Story of a CISO – How I made SAP Cybersecurity Priority
- “Zero trust” sets higher priority on SAP security
- “Switching on the light” for SAP security is the first crucial step
- Due to the criticality of SAP, there’s not much in the news about SAP cyber attacks
SAP goes cloud
We all know that SAP is currently reinventing themselves to become a cloud company. At the same time, more and more companies are moving large portions of their IT landscape to external cloud service providers. How does this change or impact SAP cybersecurity from a CISO’s perspective?
Application security has always been around in some form or another, but it hasn’t been focused on by the security teams because of its complexity and often other priorities. But with the push for zero-trust, primarily due to the cloud trend, information security teams must set different priorities and focus more on application security. This is usually done by a risk-based approach, focusing on the most critical applications first. And that’s where SAP almost always comes to the top of the list.
How to measure success in SAP cybersecurity?
A successful start is already a success. That means as soon as you get the buy-in from leadership or the operational teams to even move down the journey toward security, you already have a small success.
It’s very important to not run cybersecurity in a silo and to make sure that you’re moving it toward the objectives of the business overall so that you’re not only performing security for security’s sake.
Once you get to that point, the real goal is to apply the established security controls to critical applications such as SAP. As soon as you can say, “yes, I know that I am controlling patches correctly, I know that I’m monitoring the environment well, I know that I’m scanning code for vulnerabilities, I know that I’m mapping to the required compliance frameworks,” then you are on the right track. When you’re able to get that kind of insight and feed it back into your security program in a way that lets you prioritize your efforts and brief risks up to top leadership, then you’ve succeeded, regardless of how the security posture itself is. You obviously want to improve the posture over time, but the first big win is just understanding what’s going on in SAP. I think if you asked many security teams what the security posture of their landscape is, they wouldn’t be able to answer it in a way that is satisfactory and provides value to the business.
The starting phases will be difficult, but once it is rolling, the newfound transparency will pay dividends for years to come. It’s like you are adding a completely new skill to the company that’s called “SAP security.”
Why is there so little news about cyberattacks on SAP?
One reason is probably the criticality of SAP systems. Many of these systems in the US are covered by SOX compliance. They’re running everything from HR processes to the most critical finance processes of the entire company. Reporting an incident on such systems can have far-reaching impacts that leadership would prefer to avoid if possible.
A second reason may be that a lot of SAP compromises come from internals, i.e., hired SAP consultants. That’s a lot easier to keep in-house while you’re responding to the incident than a full-on external breach.
Interesting side note: I spoke at a security conference not too long ago (before COVID started), and there were people in the audience that alluded to the fact that they’ve had SAP security incidents, but they were not willing to speak about them, not even in closed forums. So, it’s obvious that there is still a kind of stigma. There’s a stigma around general reporting of incidents across the board in cybersecurity, which is slowly starting to resolve itself. But the stigma around SAP incidents is even larger in my opinion.
Overall, we need to address application security much better than we have in the past, regardless of whether it is your internal ERP system or an external Microsoft vulnerability. Once the attackers are in your environment, they want to pivot to your crown jewels and get the data they want or make the impact they want. So, we can no longer assume that the systems that are sitting inside of our perimeter are secure. We need to have application-level visibility on all the various controls that need to be applied based on the application’s criticality to the business.