Security and Compliance Blogs
JayThvV
Product and Topic Expert
After a slight dip in 2022, the number of reported ransomware attacks in 2023 rose by 50% compared to two years earlier. The global average cost of a data breach was $4.45M in 2023, according to a recent IBM report, but individual cases can have far greater impact. New U.S. Securities and Exchange Commission (SEC) regulation on cybersecurity incident disclosure has caught the attention of Chief Financial Officers (CFOs), Chief Executive Officers (CEOs) and other executives at publicly listed corporations. Regulations are sharpening in the U.S., the EU, and elsewhere, putting increasing demands on anyone providing digital products and services.

It is no surprise, then, that Accenture's The Cyber-Resilient CEO report (ACC p. 12) found that 96% of CEOs understand the importance of cybersecurity. According to the World Economic Forum Global Cybersecurity Outlook 2024 (WEF2024 p. 26), more than half of business leaders and two-thirds of cybersecurity leaders agree that cyber resilience is integrated into enterprise risk management in their organizations. Only a sixth of business leaders and of cybersecurity leaders disagree.

Yet despite this agreement on the importance of cyber resilience, cybersecurity leaders still often struggle for attention. Business and security leaders agree that cybersecurity matters, but neither side is getting what it needs from the other.

It gets more complex still when it comes to the security of ERP systems and the business operations they support. Cybersecurity teams rarely have ERP expertise. The security of ERP systems is generally an IT function whose first responsibility is keeping systems running to support critical business processes. As a result, many ERP security teams find themselves on the hamster wheel of keeping up with patches, such as SAP Security Notes, isolated both from business leaders and from their natural allies in cybersecurity.

ERP Security Communication Triangle

ERP Security (Mis)communication Triangle

Cybersecurity and Business Leaders

Both cybersecurity and business leaders agree that their biggest barriers to cyber resilience are the availability of resources and skills gaps. However, cybersecurity leaders stress the cost of transformation and processes, as well as resistance to change, as key barriers far more than business leaders do (WEF2024 p. 23).

The biggest difference, though, lies in the cost of addressing cyber risks: for business leaders it matters far more that the cost of cyber investment does not exceed the cyber risk it addresses (17%), while cybersecurity leaders rarely (1%) see cost as such a significant barrier (WEF2024 p. 23). 74% of CEOs in the Accenture report referenced above are concerned about their organization's ability to avert or minimize business loss from cyber attacks, yet 54% say they feel the cost of implementing cybersecurity is much higher than the cost of an attack (ACC p. 14).

Security leaders must make cybersecurity risks clear and visible in business terms. They cannot expect business leaders to invest more in security programs than the risks those investments mitigate. In return for continued executive support, security leaders must justify the return on investment and measure the effectiveness of security controls.

60% of CISOs fear personal liability. Business leaders, however, have long lived with that: with greater responsibility in corporate governance comes greater personal risk. A seat at the executive table for cybersecurity comes with consequences.

Business leaders' concerns revolve around the financial impact of incidents and the disruption of business operations. They are more receptive to a cyber resilience narrative built on the ability to withstand attacks, business continuity planning, fast time to recovery, and limiting disruption. Without it, the compliance trap is difficult to escape: with 95% of CEOs saying that compliance drives their cybersecurity strategy (ACC p. 15), it falls to security leaders to turn compliance investment into effective security outcomes.

ERP Security and Business Leaders

Given how critical ERP systems are to business operations, ERP security leaders might be expected to find it easier to justify the cyber resilience of those systems to business leaders. However, that same criticality makes it difficult to agree scheduled downtime with the business to patch landscapes or implement changes that affect business processes.

Many customers have built up ERP estates of dozens of systems, each with its own versions, patch levels, operational SLAs, business stakeholders, and interdependencies. Many are still on legacy systems. In many conversations with ERP security professionals at customer sites, it has become apparent to me that they are struggling to keep up, and many lack the bandwidth to address threat detection or hunt for overprivileged accounts.

The cost of disruption to business processes from downtime is easy to calculate; business risk drives retail customers to freeze technology changes between August and January. When the cost-benefit of an interruption for a security patch or system hardening is not clearly articulated, ERP security leaders find themselves in a communication trap similar to that of cybersecurity leaders.

Cybersecurity and ERP Security

ERP security leaders often lack the support of their cybersecurity peers. Instead of acting as natural allies, the two can be in a contentious relationship, for instance because the ERP team does not keep up with the vulnerability management SLAs set by the cybersecurity organization, or cannot provide the same visibility that cybersecurity teams get from other systems.

Cybersecurity is a broad field, but security professionals with ERP expertise are rare. Similarly, ERP security teams with cybersecurity expertise are rare. ERP security is typically managed by ERP system administrators, whereas cybersecurity split off from system administration decades ago. ERP systems are more comparable to Industrial Control Systems (ICS) – which share the same long lifecycle, criticality to operations, and limited opportunities to patch – and have their own ecosystem of security partners and service providers. This contrasts with the corporate IT, vendor ecosystem, and service providers that cybersecurity teams are familiar with.

This inevitably leads to communication challenges.

The ERP Security Communication 3-Pointed Star

Breaking out of this unproductive hamster wheel requires more than a security awareness program. Cloud transformation can be the opportunity to bring all stakeholders back to the table and change the dynamic.

The Opportunity of Cloud Transformation

Cloud transformation brings all parties back to the table for a reset of old assumptions. It cascades through organizations as an ongoing process of change, driven by corporate strategy, strong executive support, and business justifications. The imperatives for cloud migration we hear from customers are business agility, but also resilience, security, and compliance. The process can be supported and mediated by a trusted partner. Through cloud transformation, we can turn the communication triangle into a 3-pointed star and address the following five challenges.

ERP Security Communication 3-Pointed Star

1. Address the Skills Gap

Bringing in a service provider can relieve skills gaps: economies of scale allow service providers like SAP to bring more resources to bear and to draw on experience from supporting thousands of customers.

SAP must meet local regulations wherever it operates globally, and enable its customers to do so where possible. We are therefore deeply engaged with governmental institutions and standards bodies to help inform upcoming regulations and directives. This also helps us update policies and processes before new regulations take effect.

I have seen SAP account teams work with customers through data residency, data privacy, and security and compliance challenges. SAP-facilitated workshops bring different customer teams together to balance deployment options against business requirements, relevant locations and jurisdictions, applicable regulations, and resiliency expectations. SAP has helped customer cybersecurity teams through security approval processes and risk management exercises in territory unfamiliar to them.

2. Keep Systems Patched, Monitored and Compliant

SAP cloud services are generally patched by SAP by the time the monthly Security Patch Day Tuesday comes around. SAP's internal vulnerability management program also covers the underlying infrastructure these cloud services run on. For security patches to customer systems that require downtime, SAP negotiates maintenance windows with customers.

However, if a customer keeps delaying for operational reasons, SAP will eventually require a risk letter in which the customer accepts the consequences of delaying further. Internal ERP security teams no doubt wish that business leaders would respond promptly to their requests, but a risk letter from the cloud provider is bound to hit harder.

3. Free Up Teams for Higher Value Activities

With resilience, vulnerability management, and infrastructure security handled by the cloud provider, teams can focus on higher-value activities. Currently, many teams lack the time for least-privilege authorization management, the security of business processes, custom code or extensions, and integrations with third-party systems.

Even fewer teams have integrated such activities with cybersecurity risk management, security information and event management (SIEM), threat hunting, and security incident response and recovery. Cloud transformation provides an opportunity to bring ERP security and cybersecurity together.

4. Align Security Costs with Risk Remediated

Cloud transformation changes risk calculations. That alone is reason to bring business, cybersecurity, and ERP security leaders back together for alignment. When security leaders better understand business drivers and the impact of outages on operations, they can prioritize what matters instead of blindly executing prior playbooks or checklists. It must be clear which risks the cloud provider manages and which fall to customer teams. When cybersecurity and ERP security leaders work together to put security risks in that context, they are bound to get a more sympathetic ear from business leaders.

5. Increase Agility and Cyber Resilience

The global economy is in an uncertain business climate in which agility and adapting to constant change are critical to staying competitive. Cloud services have a higher rate of innovation, are always up to date, and are constantly adding features. New technologies such as Business AI solutions bring new opportunities, but also new security and compliance risks. We must be prepared for the risks and regulations of today as well as tomorrow. The more cloud service providers address security and compliance risks on their customers' behalf, the more those customers can focus on what makes them great, in whatever industry or sector they operate.

Shared Fate

The separation of security responsibilities in the cloud is typically described as the Shared Responsibility Model. A more evolved approach is Shared Fate, in which the cloud provider takes an active role in helping customers run more securely and compliantly. SAP is one such cloud provider. We would be delighted to help you achieve more effective and productive outcomes in your ERP security.


Nidhi_Balooja
Employee

Very useful blog. Thanks Jay 🙂