In this episode of the SAPinsider Las Vegas 2025 podcast, host Robert Holland speaks with Mariano Nunez, CEO and co-founder of Onapsis, about the evolving cybersecurity landscape for SAP customers. Nunez shares key challenges organizations face in securing SAP applications—especially during cloud migrations like RISE with SAP—highlighting the confusion around shared security responsibilities between SAP and its customers. He emphasizes the importance of visibility, automation, and expert guidance to build secure-by-design cloud environments and ensure compliance. The conversation also explores the surge in cyber threats targeting SAP systems, the growing role of AI in both offensive and defensive security strategies, and the critical need for specialized SAP cybersecurity expertise. Nunez encourages SAP professionals to expand their skills into cybersecurity, noting the career opportunities emerging at this intersection. He also discusses Onapsis’ unique role as a cybersecurity partner with an SAP-endorsed app and the value of people, processes, and partnerships in creating comprehensive security solutions.
LV Podcast_MarianoNunez_Onapsis
0:00
Hello, I'm Robert Holland and this is the SAP Insider Las Vegas 2025 podcast.
0:06
Thank you for listening as we speak with SAP insiders and industry experts about their experiences in the SAP space.
0:13
In this episode I'm speaking with Mariano Nunez of Onapsis.
0:17
Mariano, fantastic to have you here.
0:19
Please tell us a little bit about yourself and your role.
0:22
Yeah, thanks for having me.
0:23
It's a pleasure to be here.
0:24
My name is Mariano Nunez.
0:25
I'm CEO and co-founder of Onapsis.
0:28
So I've been with the business since the beginning, over 15 years now.
0:32
And yeah, I basically lead all the strategy and really the execution of the company.
0:36
Fantastic.
0:38
So you're in the cybersecurity space for SAP.
0:43
What are the biggest challenges that you see SAP customers and SAP insiders, given that we're at the SAP Insider event here in Las Vegas, experiencing today in securing their SAP systems?
0:55
Yeah, that's a great question.
0:56
I believe the main challenge we see today is how they protect their SAP applications as they go to the cloud, whether it's, I mean, it's mostly RISE today, but it used to be, like, I was calling it native hyperscalers before.
1:10
I think it's really understanding like what is a shared security responsibility model?
1:15
There's been over the last couple of years a lot of confusion for SAP insiders and SAP customers.
1:21
So on what is their responsibility from a security and compliance perspective when they go to the cloud, and what is SAP's responsibility?
1:29
And that became a bit more, I think, especially confusing on RISE private cloud scenarios.
1:34
I think when it comes to GROW, when it comes to like SaaS applications, I think it's a bit more kind of commonly understood by customers.
1:42
But when they talk about going to RISE private cloud environments, it's a bit confusing, and it's really understanding what SAP does, where SAP kind of starts and stops and what they need to do.
1:55
And really, I think the key way to understand that, maybe the easiest way to understand, is that anything that is the application layer and the data layer is still the customer responsibility, right?
2:05
SAP is doing a fantastic job at securing the cloud infrastructure.
2:08
So the network, the hypervisor level, the operating system, but anything that is looking at SAP security patches at the application level, interfaces, configurations, APIs, all the custom code, all the transports, all that is still the responsibility of the customers to keep secure and compliant.
2:27
Yeah, yeah, that's a good point.
2:28
I mean, I know SAP has actually produced a shared security model for RISE, but SAP specifically, that helps that scenario, but it doesn't help every scenario.
2:39
Exactly.
2:40
Yeah.
2:40
And it's still confusing when you.
2:42
I think it's actually much better now.
2:44
In the last few years, SAP updated those documents, being way more clear about, again, what they do and what the customers need to do.
2:52
But before that it was still a bit blurry on where that line was drawn.
2:59
So I think now it's kind of where there's much better assets from SAP, much better education.
3:03
We did a webinar a few months ago, withdrawal and Costella the CISO of RISE, where we were going kind of through this together to educate SAP customers on, again, where solutions like Onapsis can help and where SAP solutions really can help.
3:18
And we got a lot of feedback from customers like, OK, finally I get it now, right.
3:21
I get it that OK.
3:23
And now I understand what I need to do.
3:24
What I was doing on prem compared to what I need to do in RISE.
3:29
And again, for the most part, a lot of that still is a customer responsibility.
3:33
And the good thing is that they can offload a lot of the basic lower level controls to SAP now.
3:38
Yeah, no, that makes a lot of sense.
3:40
And I think it is important that people understand, you know, what their role is in this because otherwise, well, I don't want to leave stuff open.
3:48
No, exactly.
3:48
And look, at the end of the day, there's this phrase in security where, like, no matter what, it's still your responsibility, right?
3:53
Even if you're delegating operational kind of responsibility to a partner, whether it's a breach, whether it's an audit finding, it's a security event, it's still the customer's name on the headlines, right?
4:04
So for every customer, especially the type of organisations we work with, the very large organisations, it's really important to be able to have the confidence that they have the right controls and the right security measures irrespective of their deployment model.
4:19
So yeah, absolutely.
4:21
So you've already talked about this a little bit, and some of it is simply education, learning, understanding, but what are some of the ways that, you know, these challenges can be addressed?
4:31
Yeah, it absolutely starts with visibility, right?
4:33
Starts with understanding what is your current security posture, what is your desired kind of target operating model once you go to the cloud, which is definitely changing, right.
4:41
The IT operating model changes, and with that changes your security and compliance operating model.
4:46
I think the good news is that there is a lot of automation that you can put in place when you go to RISE and when you go to the cloud, not only to secure the new cloud environments, but also many customers we work with, they're still going to have some systems on premise or some systems in native cloud environments.
5:00
So having automation across all the environments is a good way we're seeing them be able to kind of manage this very complex and kind of significant task of integrating SAP applications, and especially RISE applications, into the security and compliance programs you already have.
5:17
You don't have to reinvent the wheel, like if you have a vulnerability management program, a threat detection program, a DevSecOps program, a compliance program for the rest of your non-SAP apps.
5:26
There's actually really easy ways for you to integrate that into those programs versus having to reinvent the wheel.
5:34
And I would say probably the last one is expertise.
5:36
Something we noted is customers being able to have the right expertise by their side when they go into the cloud and be able to do this right from the beginning, when they think about things like the RISE methodology or SAP Activate.
5:52
We just released some assets to help customers understand what they need to do, security- and compliance-wise, in each phase, right.
5:58
When you're doing kind of the early phases, when you go to deploy, when you go to run, what do you need to do as part of the quality gates and security controls so that you know that the systems you're provisioning in the cloud are secure by design, and then it's way easier to keep them secure afterwards.
6:13
Yeah, no, that's good to remember, and some good starting points.
6:18
So, you know, one of the things I think we're seeing in the security space, cyber security space, is an increase in cyber threats, right.
6:27
What do you think is driving that increase?
6:30
Yeah, actually, that reminds me of this phrase.
6:33
This famous bank robber, Willie Sutton, I think it was in the 60s, I believe he was caught by the FBI.
6:40
He was a famous bank robber and he was caught by the FBI.
6:42
And they asked him like, hey, Willie, what was the journalist asking?
6:45
Like Willie, why do you rob banks?
6:47
And he said, well, that's where the money is, right?
6:49
So attackers know, in the digital world, attackers know that the money is in SAP systems, right?
6:54
That is the most critical data is kind of the most sensitive business data processes they know.
7:00
And so from a confidentiality perspective, attackers know that there's a lot of crown jewels in the SAP systems that large companies have, and, if you will, from an integrity and financial fraud perspective.
7:11
Again, those are the systems that like attackers can go in and change bank accounts, create fake payments, create vendors.
7:16
So there is an ability to actually monetize those attacks directly with fraud.
7:21
But also from an availability perspective, you see this huge increase overall in ransomware attacks over the last decade.
7:28
And what we see now is like, think about the consequences of an SAP system just being taken offline, right?
7:33
Taken offline and kind of held by ransomware.
7:36
Just the operational impact on the victim organization is huge.
7:40
And attackers know this, right?
7:41
They know, we just saw a case a few months ago of a company that went bankrupt and filed Chapter 11, and they actually attributed an SAP security breach as one of the major factors in that situation, because they couldn't run the business and they actually couldn't comply with financial reporting obligations.
8:00
So we definitely see attackers knowing that these are the critical systems and really have a lot of valuable data, or they're critical to availability.
8:07
So they can do this.
8:09
And look, what we have as part of Onapsis is the Onapsis Research Labs.
8:12
So we do a lot of threat intelligence and threat analysis to really help our customers stay ahead of the threats we've seen over the last several years.
8:19
An increase of, like, I think it's 400% in ransomware incidents affecting SAP systems and data.
8:27
We see attackers talking about this on the dark web and the criminal networks, like a 300% increase in that chatter and discussions.
8:35
A 5X increase on the price for SAP kind of exploits or cyber weapons, so like tools for them to hack into SAP systems, that's now five times the price it used to be a few years ago.
8:46
So there's definitely a lot of interest from the attackers.
8:50
And I think, to your point on what's changed, it's converged with the cloud transformation.
8:55
So SAP systems used to be behind the firewall on premises, harder to access for remote attackers.
9:01
Now everything is going to the cloud, right?
9:03
So everything is more accessible for someone in a remote location, and organisations, to be able to do these attacks from their, you know, operations, right, or from their basements.
9:14
So they don't need to go through the internal network.
9:18
They can just go and attack the systems in the cloud.
9:20
So I think it's the convergence of the systems getting more exposed and attackers realising that they can go directly after them with significant consequences.
9:28
It's what's driving the increase.
9:31
Yeah.
9:31
I mean, and you know, the fact is that, as I think I've said before in research I've done, I mean, you know, when you're moving to some of these systems, these SAP systems are becoming the single source of business and financial truth within the organization.
9:43
And that just makes it that much more valuable.
9:46
A target. 100 percent, 100%.
9:48
It's, again, the lifeblood of the business.
9:50
It's all the critical data.
9:51
It's exactly the heart, I say the heart of the business.
9:56
So an attack on that really could be devastating.
10:00
So, you know, one of the things that we hear about a lot at a conference like this, just in general from SAP, is this thing called AI, right?
10:09
We may have heard that a couple of times, yeah, maybe once or twice.
10:12
So how is AI impacting cybersecurity, and how are customers securing their systems with, you know, if you're starting to use business AI within your SAP solutions, how are you securing that?
10:28
Yeah, we have a lot of customers really kind of asking us about that, and we're helping advise on what they need to do there.
10:34
Because of course, if you think about it, now you're starting to make decisions with that data and automation with that data and enabling kind of AI agents.
10:41
It definitely takes it to a whole different level from a risk perspective.
10:45
So what we see, I think there are a couple of basic things that we see, is, one, customers are really looking to secure the applications that generate the data in the first place and that house the data in the first place.
10:56
Because if you're not protecting those, then it doesn't matter if someone goes after your data lake or the AI data or the algorithm.
11:05
Like we're not seeing advanced attacks on AI today.
11:07
We're seeing attacks like very basic attacks going directly after the data.
11:11
Like we don't see, again, for the type of threat models that we trace and threat actors, they're not going after the models themselves.
11:19
So, like, they're protecting the applications that they run and that generate data.
11:23
That's number one.
11:25
And I'll say, maybe more tactically, specifically for business AI and SAP customers, is really the BTP environment.
11:32
I think a lot of the core AI use cases are of course running on BTP and powered by BTP services.
11:38
And that's been a big change for SAP customers, to adapt to BTP.
11:42
They're used to securing the traditional kind of ABAP stacks and HANA, and maybe S/4HANA, but BTP is a completely different beast, right?
11:50
I was just talking with a customer earlier today, and I was describing BTP as a Wild West for them from a security and compliance perspective.
11:55
They just didn't know, they don't know what they don't know.
11:58
So getting your arms around BTP, like, is BTP properly configured?
12:04
Do you have the right activations, do you have the right interfaces?
12:07
Is that securely designed or operationalized?
12:10
And then having monitoring on BTP to make sure that no one is abusing their access or doing attacks, and securing the custom developments you have on BTP that eventually turn into AI kind of capabilities, that I would say is a place to start right now.
12:23
Yeah, yeah, yeah.
12:25
I mean, and obviously things are going to change.
12:27
I mean, as AI becomes more prevalent, people are going to start using, well, people are already starting to use AI for things like helping with phishing attacks, social engineering attacks, you know, but this is all to do with awareness, right?
12:40
I mean, you know, as someone working on an SAP system, you need to be aware of, you know, these potential threats as well.
12:45
Yeah, that's a great point.
12:46
I mean, we see that, like, on the threat actor side, they're capitalizing on and leveraging AI, exactly as you say, to be more efficient and effective with their attacks.
12:55
Right.
12:56
I remember, you remember probably, the days where you would get these kind of phishing emails, but you could tell the spelling wasn't right because it was not a native English speaker.
13:03
And now, like, all the same actors are doing perfect phishing emails with AI that are highly personalized to the victims.
13:10
And they're doing that at scale and they do not to like trigger cyber attacks on different scales.
13:15
So I think the good news is that AI can also be used for cybersecurity.
13:20
So we use a lot of AI at Onapsis as part of the platform to help protect against this type of attacks with a different level of scale and capabilities that you couldn't in the past.
13:29
But yeah, it's a double-edged sword.
13:34
And then again, there is protecting the AI itself, the security of AI.
13:38
That's definitely a key area of growth and concern.
13:42
So Onapsis is an SAP partner.
13:45
You have been for quite a while.
13:47
Yeah.
13:47
In fact, I believe you're the only certified app security app in the SAP App Store.
13:55
So what's your opinion on, you know, the role that SAP's partner ecosystem plays in, you know, securing the ecosystem, and your perspective on, you know, solving problems for SAP customers?
14:13
Yeah, that's another good question.
14:14
So, yeah, there's a lot of companies that are certified by SAP, including cybersecurity companies and vendors.
14:19
We are now, for a few years now, the only ones that are endorsed by SAP; we're part of Endorsed Apps.
14:26
So that gives us a really different level of capabilities on how we collaborate, both on the technical side and the commercial side, with SAP, and giving more value to SAP customers.
14:35
So yeah, today Onapsis is the only one with that status as an endorsed application for cybersecurity.
14:41
So I think the way we work with SAP as partners is really helping SAP, for example, identify and mitigate all these, you know, zero-day vulnerabilities that we identify.
14:50
We also help kind of with security awareness.
14:53
We help with things like kind of writing the book on cybersecurity, right?
14:56
And a lot of ways that we help customers stay ahead of the threat and SAP stay ahead of the threat.
15:03
And I think the other big part that we see in the partner ecosystem is the service providers, kind of the system integrators.
15:09
So we work very closely with many of the leading global system integrators that many customers are already working with while they're doing their RISE transformations or SAP projects.
15:18
So with them, and also some specialised boutique firms, the way we partner with them is because we know that in order for this to be effective, it's not just about the technology; you need the people and process side, right.
15:32
You need to be able to integrate, again, SAP applications into your risk programs, into your compliance and security programs.
15:38
That is not just technology.
15:39
So what we're doing with them is, I mean, they're really experts, right, at SAP and security.
15:45
So we work with them, and they leverage our platform to deliver their services and their programs, and really, at the end of the day, they help customers to have a complete solution.
15:55
But we believe that a solution is not complete without the people and processes.
16:00
And that's how we partner with the global system integrator community and specialized firms to deliver that as well.
16:06
Yeah, now you just said people and processes.
16:10
So one of the most important things that people try and figure out is what skills am I going to need on my team, you know, in the coming years. What do you think is going to be most critical for SAP professionals in the next couple of years?
16:23
Yeah, actually, I have to say that this is one of the things that excites me the most about what's happening in the industry.
16:31
If you think about that.
16:33
Exactly as I said, the people side of things and expertise, every company today is struggling with getting SAP cybersecurity experts on their teams, right?
16:42
There's just not enough of them, right.
16:44
And you know, you have people that know cybersecurity or security in general.
16:48
You know, we have people that know SAP and maybe GRC and access controls, but there's very few people that know SAP and cyber.
16:56
So I'm really excited, and hopefully everyone listening that has maybe an SAP background, like on the Basis side, or a GRC background.
17:05
There is, I think, a pretty meaningful personal growth, career growth opportunity for you to really go into this world of becoming an SAP cybersecurity expert.
17:17
And the good news is at the heart, I think I'm a cybersecurity guy.
17:20
I didn't know anything about SAP before starting Onapsis, really, so I had to learn SAP, and I know how hard it is.
17:27
And actually, it's much easier to learn security if you already know SAP.
17:31
So I think it's really encouraging for, again, Basis people, architects or GRC and kind of traditional SAP security professionals to grasp the cybersecurity concepts that you need to put in place.
17:45
And I think that gives them a significant opportunity to develop their careers and grow and get great job opportunities, and kind of grow their personal careers.
17:55
So that's why, I know JP and Grab were also part of your podcast.
18:01
They just created this great asset, right, the Cybersecurity for SAP book with SAP Press.
18:06
I think that's going to be the definitive guide and a big asset for anyone that wants to start a journey.
18:10
It starts at the very basics, the 101 on kind of cybersecurity concepts, and really walks everyone through how to start the journey of SAP cybersecurity.
18:19
I think that's going to be, it is already today, a high-demand, kind of very lucrative opportunity for anyone to go after.
18:27
Great advice.
18:29
Mariano, it's been absolutely fantastic speaking with you today.
18:32
Thank you so much for coming and speaking with the SAP Insider audience.
18:35
Yeah, likewise, Robert, this was great. Great time.
18:38
Great to see you finally in person after so many discussions online and over the years.
18:42
So no, it's great to be here and thank you again for the time.
18:45
Thank you.