IT security - no more tinsel please
I'm a big fan of the Pessimists Archive podcast. Jason Feifer gives a stirring and not at all dusty account of the history of resistance to change.
Things that today count as conservative and established were revolutionary, and often "of the devil", when they were introduced. The waltz, for example, was as scandalous in the early 1800s as rock 'n' roll was later; people even fought duels over its honorability. Hard to believe?
I can tell whether something is taken seriously by whether someone is willing to pay money for it. And security for SAP is now taken seriously. Today, I see that companies are willing to change something.
However, only enough to change as little as possible of the established system. New SAP authorizations are requested, which are expected to be conflict-free and to fit into the existing concept. But the operating concept usually amounts to doing mass work manually, with human labor.
Dull, error-prone, boring and completely replaceable. Administrators in dozens of companies I've personally met are still working on IT security as they did before the iPhone was introduced. That was 2007.
While many companies are now working on how employees and customers can access the SAP system via pretty new Fiori interfaces, the mood in the engine room is gloomy and sinister. There is no orchestration or control, just a blunt shoveling of coal into the fire.
Keeping hundreds of roles in sync across front-end and back-end servers without investing in role and identity management concepts and tools is an outdated concept.
Operating an SAP system without established security monitoring is an outdated concept. Not investing in systematic SAP security training for employees is, you guessed it, an outdated concept.
And new employees are increasingly unwilling to accept this. Why should they? They have a choice - there are enough employers who are urgently looking for skilled and motivated personnel.
Why should a young employee then take on dull jobs built on old concepts, when at other companies he could develop the concepts and configure the tools that do the repetitive work for him?
The "get in IT Study 2017-2018" states:
"IT talent wants to innovate and become experts in their field."
So we have the absurd situation that the budget is there, but success will not materialize, because a sustainable security concept still has to be operated by expert personnel. And they are not in the mood for "there used to be more tinsel".
It's not that anyone has done anything wrong. But if SAP's existing customers want to keep existing securely in today's reality, and not end up in the headlines as a data leaker or in bankruptcy over lost company secrets such as recipes, then employees must be recruited to help. And companies must accept that there is more to change than giving the SAP system a single once-over.
In the history of every innovation, there have always been one or more people who would not be talked out of the new idea, even when everyone around them grumbled and complained. Every company needs this one person: the one who patiently explains the advantages of the new without snubbing those who still cling to the old.
At the end of the day, it's like waltzing: The young won't be dissuaded because they understand the new world and take IT security as seriously as it needs to be today.
Not by manually tinkering with roles or creating users by hand. Instead, a concept is developed and established tools are used, so that there is also time to learn about new security risks and plan countermeasures.