One of the reasons why ERP security is still an issue for many organizations is that it is still unclear who is in charge of ERP Security and who will take responsibility if an ERP breach occurs. The research from Crowd research partners highlighted that 43% of responders think CIO is responsible, while 28% believes it CISO’s duty. The other report conducted by Ponemon institute agreed that it is rather a CIO who is responsible for this area than a CISO, but most people think that nobody is actually in charge.
In reality, it is the responsibility of all the stakeholders including CIO, CRO, CISO, Managers, Security Engineers, Internal Auditors, SAP Security team, BASIS Admins and ABAP Developers. All of them should somehow participate in this task.
Among top 3 risks for ERP systems such as Espionage, Sabotage, and Fraud, CIOs are mostly warned about Sabotage. Just imagine that denial of service of a core banking solution from SAP can cost millions of dollars per minute.
CIOs have to worry about making sure that all the software that is required to support the business objectives is stable and secure. As the pace of technology adoption is accelerating and risks are growing, they need to find ways to balance between adopting new technologies for their security, the possibility of doing it and, of course, the costs this process may bring about.
SAP Systems are complex and customizable solutions which require continuous monitoring to be sure of their availability and efficiency. Manual solutions are not cost-effective, and there is a severe need for automation.