IDPro = Help Build Next Gen of ID Professionals

From IIW

IDPro: The Organization for Identity Professionals

Tuesday 5I

Convener: Sarah K Squire, Steve “Hutch” Hutchinson

Notes-taker(s): Steve “Hutch” Hutchinson

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

  • Where is Identity in our organizations?
  • Is it merged with security? Is it part of the larger IT organization? Do you end up sending identity experts to the four corners of the organization and infuse it with our know-how? My guess is a bit of all of these. There’s no one “standard” place for identity to be located on organizational charts
  • With the rise of the value of identity within business systems, identity professionals are in high demand. But we still struggle to grow in terms of prominence when it comes to executive mindshare. Or prominence with policy makers. Or even when trying to grow communities like this one.
  • We do hear a lot about security and privacy. They are the peanut butter & jelly in today’s world but they have their limitations. GDPR is a good example of this.
    • For certain, there are obvious security requirements in GDPR: encryption in motion, encryption at rest, have a security program. Those are definitely security requirements
    • There are also easily understood privacy requirements: privacy by design, privacy by default, know who your Data Protection Officer is. It’s great and important stuff.
    • But there are also requirements in GDPR like “Do Not Process,” “Right to Rectification,” and all of the “Consent” stuff. The default tools available to Security and Privacy cannot do these. Because these are identity requirements. Only the tools in the stable of identity professionals have these capabilities. This is our workshop.
  • In order to provide a stable base for all of our enterprises to rest upon, not only do we need security & privacy but we need to add identity to that as well
    • Identity is the human interface for security. Without identity, you have a lot of boring logs without context, and that diminishes their value
    • Identity is the operational arm of privacy. How else do we grant access to data? How do we monitor it? That’s us.
    • Security and Privacy give us the requirements and we make it real. We are the fabric by which their needs are instantiated in the enterprise

Identity industry lacked a professional organization

  • We’re not always the “go to” source in the enterprise to get these answers. Our voice isn’t always heard when some of these decisions are being made about how to tackle large-scale problems like GDPR
  • We face these challenges, in large part, because, unlike our peers in Security & Privacy, we have not had an advocate to be the entire industry’s voice. We didn’t have an advocate for the profession and the practice and the discipline of identity management
  • In that sense the Identity industry was a collection of professionals without a profession

How did you learn identity management?

  • It’s a difficult practice to learn because there’s no established curriculum so most of us gained our knowledge by first learning a particular vendor product and then backing into the art
  • Let’s ask the question a little differently … how long did it take you to learn? How long does it take to train someone in your enterprise? You get a bright, smart kid right out of school and you put them into identity. And you do what? What is the curriculum? A couple of blog posts? Some Twitter handles?
  • You’ve really got to *want* to build new identity professionals because the resources required are enormous

How do we grow this industry?

  • All of these things restrict the growth of this industry. How do we change that?
  • How do we grow the industry in terms of prominence among executive mindshare?
  • How do we grow the industry in terms of prominence among policy makers?
  • Last year, Ian Glazer had these same questions kicking around in the back of his head and in the spring of 2016, he sat down to discuss this situation with Allan Foster and Robin Wilton from the Kantara Initiative who, as it turns out, were also noodling on the problem
  • Kantara agreed to host a discussion group which was launched in May 2016 at the EIC in Munich and at the CIS the following month in New Orleans. Within the first three months, we had over 400 professionals sign the pledge. Over 100 of those signed up to begin the actual work on a code of practice and body of knowledge
  • All of this led to June 17th of this year when we announced the formation of IDPro, a fully incorporated 501c6 non-profit organization of, by, and for identity professionals

What is IDPro?

  • Three things we’re focused on from a program level:
    • Membership
    • Code of Practice
    • Body of Knowledge

  • The development of the above three are in support of the eventual development of a certification


  • Individual Memberships
  • Corporate Members
    • We also have ~ 15 fully-paid corporate sponsors
      • Including Oracle, Radiant Logic, Ping Identity, SailPoint, GIGYA, ADP
    • We have another dozen corporations pending legal/paperwork
  • Organizational Partners
    • FIDO Alliance, Women In Identity
  • Event Partners
    • First one is Identiverse

Code of Practice

  • If we’re going to be a profession and formalize this, we need to have a code of practice. And we’ve been hard at work creating one that incorporates ideas around professionalism, personal integrity, and onward continuous skills development

Body of Knowledge

  • But I also asked you earlier “how did you learn this?” One of the trickiest parts is finding a curriculum to give a new identity professional … or for yourself because you just inherited Customer Identity Management, and you don’t really know what it is.
  • So we’ve been working on developing a taxonomy for identity management. Because if you take two identity professionals and put them in a room together and ask them to define one term, they’ll come back with four definitions. We’ve got to make it easier to pass through this forest of knowledge and learn … not just debate the definitions


  • Building that body of knowledge is all in support of getting to certifications
  • In talking to companies and professionals across the globe about certifications, the most important thing to any of them is that a certification has to be neutral. They cannot be specific to a product but instead address a discipline: “This is how you do access certification”
  • Certifications have to be applicable, which means we need to keep them contemporary. We need to be addressing the practices that are important today that practitioners are responsible for and performing in their normal line of work.
  • And finally, a certification needs to be meaningful. It has to have teeth. We don’t want this to be a paper mill, we want it to represent that you really know your stuff.  

Member Services

  • A monthly newsletter that includes best practices of things to do in your world. Original editorial content targeted specifically towards our membership. There is already an established team under Andy Hindle creating and collecting content as well as establishing a publishing calendar
  • A daily news clipping service. There’s a lot going on in our industry and it’s really, really hard to keep track of everything
  • Digital forums that can bring practitioners together for discussion on current issues or even for those seeking help from other experts. This is one of the most important things we can do. At identity conferences across the globe, some of the most popular sessions have been case studies. People talking about what they have done in their own enterprise.
  • And meetups, like this one. How do we physically get together in one place? It’s great to go to a conference and be surrounded by identity gurus from across the globe. But not everyone gets to go to those conferences. So how do we do something locally?