On March 9, 10 and 11, SAP insider GRC 2021 was held, an event dedicated to SAP GRC and cybersecurity.
Our colleague and sales assistant Ricardo Veiga attended the event remotely. It was presented by more than 50 opinion leaders and experts, and covered topics such as thought leadership, best practices, practical case studies and new opportunities.
The main objective of the event was to learn how GRC professionals are preparing their strategies and to examine compliance and its impact on risk management, supported by real cases and stories that helped attendees get to know and understand these strategies closely.
The event began with a session on GRC intelligence by Vishal Verma, Director of GRC and Security Solutions Management, and Jochen Thierer, Director of GRC Product Development and Management.
In this session they provided key insights into GRC intelligence, highlighting:
- Easy to use: GRC functions have simple configuration and deliver fast results.
- Modular and scalable: the services available to the company can be configured and adapted to current needs, which saves cost and time while preserving the usable functions of the previous system.
- Process-aware: existing services can be reconfigured rather than forcing a new implementation, which keeps the cost of GRC under control.
Subsequently, other GRC sessions also covered the key objectives to be achieved. The integration of the GRC system needs to follow a regulation that aims to:
- Increase profits: this is where SAP Process Control and SAP Risk Management come into play, as they help companies achieve objectives based on best practices and process management, enabling them to improve planning, reduce production costs or become more efficient.
- Achieve management objectives: such as keeping customers and employees happy. For this type of objective, it is essential to have agile programs with secure access, which allow working with greater control over the data and in a more orderly and planned way, reducing time and unnecessary delays. This strategy is implemented through Identity and Access Management, a system based on practices that make it possible to monitor and prevent breaches in SoD (segregation of duties) risk analysis, password resets, updates or pending approval requests.
With good strategic management, these activities can achieve a 75% reduction in manual effort in control activities, reducing time and costs for the organization.
Cybersecurity was another key topic at SAP insider. According to professionals such as Arndt Lingscheid, Global Solution Owner Cybersecurity and Data Protection, Product Management at SAP Labs, companies prioritize the risks with the greatest impact. The problem comes when, by focusing on those two or three risks, we allow vulnerability to increase in the others; we therefore need visibility into all scenarios in order to assess the investment in prevention required to have the most secure enterprise possible.
Today’s CISOs need to estimate the impact of an attack on business decisions in order to assess in depth the strategy to be implemented.
How can we have better visibility?
- ERPs (S/4HANA): this system collects many records with very important information, which allow us to analyze the evolution of the business in all areas and draw productive conclusions.
- Cybersecurity and risk management: these allow very useful configurations for the use and creation of information, so that user access logs can be obtained and possible threats detected.
- Data analysis: reliable solutions such as cloud analytics, which make it very simple to understand the business.
Integrating ERPs, cybersecurity and risk management, and data analysis allows the creation of a single document that brings all the information together, enabling managers to make better and more effective decisions.
One of the most effective preventive activities is to keep equipment up to date. Patches should be applied to all the organization’s systems in the shortest possible time; it is a task that requires little effort and, if neglected, leaves a lot of vulnerability. The case of Microsoft is a clear example: in less than 3 days, systems that lacked the update were hacked, so it is necessary to establish control and compliance policies in order to increase prevention as much as possible.
Finally, when talking about risk and compliance in the enterprise, it is necessary to start by analyzing people and processes, not technology.
If we want to protect business intelligence, we need to prioritize the factors with the greatest vulnerability. Some organizations focus on technology, thinking it is the main risk factor, but they are wrong. People are an obvious risk: they may breach procedures, fall for phishing attacks or act against the interests of the organization. Processes, for their part, if not kept updated and secure, can allow access to confidential information or damage the image of the company. It is therefore necessary to start the strategy and risk management with people and processes if we want a secure organization.