An SAP Security dashboard is a key piece for solving the complexity issue discussed before.
Andreas Kirchebner (SAP Security Lead Austria at Accenture and chair of the DSAG working group for SAP Cloud Security) and I recently talked about dashboards: The key concept is to visualize SAP security posture in an easy-to-digest way.
A simple way to illustrate this would be a single traffic light together with the top 5 risks that are currently the focus of mitigation activities. You should not only show risks; managers also need to understand what you have done already and where you need help. A filter can be: Top x recommendations of SAP, then the baseline topics, and then everything filtered by necessity level.
The next level could be a system overview. A leading pharma company in France has implemented this dashboard use case. They defined a benchmark based on the SAP Baseline Security Template and measured the compliance of each key system against it. This shows overall progress over time and which systems and areas of responsibility are covered. The CISO organization was able to show that the security status increased from 15% to 75+% in a 2-year timeframe. That is tangible, isn’t it?
Besides status, showing the trend of SAP security is important. Are we making progress? Are we falling behind? What is the impact of a migration? Or of a shift to a HANA system? Or of a new acquisition where some procedures need to be integrated?
Finally, a list of mitigation projects could be shown. What is going on? Are we on time and within budget? What’s blocking success and must be escalated?
A dashboard should also allow drilling down to the system owner level and the topic owner level (as defined by the SAP Secure Operations Map). Ideally, this is complemented with a knowledge base and monitoring capabilities (bridging the gap between the identification of an issue and the actual correction).