So good morning, good afternoon, good evening, depending on where you are at. I see we've got Australia representing a lot of Europe. I see we've got a bit of a who's who when it comes to SAP security in Europe. So I'm very excited to see a lot of new faces, a lot of names to meet and, and use the networking lounge to really network with everybody that's here in this conference today. A lot of great presenters. I think the theme you'll see today, and we heard it earlier already, is it's not just SAP security anymore. The topic of SAP security is a lot wider, so I'm very excited.
There's a lot of different presentations today. A lot of good content being covered from our team, Accenture and Onapsis together. We later have Dr. Renee and Frederick Whiteman, who are our techies who are really going to look at SAP threat landscape.
And then you may have already seen a video from Stephan Troutman and Andre Ross, who talk a bit more about the Accenture Onapsis partnership and what we do together to really help our clients drive SAP security and cyber resilience. So the elephant in the room is really the threat to ERP systems is real.
I don't think I'm telling you anything new. Just last week, SAP and Onapsis released yet another cyber report about known SAP vulnerabilities that we need to be aware of. So the spotlight is certainly on SAP, you are running your crown jewels on this landscape and, and we want to protect it. The statistics are concerning. If you look at just almost 75% of companies have their ERP systems accessible to the internet, and then we've got 29% of companies report downtime with significant cost at, at the minimum hang of thousand dollars per hour.
So a lot of very interesting statistics, but then there's the unknown factor as well. How do you know you are really secure? How do you know sensitive data that you have hasn't already been obtained and is being used fraudulently? So those are definitely questions our clients have and questions we wanna certainly help and advise on. And bottom line really is the move to cloud and, and really having an ERP system in today's world and transitioning in this digital world doesn't mean you are secure by default.
It means that you have to drive security requirements from an enterprise standpoint, and that really requires you to have a sense of security and awareness of security to really successfully drive the requirements based on your maturity and, and be successful in this transformation.
So what does that really mean? Balancing SAP security and, and from a as a security person, right? We generally balance security with, with business needs and ideally with business needs, but there is constant change impacting us.
And, and we're constantly plagued with threats external as well as internal. So we really looked at this as a multidimensional challenge and we identified these three dimensions that we felt are probably most important.
And, and we want to take a deeper look at these. So what are technology and architecture impacts that we see today? And I think that is very important. We've got infrastructure. Infrastructure is a significant change. When we talk about S/4 transformation, you don't just have one cloud, you've got multiple clouds, different vendors. You don't just have an SAP S/4 or an ECC. You have other applications that integrate with each other on-prem or in cloud.
You have integration potentially to identity systems.
And I know we've got SailPoint talking later on about their most recent acquisition with E P Tron, interesting spin to identity governance when it comes to EC to SAP and the enterprise. So a lot of automation to consider like identity, but also security monitoring and event monitoring, something that we're doing together with Onapsis. So what are some of these external impacts?
Again, compliance and regulations are obviously a big driver here, especially when it comes to data privacy and protection. We constantly see change, new regulations coming about, considerations you need to have when you secure your data. We're constantly under attack, right, from an external standpoint as well as internal. But if these attacks ever are successful, if there is a breach, you have consequences like brand reputation to think about and to deal with.
And, and again, balance. From an internal standpoint, we're looking at stakeholders. Have you defined a RACI?
Do you have the right people identified in your organization that are the decision makers when it comes to security, to risk, to controls, and do they have the right security awareness and skills? And I know Johan from my monkey, no monkey is going to be talking a bit later about that important topic of awareness and skills around security and how that really drives the success of your transformation or your SAP program in general. Security maturity is another important component.
Everybody has a different maturity state and or maturity goal, and it is important to really drive requirements around what these maturity goals are for you as an organization. Are you aiming to just be compliant? Are you aiming to go beyond compliance and really aim for security? And there's certainly a difference there.
And again, those are pieces that all are part of the security requirement definition, and the journey that you're embarking on. Closely related often is budget.
And that's a bit of a sensitive topic, but as you develop a strategy, as you develop a roadmap, having an enterprise view on this roadmap is really tightly aligned with what that budget is to really optimize tooling, optimize, optimize initiatives, and really focus on risk. We've got business needs and user experience.
Again, that's often the topic to really balance: how much am I locking down the environment? How easy is it for our users to do their day jobs and, and drive business? And then threats. They're not just external, right? They're internal as well. Segregation of duty is a great example. And it seems here in Europe, segregation of duty is not so much as standard as it is in other regions, for example, the Americas or North America, especially.
And, and again, I think the SailPoint team will have a bit of a point of view on that specific to SAP later when it comes to identity governance. Threats and compliance, again, internal and external, very important to consider to really think about what, what am I balancing? What is the risk? What are the controls that I'm embarking on?
And, and how do I manage that?
So where does that lead us? It leads us to the SAP security dilemma, and security and controls are not considered as an integrated component of S/4 on the solution, as well as the enterprise. And if you look at the layers of security here in this diagram, and you look at what's highlighted in yellow, that is what we found are the base security requirements or base foundations when it comes to an SAP program that especially here in Europe are generally being addressed in, in an RFP and or again in a program.
And that we feel is just not enough, not enough to be compliant, certainly not enough to be secure. Again, highlighted here, segregation of duty, and segregation of duty we feel should be a standard in today's world, with all the tooling that we have available to use, a very easy target to achieve. Again, information security and awareness, an important topic and topic that is rarely addressed. SAP is a business application.
And, and as a result of that, your business really needs to have a security awareness, a security skill set to really be helpful in making the right security decisions and drive the right maturity. RFPs today are plagued with lack of security requirement definition. And, and that really sets the stage where I think challenges when you embark on this journey.
So where are you in this S/4 journey today? You may be at various different phases of your S/4 journey. And the question is, have you considered security along the way? Now, ideally you'd have security at launch.
And that's where you really look at, again, the enterprise security roadmap, a tooling roadmap. How can I optimize across the enterprise solutions we already have, processes we already have, and again, drive security from an enterprise standpoint? We are moving to the cloud.
And again, it's not just one cloud, it's, it's multiple, it's integration with on-prem. So have you performed a cloud security assessment? Have you developed a security reference architecture to develop the right controls, to enable and, or build your environment secure by design?
Have you, do you have a data privacy protection strategy? There is a lot of data that's about to be moved into this new landscape.
Do you know where that data is today? What data is sensitive and where it will be going tomorrow and how it should be protected? These are basics that should be really at the start of every program. Now you may have already moved a bit further along in this, in this journey, and you may not have considered some of these components yet.
And that's where we recommend really take a step back, reassess, realign, develop that security roadmap and strategy and get back on track in your journey. And as you get further along in that journey, there's really components like automation, innovation, continuous security monitoring that should really be the priority list for you to embark on, to gain more efficiencies, gain higher quality, reduce your risk cost and, and operational costs.
So what are some of the key success factors that we have found? Really is having that holistic understanding of security impacts, understanding security and compliance as an integrated component of the solution, integrated security assets and accelerators.
And again, that's something we're gonna be talking about, how Accenture approaches that from a methodology standpoint, together with Onapsis, and security tooling and automation to reduce risk. Again, resilience. Again, it's not all bad. It is complex.
The new infrastructure changes, the, the complexity that security brings along, but there's a lot of great tooling and opportunities we can jump on to really optimize these efforts, reduce your risk, reduce your costs. So what does that next generation S/4 cyber resilience look like? So what Accenture has done is we, we developed a delivery methodology together with Onapsis in which we develop and deliver secure by design SAP programs.
And as you see, compared to the picture we saw earlier that the yellow squares there's a lot more dark purple square, you dark purple being secure by design embedded in the Accenture methodology. We feel it's absolutely critical that information security and awareness is part of your transformation.
So enablement of your business, of the users, is absolutely critical. SAP assessment, doing a current state assessment that drives your requirements, is critical as a base. Having SAP governance throughout the program, absolutely critical.
And then we go really further along these, these layers of security. And that's where we leverage Onapsis as a leader in the SAP vulnerability monitoring space to bring in automation. As we build the environments, as we deploy that solution, we already embedded vulnerability monitoring and, and end control to make sure the sec, the solution is secure by design. Beyond that, in light purple, you see recommendations that again, we feel are basics. These should be part of every program defined by you as a requirement. Segregation of duty,
again, we feel is a basic to have. Critical access review, single sign on, and then, and, and encryption and masking, right? Those are basic components of a security strategy that you should embed in every single program. And you take that further along the maturity roadmap, right, where you can look at the white squares to see, well, what else can I do to optimize my current state, to climb up that maturity ladder and, and to, to automate and reduce risk, reduce cost.
So what does that Accenture secure by design delivery methodology really look at? We embedded assets, accelerators in our methodology to really drive resilience and, and having security and controls as a fundamental component in our methodology is really laying the groundwork for cyber resilience. We embed a security architect in every single program, starting with solution planning, starting with initiation. Your security team should really be part of every single layer of your security program. Looking at program management, change enablement, tech arch, data, service introduction.
Those are all components where security needs to be part of every single program, where I, I would say most of the programs today leverage agile methodology. So having already assets built into our methodology, into tooling that we use to deliver SAP solutions, makes agile methodology for a security team a lot easier. Enabling our functional teams to make the right decisions when it comes to security is absolutely key here to, to, to support the speed of agile methodology.
Again, we're using Onapsis as a platform to build our environments on. We will have secure by design and environment, starting with a development environment going through your deployment. And that's when you go into service delivery is really an opportunity for you to build out your cyber resilience within the SAP platform, or even beyond, integrating with an enterprise SIEM or GRC solution to go get a broader enterprise security footprint.
Again, some of the assets we've got embedded in here are roles, authorizations, right? This is the basic of every SAP solution, but also beyond that, and really included in these sprints are document traceability for security, having system hardening, vulnerability monitoring components.
Again, that's where Onapsis helps us automate this. Having identified security integration components, where we can make decisions on identity, on governance, on security monitoring that make most sense for you as an organization and based on your maturity.
So again, very important to look at methodology and embedded assets, embedded accelerators to really drive the security topic. And this leads us really to the key takeaways in this journey.
Again, I cannot stress enough, consider security early to be successful in planning your cyber resilience. It is an enterprise security topic. Define what your current state security is, develop a security assessment and roadmap to drive requirements.
Again, that's where we work very closely with Onapsis. We have teams look at your current state. We develop that to-be state, and that is really the baseline for your requirements for your journey and, and for your maturity map. Looking at security as an integrated component across the S/4 program and the enterprise.
Again, this is a CSO's view to really drive what we're doing with the SAP platform. Very important to not just be a standalone SAP basis, a component.
It is really an enterprise view. Take advantage of automation, tooling early to gain efficiency of the solution and operational cost saving.
Again, that's what we work with Onapsis to really use that Onapsis platform and enable the solution with automation. Closely risk management program, I think that is a very important, we are constantly embarking on change and, and that change drives the risk and respectively drives controls, security controls we have to consider. So constantly assess, optimize, and align with your maturity goals in your journey. And finally, it's not all about tooling. I think tooling is, is fun. Tooling is, is, is, is sexy, right?
But, but the process is really what's important. The process really drives the tooling and that's where it's important for us have the right awareness. Johan will talk a bit more about that and identify the right tooling that's best fit for you and optimize that tooling across your enterprise. Don't just silo it for SAP and or other programs. Thank you very much for your time. Thank you very much for, for listening to today's presentations. Contact us. We've got Stefan Troutman or myself.
We'll be in the breakout rooms, ready to meet you, and certainly discuss this topic a little bit more, but let us help you identify your current state. Let us help you develop these requirements that you have in your journey and help you be successful. Thank you so much. Enjoy the rest of the day. And I know we'll be, we'll be talking again a bit later.