Salesforce, Inc. (CRM) Earnings Call Transcript & Summary

With that, we will move on to the next phase of today's main tent events, where we're doing Garrett Bekker, Senior Research Analyst for Information Security, and his guest, Ian Glazer, SVP for Identity Product Management at Salesforce, in a fireside chat, where they're going to talk about multifactor authentication, or MFA, and its adoption in the enterprise and its role as a critical component of a broader zero trust strategy. Over to you, Garrett.

Thanks, Melanie, and thanks, everyone, for joining us. Thank you, Ian, for joining us.

So let's jump right in. Ian, I did a webcast -- sorry, a podcast a couple of weeks ago with one of your colleagues about -- and one of the things we talked about was that Salesforce recently rolled out the requirement for multifactor authentication or MFA in your organization. So maybe that's a good place to start off. Maybe you could talk about that a little bit. What was the motivation? What was the problem you're looking to solve, et cetera?

Well, first off, it's great to be here, Garrett. Thanks for having me. And yes, I know you that you talked to Tom Gersic last week. And absolutely, Salesforce has been for the last 1.5 years, I'd say, pushing very hard to drive MFA adoption in its customer base. In fact, come February of next year, we're going to require our customers to use MFA when they interact with Salesforce. And the goal there really is about, well, as our CISO, Jim Alkove, says, it's time to put our seat belts on, right? I think all of us who use enterprise services and frankly, consumer-facing ones as well, it's time to do better because we know that strong authentication, things like MFA are one of the best controls that you can deploy both in an enterprise context and frankly, in a personal context, protect your customers and yourselves on the Internet.

So were there any specific types of attacks you're looking to solve? In other words, was it trying to solve fraud? Was it trying to solve phishing? I know a couple of years ago, Google did a similar thing, and one of their motivation was to try to get rid of phishing attacks.

Yes.

Was the motivation there?

So from an attack perspective, obviously, phishing is a persistent threat that we want to mitigate as well as credential stuffing, right? We see a lot of adversaries out there that are looking to find valid credentials. And the reality is we've all got a lot on our minds. And so one of the shortcuts that often people take is password reuse because it's one last thing to think about. And so that's where credential stuffing becomes such a threat is that once we get -- once an adversary gets a set of credentials that are valid, there's a good chance it's going to be useful in other places. So we really want to mitigate those threats. And that was one of the initial goals for the push for MFA.

Got it. And were you concerned at all about some of the customer pushback? And has that been an issue? Have you gotten any feedback so far?

So overall, the feedback has been really positive. We've heard from a variety of our customers saying, "Thank you. You have given me the justification I need to push MFA further in my enterprise." We hear this from CISOs a lot and like, oh my goodness, thank you that one of my major vendors in my landscape is saying, look, it's time to level up, right? It's time to increase our shared responsibilities for establishing trust. So we see amount of people saying like this has been great. Obviously, there are specific use cases that can be more challenging than others. For example, scenarios like third-party call centers, where the organization may not have direct control of the infrastructure, the workers may be more on a contract basis. And that provides a little bit of extra challenge for certain, but there are certainly ways that, that can be mitigated.

Excellent. Well, I guess last one on that. What about your own? Were there specific user groups or what about -- have you thought about rolling out to internal employees at Salesforce?

Well, we rolled out MFA to internal employees back, I want to say, about 5 years ago and could be off a little bit there. And we did that to -- at that time what was, let's call it, about 18,000, 19,000 employees. So we've obviously grown a lot over that time period. But at the time, Salesforce did a massive communication push internally. We turned all of our office sort of tech centers where you would go and get tech support with the device. We turned them into essentially like MFA enrollment parties. So we overcommunicated. T-shirts and pizza go a long way. And in about 48 hours, we got somewhere in the order of 98% of our employees fully enrolled in MFA using it in conjunction with our single sign-on infrastructure. And that was really good because it has been the basis ever since, right? So in a lot of ways, I don't even think about MFA enabling our employees anymore because that's something done in the past, and it's just taken for granted. What we hope is other organizations emulate that, both internally for themselves. And I think you and I, as we were thinking about this conversation, know that there's some data that we both have seen that are saying, yes, look, there's a lot of interest in terms of MFA within the enterprise and really taking this word to heart and not only practicing it for interactions with Salesforce products, but also with their own infrastructure.

Interesting. So -- there is good segue here, I want to -- this shows a chart that I've gotten a lot of mileage out in the past few years. And it's essentially from our Voice of the Enterprise service or we call VoE for short. And anyone out there, I'm sure we've seen some other VoE charts already throughout the sessions. But basically, we survey several hundred senior level IT decision-makers about a variety of topics. And this particular one we do every year, where we ask what is the level of deployment of various security tools. And this particular chart actually has about 25 or 30 different tools on it. But just for the sake of making it readable, we've truncated a bit. But essentially, what we found is -- and this has been pretty steady over the past 5 years or so, not surprisingly, the most deployed security tools are things like firewalls and email security and endpoint security, right? And conversely, we look at things like MFA, and MFA has historically trailed by quite a bit. We've seen pretty steady last 5 years, 50% deployment, 51%, 52%, 53%. It was almost like clockwork. Every year, it will go up 1%. And that's not even enterprise-wide rollouts, right? Those are often departmental rollouts. They're only for mobile workers and what have you. But anyway, it's interesting. And I suspect part of the reason for that years ago, I used to cover network security, I used to install firewalls. And one thing about firewalls is typically talk about pizza and caffeinated beverages go a long way on a Friday night. We'd show up with our firewalls after everyone left for the weekend, and then we install them. And then Monday would come around, and all the employees are coming in and they'd be none the wiser right? They don't really know what's going on, has it interrupted or impacted the way they interact for the most part. MFA, that hasn't been the same. Now we saw -- and actually moving ahead to this next slide a little bit. We got a boost from work from home. And last year, the big rush to remote access, we've -- our survey data is now showing 75% of businesses say they have a significantly increased reliance on remote work. So that gave a boost to enterprise adoption of MFA for sure. It went up to 61% immediately. So I guess what I want to talk about here, what do you see is some of the challenges? I've got my own ideas, but what are the challenges for MFA? Why have we trailed other security technologies for so long?

I think part of it is that there's been a reticence to ask the user to do something different. We ask, especially in an enterprise context, our employee users to do a lot of different things. There's a lot of hoops sometimes we make them jump through. But I think with each decision to do that, there is some hesitance to say like there's going to be push back on this. There's going to be resistance. And a lot of that is grounded in some very pragmatic needs. Our fellow employees want to get their jobs done. They want to do their jobs. And in a lot of ways, sometimes the hoops that we put in front of those enterprise users feels like getting IT's job done for them and not the individuals, right? They didn't feel a sense of buy into why do I need these controls? Why do I need to do these extra steps? So I think in some regards, that's one of the major reasons that MFA has maybe trailed is that this is very clearly something of, hi, we're going to ask you to do something different and it's going to be a new moment in the path between you and getting your job done, we acknowledge that. And too often, that conversation stopped right there. And it left off the really good part, which is the reason why we want to do this, roll out MFA. We're going to push a challenge to your phone. We're going to ask you to insert a USB key is because we are so invested in trust and keeping the trust of our customers and protecting their information and protecting their workloads that we're asking all of us to pitch in, right? And leaving that part out leaves out the larger mission that I think most employees would actually get behind, which is saying like, "Yes, I do want to persist and improve and grow the trust to my customers, to me and my organization. So yes, I'll pitch in. If it costs me one-button push, yes, why not? Absolutely. So we've got to really make sure that, that larger mission, that larger justification, if you will, is shared so that people are like, yes, I can buy into that.

Yes, it makes sense. I've often wondered is accountability part of the issue? I think sometimes end users are thinking, well, why is this my problem? Why do I have to worry about it? IT should take care of it? Or what's the benefit to me? And to your point, I think there's a little bit of socialization that needs to go on, I think, internally. We're certainly -- security awareness training and things like that, we're seeing a lot more of that. We're certainly doing that internally at S&P.

So Garrett, actually, one thing about that, which is the shared responsibility aspect. So as employees, we have a shared responsibility to our customers and to our organization. One of the things that we talk about is that security is actually a shared responsibility between us and our customers as well. There are obviously things that we as Salesforce can need, must do to improve the security posture of our services. And there are things that are uniquely what our customers can do, they can have endpoint security in their infrastructure. That's not something obviously we have implements of, but we can strongly suggest it because it's really a shared partnership to protect the data, which represents our mutual customers. And so that shared responsibility is a bit of a nuance in the conversation. Often the story stopped with enterprise employee. But if we then say, look, let's add the customer to this conversation, then that shared responsibility starts to paint a broader picture that both organizations really can get behind.

Interesting. No, it's a very good point. I just skipped ahead of the slide here, but actually, there's some good news on the horizon. We had some other Voice of the Enterprise data. We asked specifically what are the most common controls that you'll see as a result of work from home and very good news. We see multifactor authentication at the top of the list, which I think is certainly encouraging.

Nice to see.

And also same with cloud. We ask a similar question, what are the top security technologies to use in the cloud? And again, we see MFA moving to the top of the list. So I think that's definitely an encouraging sign. Another issue that we talked about the other day about getting this involved and getting your employees involved and getting this rolled out some of the challenges is certainly an issue that we -- that I've talked about, my teammates have talked about a lot in the last 7 years, this idea of skill shortages. And we're seeing it across the -- we're seeing it in cloud. We're seeing it in security. Certainly, we're seeing in different pockets of security around IM. So maybe -- and we talked a little bit the other day about some of the IDPro stuff. So maybe now I'll turn it over to you, and you can talk a little bit about that.

Absolutely. So besides my day job of looking after product management for the identity services here at Salesforce, I'm also the Co-Founder and Board member of IDPro, which is the professional association for digital identity management. And it got formed some years ago, partially out of a realization that there aren't enough IM practitioners out there. And it's incredibly hard to grow new ones. Now we've been doing a lot of things as IDPro. We've been building, for example, a vendor-neutral body of knowledge, which is publicly available for personal use. We've just rolled out a certification program for identity management. But one of the other things we do is yearly, we conduct a skills and program survey. And we just released this year's results to our membership. The rest will become public in about 30 days. But one of the things we ask about is okay, respondent. What would you identify are the top priorities for the enterprises you work with? And over the last 3 years, the big 3, if you will, has been multifactor authentication, customer identity management, CIM and then cloud identity management, I guess. And over the last 2 years, very specifically, MFA has owned the top position. This, in my mind, is not surprising given the pandemic and the push to work from anywhere and the sort of effect, the knock-on effect of saying, okay, to do that, one of the most cost-effective controls I can roll out is MFA and the most effective in terms of from a mitigation of many threats. And so it's not necessarily surprising that we see institutions, organization saying, "I got to roll out MFA." Now what is an interesting contrast is so we ask about what are the enterprise priorities? But on the next slide, we also ask as an individual practitioner -- Garrett, would you mind going ahead one? Or I'll just...

Yes, yes. Sure.

We're talking sort of in contrast here. Yes. As an individual practitioner, what are areas that you want to learn about? Now this list looks really different. Now IDAS is one of the top items, it has been over the last couple of years. In some regards, this isn't surprising. I think these are practitioners saying, "Hey, there is a market opportunity here, right? More enterprises are interested in IDAS. Maybe I don't have skills around there, and I want to learn about it." But some of the other areas, things like self-sovereign identity or standards maybe more about the individual saying, "Hey, these are growth areas for me as the practitioner, and I'm keen to dig into that." So let's go ahead with more. That contrast between what the enterprise is interested and what the individual is interested over this year has been really stark in some places. So I mentioned self-sovereign identity, where individuals or respondents are very interested in, "I want to learn more about this." It's maybe not making above the fold, if you will, for the enterprise priorities. Whereas something like API protection, we see sort of an even response that individuals say, "Hey, look, there's something here. I need to learn more about this." And organizations are clearly saying, "As we are shifting to API first, we need to up level our capabilities and our skills here." And then you have MFA, which is the opposite, contrast, which is really high enterprise priority, not so much from an individual. This doesn't necessarily concern me because one of the things we actually look about -- we look into in this survey is where do people have experience in identity management? And our preponderance of respondents say, MFA is one of the big 5 things that everyone seems to do in the identity world as a practitioner. And so although there may be lower interest from an individual priority perspective, the good news is we've got a lot of people with a lot of skill who can go do MFA, which meets that enterprise.

So it's interesting. As you're talking about that, remind me of something sort of a phenomenon that we encounter. Certainly, I've encountered over the past 5, 7 years is 451, we have a reputation for being very sort of bleeding-edge focused on innovation and disruption. We deal with a lot of early-stage companies and a lot of early-stage trends. And I'm thinking of things now like cloud infrastructure, entitlement management and even things like password list that maybe aren't exactly bleeding-edge, but passwordless and adaptive often, all those early-stage stuff where we are very well-versed in. But yet when we have conversations with the average enterprise, they still haven't caught up to that stuff yet. They're like, "What are you talking about? I have no idea what this stuff is." And I guess, to some extent, and as I'm looking at this IDPro data, remind me of that a little bit, that maybe firms they sometimes take a while to get caught up. It seems like certainly the employees are a little bit ahead of the curve in terms of what they want to learn and what have you. So -- but I guess the other question is, you mentioned that we've got skills in terms of MFA already there. When I looked at this data, it looks like there's a little bit of a disconnect between what employees want to learn and what companies think is important.

Sure.

Is that an issue, do you think? Is that a barrier to further deployment of some of these technologies? Or how do you view it?

I don't think -- first off, it shouldn't be very surprising. One of the things I love about digital identity management in the industry is that we're a curious bunch. There is a lot to learn, and that it is a great place to be a practitioner if you want to be surrounded by people that are pushing in various directions, right, so that the total domain of identity management continues to grow. So that's a good thing in my mind because it's the way that you can actually have a career in something and not get bored, not because, okay, well, I did workforce identity, and now the only other thing I can do is go do customer identity. Well, that's actually not the case. There's a lot of new ones and all that. There's a lot of space to learn. And I think you're right. I think that individual interests sometimes pulls enterprise along. And partially, this is because you have senior enterprise architects or identity architects, or security architects who are saying, "Look, where we want to go is to north star as a business is stated here." To get there, I'm seeing that these are risks we've got to mitigate. Good news is there's emergent things in my discipline. It's identity, it's security, what have you, that can help mitigate those things. Let me go dig in and present a case for why we need to go invest in these areas in order to reach that north star. So I think that, that kind of pattern we see in organizations around the world. I think it's a really healthy one. And in organizations that may not have that senior kind of architect who's helping to do that, that's okay, too, because by the time some of these now newer technologies become more mainstream, they're also going to become consumable by the mainstream. And that means that whether it is the cloud service providers that they use or its other infrastructure that they use, those kinds of emerging technologies are now going to be baked in, right? They will start to become table stakes. And so I think it's a very healthy and normal pattern that we see, and we have consistently seen. Even going back to my days when I was an analyst, absolutely the case, that when you talk to people on the bleeding-edge and they're -- that's super energizing. And then you say, "Okay, well, then how does this become mainstream? And why is it important to the organization?" Well, here's the real value prop. This is what matters. And whether it's you as an identity architect doing that for your organization or Garrett, you as an analyst doing that for your customer base, like that's an important role that needs to be played in the market.

Interesting. Reminding me of another issue, so -- related issue. When I mentioned earlier, I used to cover network security and firewall, like go back 20-some years. That's where I spent the first 10-plus years in my career as a lot of people did, right, worrying about firewalls and intrusion prevention and things like that. I dabbled in identity, but when I started covering identity full-time 7.5 years ago, it struck me that it almost felt like it wasn't quite a security discipline. Like in a lot of ways back then, it was as much an HR discipline or...

It's not a security discipline, yes.

Right, right. It's still -- it was an IT discipline, but IT admin and what have you. But I think that's changing, right? It's becoming -- and I think part of that is with this transition to the cloud and mobility and all that, the whole zero trust thing that's popping up, I'd argue identity has to be front and center there. We're hearing things about identity as the new perimeter. Just curious in your role as IDPro, have you seen anything along the lines of -- what I'm trying to get at is who owns identity typically in the organization now? Is it increasingly the security team? Is it the customer engagement team? Is it various -- I don't know if you have any perspective on that?

Yes. I do -- a couple. So a couple of years ago, I gave a talk, and I pointed out that the disciplines of security, privacy and identity are peers. They are in a peer relationship if only because the default tools of each of those disciplines are in and of themselves only insufficient for the total needs of the enterprise. So in some regards, for example, the way privacy operationalizes a lot of the controls that it needs is through identity tools because identity tools can govern access to data, which is a fundamental need for protecting sensitive information, customer information, what have you, which comes out of a requirement for privacy. Similarly, identity provides the who in the story for security. And so it's an important piece of context in the mix. And so really, it's a peer relationship. And so from the ownership question, back years ago, there was a conversation about should identity be owned -- workforce identity owned by HR because it's governing well, who can do what? Well, I know what job role you have and what region you're in. In theory, I should be able to use that to model what access you have, which is a true statement. HR never really ended up owning identity. I'll speak from my own experience actually at Salesforce, where I look after our identity services in our Salesforce platform, essentially, the capabilities we provide in our offering to help organizations interact with that platform: SSO, strong auth, provisioning, [indiscernible], et cetera. There is a sister organization of mine that lives in our security organization that owns workforce identity that owns privileged account management. And there is also a separate group that really is partnered strongly with marketing and digital to manage our customer identity infrastructure. So the way I like to think about it is that there's a need for identity in a lot of parts of the business. The organizational chart matters less. What matters more is that you have, if you will, emissaries in each of the parts of the business that can represent the capabilities the organization has from an identity perspective, express the value prop of what those capabilities can deliver and then maybe do some of the things we were just talking about, which is to say, "Hey, looking down on the road, digital or workforce or product, here are the needs we're seeing in the customer base. And this is the way identity can help, and we can't do all of this, but we can help provide this extra value, mitigate this risk." And so having those emissaries is really, really important.

Interesting. Yes, it's not all that different from what we're seeing in other areas. And I guess another way of summarizing your answer is it's all of the above, right? We're seeing -- our VoE data shows, I believe, roughly 50% of organizations have a Chief Information Security Officer, which implies that roughly 50% don't. A lot of them don't have a separate security team. And I think we're having a lot of internal discussions as you throw in things like cloud, you're pulling in cloud engineers, DevOps getting involved. And it seems, in general, there are a lot more stakeholders involved in security decisions in general. And I assume that's no different with identity. Last question on the sort of the IDPro and hiring thing. I was just curious, how are companies filling vacancies? Are you finding -- are they going and retraining existing IT people and teaching them identity skills? Are they hiring people fresh out of college and teaching them from the start? Any thoughts on that?

The one thing that I've seen through our survey data certainly is that the time it takes to build an identity practitioner is, I think, longer than most organizations are able to really support in a lot of ways. So growing a new one is often very hard. We ask a question about how long does it take you to feel proficient as a practitioner? Now key word being feel proficient versus actually being proficient. But interestingly enough, 25% of respondents say, "I still don't feel proficient." Now keep in mind that a majority of our respondents have been in the industry more than 15 years -- 10 to 15 years. To me, this says this is a growing discipline, and you're never done. There's no state of perfect enlightenment in identity management. But then the next chunk of sort of respondents say it took anywhere from 2 to about 10 years. I think the answer really lies around 5 to 8 to feel proficient, to really have both depth and breadth. When we were building the case, if you will, for IDPro, I would talk to organizations around the world. And I remember talking to a bank in Germany. And I was saying like, how long does it take you to build someone new in identity? They're like 18 months or so. And I'm like, how do you do that? And they are like, well, the majority of them learn a product, right? You learn whatever you've deployed, okay? So I'm going to learn this IDAS service. I'm going to learn this on-prem federation service, what have you. And then you learn another, then you learn another. And I think this all stems from a challenge that has been in the market for quite some time, which is, there hasn't been great vendor-neutral training materials for identity management, whereas security in some regards is more mature in that area, whereas the privacy industry has both the body of law but also all the good work of the IAPP, International Association of Privacy Practitioners, that allows for people to learn in a generic context and not just, here's the thing I got deployed and I got to master it. And so that's one of the things we tried to do in IDPro is to build out that vendor-neutral learning materials so that people can accelerate that, right? They can come up to speed on the basics faster, can then learn about, okay, here's good practice. Now let me put it into play in my organization sooner because -- and this is the part that has always worried me in the absence of being able to grow identity talent, organizations turn to service integrators. And in and of themselves, that's not a bad thing. There's really talented service integrators out there for identity. The concern I've always had is what that means is that the organization isn't building its own institutional knowledge when it comes to that discipline. And because identity is so baked into our business process, our security processes, our privacy needs, not having some amount of institutional knowledge retained within the organization, to me, that's very concerning because it means that there is actually an institutional weakness that we don't have muscle there that we need to. And the last thing I'll say about that is what we've seen through the pandemic and the need for digital transformation has made me feel now more than ever assured that we need identity practitioners in those conversations because we can't have digital engagement without good identity management, get people securely logged in and digitally engaged in our apps. And so you've got to have that capability if you're going to make it through the digital transformation process. And if you're only relying on external help, then you may not be the strongest organization you can be in that regard.

So there's no CISSP for IM in other words?

Well, but there is now. So there's the CIDPro certification, which IDPro has put forth to start with the foundation. So we do have a certification program, and it's written by practitioners for practitioners. And it tests a broad range of identity capabilities and knowledge from the components of an identity infrastructure to some of the regulatory and standards environments surrounded and everything in between. So we're beginning that journey. It took us a while to get there, but we're super proud of that work.

Yes. Good. Something I maybe need to do. I can certainly vouch to the amount of years it takes to feel proficient in identity. So let me -- let's switch gears here a little bit for the last segment here for the home stretch. You're rolling out Salesforce to your customer base. But you mentioned you also have it to your internal employees. To a lot of people that aren't that intimately familiar with identity and MFA, employee, workforce, consumer may seem what's the difference, right?

Right.

But technically, there is a huge difference between rolling out MFA to your internal employees or to your external customers, to enterprise customers, et cetera. Wondering maybe we could spend minute or 2 talking about what some of those differences are between the B2B, B2C, B2E scenarios? And then we can poke at that a little bit.

Yes. I think the best way to sum it up is for workforce identity, the fundamental question we are trying to solve for is who has access to what? And from that comes, I want to deliver the right access to the right people, in the right place, at the right time. But if we contrast that with consumers, it isn't identity. It's really about delivering the right experience to the right people, in the right place, at the right time. So the sort of parameter we're solving for is fundamentally different. I want to take friction out of every interaction with an individual customer that I can, so that they actually get more from my service. Now I need to do that against a backdrop of security requirements and privacy requirements. And I need a certain level of assurance about the individual, but really the noble goal here is to make an awesome experience that we can deliver value. On the workforce side, the story is a little bit different because now we're really focused on do the right kinds of people have access to the right data, and no more, right? That's the thought of the privilege and things associated to that. So you've got different starting premise for each of them that makes it fun. To me, the fact that there is that breadth of difference of mission really makes the whole thing fun to work on.

Yes. I think -- no, I agree. And I think couple of fundamental differences for me. I think in the -- first of all, user experience is paramount, right, as you alluded to. If you push it out to your employees, well, tough luck. They don't have much of a choice. You tell me, you have to use this, right? You may give them some choices or some different options and different form factors. But generally, they don't have a lot of options beyond that, right, other than go look for another job. In the consumer world, right...

I want to push back there a little bit, which is like, I think that had been the case for time immemorial. But in the last 5 years and really accelerated in the last 3, workforce expectations around experience, around capabilities, around design, around usability is no longer governed by the enterprise. It's governed by our experiences as individuals. So what Apple and Google do in the mobile operating space is a really important driver of expectation in the workforce space. So this is partially why coming back to multifactor authentication, we don't really see people carrying around onetime code generators anymore because it's a clunky user experience, not to mention it's yet another thing to lose. And you combine the expectations of the individual now driving workforce decisions and the remote work from anywhere world we live in, then you're starting to see organizations saying, "Look, I'm not competing with my competitor or my peer in the industry. I am competing with -- from a service delivery perspective with the likes of Apple and Google in terms of the experience I've got to deliver to my workforce." So I think that is a change we've seen in the last couple of years. That has, albeit slowly, changed the thought process around what form factors work for people? What are the modalities that work for people in terms of identity and security as the whole?

Yes. No, it's a great point, and it's something we've been dealing with in security for the last 10 years or so, this sort of consumerization of IT, right? I can remember the old antivirus vendors back in the day, like Symantec were very early on this. And if you look at it in terms of BYOD context, I mean, a lot of people, including myself, are using the same phone for personal as you are for the workforce, which creates a whole different set of circumstances. But I do think it's even more so true on the consumer side, right? If you offer up an authentication or an MFA experience to a banking customer, say, or to a retail customer, if they don't like it, they're gone, right? They're off to another bank. They're off to another website. So that's one aspect. The other thing is scalability as opposed to pushing. I remember pushing out an MFA deal or any security deal to a bank. Like I used to work at Merrill Lynch years ago, 50,000 seats. That was a big deal. 200,000 seats is a big deal. Some of these B2C deals can be millions, if not tens of millions of customers, which is a whole different level. We also have to worry about privacy, right? Because now you're worried about dealing -- having that data, and you have to do it securely and whatnot. So I guess the question is getting back to the earlier question I asked you, too, is if you're using MFA in a B2C context, in other words, selling it to a bank to push to their consumers, are you solving a different problem than, say, you were solving it at Salesforce pushing it out to your customers? You mentioned credential stuffing and account takeovers. Is it similar in the B2C place? Or are they looking to solve fraud or how do you see that?

I think the spirit of what both are trying to solve is very, very similar, which is, let's acknowledge that there are adversaries in the Internet that are looking to do harm in different ways. I think, however, why we are coming to different kinds of authentication modalities and different approaches to these problems, that comes more from an experience and a cost and a risk mitigation, more specific risk mitigation need set. So I talked to organizations who are rolling out customer identity management, and they're saying, well, I want to go -- I want to find a way not to ask the user for another password. Don't create another password for us because, A, yes, generally credential stuffing password use is bad. But B, it's just cognitive load, right? It's a tax. It's like one more thing you got to remember or hopefully, you're using a password manager, and it's remembering it for you. But if we could sidestep that whole problem, and be like, look, the experience I want to deliver is my customer looks at their phone, and they're in my app. And I knew who they are, and they've done so securely with an unphishable mechanism for that to have happened. That's what I want to get to. Now all right, so that's passwordless, and it could use things like the WebAuthn standard from FIDO and it can do those kinds of thing. Hey, great, that's all the plumbing. Propellerheads like you and I get excited about that. But experientially, what we delivered is a magical moment of like, I look at my app, I'm in my app, I'm using the app. That's what we want. And so there are great techniques for the B2C space to up its game, its security posture and its assurance around its -- the interactions it has with individuals by getting out of the password business entirely. And so like that's a win all the way around. Workforce sometimes -- and this isn't inabsolute, it's a little bit different because we have different regulatory requirements or different sort of governance and operational requirements that we need to meet. It starts us at a different position on the Board, if you will, in terms of what we need to solve for. But a lot of the spirit is still the same thing. And ideally, whether it happens this year or next or the next, over the next couple of years, the arc of the design and the experience of what the employee needs to do is going to look identical to what a consumer demands. And that's great news because it means low friction and high assurance. That's a great goal for both to share, and I'm excited to actually help our customers push towards that.

Yes. Great points, and it kind of reminds me what we've talked about in the past a little bit. For me, I'm big on user experience, right? Ultimately, I think it has to be great. And I think it arguably has to be better than a password, right? And I -- but I often wonder like if you look at a lot of the top websites, whether it be e-commerce sites or general media sites, if you were and I suspect there aren't a lot industry pros like you or me that will actually try to use MFA on those sites, it's really hard, right? Like a lot of times, you have to sift through a support menu and jump through all hoops to try to get it done. And it says to me, I wonder if, ultimately, the firms are more worried about losing a customer from a bad experience than they are from actually giving them MFA. So...

I hear you. I think to me, it's more a function of we have habituated the majority of people on the Internet who interact with services to a certain kind of ceremony. There's a box, and you put probably an email address in there. And there's another box, and you put a password in there. And we are arguably in year 1 of a meaningful transformation, mainstream meaningful transformation to changing that ceremony from those 2 boxes to something else, like just look at your phone, just tap your finger. That transformation and that sort of change of behavior is going to take years to get to. What it has to start with is conversations between identity security and the business to say, we can give you higher assurance to the individuals who they claim to be and consistency across time. It may need for you to change some of your business process in terms of when you get data from the individual. That's okay because we can actually get them and engage and then start to ask for information, demonstrate value and then ask for a little more. And that transformation, I'm really excited about. I'm also one of the first people to point out, we're not quite there technology-wise, we're just on the cusp. We'll start to see things that Apple and Google are doing as to helping the experience and make things more mainstream. And then we as enterprises, we roll out services to those customers who can fast follow behind them and take advantage of it. It's going to start slow, but we'll see this ramp up over the next 5 years for certain.

Excellent. So we only have a few minutes left. I was thinking maybe we could wrap up with for anybody that was listening and saying, "Hey, we hear it, we're really impressed by what Ian is saying and what Salesforce is doing. I want to do that, too," what sort of counsel would you give them say, "Hey, what can potentially go wrong? What can we screw up if we try to do this?" What are some of the lessons learned and some of the pitfalls they might want to look for and avoid?

So first off, that willingness needs to be encouraged. We need more organizations, more enterprises, more service providers saying, "Yes, it's time to put on all of our safety belts." And that means let's get MFA involved. I think, first and foremost, the council I gave is make sure that you have user experience practitioners with you in this journey and that you are looking at the entire journey that your customer may go through. So for example, one of the things that I should have seen coming, but I didn't, and I learned along the way was, there is a small number of our users and our organizations that are doing automated UX testing, which totally makes sense. I didn't see it on day 1, but I got the message. And if we ought to do MFA, that may be a little bit hard because those are automated services. So robotic process automation, RPA, has similar needs. Like, oh, right, there are going to be these really important use cases that I may not have thought on day 1 that MFA could pose a challenge for. We need to name them and then solve for them over time. And that's okay. That's part of the process because you will still uplift a majority of your customers, your workforce, the people that you serve, security posture. Like we're starting to turn this on and do it slowly over time, and you'll learn the other use cases.

Awesome. That takes us right about to the end. Thanks so much, Ian, for joining me. This was a lot of fun. Hopefully...

Yes, thanks, Garrett. I appreciate it.

Hopefully, our audience got a lot out of it. Enjoy the rest of your day, and I hope everyone enjoys the rest of your day as well. Bye.

Everybody, thank you.

Thank you, Garrett, and Ian, for the discussion about multifactor authentication. I was thinking MFA was Master of Fine Arts. So there you go.