Secure and Compliant Cloud Services to Increase Customer Trust: Introducing SAP’s New Chief Security Compliance & Risk Officer
SAP has gone through a significant transformation in recent years. Despite earlier cloud acquisitions, SAP in 2018 was still primarily focused on on-premise software for the core solutions in its portfolio. 5 years later, SAP is among the top 5 fastest growing global cloud services providers.
SAP Global Security (SGS), the organization that centrally manages security for the company, went through a similar transformation over this period. In 2018, the organization was primarily focused on product security. During the tenure of Chief Security Officer Tim McKnight, the security organization moved under the Chief Financial Officer to ensure that security risks were established as business risks. Among other things, this started the implementation of the NIST Cyber Security Framework (CSF) to structure our security programs and of the FAIR quantitative risk management methodology. 2019 also saw the start of programs to secure SAP’s cloud infrastructure.
In October 2020, SAP announced the Next Generation Cloud Delivery program to move all solutions into either SAP’s public cloud or private cloud landscape. This was followed in January 2021 by the launch of RISE with SAP. SGS moved to the Office of the CEO to establish security as an executive board priority, both to secure the accelerated move to the cloud and to help marshal resources across the organization. By the end of Tim McKnight’s leadership, the cloud landscape had grown to 9 times its initial size.
SAP Global Security & Cloud Compliance
Any leadership change is an opportunity to review strategy and direction. On October 1, the security organization was renamed SAP Global Security & Cloud Compliance (SGSC) and placed under the co-leadership of Chief Security Officer Sebastian Lange and Chief Security Compliance and Risk Officer Marielle Ehrmann. The goal is to embed security and compliance into engineering and operations, using what has worked well in the past five years as the model for the areas where we still need to improve. This co-leadership reflects the importance of the first two of the three key pillars of our security strategy:
- Secure Cloud Services to protect customer business operations
- Compliant Cloud Services to meet external regulations
- Trusted Cloud Services to help customers win
They set out an approach that builds upon the model established by our most successful security programs of the last five years, working in close collaboration with the security teams across the various business units. These include cloud infrastructure security compliance (Cloud Security Posture Management, or CSPM) and vulnerability management, which already operate this way. These five execution principles will allow us to scale security and compliance across the organization:
- Shift-left, to get as close to the source of risk as possible
- Cloud First, with cloud-native central security and compliance services
- Customer-centric, always aware of the needs of external and internal customers
- Data-centric, for measurable and effective security and compliance outcomes and visibility
- Automation of processes and controls
The focus on engineering – with security and compliance firmly established as executive board priorities – means bringing security and compliance closer to the engineering teams. Hence, the new SGSC organization will report to Chief Technology Officer Juergen Mueller.
With the transition from software vendor to cloud service provider, our responsibilities to our customers change dramatically. As customers move to the cloud, the ownership of many security and compliance controls transfers to SAP. Since many of our customers are subject to audit attestations, it is imperative that SAP meets ours.
In the rush to secure the rapid cloud transformation, increasingly complex mutual dependencies arose between different teams throughout the organization. Policies and compliance processes didn’t always keep up with the speed of growth, posing operational challenges for teams already under pressure.
To reflect the importance of compliance as a business risk alongside security, Chief Security Compliance and Risk Officer Marielle Ehrmann was appointed to lead the compliance transformation. With a decade of experience at SAP, Marielle is well equipped to drive change through the business units to ensure that these challenges are rectified.
Streamlining existing processes is a start, but we’ll go further. By embedding compliance controls directly into platforms and services, we make them self-auditing and automate control testing. That relieves operational burden, provides greater transparency about where gaps may exist, and allows teams to focus on remediation rather than on manual evidence collection and checklists. Only through such self-attesting automation can we continue to scale compliance.
This is even more important in a tightening regulatory climate in Europe, North America, the Middle East, Asia, and Oceania. New regulation is already in place, but more is coming into effect in 2025, while other proposals are still being debated. SAP and our customers operate globally and are therefore subject to an increasingly complex set of compliance requirements. This climate drives further urgency.
Building Trust Through Greater Transparency
That brings us to the third pillar of our security strategy: Trusted Cloud Services. It is not enough to be secure and compliant. We have to explain how we achieve that. In the past, we have defaulted to only sharing what we must. That left customers only with information contained in audit reports. However, customer security and compliance teams expect more from us.
There is an ongoing evolution in the relationship between cloud providers and their customers when it comes to the security of cloud landscapes. It started with the Shared Responsibility model, in which there is a clear separation between the security responsibilities of the cloud provider and those of the customer. Over time, recognizing that customers were struggling with their responsibilities, the cloud industry started to turn to a Shared Fate model. In this model, cloud providers recognize their responsibility to support their customers in running in a compliant fashion, for instance through more secure-by-default service configurations or Sovereign Cloud options.
SAP takes this further with Shared Faith. Given how critical SAP solutions are to our customers’ business operations, we have a responsibility to show them how we, as their cloud provider, meet compliance. We therefore plan to work towards giving our customers greater visibility into the compliant operation of our cloud services. Our new goal is to be transparent and to withhold information only if releasing it would increase security risks to our customers and SAP.
This is a significant cultural change for the organization and will not be achieved overnight. Blog posts like this one have been an early start, sharing how SAP went through its own cloud transformation. We are now working on concrete projects to bring greater transparency into our security and compliance processes and operations, and on a two-year road map. It is too soon to go into details, but expect meaningful changes already in 2024.
The following resources provide more insight into SAP’s security strategy and the Shared Faith concept.
- Managing Security Risks and Cyber Resilience – How SAP Protects our Customers in the Cloud (YouTube)
- Shared Responsibility, Shared Fate, and Shared Faith: An Evolution in Trust in Cloud Services (SAP Blogs)
- EP145 Cloud Security: Shared Responsibility, Shared Fate, Shared Faith? (Cloud Security Podcast by Google)