Written by Dudley Cartwright
CEO of Soterion
Pablo Escobar is one of the most infamous narco-terrorists of our time. His name is synonymous with illegal drugs, brutal murders, and a remarkable talent for avoiding capture. He is perhaps less well known as an access risk management professional.
But the truth is, mitigating risk was one of Pablo Escobar’s greatest achievements, and the way he operated provides us with some great principles that we can apply to SAP security and access risk management.
Now, I’m in no way glorifying Escobar’s antics, but the fact is that he ran a multi-billion-dollar-a-year operation with many moving parts – all without the kind of sophisticated technology many of us have access to today. That’s no small feat.
While I’m not suggesting you go out and commit crime, there are some important lessons you can take from Escobar to help manage risk, enhance SAP security and improve access risk management in your organisation.
The three lines of defence for SAP security
Escobar’s greatest fear was being caught and extradited to the US. So how is it possible that he was the most wanted man in the world for 10 to 15 years, everyone knew which city he lived in, and yet some of the most powerful government agencies could not catch him?
The answer is that Escobar was brilliant at managing risk. He not only had a very clear idea of what his risks were, he also implemented a strategy for mitigating them that was more effective than most organisations manage today.
Escobar appreciated and perfected the three lines of defence. In business or otherwise, you have three lines of defence when it comes to SAP security:
- First line: Operational / Business users
- Second line: Risk / Compliance departments
- Third line: Audit / Assurance departments
Your first line of defence should be your strongest
Escobar implemented an exceptionally effective first line of defence.
In his city of Medellin, he was almost untouchable. He realised the importance of having many eyes and ears on the ground, so people from all walks of life fed him information whenever a risk appeared. From street kids to grandmothers selling food on street corners, the moment something looked suspicious, Escobar was informed.
If a Westerner arrived at Medellin Airport, it was assumed the visitor was a DEA agent, and they were followed and monitored. When the Colombian army made its move on Escobar, a street vendor noticed many army trucks leaving the barracks, concluded that could only mean one thing, and alerted Escobar.
It could be argued that Escobar’s second line of defence was bribing the police and the army. His third line of defence was possibly his army of assassins. However, it was Escobar’s first line of defence that was his most effective in that it got him out of trouble the most often.
For organisations, this is also true: Your first line of defence should always be your strongest.
An organisation’s first line of defence is usually the employees (super / key users) who have been with the organisation for 15 to 20 years. They understand their area of the business and its processes better than anyone else.
Unfortunately, in most organisations this is typically the weakest line of defence. That’s not because those employees don’t know the risks in their area, it’s because the organisation has not implemented the correct processes and solutions to empower those users to participate in the risk management activities.
Empower your first line of defence with business-centric solutions
If you have employees who have been with your organisation for many years and/or have an in-depth knowledge of their area of the business, as well as a clear understanding of the risks – you are in a good position.
But just having these people available is not enough.
You need to empower them with the right solutions and processes to manage access risk and strengthen SAP security.
All too often, organisations end up implementing complex solutions that are too technical for business users, which results in the solutions being under-utilised or redundant. At best, these technical solutions end up being used as ‘back-end’ solutions by the IT or technical team.
When this happens, you lose your first line of defence.
Be more like Escobar (minus the drugs and deaths)
Escobar implemented a system and process whereby people on the ground could effectively act as the first line of defence. These first liners were educated on what Escobar deemed a risk. When they identified one, there was a clear process they could use to feed that information through to the relevant people in the organisation. Escobar empowered his first liners to raise the alarm whenever they noticed anything that posed a risk.
While you may not have the weapons that Escobar had, you do have a powerful weapon in risk management at your disposal – loyal and experienced operational and business users.
By enhancing business buy-in and improving your first line of defence, your organisation will become more risk aware and will be able to identify and respond more rapidly to security threats.
To give your organisation the best chance of fighting risk, you need to equip your users with the right weapons – and one of your best weapons today is a business-friendly GRC solution. By giving your people tools that they not only understand but are also not afraid to use, you empower them to effectively manage your organisation’s risk.
How can Soterion Help You?
Soterion is the market leader in business-centric GRC. By converting the technical GRC language into a language the business users can understand, we facilitate business buy-in and accountability.
Feel free to email us at [email protected]. Let us help you take your GRC to the next level.