With a lot of companies implementing SAP S/4HANA in the coming years different strategies are beginning to show.
We see a group of businesses for whom the migration is primarily viewed as a technical upgrade of functionality. They have no strategic business drivers but simply need to shift to the latest version of SAP before maintenance and support for their current installation expires in 2027.
Then we see another group of businesses using SAP S/4HANA as a catalyst for digital transformation by integrating business processes and data on a single, seamless platform to create competitive strength in the market.
No matter the objective of a SAP S/4HANA implementation our key message is the same: You can mitigate risk and dramatically reduce costs by integrating security models and demands during the design and implementation phases. If you wait and address security issues when they occur, costs will go up, and more importantly your business will be highly exposed to security breaches.
A reactive approach more than doubles the cost
There are different reasons why security matters are being deprioritized in large implementation projects such as SAP S/4HANA.
Sometimes it has to do with budget concerns; if top management does not insist on keeping IT security in scope, the cost of security is a chunk that can be carved out to slim down the overall budget and smoothen the decision-making process.
Sometimes – most frequently in technical upgrades – performing a risk assessment on the new ERP system is simply forgotten. Which from a top management perspective shouldn’t be acceptable. SAP S/4HANA is a cloud enabled platform with integrations to a wide range of business applications that can be accessed via a browser from devices and users all over the world. That’s a whole different kind of IT complexity compared to the traditional SAP installation many companies are migrating from.
If security is not invited to the opening round table discussion, the lack of adequate security measures will come back to haunt the organization later.
A report shows that proactively embedding security including, but not limited to, access rights, proper security configuration, secure integrations, internal controls (IT and business) and more sophisticated security like vulnerability management and Detect & Respond cost approximately 10% of a SAP S/4HANA migration project. That’s not peanuts. But if you don’t include security in the initial phases, the cost for making reactive security adjustments will be significantly higher. For instance, in the aftermath of a cyberattack or an audit, or if you for strategic reasons need to comply with certain security frameworks later.
Planning for the future
Let us be clear. There is nothing wrong with performing a technical upgrade from an old version of SAP to SAP S/4HANA. That kind of shift can make sense for a lot of businesses. But even a simpler scope of a SAP migration project still requires that a risk assessment and adequate security measures are an integral part of the project. The nature of the new system demands it. Companies who use the shift to SAP S/4HANA as part of a large transformation process know this, and they use their holistic approach to integrate risk and security in their new business model.
Large or small organization, technical upgrade or transformation process, the task is the same: When you design security for a fully integrated digital business platform like SAP S/4HANA you need to take different things in account: What kind of data, systems and processes do you have today? How will SAP S/4HANA change that landscape – for example which old applications will be shut down because of the migration, and how will data flows be affected? Which new integrations can be built between SAP S/4HANA and your different business applications? How are these integrations managed and protected? What kind of internal and external rules, regulations and legislation does the company need to comply with, and how will that affect the digital capabilities across the organization?
Answering these questions in advance will not only save you money and mitigate risks; it will also leave you with a more future-proof ERP platform. Who knows what strategy you will follow in the years to come? Maybe you decide to enter a new market, maybe you need to add production facilities in the Far East, or maybe it’s time to integrate a new web portal in your SAP platform? No matter the requirements or business needs. If the foundation is not built properly, it will eventually crack when more layers are added.