Security and Compliance Blogs
Security & compliance of business operations are critical in this age of rising cyber threats, increasing compliance regulations, and rapid technological change. SAP customers, partners and SAP employees put great effort in to meet those risks and work towards effective security outcomes and cyber resilient systems. We benefit from each others' challenges and successes to protect the business processes and services we all depend on. Join us here for blog posts and thought leadership regarding the security and compliance of SAP software and cloud services, as well as secure development, deployment, and operational practices, whether on-premise or cloud.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Explore the tactics SAP is Implementing to Drive Digital Trust

Geeta_Menon
Advisor
Advisor
‎03-19-2024 2:18 PM
0 Kudos

Introduction

In this age of swift technological progression and changing regulatory landscape, businesses are progressively capitalizing on data, artificial intelligence (AI), machine learning (ML), and cloud technologies. This digital transformation is an arena that presents prospects not solely for optimizing operations but also for fostering trust among its stakeholders. In this article, we delve into how SAP is pioneering digital trust through transparency, reinforcing ethical practices, boosting data privacy, and hardening security. SAP's approach emphasizes value-driven goals, operational performance, and risk reduction, aligning with the broader journey towards digital transformation and long-term stakeholder trust.

Picture1.png

 

Value-Driving Goals Vs Risk Reduction Goals

Value-Driving Goals

  1. Enhancing Operational Performance with AI/ML

  2. Strengthening Existing Customer Relationships and Acquiring New Customers by building Trust

  3. Increasing Employee Adoption of Digital Technologies

  4. Reducing Operational Costs Through Standardization

Risk Reduction Goals

  1. Compliance with Regulatory Standards, such as GDPR and Schrems II

  2. Mitigating Financial e.g., market, credit, operational and Non-Financial Risks e.g., ethics, environmental or social impact. 

Digital Transformation at SAP

Digital transformation, in the context of SAP, refers to the process of utilizing technology to enhance services and activities that engage customers. It is characterized by unlocking value in a more efficient manner through technology-optimized processes and using templated content curated by industry experts.

It is realizing efficiencies in our process by leveraging more technology when we execute activities and services to engage and enable both our internal & customers at scale. Digital is not only limited to virtual interactions, but it is the way in which we engage more often through technology optimized activities in order to engage them across their customer value journey. Digital transformation signifies the strategic and tactical use of technology to improve service delivery and customer engagement practices at SAP. It involves achieving process efficiencies by leveraging technology and employing industry-curated content. Thomas Saueressig explains, “Our differentiation potential is our smart, relevant, and reliable answers that are given in a trustworthy way.”, which is embodied in SAP’s approach in leveraging best practices and certified processes. SAP’s value delivery is focused on automating comprehensive processes in a transparent way. 

Anticipating Challenges

An essential part of understanding the landscape of digital transformation involves acknowledging the challenges our customers may encounter in their future strategies. These challenges may range from training and awareness, centralizing and standardizing information, to ethical AI use and ensuring data security. We partner with customers for continuous feedback and improvement to address evolving security needs and we provide assurance about the effectiveness of our development and operations. As SAP's CEO Christian Klein emphasizes, "To harness AI’s massive growth potential, we must invest significantly, infusing business AI across all functions and processes and delivering more value to our customers and colleagues faster than ever before." Tackling these challenges head-on is pivotal in demonstrating our expertise and capability in building digital trust.

Approach for Adoption of Digital Technologies and Automation

SAP recognizes that automation is most effective for tasks that are repetitive and require low expertise and applies AI to enhance the automation. An important element of this is utilizing data analysis to identify areas of focus and guarantee the accuracy and integrity of data. The adoption of the "zero-party data" approach, where data is directly collected from users, helps prevent any inaccuracies in data interpretation.

Customers want greater insight into how our cloud landscapes run securely and access to security metrics, logs and events, beyond audit reports. We need to show customers that their data and information are secure with SAP by increasing transparency, visibility, and awareness. Demonstrating to clients that their data is secure with SAP is essential to build trust, bolster customer loyalty, and fuel business success. This aligns with Christian Klein's emphasis on the importance of data handling, stating, "For businesses to trust generative AI, they need to be sure their data is handled safely and confidentially." We empower our customers and partners to think security-first.

SAP Trust Office has focused on process and technology improvements to drive a transparent security culture that permeates the enterprise ecosystem and customer lifecycle.  

  •  Automate and enable Solution Advisory and Customer Information Security Advisory (CISA) teams to address security questions during customer engagements
  •  Automate and enable contract reviews with Lines of Business and enhance regulatory governance, risk and compliance management with monitoring and metrics.
  •  Build cross organization RACIs within Global security and with Field, Cyber and IRO legal, Data protection, Procurement, Go-To-Market, Compliance, Solution advisory and Lines of Business to streamline processes, roles and responsibilities.

The role of sales and presales colleagues is essential in driving sales operations and solidifying customer trust. These individuals play crucial roles in areas where trust needs to be established, rebuilt or maintained along the customer value chain.

Security and Trust Service Center

Key initiatives include streamlining roles and responsibilities across organizational units, automating security-related tasks, and enabling customer facing teams to address security queries. Emphasis is placed on transparency regarding cyber risks, and sharing more about policies, contracts, controls, vulnerabilities, incident response plans, incidents, breaches, certification reports, audit remediations, penetration tests, disaster recovery tests, and KPIs. For example, sharing firewall rule parameters carries a risk that a vulnerability may be shared. But having a standard, and saying that the firewall rules meet that standard, doesn’t give away intricate details and helps enable trust. SAP is investing in automated compliance monitoring and customer dashboards to assure customers of how secure their cloud environment and data is and to showcase transparency as a competitive advantage.

The Security and Trust Service Center utilizes AI/ML and web services to promote transparency, scalability, and cost reduction. By implementing explainable AI (XAI) and LLM technologies, SAP ensures that customers can comprehend how self-learning algorithms operate. This encourages customer self-service and enables customers to easily and efficiently evaluate SAP’s security capabilities at the enterprise and product levels. We allow a combination of probability scores to make recommendations and human interpretation to select accurate responses to security due diligence questionnaires. 

Internally, SAP employs AI capabilities to maintain their knowledge base and a Digital Library to manage their document inventory, versions, and metadata. Customers and partners can subscribe to a dedicated platform for both receiving and retrieving information.

Our safety measures, guidelines, and methodologies are at your fingertips and exhibit complete transparency. Explore the SAP Trust Center site to delve into our security protocols and services, featuring:

  •  Detailed procedures for data protection and security
  •  Inbuilt, internal compliance audits and assessments
  •  Global access to our tried-and-true cloud services

 For in-depth technical material, log in to  My Trust Center, where you will find:

  •  Documented specifics on security, data protection, and privacy for various SAP solutions
  •  Documented evidence of technical and organizational measures (TOMs) implemented by SAP
  •  A directory of data sub-processors along with a detailed rundown of the services they offer
  •  Documents from SAP partners that offer services to SAP

Service Request Management

SAP Trust office recognized the importance of collecting accurate data and gaining insights to address recurring inquiries. To achieve this, we implemented a shared service system that simplifies the process of creating service request tickets and analyzing support case management data. We essentially had to rework our initial steps to optimize the input and output of desired data. Additionally, the system assists with prioritizing and escalating tickets based on their category and complexity.

In future updates, the system aims to integrate with different systems such as Lean IX (service catalog) and sales systems for customer opportunity, quote and contract management and internal chargebacks. Furthermore, the system should utilize AI for guided intake and automated responses to inquiries, enforce service level agreements (SLAs), and enhance interactions with requestors and workflow participants in Legal and Lines of Business.

Internally, the Trust Office utilizes a project management tool for  tracking issues and actions. This improves productivity and communication across teams. Power BI is employed for analytics and reporting, allowing for the integration and automated refresh of data from various sources, and the generation and distribution of reports.

Regulatory Compliance

Countries are drafting new legislation on AI and implementing stricter regulations for critical infrastructure cybersecurity due to growing concerns about cyber-attacks. These regulations are shifting from self-assessment to more directive control frameworks, which include mandatory incident reporting and external audits. Regulators are also becoming more specific in their control frameworks. Additionally, sectors like finance are witnessing the emergence of more comprehensive resilience requirements that focus on business recovery in extreme but plausible scenarios.

As regulations continue to develop, SAP's Regulatory Compliance Tool simplifies the process of evaluating product compliance. It offers a comprehensive overview of industry and regional obligations, links these obligations to SAP Product Standards and Controls, and facilitates the connection between product compliance and relevant obligations. To establish a common language and terminology for security controls and standards across different lines of business internally and with partner organizations, SAP employs the NIST cybersecurity framework. SAP also ensures transparency by sharing its country certification roadmap, which is designed to align with changing regulatory requirements. This is available for SAP's top 19 focus countries/regions to our customer-facing teams through a dashboard in SAP Analytics Cloud (SAC). On the operational side, SAP Privacy Governance (SPG) is utilized to conduct reviews of process entries (procedure enrolment) to mitigate non-compliance to data protection and privacy regulations.

Data Transparency

SAP Data Custodian enables users to maintain visibility, control, and encryption of their data. It enforces security and privacy controls, combats biases, and aligns with ethical principles and regulatory requirements. Data transparency is essential for operational resilience and compliance.

SAP Data Custodian integrates with public hyperscalers and SAP applications to help users maintain visibility, control, and encryption of their data across the suite. They can define and enforce where their data is stored, who can access it, where it is processed, and where it can be moved. The tool can be used to enforce security and privacy controls (e.g., scan code and logs), root out biases (e.g., anonymization) and enable organizations to operate in line with ethical principles and regulatory needs for operational resilience such as EU DORA. 

Contract Management

SAP collaborates with suppliers and partners, and the Icertis platform helps manage sub-processor and sub-contractor data. This ensures compliance with organizational policies and regulations, during supplier onboarding and on an ongoing basis, while reducing supplier chain risk. Future plans include automating customer contract authoring, negotiation, and approval workflows, and monitoring deviations from standard terms.

Currently, the assessment of security risks for contracts takes place in a dedicated system by the SAP Trust office. This process involves reviewing deviations from standard terms in the quote before finalizing it into a contract. For reference, there is a repository of previous contracts containing flagged security risks due to non-standard security clauses available in a designated cockpit.

Security Incident Communications

SAP employs various tools to optimize security contact maintenance and communications with customers and partners during security incidents. Collaboration across the ecosystem is vital to anticipate and recover from vulnerabilities, attacks and breaches. The focus is on resilient thinking rather than isolation, emphasizing a coordinated and cooperative approach to security.

Conclusion

SAP's journey in cloud security and digital transformation illustrates the critical role of technology in building trust with stakeholders. By aligning with value-driving and risk reduction goals, SAP enhances operational performance, fosters customer relationships, and ensures compliance with regulatory standards. The organization's commitment to transparency, data privacy, and security further solidifies its position as a global leader in the technology industry. Emphasizing the fundamental ‘R’s of relevance, reliability, responsibility brought forth by Christian Klein, is forming the cornerstone of trustworthy AI for the business world. SAP's approach to cultivating stakeholder trust and fostering transformation serves as a model for organizations navigating the evolving digital landscape.

Popular Blog Posts
Top kudoed authors
View all