Three ways to close the governance gap in business-critical applications


Whether they’re needed for enterprise resource planning (ERP), customer relationship management (CRM), or supply chain management (SCM), critical business applications play an essential role in organizations’ day-to-day operations. Given this, demand for these solutions continues to increase significantly, with the global enterprise application market expected to grow to more than $471 billion by 2031, up from an estimated $300 billion today.

However, these same organizations face challenges which prevent security and IT teams from collaborating effectively to improve governance and strengthen the overall protected state of critical business applications.

This comes at a time when regulations and shifting dynamics are creating additional complexities: The Securities and Exchange Commission (SEC), for example, now requires registrant companies to disclose “material” cybersecurity incidents they’ve experienced, and to report annually on the state of their cyber defense risk management, strategy and governance. The reporting has to include the processes used for assessing, identifying and managing material risks from cybersecurity threats – as well as the effects of risks from threats and previous incidents – as specified by the SEC’s Regulation S-K Item 106.

In addition, many organizations are striving to accelerate their digital transformation journeys, which include cloud enterprise resource planning (ERP) systems, advanced analytics, artificial intelligence (AI) and integrated business process optimization. A failure to adequately defend applications during and after cloud migrations can prove costly, as we’ve personally seen organizations lose as much as $100 million due to ransomware and other cyberattacks on SAP applications. In fact, this past year, we’ve seen one of the largest public impacts to a compromised SAP system: Stoli’s bankruptcy.

Attacks are increasingly targeting Internet-facing applications as initial entry points, and bolstering cybersecurity for business-critical applications has emerged as a major priority for the modern enterprise. So how do organizations successfully address the challenges? It all comes down to getting the right people, the right processes and the right technology in place, to empower both security and IT teams to effectively – and safely – migrate:

People. One of the most significant hurdles is the disconnect between IT and infosecurity professionals, whose work within business-critical applications often overlaps. Yet, these teams often operate in silos, speak different technical languages and are measured by distinct performance metrics. This misalignment can lead to confusion over responsibilities, missed security signals and inefficient governance structures. To avoid this, IT and security teams must:

  1. Form a cross-functional governance team consisting of security, IT, compliance and business leaders to ensure a unified approach to oversight.
  2. Define shared responsibilities through a governance framework that clarifies roles in risk assessment, compliance and security controls.
  3. Conduct regular training to bridge knowledge gaps and enhance collaboration across teams.

Processes. We have too many silos set up to determine auditing, assessment, risk identification and code inspection functions. It doesn’t help that each silo seems “set in its ways,” adding to the complications. Instead, teams should break down the silos by working together to standardize processes across these functions, allowing them to take advantage of common technology platforms and more readily share – and act upon – information. Teams should:

  1. Develop a controls matrix that aligns security measures with regulatory requirements and business needs.
  2. Translate the matrix into enforceable policies for business-critical application security, ensuring clear guidelines for compliance.
  3. Implement continuous monitoring using third-party security solutions to assess the effectiveness of governance efforts.

Technology. In this case, it’s not that the needed tools don’t exist – they certainly do. But there are flaws in the adoption/implementation stages. A migration to S/4HANA Cloud, for example, introduces entirely new concepts to traditional IT teams. These concepts involve a steep learning curve for even the most experienced professional. Leaving teams to “learn on the fly” will only introduce misconfigurations, security gaps, operational inefficiencies and governance breakdowns.

To avoid this, organizations must:

  1. Ensure proper configuration of security controls across business application environments to prevent unauthorized access.
  2. Implement continuous threat detection that provides real-time visibility into anomalies and suspicious activity within those environments to enable faster and more informed responses.
  3. Secure custom code across the digital business landscape, including multi-cloud platforms and technologies, data processing functions and legacy systems, by embedding security and compliance into the development lifecycle.

It’s really this simple: If organizations don’t have the right people, processes and technology knowledge and skills in place, they will not be able to collaborate effectively to improve governance processes. Attacks will happen, and business operations – and customer services – will get disrupted. When senior executives and managers allow security and IT teams to spend enough time collaborating, understanding and executing together, they’ll reap the rewards of critical business applications that are both productive and resilient. Regardless of what might happen in the regulatory landscape, it would behoove IT and security teams to perfect the fundamentals, putting themselves in a position to have a real opportunity to close the governance gap.