In this episode of the SAPinsider Las Vegas 2025 podcast, host Robert Holland speaks with JP Perez-Etchegoyen, CTO and co-founder of Onapsis, and Gaurav Singh, Senior Cybersecurity Manager at Under Armour, about the growing importance of cybersecurity in SAP landscapes. The conversation centers around their newly released book,
Cybersecurity for SAP, the first SAP Press book to bridge the gap between traditional SAP security and modern cybersecurity practices. Perez-Etchegoyen and Singh discuss key challenges SAP customers face—like increased landscape complexity, cloud transitions, and lingering myths that SAP systems behind firewalls are secure. They emphasize the critical need for collaboration between SAP and security teams, a shift in mindset toward proactive cybersecurity, and the adoption of risk-based strategies. The duo also highlights the importance of purposeful action, education, and building strong cybersecurity programs tailored to evolving SAP environments.
LV Podcast_JPPerez_Onapsis
0:00
Hello, I'm Robert Holland and this is the SAP Insider Las Vegas 2025 podcast.
0:06
Thank you for listening as we speak with SAP insiders and industry experts about their experiences in the SAP space.
0:13
In this episode, I'm speaking with JP Perez-Etchegoyen of Onapsis and Gaurav Singh of Under Armour.
0:20
JP and Gaurav, tell us a little bit about yourself and your role.
0:25
All right.
0:25
Hey Robert, really happy to be here.
0:28
Thank you.
0:29
Thank you for hiring us on this side.
0:33
JP Perez-Etchegoyen, co-founder of Onapsis and been doing cybersecurity for SAP applications for the past more than 15 years and IT security more than 20.
0:46
And yeah, really applying all of those concepts of cybersecurity to secure SAP applications.
0:56
And we've been presenting here with Gaurav and on different capacities, pre-conference workshops, sessions in SAN 20.
1:06
So it's been a really good experience all over in the conference.
1:11
Fantastic.
1:13
Hey, hey Robert, thank you for having me.
1:15
My name is Gaurav Singh.
1:16
As you said, I work for Under Armour as a senior cyber security manager and this is the conference I've been telling everybody, one with the blue T-shirt that this is the conference I want to be every year.
1:27
It's been almost, I would say 5 plus years for me, including the mastering SAP.
1:32
So maybe 6 or 7.
1:34
So I have to pick this one over any other that that community, that tribe, that that personal that is stories from customers and whatnot.
1:41
And then we as a SAP cybersecurity community coming in together with the sessions.
1:44
JP was talking.
1:46
I just phenomenal and it's just amazing.
1:48
So thank you for having us.
1:49
Enough about me, I guess for now.
1:51
Yeah.
1:52
Well, I guess the big news is that you've both just published a book on cybersecurity for SAP.
2:00
So what is cybersecurity for SAP and why do SAP landscapes need cybersecurity?
2:08
I, I maybe start with my take and then we'll let Gaurav complement.
2:14
Well, cybersecurity for SAP is basically applying the traditional cybersecurity or IT security concepts into SAP landscapes, which is very different from the traditional SAP security.
2:28
And that's why we, we wrote this book, because there's definitely a gap in terms of the publications focusing on SAP cybersecurity.
2:38
And both of us got together and said, OK, let's, let's bring our perspectives from from one side and from the research and vulnerabilities management and the practitioner perspective and on the other side from a customer perspective, navigating the challenges of actually doing cybersecurity for SAP.
3:01
OK, OK.
3:02
As JP was saying, I think cybersecurity for SAP is bringing two different silos of world.
3:10
One is the traditional SAP security which we have all known for almost 20 plus years and then there is another world, for them still SAP, SAP is a black box.
3:22
So this book was like more like our effort to bring those two worlds together saying you are not just SAP security, you are SAP cybersecurity.
3:31
It's our effort to bring that mind.
3:33
I would say some more of a mindset than anything else.
3:36
I started with that mindset calling you SAP cybersecurity.
3:42
So why?
3:44
Why do SAP landscapes need cybersecurity Well, because of many reasons, but let's start with the simple ones and the simple one is complexity.
3:59
It's these technologies supporting SAP applications today, 2025 with it's public cloud, private cloud on Prem, everything in between with technologies with such a diverse spectrum of, of technologies, it's securing, integrating security and ensuring that these landscapes are secure is is very difficult because of that complexity.
4:30
So that's one reason.
4:32
The other is going back to what Gaurav was mentioning is really over.
4:39
Over the history, organisations have been doing security for SAP.
4:44
However, they've been focusing on things that are absolutely important and must have.
4:49
But there's been a gap because ensuring that you have a, a perfectly well implemented security strategy doesn't mean that you cannot have security vulnerabilities or, or, or risks in your SAP landscape.
5:05
So because of all of the reasons and others, we need to have cybersecurity for SAP landscapes.
5:14
And I will just add, I think all my 20 years of working into SAP space, I've been on almost like half decade.
5:21
I was on the other side doing consulting for customers.
5:23
And then maybe almost I'm doing 10 years for as a customer.
5:26
I see there's still false sense of security assuming we we are we have been a GRC heavy ecosystem from SAP perspective because of reasons.
5:36
We all know we are financial system for all the customers.
5:40
So because we are so GRC heavy, there's false sense of security thinking we are all secure.
5:46
We kind of leaving our crowns as a risk from cyber perspective because we are not patching on time, we are not fixing all the security vulnerabilities and whatnot.
5:58
So I think that's why you need cyber security for SAP in today's world, which is changing, which is more cloud, as we say, cloud in the cloud world.
6:06
It's no longer a system within firewall with the RISE and S4 and whatnot, right?
6:13
The identity becomes your new perimeter and then you're going to do things through cyber, not just assuming with doing GRC, you're all good.
6:23
So, you know, I think you made some interesting points there because one of the things I think that is important when it comes to cybersecurity for SAP is there's a number of different myths about it.
6:35
And I know that you address some of those in the book.
6:38
So what are some of the obstacles or myths that you talk about in the book and, and why is it important to ensure that both SAP teams and security teams understand those?
6:49
OK, do we have like 2 hours?
6:53
Well, there are many myths and that that's why all of these misinterpretations or myths led to an existing gap.
7:04
But let's cover a few of them.
7:06
For example, well, my SAP system is behind a firewall, so I don't need to do any any cybersecurity.
7:13
Well, guess what, that's no longer true, right? BTP, RISE, public and private cloud, extensibility through the cloud.
7:25
So a lot of concepts open up our landscape to to be more interconnected and more exposed, opening up the attack surface as well.
7:36
But also as as I said before, the the misconception of yes, we are doing security, but we have a whole security team for SAP.
7:45
Why do we need anything else?
7:47
Well, that team is, is awesome and is doing a great job on, on ensuring that whoever needs to do something can do that and nothing else on the system.
7:57
But given the complexity and the, the lack of knowledge on the SAP technology and, and the, the different vulnerabilities and risks, well, organisations run with a significant level of risk if they don't purposefully do security as well.
8:16
So, and, and, and we can keep talking about needs, but really they have been building over time and, and, and building this, this gap between IT security and SAP security.
8:29
And I, I think I will just add here our book, the book we wrote titled Cybersecurity for SAP is the first ever book written for cybersecurity for SAP. SAP has been here for almost, I know 30 plus years, even the years we can even think about it.
8:47
But there has not been a book written ever.
8:49
So you can assume there has been a myth, there has been a false sense of security or assumption thinking we all could.
8:58
We are doing a lot of GRC and and audit and we have all this big force and whatnot.
9:04
We are quarterly doing a lot of audit.
9:06
So the team I think different teams there have been assumption.
9:10
OK, I think we are good.
9:11
The infosec guys assumes because the SAP guys are so GRC heavy, they got all the area covered and where there is a SAP team assuming oh, we got the separate cyber team and they got everything covered.
9:24
So it's still that silo exists and one of the reason I think we and then we talked about why did we write this book, I think was to bring that that kind of a break those myths bring those two different side, those two different worlds together.
9:39
I think we are in this world of RISE, cloud, S4 and whatnot, we cannot have those myths anymore.
9:45
The risk is very high in this world of changing to the cloud first approach.
9:51
So yeah, those are the myths.
9:52
As JP was saying, we don't have two hours to speak.
9:54
So I think I will stop here, Robert.
9:56
Yeah.
9:56
But I I think that's a really good point because, you know, even though there even though cybersecurity and dedicated security teams and SAP security teams and SAP teams and basis teams are starting to collaborate more with each other, there's still those silos.
10:19
And unless, you know, I think something that your CEO Mariano said in our recent magazine was, you know, something along the lines of it's a team effort.
10:32
Everyone has to work together as a team.
10:35
And that's, and that's something that I think people don't necessarily realise as much, even though there's starting to be more collaboration.
10:45
So what are the biggest cybersecurity challenges that you address in the book?
10:50
Hopefully not two hours.
10:53
Well, as I said before, the interesting part of this book is that we took two different perspectives, the perspective of what what it means to secure SAP applications.
11:09
They're going into the technical concepts, the, the services, their configurations, the, the, the practical steps you need to, to implement.
11:18
And then also from a process perspective, more from the customer, right.
11:23
So combining both allows you to push forward a good security strategy.
11:29
So even if you're starting your first steps on that, this book can help you navigate.
11:37
Yeah, I think we didn't want to make it like 1000 pages book as we know.
11:41
And there's always a balance which we have to find.
11:44
So I think our effort was as JP was saying to bring in those two different perspective complement each other.
11:50
And how do we kind of bring a inclusive book where anybody like a customer who's already on SAP or they are trying to be on SAP or they are trying to embark on S4 journey.
12:02
How do they bring that cyber security in SAP, cyber security for SAP mindset, How do they build their program for cybersecurity using this cybersecurity framework, secure operations map and whatnot.
12:15
So this is our like our effort to give them A1 this source where they can just OK, get this book, hard book or, or ebook, whatever and they can at least have a basic cyber security foundation, a program for for their for their SAP landscape no matter where they are on their SAP journey.
12:32
Yeah, there are some SAP Press books that I have that are real door stoppers and this one is relatively svelte compared to some of the ones I've seen.
12:40
So hopefully it it it's an opportunity for people who perhaps wouldn't necessarily think about reading an SAP Press book to look at something that is going to be more direct, more useful, more immediately productive.
12:55
You actually draw a few chapters just to make it a good book for for our readers.
13:00
Originally.
13:00
Originally it was twice as long.
13:01
Yeah, somebody said, me, I think it's somewhere saying write the book you want to read.
13:06
Yes.
13:06
So I think as author, I think the responsibility is is huge honours to make sure the book I've been writing also going to read it as well.
13:15
Right.
13:15
So that's our our our idea and effort, right.
13:18
JP, you agree?
13:18
Absolutely.
13:19
Yeah.
13:20
So maybe it's just a final question here.
13:23
What do people need to know to get started with cybersecurity for SAP?
13:30
Well, I think there is one thing that can get you there, can take you really long, that is be purposeful.
13:42
It's like there's so many different ways to implement security, cybersecurity for SAP, but it starts with being purposeful.
13:51
So you can take baby steps.
13:53
You can prioritise efforts, you can plan, you can train your teams, you can put processes, you can implement technology, you can buy a book, you can do many things, but it starts with really prioritizing and being purposeful about securing and reducing that gap in your organization.
14:15
Yeah, I would, yeah, I would agree.
14:17
And I would also say it is start from the mindset.
14:20
Again, cybersecurity is a journey.
14:23
It's not a sprint, it's a marathon.
14:25
And you will never be 100% secure.
14:28
So start with that mindset of understanding.
14:31
And I would say start from the risk.
14:33
Everything is like as a cybersecurity professional, our job is to mitigate risk and remediate risk we have in our landscape.
14:40
So start with that risk.
14:41
What are risks we are talking about our landscape and how do, what are things I need to do to protect or, or remediate those risks for my SAP?
14:50
And yeah, get, get our book if you, if you want to, if you love book reading book, I think it our book as well.
14:56
It's a great book.
14:58
Thank you.
14:59
Thank you.
15:00
Thank you, Gaurav and JP for stopping by to speak to the SAP Insider community.
15:04
It's been fantastic to have you.
15:06
Appreciate it.
15:07
It's a pleasure to to be speaking with you again.
15:10
Thank you, Robert.
15:10
Yeah, absolutely.
15:11
And I met the Robert who sends all his emails to me.
15:14
So thank you, Robert, to finally meet you in person.
15:16
Thank you for having us.
15:18
You're welcome, Gaurav.