Business-critical applications running on SAP such as enterprise resource planning (ERP), customer relationship management (CRM), human capital management (HCM), business intelligence (BI) and supply chain management (SCM) house an organization’s most valuable data and support mission-critical business processes. As we enter 2016, it’s no surprise that these systems have become major targets to nation-state attacks, intellectual property theft, financial fraud and sabotage.
As SAP applications continue to be the target of stealthy breaches, it is imperative that organizations implement not only the right security products, but are also on the same page when it comes to an SAP cybersecurity strategy. This is probably the biggest area of focus for the G2000 that my team and I have seen during our on-site visits with clients – there is a lot of confusion around division of responsibilities, who should own SAP security, and how SAP security gets operationalized within the organization. SAP security and Infosec teams tend to live in a world separate from the business professionals. What we’re finding is that SAP BASIS and Infosec teams tend to concentrate on tactical administrative SAP tasks, and are often focused solely on keeping systems running and compliant. Then you have the business professionals, who on the opposite end of the spectrum, don’t yet recognize SAP cybersecurity is a main area of concern when it comes to the overall cyber strategy of the business.
So to help organizations see the trees through the forest, I have put together my thoughts on the top 5 things a company can do to start an SAP cybersecurity transformation. Working with, empowering and leveraging a cross functional team is key in setting up an effective SAP cybersecurity strategy as it will keep everyone on the same page – especially in the event of a breach. Below, I’ve outlined some basic steps that organizations can begin taking to start the transformation:
- 1. Map Out Your SAP Landscape and Terrain: Through asset discovery you will find out if you have 1 or 100 systems, the type of systems (i.e. Development, Production, Staging), understand the business processes that each system supports and the information that each system processes or stores.
- 2. Understand the Potential Risks: Based on your company, industry and what SAP systems are used within your organization, it will be easier to understand and prioritize the risks in context to your business. You will then be able to gauge the potential economic impact to your organization if an SAP system were to be breached. Look at any gaps in your compliance structure, or policies could impact the organization.
- 3. Identify the Players: As part of the first 2 steps, you will start to understand different owners associated within the SAP infrastructure. This will span across different levels and functions. Typically I’ve seen CIOs and CFOs make key decisions on the management of SAP infrastructure (including security initiatives), and hand down management and security of the SAP environment to IT and SAP Basis teams. Rarely do they get the Information Security Organization involved. By knowing whom the players are you will be able to start the communication process.
- 4. Create a General Action Plan: You must now start to build an action plan leveraging existing security frameworks and incorporate SAP into existing security initiatives. Use an adaptive security approach to fuse together a preventative, detective and responsive plan. Map it to the SANS top 20. Also tie in a threat intelligence strategy to stay on top of security risks within your industry and within SAP environments. Implement a continuous monitoring approach to stay one step ahead of exploits. Also, patch your systems and incorporate security notes into your patching and configuration prioritization/review process. Correlation of the vulnerabilities to your usage/information/risk profile to determine the top risks to the business and provide recommendations for security coverage.
- 5. Measure Progress and Communicate: The only way to keep cross-functional teams aligned is to have common goals and to measure progress against these shared goals. You also need to empower people with information and reports, asset classification, inventory classification, and finally do not just talk about or primarily interact with technology. Talk to people involved and empower your counterparts, leverage leadership and the resources.
As organizations continue to realize the need to incorporate SAP into their information security strategy, it must be understood that more than just technology is required. As with any security initiative, it takes people, process and technology. I hope that the top 5 steps outlined above helps you to see how an organization can become fully operationalized when it comes to SAP cybersecurity practices. As threats will undeniably continue to become more widespread, it is critical that SAP cybersecurity programs and processes become aligned throughout an organization.
Recently, myself, along with Scott Crawford, Research Director, Information Security of 451 Research and Troy Grubb, Manager, Information Security, Governance Risk and Compliance - CISSP, The Hershey's Company hosted a webcast to discuss this matter in greater detail, you can access a recording of the webcast here https://www.onapsis.com/news-and-events/webcasts/CISO-imperative-operationalizing-SAP-cybersecurity.