Have you ever heard of this kind of organization?
What is it? How does it work? How is SAP Security managed in this kind of organization?
Essentially, it's a new vision of how to do "business", based less on "doing things the right way" and more on doing the right thing, which doesn't often happen in classic corporations.
In this vision there are different types of companies/organizations, described using colors:
*Image source: Reinventare le organizzazioni. Come creare organizzazioni ispirate al prossimo stadio della consapevolezza umana, author: Frederic Laloux, p. 61
Each color represents the maturity of a certain company; we could say it is the company's footprint, moving towards teal over time.
What are the main characteristics that distinguish these organizations:
But what are the strengths of this kind of organization?
It may seem crazy (at least looking at today's situation in our clients' companies, and in some respects in our own), but trying to imagine it and finding the positive aspects is important. Some companies have already adopted this approach.
So what should you do? SAP_ALL to everyone by default?
I tried to imagine SAP Security in this type of organization, maybe based entirely on cloud paradigms.
Does greater sharing and use of data mean less security?
In my opinion: no.
Maybe it's better to split this topic into two parts:
For external threats you can keep on using the tools already in place: system protection, cryptography, ransomware protection, protection against social engineering, cyber security in the broadest sense of the word.
For internal threats, things get more complicated. If today most organizations have precise divisions of duties, tomorrow this may no longer be the case.
What does it mean to manage the Segregation Of Duties in teal organizations? Maybe mitigation controls to the nth degree?
It's possible that in this case the efforts to protect data are mostly concentrated at the root of the issue. The processes of assigning authorizations are less stringent, anyone can have the role they want, but everyone knows that the information viewed, exported and managed is tracked and controlled. A separate chapter could be written on the subject of lawfulness.
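To make the idea of "loose assignment, strict tracking" concrete, here is an added example (not code from the original post and not an SAP tool) of a detective control: a script that reads an activity log and flags any user who executed both sides of a segregation-of-duties rule on the same object within a time window, plus a list of sensitive exports for review. The log format, the rule ids, the activity names and the sample users are all constructed for this illustration; they are not the SAP Security Audit Log format or a real SAP ruleset.

```python
"""
Detective segregation-of-duties (SoD) control over an activity log.

Hypothetical example: the log format, rule ids and activity names below are
constructed for illustration. They are NOT the SAP Security Audit Log format
and NOT a real SAP SoD ruleset.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SoD ruleset: rule id -> (description, pair of activities that
# one person should not both perform on the same object).
SOD_RULES = {
    "SOD-01": ("create vendor + release payment", {"VENDOR_CREATE", "PAYMENT_RELEASE"}),
    "SOD-02": ("maintain user + assign role", {"USER_MAINTAIN", "ROLE_ASSIGN"}),
}

# Activities whose every occurrence is listed for periodic review.
SENSITIVE_ACTIVITIES = {"DATA_EXPORT"}

# Constructed log lines: timestamp | user | activity | object
SAMPLE_LOG = """\
2024-03-01T09:12:00 | alice | VENDOR_CREATE   | V-1001
2024-03-01T09:40:00 | bob   | PAYMENT_RELEASE | V-1001
2024-03-02T14:05:00 | alice | PAYMENT_RELEASE | V-1001
2024-03-03T08:00:00 | carol | USER_MAINTAIN   | dave
2024-03-20T16:30:00 | carol | ROLE_ASSIGN     | dave
2024-03-04T10:00:00 | bob   | DATA_EXPORT     | customers.csv
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, user, activity, object) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, activity, obj = (field.strip() for field in line.split("|"))
        records.append((datetime.fromisoformat(ts), user, activity, obj))
    return records


def find_sod_conflicts(records, window=timedelta(days=7)):
    """Return (rule_id, user, object) for every case where one user performed
    both activities of a rule on the same object within `window` of each other.
    Two different users sharing the work (alice creates, bob pays) is fine."""
    by_user_obj = defaultdict(list)
    for ts, user, activity, obj in records:
        by_user_obj[(user, obj)].append((ts, activity))

    findings = []
    for (user, obj), events in by_user_obj.items():
        for rule_id, (_desc, pair) in SOD_RULES.items():
            first, second = sorted(pair)
            times_first = [ts for ts, act in events if act == first]
            times_second = [ts for ts, act in events if act == second]
            # Conflict only if some occurrence of each side falls within the window.
            if any(abs(a - b) <= window for a in times_first for b in times_second):
                findings.append((rule_id, user, obj))
    return findings


def sensitive_exports(records):
    """Return (user, object) for every sensitive activity, in log order,
    so a reviewer can confirm each export was legitimate."""
    return [(user, obj) for _ts, user, act, obj in records if act in SENSITIVE_ACTIVITIES]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rule_id, user, obj in find_sod_conflicts(recs):
        print(f"{rule_id}: {user} executed both sides on {obj} ({SOD_RULES[rule_id][0]})")
    for user, obj in sensitive_exports(recs):
        print(f"REVIEW export: {user} -> {obj}")
```

With the constructed sample, alice is flagged under SOD-01 (she created vendor V-1001 and released its payment a day later), carol is not flagged under the default 7-day window because her two actions are 17 days apart (widening the window to 30 days catches her), and bob's export is listed for review. The window is a tuning knob: a wider one finds more, at the cost of more items for the reviewer to clear.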
We'll see!
What do you think about this topic? Write your thoughts in the comments!