Relentless threats from increasingly sophisticated attackers. Organized crime and rogue nation-states. Hacktivism and new mechanisms of compromise. Many years ago, the prospect of these security challenges seemed like something out of James Bond. Now I defend organizations from these threats every minute of every day.
Cybersecurity is an endless journey for organizations, including government agencies at the federal, state, city, and county levels. Facing an ever-changing threat landscape, public administrations know they need to protect IT systems and critical infrastructure. Less understood, however, is the need to secure enterprise software applications and solutions.
The data and transactions processed by these applications represent the operational center of many agencies, entities, and organizations. This is especially true in oil and gas, aerospace, defense, public sector, and utilities. Ensuring deep security at the application layer — where data resides and transactions radiate to networks and the endpoints beyond — is a fundamental requirement.
But the vast majority of software companies fail to implement security as an integral component of their applications. Most software offers only the most basic security protections for data and transactions, enabling organized groups and individual actors to easily exploit security weaknesses. In many products, protection is applied as an afterthought — a Band-Aid intended to compensate for a lack of security at the application layer.
Government and business leaders typically are surprised by this. They believe that their collection of security tools will protect their organization from the bad guys and that applications placed behind their firewalls are safe. Nothing could be further from the truth.
The solution to this problem is double-sided. Enterprise software vendors need to employ more mature cybersecurity technologies. And decision makers need to make security a higher priority when choosing and deploying enterprise software.
Because SAP solutions handle the most sensitive data and transactions of more than 300,000 of the world’s largest companies and institutions, we consider security one of our highest priorities. Our focus is on incorporating advanced, threat-based security features in all of our applications.
This approach differs from that of other software vendors whose security features are designed to meet the minimum requirements needed to attain compliance certification. For government and industry regulators, compliance mandates are the only way to raise the bar when it comes to protection. But public sector executives must realize that regulatory compliance is the lowest bar — one that cannot and will not address all of their security concerns.
Instead, IT departments must build out a security strategy, using software that offers enhanced protection out of the box. To stay one step ahead of hackers and bad actors, it’s important to choose vendors that are committed to continuously improving and updating their products.
To help organizations become secure and protected, we aim for the highest bar: targeting the actual threat. Organizations that want to reach beyond compliance should look for enterprise software that includes advanced security features, such as:
• Sophisticated 360-degree correlation analytics across the network, endpoints, applications, and data.
• Real-time incident response and forensics to accelerate detection, limiting the impact of threats.
• Next-generation context- and application-aware firewalls to enhance both protection and performance.
• Deep, machine learning-powered cybersecurity analytics that respond to threats in an adaptive manner.
Focusing on securing critical infrastructures helps ensure they can be defended against both physical and digital threats. In doing so, organizations can protect everything from logistics and operational management to HR systems and vendor interactions.
Protection should also extend to the burgeoning network of Internet of Things (IoT) sensors and devices. In the last few years, we’ve seen customers use IoT security features to keep trains running in Italy, cranes operating in Dubai, and city streets well-lit and safe in Germany.
To stay ahead of the increasing number and variety of threats, we continue incorporating new technology into our solutions. Today we’re exploring new ways to use artificial intelligence and machine learning to identify new or previously unseen attacks. Our upcoming generations of software should be able to identify and prevent attacks from within the application, store data in the cloud, protect it from outside control, and minimize vulnerability across the IT landscape.
As public sector organizations consider transforming their cybersecurity strategies, there are several key steps they should consider.
Take care of the basics. Breaches are more likely when there is a consistent lack of patch management, configuration management, and log analysis.
Implement mechanisms that enhance visibility. Networks are more complex than ever before, with digitalized businesses connected throughout the value chain and executing as one. Security solutions that increase cross-enterprise visibility can help organizations identify and stop malicious activity.
Prioritize ease of use. Traditional security solutions often created hurdles that compromised the protectiveness of the technology. With powerful security features embedded in their applications, organizations can expedite and streamline protection.
Finally, get started identifying the most sensitive data and transactions in your network and know where they reside. By combining enhanced security knowledge with enterprise software that offers security at the application layer, you can better defend your organization against today’s — and tomorrow’s — most difficult threats.
We’re all in this together. And we don’t need James Bond to figure it out. By joining forces to tackle cybersecurity challenges, software vendors and public sector organizations can enable secure IT environments that support your timeless mission of protecting the community, providing services, and helping the economy prosper.
For more information on how you can ensure deep security at the application layer, visit https://www.sap.com/corporate/en/company/security.html
• Justin Somaini heads the SAP Global Security (SGS) team. With more than 20 years of information security experience, he is responsible for SAP’s overall security strategy, ensuring that SAP and our customers have a consistent and convenient security experience and establishing SAP as a recognized and trusted leader in the industry. In his role Justin is accountable for three core domains — Physical Security, Product Security, and Enterprise Security — for all of SAP.
Copyright © 2018 The Washington Times, LLC.