Root Causes 209: One-Day Deployment of Certificate Lifecycle Management (CLM) Platforms

Episode Transcript

Lightly edited for flow and brevity.

• 

  Tim Callan

  So, one of the things that you and I talk about a lot is the technology aspects of digital identities and PKI and the various way it works, and we've done podcasts on things like PKI pitfalls, and is your passwordless really passwordless and a bunch of things along those lines. One of the things we don't really ever talk about very much is that there's a bunch of brass tacks of actually getting your digital identity solutions up and deployed. There's blocking and tackling and that actual implementation is essential. It's very important and if it's not done correctly, or if it's not done well, it makes a big difference to the success of the business.

  We're very fortunate to be joined by Jennifer Binet. Jennifer is, or Jen is, the SVP ofGlobal Enterprise Sales, here at Sectigo. And, as such, Jen has full visibility on what goes on with these deployments, and really is where the buck stops for those. So welcome, Jen.

• Thanks for having me.

• 

  Tim Callan

  What we want to talk about today is that aspect of it - after an enterprise has decided to implement one of these solutions, but before they're up and running, what that onboarding and deployment process looks like and you have a lot of experience in the space. I think that's really changed. That process has changed a lot, hasn't it?

• It most certainly has. I've been doing this for about 20 years. So, watching kind of the evolution of that has been really interesting to see. So, starting back when I was doing this, I remember attaching a six-month deployment professional services engagement to everything that I did. Today, I mean, we have made it so easy in this world with cloud and everything else that we've got, that we are able to spin this up within a day. Sometimes get customers running and going on their use cases by the end of the week. I mean, it's truly been an amazing, for me, evolution to see where it was and now where it is.

• 

  Tim Callan

  What are the reasons? What are the drivers? And that's, that's dramatic. Six months of professional services to the next day? What are the drivers that have made that possible?

• I think obviously going in general, just kind of moving everything to the cloud obviously has made that quite easy for customers. Having all of the integrations and everything available has made it easy for customers as well. So, and then really, for us in general, I think being able to define use cases and making sure that, those use cases are a good strong fit. All of that's really important. I think part of that all goes hand and glove together. I would say that those are some of the big ones.

• 

  Tim Callan

  Like, in the case of the integrations, 20 years ago, there would have been someone who would have sat down and coded it, probably in C++. Today, it's out of the box plug and play.

• That's exactly it. I remember calling up some of those developers to ask and beg if they could kind of put it at the top of their queue. I mean, it would take months. I always had really good relationships with all the support guys to make sure all of this went through. I don't have to do that anymore. Today, I just have to reach out. I do think it's really important, obviously, to have strong and bring in the right resources when needed. So, for me, that's always been a really big part of the of the selling process in general for customers is, make sure you've got the right people that can do the right things very quickly. And today, it's just that speed and ease of having that for them.

• 

  Tim Callan

  I don't know if this question is too overgeneralized, but I want to make this work for everybody in the audience. So, I'm a CIO and I've decided to deploy some kind of complex enterprise digital identity solution. What does that onboarding process look like? What are the steps? What should I expect to happen first? And then what and then what and then I'm done?

• Great question. So usually what we do is, again, I bring in a nice, full team. We like to understand and we like to really dig into not only just the use cases that customers have today, I like to think about customer, like your use cases even future? Down the road. Because when we architect out a solution for a customer, we're doing it for future possibility too. We want to give them that broad reach. So, for me, it's understanding use cases, documenting all of that, pulling that all together and then once we gather all of that great data from our customer and understanding their environment as well, we come together internally, and I try to streamline this with the team. We come together internally, and we discuss what is needed, what's the best approach and I mean, I get all the best minds from our side, together to do all of that. Because I think it's very important that we come up with a nice approach for our customer that's going to be easy for them, deploys quickly, and gets them up and running effectively. It's having that initial call, defining use cases, pulling that together, coming together internally, which we do ourselves, we then read back the plan to that customer, we have them understand what we're going to do and then we just let it go into typically a proof of concept. Customers do like to see and feel what it is that you have. But again, our proof of concepts - I'm not kidding, when I say that I would have done that with drag on for that six-month timeframe way back when I was doing this and I mean, now, when I work on these with my team, I mean, we do seven day POCs. Some days they’re 10 days. I mean, it's drastically gone from that month long proof of concept where it took a really long time to spin up to look at us now. I would say we do a proof of concept and then from there, we do a weekly touchpoint to make sure, are we hitting all the use cases? Are we hitting the plan that you want? Are we where we needed to be?

  Then here's the best part I think at the end. Because we've deployed everything, because we've set everything up and we've architected in such a way, we flip a switch, and it's in production. The customer doesn't have to do anything at that point. Your POC turns into production. I think it's just an incredibly streamlined process. I love where we're at today with that.

• 

  Tim Callan

  So again, perhaps an unfair question, but you mentioned POC might go for six months, etc. So, from beginning, from we get the green light to we flip that switch and we're in production, what's the time range that that typically would be?

• For us on this end, it's a few weeks. I say a few weeks is because we typically have to do some paperwork that is involved in that so. The paperwork is super important. But it's certainly not the tech. The tech piece, we can flip into production and honestly, we've done it days for certain customers. It's really dependent. It's dependent on the use cases. But on average pretty quick.

• 

  Tim Callan

  So, you said another thing I'd love to back up to. You talked about the future. I know that one of the things that we often see is that there's a specific driver. There's this urgent need that causes somebody to go with a more sophisticated digital identity or PKI kind of approach but then they tend to increase their use cases over time. As they start to understand the value and the power of it, they want to do other things that PKI also enables for them. Talk me through kind of that customer process and how that normally goes.

• That's the beautiful thing about PKI. Once you actually deploy it, and you've got those initial use cases, guaranteed there are five more right behind it. As you have it deployed in your system, you realize the broad reach that it could have for you.

• 

  Tim Callan

  Is that other stakeholders? Is that somebody else in the company saying, hey, I want some of that? Or is that somebody who always had this vision, but knew they had to get there in steps? Or does that happen some other way?

• I would say it's a combination of all of it. Especially with the increase in teams now, like, now you've got a DevOps team which we never had before. Until the last few years. So, with all of the increased teams that have come on board, I mean, they all still run under IT, and that CIO/CISO kind of suite. But usually there, if it's your contact,, you've worked with them. We obviously touch bases with our customers to make sure that things are trending where they were hoping that they would be and when we talk to them, they're like, hey, you know what, it looks as though we have a use now for S/MIME. It looks as though we have a use for 802.1x for certificates on there. So there tends to be all of these unique, or not unique, different use cases that come up across the board. Same teams, for the most part, but they keep growing. They keep growing in size. Again, the nice thing is is at that point, usually the POC, if needed, that does take maybe a day or two. They want to be able to put a certificate on a different device and sort of make sure that they can get it there. So, I mean, it is very quick. Usually those add-ons come very fast and we’ve been from this end, it's one of the biggest areas that we focused on is really growing the footprint of the customer and having them leverage everything we've got. So very quick, I'd say for those additional use cases.

• 

  Jason Soroko

  Jen, thank you. So, I love talking about those use cases. I actually got three questions on that alone that I want to hit but before I get there, I got to ask you this is probably the most important message that you've just talked about, which is the whole idea that this isn't your grandfather's PKI. The idea that anybody listening to this podcast who has had experience with rollouts of PKI in the past, you've got to be surprised hearing what you're saying right now. That's absolutely radical changes that are happening. You would know better than anybody. You’ve looked at and have been a quarterback in more of these in what used to be risky and time-consuming engagements for years and years. I got to ask you, what's your ideal customer? In order for a customer to be able to interact with you most effectively? I'm assuming there's got to be some baseline level of institutional maturity, because we are talking about governance and trust related technologies here. What kind of skillsets are they bringing? Obviously, there's going to be some technical skillsets. But I know, Jen, you're a quarterback, not just of our people, but also a lot of times legal people and decision makers, risk officers on the other side. So, what's your ideal customer? In other words, what's the advice to anybody right now, who is going through a digital transformation is looking at digital identity technologies that requires such an intensive relationship with the vendor? What's the customer bringing in your most successful rollouts?

• They definitely have kind of that buy in so that they have to work with somebody like you, Tim, so they have to be able to work with the compliance officer, they're bringing all of that expertise behind them, they're bringing the expertise as just that overarching kind of IT component where knowing the individuals that are going to deploy and integrate and do everything that's important, that's key. Actually, I'm just working with somebody right now, who brings a wealth of knowledge around the contracting process. I know that sounds trivial, but you have no idea how important that piece of it is this is really important infrastructure that we're putting into everybody's environments. The contractual piece is really, really key when we finalize all the tech pieces. Having that relationship with these, that customer’s legal team, with their contracting team. And the lady that we're working with is incredible. She knows how to maneuver and push us to different people to get things done, because it can really get stuck. After we've done all the great tech pieces, and you're ready to have this thing rolled out and deployed out that can be a huge roadblock. So, I think having that somebody that has all of that, bringing that to the table, is so incredibly important. It helps us kind of maneuver through everything and get things the speed of deployment becomes even faster.

• 

  Jason Soroko

  Tim, that's something we don't talk about nearly often enough, isn't it? That's why I'm so glad we're having this conversation. So, Jen, with that being said, there's obviously a key point in the vendor relationship, typically earlier on. Tim and I, because we try to avoid just outright selling a product on this podcast, what we really do try to do, though, is say, hey, what's the best way to challenge the vendor to get the best business outcome for what you're trying to do? And so, to me, Jen, we typically come up with our best ideas for you as Mr. Customer, Mrs. Customer, you're talking to the vendor, you're either at the CIO level, or who knows where you're at in the organization. What are the best ways to challenge your vendor from a high level? Is it asking about hey, is it the speed of deployment? Is it about, are you future proofing me? What are some of the areas that you can challenge your vendor to get the most out of your, what it is you're trying to do with a rollout?

• I do think it's that for me, it's definitely future proofing. I would focus on that. Because we all know, and I think we're all like this in our daily lives you have this specific task in front of you, you want to knock it out, you want to make sure that it's successful, and you do it. But thinking more broadly about what it is that you're going to need, and then really challenging how would that look? How would that or is this vendor that I'm looking at able to keep up with all those future trends that we're seeing out there and be able to execute easily and then the other thing that I think is really important is if you have a problem and you encounter a problem, when you're calling this person are they going to pick up. To me, again, I've been selling this forever. One of my biggest keys to success is any of the customers I ever had, I mean, when they called me, it was instant. For me, I want to give them that level of, I'm here for you. We're in this partnership together, and I want to make you as successful as I possibly can. So making sure that you've got the accessibility to that individual that you're working with, and you feel comfortable with that person that, hey, should something happen, should something go wrong - and I guarantee you it will. It’s software. You want to have the confidence that when you call them, it's going to be taken care of. I think that to me and having broader reach into the vendor. So, it's not just Jen as your salesperson, you actually know, maybe Jason, the CTO. Maybe a few others on the executive team because you've been brought into that mix and you've had these executive discussions. So not just having that single point but I think those would be two biggest things. I think communication and making sure you've got a strong partner that you feel very confident in should anything happen. And then also really looking just past that initial use case and making sure you've got a vendor that you can grow with. I think that’s key.

• 

  Jason Soroko

  It's such an intensive relationship, isn't it? That's what you're describing to me. And that is what was driving me to want to talk to you on this podcast today. I got a final question for you. Just because I am a technologist and it's not just the hardcore soft skills that you bring in such a big way to the customer relationship that you've been talking about. I got to ask you, Tim and I are always going through basically that mix of technologies. Tim often talks about publicly trusted certificates, the public trust world. I often talk about the private trust world. I'd love to hear from you how things have changed through time about customer needs. You've just mentioned two major use cases, DevOps, S/MIME. I'd love to hear about what customers are bringing to you with their problem set about managing and getting visibility to their public certificates, which is quite often where people in the past have started and then say, hey, I also have all these authentication needs for DevOps, for things like remote workers. How has that changed, if at all, Jen?

• I think customers were used to having somebody in multiple systems and checking and looking and it's been painful. I think now I'm seeing huge consolidation. Everybody wants to have consolidated views and be able to do everything from one area. So, I think big management has been even larger. So how do you manage everything you've got. So now we've got all these certificates that are out there. What do we do with them? And they want something simple. We're all stretched. We're stretched every day. We don't have enough hours in the day. Now that I've got everything under management, how do you automate everything you've got? So, for me, it's definitely I've seen a huge shift towards that consolidation component. I still remember going into customers and seeing those spreadsheets everywhere. Now, they have great dashboards that have everything pulled together, so they don't have to go to different areas. Again, it's just making it easy. Make it easy to have those certificates, revoked, and reissued and everything else that they need to do and manage from one place. So having that full automation piece has been really key, too.

• 

  Jason Soroko

  I think a lot of us have seen the kind of analyst charts that have become quite common CB Insights, being one of them, just to shout them out. They have these really intensive slides that have hundreds of logos on them, of the number of vendors that typically a modern CIO/CISO has to deal with. Are you seeing people having fatigue with that wanting to deal with more of a singular vendor that can help to wrap all that together, Jen?

• Definitely. I think that's been the biggest thing I've recognized over doing customer meetings and getting back into those face-to-face is that exact point right there. They do. They want to have single; they want it. They want to bring it together again. That consolidation I think is very key. They're asking for it. It's too tough. It's too tough to keep all of those different agreements that are out there and hear what everybody's doing. If they can have a vendor that can provide them with all of the different use cases that they need and require, that's what they're looking for.

• 

  Jason Soroko

  Thanks so much, Jen. I really appreciate you having come on to this podcast and explained where here the rubber really truly hits the road with what Tim and I talked about in so many of these podcasts. But Tim, I don't want to monopolize Jen. She's all yours.

• 

  Tim Callan

  No. Not at all. Jen, you have a unique perspective and I think it's very valuable to hear how you see the world and how you perceive what's important to the people who are actually operating these systems and maybe one time we can get you back and get into more detail on this kind of thing, because I think there's a lot there still to share.