The Evolution of Security Concerns

  • by Andrea Haynes, Group Editor, SAP Experts
  • August 8, 2017

Raymond Mastre, a director at PwC and a speaker at the GRC 2017 SAPinsider conference in Las Vegas, has seen an uptick in concern about the IT topic he has been immersed in for almost 13 years since graduating from Penn State: SAP system security. He leads the PwC SAP security services practice in the west region. He is responsible for the area from Seattle to Arizona, and reaching east to Denver.

At the recent GRC 2017 SAPinsider conference, Mastre presented the session “Cyber Threats in your SAP ecosystem: What you need to know.” This is the sixth year he has spoken at the conference, and in an interview after the session, he discussed the evolution of the topic of security during that time.

When he first started speaking at the conference, his topics focused on SAP application security, how to build security roles, and how to secure the application itself. The orientation was toward compliance and meeting audit requirements. There wasn’t a lot of concern about someone breaking in from the outside as the thought in companies was that it would take a lot of effort. However, after news stories about break-ins, there was an uptick in interest. Currently the concern has become systemic and topics have evolved toward a comprehensive security discussion. “This is not going to end any time soon,” he said. “People don’t want to end up on the front page of the newspaper.”

For more information on securing SAP systems, attend the Cybersecurity for SAP Customers 2018 conference, June 27-29, 2018, in Prague. For information on the event click here.

 The motivation behind SAP GRC used to be purely compliance related, as companies didn’t want deficiencies in their systems. Now it has moved more toward protecting data, the crown jewels of information that companies do not want to see out on the Internet or in the wrong hands, he said.

Going forward, as SAP systems become more cloud focused and SAP builds on top of SAP HANA, Mastre expects companies will continue to have security concerns. Right now, the concerns are at the SAP HANA level as it is new and developing. He noted SAP is quick to find issues and patch them.  When SAP HANA matures, he expects the apps built on top of it will go through the same evolution.

Asked what PwC was emphasizing at the SAPinsider conference, Mastre said a main message is that no company can know all the vulnerabilities it will encounter in the future. Instead PwC helps companies to align their people, processes, and technology to continually monitor their system so a company can quickly identify and patch a vulnerability. He said, “I am a process person. I can help you define a program so that if an issue is identified, you can resolve it quickly.” In addition to hearing from attendees at the conference that they don’t want to end up on the front page of a newspaper, he said they are also concerned about the unknown—what are they missing. Mastre said clients have asked PwC to do what he calls a full SAP ecosystem review. It starts with SAP applications, and then goes out from there for a review of the whole IT system of a company, not just the SAP system. PwC makes recommendations, a lot of them, and then helps establish a priority roadmap.

In his session, he said, he tried to raise awareness of the need for an integrated approach to security. Often, for example, a chief information security officer (CISO) may be responsible for the company’s web site and firewalls, but may not be part of the SAP system security effort. The CISO and the SAP team need to be talking with each other, he emphasized.

In closing, Mastre said that despite the current concentration on cybersecurity, you still need to start at the application level. “The things I was talking about six years ago are still important, even with the threats of cybersecurity.”

Andrea Haynes

Group Editor, SAP Experts

See more by this author


No comments have been submitted on this article. 

Please log in to post a comment.

To learn more about subscription access to premium content, click here.