How To Talk to Your Board About SAP Security: Three Tips From Former Google CISO

I recently sat down with Gerhard Eschelbeck to answer three questions on how to talk to your board about the importance of ERP application security, and how to address the questions they might have about its importance and your security posture.

Gerhard is the former CISO of Google and has extensive experience in the cybersecurity and technology industries. He joined Onapsis as an independent Board member in 2019, after seeing the widespread need for a solution that protects ERP systems and other business applications. 

How does our security posture or risk scoring compare with our peers?

Gerhard Eschelbeck: I have seen this question asked and, of course, I have asked it myself as a board member at certain organizations. Another common question, at a high level, is: “How secure are we?” The most important thing as a security practitioner is to remember that there can be a gap between the knowledge and language used by the board and by the folks within the security function. The NIST Cybersecurity Framework can be helpful here, as it is a common framework used by many organizations to assess security posture. Alignment to a cybersecurity framework can help organizations assess and improve their ability to prevent, detect, and respond to cyberattacks. The goal of the NIST framework is to use business drivers to guide cybersecurity activities, and to consider and include cybersecurity risks as part of the organization’s overall risk management process.

Another thing that I highly encourage is working with your CISO peers when it comes to determining industry measurements. In my past roles, I leaned on and spent a lot of time cultivating and collaborating on challenges and measurements of cybersecurity programs. 

How can I get the organization to move on security initiatives given all other priorities across the business?

Eschelbeck: Security teams and DevOps teams need to be tightly aligned and be their own advocates here. That being said, this is absolutely a common challenge, especially given the economic climate, in which teams are being asked to do more with less. One of the things that I found valuable was to communicate regularly with the peer teams that are getting the work done in terms of resolution. Creating a monthly communication that shares the state of security projects and priorities, those that are done, in progress, and not progressing, gives transparency across the business and keeps security projects in mind.

How do we educate our board on the relevance of protecting business applications? What are some best practices or recommendations?

Eschelbeck: Education is essential. When it comes to educating the board, here are some things you can do personally on your side. I have even seen companies conduct cyberattack simulations with their board toward the end of the fiscal year, when budgets are in review. This keeps security top of mind when considering budget approval for the coming year. Making the impact real, quantitative, and personal is the best way to show the importance of ERP security to the board. Showing the impact and how it is going to be fixed with a given solution is key.

Translating and highlighting relevant, newsworthy examples can also help reiterate the importance of protecting your SAP and Oracle applications. Making it personal and showing how it impacts us is also very key.

To learn more about protecting ERP applications, view our on-demand webinar here.