Today, every efficient GRC (Governance Risk & Compliance) program includes SoD. Separation of duties means separating the roles of people who deal with different steps of a company’s business transactions—lowering the risk of errors or intentional fraud in the process.
With SoD, all responsibilities within the company’s transactions are shared, meaning one person is never solely responsible for a process’s critical functions. However, while this works perfectly in theory, there are still a number of risks we need to prepare for.
Separation of Duties Risks
The new wave of SoD risks began roughly half a decade ago. Companies started shifting away from big, monolith ERP solutions to a variety of smaller vendors. From there, a mix of on-premise and cloud-based deployments also became increasingly popular.
There are plenty of advantages to this hybrid application approach. Companies can easily choose the best vendor for each one of their individual needs, coming up with a specific enterprise technology solution for their particular business.
However, the other side of that coin is the vast rise in SoD risks. There are plenty of access security challenges that arise from cross-application integration, along with a multitude of security solutions.
While acquiring and integrating cloud-based solutions is easier than ever, that’s not always a good thing. Business leaders are adding new applications frequently without the full involvement of IT departments. And since IT staff are far more familiar with compliance requirements and cloud security than the management team, the risks are severe.
Using more applications means more automation. It also means more workflows and integration points, along with sets of compensating or mitigating controls that need to work in harmony. Things don’t get any easier after the initial implementation either, as companies need to carefully manage the “domino effect” of mandatory software updates to multiple enterprise applications in one business entity.
COVID-19 has also significantly impacted the business landscape. Once a niche choice or employee perk, remote work is now the norm for many industries. With parts of the global workforce staying more mobile and remote even after the end of the pandemic, security risks are further increased on the vendor side as well.
In addition, plenty of companies have realized that efficient restructuring can achieve the same results within a smaller workforce. While this can be beneficial from an organizational and financial standpoint, a concentration of responsibilities is the primary logical source of SoD risks.
This complexity makes it easy for decision makers to become overwhelmed, resulting in only the bare minimum being done to secure SoD controls across the entity.
Mergers and Acquisitions
Another acute source of recent SoD risks is the increased M&A (merger and acquisition) activity. While this is a positive development for a market in desperate need of recovery, it’s simultaneously a breeding ground for SoD failures.
Actions from the Federal Reserve lowered the cost of capital in 2020, especially for bigger companies. This kind of low-rate landscape has increased the volume of M&A transactions in 2021 as well.
With more and more organizations combining their powers, SoD risks are becoming more mainstream. Companies that undergo massive growth through M&A often combine existing technologies from previous entities—usually on short notice. This leaves the complexities and SoD deficiencies largely unattended.
Changing regulations, shifting department responsibilities, more mergers, regular software updates, applications from different vendors—all of these factors have hugely complicated SoD and risk management in general. However, while technology has largely triggered these issues, it is also the only way forward.
Future of SoD
The companies experiencing the most SoD issues are trying to manage SoD compliance manually—creating makeshift, cookie-cutter in-house solutions. In the end, these rarely work to improve risk management or achieve a higher level of efficiency in the process.
Automation is the correct answer, but plenty of organizations simply aren’t equipped to handle various SoD risks across different applications. That’s where implementing a dedicated third-party security solution comes in.
Separation of Duties Management solutions help track the vulnerabilities that arise. Plus, this solution meets the needs of a global workforce with 24/7 self-service, allowing employees to request access to tools and applications whenever they need to. SoD Management Solutions removes excess permissions that often come with remote work.
The same is true of risks arising from M&A transactions, thereby allowing companies to expand and enter new markets freely. SoD Management helps with user access planning before the merger, along with implementations and post-merger activities.
SoD Management also assists with cloud security. This helps companies use all the cloud infrastructure they need to succeed without increasing SoD and other operational risks.
Wrapping Up
In 2021, the list of SoD risks is longer and more complex than ever before. However, modern SoD and Access Risk Management solutions enable companies to simultaneously tackle a variety of security issues, from M&A risks and multi-cloud integrations to the problems that come with remote work.
See how SoD policy management can prevent conflicts of interest, build and enforce custom policies across applications, and meet your organization’s compliance needs.
You might also be interested in:
Take control of your cloud platform.
Learn more about SailPoint’s separation-of-duties policy management.