Mastering Sap Security & Risk

MASTERING SAP SECURITY & RISK: COMMUNITY SNAPSHOT 2020

INTRODUCTION

For 24 years, The Eventful Group has specialised in developing technology communities of practice, particularly SAP-centric ones, for both business and IT professionals. Intense research is conducted with these communities via a process known as the Circle of Customer Engagement, where both the challenges faced and the opportunities perceived are identified through roundtable discussions held across Australia.

PARTICIPANT PROFILE

The roundtable discussion groups brought together business leaders, business analysts and IT teams who leverage SAP's technology stack, drawn from a wide variety of industry sectors including mining, financial services, media, pharmaceutical, retail, healthcare, telecommunications, pulp & paper, energy, utilities, transport, manufacturing, technology consulting and the public sector. Over the course of these groups we met face to face with 170+ SAP professionals from over 100 organisations, who shared their stories regarding process optimisation and the use of SAP solutions to support it. These insights are captured in this report.

Some of the job titles of participants include:

· Solution Architect - Security
· IT Security Manager
· SAP Security Lead
· Senior SAP GRC and Security Analyst
· Cybersecurity Analyst - SAP ERP Governance & Applications Security
· Cybersecurity Consultant - SAP Security

NOTE OF THANKS

ACCO Brands Australia | AGL Energy | Allianz Australia Insurance | Ausgrid | AusNet Services Group | Australia Post | Australian Broadcasting Corporation | Australian Criminal Intelligence Commission (ACIC) | Australian Pharmaceutical Industries | Australian Taxation Office | Bakers Delight Holdings | BHP | BlackLine System | BlueScope Steel | Broadspectrum (Australia) | Caltex Australia | Capgemini Australia | Central Health Services | CitiPower & Powercor Australia | Coates Group | Coates Hire Operations | Coca-Cola Amatil (Aust) | Coles Group | Commonwealth Bank of Australia | Costa Group | CSIRO Australia | Department of Health and Human Services, Victoria | Device Technologies Australia | Discovery Consulting Group | DuluxGroup | EY Australia | Fire and Rescue NSW | Fonterra Australia | Fonterra Brands | GenesisCare | GFG Alliance - Australia - Head Office | GFG Alliance Australia - Liberty OneSteel | GlaxoSmithKline Australia | GPC Electronics | Hanson Australia | Honda Australia | Hydro Tasmania | Icon Integration | Jemena | Kmart Australia | Komatsu Australia | La Trobe University | LeasePlan Australia | Linfox Australia | Lion Beer Australia | Lion | Macquarie Group | McGrathNicol | Medibank Private | Merivale Group | Metcash | MMG | Newcrest Mining | NSW Department of Education and Communities | NSW Department of Justice | NSW Police Force | O-I Asia Pacific | Orica Australia | Orora | Ruralco Holdings | SingTel Optus | Spotless Group | Stockland Corporation | Sydney Water Corporation | Synchrony Global Australia | TAFE NSW - Sydney Institute | Target Australia | Tomago Aluminium Company | Toyota Motor Corporation Australia | Transport for NSW | Turnkey Consulting | UGL | Visy Industries | Wilmar Sugar Australia | Woolworths Group | Yancoal Australia | ZAG Australia

OVERVIEW

In recent years SAP environments have become increasingly complex, and with this comes the commensurate challenge of securing them. Many organisations have begun or are planning their migration to SAP S/4HANA, a platform that brings a brand-new set of security considerations due to its underlying architecture. In addition, cloud-based solutions such as SuccessFactors and Ariba are often implemented alongside SAP S/4HANA, resulting in hybrid landscapes for the foreseeable future.

If security is not considered early in an implementation and built in by design, then there will almost certainly be remediation work required after go-live. Once live, managing security aspects such as the user life-cycle and privileges, configuration and patching across disparate systems is no easy task. There is an ever-increasing raft of regulatory and audit requirements which must be adhered to. The cost of non-compliance, or worse, a cyber incident, could have devastating consequences for an organisation.

Customers shared with us that they wish to discuss 11 major themes:

1. A Culture of Security
2. Aligning Roles with Organisational Security Structure
3. Security by Design
4. The Roadmap & S/4HANA
5. Tools
6. Cloud
7. Cyber Threats
8. Bots & Identity Management
9. Access Reporting
10. Data Privacy / GDPR
11. Governance & Testing

1. A CULTURE OF SECURITY

Organisations need to shift their old-school security mindset. Cyber incidents and threats are a very real issue, and the implications of a breach can be staggering for any organisation in terms of financial loss (loss of revenue and regulatory fines), reputation and market share.

In some organisations participants feel that management is yet to wake up to this risk materialising, instead adopting a false sense that the likelihood of these events is lower than the reality on the ground suggests. Yet it only takes one person, one click, or a configuration setting left unchanged to knowingly (or unknowingly) create a major cyber event. The security team, and indeed the other parts of the organisation involved with security, need to help elevate the importance of security and what is required to keep the organisation safe.

Organisational security culture is usually a reflection of leadership within an organisation. The tone at the top is set by the Board and cascades down accordingly.

· How does one elevate cyber security awareness to the same 'cultural status' as physical safety, irrespective of who leads?
· How do we get senior-level leaders to actively sponsor our initiative?
· How do you direct spend that benefits the entire organisation?
· How do you link management performance to security outcomes?
· If the security team is perceived as a 'blocker', or a function that slows the business down, how do you demonstrate to management the pain associated with an attack or breach?

2. ALIGNING ROLES WITH ORGANISATIONAL SECURITY STRUCTURE

We cannot find a common governance model with reference to role design; there is no "one size fits all". We need better tools and methodologies to improve Identity and Access Management. Often the HR organisation hasn't defined job roles which cover the entire organisation. This may be because there is no perfect role design. We must be able to adapt to changing business and organisational requirements.

· What methodology and tools are used successfully by organisations to map processes and roles at enterprise level?
· How do we keep the broader team's access aligned as business users change roles and requirements? That is, keep their access live and fit for purpose in real time, so to speak.
· Is the principle of least privilege the right risk mitigation tactic, or are detective controls a better strategy? That is, give everyone broader access and detect threats as they occur.
· Can you balance operational needs through broader access rights while focusing your restrictions only on those that have a direct impact on your financial, cyber or privacy threats?
· How can I keep other systems, such as Ariba and Hybris, aligned with core ERP?
· People are acquiring software products at a rate of knots. How do we manage user access and security across all the landscapes?
· How do we manage this across Development, Test and Production environments?
· Are there enterprise-wide identity management tools which can manage access at each application level?

3. SECURITY BY DESIGN

Businesses implementing SAP often have their focus firmly set on realising the operational benefits and fail to identify security as one of the project's key elements. Failure to identify risks and build security into the foundations of the solution can have damaging consequences for the business going forward. For a robust, secure system to be delivered, it is essential to have business input into the security design, but this input has to be informed by the overall security posture, policies and governance the organisation is trying to maintain.

Systems Integrators and project teams are typically focused on the delivery of functionality, with set milestones to hit along the project timeline. This can lead to corners being cut and security being overlooked, with SIs reluctant to carry out the extra layers of testing that may slow down delivery. Where SAP security is overlooked in the initial stages of implementation, the most likely upshot is a raft of costly retrospective changes. Often, these fixes have to be made in a live SAP environment, only increasing the risk of downtime.

· Within a digital transformation project, has security been front and centre of the design, and is the future governance model established?
· How do we adapt security to an agile model, given that stability is low when agility is high? Can automation help make security more agile?
· Development to Operations is so fast. How do we keep up with the pace and embed security into the development lifecycle?
· Can you use your digital transformation program of works as an opportunity to reset your approach to security from an end-to-end standpoint?

4. THE ROADMAP & SAP S/4HANA

Organisations are battling with selling the business case for moving to SAP S/4HANA. They need to be able to demonstrate what the additional value is to the business. Within SAP Security decisions and tools to select and upgrade, there are many possible and often conflicting roadmaps. The roadmap to SAP S/4HANA is only one of them.
