Reflections on RSA: Business-Critical Applications Are Still in a Cybersecurity Blindspot

One of the first questions I always ask people when they approach our booth at trade shows is, “are you running SAP or Oracle E-Business Suite (EBS)?” At RSA, I would say maybe eight of ten times the response was, “I don’t know” or “yes, but that has nothing to do with me.” Now, to be fair, RSA is a fairly broad conference, likewise for infosec itself. It’s not fair or practical for every person to cover every system or topic related to the space.

However, I find once you start talking through ERP systems and what these business-critical applications mean for an organization—they’re the engine behind your most essential functions and typically process the most important and regulated data—that starts to get people’s attention. Especially those who thought, “not my problem; that’s managed by IT.” 

This highlights a trend we’ve been talking about for years now—ERP systems are a cybersecurity blindspot, leaving your most important data and applications unprotected. Our very own Jason Frugé, Vice President of Business Application Cybersecurity and former CISO of Fossil, sums it up perfectly here

“Here’s my most important application. I have zero security controls that apply to it. It’s becoming hacked more often, and my attack surface is taking off. That’s the story that should get a CISO to go ‘wow, I need to do something about this’.”

Exposing the Blindspot and Removing the Blinders

If this has your radar up and you want to learn more, check out the following resources also from RSA for more on how you can build a security program to protect your business-critical applications. 

CISO Roundtable

During the conference, Jason Frugé led an interactive panel discussion: Addressing Risk, Cloud And The Applications That Run Your Business. Featuring a mix of current and former CISOs (from companies like Procter and Gamble, Levi’s and Google) and our partner Accenture, the session focused on how to be cyber-ready as business-critical applications are modernized and migrated to the cloud.

Insights from the experts included:

  • Focus on where the biggest risks are. If you chase IT to fix every little thing, you’ll get ignored.
  • It is critical that you work the business and other departments. How can you be an enabler versus a roadblock?
  • Both IT and InfoSec need to be focused on the needs of the business. 
  • Transformation and modernization are a challenge, but the earlier you can get InfoSec involved, the better. Also, it will be easier if Information Security is data-based and risk-focused.
  • Plus, real-life examples of how they handled transformation projects themselves (both the good and the bad!). 

For more real-world examples of how companies are protecting their business-critical applications and preparing for modernization projects, check out some of our recent case studies:

View the rest of our case studies here

RSA Session: Protecting Business-critical Applications from Increasing Risks

Our CTO, Juan Pablo (JP) Perez-Etchegoyen, led a session that provided a great overview of this topic. Business-critical applications represent a massive attack surface with very specific vulnerabilities to be addressed. The session covered the most common vulnerabilities along with direction on how security professionals can monitor and manage these risks. 

Lucky for you, we are re-running this session as a webinar on March 26! This gives you the opportunity to ask questions directly to JP. 

Register for the webinar here.

Jason Frugé Interview with Dark Reading

Jason’s dropping more wisdom on you, this time with a quick ten-minute interview with Terry Sweeney from Dark Reading. Highlights include:

  • Moving to the cloud: there’s an illusion that moving to the cloud means shifting responsibility for security to the service provider. In reality, this is on the application and data owner, which is your organization.
  • Biggest mistakes he sees from organizations working to modernize security of their applications: In addition to the confusion over the shared security model; many organizations focus too much on cost savings and neglecting compensating controls. That is, they get excited when moving to the cloud saves them some money, but don’t realize this money should instead be dedicated to putting appropriate security controls in place. 
  • Security “shifting left” in application development: Gone are the days of having weeks to find and fix code issues before it goes into production. Now, code moves to productions daily if not multiple times a day. This means you need real-time security in checks in place that can be built into the development process, allowing developers to efficiently create secure code without delaying application delivery.  

Watch the interview here.

Thank you to those who you interacted with Onapsis at RSA! To learn more about protecting your business-critical applications, we encourage you to visit www.onapsis.com. We also offer a complimentary Business Risk Illustration, an assessment of your ERP system that will gauge your security and compliance risk posture.