Yes. Thank you very much. Happy to do that. The course about the big ship and the small leaks that can sink a big ship is also covered in more detail in the session later on with my colleague and co-founder Marco.
What I'm trying to explain to you today within this presentation is what the main challenge about SAP security is and why it is so complex for enterprises worldwide to deal with it: who has the ownership, who takes care of it, who has the responsibility, and the latest consequence. And if you are really dealing with that challenge right now, I would strongly recommend you to also visit the session of Marco later, where he will give you valuable insights into how he can protect your SAP environments, get the low-hanging fruit and quick wins to increase security immediately.
What I will show you right now is based on a pretty famous model, the three lines of defense model: what can be done and what needs to be done to clarify ownership.
So starting with those challenges that everybody has: imagine you are a CIO or a CISO and you want to, or you have to, protect your SAP environment. There are several players within that game, having an outside perspective on it. There is the SAP customer itself, but most of the SAP customers also use system integrators, or maybe even have outsourced their IT and SAP to Accenture, Cap, whoever is in that area.
There are also security vendors who are very good and have a special expertise, maybe on code, maybe on configuration, maybe on interfaces, many, many areas. Security is such a big topic, and there are many security vendors out there. Not too many: there are few security vendors out there, because the topic itself is a very complex one, but we will get to that in a second.
And there is also regulation and auditors, the Big Four, who are checking on SAP more or less; sometimes it depends. But there is also regulation: pharmaceutical companies who are FDA regulated, in Germany, for example, the banking industry with the B and some regulatory requirements. So this is the outside view on the big picture. These stakeholders somehow need to deal with each other. If you want to have a consistent security strategy for your SAP environment, they all have stakes in that game.
And the issue that we see, for example, is that most of them are biased. For example, system integrators want to position products or services to keep the engagement going on. Security vendors will always pitch on the question, which is actually binary: what is the first thing I need to do to secure my SAP environment? They will pitch the products that they want to sell, but they don't give you unbiased advice on where you can get your low-hanging fruit.
Even the auditors, the Big Four companies, mostly also have a project team.
And if they, for example, have GRC consultants on the bench, they will recommend you to do GRC as a first step, which is definitely not the first thing you want to do when you want to secure SAP environments. So where do you get the unbiased advisory? How can you get independent from others? And the answer is actually pretty simple, when you have your three lines of defense. And you might have asked yourself why this company has the name No Monkey. You see those monkeys here in the back: they're not talking, they are not seeing, they are not listening.
And the original monkeys are right here in front of me. Those are the ones I brought all around the world to do a cybersecurity awareness show. So those gentlemen are pretty famous, actually, and have seen many, many events around the globe, but I'm using them to explain the complexity within SAP security.
Because what we are saying is: it's not natural that, for example, the first line of defense, your SAP department, is reporting to the C level:
Hey, we have unsecured coding. We have unstable configuration. We don't know how many interfaces we have. In a nutshell, we haven't done our homework in SAP security in the past years, and now we need a lot of money to fix it. That's not their comfort zone. That's why they are not speaking, by nature. This is no finger pointing; this is just how it has developed over the last years. The second line of defense, the security experts, they have the security operations centers, their SIEM systems. They are security experts, but are they connected to SAP?
And what we have seen is that for 99% of all SAP customers there is no connection between their SAP department and their security department.
So in fact, they don't even have any visibility into what's happening within SAP. Even if they do, they don't speak the Japanese language. For them, SAP is a bit like North Korea: for most of us, we might know the leader, but we don't know the mindset, what's happening in there, how they think, what the terminology is, and all that. That's very, very special, and this is something that needs to be learned.
Lastly, we have audit. Audit checks whether the software runs the way it must run due to regulatory requirements and internal policies. But in fact, they can't check it themselves, so they're asking third parties to do a penetration test or an application audit. And they take the information being provided, hand it over to the SAP department and give them a time slot to fix it. But in fact, they're not really listening to what they need to do to minimize the attack surface.
They are just delivering the information being provided by a third party.
So what we have done right now is explained, with the help of all three lines of defense, in a logical way why SAP security has no ownership. Or: who would you call when your most important SAP system is getting attacked? Your security department? Your SAP department? Who is it? So there's always a question. You see three monkeys here. Here's another one; what this guy is doing, I'm leaving to your imagination, but I see the C level right here, because this guy thinks he has three lines of defense, and what he's covering with them, I don't know, but security.
And this is a very, very important lesson learned from SAP: it needs to be done top down. There won't be a Robin Hood coming out of the machinery room of SAP departments to save the corporate responsibility of the company. Security is an extra mile. Security needs to be done, and it's extra effort in terms of time, money, and behavior. So what we see, or what we would like to do, is assist companies and the entire ecosystem worldwide to establish security as a culture, and culture always starts with people. This is very important: people.
We have three main attack vectors when it comes to, not SAP, to any software in the world: you can always attack people, you can attack processes, or you can attack technology. So what companies tend to do, and there is a parallel to me to COVID-19 right now, what companies tend to do when they are faced with a problem they don't understand is that they throw money at it, which is mostly technology. There is a tool that can help you to fix the problem. So far,
so good, but I'm doubting that this is really effective if you don't have the right processes and people to use the technology. That's why we are saying people need to learn; only when they understand what they are talking about can they adapt it and develop a strategy for their SAP environment, ideally with all three lines of defense sitting at the same table and being covered by the C level to force the initiative.
So they learn, they adapt and they execute.
Execute is the technology part. In the third step, we can check which software can support your processes and people, but not vice versa. So how do we do that? No Monkey has created a matrix, which is the first matrix that is covering traditional cybersecurity with SAP terminology. So what you see right here is the security framework with the five areas: identify, protect, detect, respond, and recover. What we have done here is we've mixed it with our IPAC model, which is typical for SAP, in the areas of integration, platform, access and customization.
What we want to do with that matrix is a white spot skill analysis. So where do the competencies within an organization sit? And then we match that with a risk appetite that we define together with you: where do you want to land? Do you want to be at 10, four or eight out of 10 when it comes to security?
So we mix that up, and then we find the delta and give you the evidence to make the decision, to decide if you want to catch up on that delta by training people, by establishing the right processes, or by using a technology.
We have the know-how about that, as we have a lot of experience in that area and we know the market quite well, and we are happy to support you. But what we want is that you can create your own course list for the relevant people to learn the right things in the right depth for their job.
So what we want to encourage you to do is design your corporate security package. We provide evidence first, because evidence is very important to do the right things. You can burn a lot of money within SAP making the wrong decisions.
So we are offering some advisory services for you to get the evidence and understand what can be done. There is, for example, the security aptitude assessment, where we do this analysis of your current skill levels. We do penetration testing, where we attack with some of the most dangerous hackers that you can see in the SAP environment. We do network security checks, and we want to give you the best possible information to take the right decisions. There are some details about that.
You can see that in the presentation that you can download afterwards. I also would like to encourage you to have a look at our little film, where we are trying to demonstrate the problem. We took a lot of effort to realize that and make it happen for you. It's called The Inconvenient Truth About Application Security. It will be provided within the coping, our calling network as well. It's worth watching; have a glass of wine with it and enjoy. It's pretty cool.
While I'm talking, you see a few of those services right now, and we also provide a little demo on no-monkey.com, where you can get a feeling of the learning experience. The idea is really to have a customer-centric approach and have your thoughts in the middle of our acting, because we want to give you the best possible security based on your resources, on your timeline, on your current risk and attack surface, and, for example, also on your budget. This is quite important, because we have seen a lot of companies spending money on totally wrong things.
So this is it for now. If you have any questions, feel free to reach out anytime. It was my pleasure to be here, and, miss account, maybe we have a few questions. Is there anyone with some questions around here?