
SAP Security Today: 5 Challenges for CIOs

March 11, 2019 | By Caroline Neuber, Virtual Forge GmbH

The Chief Information Officer (CIO) holds a position of great responsibility: he is accountable for all IT decisions affecting the company. That task was still manageable in the early days of the Internet. Today, when a company can hardly do without strong IT, connectivity and digital transformation, the complexity of these issues is higher than ever.



1 - Understanding the Importance of SAP Security

While the huge rise in cybercrime is no secret, knowledge of this fact makes the statistics no less shocking. According to a report produced by Accenture, every company suffers an estimated 130 cyber-attacks per year on average. This equates to an increase of almost 30 percent year-on-year. What is additionally problematic is that many of these attacks originate internally and that an attack takes an average of 80 days to discover. From that point, an additional 50 days are required to resolve the incident and close the security vulnerability.

With the increase in sophistication of attacks, it should be clear that a holistic security strategy is no longer merely a "nice to have" but of fundamental importance. Given the importance of SAP in the business, protecting SAP landscapes has to play a key role. Even though SAP systems make up only 5 to 10 percent of the IT systems used in many companies, SAP is nonetheless much more than just an application: it possesses its own IT infrastructure and is highly complex.

SAP serves as the engine that drives enterprises; viewing it as a black box, however, would be a fatal mistake. Besides modeling critical business processes, these systems contain personal data from customers, employees, and partners. This means that an attack on an SAP landscape can have grave consequences for the company concerned. To prevent this, all measures that are important for IT security in general should also be deployed to protect such landscapes.

2 - Achieving Transparency

A model commonly used in C-level management is the "Three Lines of Defense." CIOs typically receive security status reports from three separate departments: the SAP department, the IT security department, and internal auditing. This gives them confidence that they are well informed and have their finger on the company's security pulse. The reality, however, can be different.

After all, which SAP developer is bold enough to admit that the code in a given application is sub-par and the related configurations are incomplete, making the application itself somewhat less than secure? In other words, it's quite likely that the reports from the SAP department don’t necessarily provide all the details that would be relevant for security.

The level of SAP expertise in the average IT security department, the second-line source of security reports, often ranges from basic to non-existent. Since its monitoring systems are typically decoupled from the SAP applications, this organization receives no warnings if something goes wrong in the corresponding SAP landscape. Even when warning systems are integrated with the SAP landscape, those responsible are often unable to act on the data received, because SAP content is difficult for non-specialists to interpret.

SAP jargon is also a foreign language to the third and final line CIOs depend on: internal auditing. These units often work with external service providers and receive reports, for example detailing the results of penetration testing, that highlight vulnerabilities in enterprise systems. These results are then assigned to the affected departments as action items, even though internal auditing often lacks an in-depth understanding of the underlying problems.

3 - Taking Responsibility for the Reputation of the Company

The CIO makes fundamental decisions for the company. One core component involves capital investments in security mechanisms, where a CIO aims to maximize ROI and thereby safeguard the company's profitability. IT costs must be kept below a specific proportion of earned income, so high levels of expenditure are hard to justify. If the CIO skimps on security strategy spending, however, the consequences can be devastating. Apart from the costs of detecting and neutralizing an attack, the company may also face production downtime, stiff penalties and tremendous damage to its reputation.

Investing the right amount of capital in a proactive SAP security strategy can be crucial to a company's success.

4 - Complying with External Rules and Regulations

Alongside the many internal factors at hand, compliance with external legislation is also required. Foremost among the challenges for CIOs is the new General Data Protection Regulation (GDPR), which came into effect in 2018. The GDPR is particularly relevant to holistic SAP security strategies because it lends such weight to data protection within the European Union.

In addition to provisions that stipulate much stronger protection of individual privacy, secure data administration is another important focus. Companies are required to keep records on the data they store, the scope of their related protective measures and who will be held accountable if the data is misused. During processing, the integrity and confidentiality of data must also be maintained. Appropriate technical and organizational measures must be implemented to guarantee protection against unauthorized or unlawful processing, unforeseen loss, destruction and damage, all of which companies are liable for.

In light of such concerns, compliance with these legally binding regulations is taking on new importance.

5 - Keeping Pace with Technical Change

Digitalization is an ongoing trend that will continue to place several demands on CIOs for years to come. The extensive online connectivity of more and more devices (Internet of Things) is currently forcing many of them to rethink their strategies. Among the unprecedented challenges that are emerging, the increase in interconnected devices and the resulting rise in interfaces are creating more potential vulnerabilities through which hackers can break into systems.

The introduction of secure application-development processes (DevSecOps) offers a major opportunity to establish security and minimize risk right from the start. Common practices such as automation, rigorous application testing and regular releases offer fertile ground for the integration of security and audit functions.

Read part II of the blog post to see how CIOs can meet these challenges!
