I am just finishing a project in which we helped design and implement application security for a global rollout of a manufacturing company. The politics of a project never cease to amaze me, and every project has its own unique politics. I have seen it all. A well-run project takes strategic vision and the proper leadership to support all the objectives. More often than not, a project is well supported from an operational perspective, but does not have the same level of support or leadership when it comes to security and controls. This is why using a firm independent from the system integrator is so important. Without a proper understanding of the risks involved in implementing the applications—either from a project as a whole or from an individual element such as application security—management is running blind. In many cases, management does not have the experience or expertise in implementing enterprise resource planning (ERP) systems in general or the specific ERP system in particular. Having both types of knowledge is critical to effectively manage a project.
All too often, the bidding process for system integrators lends itself to a “get it done on time and on budget and forget about it” response when it comes to things like properly designed security or the implementation of proper internal controls prior to go-live. Without strong project leadership, proper security and controls often never get implemented because post-go-live funding is difficult to attain due to the core project being late and over budget.
I suspect this post may hit a few nerves and am looking forward to any comments.
Jeffrey T. Hare, CISA, CIA, CPA
Additional comments from ISACA Journal authors are featured in the Journal Author Blog.
ISACA members can also read Jeffrey T. Hare’s recent article:
“Risk Management When Implementing ERP Systems,” JournalOnline, ISACA Journal, volume 1, 2011