In this episode of Sandy Springs Business Radio, Erik Boemanns talks with Bill Morse, a seasoned expert in identity and access management (IAM) with over 30 years of experience. Bill, who founded his own IAM consulting firm three years ago, discusses the critical role of IAM in automating employee onboarding and offboarding, enhancing security, and boosting productivity. He highlights the challenges of managing digital identities and the importance of principles like “least privilege.” The episode also covers Bill’s journey into consulting, the financial benefits of effective IAM practices, and practical security tips for organizations.
Bill Morse has a 25-year career as an IT leader in the Financial Services industry including Chase, Prudential, First Data and Fiserv.
In January 2021, Bill started Airitos, providing Identity & Access Management (IAM) architecture and strategy to Fortune 500 companies across industries such as Financial Services, Pharma and others.
In his enterprise career Bill provided IAM leadership through major events including Mergers & Acquisitions, Divestitures, and implementations of new HR Systems, access management and identity governance platforms. 
Today Bill uses this experience to advise companies on their own IAM journeys.
Connect with Bill on LinkedIn.
This transcript is machine transcribed by Sonix
TRANSCRIPT
Intro: Broadcasting live from the Business RadioX studios in Sandy Springs, Georgia. It’s time for Sandy Springs Business Radio. Now here’s your host.
Lee Kantor: This episode of Sandy Springs Business Radio is brought to you by Mirability, providing unique IT solutions, leveraging cloud, AI, and more to solve business problems. Here’s your host, Erik Boemanns.
Erik Boemanns: Thank you, Bill Morse, for joining me today. I’m glad to have you here to talk to us about. We’re going to talk about identity access management, which is probably a term that nobody’s ever heard of. So we’ll dive into what that really means in a bit. But I wanted to start maybe just with a quick give yourself an introduction, tell, you know, tell us a little bit about yourself.
Bill Morse: Sure. And thanks for having me. My name is Bill Morse. I’m about a 30 year career doing different enterprise roles for a for large financial services companies. Towards the end of that time started to focus on what we call identity and access management. We’ll explain what that is in a in a second here. And then about three years ago, I started my own company doing the same thing, but as a as a consultant. So get to get to help, you know, several several organizations with some, some shared lessons. And that’s what we’re here to talk about. Awesome. Thanks for having me.
Erik Boemanns: Yeah. And so that company name is Airitos. Right. And it’s we focus on identity access management. And we will I want to talk a little bit later about kind of that journey to a founding a consulting company and, and some of the things there because that it’s always interesting as well. But, um, maybe just start with what does Airitos do? How do you help your clients? What is maybe even take a step back? What is identity access management?
Bill Morse: So we focus on, uh, so if you think of a large company, kind of, you know, hiring and firing, you know, potentially hundreds of people, you know, weekly, monthly, etc., what we do is we help automate that whole process. And, you know, what we what we focus on is when you bring a new employee in, you don’t want to just give them a computer and joke around how it’s going to take a week to get them all the access they need. You know, we want to get people productive on day one. And more importantly, when they when they leave your company either on their own or, you know, a mutual decision, we want to make sure they lose all the access that they have. And this this is much more important now than it used to be in the old days. In the old days, you’d go to a building, and if you lost access to that building, you couldn’t get to any of the computer systems in it. But now, as you know, everything tends to be in the cloud. So what we do is automate what we call the provisioning and the deprovisioning of that access across all the different applications. So, you know, keep the the enterprise more secure, but also make the the resource more productive, you know, give them access to everything they need kind of on on day one where, you know, where possible. So if you, you know, we’re talking about large enterprises here. Banks and pharmaceuticals etc. But you know, everyone kind of has this need right from the, you know, at the at the lowest level. If you have a PC in your house and you want your you know your child to use it, you might create an account for that, for you know, for your child and say you have access to this, this and this, but I don’t want you messing with Quicken.
Bill Morse: Right. So, you know, at all levels, there’s kind of this, this concept of of identity, right? Kind of prove who you are and then access management. So based on you being Erik and you know, your level of trust and training, etc., I’ll give you access to, you know, these things and, um, you know, the bigger the enterprise gets, the more complicated that gets. Right. One of the things we deal with is, um, called separation of duties. So, you know, maybe if you have this access over here, I shouldn’t give you that access over there. You shouldn’t be able to, you know, approve your own time sheets or, you know, write, write checks and then, uh, you know, make journal entries that kind of, you know, wipe away the fact that you wrote those checks and stuff like that. So, you know, it gets gets more complex the the more complex the business gets. Uh, but it’s basically the same thing as, as just, you know, that that that first use case of, you know, based on who you are. I only want to give you access to what I feel comfortable giving you access to. So that’s that’s IAM in a in a nutshell.
Erik Boemanns: Gotcha. And I think something to point out too, is that not only when the employee starts and leaves, but even in the middle as they get promoted, as things change within the organization, they may also gain access. Because I’m thinking a lot of breaches happen when a person, an individual’s computer gets hacked through, you know, ransomware or something, and then whatever they have access to is the target. Yeah. And so if they have access to something that they shouldn’t have access to because they’ve either changed departments or it wasn’t poorly managed or was poorly managed, that kind of access control, I think, matters too. So it’s not just that beginning and end.
Bill Morse: No, definitely. There’s there’s a lot a lot of concepts. So there’s a concept of what’s called least privilege, right. So you should get the least amount of privilege to do the job that, that you’re supposed to be doing. But in the industry we we have different jokes. Right. So we call people packrats. Right. If you’ve if you’ve been in an enterprise for a decade and changed roles three times. You know, sometimes people are afraid to remove permissions because they might need you to kind of come in and help them out. That kind of thing. But, you know, over the course of, of a long career, you might have access to too many things. So that’s that’s one of the things that IAM is looking at, right. Do you, you know, have roles that can can conflict with each other over time. And, you know, as as people leave departments, they should lose access to the old department and just have the access they need for the for the new department they’re moving to. So great. Great point.
Erik Boemanns: Yeah. And so understanding the kind of complexity, like you said, as the organization gets bigger, they’ll have multiple systems, but even a small company now will have multiple systems and probably a a login and account in each of those systems. So the complexity may vary, right, depending on the organization size. Um, what is it? How does Airitos come in and help? What is kind of that first type of engagement if you will?
Bill Morse: It differs. So one of the things we offer is called an IAM maturity assessment and the use case. There will be typically a new CIO, new CISO. There will be a merger. There will be a divestiture. Something significant will happen, and someone will bring us in and say, hey, just just give us an inventory of what we got from an IAM perspective. Sometimes they have 2 or 3 products to do the same thing. So, you know, help us help us rationalize this to, you know, can we get down to one? Is there a is there a good reason to have two products to do the same thing? Um, a lot of times the the event will be, like I said, either a either a merger or a divestiture. So you’ve got to figure out, um, how do we combine these different user stores or split them out? And a lot of times with, you know, big organizations, the divestiture is announced. You know, we’re going to we’re going to spin this company off, etc. But there’s a period of of, you know, sometimes a year where the, the company that was spun off still has to use systems at the, at the parent company that that spun them off.
Bill Morse: Um, but, you know, there’s a limited amount of stuff you want that that spun off company to have access to. Um, so we’ll kind of come in, look at the whole picture. Um, you know, a lot a lot of what we do, um, from an architecture and strategy standpoint, is draw pictures, right? Um, and, you know, the simpler the picture looks at the end of the day, the better. But typically it takes, you know, hundreds of interviews and a lot of research and stuff to figure out what does the enterprise look like. And then you show that picture to people, and it makes it a lot easier to say, you know, see this redundancy here? We’re going to get rid of this, this and this, consolidate it into that. This is, you know, the future state that we we suggest. And then we talk about how to get there. And um, again, the bigger the organization, the longer these processes take. Because, you know, systems that have been around forever, they they tend to grow legs, right? They’re used in ways people forgot they were used. So you really got to kind of, you know, go through and dissect these things carefully.
Erik Boemanns: It makes sense, especially in the divestiture where your point was exactly right, where you have a user base that’s now no longer part of the company, but still needs to access those resources. But I think something I heard you say, as you’re talking about that is the multiple systems. What do we even have? And we may have 2 or 3 systems. So I assume one of the outputs of what you’re doing is to actually help simplify, which then probably one could improve their security, but two has a cost saving.
Bill Morse: It definitely is. Yeah. And there’s there’s a couple of ways where IAM can can help you save costs. So one of them is, um, you know, knowing who has access to different systems. So, you know, a lot of these cloud systems, you provision people, they they leave the company, you kind of forget to deprovision them. So, you know, going in and looking at your email provider or looking at your CRM provider, etcetera, looking at all the accounts that are still active that you’re still paying for and make sure you’re, you know, those people are still around. That’s that’s one of the, the easiest ways to kind of, you know, show some show some cost savings. Um, but on the, um, on the, on the what we call the harmonization side. Right. If you have three, three systems that do the same thing, you know, the goal is always to get, you know, down to one, you know, reduce your attack surface, you know, run one thing and run it well. Um, but we joke it’s a lot like painting a bridge. So it takes, you know, it takes a year to paint it. By the time you’re done painting it, they’ll merge with someone else. So now they. You know that. And that other company might have a, you know, a fourth technology. So now you have to kind of take a look at that, you know, hey, they’re using this other technology, you know, how are they doing with it? Can, can our technology do all the stuff that their technology does, that kind of thing.
Bill Morse: Um, so, you know, one of the things about IAM is it almost never ends, right? You’re always trying to get simpler. Um, from a, from a user access standpoint, we’re always trying to make it easy so that it’s, it’s role based. Right? So if you join the company and you’re a, you know, tax accountant one. Um, you should get access to six different systems to do your job. You know, by just by just by putting you in that one role. Um, so we have, we have concepts that we call birthright access, right? So as you, as you join the company, you kind of get everything you need just because you’re in that role. Well, these roles change, right? As you know, your CFO says, hey, we’re not going to use that tax platform anymore. We’re going to shift to this one. Now someone has to go in and see what permissions. Tax accountant one should have. So it’s kind of a it’s always an evolving thing. We always try to evolve towards a, you know, simplified, easy to manage model. Uh, but it’s uh, you know, it’s a journey.
Erik Boemanns: I think the other thing that I heard just now, if a person is leaving the company and you forget to de-provision their account, if you forget to delete them from the system, or you’ve got so many systems, you remember to do it on two, but you forget on the other eight. If you also are either interested in going through an audit, a security audit, like a SOC 2 or something like that, that’s something that the auditor is going to check. And then they’re going to have all sorts of questions about like, why is this person still in your system if they haven’t worked for you for six months.
Bill Morse: And so it’s an uncomfortable conversation. Exactly.
Erik Boemanns: So if you are thinking about that sort of audit or or already under it, having something like this looked at and and fixed is almost a critical item at that point. Yeah.
Bill Morse: Yeah, that’s that’s one thing we’ve seen. Auditors love automation. You know, they love the ability to, you know, push a button and run a report. Um, you know, even if the report has, has bad news on it that at least you can run it, right? It’s much better than, um, you know, having to make the auditor go go dive for it. My wife’s an auditor, actually. So there you go. She always tells me the, you know, the the friendlier you are with me, the better the audit goes. So I try to I try to put my clients in a way where they can, you know, kind of make the auditor happy.
Erik Boemanns: We talked about cost savings. We talked about some security benefits and a lot of business owners, when they’re thinking about security and they’re thinking about risk, it’s it’s cost that I spend to not lose more money, but it’s just still a cost center. It’s still me spending money. And this could feel that way to other than we said, there’s a few cost savings, but I think the an aspect of this that’s missed is that these can be a business enabler as well. So how do you see that in terms of identity, and how does it having a good practice around identity actually become an enabler, not just a cost?
Bill Morse: That’s a great question. Yeah. Since since I’ve been in this business we’ve almost joked about it, you know, can can security be a business enabler. Right. And you know, the people that just want to get some functionality out of it when the when the security department says, hey, you can’t do that. And here’s why. You know, there’s all these jokes, right? Where the department that says no and all that. So we, you know, we always try to say, hey, you know, we can be a business enabler. I think we’re finally getting to the point where people are believing that. Right? So when you when you wake up and your system is not ransomware, you know, when you’re when your website’s not defaced, etc., um, you know, hug your CISO. So, um, you know, we’re at the point now where like, like from an identity standpoint, I’ll give you some specific examples, right. You mentioned a minute ago that, you know, all these different cloud systems. You might have your own ID and password. Yeah. So if we go in and we enable them all for single sign on, we’ve made ourselves way more secure. Right? I know that if you don’t have access to the thing that you can single sign on through, then you lose access to all these things immediately. And I can worry about deprovisioning your account later on.
Bill Morse: But from a user perspective, I can now give you, you know, a portal where you can just click on all the access you have, all the apps you have access to, and kind of, you know, log in directly without worrying about, you know, an ID and password for, for each one of them. Um, so there’s, there’s, there’s different um, you know, another even even simpler. Right. People used to complain about, um, you know, I step away from my desktop for ten minutes, and when I get back, it’s locked. Now I have to log into it. Well, you know, with with, um, Windows Hello and touch ID, depending if you’re, if you’re a PC or Mac, it’s not that big a deal anymore, right? But now, you know, I’m authenticating you with a with a biometric, not just a simple password. So you’re more secure, and, you know, all you have to do is drag your smile, your camera, drag your finger across the fingerprint scanner so it’s, you know, it’s easier for the user and more secure, you know, and I do want your desktop to lock when you walk away. So there’s there’s several examples where, you know, you can be more secure and make the user happier at the same time.
Erik Boemanns: Yeah. And so happy users, obviously more productive users. And I think you start talking about fingerprint biometrics and the idea of passwordless is is a topic that people may have heard about. And we’re so focused on making sure that that people have different passwords and strong passwords, and all of a sudden we’re saying actually just don’t even have a password. You’re going to be more secure if you just skip that step altogether, which I think also can result in more security and more productivity and lower risk as well.
Bill Morse: Yeah, yeah, shared secrets should, uh, you know, and that’s, that’s a fancy way of saying passwords and other things that, you know, you know, but someone else can, can guess or find out or whatever. Just a public service announcement, right? When we when we tell you to use a different password for every site, you know, there’s there are reasons that we’re we’re telling you that. Right? We can kind of scare the audience by, uh, you know, explaining that, you know, as, as, as, as sites are hacked and IDs and passwords are kind of, you know, discovered there is really simple technology that can kind of, you know, spray those IDs and passwords across every other website on Earth, right. So that’s that’s why we don’t want you to have the, uh, you know, the same password more than more than once. But another example of how, you know, security can make users happy. Um, there are very good password managers. Right. It’s trivial now to have a, you know, strong, unique password for every site, and you don’t even need to know it, right? You just, you know, unlock your, your, uh, you know, keystore on your computer and, um, you know, pass that, pass that password. So.
Erik Boemanns: So I’m going to pivot the conversation a little bit. I mentioned we want to talk a little bit about the business itself, consulting and how kind of what motivated you to shift to that mode of.
Bill Morse: I’ve wanted to have my own business since I was a child. So it was it was it was time. Right, right. Um, so I was looking for my next my next role, um, had several offers to take another kind of enterprise role, but I got one offer that was a, you know, an offer to come in as a consultant and, um, you know, working, working through the details, I realized this was my this was my chance to kind of, you know, come in, start my own business, come in as a consultant, um, you know, through through another consulting company that had the actual contract, but then try to build, you know, my, my book of business on my own. Um, so that was about three years ago now. Um, you know, I’m I’m enjoying the journey. So, you know, one of the, one of the things that, um, is kind of fun about it all is, you know, if you come from the enterprise side, where, you know, you’re supposed to secure the the ERP platform and the accounting platform and HR platform and all that, but you don’t really understand 100% what these things do. Now you’re running your own business, and you need an HR system and a CRM and an accounting platform and all that. So, you know, these days, um, you know, if you’re if you’re out there thinking about starting a business, I would say go for it because, um, you know, it’s a lot easier. You know, you can subscribe to all these things. You don’t need to stand up a data center, etc.. You know, all this stuff is kind of available. Um, you know, the more people that use something, the easier it is to find other people to, you know, ask for advice and etc.. So, yeah, you know, the process of getting this all started was, uh, was very exciting. And anytime anyone and I could go for a couple of hours about starting a business up and integrating all your systems together and all that. So if anyone wants to know more about that, please, please reach out. It’s one of my favorite topics.
Erik Boemanns: You did mention one thing, though, that I think scares people the most about starting a new business. You should build your own book of business. So getting customers, getting clients that obviously once you get past that curve, having your own business is amazing. It’s fun. It’s getting to that first customer second, and then a repeatable process. Um, so do you have any secrets you want to share about how are you acquiring new business?
Bill Morse: So our so one of the things about identity and access management at the enterprise level is it’s, it’s difficult for a very small business to knock on, you know, a large bank or pharmaceutical store and say, hey, I can I can help you with your problems. Right. It’s it’s almost impossible. Um, but what we do is we, we call them our channels, right? So we partner with much bigger consulting firms that already have those relationships. And in the ideal situation, they don’t do IAM. So they might do ten other things for a for a company. And if they hear IAM they’ll kind of call us and say, hey, we you know, we just heard that this company has this problem. Can you can you solve it? Um, sometimes we can’t. And I’m and I’m happy to, you know, stay in my uh, my wheelhouse. Um, you know, one of the things is, is people, um, often ask me, hey, is this guy your competitor? And I always joke, I’m too small to have competitors. You know, there’s enough business out there, um, that, you know, the crumbs that fall off the table from from some of the big guys are big enough to to, you know, run your own consulting firm on. Sure.
Erik Boemanns: So you’ve been doing this a few years now looking forward. What are you excited about?
Bill Morse: What am I excited about? I, I personally want to get to the point where I’m no longer billable. Right. So we right now we have about a dozen people, um, you know, there there is work involved in, you know, going on podcasts. Actually, this is this is great. Thanks for having me. But there’s there’s work going out there, marketing, you know, running the business, finding, finding the next job, etc. And, um, you know, when I stand up and say, yeah, I’ll get that spreadsheet to you next week, you know, I need someone to smack me and say, no, you can’t. You know, you’ve got other stuff to do. Like, you know, delegate that. Um, so 2025 is going to be the year where, you know, Bill is is less billable. The guys in the office are kidding about that, but also want to want to get bigger. We have some some revenue targets for this year that we think we can hit. Um, you know, I’m making it sound like it’s great. One of the scariest parts of starting your own business is, well, talking to other people that have a successful job into quitting it and coming along with you. That’s that’s the most terrifying part. Yes. So, you know, you got to remember you’re bringing other people along on this, on this journey with you. But it’s it’s been, you know, a lot of fun, very rewarding so far.
Erik Boemanns: That’s great. Um, so real quick as we are getting close to the end here, how can people find out more about Airitos and reach out to you?
Bill Morse: So we have a website just w WW. Com has a contact us link. That’s one of the best ways to to kind of get our attention. Um, we’re also on LinkedIn. Uh, we have, we have a page on uh, on LinkedIn. If it’s okay, we’ll put links to both in the, uh, in the comments and all. Um, and, you know, bring bring us your, uh, your questions, comments, concerns. You know, one of the things we, um, we really believe in is, um, you know, as an industry, as a society, etc., we’ve got to talk about these things. And one of the things I wanted to I want to talk about today is, you know, we, you know, if some someone wakes up and their system is ransomware, like I said a minute ago, it’s not something to be embarrassed about. It’s something to tell everyone about and tell them what you could have done differently so that we can all kind of learn from the experience. So, you know, if you if you want to tell me something I said here was wrong or if you want to ask for advice. Either way, you know, feel free to reach out.
Erik Boemanns: Yeah. And real quick, if you don’t mind spelling the company name as well.
Bill Morse: So it’s, uh, A i r i t o s. So, yeah, some people do tell me it should be pronounced like like the bag of chips, but but it’s it’s it’s supposed to sound Latin sound.
Erik Boemanns: Yes. Not a snack. Um. So awesome. Appreciate that. I just want to close out. Maybe, um, what are three things that people could do as they today to make themselves more secure?
Bill Morse: That’s a good question. So we mentioned one of them. So, you know, talk to each other. Right. Learn from each other and and, you know, share your experiences. Share your your good experiences, but also your, your bad ones. So we can all learn from it. Um, have a healthy amount of skepticism. You know, so, um, you know, when you get that link that says click here, your package can’t be delivered or you got a wire or whatever. You know, think think twice about where it came from. Uh, you know, all the advice people give you. Check the URL, make sure it’s a known sender, make sure it’s a, you know, SSL cert, etc. but be skeptical when you’re when your bank calls you out of the blue and they’re asking you for more information that they should probably know already. You know, make sure it’s really your bank. So we all have to be skeptical. But we all we all have to tell each other about this so that we all understand, you know, where to be, where to be skeptical. And then if you’re, you know, if you’re a you’re a service provider, your bank, your insurance company or your travel agency, whatever. If they’re offering more security, take them up on it. Right. You should, um, you know, we talked about having unique passwords for all your sites, but if they offer what’s called multi-factor authentication, where, you know, you can’t log in without, um, you know, acknowledging a notification on your phone or that kind of thing. Take them up on it. Right. You know, it’s our responsibility to be as secure as we’re we’re able to be. If the vendors were working for our, um, I’m sorry, if the vendors were using our offering security, we should take them up on it. And if they’re not offering these levels of security, we should we should push back and ask for it be.
Erik Boemanns: Consider different vendors. Right.
Bill Morse: Right, right. Part of part of due diligence.
Erik Boemanns: Right, exactly. Well, thank you again for coming. I appreciate the time and the insight and look forward to next time.
Bill Morse: This was great. Thanks for having me.
About Your Host
Erik Boemanns is a technology executive and lawyer. His background covers many aspects of technology, from infrastructure to software development.
He combines this with a “second career” as a lawyer into a world of cybersecurity, governance, risk, compliance, and privacy (GRC-P).
His time in a variety of companies, industries, and careers brings a unique perspective on leadership, helping, technology problem solving and implementing compliance.