Have you ever heard of this kind of organization?
What is it? How does it work? How is SAP Security managed in this kind of organization?
Teal Organization, what is it?
Essentially, it's a new vision of how to do "business", based less on "doing things the right way" and more on doing the right thing, which doesn't often happen in classic corporations.
In this vision there are different types of companies/organizations, described using colors:
- Infrared
- Magenta
- Red
- Amber
- Orange
- Green
- Teal
*Image source: Reinventare le organizzazioni. Come creare organizzazioni ispirate al prossimo stadio della consapevolezza umana (author: Frederic Laloux, p. 61)
Each color represents the maturity of a given company (its footprint, we could say), which moves towards teal over time.
What are the main characteristics that distinguish these organizations?
- Red: Job division and command-based authority (e.g. criminal organizations)
- Amber: Defined roles, precise hierarchies (e.g. army, public school)
- Orange: Innovation, responsibility, meritocracy (e.g. multinationals, private school)
- Green: Stakeholder model, culture guided by values to give employees the maximum motivation (e.g. Zappos)
- Teal: Self-management (not in the sense of chaos as one might be led to think), sharing, common evolution (even outside your organization)
But what are the strengths of this kind of organization?
- Self-organized teams
- No HR or purchasing structure
- Fluid roles instead of job role descriptions, no role labels
- Decentralized decision-making processes, no superior who can decide
- Information sharing at all levels. No secrets. Everyone sees what other teams do, everyone knows the results and failures, everyone knows everyone else's salary. And not only that: everybody decides their own salary (through a shared process)
It may seem crazy (at least when looking at today's situation in our clients' companies and, in some respects, in our own company), but it is important to try to imagine it and find the positive aspects. Some companies have already adopted this method.
SAP Security Teal
So what should you do? SAP_ALL to everyone by default?
I tried to imagine SAP Security in this type of organization. Maybe based entirely on cloud paradigms.
Do greater sharing and use of data mean less security?
In my opinion: no.
Maybe it's better to split this topic into two parts:
- External threats
- Internal threats
For external threats you can keep on using the tools already in place: system protection, cryptography, protection against ransomware and social engineering, cyber security in the broadest sense of the term.
For internal threats, things get more complicated. If today, in most organizations, there are precise job divisions, tomorrow this may not be the case.
What does it mean to manage Segregation of Duties in teal organizations? Maybe mitigation controls to the nth degree?
It's possible that in this case the efforts to protect data are mostly concentrated at the root of the issue. The processes for assigning authorizations are less stringent and anyone can have the role they want, but everyone knows that the information viewed, exported and managed is tracked and controlled. A specific chapter could be created on the subject of lawfulness.
We'll see!
What do you think about this topic? Write your thoughts in the comments!