‘Training is the crucial link between strategy and action and ensures that everyone involved – be it management, end users, IT teams or audit – plays their part in security and compliance in application systems.’

Priska Altorfer, CEO wikima4 AG

Recently, headlines in Switzerland have been dominated by a rare but significant scandal within the Swiss military, exposing deep-rooted issues around compliance, transparency, and communication. While military structures may seem far removed from the business world, this case highlights universal lessons in how security and compliance falter when roles and responsibilities are poorly defined. The resulting breakdown of trust and governance serves as a cautionary tale for any organisation striving to secure its business applications and data.

In a time where data access governance is becoming increasingly critical – especially with the rise of AI – businesses must ensure that every stakeholder understands their role in maintaining security and compliance. The Data Access Governance Security (DAGS) framework offers a structured approach to clarify responsibilities, close security gaps, and create a more resilient application landscape. 

Let’s explore the lessons to be learned from the Swiss military scandal, how implementing DAGS can help close security gaps, and why we need to rethink the way we see Application Security and Compliance in the modern era.

The Swiss Military Compliance Breakdown: A Case Study

It is a scandal that is still rocking Switzerland: the arms company RUAG MRO faces accusations of fraud, poor transparency, and weak internal controls, according to the Swiss Federal Audit Office (SFAO). One key issue appears to be a leadership carousel: five different CEOs in just four years, each leaving behind a trail of inconsistent decisions and unanswered questions. Out of that chaos have arisen suspicions of corruption in Leopard tank deals and millions of francs lost through questionable sales and VAT fines. RUAG MRO also appears to have suffered from inventory mismanagement, with military equipment sold without proper authorisation, which risks lasting damage to Switzerland’s reputation for neutrality on the global stage. The investigations are intense and ongoing, underscoring the importance of transparent governance structures and rigorous compliance practices to protect both public trust and organisational integrity.

The Swiss military scandal highlights systemic failures that led to compliance breaches and a loss of trust. The core issues identified by the investigation are a lack of communication across the levels of the hierarchy, inadequate compliance know-how, poor awareness of regulatory duties, and insufficient transparency. None of these is a technical flaw; each is a control weakness that lets unauthorised actions go unnoticed, which shows how the absence of a clear framework can weaken even highly structured organisations.

From Application Security and Compliance to Business Security and Compliance

Before we dive into speaking about why clear roles matter so much, we want to recalibrate the way you think about your approach to security and compliance. Traditionally, the concept of Application Security and Compliance has focused on protecting enterprise resource planning systems like SAP, Oracle, or Microsoft Dynamics. However, as businesses adopt a broader range of applications – including cloud-based services, customer relationship management (CRM) systems, and industry-specific solutions – the term Application Security and Compliance no longer fully captures the scope of modern security and compliance challenges. 

A more comprehensive approach is expressed in the term Business Application Security and Compliance. This broader perspective encompasses all critical applications that support business processes, ensuring that security and compliance responsibilities cover the entire application landscape. This shift reflects the increasing complexity of business environments and the need to integrate technical, organisational, and regulatory measures into a unified security strategy.

Why Clear Roles Matter

Business application security extends far beyond technical measures like firewalls and encryption. It is fundamentally an organisational challenge, requiring collaboration between various departments and stakeholders. Without clearly defined roles, businesses risk exposing sensitive data, facing regulatory penalties, and creating operational inefficiencies.

An authorisation concept based on the DAGS framework provides a structured way to assign security responsibilities. This framework helps businesses understand the relationships between different application components and ensures that every stakeholder knows their duties in safeguarding data access and maintaining compliance.

Key Stakeholders in an Authorisation Concept

A comprehensive security approach involves multiple stakeholders, each playing a vital role in the overall security and compliance strategy. These roles can be grouped into four key categories:

Strategic Oversight

  • Senior Management: Provides strategic direction, approves budgets, and prioritises risks. Their support is essential for building a culture of compliance.
  • Project Managers: Ensure security requirements are integrated into project planning and coordinate efforts across teams.

Operational Implementation

  • IT Security Team: Implements security policies, monitors threats, and responds to incidents.
  • SAP Basis Team: Manages the technical setup of roles and authorisations.
  • SAP GRC Team: Automates compliance checks and manages risk mitigation workflows.

Compliance and Monitoring

  • Compliance and Audit Teams: Conduct audits, assess regulatory adherence, and enforce policies.
  • Legal and Data Protection Officers: Ensure compliance with privacy regulations like GDPR and other legal requirements.

Support and Enablement

  • Business Process Owners: Define business access needs and validate role designs.
  • Role Owners: Serve as custodians of roles, performing regular reviews and adjustments.
  • Training Teams: Educate employees on security policies and compliance requirements.
  • End Users: Follow assigned roles, report anomalies, and act as the first line of defence.
  • External Consultants: Provide expertise and help implement best practices.

Bridging the Gaps: The Role of Training and Behavioural Commitment

In an age where digital threats evolve with alarming speed, relying solely on firewalls and encryption creates a false sense of security. The reality is that technology alone cannot protect against security and compliance breaches: the human factor plays a pivotal role. Even the most advanced systems can be undermined if employees are unaware of their responsibilities or fail to follow security protocols.

Effective security isn’t just about implementing tools; it’s about fostering a culture of vigilance. Tailored training programmes that address the specific needs of each stakeholder group help translate policies into practical, everyday actions. When employees understand why compliance measures matter, they become active participants in safeguarding business applications.

Regular education, supported by accessible documentation, strengthens this commitment. By embedding compliance knowledge into daily workflows and breaking down departmental silos, businesses can create an environment where security and compliance become a shared responsibility, not an isolated task.

Implementing DAGS for Stronger Security and Compliance

The DAGS framework provides a structured way to map out data access governance, assign responsibilities, and mitigate risks. By breaking down the complex web of applications, roles, and authorisations, DAGS enables businesses to:

  • Identify and address compliance gaps.
  • Improve collaboration between technical and business teams.
  • Accelerate transformation projects such as SAP S/4HANA migrations.

How DAGS Could Have Prevented the Swiss Military Compliance Breakdown

The compliance gaps uncovered in the RUAG MRO case – from inconsistent decision-making to unauthorised equipment sales – show the consequences of unclear roles and responsibilities. The DAGS framework addresses exactly these weaknesses: it assigns strategic oversight to senior management, places operational implementation with dedicated security and compliance teams, and embeds compliance monitoring into daily workflows so that an unauthorised sale or an unapproved change to a role is detected internally rather than surfacing only in an external audit. A framework on paper is not enough, however; the roles it defines must be staffed, trained, and held accountable. Applied in that way, this structured approach could have closed the communication gaps and established transparent accountability across all organisational levels.

To help you navigate the complexities of DAGS, wikima4 is hosting a series of free webinars offering practical insights and expert guidance. It is an opportunity for our network to learn how to leverage DAGS to strengthen their organisation’s security posture and achieve its compliance goals.

Turning Lessons into Action

The Swiss military scandal serves as a stark reminder that security and compliance depend not only on processes and technologies but on people and their commitment to shared responsibilities. By defining roles, encouraging collaboration, and investing in training, businesses can build a stronger security foundation. It also reminds us that failings like this damage not just security but reputation and trust, which are far easier to lose than to regain.

Now is the time to evaluate your organisation’s security and compliance framework. Join us for wikima4’s upcoming webinars to learn how the DAGS framework can help you align strategy with action and secure your business applications for the future.