process – Bredemarket

Three Ways in Which My Identity/Biometric Experience Exhibits My “Bias”

Yeah, I’m still focused on that statement:

“I think too much knowledge is actually bad in tech: you’re biased.”

Why does this quote affect me so deeply? Because with my 30-plus years of identity/biometric experience, I obviously have too much knowledge of the industry, which is obviously bad. After all, all a biometric company needs is a salesperson, an engineer, an African data labeler, and someone to run the generative AI for everything else. The company doesn’t need someone who knows that Printrak isn’t spelled with a C.

In this post I will share three of the “biases” I have developed in my 30-plus years in identity and biometrics, and how to correct these biases by stripping away that 20th century experience and applying novel thinking.

And if that last paragraph made you throw up in your mouth…read to the end of the post.

But first, let’s briefly explore these three biases that I shamefully hold due to my status as a biometric product marketing expert:

Independent algorithmic confirmation is valuable.
Process is valuable.
Artificial intelligence is merely a tool.

Biometric product marketing expert.

Bias 1: Independent Algorithmic Confirmation is Valuable

Biometric products need algorithms to encode and match the biometric samples, and ideally to detect presentation and injection attacks.

But how do prospects know that these algorithms work? How accurate are they? How fast are they? How secure are they?

My bias

My brain, embedded with over 30 years of bias, gravitates to the idea that vendors should submit their algorithms for independent testing and confirmation.

From a NIST facial recognition demographic bias text.

This could be an accuracy test such as the ones NIST and DHS administer, or confirmation of presentation attack detection capabilities (as BixeLab, iBeta, and other organizations perform), or confirmation of injection attack detection capabilities.

Novel thinking

But you’re smarter than that and refuse to support the testing-industrial complex. They have their explicit or implicit agendas and want to force the biometric vendors to do well on the tests. For example, the U.S. Federal Bureau of Investigation’s “Appendix F” fingerprint capture quality standard specifically EXCLUDES contactless solutions, forcing everyone down the same contact path.

But you and your novel thinking reject these unnecessary impediments. You’re not going to constrain yourself by the assertions of others. You are going to assert your own benefits. Develop and administer your own tests. Share with your prospects how wonderful you are without going through an intermediary. That will prove your superiority…right?

Bias 2: Process is Valuable

A biometric company has to perform a variety of tasks. Raise funding. Hire people. Develop, market, propose, sell, and implement products. Throw parties.

How will the company do all these things?

My bias

My brain, encumbered by my experience (including a decade at Motorola), persists in a belief that process is the answer. The process can be as simple as scribblings on a cocktail napkin, but you need some process if you want to cash out in a glorious exit—I mean, deliver superior products to your customers.

Perhaps you need a development processs that defines, among other things, how long a sprint should be. A capture and proposal process (Shipley or simpler) that defines, among other things, who has the authority to approve a $10 million proposal A go-to-market process that defines the deliverables for different tiers, and who is responsible, accountable, consulted, and informed. Or maybe just an onboarding process when starting a new project, dictating the questions you need to ask at the beginning.

Bredemarket’s seven questions. I ask, then I act.

Novel thinking

Sure all that process is fine…if you don’t want to do anything. Do you really want to force your people to wait two weeks for the latest product iteration? Impose a multinational bureauracy on your sales process? Go through an onerous checklist before marketing a product?

Just code it.

Just sell it.

Just write it.

Bias 3: Artificial Intelligence is Merely a Tool

The problem with experienced people is that they think that there is nothing new under the sun.

You talk about cloud computing, and they yawn, “Sounds like time sharing.” You talk about quantum computing, and they yawn, “Sounds like the Pentium.” You talk about blockchain, and they yawn, “Sounds like a notary public.”

My bias

As I sip my Pepperidge Farm, I can barely conceal my revulsion at those who think “we use AI” is a world-dominating marketing message. Artificial intelligence is not a way of life. It is a tool. A tool that in and of itself does not merit much of a mention.

How many automobile manufacturers proclaim “we use tires” as part of their marketing messaging? Tires are essential to an automobile’s performance, but since everyone has them, they’re not a differentiator and not worthy of mention.

In the same way, everyone has AI…so why talk about its mere presence? Talk about the benefits your implementation provides and how these benefits differentiate you from your competitors.

Novel thinking

Yep, the grandpas that declare “AI is only a tool” are missing the significance entirely. AI is not like a Pentium chip. It is a transformational technology that is already changing the way we create, sell, and market.

Therefore it is critically important to highlight your product’s AI use. AI isn’t a “so what” feature, but an indication of revolutionary transformative technology. You suppress mention of AI at your own peril.

How do I overcome my biases of experience?

OK, so I’ve identified the outmoded thinking that results from too much experience. But how do I overcome it?

I don’t.

Because if you haven’t already detected it, I believe that experience IS valuable, and that all three items above are essential and shouldn’t be jettisoned for the new, novel, and kewl.

Are you a identity/biometric marketing leader who needs to tell your prospects that your algorithms are validated by reputable independent bodies?

Or that you have a process (simple or not) that governs how your customers receive your products?

Or that your AI actually does unique things that your competitors don’t, providing true benefits to your customers?

Bredemarket can help with strategy, analysis, content, and/or proposals for your identity/biometric firm. Talk to me (for free).

By the way, here’s MY process (and my services and pricing).

Bredemareket: Services, Process, and Pricing.

Why Did The Wildebeests Cross The Road?

Because they needed to move forward rather than staying still.

And a process—even a simple one—helps them to do that.

Understand, Adapt, or Create

When Bredemarket begins an engagement with a client, I usually have no idea what processes, templates, or practices the client already has. So I have to handle whatever is or is not there and either understand what is there, adapt it, or create what is needed.

Understand

In some cases clients already have a process.

For example, as I delved into the Sharepoint library for one of Bredemarket’s clients, I found a complete set of branding guidelines that covered logos, colors, and many other aspects of the company’s branding.

In that case, my job is to simply make sure that I align with the client’s branding, and that my content, proposals, and analysis work for the client aligns with the branding guidelines…or with whatever other process the client has.

Adapt

Sometimes the client has a process, but it needs to be adapted in some way.

Here’s an example I can publicly share: not from a Bredemarket client, but from my former employer Motorola (back when Motorola was one company). I was a product manager at the time, and products were developed via a “stage gate” process. At Motorola, of course, it was called M-Gates.

Our “Printrak” group (automated fingerprint identification systems, computer aided dispatch systems, and the like) was the odd group out in our part of Motorola (the part that would later become Motorola Solutions). Most of the people in that part of Motorola sold police radios that were manufactured in bulk. Therefore the stage gate process included a step for a limited production run of police radios before moving to full production.

That didn’t apply for the software we sold to government systems. For example, the entire production run for the Omnitrak 8.1 release was no more than a half dozen systems for customers in Switzerland, Oklahoma, and other places. A limited production run wouldn’t make sense.

So OUR stage gate process eliminated that step and went straight to full production.

Create

And then there are the clients who don’t have anything. In these cases, my invention hat goes on.

For one Bredemarket client, I was asked to develop several pieces of collateral, such as (ironically) one on process maturity, and several random pieces of content tied to a product release.

I decided to approach it more systematically by introducing a simple go-to-market process that defined the external and internal collateral required for a “high” tier product release and a “low” tier product release. Resisting my urge to define something thorough, I simplified the GTM process as much as possible, while still providing guidance on what a product release should contain.

The client rejected the idea: “we don’t need no steenking process.”

Not surprisingly, the process maturity content was never released either.

I’ve had better luck with other Bredemarket clients, defining go-to-market, proposal, and other processes for them as needed.

Be Prepared

Providing product marketing expertise is much more than writing about a product.

Before I write a word of text, I ensure that the content aligns with the client’s strategies…or my own strategies if the client doesn’t have any.

And of course I ask questions.

Chris Allsop Asks, Then Asks, Then Asks Again

You already know how Bredemarket launches a content project with a client.

Bredemarket asks seven questions.

But Bredemarket may not be the source of all knowledge.

Let’s look at Chris Allsop’s process to launch a writing project.

“Step 1: Talk with your client, whether by email, on the phone, or in person. This will give you a clear understanding of the project, the audience and your client’s goals.”

Allsop asks multiple questions, including why, what, and who.

“[A]nswers to these questions will help you write copy that resonates with your audience….”

Great. Bredemarket and Allsop are pretty much in alignment.

But Chris is only on Step 1.

“Step 2: Take your conversation with your client a step further with thorough research.”

I gloss over this but it’s important. If you don’t know an industry it’s important to understand it. And if you do know an industry it’s important to understand it better. Even if a biometric product marketing expert is writing biometric content, it always helps to conduct research.

(Yeah, I’ll share the video. Later.)

Oh, and Chris isn’t done yet.

“Step 3: Study successful promotions, websites, and content in the topic or industry you’re working in. Ask yourself how each promotion got your attention.”

Good idea…to a point. Don’t slavishly imitate other promotions. The content from your client still needs to differentiate from the content from the competitors. And aping some popular brand to call yourself the “Uber of lawn care” just sounds bad when you spend two seconds thinking about it.

(Picture from an older version of https://www.yourgreenpal.com/blog/is-there-an-uber-for-lawn-care)

But whether you ask my seven questions or perform some other type of preparation, the act of preparation is important.

And for those who were waiting for me to share the “landscape” video…

Landscape.

And I might as well share the third of the three.

Bredemarket’s Biggest Accomplishments in 2025 (So Far)

I’m jumping ahead in the year-end post ridiculousness to cite Bredemarket’s two most notable accomplishments this year. Not to detract from my other accomplishments this year, but these two were biggies.

The first was my Biometric Update guest post in May, “Opinion: Vendors must disclose responsible uses of biometric data.” I discussed elsewhere my reasons for writing this, and created a Bredemarket-hosted video summarizing my main points.

Biometric vendors…

The second was my go-to-market effort for a Bredemarket client in September, which I discussed (without mentioning my participation) here. And there’s a video for that effort also.

Recent go-to-market.

I’ve accomplished many other things this year: client analyses, blog posts (both individually and in series), consultations, presentations, press releases, proposals, requirements documents, sales playbooks, and many more.

And I still have three more weeks to accomplish things.

Today’s Acronyms are CMMI, ISACA, and NSS

I’m going to discuss the acronyms CMMI and NSS, which I’ve kinda sorta discussed before but never in combination. (And as an added bonus I’ll discuss one more acronym.)

Capability Maturity Model Integrated (CMMI)

Back in February and in April I made passing references to CMMI, which stands for the Capability Maturity Model Integration. But I only mentioned it in passing because my experience is with the older Capability Maturity Model (CMM).

Who manages the CMMI?

Information Systems Audit and Control Association (ISACA)

Back in March and in April I either explicitly referenced or implicitly quoted from ISACA, which is the Information Systems Audit and Control Association.

Back in 2016 ISACA acquired the CMMI Institute, which managed CMMI. But the process suites originated earlier.

“CMMI was originally developed at the Software Engineering Institute, a federally funded research and development center within Carnegie Mellon University.”

Thus ISACA governs all CMMI-related activity, including assessments and certifications.

Which brings us to…

National Security Systems (NSS) and National Security Solutions (NSS)

‘Cause you know sometimes acronyms have two meanings.

It makes me wonder. And if you’re wondering, this is **NOT** Imagen 4. By Dina Regine – https://www.flickr.com/photos/divadivadina/465006384/, CC BY-SA 2.0, https://commons.wikimedia.org/w/index.php?curid=8022602.

Although in this case the two are related.

When a foreign-owned company wants to do business with the sensitive parts of the U.S. federal government, they have to set up a set up an entity that is free from foreign ownership, control, or influence. This is FOCI, a bonus acronym for you today.

In the biometric world, there are two notable FOCI-mitigated subsidiaries of foreign companies:

NEC National Security Systems (NSS), a subsidiary of the Japanese-owned NEC.

IDEMIA National Security Solutions (NSS), a subsidiary of the primarily U.S.-owned IDEMIA. Primarily, but not exclusively, because a small sliver of IDEMIA is French-owned.

Bringing all the acronyms together

Focusing on IDEMIA National Security Solutions, the company recently made a CMMI-related announcement:

“IDEMIA National Security Solutions (NSS), a subsidiary of IDEMIA, the leading provider of secure and trusted biometric-based solutions, is proud to announce that it has successfully earned re-certification at level 3 of ISACA’s Capability Maturity Model Integration (CMMI^®).”

You’ll recall that the CMMI levels go up to Level 5. So IDEMIA NSS is not at the maximum CMMI level, but Level 3 is impressive enough to issue a press release.

IDEMIA NSS’ extensive federal government work dictates that it maintain a number of certifications and conformances. CMMI gives the government agencies assurance that IDEMIA NSS provides its products according to specific quality and process improvement standards.

Is Your Organization (Not) Managing Your Identity Proofing Vendors?

A wildebeest process evaluator discovers that another wildebeest has no goals.

Today I’m doing something different.

Normally these blog posts are addressed to Bredemarket’s PROSPECTS, the vendors who provide solutions that use biometrics or other technology. Such as identity proofing solutions.
But I’ve targeted this post for another audience, the organizations that BUY biometrics and technology solutions such as identity proofing solutions. Who knows? Perhaps they can use Bredemarket’s content-proposal-analysis services also. Later I will explain why you should use Bredemarket, and how you can use Bredemarket.

So if you are with an organization that SELLS identity proofing solutions, you can stop reading now. You don’t want to know what I am about to tell your prospects…or do you?

But if you BUY identity proofing, read on for some helpful expert advice from the biometric product marketing expert.

Managing an identity proofing solution

When you buy an identity proofing solution, you take on many responsibilities. While your vendor may be able to help, the ultimate responsibility remains with you.

Here are some questions you must answer:

What are your business goals for the project? Do you want to confirm 99.9% of all identities? Do you want to reduce fraudulent charges below $10 million? How will you measure this?
What are your technology goals for the project? What is your desired balance between false positives and false negatives? How will you measure this?
How will the project achieve legal compliance? What privacy requirements apply to your end users—even if they live outside your legal jurisdiction? Are you obtaining the required consents? Can you delete end user data upon request? Are you prepared if an Illinois lawyer sues you? Do you like prison food?
What about artificial intelligence? Your vendor probably uses some form of artificial intelligence. What form? What does this mean for you? Again, do you like prison food?

Again…are you ready?

GAO, IRS, and DOA

So how do other organizations manage identity proofing solutions? According to Biometric Update, not well.

A new Government Accountability Office (GAO) audit found the Internal Revenue Service (IRS) has not exercised sufficient oversight of its digital identity-proofing program…

As many of you know, the IRS’ identity proofing vendor is ID.me. The GAO didn’t find any fault with ID.me. And frankly, it couldn’t…because according to the GAO, the IRS’ management of ID.me was found to be deficient.

“IRS was unable to show it had measurable goals and objectives for the program. IRS receives performance data from the vendor but did not show it independently identified outcomes it is seeking. IRS also has not shown documented procedures to routinely evaluate credential service providers’ performance. Without stronger performance reviews, IRS is hindered in its ability to take corrective actions as needed.

“ID.me acknowledges that its identity-proofing process involves the use of artificial intelligence (AI) technologies. However, IRS has not documented these uses in its AI inventory or taken steps to comply with its own AI oversight policies. Doing so would provide greater assurance that taxpayers’ rights are protected and that the technologies are accurate, reliable, effective, and transparent.”

So while ID.me meets the IRS’ key requirement of Identity Assurance Level 2 (IAL 2) compliance, is it performing well? The IRS needs to define what “performing well” means.

You would think the IRS had a process for this…but apparently it doesn’t.

Dead on arrival (DOA).

But I’m not the IRS!

I’ll grant that you’re not the IRS. But is your identity proofing program management better…or worse?

Do you know what questions to ask?

Let Bredemarket ask you some questions. Perhaps these can help you create relevant external and internal content (I’ve created over 22 types of content), manage an RFP proposal process, or analyze your industry, company, or competitors.

Let’s set up a free 30-minute consultation to assess your needs.

CPA

Wanna Know a “Why” Secret About Bredemarket’s TPRM Content?

Third party risk management, illustrated by a locked safe connected to a breached safe.

(The picture is only from Imagen 3. I’ve been using it since January, as you will see.)

Here’s a “why” question: why does Bredemarket write the things it writes about?

Several reasons:

To promote Bredemarket’s services so that you meet with me and buy them.
To educate about Bredemarket’s target industries of identity/biometrics, technology, and Inland Empire business.
To dive into specific topics that interest me, such as deepfakes, HiveLLM, identity assurance levels, IMEI uniqueness, and Leonardo Garcia Venegas (the guy with the REAL ID that was real).
Because I feel like it.

And then there are really specific reasons such as this one.

In late January I first wrote about third-party risk management (TPRM) and have continued to do so since.

Why?

TPRM firm 1

Because at that time, a TPRM firm had a need for content marketing and product marketing services, and Bredemarket started consulting for the firm.

I was very busy for 2 1/2 months, and the firm was happy with my work. And I got to dive into TPRM issues in great detail:

The incredibly large number of third parties that a vendor deals with…possibly numbering into the hundreds. If hundreds of third parties have YOUR data, and just ONE of those third parties is breached, bad things can happen.
The delicate balance between automated and manual work. News flash: if you look at my prior employers, you will see that I’ve dealt with this issue for over 30 years.
Organizational process maturity. News flash: I used to work for Motorola.
All the NIST standards related to TPRM, including NIST’s discussion of FARM (Frame, Assess, Respond, and Monitor). News flash: I’ve known NIST standards for many years.
Other relevant standards such as SOC 2. News flash: identity verification firms deal with SOC 2 also.
Fourth-party, fifth-party, and other risks. News flash: anyone that was around when AIDS emerged already knows about nth-party risk.

But for internal reasons that I can’t disclose (NDA, you know), the firm had to end my contract.

Never mind, I thought. I had amassed an incredible 75 days of TPRM experience—or about the same time that it takes for a BAD TPRM vendor to complete an assessment.

But how could I use this?

TPRM firm 2

Why not put my vast experience to use with another TPRM firm? (Honoring the first firm’s NDA, of course.)

So I applied for a product marketing position with another TPRM firm, highlighting my TPRM consulting experience.

The company decided to move forward with other candidates.

The firm had another product marketing opening, so I applied again.

The company decided to move forward with other candidates.

Even if this company had a third position, I couldn’t apply for it because of its “maximum 2 applications in 60 days” rule.

TPRM firm 3

Luckily for me, another TPRM firm had a product marketing opening. TPRM is active; the identity/biometrics industry isn’t hiring this many product marketers.

So I applied on Monday, June 2 and received an email confirmation:
And received a detailed email on Tuesday, June 3 outlining the firm’s hiring process.
And received a third email on Wednesday, June 4:

“Thank you for your application for the Senior Product Marketing Manager position at REDACTED. We really appreciate your interest in joining our company and we want to thank you for the time and energy you invested in your application to us.

“We received a large number of applications, and after carefully reviewing all of them, unfortunately, we have to inform you that this time we won’t be able to invite you to the next round of our hiring process.

“Due to the high number of applications, we are unfortunately not able to provide individual feedback to your application at this early stage of the process.

“Again, we really appreciated your application and we would welcome you to apply to REDACTED in the future. Be sure to keep up to date with future roles at REDACTED by following us on LinkedIn and our other social channels.

“We wish you all the best in your job search.”

Unfortunately, I apparently did not have “impressive credentials.” Oh well.

TPRM firm 4?

What now?

If nothing else, I will continue to write about TPRM and the issues I listed above.

Well, if any TPRM firm wants to contract with Bredemarket, schedule a meeting: https://bredemarket.com/cpa/

And if any TPRM firm wants to use my technology experience and hire me as a full-time product marketer, contact my personal LinkedIn account: https://www.linkedin.com/in/jbredehoft

I’m motivated to help your firm succeed, and make your competitors regret passing on me.

Sadly, despite my delusions of grandeur and expositor syndrome (to be addressed in a future Bredemarket blog post), I don’t think any TPRM CMOs are quaking in their boots and fearfully crying, “We missed out on Bredehoft, and now he’s going to work for the enemy and crush us!”

But I could be wrong.

Writers Must Disclose Responsible Contributions of Biometric Governance Opinions

You knew that I was going to link to THIS Biometric Update post, because…well, I wrote it.

You can read “Opinion: Vendors must disclose responsible uses of biometric data” here: https://www.biometricupdate.com/202505/opinion-vendors-must-disclose-responsible-uses-of-biometric-data

Excerpt:

“Usually, the government agency or private organization acts as the “controller” or owner of the biometric data, while the biometric vendor is just the “processor” of the data.

“But there are exceptions. In late April, Joel R. McConvey described a proposal in which the Milwaukee, Wisconsin Police Department would provide Biometrica with 2.5 million facial images from its jail records.

“Why would any biometric vendor want to be the controller of biometric data? One plausible reason is for internal testing to improve the vendor’s algorithms by continuously testing them against live data. There may be other reasons, such as offering new services.”

But this is actually the SECOND time I have been featured by Biometric Update. If you check its YouTube channel, you can find the 2015 gem “MorphoTrak (Safran) – MorphoWay demo”: https://youtube.com/shorts/mqfHAc227As

Stay tuned for my next Biometric Update appearance in 2035.

Too Many Trees in the Forrester?

As far as Forrester is concerned:

“[O]nly a quarter of firms employ a launch process even vaguely approaching best-in-class…”

But I take this with a grain of salt, because Forrester has a product it is marketing.

“We began by introducing attendees to our proprietary Product Marketing And Management (PMM) Model (client login required).”

I’m not a client, so I don’t have a login. But Forrester’s PMM Model appears to cover some important topics.

Proposals.
Market requirements.
Dashboards.
Defining your hungry people, although Forrester uses the legacy term target audience. (Hey, I try.)
Sales targets.
Competitive differentiation.

And that was just the beginning, because Forrester is certainly comprehensive.

Although it sounds like the full Forrester PMM Model process may be completely mystifying and overwhelming if you have no model at all. I know.

Better to start off moving from Level 1 to Level 2 in a maturity model rather than trying to jump to Level 5.

(Imagen 3)