‘Smooth Sailing’ Fallacy in ERP Security

I just read an essay with interesting observations made by Richard Rumelt in McKinsey Quarterly. He says: “There’s been a dramatic failure in management governance. And so our basic doctrines of how we manage things are in question and need revision.

At the heart of this failure is what I call the “smooth sailing” fallacy. Back in the 1930s, the Graf Zeppelin and the Hindenburg were the largest aircraft that had ever flown. The Hindenburg was as big as the Titanic. Together these vehicles had made 620-odd successful flights when one evening the Hindenburg suddenly burst into flames and fell to the ground in New Jersey. That was May 1937.

Years ago, I had the chance to chat with a guy who had actually flown over Europe in the Hindenburg. And he had this wistful memory that it was a wonderful ride. He said, “It seemed so safe. It was smooth, not like the bumpy rides you get in airplanes today.” Well, the ride in the Hindenburg was smooth, until it exploded. And the risk the passengers took wasn’t related to the bumps in the ride or to its smoothness. If you had a modern econometrician on board, no matter how hard he studied those bumps and wiggles in the ride, he wouldn’t have been able to predict the disaster. The fallacy is the idea that you can predict disaster risk by looking at the bumps and wiggles in current results.

The history of bumps and wiggles—and of GDP and prices—didn’t predict economic disaster. When people talk about Six Sigma events or tail risk or Black Swan, they’re showing that they don’t really get it. What happened to the Hindenburg that night was not a surprisingly large bump. It was a design flaw.

To see the disaster coming, you had to have looked beyond the data about flight bumpiness—beyond the professionalism of the staff—and really think, ‘Does it make any sense to have people riding in a gondola, strapped to a giant sack of flammable hydrogen gas?’ There’s just not a data series that lets you think about that. But it’s not that hard to think about.”

If we apply this logic to SAP security, I find many SAP customers suffer from the smooth-sailing fallacy: ‘Well, we implemented SAP 10 years back, IBM is managing the support, we have no problems! Our security incidents are insignificant.’ ‘Oh, we have installed SAP GRC solutions, but no one uses them!’

This smooth-sailing fallacy in IS security arises when we mistake a measure for reality. Competent management always looks deeper than the numbers, deeper than the current measures. Incompetent management just focuses on metrics that describe past reality. And that’s how we get into these troubles. We really have to think about redesigning ERP and SAP security and the way we measure it. The lesson is fundamental: you cannot manage by just looking at the results meter. You have to have a big-picture view of security and keep your security protocols and metrics under constant revision. That means a security policy that may be 5 years old is useless, and you effectively have no security in place.

CEOs and CFOs will use the smooth-sailing argument: ‘Hey! We never had a security issue in the past 2 years, so why now?’

You have to show them what Rumelt said about the Hindenburg! A small design flaw can blow them out of the window.

Is NetWeaver IdM really replacing CUA?

So far – despite all efforts from SAP on the marketing front – I have not seen this become a reality. CUA is no longer one of SAP’s beloved children, meaning no major functionality upgrades will be provided through enhancements. But to tell you the truth, it works. So if you only care about SAP user provisioning (like me), then CUA is good enough. On the flip side, CUA has nothing to do with identity management. Its intent was to simplify role assignments across complex system landscapes, not to automate user management. It’s still not capable of mirroring best practices for onboarding, position changes and terminations. The manual workload is tremendous, and here and there, in the midst of Excel spreadsheets and e-mails from HR, orphan user IDs are as inevitable as candy at Halloween.
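The orphan-ID problem described above is easy to detect even without an IdM product: reconcile the SAP user list against the HR roster and flag dialog users HR has never heard of, plus leavers whose accounts stayed usable after their termination date. The script below is an added example, not code from the post or from SAP; the column names mimic USR02 fields (BNAME, USTYP, GLTGB, UFLAG), which is an assumption about the export format, and every row in both data sets is constructed for illustration.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed sample export of SAP users. Column names mimic USR02 fields
# (BNAME = user name, USTYP = user type, GLTGB = valid-to date as YYYYMMDD,
# UFLAG = lock status); all rows are invented for this example.
SAP_USERS_CSV = """BNAME,USTYP,GLTGB,UFLAG
JSMITH,A,,0
MJONES,A,20231231,0
TWANG,A,,64
BATCH_FI,B,,0
LEGACY01,A,,0
ACHEN,A,,0
"""

# Constructed HR roster, standing in for the HR feed (or the spreadsheets
# and e-mails the post complains about).
HR_ROSTER_CSV = """employee_id,sap_user,status,termination_date
1001,JSMITH,active,
1002,MJONES,terminated,2023-06-30
1003,TWANG,terminated,2024-01-15
1004,ACHEN,active,
"""


@dataclass(frozen=True)
class Finding:
    user: str
    category: str  # "orphan" or "leaver_account_open"
    detail: str


def parse_sap_date(raw: str) -> Optional[date]:
    """GLTGB-style YYYYMMDD string -> date; empty means 'no expiry'."""
    raw = raw.strip()
    if not raw:
        return None
    return date(int(raw[:4]), int(raw[4:6]), int(raw[6:8]))


def load_csv(text: str) -> List[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(sap_csv: str, hr_csv: str) -> List[Finding]:
    """Compare an SAP user export with the HR roster and return findings."""
    sap_users = {row["BNAME"]: row for row in load_csv(sap_csv)}
    roster = {row["sap_user"]: row for row in load_csv(hr_csv) if row["sap_user"]}
    findings: List[Finding] = []

    # 1. Orphans: dialog users (USTYP A) with no HR record at all.
    #    System/communication users are reviewed separately, so skip them here.
    for name, row in sap_users.items():
        if row["USTYP"] == "A" and name not in roster:
            findings.append(Finding(name, "orphan", "dialog user has no HR record"))

    # 2. Leavers: HR says terminated, yet the account was still usable afterwards
    #    (not locked, and valid-to date missing or later than termination).
    for name, hr in roster.items():
        if hr["status"] != "terminated":
            continue
        sap = sap_users.get(name)
        if sap is None:
            continue  # already deleted in SAP; nothing to report
        locked = int(sap["UFLAG"] or 0) != 0
        valid_to = parse_sap_date(sap["GLTGB"])
        term = date.fromisoformat(hr["termination_date"]) if hr["termination_date"] else None
        if not locked and (valid_to is None or term is None or valid_to > term):
            until = valid_to.isoformat() if valid_to else "no expiry"
            findings.append(Finding(
                name, "leaver_account_open",
                f"terminated {term}, account valid until {until}"))

    return sorted(findings, key=lambda f: (f.category, f.user))


if __name__ == "__main__":
    for f in reconcile(SAP_USERS_CSV, HR_ROSTER_CSV):
        print(f"{f.category:20} {f.user:10} {f.detail}")
```

On the constructed data this flags LEGACY01 as an orphan and MJONES as a leaver whose account stayed valid for six months after termination; TWANG is terminated but locked, and BATCH_FI is a system user, so neither is reported. Running a check like this on a schedule is a far better "results meter" than counting reported incidents.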

So I say it’s time to retire the good old box and get something in place that makes SU01 and SU10 go away forever. Time it is indeed.