Three Steps Towards The Optimal SAP Cybersecurity Budget

Christoph Nagy, the CEO at SecurityBridge, outlines the three steps companies must take to create an optimized SAP cybersecurity budget. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI.
Any enterprise is subject to cyber-attacks. Details about incidents involving critical enterprise applications like SAP S/4HANA usually stay internal, so public awareness of them lags far behind that of malware and phishing. As attacks become more sophisticated, we want to guide you in defining the optimal budget to protect your mission-critical applications.
Everyone is worried about cyber-attacks. Employees responsible for applications and infrastructure will constantly state that they need to do more to strengthen the cybersecurity posture because they are continually competing with hackers. Attackers use ever more sophisticated tactics, techniques, and procedures (TTP), and defenders must form a solid defense. Admittedly, the phrasing in the last sentence was inspired by the European Football (soccer) Championship.
Today, adequate cyber protection becomes even more necessary because AI provides threat actors with a new efficiency level. Many organizations have acknowledged the technology shift and the subsequent increase in cyber threat potential that negatively impacts enterprise risk management. These companies have increased their budgets and started putting forward a strategy to protect their business application crown jewels, which are operated by SAP’s critical enterprise applications.
Step 1: Create The Asset Inventory For SAP
Through our interaction with many DAX and Fortune 500 clients, we have learned that globally operating enterprises struggle to keep track of the complexity and size of their landscape. A common question we ask is, “How many SAP System Identifiers (SIDs) are operating within your organization?” The most common answer is, “We don’t know.” Our reply is, “Then you don’t know how many of those SIDs are internet-facing or how you can ensure they have not been infiltrated.” This short conversation typically causes the person being questioned to break out into a sweat.
In general, the budget requirement will strongly correlate with the number of SIDs and the technical components an organization uses. As the most valuable DAX organization, SAP has released more than 1,000 different products, including many communication components required for integration, such as SAP Router and SAP Cloud Connector, which also build the foundation for secure communication with the SAP Business Technology Platform (BTP).
Once SIDs are identified, organizations can move on to SAP applications and the classification of processed data. This needs to be thoroughly reviewed in Step 2, Risk Management.
Step 2: Active Risk Management and SAP
With NIS2 becoming effective in October 2024, many organizations in the EU need to implement an active risk management process. It’s essential to analyze and evaluate every individual risk. However, risk management is more than cyber-related; it must also consider operational vulnerability and financial impact.
When pinpointing the enterprise-critical applications, SAP quickly becomes a topic of conversation. However, it’s often challenging for the risk management team: SAP assets must undergo the same data and business process analysis and evaluation as other applications, yet the team rarely has a complete understanding of the platform.
It becomes evident that the last penetration test or security audit report is not enough and may be outdated. A more detailed solution is required that helps analyze the complexity of secure configuration, detect malicious activities, and protect against malware. When diving into the rabbit hole of SAP security, many more topics present a point of confusion; these include:
- Authorization concepts such as segregation of duties.
- Identity management.
- Privileged access management.
- Timely and efficient patching of the enterprise application.
It’s important not to get overwhelmed with the fine details—risk management requires continuous re-evaluation and adaptation. Remember the principle of security: 100 percent security isn’t a realistic or desired target, and the early start of security measures significantly impacts your security posture.
Step 3: Define The Optimal Budget For SAP Security
The first steps in determining a budget are essential. Enterprises should ask how their cybersecurity investment compares to SAP’s yearly license and operational costs. Adding the projected financial impact of attacks, such as denial-of-service, will create a more accurate investment prediction. And don’t overlook the associated reputational damage costs in the financial analysis.
Try to determine which measures should be implemented in the next budget year, and calculate the desired investment per SAP SID or production line to arrive at a precise budget plan. To do so, it is vital to answer the following questions:
- How high was the cybersecurity budget in the past year, and which measures have been implemented?
- Focus on the present situation: Which known vulnerabilities must be resolved?
- Focus on the near future: Are any planned projects going to affect the existing security posture?
- Is it necessary to look at SAP security automation?
Conclusion
Ultimately, it is not the organization with the most significant cybersecurity budget that finds itself best protected. The effectiveness and reasonableness of investment, in correlation with its own individual risk, promote the best defense. In the European Football Championship, successful tournament teams exhibit significant strengths, including defense, midfield, and attack. Similarly, SAP security excels when organizations achieve high maturity levels in various areas, including security monitoring, threat detection, and efficient patch management. Thoughtful planning and configuration are the best defense to eliminate weakness on or off the field.