The ERP Security Challenge
In a rare interview, SAP’s Sachar Paulus talks about how the ERP software giant secures the software that may very well be your business’s backbone.
By Katherine Walsh
January 08, 2008 — CSO — Until June, Paulus was CSO, responsible for IT, physical and organizational security at the $12 billion German company known for its enterprise resource planning (ERP) software. Now, he’s SVP of product and security governance, and as such is responsible for security strategy for all products. New threats, increasing complexity and emerging regulations have increased the importance of security on all fronts. Despite the high stakes, though, Paulus is not in the spotlight in the United States and does few interviews. CSO’s Katherine Walsh recently talked with him about SAP’s security strategy, global compliance issues, and how he stays on top of it all.
CSO: What is the current state of IT security in businesses and organizations?
Sachar Paulus: The weakest link is still people. As good as IT measures and technologies can be, the biggest problems occur wherever technology comes into contact with people who need to administer, manage or even use IT security functionality. One of the best examples is related to protecting confidential information over the Internet using e-mail encryption. Existing tools are still too cumbersome for people to actually use them the right way. Many people use encryption but then send the password for the encryption in the same e-mail, so what’s the use?
CSO: Can you elaborate on how the security function at SAP has transformed, and how it continues to evolve?
Paulus: From a corporate standpoint there are two things happening at SAP: One is to extend the use of IT security competencies into other areas of the business. IT security is moving away from being mainly driven by the IT organization, where the availability of the network and the information were top priorities in terms of security. Now, largely due to compliance requirements like Sarbanes-Oxley, integrity and confidentiality of information are more relevant and important. The CFO is looking into these types of activities, and in most cases he is the one responsible for managing the compliance activities of the organization.
From a product perspective, security is a little more difficult. Years ago at SAP we had ways of managing complex authorizations for complex business systems. That’s something that requires additional expertise beyond the ERP system itself. There were few companies under the IT security label with that kind of expertise, but there was no big dema