Skip to content

Story of a CISO – How I made SAP Cybersecurity Priority


Key Takeaways

  • “Zero trust” sets higher priority on SAP security 
  • “Switching on the light” for SAP security is the first crucial step
  • Due to the criticality of SAP there’s not much in the news about SAP cyber attacks

SAP goes cloud

We all know that SAP is currently reinventing themselves to become a cloud company. At the same time, more and more companies are moving large portions of their IT landscape to external cloud service providers. How does this change or impact SAP cybersecurity from a CISO’s perspective?

Application security has always been around in some form or another, but it hasn’t been focused on by the security teams because of its complexity and often other priorities. But with the push for zero-trust, primarily due to the cloud trend, information security teams must set different priorities and focus more on application security. This is usually done by a risk-based approach, focusing on the most critical applications first. And that’s where SAP almost always comes to the top of the list.

How to measure success in SAP cybersecurity?

A successful start is already a success. That means as soon as you get the buy-in from leadership or the operational teams to even move down the journey toward security, you already have a small success. 

It’s very important to not run cybersecurity in a silo and to make sure that you’re moving it toward the objectives of the business overall so that you’re not only performing security for security’s sake.

Team celebrates success


Once you get to that point, the real goal is to apply the established security controls to critical applications such as SAP. As soon as you can say, “yes, I know that I am controlling patches correctly, I know that I’m monitoring the environment well, I know that I’m scanning code for vulnerabilities. I know that I’m mapping to the required compliance frameworks,” then you are on the right track. When you’re able to get that kind of insight and make it back to your security program in a way that you can prioritize your efforts and brief risks up to top leadership, then you’ve succeeded, regardless of how the security posture itself is. You obviously want to improve the posture over time, but the first big win is just understanding what’s going on in SAP. I think if you asked many security teams what the security posture of their landscape is, they wouldn’t be able to answer it in a way that satisfactory that provides value to the business.

The starting phases will be difficult, but once it is rolling, the newfound transparency will pay dividends for years to come. It’s like you are adding a completely new skill to the company that’s called “SAP security.”

Why is there so little news about cyberattacks on SAP?

One reason is probably the criticality of SAP systems. Many of these systems in the US are covered by SOX compliance. They’re running everything from HR processes to the most critical finance processes of the entire company. Reporting an incident on such systems can have far reaching impacts that leadership would prefer to avoid if possible.

A second reason may be that a lot of SAP compromises come from internals, i.e., hired SAP consultants. That’s a lot easier to keep in-house while you’re responding to the incident than a full-on external breach.

Interesting side note: I spoke at a security conference not too long ago (before COVID started), and there were people in the audience that alluded to the fact that they’ve had SAP security incidents, but they were not willing to speak about them, not even in closed forums. So, it’s obvious that there is still a kind of stigma. There’s a stigma around general reporting of incidents across the board in cybersecurity, which is slowly starting to resolve itself. But the stigma around SAP incidents is even larger in my opinion.

Overall, we need to address application security much better than we have in the past, regardless if it is your internal ERP system or an external Microsoft vulnerability. Once the attackers are in your environment, they want to pivot to your crown jewels and get the data they want or make the impact they want. So, we can no longer assume that the systems that are sitting inside of our perimeter are secure. We need to have application-level visibility on all the various controls that need to be applied based on the applications criticality to the business.

Ideally, the security operations and solutions covering operating systems, network level and the SAP application stack would work hand-in-hand to enable extended detection and response.

Posted by

Branden Newman
Find recent Security Advisories for SAP©

Looking into securing your SAP landscape? This white-paper tells you the “Top Mistakes to Avoid in SAP Security“. Download it now.

SAP Cybersecurity Beyond Authorizations

Watch the webinar on-demand at any time to learn what „holistic“ really means in the context of SAP security…

Know Your Attacker Surface

Log4j, ICM,… An jedem SAP Patch Tuesday steigt bei vielen SAP Security Verantwortlichen der Blutdruck. Mit ihm beginnt oft das Wettrennen der SAP-Verantwortlichen gegen potentielle Hacker. Doch wie kann man diesem Aktionismus strategisch sinnvoll begegnen?
SAP Cyber risk
SAP Cybersecurity- Security News
Businesses must be more cautious to protect themselves from cyber threats as digitalization and the use of SAP systems increase. SAP S/4HANA is critical for many enterprises as it provides the foundation for business operations. As digitalization and Industry 4.0 continue to increase, SAP S/4HANA lays the foundation for many modern business scenarios. SAP systems are important for many industries and their security is a major concern, making them vulnerable to cyber attackers. This article will discuss cyber risks and how you can assess your individual and organizational SAP systems' risks. What are cyber risks?
Common SAP Patches
SAP Cybersecurity- SAP Patch Management- SAP Security Patch Day- Security News
Installing SAP patches is crucial for maintaining a robust and secure enterprise resource planning (ERP) system. SAP, one of the leading ERP systems in the world, is constantly evolving to meet the changing needs of businesses. As a result, SAP releases various patches to address issues and enhance the functionality of its software. However, installing SAP patches can present challenges for IT teams, such as ensuring minimal disruption to business operations, managing risks, and testing the non-implemented patches. This article will discuss the three most common types of SAP patches- kernel patches, snote patches, and support packs - and the best practices for installing them.
SAP interfaces
SAP Cybersecurity- SAP Interface- Security News
In this blog article, we will explore the importance of SAP interface security and discuss the various measures businesses can take to protect their systems and data. We will also examine some common threats to SAP interfaces and how to mitigate them. To safeguard your business, you need to understand the importance of SAP interface security and take steps to make your interfaces secure. 
SAP security Patch day
10th January 2023 SAP response team sends some Happy New Year greeting to the SAP Security Teams, by releasing 10 SAP Security Notes.