Secure Cloud Transformation

⇨ Cloud security and secure cloud transformation has multiple touch points

⇨ Any security finding that needs to be addressed works its way back into the developer teams

⇨ Cloud transformation ultimately is mostly organizational change

As Strategic Advisor to the Chief Security Officer at SAP, can you share what a “working day in the life” of Jay Thoden van Velzen involves?

Cloud security and secure cloud transformation has a lot of touchpoints, both within different security functions and capabilities, as well as in interaction with developer teams and security teams in the business units. So, there is a lot of continuous facilitation and bringing people together. Ultimately, with the way the cloud works and modern CI/CD pipelines, any security finding that needs to be addressed works its way back into the developer teams, so it becomes a product security issue.

It also involves a lot of education, both in terms of explaining cloud security threats, but also how the cloud requires a different agility and velocity, or even different cost considerations or tooling. Cloud transformation ultimately is mostly organizational change, so bringing people together is the greater part of the job.

SAP has a mammoth multi-cloud landscape, which has grown rapidly. You have played an important role in securing SAP’s journey—what two factors do you believe have allowed SAP to manage this well? 

1. Strong support from both the security leadership team (CSO and CISO), as well as SAP’s Executive Board that helped ensure that the initiatives got the right priority.
2. The concerted approach from the start to engage the community of security experts and developers, and praise the ones doing well, and help those struggling along. The continuous engagement between policy teams, security operations teams, and the business units helped keep policies and controls practical and achievable, while taking the operational burden on teams into account.

Cloud transformation is really a people problem far more than a technical problem.

You’ll be delivering a Masterclass on DevSecOps, SecDevOps and Secure Cloud Transformation: Accountability Through Cloud Security Engineering—what tips can Mastering SAP attendees expect to walk away with?

We will dig deeper into these factors of success. With greater visibility of the state of the landscape through security metrics at any level of the organization, we were able to create accountability through the organizational hierarchy with numbers everybody could agree on. That takes significant engineering for a landscape this large.

We will also go into the structure of our enablement and engagement model with the community that has been effective beyond our expectation. Finally, as we expect developer teams to adopt a DevSecOps approach—that is, DevOps with security controls included every step of the way—so must all security operations adopt a SecDevOps approach—that is, security operations with a DevOps approach—to ensure that the security organization meets the agility of developer teams and works hand in hand.

I believe that while each organization is different and that the model we based our success on is transferable. It is more a collaboration model than a technical blueprint for transformation. We have to get used to operating in a DevOps way far beyond its narrow scope of deploying cloud landscapes.

Australian SAP customers are considered to be mature when it comes to cloud adoption—what conversations are you looking forward to having with the Mastering SAP Community, when you join us in Melbourne this June? 

Every journey is different, and everyone is in a different stage of cloud transformation. This change is not a one-and-done, now I am in the cloud, and we’re good. Cloud Transformation is a continuous process. Cloud security specifically is still an area that is evolving, and I am looking forward to hearing what others are doing, where they had success, and where they struggle.

In conversations with peers, I have found that the character or nature of an organization or institution often determines what is feasible. Some of our successes were almost unintentional, simply because we tend to do things a certain way in SAP. Other changes may be really difficult, organizationally. I am fascinated by how cloud transformation and security teams progress along different paths because of that.