SAP Security and the Risk to the Value Chain

There is a lot of discussion in risk management circles on how risks within the value chain can often be ignored. Paul Proctor, Vice President of Research at Gartner, recently presented a webcast titled “Digital Business and the CIO’s Relationship with Risk.” He indicates:

“If businesses start to address risks within the value chain, they will become more competitive, grow faster and add value to the business decision makers.”

Take a moment and think about how SAP supports an organization’s value chain. Organizations use SAP to track and manage, in real-time, sales, production, finance accounting and human resources in an enterprise.

Specific examples include:
Finance: General Ledger (GL), Account Payable (AP), Account Receivable (AR) and Asset Accounting.
Controlling: Includes Cost Center Accounting, Profit Center Accounting (PCA) Product Costing, Profitability Analysis and Internal Order (IO).
Sales and Distribution: Customer master data, sales, plants, sales organizations and sales conditions.
Human Resource: Resource hiring, salary, employee benefits etc. It is highly integrated with finance and controlling (FICO) modules.
Project Systems: Budgeting, planning, forecasting.

industrial-value-chain

Other key systems such as email, web front end apps, and Microsoft applications also support the value chain and are of focus for many traditional perimeter and archaic security technologies. However, though these systems are important, are they as critical to the value chain as SAP?

I’ve found that many organizations assume that a combination of reactive security measures (i.e. perimeter-based, static controls and siloed management systems) is enough to “cover all their SAP Bases” (no pun intended). To ensure that risks within the value chain are properly addressed, security and SAP teams must work together and take an adaptive approach to securing their business-critical applications.

This approach includes:
◾Transforming compliance initiatives to include SAP systems in audits.
◾Deploying an effective approach for implementing efficient, automated and integrated ways to measure, monitor and review the state of compliance on SAP applications.
◾Performing risk analytics with an established risk model that identifies, assesses and tracks emerging risks to key data and processes running on SAP.
◾Ensuring the organization includes business context in the risk analytics information to ensure preparation for major events that can impact reputation.

One risk calculation for determining the impact of risks to SAP applications should include the probability of a compromise to SAP applications and expected impact of loss when compromised. In fact, on CISO of a fortune 500 company recently stated, “If our company’s SAP System is breached, it will cost us $22M per minute”. Knowing that there is that much on the line makes it imperative for an organization to have an adaptive security approach in place. To do so, organizations need to have ensured visibility into all SAP assets, the vulnerabilities that are prevalent on the systems, and any already compromised SAP assets. Additionally, it is crucial to prioritize the fixes based on business context and ultimately impact. Finally, organization must put in place proactive and behavioral based controls that continuously monitor key business-critical applications.

Leading organizations have embraced the fact that their SAP infrastructure is not secure and have already begun taking a different approach to SAP security. Being proactive, and identifying gaps in existing security plans before an attack takes place is now critical for success.

Over the course of the last month, Adrian has published an ongoing blog series titled “Building an Enterprise Application Security Program.” This is a great series with use cases and recommendations for best practices around how to build an effective security program for your SAP landscape. During the live webcast, Adrian will expand on the issues presented in his blog, and will discuss security challenges that are likely facing your organization.

For more information on SAP security recommendations visit the Onapsis Blog at: http://www.onapsis.com/blog

Advertisements

Risk Management and Business Context

This week I attended the RSA Security Analytics Summit in Washington D.C. and had the incredible opportunity to meet one of the smartest individuals to date. Nate Silver was the keynote and he covered a lot of ground including 1) an analogy of the proliferation of information via the printing press in 1440 and the most recently the world wide web in 1990; 2) The End of Theory: The Data Deluge Making the Scientific Method Obsolete; 3) The 538 method and lessons from the 2012 elections; 4) the influence of bias in big data 5) the “Signal-to-Noise” ratio which results in increased variables that occur along with the need for a true distribution model to enable trend effective trend analysis; 6) the limitation of technology in some cases where technology was deemed more powerful and a better predictor than the human brain and 7) the use of mathematics to help with predictive modeling. As you can see from the list of topics the presentation was truly engaging and thought provoking.

Signal To Noise Ratio_opt

Towards the end of the presentation Nate Silver provided a suggested approach that not only solidified his presentation but provided actionable guidance in how to better use data as a predictor. The suggested approach is as follows:

1) Think Probabilistically
2) Know Where You’re Coming From
3) Survey the Data Landscape
4) Try, and Err

When given the above guidance, which is clearly outlined in his book The Signal and the Noise, I instantly was able to relate to point number 2….”know where you are coming from” to risk management. The reason why it resonated with me so much is that I am a communications major and studied countless hours both in theory and practice on intra/inter personal relationships. As I work with organizations and listen to the different approaches to risk management using predictive analysis I find people in the risk management profession often overlook the power of knowing where people or in this case risks are coming from within the organization. Risks to financial data or healthcare records are different from risks to a conference room portal application. People must apply common sense to sophisticated models of risk analysis. The only way to get common sense is to drive context into the relationship of the risk to the expected results or impact to the business.

The need for context (common sense) has never been greater. As you look to drive your risk management or even security practices within our organization you must have all four elements in place not just 1, 3 and 4. Context of the risk will empower you to respond in a logical, appropriate, timely and effective manner. Context will also enable you to ensure the people, departments, divisions understand the impact to their world and can also enables the conversations you need to have executive leadership for relational visibility into the risks that truly impact the their world. Without context you will provide less meaningful data and increase the risk exposure to your organization.

In closing I recommend reading Nate Silver’s book The Signal and The Noise and look forward to seeing how all of you apply his astute suggested approach.

S2N Book

Shire Pharmaceuticals Drives Into the Future of Healthcare

Some would say that there is nothing more gratifying than helping people in need. In the case of Shire Pharmaceuticals, helping people with life-altering conditions to lead better lives is core to their business and their culture. Based nearby in Lexington, Massachusetts, Shire focuses on developing treatments for conditions in neuroscience, rare diseases, gastrointestinal, internal medicine and regenerative medicine. The need to stay on the cutting edge of healthcare is paramount to the organization and information security has played a key role in that mission.

Shire’s Senior Director of Information Risk Management & Security, Bob Litterer, came to the company tasked with developing a world class information security function aligned to their business goals. Like so many CISOs today, Bob knew the importance of information security as a business enabler, but needed to drive awareness and create a security culture that embraced their business. In his words, “we didn’t want perform security for security’s sake”. He was also tasked with reducing costs associated with changing compliance requirements, drive-up efficiency, and managing acceptable risk tolerances so the organization could continue to innovate and stay competitive. Quite a tall order when there is so much on the line.

Like any good leader, Bob knew he needed a great team behind him – so he brought in one of our alliance partners OpenSky who helped build a comprehensive Governance, Risk and Compliance (GRC) platform based on RSA Archer.

As you heard from Peter Ridgley, Lead Consultant from OpenSky, explain in the video, Shire was able to quickly spotlight where there was a need for improvement as well as areas where they were successfully hitting the mark. The visibility through RSA Archer allows Shire to do a drill down review of each area to determine how they can improve driving credibility into the management of the program as well as demonstrates its depth.

Additionally, Shire is now able to continue that assessment on a regular basis to report progress, showcase how the information security organization is aligned with the goals of the business, and ensure they are always able to meet changing business needs and compliance requirements.

While this project is impressive in and of itself I am happy to share with you that Shire has earned an important industry accolade as well. Just last week, the company was awarded the OCEG GRC Achievement Award at the 2013 Compliance Week Conference which recognizes organizations that make great strides in improving and integrating their approaches to governance, risk management and compliance. Working with OpenSky, Shire leveraged the OCEG Redbook to provide a framework for managing the GRC Program and it has been paying off in spades. Thanks to the dedication of Shire and OpenSky as well as the power of RSA Archer, Shire gets to take home this honor and we couldn’t be happier.

GRC – A Performance Management Platform or A Success Management Platform?

On May 1st French Caldwell posted a blog titled GRC Will be a Performance Platform in which he references a blueprint that provides a practical approach for identifying the goals of ERM programs in terms of strategic business objectives, and linking that to an underlying GRC architecture that can drive business performance benefits. But isn’t that too limiting?

Performance Management is merely a solution category and doesn’t do GRC platforms justice! When considering how GRC platforms span across Finance, Operations, Legal and IT providing organizations ways to manage risks, demonstrate compliance and ensure governance business performance benefits is only one output and to me only represents how an organization has done historically against business objectives. This is important but not all the benefits that a GRC Platform can and should provide a company.

When organizations use GRC platforms that also includes Big Data Risk Analytics not only will they be able to report on past performance to various levels, domains and to different audiences but they will also be able to predict the future. Future performance, future risks, future efficiencies, and most important future opportunities for success. Big Data risk analytics within a GRC Platform should model out opportunities for growth that drive success within each domain. So I think that GRC platforms will not be performance management but  “Success Management Platform”. Might this be a new category?

PS – I would have really enjoyed the panel with Paul Proctor and Network Frontier’s Dorian Cougias. Not only do I find business predictive and risk management conversations interesting I also am equally if not more fascinated by conversations with “the security geeks” of the world as they save our businesses every day. We should all find them fascinating!

imagesCAH4BEPD

There’s rapid payback for organizations that automate GRC

It never ceases to surprise me how many organizations still use manual processes and unstructured documents to handle their GRC activities. Relying on spreadsheets, presentations and other documents to manage all that information takes a huge amount of time and effort, but delivers very little in the way of consistency or scalability.

On top of that, there’s no ability to aggregate risks organization-wide. This makes it practically impossible to present risk in meaningful ways, and to respond effectively to audit findings and compliance requirements.

Automation changes everything

Organizations that use a software solution, such as RSA Archer, to automate GRC processes tend to see a very rapid payback. Typically, IT is the first user group, the initial aims often being to improve the rate at which secure IT projects are delivered, and to support policy management processes for information risk management.

Because IT provides the underlying infrastructure for other domains, the initial investment in the software will often provide a strong foundation for adoption by other functions, such as finance, operations, legal and HR.

Everyone starts using a common GRC vocabulary. And you get visibility of collective issues, so groups can collaborate on understanding the aggregate issue, rather than fragmenting their efforts across two or more overlapping issues.

What’s the ROI?

Information risk management staff can be more productive and do more analysis work. IT security expenditure will be better directed. The organization will be able to lower its risk exposure and reduce incidents. And ensuring regulator-ready, accurate and timely output becomes a piece of cake.

A recent Forrester Consulting report, The Total Economic Impact of RSA Archer IT-GRC, indicates a 572% return on investment within a three-year period. One company interviewed said that 97% of the ROI they calculated was based on the reporting tool alone.

RSA is hosting a webcast with Forrester on May 22nd, 2012. The webcast will feature Jeff North, Principal Consultant, from Forrester who will discuss the report findings. Also featured during this discussion will be the VP of Security and Privacy from a F500 Media and Entertainment company who will provide insight into real-world benefits they have been able to achieve using a GRC Platform. Sign up for the webcast.

If you’ve already automated your GRC processes, what have been the payback and benefits of doing so? If you’re ready to automate, where do expect to see the greatest efficiency gains, and what ROI are you counting on?

Heat maps: not quite so hot anymore?

On the face of it, a colorful heat map looks like a great way of visualizing the risks that could affect an enterprise. They’re easy to produce from spreadsheet data and they provide a simple view of the potential impact and likelihood of a range of risks, that can be used to help raise awareness of risk generally and to communicate the risk assessment to senior management.

So what’s wrong with heat maps? Why are security professionals cooling in their attitude towards them?

Because, as I’ve said before, the two-dimensional view of risks based on severity and likelihood are no longer enough.

Risk Heat Map
Old School Risk Heat Map

Enterprises need to go far beyond the focus on inherent and residual risks that’s typical of a heat map and incorporate more dimensions, including assets, threats, vulnerabilities and controls. They want to look at risk relationships and mitigation tracking, with an approach to risk analysis that enables a quantitative assessment of all risks to all parts of the enterprise.

Although risk management information systems (RMIS), enterprise risk management (ERM), business continuity planning and crisis response are all specialized areas in their own right, the lines between them are starting to blur as the realization dawns that these management areas are all fundamental to an enterprise’s ability to survive and thrive.

A spreadsheet-driven approach is simply no longer up to the increasingly complex risk analysis job—and can even become a risk in itself. As Chris Duncan puts it, it’s like being armed with only a rock in the middle of a gunfight: you soon realize you need a lot more firepower.

So what’s the answer?

Heat maps can’t give you a rounded view of risks. Good risk management involves taking external and internal perspectives and modeling risk in relational diagrams, decision trees, heat maps, or even quantitative models involving at-risk simulations. So heat maps are one view but they’re not THE view.

Think about the difference between the Google Maps ‘Map View’, ‘Satellite View’ and ‘Street View’. It’s Street View that will give you the most comprehensive view of the location you’re searching for, letting you pan around to see not only the building you’re looking for but also the environment you’ll be entering.

In much the same way, when it comes to risk management, you need to use multi-dimensional models that let you view risk data from different perspectives and enable creation of risk intelligence, so that you can make informed decisions enhanced by risk simulations from quantitative models.

Multi-Demensional Risk Heat Map Cluster

Doing this right also involves combining high performance analytics (HPA) so that, instead of collating the different views on a monthly basis, you can collect, analyze and predict risk outcomes in near-real time. Combining all perspectives in this way means you get a much richer, multidimensional view of risk—and is exactly why using just a heat map is an archaic idea. A possible multidimensional view is represented in the above graph.

In the end it becomes possible to see the effect of each risk on different areas of the enterprise. Each enterprise domain—such as IT, legal, finance, operations—can view each risk and determine, for example, how the domains intersect; whether it’s a geopolitical risk; whether it’s an external or an internal risk; who is responsible; and what the impact on the enterprise will be in financial, reputational or other terms.