Ms. Weber is slowly getting an inkling of why her predecessor gave up as IT department head after three years. Identity management alone is excessively tedious, complicated, and not comprehensible in the slightest. The question of whether Mr. Schneider, the predecessor of Ms. Schmitt, who has moved to another area, still has access to the controlling systems, cannot be answered quite simply. Likewise, it happens repeatedly that new employees twiddle their thumbs, as they do not yet have access to all systems, data, and IT resources relevant to their job. This is all because no one really knows which authorizations and access rights are required for which tasks. Of course, nothing is documented, and historical data is only partially available. Her employees are just scurrying around the hallway like mice, so that they will not constantly be stopped with questions and requests. The attempt to bring order into the chaos has so far been only partially successful – bringing Monika Weber again back to the subject of documentation and history. In addition, the processes for approvals are not being complied with, either someone will be forgotten, or your employees will receive emails with content along the lines of “As discussed when we were having a smoke, drinking coffee, or whatever…”. Nothing against the shortcuts if they help get the work done, but it really cannot go on like this, because this way she will only be able to survive the next IT audit with a lot of luck.

Based on the renewed idea “If you are in a company long enough, you have all the permissions and access”, Ms. Weber now gets the picture. She looks to see if Susanne Schmitt is in the office today and walks right over. Because she has a current and very real problem. Her predecessor, Mr. Schneider, is taking shortcuts in the reporting path and regularly even circumvents it entirely. As is explained quite simply – even if according to records he no longer has access to his old controlling systems, he could in fact still have it. Because he regularly checks whether there is budget for his planned actions, and only informs Susanne that he is taking this action because she has the budget for it. He likes to cut this so tight that one can no longer hold off on the activities. Actually, he is supposed to regularly coordinate with Susanne, who then allocates the budget to him, since the sold promotional product and thus also the budget is in her area of responsibility. So, one neither plan nor do any work this way, and Susanne is understandably about to lose it. Turning to the superiors of both of them is of absolutely no use, as Ms. Weber and Ms. Schmitt always get the answer “… But according to the documentation, this is not possible at all, he no longer has access …”. They have also been waiting for a long time for the Finance Department’s reply regarding Mr. Schneider’s access to the controlling systems.

Now the two make a plan and reach very deep into the Pandora’s box. Because no great disaster has yet happened, but it could happen at any time. The question they are now asking their superiors is: Who is responsible if Mr. Schneider oversteps the budget because he is not coordinating with Susanne? This can have many reasons and can just as easily happen, the budget reduction to the half-year does not yet appear, the action with another department has only recently been agreed and therefore has not yet been entered or something similar. Will Mr. Schmitt’s supervisor turn a blind eye, or will he himself, or even Monika and Susanne, bear the brunt of it? As soon as non-existent money has been spent, good advice is tough to get, and the managing director will certainly not have much understanding for this in the tense market situation. That is the least of the problems. What happens when an employee who has already held a number of positions in the company does not part on good terms? He could leak customer data or other information, or even delete and manipulate data. There are no limits to the imagination, as long as he only has access, the possibility is very real. The trigger may be that someone else has received the promotion, or another event that is offensive from the employee’s point of view.

The plan of the two of them is quite simple in itself, Susanne asks who takes responsibility for an excessive budget, and Monika points out the other and very real risks of damage. Hopefully, this will give both parties what they need: a single determination about the budget and an identity management system that will automatically assign and also control users and authorizations centrally. In this way, IT also achieves the desired balance for the audit – between smooth access and effective protection of IT resources, systems, and data.

The appointment has been sent out, all three superiors have agreed, and Ms. Schmitt and Ms. Weber are meticulously preparing their arguments. The scenario is supposed to be as terrifying as it actually is. Because the damage to the company is a real and serious risk.