
In Part 1 of the interview with SAPinsider, Roland Costea, CISO Enterprise Cloud Services (ECS) at SAP, discusses the importance of cyber resilience, how SAP is framing its cybersecurity strategies as a value driver, challenges that organizations face when they move to the cloud, and the steps businesses can take to enhance their cybersecurity measures.
Cybersecurity is a critical issue for organizations today. How is SAP differentiating on this?
Roland Costea: The complexity of cybersecurity covers everything from the endpoint and network security up to the application layer security. It is crucial to understand all such aspects to protect oneself and other organizations effectively. SAP has an advantage in this regard, as we understand our own applications and business frameworks across industries.
We have developed many security tools, such as SAP GRC and identity and access management, for our own applications. SAP’s Enterprise Threat Detection (ETD) tool, a critical asset that has undergone extensive development, enables customers to identify and comprehend any unusual activity occurring in their SAP applications and workflows. As the developers of such tools, we possess a superior understanding of our tools’ capabilities, which in turn provides us with an advantage over other competitors in the market.
Cybersecurity discussions are significant for SAP and are frequently a part of the final negotiations we conduct before closing deals. When companies that have already invested heavily in cybersecurity for their on-premises environment move to the cloud, they feel like they are losing control, visibility, and their initial investments. But this is not true. Our customers need to feel comfortable with the level of security and control they will have in the private cloud, and that is why we give them this visibility by sharing security audit log information from the layers we are responsible for securing in the cloud.
However, we must understand that the user is still the weakest link in the security chain. By allowing companies to focus on securing their users and business workflows in the SAP environment, we take care of the network security, endpoint security and everything below the application layer, and business workflows.
How are you framing or reframing cybersecurity strategies as a value driver, not as a cost line?
Roland Costea: Being the largest provider of private cloud services, it is crucial that SAP’s security maturity levels align with its customers’ security standards, regardless of whether they operate on-premises or in their cloud environments. Providing a business transformation service that undermines their security maturity levels would not be logical. SAP’s remarkable growth signifies that we have successfully aligned our cybersecurity strategy with our business objectives, highlighting the significance of connecting cybersecurity with business goals.
Our unique value proposition is our ability to assist customers in highly regulated industries, such as healthcare, oil and gas, and electricity-based companies that operate with stringent security requirements, and safeguard their SAP workloads. This exemplifies our success in moving in the right direction. Our stakeholders and management appreciate the importance of security due to the investments we have made and the results we have achieved.
What challenges do you see when organizations transition to the cloud?
Roland Costea: There are various ways in which a company could deviate from the right direction, especially when it comes to cloud and cloud security.
The lack of governance is a key issue that could arise when a company moves to the cloud, even for those who do it independently. Without proper governance, having a clear view of the number of cloud services being used, the systems involved, and how they interact can be challenging.
This can lead to security vulnerabilities, especially in a hybrid environment where both on-premises and cloud systems are being used. The second challenge is inadequate security controls. By “inadequate,” I mean that the controls in place may not be the best fit for a particular architecture, even though they are generally effective.
Nowadays, people often talk about artificial intelligence and machine learning in security, but they neglect to review the basics of identity and access management, multifactor authentication, and password management. These might seem like simple concepts, but they are a real challenge in a complex environment like SAP, with hundreds and thousands of rapidly expanding servers.
Another example would be in the security monitoring area, where you need 360-degree visibility. It is not enough to just detect and monitor everything. We need to ensure that we have a clear and accurate view of the data to make effective detections and correlations. This is an ongoing task that requires continuous refinement. Additionally, working with third parties, including cybersecurity tools, can pose a risk if compromised. Managing these aspects falls under GRC and cloud security management, highlighting the importance of being prepared and focusing on cyber resilience.
Organizations invest in many security tools but often assume they will do the job for them. The truth is that these tools are only as good as we make them to be. We need to constantly fine-tune and train them to detect and alert us about suspicious activity. While there are automation tools, they cannot replace the need for skilled human professionals.
We need effective protection mechanisms in place, but we also need to be prepared for an attack, have efficient recovery processes in place, and work together as a team to minimize the attack’s impact. This includes engaging with our customers and effectively communicating the situation. It is a two-way project; protection and recovery are equally important.
What steps can businesses take to enhance their cybersecurity measures?
Roland Costea: A shift toward digitalization involves the introduction of new technologies. This leads to changes in processes, which can alter the risk profile of the overall operations. It is essential to comprehend and embrace this reality to remain relevant in the market and facilitate a secure transformation toward digitalization. To improve the security of digitalization initiatives, the first step is to conduct a risk assessment, which involves identifying and understanding the potential risks introduced by adopting new technologies and processes.
The impact on confidentiality, availability, and integrity should be assessed, and risks should be prioritized based on their likelihood and criticality. A risk management strategy must be developed to mitigate, transfer, or plan to complete or delete identified risks. Implementing security controls that make sense for the environment, whether on-premises or cloud-based, and focusing on the basics before moving to advanced measures is essential.
Similarly, encryption, identity and access management, and security monitoring are all crucial elements of effective cybersecurity. However, ensuring that the security monitoring process is comprehensive and includes all necessary data sources in the correct format is essential to enable accurate interpretation and correlation. Security monitoring may not provide an accurate picture of the security posture without proper data collection and analysis. It is important to recognize that the absence of alerts or incidents may not necessarily indicate a strong security posture but a lack of visibility. Therefore, companies must prioritize security data collection and analysis to maintain a robust security posture.
Education and awareness are essential components of effective cybersecurity, particularly when promoting user-based behavior. It is also important to collaborate with stakeholders to ensure that everyone understands the value of security and works together as a team to manage digitalization risks. This collaboration should include partners, stakeholders, top management, customers, and third parties.
Finally, instant response is critical, and cyber recovery and resilience should be prioritized to ensure that organizations can effectively manage and respond to cybersecurity incidents. Responding appropriately in the event of a cyberattack can make all the difference in mitigating potential damages.
Read Part 1 of the interview here.