Director of Strategic Ops and Technical Enablement Yvonne Wilson Offers Insights from 20 Years in Identity, Security
Director of Strategic Operations and Technical Enablement Yvonne Wilson pauses during a hike on the Vatnajökull Glacier National Park in Iceland. An avid (and prepared) hiker, she points out that both hiking and security require that you identify potential risks and plan to mitigate them.
With 20 years of identity and security experience, Yvonne Wilson, Auth0 Director of Strategic Operations and Technical Enablement, Customer Success, began her career as a developer and moved through system architecture to lead the design of a world-wide corporate directory service at Sun Microsystems. That effort led to developing Single Sign On and federated identity, smart cards with personal certificates for authentication, encryption and digital signing, and an architecture for step-up and step-down authentication. She even worked with an early experimental OpenID server (a protocol in use before OpenID Connect).
An acquisition brought her to Oracle, where she founded five managed cloud identity services, implementing cloud-based identity provisioning, federated Single Sign On, and strong authentication services for a number of customers in a variety of industries. She says she had a great time building the business from scratch, but despite being born and raised in Silicon Valley, she’d never worked for a startup. So when Auth0 came calling, she made the leap to become our 19th employee (at publication we are at 432).
We talked with Yvonne about creating long-term customer benefits by pragmatically scaling Auth0, how she’s helping train the next generation of identity experts, and what people need to consider to have a successful Identity Management project (and her blog series of the same name).
On why she sticks with identity and security:
I like security because it's like a chess game where your opponent is constantly inventing new pieces and not telling you what they do. There are the very interesting business challenges that customers have — and identity is an enabling function for a lot of interesting business initiatives.
On why identity matters:
Identity is very much an enabler of almost any customer initiative. They are offering services to their customers or employees, and so they need to ensure that they are securing them so they can let the right people in and keep the wrong people out. It's not good enough to be secure — you have to be able to prove that you have been secure. Identity Management is a critical component of that.
On training the next generation of identity experts:
I'm very fascinated with how you scale a fast-growing business, and I think one of the chief things to help Auth0 scale is to hire people who are close to the skills needed, and then efficiently and quickly fill the knowledge and expertise gaps because identity is a very niche expertise. Our customers count on us to deliver a depth of identity expertise and we have to deliver that.
To prepare new hires, I created a series of videos with subject matter experts, technical hands-on learning exercises, and simulated B2C, B2E, B2B customer requirements that would come from business owners to architects to developers to security staff to audit staff. I drove the creation of a set of mock sessions for people who are learning. In these sessions, subject matter experts simulate those different customers with those different environments. This tests new hires on the architectural, programming, and product knowledge needed to advise our customers.
As part of that training, we’re simulating customer interactions. Not just technical knowledge, but understanding the situations that come up with customers in real life. This means helping new experts with the social skills they need to gracefully give our customers the technical information they need to succeed.
On the fundamental set of values and/or tenets that Yvonne follows when working with customers:
Number One — Always think about the customer perspective, try and put yourself in their shoes and use your expertise to predict what the customer is going to need before they know themselves, so that they don't have unwelcome surprises.
Number Two — Think about how we scale the business and what our customers need to scale their business. The right answer is not necessarily saying yes to a customer’s initial request. Sometimes this might lead to technical debt that will cause problems down the road for customers. You know, thinking about how we can do things better, faster, more efficiently, and enable our customers to do the same. It’s always a balance, meeting the customer's immediate needs, but not at the expense of scaling the business. Because if we don't scale the business, we're not going to be there for our customers long term and if our customers can’t scale their business, they won’t be there for us long-term.
Last — Constant learning. With everything we do, we have to ask ourselves, what can we learn from this?
On what Yvonne can do in professional services at Auth0 that she wouldn’t have been able to do at another company:
Because we're an identity hub cloud service, designed with developers in mind, we are able to offer a more innovative and flexible service than some of the big, established players in the market. We also have a lot of identity expertise at Auth0, so we’re able to really advise customers well, from a depth of identity experience.
On what Yvonne loves about the people she works with at Auth0's professional services:
The dedication to helping the customer and the dedication to diving in and learning things at great depth so that we can help customers with that expertise. It sets the bar really high and it keeps inspiring each person in the team to get up every day and figure out how to do things better.
On Yvonne’s most intriguing use cases:
Our B2B customers have a number of customers, and each of their customers has different requirements. So we suddenly have to be multiple things to that one customer and yet make it as easy as possible and as efficient as possible for our customers to manage that complexity.
As we get into the IoT world, there are lots of very small devices, devices with very limited user interface capabilities, and people may want to manage them from their phone. This adds more components and complexity to the architecture, which can increase the attack surface.
With the security challenges in the world, more and more people want to use stronger forms of authentication, often called “multi-factor authentication,” where you require a stronger level of authentication for more sensitive applications or even individual transactions. That's a very interesting area when you consider the complexity of user interaction and that there are multiple sessions going on: application sessions, sessions in Auth0, sessions at different remote identity providers. That's a complex area to get right in terms of both security and user experience, especially for less tech-savvy users. And you may want to be able to step-up and step-down a user’s privilege level at appropriate times because you don't want to keep working at an elevated privilege level if you don't really need it. And step-down and log-off are often more complex to implement than login.
On the importance of doing whiteboarding and architectural design during customer calls:
The customer gets advice that takes into account their reality, because we've had them show us some pictures of everything that's going on in their environment so they get advice that's better tailored to their environment. And what we get out of it is better information about what the customer is doing so that we give appropriate advice. A large part of architecture is making sure that all the pieces are considered — even auxiliary things that aren't part of the immediate application because they may have an influence.
On the value of providing security-focused guidance regardless of whether or not customers follow our advice:
Hopefully we've increased the security knowledge in the world, which is a good thing. We are likely to use a lot of the services that our customer base provides. So the banks that we bank at, the hospitals that we go to — we'd like to ensure that they're secure. Even if they aren’t able to take our advice that day, hopefully we've improved their knowledge and they might do something better when they can. And certainly we have, hopefully, reduced Auth0's liability by providing appropriate advice.
On Yvonne’s advice for customers trying to decide whether or not they need professional services:
Well, this might be a shameless plug for my blog series on How to Have A Successful IDM Project, but I started the series to help customers understand the breadth of what they need to worry about for a project and assess their knowledge and timeframes. If you don't have the knowledge, you can take the time to learn it, but that's going to increase your time to market.
So how important is time to market? And if it's important, would you benefit from having professional services, because they'll speed you along? You don't know what you don't know. So we'll identify, "Oh, there are some disadvantages with the approach you are using and we’d like to recommend this alternative instead, and here’s why." Professional Services can help you form a realistic project plan, understand the best practices as well as the advantages and disadvantages of certain approaches. That allows the customer to focus on what their core competency is, so they can focus on being the best hotel or transportation service or medical service as opposed to spending a lot of time learning the identity pieces from scratch.
On how the speed of technological change is driving the need to future-proof:
In the early days, much of the technology I was working on was either done or fairly adequate for the task at hand, like with SAML. Even though I did one of the very early SAML deployments, things weren't as in flux as I see them with OIDC and OAuth and the many flavors of application architectures, languages, and frameworks out there. The tech stack options continue to evolve rapidly and there are a lot of draft specs to monitor. With the proliferation of technologies that people have to choose between and support, and the rate of change, you need agility and flexibility from your tools. You can’t afford to be locked into outdated technology.