Deborah Golden, Deloitte Risk & Financial Advisory’s U.S. Cyber and Strategic Risk leader, shares insights on the most significant barriers to widespread digital identity adoption and the need to face them head-on as we embrace a more digital world.
Security: What is your background, current role, and responsibilities?
Golden: I’ve dedicated my career in professional services to helping commercial organizations and government agencies navigate the complexity of cyber risk and build cyber resilience alongside broader business and mission transformation initiatives. In my current role as Deloitte’s U.S. Cyber & Strategic Risk Leader, I lead one of the largest business growth and transformation programs in the organization’s 175-year history. In the first half of 2021 alone, I’ve overseen three acquisitions designed to deepen Deloitte’s cloud security and threat detection and response offerings. I’m also a member of the Deloitte U.S. Board Council and the Deloitte U.S. Extended Leadership team. Beyond my day-to-day professional responsibilities, I host a new podcast, “the best problem I ever had,” and I train service dogs on behalf of the Guide Dog Foundation and America’s VetDogs.
Security: How can the industry establish trust in the digital identity ecosystem?
Golden: The COVID-19 pandemic deepened our dependence on digital interactions and virtual experiences, elevating the importance of digital identity in our personal and professional lives. The pandemic accelerated the critical role digital identity plays in providing the foundation for building trust among a broad spectrum of stakeholders, whether they be consumers, employees, partners or vendors, governments, and civilians. It’s how we know individuals and entities are who they say they are, without burdening them to provide constant proof. It’s how we can protect ourselves from data breaches, identity theft, data misuse, and other forms of fraud and cybercrime. Because digital touchpoints constantly permeate personal and professional interactions, organizations have the opportunity to leverage digital identities as a means for building trust—for example, by applying artificial intelligence (AI), machine learning, and data analytics to detect unauthorized access to enterprise systems and fraudulent consumer activity. By using AI and analytics to facilitate trusted interactions, organizations can distinguish themselves for their vigilance in protecting data and proactively mitigating risk.
Security: How can security leaders incentivize people to create and use their identity credentials and organizations to adequately secure and protect those credentials?
Golden: Security leaders and the organizations they represent need to reward employees’, vendors’, and others’ adoption of and active, ongoing participation in digital identity programs.
In the B2C space, organizations should provide consumers with incentives to enroll their devices or offer their consent to use passive authentication. Incentives could be simple messaging statements that speak to how the digital identity program will make consumers’ experiences faster, easier, and more secure while keeping their data private; further, incentives could take the form of discounts or points in a loyalty program. For ongoing participation, organizations could reward consumers with higher loyalty status and special promotions.
For the workforce, incentives aren’t as obvious; so, security leaders need to win the hearts and minds of employees by focusing on making the program easy for end-users to adopt and demonstrating how it enables seamless, secure access and improved productivity.
Ultimately, the best incentive for consumers and the workforce may be a robust user experience since a good user experience makes people want to adopt and share with their friends, while a poor one makes them look for workarounds. When users become promoters because the user experience is so good, digital identity becomes more than a way to mitigate risk; it becomes a true value driver for the business.
Security: How are digital IDs making a user’s data safer?
Golden: Digital identity allows organizations to track and monitor how customer data, preferences, and consent are cataloged, shared, and used internally. With the increasing number of digital services consumers subscribe to, digital identity helps to weave the web of trust that ties users to the data they own.
From a workforce perspective, digital identity can make it easier for organizations to align user access according to different data classifications to determine appropriate access and use policies and permissions. It also enables organizations to scale on/off access requests on demand as application portfolios grow, employees come and go, and business requirements change. The anecdotal evidence pointing to the effectiveness of digital identity is that companies with digital identity programs in place typically earn better results during security audits than organizations lacking digital identity programs.
Security: How can people use their IDs safely while mitigating the risk of exposing their data?
Golden: One of the most important things people can do to try to manage data exposure risk is to educate themselves on the steps companies take to protect their accounts and identities from fraud. That may mean understanding companies’ privacy policies when they sign up for new services or updating their privacy settings with existing banks, retailers, social media platforms, etc.
To make it easier for consumers to educate themselves, companies should create privacy policies that are easy to understand and don’t take an entire day to read.
Security: What are some new use cases for digital IDs, including how digital IDs can offer users a layer of security when using less secure applications?
Golden: From an application security perspective, digital identity enables workforces to use more passwordless authentication methods, like proximity-based authentication, in place of having to type in passwords or MFA PINs each time employees get logged out.
Another approach to consider is digital identity behavior analysis for enterprises and consumers, which can detect and prevent automated bot attacks, session hijacking, and attempts to use stolen credentials.
Of course, digital identity isn’t just about security. On the B2C side, digital identity systems support privacy use cases and serve as the authoritative source of information on customers’ opt-in and opt-out preferences. As such, they’re a critical component of organizations’ Know Your Customer (KYC) initiatives.
Digital identity systems can also support use cases around customer experience and brand loyalty. Anecdotally, organizations using digital identity as the foundation for providing consumers with greater control over data privacy tend to see higher customer net promoter scores (NPS) and increased long-term customer value.