SAP Private Cloud

“Security is not simply a subset of IT”


Key Takeaways

⇨ As companies continue to adopt container-based architectures, container security and Kubernetes-based security in the cloud are also emerging as important topics on the cybersecurity agenda.

⇨ One growing concern in the cybersecurity landscape is supply chain attacks, which have been on the rise in recent years.

⇨ The top five priorities for 2023 include defensive architecture, privileged identity and access management, zero trust, risk-based vulnerability management, and cyber resilience.

In Part 2 of the interview with SAPinsider, Roland Costea, CISO Enterprise Cloud Services (ECS) at SAP, discusses an overlooked topic in the cybersecurity field that deserves more attention, the top priorities for the year, and the top-line thing organizations must keep in mind if moving to the cloud.

What is an overlooked topic in the cybersecurity field that you believe deserves more attention or discussion?

Roland Costea: Organizations often overlook the importance of having good people, processes, and frameworks in place besides investing in security tools. The focus tends to be on technology, with new vendors and developments constantly emerging. However, it is crucial to recognize that security is not simply a subset of IT; it is a separate dimension that requires its own strategy and approach. Although IT and security are related and must collaborate, they are distinct entities.

While compliance is essential, it is not equivalent to achieving a high security maturity level. Compliance may provide a foundation or act as a driving force for a security framework, but adhering to regulations does not guarantee that an organization is fully secure. Although there is no universal standard for the best security framework, scrutinizing an organization’s approach to security beyond their certifications, such as SOC 2 or ISO, is crucial. Executives and stakeholders need to comprehend that while compliance can facilitate new business ventures, it is only a small piece of the overall security puzzle.

What are the new things to worry about in the coming years for companies?

Roland Costea: Deploying emerging technologies such as artificial intelligence and machine learning is becoming increasingly common in automating and streamlining various processes. However, these technologies present new risks, as they may become targets for attackers. New vulnerabilities or zero-day exploits may be identified through these systems, which must be considered. Another area of concern is the security of the Internet of Things (IoT), which has gained momentum in the market in recent years.

As companies continue to adopt container-based architectures, container security and Kubernetes-based security in the cloud are also emerging as important topics on the cybersecurity agenda. Overall, it is important to remain vigilant and proactive in identifying and addressing potential risks associated with these new technologies.

One growing concern in the cybersecurity landscape is supply chain attacks, which have been on the rise in recent years. These attacks can manifest in different forms, such as ransomware and other types of malware, and have sparked increased scrutiny from the market. Quantum computing is another emerging trend that presents significant challenges to cybersecurity. Its potential to operate faster than current technology means that current encryption methods might be compromised.

Encryption algorithms that were once deemed secure may become vulnerable in days, weeks, or months rather than years. In the coming years, these challenges require the industry’s attention to maintain the security of sensitive data and systems.

What piece of advice can you give to organizations that are building their security strategies?

Roland Costea: I would suggest that C-level executives should be aware of both current and emerging risks and threats and have a shared understanding of the organization’s information risk capital. They must also recognize their responsibility to safeguard organizational assets and customer data from cyber threats.

Irrespective of their specific C-level position, executives must understand the organization’s position in the threat landscape, including how big of a target they are, and the likelihood and impact of risks. It is essential to be prepared and not assume that such an incident will not happen. The correct organizational chart, overall resilience, and response in case of an incident are critical. Although this requires a multi-faceted approach, the fundamental idea is to understand the organization’s role in the world and the threat landscape, identify targets, and develop and implement effective protective measures.

What is the top-line thing organizations must keep in mind if moving to the cloud?

Roland Costea: In SAP Private Cloud, the security controls are owned by operations itself, with the security and compliance team overseeing governance. This concept is similar to bringing security to the Software Development Lifecycle Process. In transitioning to the private cloud, organizations need to understand that they play an important role in the overall security, especially on the application layer, where they need to make sure their business workflows are secure, and should work with us to facilitate the downtime windows needed to patch different system layers (Database, Application).

What are the top priorities for the year for you?

Roland Costea: Our top five priorities for 2023 include defensive architecture, privileged identity and access management, zero trust, risk-based vulnerability management, and cyber resilience. Defensive architecture is focused on improving and fine-tuning our defensive capabilities; Privileged identity and access management is concerned with securing our administrators’ access to systems containing customer data, balancing operability with security; Zero trust is a critical concept for us, as we collaborate with our customers in operating their systems; Risk-based vulnerability management involves assessing vulnerabilities based on criticality and potential impact in our unique environment, a complex process that requires a mix of manual work and automation; and finally, cyber resilience is another crucial priority for us and involves both prevention and recovery.

It encompasses considerations such as implementing protective measures to safeguard against potential attacks, but also preparing for the eventuality of an attack occurring. It also includes assessing how ready and efficient the recovery process is, how different processes and teams within the organization interact, how customers are engaged and informed, and how communication strategies can minimize the impact of the attack on the environment.
