Key Insights Blog

Read the latest insights from our experts on GRC and risk management

10 August 2020

Ten things CISOs must know about SAP Cyber security

As the IT landscape gets more complex, the difficult job of a Chief Information Security Officer (CISO) is getting even more difficult. One of the challenges facing any CISO is to keep track of various technologies used by their organisation. CISOs for organisations using SAP face another big challenge – managing SAP security.

Traditionally, most CISOs relied on the SAP BASIS team to manage SAP security – using SAP GRC Access Control (or similar tools) to manage SAP Segregation of Duties (‘SoD’) and access issues within the SAP system. Occasional audits of SAP system covered the IT general controls sufficient to satisfy the financial auditors.


However, rapidly changing threat perception and SAP technology landscape is challenging this traditional model of managing SAP security. With our experience of working with multiple large and medium size organisations across industries, we have identified these ten things that will help a CISO navigate the increasingly complex SAP security challenges:

  1. First and foremost, SAP security is the responsibility of CISO and not just the SAP team!
  2. SAP security is more than SoD and authorisations – attackers can bypass the SoD and authorisations controls to gain privileged access to SAP.
  3. SAP is not secure by default (which application is?) – it needs to be hardened before being deployed. But unfortunately, there are no industry security benchmarks for SAP systems (e.g., NetWeaver ABAP, NetWeaver Java, SAP HANA, etc).
  4. SAP has many security vulnerabilities and new vulnerabilities are regularly identified – SAP security needs to be tested regularly to keep the set up secure.
  5. SAP can be hacked – SAP application testing and Vulnerability Assessment and Penetration Testing (‘VAPT’) should be regularly performed by competent testers.
  6. Security patching is important – annual system upgrades are not sufficient. SAP releases hundreds of monthly security patches and many of these patches are not included in the service pack upgrades.
  7. SAP network and communication security is complex and needs special attention to ensure sufficient security. Securing RFC connections, enforcing encryption, and managing 3rd party connections to SAP is not easy considering the enterprise-wide business impact of any disruption.
  8. Monitoring is important – integrate SAP security monitoring with the corporate SIEM solution.
  9. SAP BASIS is not same as SAP security and IT security teams are not always proficient with SAP cyber security. There is often a SAP security skills gap.
  10. Remember, SAP is your crown jewel – it needs the same, if not more, attention than other cyber security precautions.

A CISO of an organisation using SAP has the responsibility to protect its most important system – SAP ERP. An SAP security threat mapping is a good starting point to understand the specific challenges in the organisations.

Once the security risks and vulnerabilities are identified, come up with a roadmap to address these. Identify the ones with high impact but easy solutions – and go after them first. Have a time-bound and phased approach for the remaining. It is best to take some of the more complex areas as mini projects!