Richard Hunt, founder and managing director of Turnkey Consulting, chats with SAPinsider's Ken Murphy about governance, risk, and compliance (GRC) issues and trends important to SAP customers at the close of 2014 and beginning of 2015. Topics include:
- Cybersecurity issues in the spotlight following "The Interview" controversy
- SAP Audit Management
- SAP Access Control 10.1 adoption
- SAP Process Control
- Beginning a GRC roadmap with risk management
Listen to the podcast, and read the full transcript of the conversation here:
Ken Murphy, SAPinsider: Hi, this is Ken Murphy with SAPinsider, and I am pleased to be joined today by Richard Hunt, the founder and Managing Director of Turnkey Consulting and an expert on the topic of data security. Richard is here today to chat with us about data security and some trends and issues that are important to SAP customers in governance, risk, and compliance and security… sort of a year-end GRC wrap-up, if you will. Richard, thanks for joining us.
Richard Hunt, Turnkey Consulting: Hi Ken, thanks for inviting me.
Ken: Curious to start off, first, if you see a lot of customers making the transition to Access Control 10.1, and how are customers transitioning to that new version?
Richard: We’ve seen a lot of customers transitioning to the later versions of GRC over the last couple of years. So 10.0 came out a couple of years back now, and we’ve seen a lot of customers moving on to those ABAP versions of the tool. What I would say is I’ve seen a lot of those customers transitioning as a technical migration initially from the previous Java versions, just to get themselves onto the later version, and then starting to think about how they could use the tools in the wider context with the Process Control and Risk Management capabilities that are in the same landscape now with 10.1 and 10.0. And I think next year I could definitely see even more customers looking at that transition very carefully, because the 5.3 version of GRC, which is the last Java version that was available, is going out of support at the end of next year, so there are quite a lot of customers thinking about that. I think the only other thing I would say on that question is that we are seeing a slight trend in newer customers looking at the GRC tools in a slightly more holistic way: if they haven’t deployed GRC at all in any capacity, thinking about whether they should be looking at all three components at the same time, whether it might make more sense to start with Risk Management, actually, and work down to Access Control, as opposed to the more traditional way of deploying the tools with Access Control first to meet Sarbanes-Oxley requirements, etc.
Ken: That’s interesting. So, I’m curious then if customers are maybe taking that next step in their GRC journey with the adoption of Process Control. And if you can address if there’s any misconceptions over the value that Process Control can bring.
Richard: I think we’ve seen a lot more Process Control projects in 2014. We’ve delivered several this year, and that’s been steadily on the increase over the last couple of years. I think one of the reasons for that is the maturity of the product. I think one of the main reasons is that Process Control, as I said, is on the same landscape now with 10.0 and 10.1 as the Access Control tool, so as customers are moving out of that upgrade of their Access Control tool onto version 10 or 10.1 they’re considering the Process Control tool at the same time. And I think we’ve seen an increased level of maturity in our Process Control customers as well. You’ve described it as a journey, and I think we’re seeing our existing Process Control customers’ maturity increasing: perhaps starting off their Process Control journey using the tool as a controls repository, maybe with a limited set of automated controls, and then perhaps moving beyond that to start to think about how they can optimize their controls and automate as many controls as possible, really stretching the tools to their capabilities. And that’s been an interesting journey for us, getting to really understand the art of the possible with Process Control and really starting to stretch our knowledge of those tools and their full capabilities. In terms of your question around misconceptions of Process Control and the value it can bring, I do think there’s a little bit of that out there. I think the challenge there is that the Process Control tool is actually a very flexible tool. There are quite a lot of ways you can use it, and therefore there isn’t necessarily one specific use case for it. Really, the value it can bring to your organization is dependent on how you’re intending to use it and what your specific gaps are.
I also think that one of the key strengths of the tool is actually around testing controls and as a repository for control testing information, and not every customer quite gets that being its real core strength. A lot of them are more focused on trying to use it to operate controls, which can be done very well in Process Control, but I think the real killer use of it is in the testing of controls.
Ken: Switching gears a little bit, Richard, I’m curious if there’s any significant regulatory changes or compliance issues in 2014 or coming up on the horizon that customers need to account for.
Richard: I’m based in the UK, and specifically in the UK something that I think is quite relevant for next year would be the new guidance on risk management from the Financial Reporting Council, which came out in September this year. I think there’s a lot more very strong guidance in there around how internal controls and risk management practices should be applied at the governance level, and I think that’s going to raise the broad awareness of this area and potentially drive the need for technology solutions in this space. I’m very aware this is not purely around technology. This is around improving risk management. It’s around improving internal controls, and you can do those without technology, but I think the GRC tools will be tools that customers are looking for to give them an edge in improving their alignment with those new regulations—they’re not regulations; it’s what we call “comply or explain.” It’s the rule that UK companies have to apply to that. It basically means that if they don’t comply with the new guidance from the FCA, then they really need to explain why.
Ken: That’s important to know. Also, what general trends are you seeing in the overall GRC and security space, and how they’re important, or how they affect SAP customers?
Richard: Well, actually, today’s quite a topical day to think about that. I think external threats and cybersecurity threats to SAP are on the increase. I don’t know if you saw Newt Gingrich’s comment about the Sony announcement today that they were pulling their film “The Interview”. His comment was pretty strong on this. He sent a Tweet, and I’ll quote: “No one should kid themselves with Sony’s collapse. America’s lost its first cyber war. This is a very, very dangerous precedent.” While this wasn’t SAP-specific by any means, I think with the increase of external entry points to the SAP environment, with the interconnectivity of SAP systems, etc., and with the fact that SAP is a core application for most of the customers that are running it, it is potentially a target from a cybersecurity perspective. So I think the cybersecurity risk to SAP and the risk of external threats are shifting the focus of securing SAP toward, shall we say, securing SAP against external threats more robustly, as well as the internal controls that we’ve always been focused on around segregation of duties, sensitive access, etc. For me that means taking a slightly different approach to how we secure SAP. It means thinking — we call it end-to-end security for SAP — it means thinking about things that you wouldn’t necessarily have focused on in the past: things like the SAP message server and all the various different Web entry points to SAP, and the database security underlying the SAP environment. There are quite a lot more things you need to think about if you really want to secure an SAP system from external threats. Also, I think going forward securing the HANA environments that customers are putting up is quite a key area as well, ensuring that you’ve applied the same level of rigor to your HANA systems as you have to the rest of your SAP environment. As with any new technology, security quite often doesn’t come first in these things.
I think now that a lot of the technical guys have got all of that, most of the bugs, out of the way in terms of getting SAP HANA systems up and running and working functionally, we need to start getting the opportunity from a security perspective to step in and apply the same level of rigor we would do in a normal SAP environment to those HANA systems now.
Ken: Lastly, Richard, I’m curious if you had any parting advice for customers as we head into 2015. Anything in particular that SAP customers should be on the lookout for?
Richard: Well, I think I’d say two things on this. I think, you know, I’ve mentioned the external threat side of things. Two other things, though, I think would be relevant here would be the newer SAP GRC products becoming more mature as products: the Fraud Management and Audit Management modules. I think further integration of those products into the SAP solution, into the SAP GRC suite, and also deployment of SAP GRC on HANA. And then I think finally there is a bit of a call to action in the SAP GRC space for me this year, which is the fact that the 5.3 solution is going out of support at the end of the year. So I think that should be driving a lot of conversations in the SAP GRC space this year, particularly for customers who’ve been using SAP GRC for a while and maybe haven’t really driven value out of that. And I think rather than just purely thinking about upgrading or migrating that to the latest version, just step back and look at what those products are now, because they’re very different from what you would’ve deployed when you deployed the Java version a few years back.
Ken: Again this is Ken Murphy with SAPinsider, and we’ve been chatting with Richard Hunt, the founder and Managing Director of Turnkey Consulting. Richard, we appreciate your insights. Have a great holiday season, and we look forward to connecting with you again next year.
Richard: Thanks, Ken. Have a fantastic Christmas and New Year, and I look forward to seeing you in Vegas if not before. Cheers.