Problem
Security control over critical objects where business data is processed is, unfortunately, frequently left outside the Security team's authority, which weakens the security control that most critical objects demand. Security is most neglected during project deployment, especially if the system owner is part of Senior Management and strict project deadlines have to be met. Even when the need for SAP security measures is recognized, inadequate or missing resources and information about SAP systems often lead to misconfigurations.
SAP security assessment and monitoring is an entirely different ballgame compared with that of other applications such as mail servers or domain controllers. It demands continuous attention if it is to function and protect information as the business expects. SAP is also inherently complex to secure and to keep secure, especially since it is highly customizable and has a long list of parameters available even in a default configuration. The complexity is amplified by the fact that almost every new SAP vulnerability is traditionally fixed by installing an additional option with its own set of parameters, which usually leads to new and complex relations between settings. These make pre-existing settings and their functions even more perplexing, often forcing SAP specialists to work through a long list of manuals to rectify the settings and get the system working.
Hence, the demand for SAP security specialists is enormous and continues to grow. Regrettably, since the technical side of SAP security is immense, hiring an appropriate candidate for the job is a serious challenge.