Sponsored: Can Pablo Escobar teach us something about risk management?


Pablo Escobar is one of the most infamous narco-terrorists of our time. He is less known as an access risk management professional. The truth is, risk mitigation has been one of his greatest accomplishments!

The following is sponsored content. It may not reflect the opinions of our editorial team.

By Dudley Cartwright, Co-Founder and CEO of Soterion

Pablo Escobar is one of the most infamous narco-terrorists of our time. His name is synonymous with illegal drugs, brutal murders, and a remarkable knack for avoiding capture. He is perhaps less known as an access risk management professional.

But the truth is, mitigating risk was one of Pablo Escobar’s greatest accomplishments. And the way he operated gives us some great principles that we can apply to SAP security and access risk management.

Now, I’m in no way glorifying Escobar’s antics, but the fact is that he was running a multi-billion dollar a year industry that had many moving parts – all without the aid of the kind of fancy technology to which many of us have access today. This is not an easy task.

While I’m not suggesting you go out and commit a crime, there are important lessons you can learn from Escobar to help you manage risk, improve SAP security, and improve access risk management in your organization.

The Three Lines of Defense of SAP Security

Escobar’s greatest fear was being arrested and extradited to the United States. So how is it possible that he was the most wanted person in the world for a period of 10 to 15 years, everyone knew the city where he was residing, but some of the most powerful government agencies couldn’t catch him?

The answer is that Escobar was brilliant at managing risk. He not only had a very clear idea of his risks, but he implemented a strategy better than any organization today to mitigate those risks.

Escobar enjoyed and perfected all three lines of defense. In business or not, you have three lines of defense when it comes to SAP security:

  • First line: Operational/Professional Users
  • Second line: Risk/Compliance Departments
  • Third line: Audit/Insurance Departments

Your first line of defense should be your strongest

Escobar put together an exceptionally effective first line of defense.

In his city of Medellin, he was almost untouchable. He realized the importance of having lots of eyes and ears on the ground, so people from all walks of life fed him information when there was a risk. From street kids to grandmothers selling food on street corners, whenever something looked suspicious, Escobar was notified.

If a Westerner arrived at Medellin airport, it was assumed that he was a DEA agent and would be tracked and monitored. When the Colombian army moved on Escobar, a street vendor noticed many army trucks leaving the barracks and thought it could only be for one reason – and then alerted Escobar.

One could argue that Escobar’s second line of defense was to bribe the police and military. Perhaps his third line of defense was his army of assassins. However, it was Escobar’s first line of defense that most often got him out of trouble.

For organizations, this is also true: your first line of defense should always be your strongest.

An organization’s first line of defense is usually its employees (super/key users) who have been with the organization for 15-20 years. They understand their industry and business processes better than anyone.

Unfortunately, in most organizations, this is usually the weakest line of defense. It is not because these employees do not know the risks in their field; it is because the organization has not implemented the appropriate processes and solutions to allow these users to participate in risk management activities.

Strengthen your first line of defense with business-centric solutions

If you have employees who have worked in your organization for many years and/or who have a deep knowledge of their field of activity as well as a clear understanding of the risks, you are in a good position.
But having these people available is not enough.

You need to provide them with the right solutions and processes to manage access risks and harden SAP security.

Too often, organizations end up implementing complex solutions that are too technical for business users, resulting in underutilized or redundant solutions. At best, these technical solutions end up being used as “back-end” solutions by the IT or technical team.

When this happens, you lose your first line of defense.

Be more like Escobar (minus the drugs and the deaths)

Escobar implemented a system and process where people in the field could effectively act as the first line of defense. These first liners were educated on what was considered a risk to Escobar. When a risk was identified, there was a clear process that the first liners could use to pass this information on to the relevant people in the organization. Escobar authorized his first liners to sound the alarm if they noticed anything that posed a risk.
While you may not have the weapons Escobar had, you do have a powerful weapon when it comes to risk management – loyal and experienced operational and commercial users.

By building business buy-in and improving your first line of defense, your organization will become more risk-aware and be able to identify and respond to security threats more quickly.

To give your organization the best chance to combat risk, you need to equip your users with the right weapons – and one of your best weapons today is an enterprise-friendly GRC solution. By giving your people tools they not only understand but aren’t afraid to use, you empower them to effectively manage your organization’s risks.

About Soterion

Soterion is a leading international provider of governance, risk and compliance solutions for organizations running SAP. Soterion’s user-friendly GRC solutions provide detailed access risk reporting to enable organizations to effectively manage their access risk exposure. Soterion is passionate about simplifying governance, risk and compliance processes, with a focus on translating this complexity into user-friendly language to improve business decision-making and accountability.

About the Author

Dudley Cartwright, co-founder and CEO of Soterion

Dudley Cartwright is co-founder and CEO of Soterion. With over a decade of SAP authorization experience, Dudley’s strong technical understanding combined with deep business knowledge has enabled him to implement the highest quality security solutions for enterprises around the world. Dudley has a passion for implementing “fit for purpose” value-added solutions – a philosophy that has become a cornerstone of Soterion’s mission.

