Christiansborg Slotsplads in a cold and wet Copenhagen
One of the best parts of this year has been the return of customer-facing events. How much I appreciate the opportunity to speak at conferences and share our experience, I like even more to hear from peers and customers. What they are doing, what they are working through, and where they are in their digital and cloud transformation.
I was at AWS Summit Berlin in early May, which predictably was a very cloudy affair but not exactly in the SAP ecosystem. MasteringSAP in Melbourne, Australia in June gave a good impression of the customer base in Australia and New Zealand. Being an equivalent event, SAPinsider EMEA 2023 in Copenhagen last week offered a fascinating chance to compare regional differences, moods and trends.
Both MasteringSAP and SAPinsider EMEA had a special Cybersecurity track of sessions on the schedule. At both events, the show floor had many exhibitors offering security and compliance solutions relevant to SAP customers. That already visibly gave an indication of the importance of the topic.
The tightening regulatory climate was a key topic of conversation in both regions. In Melbourne, each customer touched on the SOCI Act and the Essential Eight. In Copenhagen, it was EU regulation such as NIS2. Both regions have a large public sector and many regulated industries. Both have data residency and privacy concerns.
The challenges in keeping core SAP systems up-to-date are well known in the ecosystem and not unique to a particular region. Facing increasing cyber threats and stricter compliance regimes, security teams are understaffed and overworked. Many still struggle to be heard by their business leaders. We are all in an uncertain business climate, and organizations are all somewhere along a digital transformation journey, including migrations to S/4 HANA. Much effort is spent on organizational change and buy-in to do what is necessary, while trying to keep up with the need of the business to move faster.
There were significant differences, though, in how these common security and compliance concerns were discussed and how they impacted their digital transformation. At the chance of sounding obvious, I found real Old World and New World contrasts.
Digital Vs Cyber Physical
Growing up in Europe and crossing borders was easy. During the 20+ years I’ve lived in California that has only become easier, and most attendees despite a very international crowd were only a few hours travel from home. In Australia, cyber physical aspects brought on by geographical constraints played a large factor. In Europe that was almost entirely absent. The focus in Copenhagen was on systems and data, roles and authorizations, patching and custom code.
But it also reflected the different stages in cloud transformation. My surprise in Melbourne was how enthusiastically the region was embracing cloud. Customers thus naturally were more concerned about the cyber resilience of SAP’s cloud services. In Europe, attendees were far more likely to run on-premise, with a large part of the landscape still on SAP ECC 6. The customer focus was instead on how to run their SAP systems more secure and compliant themselves – with or without a third party service provider.
Building the New Within the Old Vs Raze and Replace
Growing up close to Amsterdam, I am familiar with how Europe builds the new within the shell of the old. Copenhagen’s city scape is an example of this. From the restoration and repurposing of old buildings into museums, stores or office buildings, to the integration of modern infrastructure into old squares, roads and cobble stone canal streets. New designs are intermixed with old houses, palaces, and places of worship from different eras.
The United States – and especially the West – isn’t like that. Australia isn’t either. There is far more of a tendency to knock the old to the ground and build something new.
How enthusiastically Australia embraced the cloud, how ever reluctant Europe appeared to be. I don’t mean this as a criticism. The European approach makes its cities often more attractive and livable, and more easily manageable on foot. That aside, it takes its own skill and ingenuity to build the new within the old. We all have to deal with legacy systems and ensure that business operations are not impacted. SAP systems are integrated with other critical systems, and changes have cascading downstream effects that we all understand.
Teams showed off innovative approaches in managing their challenges, the needs of the business, and business continuity. Some of my favorite sessions in the conference were from customers describing their DevOps approach to manage Enterprise Threat Detection findings, Security Notes, upgrades or custom code scanning, across large numbers of SAP systems across different business units and functions in their organizations. Their use of automation was no less sophisticated and mature than many cloud-native pipelines.
But they were optimizing for systems with an end of life that is coming up soon.
Many customers were already on S/4 HANA with at least some systems. Some were on RISE, and others were in the cloud with other third party providers. But the default was on-premise with an estate of various ECC 6 systems in the landscape, and often still contemplating their path forward. Regardless of migration journey, there was a reluctance to cloud that was remarkable. Especially, since many of the reasons given against the cloud were the same arguments Australian and American customers I talk to say they are moving to the cloud for. The most extreme expression of cloud reluctance came from one attendee during a RISE with SAP interactive Café Session: “We can’t go cloud, because of security and compliance reasons“.
I won’t dispute the self-assessment of this particular customer. Perhaps we won’t be able to fully accommodate their particular needs through existing options or SAP’s Sovereign Cloud offering, yet. But organizations in Australia in the public or private sector come to different conclusions than their European peers. Customers moving to RISE or adopting other SAP cloud solutions mention security and compliance as key reasons for doing so.
- (More*) up-to-date systems with the latest Security Notes applied (* depending on cloud service and deployment option; for instance, RISE Private Cloud Edition)
- Operating System and infrastructure updates
- Network configuration, infrastructure management
- Vulnerability scanning
- Security event detection and incident response management
- Recovery and cyber resilience
They can outsource that while focusing on where they can add more value in serving the business. Aside from these, there are often broader, more strategic reasons.
- Reducing data residency complexity through consolidation of systems by jurisdiction (EU, U.S., Australia Japan)
- Keys, secrets and encryption management
- Keeping up with worldwide cybersecurity related legal requirements
When security resources are tight, Euros need to go far, and the pace of the business increases, a re-assessment of the security risks and merits involved in moving to the cloud compared to staying on-premise can be justified. With the 2027 date looming, this may be the best time to do so. Not all cloud security fears are justified. There is investment required to keep up with increasing security threats and upcoming legal requirements. You may not be able to tackle all.
Meanwhile I recognize SAP must do better to explain the security and compliance benefits a move to the cloud brings. I hope I made a contribution to that for those at the conference.
Be the first to comment