Integrated Risk Management
Through the application of technology and automation, we'll help you manage your risks efficiently and effectively across the entire enterprise.
Identity and Access Management
We'll help you ensure everybody within your organisation has access to the right systems and data, for the right reasons, and at the right time.
Cyber & Application Security
Our experts will uncover security weaknesses within your security design and business-critical applications. Helping you protect your organisation from both internal and external threats.
About us
A group of passionate individuals with a shared purpose to help the world's leading companies embrace best practices for GRC and risk management.
Turnkey's strategic partner network consists of selected organisations that complement our capabilities.
Corporate Social ResponsibilityCSR
We are committed to being agents for change through our Climate Action Plan, championing diversity in our workplaces, and more.
Get in touch
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Webinars & eBooks
All of Turnkey's webinars, guides and other insights available in one place.
Read the latest insights from our experts on GRC and risk management, covering the latest industry topics.
Press Coverage
See all the publications where Turnkey, our experts and our successes have been noted.
Key events
See the key industry conferences on GRC, SAP security and risk management which we are attending.
Case Studies
Client satisfaction is of the utmost importance to us, and we strive to constantly deliver above expectations, going the extra mile at every opportunity.
We've put together a comprehensive list of frequently asked questions - along with our responses - to the most common GRC and SAP security issues.
22 May 2023

Bridging the Gap: The Crucial Role of Security in Connecting Business and IT Leaders

Exploring the vital, but often missing, link between Business Process Owners and IT - Kelly Webber, Senior Manager IT Security Consultant

I always dread when I'm asked what I do for a living.  I think it’s because often when I tell people that I'm an IT Security Consultant the conversation immediately turns to securing networks, firewalls, and infrastructure. Which, to be fair, is IT security - but it is not what I do. I was curious one day and asked my 13-year-old daughter what she thinks my career is, and her response was “I have no idea, but it seems like a lot of data and extremely boring.”  Which, honestly, is more along the lines of what my day-to-day job actually looks like.  

As a security professional with expertise in access governance, application security, data security & compliance (what a mouthful!), I do deal with data, a lot of data: user IDs, email addresses, positions, organizational levels, business partners, roles, authorizations, sensitive fields, critical authorizations, data matrices, ITGCs, mitigating controls, control frameworks, and so on and so on.  

During the last ten years of my career, around 90% of my clients cannot answer these two simple questions: 

  1. Who has access to what data?

  2. Why do they have access to that data?  

Even more worrying, business process owners cannot answer if there are data inconsistencies across their applications and systems. What happens when these organizations are now subject to new data regulations that require them to answer these questions within 24 hours or be slapped with massive fines? The answer to this problem is urgent, not only because organizations are becoming more digitally complex, but also because data privacy and security regulations are quickly becoming a reality for businesses! Organizations that successfully navigate these regulations will be proactive in defining and documenting where their data exists, who has access to that data, and how they can secure the data from being compromised. But how? What does security have to do with it? 

This year’s RSA Conference theme was “Stronger Together” and I was delighted to see it, as this approach is critical for security professionals when organizations ask them to advise, fix, and secure their business platforms. Business Process Owners and IT are all too often operating in isolation, not discussing where and how data flows across systems. 

Often, I'm asked to assist an organization in implementing and securing a specific application for a specific business process (HR for example). During discovery, when I ask the HR owners about what data in finance their joiners, movers, and leavers need access to, I get this answer: “Ask Finance. That’s not an HR question.” But conversely, if I'm implementing a new Finance application and ask Finance owners when during the hiring or transferring process do employees get access to applications, and how do you determine the access they have, the response I often get is: “Ask HR”.   

We have to start breaking down these barriers across the business and start having real conversations about data! Security is the golden integrator between business process owners - the team that intimately knows how the applications work and where the data is on those applications. Why? Security administrators have already identified where the critical and sensitive data is in the system to be able to grant access. What happens if the organization needs to integrate those systems? Or what if an auditor asks a finance person who has access to critical data for a cost center? Unfortunately, IT security is often seen as a blocker to business processes, or “The Office of No”. But in fact, IT security is a key enabler of business processes. For the business to operate, data must be available to them, the integrity of the data must be protected, and the confidentiality of that data is key. 

Businesses cannot thrive and will not survive if security is not given a seat at the decision-making table. Data regulations are coming, and quickly, and guess who can ensure your business is compliant? Security. 

I’ve been seeing this issue creep up for the past 20 years and am ecstatic that these conversations are starting to become imperative to organizations. IT professionals have been training for this for years! Hopefully, we can move the needle enough so that when I ask my daughter about what I do at work, she answers by telling me, “You connect business and IT leaders to help make them "Stronger Together.”


Turnkey Virtual Event Banner Template 2023 5-9-23 (2)