Ivanka Gajecky, Manager of Application Security, Beam Suntory, joined SAPinsider Studio at the SAPinsider GRC 2016 event to discuss Beam Suntory’s SAP security role redesign project that was undertaken to align with the business becoming more centralized.
This is an edited transcript of the discussion:
Ken Murphy, SAPinsider: Hi, this is Ken Murphy with SAPinsider. I am at the SAPinsider GRC event in Las Vegas. Today, I am pleased to be joined by Ivanka Gajecky, who is the Manager of Application Security for Beam Suntory. She’s here today to talk to us about an SAP security role redesign project. Ivanka, thanks for being here.
Ivanka Gajecky, Beam Suntory: Thanks for having me.
Ken: Can you start by telling our audience a little bit about Beam Suntory and your role with the company?
Ivanka: Beam Suntory is the third-largest premium spirits company in the world. We’ve got brands such as Jim Beam, Maker’s Mark, and Hibiki whisky. My role is in the IT organization, application security focused on SAP and also IT compliance, which means I’m working with auditors and making sure we’ve got all our controls in place on the IT side.
Ken: Can you talk about your current role provisioning at the company before setting out on a role redesign project?
Ivanka: Basically we have an SAP system the current design of which dates back to 2007. And that’s exactly when the original roles were put in place; it was an excellent design for our business in 2007, but as you can imagine the business has changed as times have changed and our roles haven’t adapted quite as quickly. That’s where we see some of our frustration points or areas of opportunity for improvement.
Ken: With that in mind, is that how you built a business case for this initiative?
Ivanka: Exactly. The idea for the business case came about because we’ve been systematically experiencing complaints from users, some of which have bubbled up to higher-level people, especially within our back office, anything that’s become a centralized function. Our role design was based on more of a decentralized business. That’s really who we were in 2007. And today we’ve got a lot more centralized functions. And once you start trying to match up what people need with the system that doesn’t really match, that’s when you start having problems. So we just saw a pattern happening and we thought that rather than waiting until we have a problem erupt, let’s think about how we can proactively address this.
Ken: With more centralization, how did you identify the requirements for the project, the key considerations and arriving at role redesign as the best way to handle that?
Ivanka: Some of the main frustration points we’ve seen are around, first of all, the volume of SoD conflicts, just the line items, if you will, on the SoD reports. And when we took a look at the root cause, in many cases it’s a matter of role design; we’ve got transactions with SoD conflicts and without in the same roles. So people have SoD conflicts that don’t need them. And the other part was a lot of frustration was experienced in the user provisioning process, actually because of the complexity of the roles design, so in order to address root cause from the common thread there was a complicated roles design.
Ken: How do you plan to measure the project’s success?
Ivanka: I would say we’re about halfway there in our journey in terms of getting the business case sold. How we’re going to measure success is in a more efficient controls environment where we don’t have to have so many people performing manual mitigating controls, and a better, more rapid timeline for user provisioning requests for new hires or transfers. We don’t have a problem with SoD compliance or SOX compliance issues; that’s one thing that many times is a driver. We don’t have that in place because we have so many mitigating controls being performed. But just increasing the efficiency in those two areas is where we’ll measure success.
Ken: And so moving forward, how do you think a role redesign project is going to enable the company to use SAP as more of a platform for growth?
Ivanka: I think it’s largely an efficiency play; if we can structure our roles more closely to business roles, and get closer to a roles-based security concept, we’ll just be able to move more quickly and have more agility, and people will be able to more precisely indicate what they need, meaning we’ll have less business downtime. We’ll just be able to be leaner and more agile in our business processes.
Ken: Ivanka, thank you for being with us today.
Ivanka: Thank you for having me.