Posted: 10 Sep. 2024 | 3 min reading time

Ownership & Governance

Cybersecurity and Privacy Matter in S/4HANA Projects

This blog is part of our Nordic blog series, "Why cybersecurity and privacy matter in S/4HANA projects". Explore other blog posts from this series here:
Part 1 - Setting the scene
Part 2 - Know your data
Part 3 - Ownership & governance
Part 4 - Access management & available tools
Part 5 - Security hardening, monitoring & available tools
____

A well-thought-out SAP Cyber governance framework is the foundation that every organization should establish before beginning their digital transformation journey. This ensures that cybersecurity and privacy are intentionally integrated into the business processes, safeguarding critical assets, data, and regulatory compliance throughout the S/4HANA program's lifecycle. Effective governance and leadership responsibility are crucial throughout the transformation—before, during, and after S/4HANA implementation—helping organizations secure sensitive information and maintain compliance. By establishing strong ownership of the cyber program, organizations can align their efforts with broader business objectives and adapt to evolving risks.

Identifying Key Indicators for Cybersecurity and Privacy

An important first step in a transformation program is establishing a clear structure for identifying and monitoring cybersecurity and privacy metrics. This process involves several key steps:

  • Define Strategic Objectives: Begin by outlining the security and privacy goals that align with the organization's overall vision for transformation. These objectives should focus on data protection, compliance, and mitigating cyber risks throughout the S/4HANA program.
  • Define Cross-Functional KPIs: Develop key performance indicators (KPIs) that monitor both security and privacy performance. These KPIs should be informed by past data (e.g., security breaches) and forward-looking measures (e.g., potential segregation-of-duties (SoD) conflicts). The goal is to maintain visibility into the organization's security and privacy posture.
  • Involve Relevant Stakeholders: Engage key stakeholders, including the internal controls team, IT leadership, and the Chief Information Security Officer (CISO), to ensure that cybersecurity and privacy metrics are monitored and aligned with the organization's objectives.

Once these indicators and stakeholders are identified, it's crucial to ensure that cybersecurity and privacy policies remain adaptable to emerging threats and changing technologies. By following these steps, organizations ensure that governance of cybersecurity and privacy remains robust, fostering trust in their ability to protect data. Ownership of cybersecurity and privacy must align with strategic goals and daily operations, ensuring stakeholders understand their roles.


Adapting Policies and Procedures

A key component of a solid cybersecurity and privacy governance framework is the ability to adapt policies and procedures as technology evolves and new cyber threats emerge. These policies must align with both strategic goals and day-to-day operations to safeguard sensitive data. Regular updates to the cybersecurity framework help organizations stay proactive against threats, while governance structures ensure clear responsibility for privacy and security.


Embedding Frameworks within S/4HANA Projects

Established cybersecurity frameworks help organizations adopt industry standards and best practices, which are essential for effective risk management. Organizations should implement structured policies, clear responsibilities, and comprehensive risk management strategies. Leveraging Deloitte's SAP Security & Controls Framework provides a solid foundation for managing cybersecurity risks. This framework is tailored to specific organizational needs, ensuring best practices and compliance with industry regulations.


Building an Effective Cyber Governance Framework

Creating a robust cybersecurity governance framework involves several key steps:

  • Vision and Roadmap: Define your organization’s vision for cybersecurity and privacy, ensuring this vision aligns with broader strategic goals. This alignment ensures that security initiatives support business growth while protecting sensitive information. The roadmap should outline milestones, timelines, and the resources needed to achieve these goals.
  • Risk Management Structure: Establish a proactive risk management approach that identifies threats, implements mitigation measures, and continuously monitors control effectiveness. This approach is critical in managing privacy risks and addressing potential threats in an S/4HANA environment.
  • Organizational Structure and Talent: Ensure the organizational structure for cybersecurity and privacy is aligned, with policies regularly updated to address emerging threats. Building a well-structured team with the right expertise ensures resilience in cybersecurity governance.
  • Communication and Metrics: Ensure that all stakeholders are informed of policy changes, and use metrics to monitor cybersecurity and privacy performance. This approach helps organizations manage risks proactively while keeping everyone engaged in maintaining security.
  • Clear Accountability: Clearly define roles and responsibilities within the cybersecurity framework, especially as organizations navigate cloud environments and complex systems like S/4HANA. This ensures transparency and distributed accountability for both security and privacy.


Fostering Growth and Innovation through Governance

A strong governance framework not only protects against risks but also enables innovation and growth. As businesses scale their operations in increasingly digital environments, cybersecurity and privacy measures must evolve alongside them. By integrating these controls into business processes, organizations can embrace innovation while maintaining a secure environment.


Conclusion

Ensuring cybersecurity and privacy in S/4HANA projects requires a holistic and integrated approach that prioritizes governance, clear ownership, and continuous adaptation. By leveraging established frameworks and evolving policies in line with technology advancements, organizations can build a resilient security posture. Governance structures that align with business objectives ensure that security is a shared responsibility across the organization.

Ultimately, this approach enables organizations to mitigate risks, protect sensitive data, and support long-term growth. By taking proactive steps to define responsibilities, engage stakeholders, and embrace innovation, businesses can confidently navigate their S/4HANA transformation while maintaining a strong cybersecurity and privacy framework.

___
Authors:

Gerard Ward

Get in touch with our team

Reach out to your local S/4HANA & cybersecurity contact:

Finland & Denmark

Jouni Viljanen


Operational Risk Leader

Jouni leads Deloitte Finland's operational risk management services. His special expertise is leveraging technology and analytics in organizations' risk management and internal control. He also has long experience in IT risk management and in auditing IT control environments and information security as part of internal and external audits. Briefly in English: Jouni works as a partner in Operational Risk services at Deloitte Finland. His special expertise is leveraging modern technology and analytics in Risk Management and Internal Controls. He has long experience in risk management and in leading audits of IT controls and IT security as part of external and internal audits.

Anh Nguyen


Partner

Anh is part of the technology-enabled GRC team, focusing on business-driven transformations from an Internal Controls and Compliance perspective. He has extensive experience designing and optimizing Risk Management processes and frameworks, including managing business impact and change management. Anh specializes in technology-enabled optimization that incorporates innovation into transformation projects, turning risks into competitive advantage.

Norway & Sweden

Erling Pettersen Hessvik


Partner

Erling is a partner in Risk Advisory and helps our clients manage technology risk and cybersecurity.

Peter Ostlund


Partner

Peter Östlund is a Partner within Risk Advisory. He is responsible for our IT Risk and Assurance services. He has many years of experience working with IT and cyber risks, information security, IT audit and third-party assurance reports. Peter holds a master's degree in Computer Science and a bachelor's degree in Business Administration from Uppsala University, Sweden.