How much does slavishly following company procedures lead to problems?
Are there any solutions? But what are the impacts in security management? Can we be affected by digital stupidity?
"I simply do it because it says so" or even "We have always done it this way."
I remember once, during a consulting session, a person who had to produce evidence was obliged to take screenshots of all the changes made to SAP users.
To the question "why?", the answer was: because it is defined in the procedure. They did not know that SAP has a specific trace and logging mechanism for the changes made.
It can happen to anyone, at times, to go on autopilot without much thought.
If this mode is always active, however, it can lead to limited thinking, and that is one of the main warning signs in this context.
In more detail:
Beware: following procedures is not harmful; in fact, it is certainly correct and recommended. But that is not what is being discussed here. The problem is doing it blindly, without asking any questions.
Sometimes even asking, "But why are we doing this? Is there a better way to do it?" can be helpful.
Unfortunately, doing so can come across as "out of standard." Those who deal with these issues and, as in the example above, try to raise problems or concerns are often seen as troublemakers.
What can happen then?
To what extent can being "out of the chorus" create problems with leadership? No one wants new problems to deal with; every day there are already enough problems without raising more. Better not to make unnecessary fuss. Better, then, to remain ignorant. But how much do these attitudes really protect corporate data security?
We followed the procedures and all company policies. Yet something did not work as it should. Why?
How well is the application of company procedures and policies really controlled in practice?
It is recommended and certainly helpful to define all policies (without exaggeration), but when and how are the controls operationally implemented? Or how much of it becomes material to present to stakeholders, perhaps during audits, without going deeper into how these policies are actually applied?
Is a well-made PowerPoint better than the substance of the controls actually put in place?
How much is window dressing, in this context, part of your organization?
This article was inspired by the following sources:
Topics: security awareness, SAP cyber security, SAP training