Control over the security of the critical objects where business data is processed is, unfortunately, frequently left outside the scope of the CISO’s authority, which weakens the security control that the most critical objects demand. This example explains why security is crucial, yet neglected. Security is most neglected during project deployment, especially if the system owner is part of senior management and strict project deadlines have to be met. Needless to say, even if the need for SAP security measures is recognized, inadequate or missing resources and information regarding SAP systems often lead to misconfiguration issues.
SAP security assessment and monitoring is a completely different ballgame compared to other applications such as a mail server or a domain controller. It demands continuous attention if it is to function and protect information as the business expects. Enabling and maintaining security is also inherently complex, especially since SAP is highly customizable and exposes a list of parameters even in a default configuration. The complexity is amplified by the fact that almost every new SAP vulnerability is traditionally solved by installing an additional option with its own set of parameters, which usually leads to new and complex relations between settings. These complicate pre-existing settings and their functions, often forcing SAP specialists to work through a long list of manuals to rectify the problem and get the system working.
Hence, the demand for SAP security specialists is huge and continues to grow. Regrettably, since the technical side of SAP security is immense, hiring the right candidate for the job is a challenge. Tasks such as the creation of new accounts and segregation of duties can be handled, unlike user passwords, settings that are commonly left in their default state, or software vulnerabilities.