Implementing new technology can be challenging, but executing a secure and effective GRC initiative means also factoring in the latest regulations, mission-critical data, and a broad set of stakeholder expectations on top of the IT considerations.
I recently was able to sit down with Ed Davis, director at Turnkey Consulting Australia to discuss this very topic. Ed will be speaking at SAPinsider’s upcoming GRC 2014 event, taking place in Singapore from October 13-15. Ed gave me an overview of the session he’ll be presenting there, along with a few GRC and controls tips to think about between now and then.
Here is a recap of our conversation:
Q: To start off, would you mind giving us a bit of background in how long you’ve been working in the area of GRC?
A: I’ve been working with SAP security and GRC since the mid-1990s. I started off at PricewaterhouseCoopers in the SAP risk management and controls group, where I went through an intensive SAP security training program, which was followed by numerous pre- and post-implementation security and controls reviews, through which I gained a solid grounding in the field. I then moved to the UK, where I was the SAP security lead for the global SAP HR rollout for Shell. This involved rolling out a solution to 100,000 employees in over 40 countries over a period of ten years. When I returned to Australia, I joined Turnkey Consulting, which is now SAP’s main partner in the GRC space. Since then I’ve been involved with several GRC and security projects with a range of clients.
Q: In your experience, what would you say is the most common reason behind a poor or inappropriate security design?
A: I would say definitely a lack of business engagement is the main cause of a poor security design. The business should really own the risks in a system and should therefore be very involved in the security design from day one. If it’s left to a project team with very little business input, then the security element of an SAP implementation is quite likely to fail.
Q: What would you say is the most effective way for an organization to really improve business engagement within a security and GRC initiative?
A: Having a solid change management plan from the outset will help to ensure that the business stays engaged and has input at the appropriate point. The change management plan should include detailed communications and training planning; this way the project can make sure that the relevant people are provided with the relevant information at the right time, with development and data decisions being made along the way.
Q: If you could provide one tip or best practice for our readers to use to help simplify their SAP security design, what would that be?
A: When designing SAP security, the project team should look at it from the end users’ point of view. By understanding how end users use security, you’ll be able to design a much more user-friendly solution which will be far more likely to succeed. The aim is to make the processes as simple but robust as possible, so that people can understand them and work with them. I’ll obviously go into the solutions and best practices in a lot more detail in the session.