12 July 2015

Evolving Challenges Require Evolving Skills

One of our clients recently remarked that our team offer something that their other partners in the security & GRC space don't: we keep them integrated with other relevant projects in their organisation, and they are confident that they get the benefit of our experiences from other engagements and clients.

That is great to hear and reinforces my view that we take KT seriously, but it also got me thinking about how, like projects often are, security knowledge for SAP is still kept in silos.

SAP and the security ecosystem have done great work in getting the message out that as the technology platform improves integration and collaboration, there is a need for strong controls over the technology that supports this. Those controls are not the domain of just one team, but from a security perspective we need to understand how they fit together to provide a secure environment.

There have been discussions on some of the SAP forums recently debating the role of the SAP security analyst (and the relevance of certification based on that role).

There are two prevalent views:

  1. Those who say that they retain a business focus and therefore roles are their domain and that's where they are staying. If SoD and SA checks are OK then things are secure (which will be the topic of another blog soon).
  2. Those who are developing their skills to meet the challenges of evolving technology and business practices. They view security holistically and, while not necessarily being expert in comms, OS, DB, network security, etc., they have an understanding of the integration points and dependencies between the components.

The business & technical components of security are not mutually exclusive, and it is one of the things that makes this field such an interesting area to work in. I do, however, believe that a credible security practitioner must be aiming to wear both hats if they want to be, and stay, effective.