By Christoph Nagy, CEO, SecurityBridge
A conundrum persists in the cybersecurity industry: Why do cybersecurity risks forever multiply while skilled professionals remain in short supply? It sounds like an enigmatic statement the Riddler would use to pose a question to Batman. But in reality, the lack of cybersecurity professionals is a real and growing issue.
According to the US Bureau of Labor Statistics, “Employment of information security analysts is projected to grow 35 percent from 2021 to 2031, much faster than the average for all occupations. About 19,500 openings for information security analysts are projected each year, on average, over the decade.” And Statista reports that “As of February 2023, there were 755,743 cybersecurity job openings in the United States.” California had the highest number of job openings, with 81,584 open positions in cybersecurity-related fields. Given these facts, high school guidance counselors should consider cybersecurity the best career option for students.
In some ways, it seems that the industry is making it more difficult to become a cybersecurity professional by introducing a constant flow of new regulations such as the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), Sarbanes-Oxley Act (SOX), and the EU’s General Data Protection Regulation (GDPR). The conundrum is exacerbated when security specialists are required for specific business process systems such as SAP.
SAP systems are being used by 99 of the Fortune 100 companies and have over 280 million Cloud subscribers throughout the world. Organizations typically operate their SAP ERP systems next to an SAP SRM and an SAP HCM environment, while existing SAP implementations are constantly moving to the cloud. Companies rely on a hybrid-cloud architecture to maintain the flexibility required for each environment. The ERP environment operates with the “RISE with SAP” model. The other two SAP environments work at a hyper-scaler, while only the SAP HCM has been shifted to the cloud thus far. The internal SAP team will still be responsible for managing these. Given this enormous footprint and all the data at stake—it boggles the mind to think that SAP cybersecurity experts are not only rare but simply unavailable to hire.
While organizations lose track of the complexity of their environment, they are constantly expanding. Using hyper-scalers and SaaS models, and combining them with on-premise systems, requires new cybersecurity expertise. IT professionals are put under additional strain to handle these situations. For organizations that are comfortable with their cybersecurity protection and trained IT professionals, I suggest reading the NTT Security Holdings 2022 Global Threat Intelligence Report. It’s a wake-up call to those who think their systems are secure.
There’s No Shame In Needing Assistance–A Piece of Advice
First and foremost, organizations must take ownership and introduce a cybersecurity strategy that embeds the protection of critical SAP applications with Patch Management, Vulnerability Detection, and even Vulnerability Remediation or Threat Monitoring. Organizations lacking the in-house IT expertise to meet these criteria need to consider an SAP Managed Service Provider (MSP). MSPs fill the SAP IT gaps for companies and work on Service Level Agreements (SLAs) while using Key Performance Indicators (KPIs). In the specific case of managed SAP Security Services, the monitoring period (e.g., 24×7, 8×5), or the time elapsed until reporting a detected incident, serves as a criterion.
Specifically, SAP MSPs realize that any SAP attack surface is the sum of all possible entry points or attack vectors through which an unauthorized attacker can access a system or application. The smaller it is, the better it can be protected. In the SAP context, web-based access, for which the Internet Communication Manager (ICM) and the SAP Web Dispatcher are responsible, and the Internet Communication Framework (ICF) (via the SAP transaction SICF) should be particularly monitored and secured. Connections via the RFC (Remote Function Call) interface are also vulnerable and can leak data to the outside world.
All exposed services (HTTP, HTTPS, SOAP, WebService, APIs) must be continuously evaluated and inventoried. Any system service that is not used or does not serve a specific SAP business scenario should be disabled to reduce the attack surface. SAP services that do not require authentication should be given special attention. In SAP, they are located in the /public/ namespace (found in transaction SICF). Services such as /public/system_info are the first port of call for attackers to gather information about the SAP system during the reconnaissance phase of an attack.
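The inventory review described above can be automated once the service list is in a flat file. The following is an added example, not part of the original article or any SAP or SecurityBridge tooling. It assumes the services have been exported to a CSV whose column names (`path`, `protocol`, `active`, `auth_required`, `business_scenario`) are hypothetical; the sample rows are constructed, with only `/public/system_info` taken from the text.

```python
import csv
import io

# Constructed sample inventory. Column names and the /sap/bc/example_* rows
# are assumptions for this example, not an SAP export format.
SAMPLE_INVENTORY = """\
path,protocol,active,auth_required,business_scenario
/public/system_info,HTTP,yes,no,
/public/ping,HTTPS,yes,no,load balancer health check
/sap/bc/example_orders,HTTPS,yes,yes,order API
/sap/bc/example_legacy,HTTP,yes,yes,
/sap/bc/example_old_ws,SOAP,no,yes,
"""

SEVERITY_ORDER = {"high": 0, "medium": 1}
NO_VALUES = {"no", "false", "0"}


def _cell(row, name):
    """Normalised cell text; missing cells become an empty string."""
    return (row.get(name) or "").strip().lower()


def audit_services(csv_text):
    """Return (path, severity, reasons) for every active service to review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Only an explicit "no" counts as disabled; unknown values stay in scope.
        if _cell(row, "active") in NO_VALUES:
            continue
        path = (row.get("path") or "").strip()
        unused = not _cell(row, "business_scenario")
        # Treat anything under /public/ as anonymous even if the inventory
        # claims otherwise: a wrong "yes" there is the costly mistake.
        anonymous = _cell(row, "auth_required") != "yes" or "/public/" in path.lower()
        reasons = []
        if anonymous:
            reasons.append("reachable without authentication")
        if unused:
            reasons.append("no business scenario recorded: disable")
        if reasons:
            severity = "high" if anonymous and unused else "medium"
            findings.append((path, severity, reasons))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[1]], f[0]))


if __name__ == "__main__":
    for path, severity, reasons in audit_services(SAMPLE_INVENTORY):
        print(f"{severity:6} {path}: {'; '.join(reasons)}")
```

Running the audit on every inventory refresh and comparing the findings with the previous run shows when a new unauthenticated or unowned service has appeared.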
There is no superhero coming to take ownership of your cybersecurity enigma. If you think that out-of-the-box SAP cybersecurity is enough—think again. According to the University of North Georgia, “Since 2013, 3,809,448 records have been stolen from breaches every day. 158,727 per hour, 2,645 per minute, and 44 every second of every day.”
SAP systems are among the world’s most interconnected data warehouses touching every part of an organization, and need special attention regarding cybersecurity. If a company lacks the in-house expertise to help mitigate risks, an SAP MSP is the next best resource. SAP MSPs bring a high level of cybersecurity acumen at a predictable cost.
Christoph Nagy has 20 years of working experience within the SAP industry. He has utilized this knowledge as a founding member and CEO at SecurityBridge–a global SAP security provider, serving many of the world’s leading brands and now operating in the U.S. Through his efforts, the SecurityBridge Platform for SAP has become renowned as a strategic security solution for automated analysis of SAP security settings, and detection of cyber-attacks in real-time. Prior to SecurityBridge, Nagy applied his skills as an SAP technology consultant at Adidas and Audi.