Skip to Content

My most recent SCN blog shared highlights of my week at SAP TechEd, which I encourage you to read if you have not already done so, just to keep my observations here in perspective. It really was a great week. But…

This post has been on my mind since May, as it got its genesis during an ASUG Community Meeting at the SAPPHIRE+ASUG conferences.

An SAP employee, who shall remain nameless, responded to a question during that meeting that there would be no educational content on GRC 10.0 at SAP TechEd this year. I was among the people quite disappointed to hear it, as upgrading to GRC 10.0 seems to be one of the hottest topics among security administrators this year. After that conference, I filed that comment in the back of my mind for future reference.

When I planned my personal agenda for TechEd, I did a search on GRC in the session catalog, just in case something had changed.

GRC search TechEd session catalog.png

Let’s face it: that list is pretty slim pickings, considering that the only lecture session listed was my own presentation on the work done by our Security Influence Council.

Fast forward to last week at TechEd in Las Vegas. At the first of the two Expert Networking Sessions I facilitated, I invited all present to introduce themselves and briefly mention the biggest issues on their plates today. Nearly every customer there mentioned GRC: planning for their upgrade, in the midst of their upgrade project, or dealing with the aftermath of going live with one or more upgraded GRC modules. Therefore, I invited them to return the next day for my second Expert Networking Session, which I would devote entirely to GRC and the educational content we wish had been available at TechEd.

I should have taken a photo: the lounge was packed with people eager to share ideas and build a wish list of education sessions they would have liked to attend at TechEd. Those topics included:

* GRC as a technology stack – Basis viewpoint on standing up the technology and architecture options

* Integration between GRC 10.0 and all other SAP technologies, including SAP Portal

* Installation tips and tricks

* GRC and SAP HANA

* GRC and SAP Identity Management – recommendations for getting them to play nicely together

* Structuring security for best practices in GRC

* Configuration of GRC reporting

* Roadmap for GRC

* Job-based provisioning and integration between HCM and GRC

* Customer success stories with Business Role Manager (BRM) and User Access Management (UAM)

* GRC 10.0 and CUA integration – inside/ outside Solution Manager

* Mobile GRC – technology requirements ( GRC Access Approver mobile app, anyone?)

Obviously this wish list contains some topics suited to customer success stories, and I encouraged those customers present who had already gone live with their upgrade to consider presenting at SAPPHIRENOW and ASUG 2013. However, it is my fervent wish that SAP’s GRC consultants and solution management will consider offering lectures on at least some of the more technical topics from this wish list at TechEd 2013.  As for hands- on sessions, I offer the suggestion of the MSMP workflows used in GRC 10.0 which are new to just about every SAP security administrator. They may be “old hat” to a lot of customers, but they are new to us.

It has been suggested to me that I just give up and attend a third-party conference dedicated to GRC. The thing is, GRC is just one part of my job, as it is for many of us in security administration, and TechEd is *the* SAP conference dedicated to technical learning. Yes, GRC 10.0 sits on ABAP and is not a wholly unique technology, but there are certainly technical aspects that customers are eager to understand more fully. I hope that those who plan SAP’s education content for TechEd take these customer wishes into consideration for next year, and I also hope that those who have first-hand GRC 10.0 knowledge consider putting in an abstract when ASUG’s Calls for Speakers go out.

To report this post you need to login first.

12 Comments

You must be Logged on to comment or reply to a post.

  1. Chip Rodgers

    Hi Gretchen,

    Thank you for the feedback — and congratulations and great job on your Expert Networking sessions!

    I will pass this feedback (and a link to your blog) on to our content team.  Bernhard Steigleider manages the overall content structure for TechEd globally.  Also Kristian Lehment manages the Security track (though I know some GRC topics show up in other tracks like ALM, TEC, and others.)

    One other thought is that in your example above, you searched on the text “GRC” which only picks up sessions where the letters GRC were literally written into the session abstract.  The other way to search is through “Topics” and there is a Governance Risk and Compliance topic that brings up 30 related sessions.  Here’s a link for that list of sessions:

    http://TechEd2012.sapevents.com/sessions?sf=953

    Either way, we appreciate the feedback and will continue to strive for the best, most relevant content for what TechEd participants are looking for!

    Chip


    (0) 
    1. Gretchen Lindquist Post author

      Chip,

      Thanks for pointing out that there were sessions on compliance and governance-related topics (three of the thirty being my own 😉 ) , but sessions on using SAP IdM and SAP SSO for achieving improved compliance and better governance are fine for those interested in those solutions but not the same as sessions on SAP GRC 10.0.  I appreciate your willingness to pass along my feedback. As I said, it was a great event; this additional content just would have made it even better.

      Now I am looking forward to next year even more!

      Gretchen

      (0) 
  2. Cooper Richard

    Hi Gretchen,

    I agree with your position. SAP GRC tools are typically a key part of a SAP Security Consultants responsibilities and are only touched on lightly at Tech Ed. In my opinion, GRC Access Control in particular has a natural fit at Tech Ed. It is often a key tool in a SAP security consultant’s working life. For example, GRC AC has functionality which:

    – overlaps with SAP IdM (i.e. User Access Management)
    – is key to technical role design & builds (i.e. Access Risk Analysis.)
    – can be used to manage roles (i.e. Enterprise Role Management)

    Covering GRC-AC would be a plus for the SAP security community at SAP Tech Ed.

    Thanks for posting the blog. I’m disappointed I didn’t make it to your expert network sessions. It is challenging to fit in everthing you want to do at Tech Ed.

    Regards,
    Richard.

    (0) 
    1. Gretchen Lindquist Post author

      Richard,

      Believe me, I too have to make very difficult schedule choices while at TechEd and inevitably miss out on sessions that I would have enjoyed very much. Maybe next year we will be able to meet up. Thanks for sharing your perspectives on my post; I am hopeful that these suggestions will get some traction.

      Regards,

      Gretchen

      (0) 
  3. Julie Ford

    HI Gretchen,

    Thanks for posting these.  Hopefully next year we can have some technical config sessions on GRC10.  The expert sessions were excellent, thanks for facilitating such great dialogue.

    Julie

    (0) 
    1. Gretchen Lindquist Post author

      Julie,

      I will keep my fingers crossed that we will see a change. Thanks again for your own participation and for being my scribe at the session; it helped me keep the discussion moving forward.

      Gretchen

      (0) 
  4. Mehul Shah

    Hi Gretchen,

    Thanks for your post.  As I had conveyed to you, one of the reasons for *not* attending the TE this year was the complete lack of any useful sessions in the Security/GRC/IDM space. Hoping that SAP brings more focus on Security/GRC 10/IDM in ASUG/TechEd 2013, especially from a HANA/Mobility standpoint and also addresses some of the GRC upgrade pain points via hands-on sessions.

    Again, thank you for taking this up and keeping at it.

    (0) 
    1. Gretchen Lindquist Post author

      Mehul,

      I did not find much searching for “IdM,” but a search for “identity management” found 38 sessions.  If all those sessions had to do with SAP IdM, I wonder why they were not tagged as such so that they could be found.

      In any case,  I am hopeful that this discussion will spark a review and reconsideration before next year’s program is planned, so thank you for your comments. I hope to see you at TechEd 2013.

      Regards,

      Gretchen

      (0) 
      1. Mehul Shah

        Thanks Gretchen!

        I haven’t had a chance to look it up in much detail but even if there were so many, I am sure that what is lacking from SAP’s end is coverage regarding the integration of all its new technology offerings for Security i.e. GRC+IdM+Mobility+Cloud+(possibly) HANA.  That’s what we are really interested in.  The customers just get to see pieces of the pie – never the pie itself!  The ASUG sessions have been a big help though in helping to build the picture for our end customers.  But rightfully this should be offered by SAP in order that customers can fully leverage their products!

        (0) 
        1. Gretchen Lindquist Post author

          Mehul,

          I think you are on to something there. It has also been my own perception that it is very difficult to find someone at SAP who sees the whole picture as we customers must in order to support security across the entire SAP landscape. You see it as pieces of a pie; for me it brings to mind the Asian fable of the blind men and the elephant. Surely there is someone at SAP who knows the whole pie/ elephant at a detail level and how it works as an integrated system. I am glad that the ASUG sessions have been helpful to you, but I agree, it would be great if SAP people from the various solutions could work together to give us the integrated perspective. Here in Texas we would call that “the whole enchilada.”

          🙂

          Gretchen

          (0) 
  5. Greg Capps

    Prior to attending SAP TechEd, most people will review the sessions available to determine what they could use immediately.  Although I have been using GRC 10 since ramp up, the availability of training was slow to customers.  I looked to SAP TechEd and how I could get some hands-on knowledge of BRF+ and MSMP workflows specific to GRC Access Control 10.  In addition there were also no sessions on the new security model used in GRC.  With GRC as my primary project currently and for the next year, I could not justify attending SAP TechEd. 

    At TechEd 2011 I met with a GRC resource from Palo Alto who was an attendee to discuss GRC.  I mentioned that the only GRC sessions available were presented by customers.  I also pointed out that SAP did not have a pod on the show floor for GRC or security.  It was suggested that I attend one of the insider events specific to GRC.  My response to SAP was that many of these sessions are at the management level and have limited information for a technical resource.  If TechEd is our source for current relevant SAP security knowledge, we will need more than road map coverage in the sessions.

    (0) 
    1. Gretchen Lindquist Post author

      Greg,

      Funny you should mention the lack of sessions on BRF+ and MSMP workflows specific to GRC Access Control 10; I, too, had been hoping see these specific topics covered at TechEd this year.

      The evening workshop I attended this year was the Role of Empathy in Design Thinking. I think that SAP might want to consider having that presenter speak internally to increase the empathy among both TechEd track owners and the personnel who make suggestions such as those made to you, me, and no doubt other customers.

      Thanks for sharing your experiences and perspective.

      Gretchen

      (0) 

Leave a Reply