It’s not unusual to hear a customer bring up an SAP security question. But what I’m hearing lately has made me sit up in my chair.
Few think they could handle a massive zero-day attack on their ERP systems. It’s a stark barometer for how hard it is to deliver a solid security strategy when CTOs have the pressure of finding skill, balancing tighter budgets squeezed by inflation, and dealing with the heavy demands from the business to automate and improve customer experience.
These worries aren’t new topics; they’ve always preoccupied the minds of boardroom leaders. I discuss these concerns with my own leadership team daily, not just because they are a focus for our customers but because they are integral to our own business strategy and growth.
However, for the first time in a while, the pessimistic perspective on ERP security has been echoed everywhere I turn. Not the type related to end-point vulnerabilities that need a quick turnaround patch, but the sort that could dismantle society.
We’re talking about attacks on a scale that would have serious implications for world food supply, prevent the drilling and shipping of fuel, or cause widespread disruption to energy supply and therefore shut down critical services.
I have long held the belief that a global security incident is just around the corner. Working in the world of ERP does that to you. You can’t help but be acutely aware of the interdependencies within and between supply chains.
In some ways it is reassuring, if not terrifying, to hear a few others express concern. It means reality is dawning, and it’s easy to see why. Every week there’s a new zero-day exploit published and talk of nation state activity. The current macro-economic and political situations only exacerbate this precarious situation; ERP sabotage is a ticking time bomb.
But, at the moment, I’d say there are only a handful of ERP dependent companies that share this outlook, understand the risk and, crucially, have done something about it. I know because we work with them.
They over-index in their ERP security investment for two reasons. Firstly, it’s critical for their brand and secondly security is viewed as a path to innovation.
These brands, though in different sectors, also have one thing in common; they take ERP security seriously in the boardroom. Security is not relegated to the team managing the systems. Instead, every member of the board appreciates the risk profile.
Together they have considered the consequence that lax security has on reputation, but also looked at how a secure automated infrastructure is a means to innovate - whether it’s to create new products and services or transform the processes that bring a competitive edge to the operating model.
However, it’s a rare opinion. For too many companies, security isn’t by design. Instead, running a fire drill on ERP security is a ‘once-a-year’ task if at all.
Why aren’t more companies on high alert?
I have always found this perplexing, yet I understand why it’s the status quo. Put simply, it’s a reflection of the boardroom’s agenda, legacy systems and skill.
What do I mean? Typically, CIOs and CEOs don’t understand the risks inherent to their ERP systems. That’s not to say they don’t understand the value of their ERP systems. Far from it. But they don’t have the detailed knowledge to quantify the threat an ERP breach would have compared to a more obvious breach that would render their business non-compliant.
I think this view is entrenched in legacy and skill. Legacy systems are considered a black hole for cash so there’s a reluctance to invest beyond what’s necessary to keep the lights on. Better to invest in digital transformation. After all, everyone else is doing it.
But there’s the catch 22. How can you invest in transformation programmes when the skilled people you need to make it happen are managing legacy systems?
What’s the answer?
It calls for pragmatism. That is, CIOs need to find a way to deliver strategic change without diverting resource away from essential tasks. And they must convince the board of the merit.
In the SAP world, ‘HotNews’ is a good place to start. It’s a regular compilation of the essential security patches that must be immediately applied to the environment.
Roll out is reliant on a team; systems must be identified, and the patches then need to be applied. It’s time consuming but critical and must run alongside configuration management, permission controls, cyber-attack detection and mitigation.
However, it needn’t be an onerous task or overhead. All of this can be automated, and, when it is, skilled people can focus on the tasks that add real value to the organization.
Plus, it doesn’t require vast sums of capital to do it. The technology exists, so the investment is centered around integration and deployment.
As a result, there’s space to breathe. Time and energy can be spent on the technology that will deliver improvements to service delivery, customer experience and shareholder value.
Paz Oil discovered these benefits after it adopted a different way to manage high risk outages and vulnerabilities in its SAP environment. As we know all too well, any point of failure in the supply of oil has far reaching implications, not just because it can cause severe disruption to supply chains but also creates great stress for compliance teams.
Paz Oil was facing a situation where teams were being sidetracked by manual work arounds for security. The time spent closing holes in security and dealing with false positives could no longer be justified. It was clear that dealing with incidents and finding the root cause was burning up time and creating huge amounts of work for teams whose skills would be better deployed elsewhere.
Today the story is different. Introducing automated configuration and security has turned the situation around entirely. Now the team works proactively rather than reactively, can forecast demand accurately and has time for the more important tasks like innovation, safe in the knowledge its supply chain is protected and compliant.
I speak to clients at big enterprises about these same issues every day. They span the food service, chemical, oil and gas and retail industries to name a few and all are living examples of the value of automation. By investing modest sums in automating security, not only have they significantly diminished their security risk, but they have paved the way for delivering digital transformation. Better still, they have moved themselves out of the bottom 10% into the top 10%, joining the brands leading the pack.