by Bruce Romney, Senior Director of Product Marketing, GRC and Security Solutions, SAP and Erin Hughes, SAP S/4HANA Finance and Governance, Risk, and Compliance (GRC) Center of Excellence, SAP North America and Thomas Frénéhard, Global Finance and Risk Center of Excellence, SAP
What are today’s business leaders most focused on and what are their top priorities? The answers to those questions act as a barometer of true business challenges, and increasingly they point to organizations’ ability to protect and secure employees’, customers’, and their own private data. Put another way, today’s business leaders are extremely concerned about building what’s called “digital trust” — confidence that they, indeed, can be relied on to protect information touched by their networks.
Of the top risks on the minds of global boards of directors and executives, according to a recent study by Protiviti and North Carolina State University’s Enterprise Risk Management Initiative, four of the top 10 identified involve cybersecurity and data protection:
- Regulatory changes and regulatory scrutiny
- Cyber threats
- Privacy/identity management and information security
- If the organization’s culture doesn’t encourage timely or early identification and escalation of risk issues
It’s worth mentioning that boardroom respondents, not necessarily CIOs and IT leaders, are citing these concerns. “They have no choice,” says Erin Hughes of the SAP S/4HANA Finance and Governance, Risk, and Compliance (GRC) Center of Excellence at SAP North America. “Motivations have changed. The types of information that breaches expose really are boardroom and organizational risks as opposed to IT problems.”
That’s especially true when it comes to data protection. Regulation simply doesn’t keep up with the pace of technology. This means that organizations are tasked with staying several steps ahead of regulation when it comes to risk and compliance.
Meanwhile, risks are escalating — and organizational leaders recognize that. The increased regulatory focus, while it may not fully address the challenge, helps to raise the alert level. “Regulatory measures and building digital trust — those are the two drivers of board-level prioritization of cybersecurity and data protection,” says Bruce Romney, Senior Director of Product Marketing, GRC and Security Solutions, at SAP.
Cybersecurity and Data Protection: All Hands on Deck
SAP is well known as an enterprise resource planning (ERP) and business software solutions provider — but not necessarily as a cybersecurity partner. Romney, however, challenges organizational leaders to see the bigger picture. “The traditional focus of many organizations has been to protect the perimeter,” he says. “That’s important and will continue to be as attacks evolve — but you also have to look at the crown jewels or the applications that house important data and intellectual property. We understand those applications and build technology under strict guidelines and protocols.”
It goes even further than that in this era of digital transformation, according to Thomas Frénéhard of the Global Finance and Risk Center of Excellence at SAP. As organizations consider their evolutions, they often opt for a new technology platform. He says, “This is the perfect moment to review security strategy and embed it from day one.”
In that regard, there is an opportunity to start from scratch and eliminate practices that create vulnerability. Take complex access roles, for example. Organizations often don’t know who has access to what or how reliable the data is that they use to make decisions. “Start clean and stay clean is the new game,” Frénéhard says. “This not only pertains to access rights, but also in terms of data credibility.”
It also circles back to SAP’s role in data protection. “This is what we do — we embed controls and governance principles directly in the source solutions,” Frénéhard says. “With identity tools, we make sure that the user is provisioned from the get-go. Imagine joining a company that has a brand-new ERP system, but you can’t get access to it because you must be manually provisioned to every single capability. That can’t happen. We also have behavioral analysis tools that detect suspicious patterns, and we have activity monitoring tools to make sure that attacks are detected earlier.”
Meanwhile, only 53% of digital transformation strategies begin with proactive management of cyber and privacy risks in the project plan and budget, according to Frénéhard. That’s an indicator that organizations need to refocus their data protection efforts. “Our role at SAP is to raise awareness amongst decision-makers so that this number can increase, not only for us as an organization — but for all of us as consumers whose data is being held in these systems.”
Recommendations for Managing Cybersecurity and Data Protection
That boardroom and executive leaders are focused on cybersecurity and data protection isn’t just a fun fact — it’s an essential factor when it comes to creating a strategy for managing these risks. In an SAP presentation, “Cybersecurity and Data Protection: A Key Priority for Every Digital Transformation,” SAP contends that cyber risks should be managed at the enterprise level with business context. That would include a view across all enterprise risks through an SAP product called SAP Digital Boardroom.
The strategy, according to SAP, should be tied to objectives and include a risk management framework that’s aligned with business value drivers. The one view of business objectives should be linked to related risks, controls, and issues.
Accountability is a big part of a cybersecurity and data protection strategy, as SAP lays out in the presentation. There should be clear lines of responsibility across operations, risk and compliance management, and internal audit, and this Three Lines of Defense approach should be supported.
Alignment, meanwhile, is key. SAP recommends a risk-based approach to reduce unneeded effort for controls and audits. A focused collaboration is needed to leverage expert knowledge and to improve decision making.
In the same presentation, SAP also maintains that GRC and security need to be foundational to enterprise transformation. That said, SAP cites figures showing that 91% of enterprise-wide digital transformations include security and/or privacy personnel as stakeholders, but only 53% include proactive management of cyber and privacy risks by design in the project plan and budget fully from the start.
So there is much room for improvement when it comes to establishing digital trust. The challenge is compounded by security vulnerabilities changing and evolving during the life of an application, which means all parties share the responsibility of continuous prioritization and taking preventive measures. “SAP, as well as our customers, must understand our joint responsibility to support each other in effectively securing the applications,” Romney says. “It’s important to have that conversation. It’s not necessarily a finger-pointing exercise. It’s joining together and locking arms to support each other for the best possible outcomes.”
Through SAP S/4HANA and solutions from SAP for GRC and Security, customers can automate and prioritize critical elements of an application’s lifecycle, including:
- Governing access and managing identities and users
- Monitoring configuration changes and custom code
- Consistently applying patches and updates
- Reviewing RFC (remote function call) connections and interfaces
- Monitoring logs for anomalies and attacks
- Monitoring business transactions
Along the way, SAP has identified five pillars for addressing cybersecurity and data protection. In the following sections, Romney, Hughes and Frénéhard run down these critical components and explain their views as to why they are so important for establishing digital trust.
Cyber Risk and Governance
One key to addressing cybersecurity and data protection is effectively identifying cyber risks — and managing those risks. It’s also important to identify and manage regulations and policies to minimize potential business impact.
“Document the processes and identify the cyber or security risks that could manifest during the process if there are deviations, for instance, or if the process itself has flaws,” Frénéhard says. He suggests documenting the controls that would prevent these security risks from occurring. “This addresses the root causes of the risks,” he adds.
Culture is not to be overlooked as part of governance, according to Frénéhard. “Ensuring that people understand the concept as well as what can and can’t be done is critical,” he says. “Controls are designed to catch anomalies, but in an ideal life, we wouldn’t even need them.”
SAP, which offers GRC and security solutions designed to help manage risk and provide governance for customers’ compliance processes, recommends in its “Cybersecurity and Data Protection: A Key Priority for Every Digital Transformation” presentation that organizations:
- Document and monitor security risks and regulatory compliance as part of an enterprise risk management program.
- Align risk management and controls with business objectives and security best practices.
- Establish a security program to provide independent assurance.
- Report and manage at the board level to ensure awareness and status.
ERP systems are an appealing target for hackers. Protecting the applications that run a business is a vital part of cybersecurity and data protection. As such, SAP has GRC and security solutions that are designed to secure core applications as follows:
- Monitor business applications for anomalies and attacks
- Analyze business transactions for fraud and unusual activity
- Correlate insights from security and business alerts
- Apply security patches and updates
- Find and fix vulnerabilities in custom code
- Continuously monitor critical security configuration
SAP is also focused on helping companies to implement real-time reaction in the case of a breach. “In this area, we have activity monitoring capabilities,” Frénéhard says. “One would document a detection pattern — for example, identifying a suspicious path — and the solution would then automatically monitor activities within SAP solutions based on log files. This can be extended to non-SAP systems and therefore work in conjunction with other security information and event management (SIEM) solutions.”
The monitoring allows SAP to identify and investigate outliers. “Some analysts say that it takes an average of 200 days to identify an intrusion in a system. We just think this is unacceptable,” Frénéhard says.
Identity and Access Management
A big part of cybersecurity and data protection is optimizing digital identities across the enterprise. Identity management and automated provisioning not only reduce cost but also improve security. SAP’s identity and access management solutions provide key capabilities to manage system accounts and ensure correct authorization assignments, in part, by:
- Managing access for enterprise applications, cloud or on premise, with role- and attribute-based controls
- Enabling greater user productivity by eliminating excessive logins with single sign-on
- Reducing audit costs by quantifying the financial impact of access risk violations
- Supporting super user account access with monitoring and integrated log review workflow
“It really comes back to critical data and how it’s managed,” Hughes says. “Most organizations now store a majority of their critical data electronically and securing it is absolutely crucial. The who, what, where, when, and how of accessing that data has to be a core and fundamental business process that is managed effectively.”
SAP, she points out, runs a lot of critical business processes for a lot of companies. “Being able to help our customers manage access and what users can do with that access — but also to make it a seamless process — that’s an area where we have invested significantly.”
Data Protection and Privacy
“The amount of data that organizations collect has never been higher,” Romney says, describing a landscape in which organizations’ ability to harness the assets of that data is often linked to their strategies for success. Meanwhile, protecting sensitive data is a key to enabling strong cybersecurity.
“Harnessing that data and gaining insights will continue to be huge for organizations, but because of the proliferation of the data, putting the right protection in place becomes a vital step,” Romney says. “Regulatory pressures help bring it to the forefront, but organizations need to have a vested interest in protecting their data.” SAP offers customers solutions that:
- Secure files and data using transportable policies and encryption
- Add layers of granularity for access decisions based on a variety of attributes
- Enable data masking in sensitive data fields
- Manage personal and sensitive data across landscapes and geographies
- Use logging features to identify and stop sources of potential data leaks
Public Cloud Transparency and Control
SAPinsider research shows that the vast majority of the SAP community is somewhere along the journey of transitioning its enterprise resource planning to the cloud. It follows, therefore, that public cloud transparency and control are key cogs in a cybersecurity and data protection strategy.
“As organizations look to deploy to the cloud and put their trust in cloud providers, the different data protection and privacy laws address where data can be housed and accessed depending on geography,” Romney says. “So there’s a lot of consideration of where data resides and where those who are accessing that data reside as well — whether it’s from an IP address or a physical location.”
SAP offers solutions designed to deliver multi-cloud data transparency and control, allowing customers to:
- Create and enforce public-cloud data access, location, movement, and processing policies
- Monitor and report on data access, storage, movement, processing, and location in the public cloud
- Configure public cloud data location, movement, processing, and access policies
- Enforce geolocation controls for data access, storage, processing, and movement
- Prevent unlawful transfer of business data
Affirming Digital Trust
All five of these pillars for addressing cybersecurity and data protection can contribute to establishing and reinforcing digital trust for both customers and employees. As a term, “digital trust” isn’t new — but what it means continually evolves.
In fact, digital trust can be a bit of a loaded term, according to Hughes. “The big thing is to rethink how you’re handling security and what a secure application landscape looks like,” she says. “For many years, there has been a big focus on user access but we need to broaden the focus beyond that — and revisit patch management, configuration management, and continuous monitoring of SAP landscapes from a threat-detection perspective. There’s always been a big focus on the perimeter, but customers are now realizing that they need to take a fresh look at how they’re more broadly securing their SAP systems.”
Along the lines of building that digital trust in 2020 and beyond, Frénéhard suggests some next steps:
- Rate and rank your information. “You need to prioritize what you want to protect before you can do so effectively. To some extent, that means know where the enemy lines are.”
- Map your assets. “Where is the information and how does it transit via services, systems, and other means?”
- Perform a vulnerability analysis. “What are the threats, of course, but also what are the drivers? How would someone get access to the information? You need that information to put in a risk response that will address the root causes.”
- Build a protective wall. “Some say that firewalls are dead, but nothing could be further from the truth. Is it worth locking your door if you leave your windows open? Keep the firewall and build a protective wall around your key assets.”
- Go for offense. “Don’t act like a cybercriminal but think like one to protect yourself.”
Above all, building digital trust takes organizational focus and commitment. “Whether you are embarking on a transformational journey with SAP S/4HANA today or over the next few years, now is the time to step back and reevaluate your security strategy to ensure you are covering all the bases,” Hughes says. “It’s not just about maintaining compliance, but taking a risk-based approach to evaluating security and considering the long-term implications.”
Bruce Romney, Senior Director of Product Marketing, GRC and Security Solutions, SAP
Erin Hughes, Director, SAP S/4HANA Finance and Governance, Risk, and Compliance (GRC) Center of Excellence, SAP North America
Thomas Frénéhard, Director, Governance, Risk, and Compliance Solution Management, SAP