Inject a security-first mindset into SAP S/4HANA migrations by involving security teams early

Published: 20/June/2024

Reading time: 3 mins

Key Takeaways

⇨ Bring security people in as early as possible in an SAP S/4HANA migration to instill a security-first mindset

⇨ People, policy and process work together in security

⇨ Security concepts remain the same no matter what application or system

Bringing business stakeholders in early in the design process of an SAP S/4HANA migration project ensures that security considerations are integrated into the user experience right from the beginning, according to EBOS MedTech Program & Service Delivery Manager Jackie Johnston.

Speaking at Mastering SAP Collaborate Melbourne, Johnston shared EBOS MedTech’s experience of moving from SAP ECC to SAP S/4HANA and the security considerations involved.

As a MedTech business, EBOS deals with hospitals and indirectly with patients, and handles patient medical history and other sensitive information, so privacy and security are vitally important – equal to the high security protections in the banking sector.

“We have all the standard stuff around risk committees, risk policies and subcommittees in place, as well as the standard project management and risk management that we do as we support systems,” Johnston said.

“However, we’re not quite sure that we did enough on the people side and the user experience (UX) side during our SAP S/4HANA journey.”

She added that introducing the people elements into the project earlier would have helped with the UX, the project’s go-live, change management and more.

“Not only does the security-first mindset come into play during the design phase, but [designing the user experience] is also about giving people what they need – and only what they need – to make their onboarding journey easier as well,” Johnston added.

Johnston was part of a panel discussion that included SAP GRC Consultant Sharad Parasher, Commonwealth Bank SAP Security SME Paul Bisby and CompliantERP CEO Marissa Shipley. The discussion explored alternative perspectives on how to adopt a security-first mindset when migrating from SAP ECC to SAP S/4HANA.

Overwhelmingly, the panel agreed on the importance of the three Ps – policy, process and people – working together to improve business outcomes with a security mindset.

Shipley shared CompliantERP’s experience as an SAP security solution provider, stating that “nine out of ten organisations do not have a cybersecurity policy”.

“If you’re at the start of your SAP S/4HANA journey, that’s something you can go to your security team (or even to the board level) to ask about right now,” she said.

“Policy influences your processes – so then you write your processes, which include your work instructions, et cetera, and then get your people engaged with security. While training people on avoiding phishing emails and similar activities is good, organisations also need to be thinking about [security] from a data perspective as well.”

Parasher offered an SAP perspective, providing an overview of the SAP Secure Operations Map (SOM) – a list of security recommendations centred on identifying the most important areas and topics to address.

The SOM has five layers – environment, system, platform, application and organisation – each playing a role in maintaining security. The three Ps – policy, process and people – fit into the SOM application and organisation layers to ensure everyone understands and adheres to security protocols.

“Not everyone has to be a security expert, but they need to know when to contact one when the need arises,” Parasher said.

Paul Bisby highlighted the importance of risk policy being system agnostic: building risk policy starts with a top-down approach from the cyber team, and the policy is then worked through each individual application to define how that application meets it.

“At Commonwealth Bank, we have a design effectiveness and operational effectiveness policy for all of our controls,” he said. “Even if you have designed the best process in the world, if no one’s actually got a proper operation of that designed process, then the process has fallen over.”

Bisby added that no matter what application or service a customer is running, security concepts remain the same, and the policies would “hopefully” dictate what the security controls [are] and how to meet those policies and controls.

On moving to SAP S/4HANA, Bisby said it was important to bring in security people “as early as possible”.

“The later you are, the harder it is to reel things back if people have been testing with wider authorisations,” he said. “So, it’s very important that it’s as early as possible – use the tooling that is provided to you by your implementation partner or by SAP, but also interrogate those tools as well to make sure they’re giving you the best results.”
