Security black box S/4


Many companies view SAP security in isolation and do not integrate it into overarching security processes such as patch and vulnerability management, threat detection or incident response. The reason for this is the high degree of specialization of an SAP environment combined with its criticality for the organization. This fear of contact creates dangerous gaps.
Vulnerabilities in authorization management, insufficient user awareness and the lack of an end-to-end security architecture, ranging from security design and secure configuration to code security and monitoring, are particularly underestimated. To secure SAP systems effectively, a holistic, proactive approach and a rethink in the security strategy of all companies are required. After all, the manufacturers and operators of systems and applications are not responsible for companies' IT security.
E3: Mr. Villwock, Mr. Stricker, SAP systems are considered by many to be a black box. How can we shed light on this black box?
Oliver Villwock, cbs: Effective SAP security requires transparency through specialized tools, sound SAP know-how to classify risks and effective protective measures derived from this.
Robert Stricker, Materna: It must be clarified who is responsible for SAP security. Then management must recognize SAP as security-critical, because critical business processes often depend directly on SAP, but are not given sufficient security consideration.
E3: How can SAP security be integrated into existing structures?
Villwock: SAP security must start at the governance level, anchored in the IT security policy with clear responsibilities and communication channels. Operationally, transparency is required in order to gradually eliminate legacy issues in configuration and design. A realistic, externally supported roadmap ensures security without overstretching the budget and organization.

"SAP security must start at the governance level, anchored in the IT security policy."
Oliver Villwock,
Consulting Director with a focus on SAP security,
cbs Corporate Business Solutions
Stricker: Companies should consistently integrate SAP into existing security processes, with clear responsibilities, well-founded risk analysis and integration into patch, change and incident management, among other things. SAP security is part of the overall strategy, not a special case.
E3: In your opinion, what are the most important first steps for companies that want to take SAP security seriously?
Villwock: A clear assessment is the first step: Where do we stand? What do we have? Who is responsible for what? Without an assessment, there is no basis for any meaningful planning. S/4 transformation, cloud migration and new architectures provide an opportunity to rethink security from the outset. Acting correctly now will prevent the next security bottleneck.
E3: How do you see things developing over the next few years? Will SAP security finally become a priority?
Stricker: According to the NIS2 directive, critical business processes must be protected, and there is no way around SAP. SAP controls central processes, in some cases not only in IT but also in OT areas.

"When it comes to information security, SAP is often treated like a black box that nobody understands."
Robert Stricker,
Head of Security Consulting,
Materna
Villwock: SAP contains the crown jewels of companies. Those who do not take SAP security seriously are jeopardizing their own resilience. Acting now is essential, otherwise it will be expensive and risky in the future.
E3: What is your mission in this area?
Stricker: Reduce fear of contact. When it comes to information security, SAP is often treated like a black box that nobody understands. This leads to uncertainty and stagnation. Our mission is to start right here: SAP must not remain a blind spot, because the risks are high due to the criticality of the data processed. However, securing and monitoring SAP is not rocket science.
Villwock: Our mission is clear: to help customers create transparency and implement SAP security in a sustainable, efficient, forward-looking and future-proof manner. The market is overloaded with tools, but there is a lack of sound advice that combines tools, processes and people in a meaningful way.