area.

Connect with Bengt on LinkedIn or at [email protected].

Enjoyed this episode? Listen to episode 10 with Bengt’s colleague, Cybercom’s Head of IAM Solutions, Robin von Post.

Find out more about Cybercom at www.cybercom.com.

Cybercom is a Ubisecure partner. Get the details here: ubisecure.com/news-events/cybercom-partnership.

We’ll be continuing this conversation on LinkedIn and Twitter using #LTADI – join us @ubisecure!

Go to our YouTube to watch the video transcript for this episode.

Let's Talk About Digital Identity
Ubisecure

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.

 

[Podcast transcript]

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello and thanks for joining. Imagine you have joined a new company and among the very first things, you are meeting the IT manager, giving you some training about security and then they hand you a 40-page guideline that you have to follow and that can be a nightmare for everybody – some stress how I’m going to make sure that I will follow that.

On the other side of the story, of course there are the compliance managers who really want that a company complies with these regulations or guidelines, security-based practices, and how they make sure that everybody is contributing to that, to the common goal. So for that, we will have a conversation about compliance management. For that we have an expert who is Bengt Berg who is a head of compliance management services at Cybercom.

Bengt has been in the IT security industry since 1994, when building encryption systems for people in uniforms. He has been also a manager in an American big firm, has taken some time in the finance industry and today works as a do-all guy at Cybercom. Some sales, some consulting, some business strategy, and he is also a member of the steering group at Cybercom Secure. He is also the proud father and protector of Cybercom’s products and services in the Compliance Management area. Hello Bengt.

Bengt Berg: Hello. Good to meet you, Oscar. How are you doing?

Oscar: Oh, very good. I’m really happy to talk with you and talk about this very interesting topic – compliance management. So let’s get started Bengt. Let’s talk about digital identity. And the very first things I would like to know is a bit more than I said everything in your bio. But tell us a bit more about your journey into this world of compliance and digital identity.

Bengt: I would like to start with thanking you for telling us, saying that compliance management sounds very interesting. In fact it sounds really, really boring. Most of the people who got these PDF documents with all the requirements about what to do and what to not do, they deal with these in a very pragmatic way. They say thank you, they put the document in a bookshelf, and they never read it again.

So that’s one of the tensions that we need to discuss in this podcast. Well, you asked me about my journey into this world of digital identity. So I will get back to that. I just needed to stress that thing first. As you said, I’ve been around in the IT security business since 1996. So it’s almost 25 years now. I got a master’s degree in computer science once upon a time and started doing encryption stuff.

When it comes to digital identities, I wrote my first commercial implementation of the RSA algorithm in 1996 I believe. It wasn’t that good and it wasn’t that fast but it worked. And it was possible to sell. So yeah, I’ve been around in the digital identity business ever since, so yeah.

Oscar: Cool, yeah. So, you don’t let me lie. So, about compliance management, you say it’s boring. OK. But it’s very, very important, especially for organisations. But for the ones …

Bengt: It can be super fun, it can be super fun.

Oscar: It can be super fun, especially …

Bengt: The traditional way is boring.

Oscar: Exactly. And that’s what I want to discuss today. You know, the traditional way is boring. But you are going to tell us how you’re working on that, you have been creating products, very innovative products and services. But let’s continue. Start with the basics. Tell us what that is. What is compliance management?

Bengt: Yeah. You know, I would say what is a challenge of compliance management? Because when you have worked as long in the IT security industry as I have, you work with companies that have been really, really hacked. I mean really badly hacked. Most of the companies who get hacked or have an IT security incident, the most common system or platform to get hacked in is the system you didn’t even know that you had.

And the scale of that… If you go to that book that nobody reads, it has like 200 requirements saying that you must do things or you shouldn’t do things. Think of it as an Excel spreadsheet. You put these in rows and in the columns you would put everything that – where these requirements would apply. Every single system, every single platform, every single process where those requirements are applicable. That matrix gets huge. The scale of the implementation of the security framework easily comes up to hundreds of thousands of “Are we compliant with this requirement on that system?”

That’s the scale that we need to work with in the compliance management. It’s absolutely not about writing documents and telling people to obey. That’s just not going to work.

Oscar: So yeah, it can be immense especially in the size of the organisation and that leads me to the next topic. It’s how big an organisation has to be to have a compliance manager or be really into that.

Bengt: It’s not really about size. Size doesn’t matter, but complexity does.

So think again what is the challenge because if you want to do compliance management, there is a business area around that everybody knows. So that handles this scale of the task easily, super easily and they don’t write PDFs and tell people to obey. So what it is, is I’m talking about the financial management of course. I mean every organisation, Cybercom or Ubisecure, you got finance people, right?

Oscar: Sure.

Bengt: And you have a project for example. You find that project in the finance system. You’re not reading the PDF document to see that, yeah, I’m a project man. You log in to the finance system and you find your projects there and you see income, you see costs. You see people working there. You approve invoices. You put time in the project, expenses, etc. Everybody does that and it becomes a general ledger of Ubisecure, right? Or for the company or the organisation of anybody who’s listening to this podcast.

You can go to your financial people and they say, “Yeah, this is the way we do it.” We let everybody work with their stuff and when they work with their stuff, it becomes an annual financial statement. And that is complexity.

The number of invoices, the number of projects, the number of processes, the number of people involved, the number of taxi receipts in an organisation, flight tickets, 3M post-it notes being bought. The finance people do that easily, and the scale of managing IT security, for example, is also staggering. The number of systems in a large organisation that needs to have their backups checked, all of the backups checked. When were they checked? That’s all a challenge of similar size.

So what we have done in our business is to take great ideas from the finance industry and bring it into security management. And we call that compliance management because it’s not only security.

So when it comes to scale, if you have a very easy organisation to work with from a financial standpoint and it’s big, maybe you can have some finance guy with an Excel spreadsheet. But if your business is complex, then you need to have finance systems and that’s an approach we’re taking. We’re creating the security management system or compliance management system of complex organisations. And when it comes to IT, most organisations are complex.

So yeah, how big? Our smallest customer is like two dozen employees. Our largest for the same solutions and services are super big.

Oscar: Sure, like thousands. OK. So it’s more about complexity as you said, complexity and not thinking from the IT perspective, how many systems assets there are. OK. Very interesting. So there are even relatively small organisations in terms of number of people who are using solutions like that and they really need to take compliance management very seriously.

Bengt: Absolutely. I mean for example we are in the same industry, right? We are in the security industry. We’re doing a little bit different things. So I’m asking you now Oscar. Have you ever heard the security manager or a CISO or a risk manager complaining that the board of the company doesn’t really take them seriously or do what they say? Have you ever heard that, sometime maybe?

Oscar: Well, yes, I have heard that. Yes.

Bengt: You know, compared to the finance manager or the CFO. The CFO doesn’t have to knock on the door when entering the office of the CEO, right?

Oscar: Yes.

Bengt: Hi. It’s me. You know, I need to tell you something. It’s me. Sorry. I needed to borrow your chair and your desk. I needed to do something, you know. And they have easy access to the board. They have easy access to management. Why is that? It’s because they govern the organisation with predictability and experience. If the CEO asks the CFO, “What are our key performance indicators? Are we doing well? Did we have a good quarter one?” they get the answer just like that. They snap their fingers. They already have the numbers in their hand, right?

Oscar: Possibly, yes.

Bengt: But what happens when the CEO says, “Yeah, OK, that sounded good. Maybe I should take down the lift down one floor and go and speak to the CISO guy”? And then I say, “Hey, CISO guy. Are we secure?” “Well, it depends.” “OK, fine. Maybe it does, but are we better now than we were half a year ago?” “Well, you know, I’m going to make a little pen test and I’m going to buy a cool gadget, stuff like that. Yeah. You know, everybody can get hacked. It matters or maybe doesn’t matter. Who knows?” The key secret of the CFO is that they have metrics.

Oscar: Yes.

Bengt: And they are not having workshops and they are not issuing documents that somehow transform into performance indicators. They press a return button…

Oscar: They have tools.

Bengt: …in the tool and they get their key performance indicators. The tool, the finance tool doesn’t make the company financially stable and a compliance tool or a security tool will never make a company secure. But it establishes the playground so to say. It establishes a map on where to track progress, on where to look for key performance indicators and where to look for white areas where no man has gone before.

So yeah, sorry, that’s a super long answer to who needs compliance management and how big an organisation has to be, but everybody needs metrics.

Oscar: Well, it’s a very good one actually. Yes. It all falls into metrics and the right tools and it’s an excellent analogy, what you have shown comparing to finance, that they have even more trust, what you say, more trust with the CEO, the board, because they are able to present metrics and this is because they have tools. So the tools are the main thing that are lacking in many organisations, on the compliance management desks of many organisations.

Bengt: I would say it’s even worse than that, sorry. Of course the tools are necessary because if the finance system of any organisation is down, broke down or technical maintenance or whatever, the CFO won’t even go to work, right? There’s nothing to do. They go to the golf club and that’s it. Let’s see if the system is up tomorrow.

But the really core part of that is that there are so many people in the security and risk business who seem to accept that their own governance is less stringent than that of financial management. Where did that come from? Well, how come so many people accept that they cannot show key performance indicators to the board? Because when you can do that, when you can say that “Hey, this line is going down. It shouldn’t be this down. That line should go up.”

The board might say, “Yeah, you’re right. It shouldn’t go down. It should go up. How do we make the line go up?” “Well, you guys need to do some investment.” “OK. So where do we put the money?” That’s a way to get investments. You’re not getting investments by showing them a live hacking demo. “Oh, look at this: the Unix system can be hacked.” You need to be predictable and in order to be predictable and be predictable every day, you need to have a system to work with. But finance people, they play golf if the system is down, and they are successful. They know what this is about.

Oscar: OK. How do you get this inspiration from the finance industry for this?

Bengt: I’ve been in a couple of years in a large American company as a manager there. So it was quite close to me really. There were financial auditors working there and after a while I started to feel it, you know, like a stone in my shoe. How come we cannot convince the boards that security is important and that risk is important? How come we get, you know, one hour every half year to have a presentation? And the CFO guy doesn’t have to knock on the door.

So that’s where I wanted to get and I can tell you a little trade secret of mine because I work with business development, strategy development in this area. And if I have a tough day at work, sometimes you are very great at what you’re doing, but you have those other days at work.

Oscar: Me too.

Bengt: A lot of those other days at work, if I don’t find inspiration on what to do, I try to see something that finance people do that I don’t understand why they’re doing it. And it’s quite often a great talking point. You say that yeah, you know, this is possible. This is a really smart thing that they’re doing and it’s possible also in the security, IT security, digital identities, IT risk area as well. We can steal a little bit of what they’re trying to achieve. We need to do it differently. But what they’re doing is a smart thing. So what would that translate to in our business? So don’t tell anybody, don’t try to put this in a podcast or something, but strategy development in this area is super easy.

Oscar: [Laughs] Oh, yeah. Wow.

Bengt: So make sure you cut this away.

Oscar: OK. Well, it’s very, very interesting, what you said. Well, great that you find by working very closely with financial experts or people who had the right tools and were having the trust from the board. You got inspiration one day to put this into the compliance management and that’s the products and services you are working with today. Going a bit more specific into digital identity, what would you say are the top regulations that organisations must really take seriously to comply?

Bengt: Yeah, regulatory governance. That’s today one of the key drivers of IT security as such, right? I have even stumbled across organisations who say that, “We don’t do risk assessments anymore because there are so many regulatory requirements on us that we need to spend all our money into dealing with them to start with. So we are no longer doing any security at all for our own sake. We are doing it to follow the requirements set on us by others,” which is sad, right?

But when it comes to those regulatory requirements, it would be, of course, what everybody is talking about and has now for some time, the GDPR. We also got NIS when that comes with security and risk in the system critical infrastructures such as finance, water supply, telecommunications, transportation, energy, those kind of lines of businesses.

In the commercial sector, of course these ideas, they are maybe not that hot anymore, but it has still been an extremely successful regulation for many companies to deal with. But already, right, we put our finger on the complexity of compliance management. Because what would happen, if you are a financial institution that needs to comply with personally identifiable information, legislation, GDPR, in terms of payment card infrastructures. Right now you’re a company that has to deal with NIS, GDPR and PCI DSS, right?

And there are people coming and auditors and qualified security assessors in the PCI DSS industry or whatever national organisations you may have to govern the NIS requirement. We said in the start, is it possible to guide, to govern an organisation according to a PDF document? Probably not. Now three documents, would it be easier or harder?

Oscar: Yeah. Well, it would be harder.

Bengt: Yeah. It’s a little bit harder, right? And if you’re an international bank and you have a meeting with somebody in Asia, you know, with the finance authorities in an Asian country and they say, “Hey, you guys need to comply with our financial legislation.”

So the question sounds simple. OK, what are the requirements? But they need to be implemented. There are no companies anymore that need to comply with one set of requirements.

An online betting company I worked with, they counted 14 different legislations. With the impact on IT security for different areas and they got the lottery inspection and they got PCI DSS and they got some different national requirements. How do they govern their organisation? If the backups are not checked in system X, which ones of these are they violating? When the auditors come to check them out on regulation 11, whatever that would be, and the auditor says, “Hey, give me proof that you’re compliant to my regulation – I don’t care about the other ones.” Now if you have a system, it would be great, right? Then you could press the button.

Oscar: Press the button, yeah.

Bengt: It’s a little bit work in advance of course. But the challenge is that the system should lower the work that people need to do. Let’s say that you have these 14 regulations and 8 of them have a requirement that you need to check your backups in some way or another. One regulation has a requirement in chapter one and the other one has a regulation in chapter eleven. But still there are only so many ways you can do an IT security guideline. There will be access control. There will be user management. There will be backups management. There will be patching. There will be source code checks. It will more or less be the same.

So you should check your back-ups. Hey, I’m the system manager here. I get the requirement in my system saying, hey, you need to check your back-ups and you’re pressing the Like button or whatever. And you have answered these for 8 of the 14. That’s the trick.

Oscar: Going more concrete also, could you give us some specific cases of compliance in identity for instance?

Bengt: Yeah, of course, I should be able to do that. I would say that GDPR would be a great example there because you need to keep track of users. You need to keep track of people whose data that you are processing in your system. So in your whole IT organisation, where do you comply to the GDPR requirements? It’s so easy for people to look for, you know “Yeah, have a look at this. This is where I comply to that requirement.” But that’s not the way it works. Because if you’re having your car checked out, different countries have different requirements for that, but here in Sweden you need to drive your car to a facility every year and they are checking it out so that the brakes are OK and that the tires are OK and that the horn honks when you press it, stuff like that. Those guys, when they check the grooves of the tires, they’re going to check all the tires, right?

And if one of your tires is blank, there are no grooves anymore, they’re going to fail you, right? But the issue we have, where we have no stringent compliance methods, we put a policy on the intranet and telling people to obey. People look for the first place where they comply with the requirements. Hey, have a look at that tire. It has got three-millimetre grooves. I’m safe and the other ones are blank, which means that they get an excuse, right? You audit them and maybe you say that, “Oh, but here’s a tire.” “Oh, yeah, I forgot about that one. But have a look at this one.” “Oh, yeah. I will put it somewhere to the list.” It would be great to have that in advance.

So when it comes to working with GDPR and of course identity management as well, it’s only personally identifiable information. That’s the whole task, right? We get the ability to look through the whole processing environment and understand where are we compliant with, for example GDPR, and we’re not.

Oscar: OK. You already told us something about the idea of Cybercom’s approach. The name of the services. Yeah. I would like to know more. It’s about more in detail, how it works. I know it’s difficult to say in words because it’s quite visual. Tell us more about Cybercom’s approach to compliance management.

Bengt: Yeah. You know, Cybercom as a company, we are – you need to understand where we come from. Everything comes with a history, right?

The reason I cannot find peace with the regular methods of security management, that may be my background in the financial auditing area. The reason that we have this tool to start with is that Cybercom is a technical consultancy company. We write code. The average Cybercom consultant gets upset when he or she needs to develop a PowerPoint presentation or something like that. We want to deliver code. That’s what we do. So we’re very much in the telecom industry. We are doing some very techy things.

So this meant that I had plenty of people around me who could develop, right? We got this extremely fantastic consultancy project for the Stockholm transportation, public transportation that sounds super boring, right? People driving buses and trams and all tech.

So I went to the first meeting for the project. They wanted us to shape up their security. OK, sure, we can do that, whatever that means. They rolled out, you know, like a network map which was one square meter. It was an A0 sized printout and that printout, it was like black. There was so much ink on it.

It looked like Frank Zappa’s “The Black Page” drum solo. You know, the script for that drum solo. It’s called “The Black Page” because there is so much music in that so there’s nothing white left on the paper. Yeah. And that was a network map. And reading that map, I felt like whoa, you know, a little bit scared. You know, I said, well, you guys got a pretty complex IT environment. They laughed and said that is not our IT environment. This is the map of one of the three big projects we are running right now.

We have seven signalling systems. We got 14,000 online cameras. We got a list of the accounts. They have their own power grid. They have their own everything. They got their own radio base station network. It was just plain silly and they said, “By the way, we haven’t been working with IT security for a hundred years. Where to start?”

So that’s where it started. We said, “OK. You guys, you don’t need a PowerPoint. You guys need a tool, and there are no tools that can deal with this. We can deliver some code to you,” and that’s where it started. So I got the opportunity to have a sponsor for trying out my theories in practice there. At Cybercom, we have the people around to do the coding. So the whole idea of the approach, and by the way, we have a very happy customer now. It took time but still that’s where it started and we’re hugely successful there.

The approach would be that as I said, people cannot function without tools in this area. If we go back to this matrix I told you about where the security requirements of the organisation are the rows and then the columns are the programmes or the IT assets or the computers or the processes and we agreed that this is a very large matrix, right?

The whole idea of somebody having the security expert and meetings and workshops and do testing to analyse whether or not things are green or red in those buttons, right? In those cells, that matrix. How long would it take? You got about 2000 working hours every year.

So let’s say that you have 200 requirements and you got a thousand places where those are applicable. You have an FTP implementation on the server. You have an Apache server that runs on a Linux laptop and you got the requirements saying that passwords should be 10 characters, which is a requirement that’s applicable all over the line, right? How many passwords are there in an organisation? So let’s say that you have 2000 hours and now you can do the math here. How many seconds do you need to put on every single cell in order to work that through for your big organisation? If you can’t do that, if you can’t make this decision in 18 seconds, you know, are we working fine with backups here? Are we patching the system, bang, 18 seconds? Not including the cup of coffee in the start of the meeting, you know.

Including. Sorry, including. Then you won’t make it. So the approach is that people cannot do this work without tools. Traditional methods don’t work. That’s it. Writing a document and telling people to follow it and have workshops, it doesn’t work. The finance people don’t do that.

So you cannot say that “well, it needs to be like this because this is best practice”. It’s not best practice. It’s common practice. It’s not best. It’s just what everybody did. Best practices are what the finance industry is doing. It’s about building mechanisms for efficient self-reporting. So that you can bring up this self-reporting and see where you got things that look worrisome, right? In case I would send in, you know, a thousand euros’ worth of taxi receipts every month in my report, people will notice, right?

And then they are going to send an expert to me and say, “Hey, Bengt. We need to discuss your taxi receipts.” That’s what the finance people are doing. The idea of having a designated security guy to find the insecurity of the organisation, that translates to having a finance guy come and look through my wallet to look for taxi receipts and say “OK, this is a good taxi receipt. That is not a good taxi receipt. That’s a taxi receipt. Hey, this is a Sunday taxi receipt. Did you really do this for work?”

So the idea is that people cannot do this without tools, right? Because you don’t have time to do it on an individual basis. You need to establish mechanisms for people to do efficient self-reporting, right?

Oscar: Yeah, exactly.

Bengt: But tools cannot work unless they are 100 percent generic, right? Because otherwise, you will need to make a GDPR tool that works according to our way of dealing with GDPR. It can get you the sales meeting but it won’t give you a working customer, because every customer needs to tweak and twist and let’s do it like this instead, right? Otherwise, it won’t work for them.

So people cannot function without tools and tools cannot function without being generic. And here comes the last part, right? Generic tools cannot function without people.

So because otherwise you just sit there with a set of screwdrivers and you don’t know what to do with them. So our approach is consultancy and technology that they bring with them. Then we install the tools in the customer’s own environment, and we start helping them, working with it, build, operate, transfer and then if the customer loves our consultant, sure they can continue working there. But if they want to start doing it on their own, yeah, we just leave the tools. So that’s the approach. It’s not a technical business but it’s not a single consultancy business either. It’s a hybrid delivery.

Oscar: Yes. So ultimately as you said, the last element is the people. It means that almost everybody, almost every employee would be using these tools, correct?

Bengt: Right. But for them it’s super easy.

Oscar: That is the goal, yes.

Bengt: I mean for the average Joe somewhere, they will regard this as an interactive security policy, which only contains the stuff that is applicable for them. If they’re a Linux guy, they are going to read the security manual. It’s going to look almost like a survey system, you know. Survey Monkey or stuff like that. They are going to read the requirements. They can click right into the requirements and tell things or upload files or write stuff or do things. You don’t need to have a PhD in the financial management in order to send a taxi receipt right?

Oscar: Yeah, yeah, exactly.

Bengt: Yeah. You don’t need to know anything. If you’re a Linux guy and then you have your compliance system, you log in there, a single sign-on. You find the name of your Linux system. You click it. You got the 29 requirements that you need to comply with in order for the bank or for the organisation to get their KPIs to understand whether or not they are compliant to NIS or not.

Then if you put in weird things there, people are going to notice and that’s when the organisation’s own experts are going to rush in and start auditing because you audit the extraordinary to understand why, right? That’s what the finance people do.

Oscar: Exactly. Well, it sounds like an excellent approach and almost like a dream tool for people who can do very silly things with generic tools as you said, generic tools that from the perspective of the user are so easy and cover all the possible compliance that are relevant for a specific person. So it sounds like it’s the tools that change the paradigm of compliance management, we have been hearing, knowing for all this time.

Bengt, finally I would like to ask you if you can give us for anybody, common user, common Joe as you mentioned, some final tip to protect our digital identity?

Bengt: For the common user, no, I wouldn’t go there to give some advice there because the common user, they have little possibility to sort out things. I would rather focus on the persons who are in charge of the decisions who are decision makers and who need to guide their organisations through the mess of digital identities and access management, if that’s OK.

Oscar: Yes, please.

Bengt: OK, sure. The most important thing is that digital identity, that’s a piggybacking business, right? It’s harder to establish. Technology, there are great technology providers around that can help you and, you know, I’m talking with Ubisecure right now. That’s what you do, right?

The wonderful thing for people to start thinking about, as they say, “wouldn’t it be great if we could authenticate our users?” or “wouldn’t it be great if we could have the same login all over our organisation?” That is of course to piggyback on digital identities provided in other organisations or in other systems.

I don’t know how international this podcast is but we got the BankID environment in Sweden, which is hugely successful and people are using it for all kinds of purposes and it’s super easy for companies to get going and start working with that. But there are other providers of IDs as well and even if you cannot get a very, very strong authentication with registration and things like that, it still makes sense to use external entities to provide that digital identity because at least you can easily make sure that it was authenticated at one time. It’s the same person or as – we have reason to believe that it’s the same person at a later day as well.

So federation, federation, federation and look for identity and access management sources in your organisation. And that was super hard once upon a time, but today it’s so much easier. I mean for our tool, Compliance Portal, I mean configuring SAML authentication to get single sign-on for the organisation and that’s like two certificates and three URLs and a GIF for the…

It’s like whoa. Like five years ago, it wasn’t almost possible. Today it’s super easy. So make sure that you look for identity sources around you and use them, integrate them. That’s my tip.

Oscar: Thanks a lot Bengt. It was really great talking with you about this approach of compliance management. It’s very inspiring in the finance industry and having this generic tool that everybody can use. Please let us know how people can find you on the net. What are the best ways for that?

Bengt: Yeah. You can find me on LinkedIn. I’m pretty active on LinkedIn. Mostly in Swedish though but I understand some English. So just search for Bengt Berg or you can just email me at [email protected]. Make sure to get the .com in the end there because if you write “Cybercom,” you don’t mail it. That’s an absolutely different organisation and I don’t work there.

Oscar: OK. Again thanks a lot Bengt and all the best.

Bengt: OK. Have a great day. Bye-bye.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the hashtag #LTADI. Until next time.

[End of transcript]