Story of a CISO – How I made SAP Cybersecurity Priority


Key Takeaways

  • “Zero trust” sets a higher priority on SAP security
  • “Switching on the light” for SAP security is the first crucial step
  • Due to the criticality of SAP, there’s not much in the news about SAP cyberattacks

SAP goes cloud

We all know that SAP is currently reinventing itself to become a cloud company. At the same time, more and more companies are moving large portions of their IT landscape to external cloud service providers. How does this change or impact SAP cybersecurity from a CISO’s perspective?

Application security has always been around in some form or another, but security teams have rarely focused on it, because of its complexity and because other priorities usually took precedence. With the push for zero trust, driven primarily by the cloud trend, information security teams must set different priorities and focus more on application security. This is usually done with a risk-based approach, addressing the most critical applications first. And that’s where SAP almost always comes to the top of the list.

How to measure success in SAP cybersecurity?

A successful start is already a success. That means as soon as you get the buy-in from leadership or the operational teams to even begin the journey toward SAP security, you already have a small success.

It’s very important to not run cybersecurity in a silo and to make sure that you’re moving it toward the objectives of the business overall so that you’re not only performing security for security’s sake.


Once you get to that point, the real goal is to apply the established security controls to critical applications such as SAP. As soon as you can say, “yes, I know that I am controlling patches correctly, I know that I’m monitoring the environment well, I know that I’m scanning code for vulnerabilities, I know that I’m mapping to the required compliance frameworks,” then you are on the right track. When you’re able to get that kind of insight and feed it back into your security program in a way that lets you prioritize your efforts and brief risks up to top leadership, then you’ve succeeded, regardless of what the security posture itself looks like. You obviously want to improve the posture over time, but the first big win is just understanding what’s going on in SAP. I think if you asked many security teams what the security posture of their landscape is, they wouldn’t be able to answer in a way that is satisfactory and provides value to the business.

The starting phases will be difficult, but once it is rolling, the newfound transparency will pay dividends for years to come. It’s like you are adding a completely new skill to the company that’s called “SAP security.”

Why is there so little news about cyberattacks on SAP?

One reason is probably the criticality of SAP systems. Many of these systems in the US are covered by SOX compliance. They’re running everything from HR processes to the most critical finance processes of the entire company. Reporting an incident on such systems can have far-reaching impacts that leadership would prefer to avoid if possible.

A second reason may be that a lot of SAP compromises come from insiders, i.e., hired SAP consultants. That’s a lot easier to keep in-house while you’re responding to the incident than a full-on external breach.

Interesting side note: I spoke at a security conference not too long ago (before COVID started), and there were people in the audience who alluded to the fact that they’ve had SAP security incidents, but they were not willing to speak about them, not even in closed forums. So, it’s obvious that there is still a kind of stigma. There’s a stigma around general reporting of incidents across the board in cybersecurity, which is slowly starting to resolve itself. But the stigma around SAP incidents is even larger, in my opinion.

Overall, we need to address application security much better than we have in the past, regardless of whether it is your internal ERP system or an external Microsoft vulnerability. Once the attackers are in your environment, they want to pivot to your crown jewels and get the data they want or make the impact they want. So, we can no longer assume that the systems sitting inside our perimeter are secure. We need application-level visibility into all the various controls that need to be applied, based on the application’s criticality to the business.

Ideally, the security operations and solutions covering the operating system, the network level and the SAP application stack would work hand in hand to enable extended detection and response.

Posted by

Branden Newman