Why security experts are not SAP experts
Since the answers to this question are often the same, there seem to be fundamental misconceptions about SAP security. When it comes to security, the discussion quickly turns to people. After all, it is hackers who carry out cyberattacks. And therein lies the crux of the matter. Only proven security experts have a chance of standing up to professional hackers. While cybercriminals are highly specialized, enterprise professionals must master all techniques and have strong analytical skills. This cannot be expected of even the most experienced SAP professional. The cybercrime industry is too complex and dynamic for an SAP professional to learn quickly. That's why it's imperative to bring SAP specialists together with security specialists and get a complete overview of the threat landscape, because attackers are not interested in internal organizational silos.
SAP in the cloud
Migrating SAP systems to the cloud is a task with a promising future. Cloud adaptation is a highly complex undertaking that is subject to constant change. That's why employees need to be highly skilled. But some companies are convinced that their IT staff can manage the existing IT and are experts in cloud security at the same time. In practice, however, in-house security experts often lack the necessary SAP expertise, just as SAP specialists often have only rudimentary security knowledge. As a result, these companies do not train their IT experts adequately.
But a lack of expertise in securing a cloud-based SAP landscape creates dangerous vulnerabilities. Hackers do not even have to go to the trouble of disguising themselves in a Trojan horse to gain access to data and systems. They walk with their visors open over the lowered drawbridge, through the wide-open gate, and nest in the castle. It takes an average of around 100 days for this to be noticed. That is three months in which cybercriminals can cause a great deal of damage. It's not always attention-grabbing ransomware or DDoS attacks. Some hackers are very subtle in their approach, for example by tapping into supposedly insignificant information. That's why companies must always think about security when it comes to cloud transformation.
Once again, the question arises: Why aren't companies doing this? It seems that there is no goal-oriented dialog between IT and management. Sometimes management has no tangible idea of how important SAP security is for smooth business operations. And security experts sometimes fail to communicate the benefits of adequate protection measures and their positive impact on day-to-day operations. For a genuine dialog, companies are well advised to leave technology out of the equation for the time being. The point is to be aware of the opportunities offered by the cloud and the complexity of SAP security: to secure the SAP infrastructure against hacker attacks, it is imperative to understand that SAP security is a business process like any other. A process that needs to be carefully modeled, controlled with metrics, monitored with tools, and continuously optimized.
In order to change the way SAP security is viewed, companies must do away with common preconceptions. The fundamental misconception is that security is an IT issue. But cloud and SAP security must be firmly anchored in the corporate strategy and only implemented in practice as a second step. This is a challenge that goes far beyond the IT department. It affects many specialist departments. For effective SAP security, everyone, really everyone, must pull together.