There are a few definitions of digital trust out there, so I won’t create a new one. Instead, I’ll simply refer to PwC’s, which I think is very clear and straightforward: “the level of confidence in people, processes, and technology to build a secure digital world.”
As a matter of fact, there are so many questions about this topic, what it means, and how to address it that we decided to make it the theme of the first International SAP Conference on Application and Information Security coming up November 13 and 14 in Amsterdam.
Knowing what it is, though, doesn’t really help in knowing how to address it. Let me try and suggest a few options.
Start with governance and risk management
To me, this is the first step: documenting the processes and then identifying the risks that could manifest if there are any deviations in the process or if the process has flaws.
To reduce the likelihood of the risks, process owners would then document controls that can be assessed manually and regularly – or, better still, be connected to the source systems and run automatically. What’s great about automated controls is that the only effort is in the original design and setup. Once this is done, the company can move to a “manage by exception” approach, where control owners need to look only when a control has raised an issue.
Instead of creating new controls, though, I strongly suggest reviewing what’s already in place. Indeed, some reports state that over 40% of financial compliance-type requirements relate to IT controls (like the IT general controls for SOX). Why not reuse these instead of creating new ones that could very well be duplicates?
Let’s not forget, of course, to lower the impact of the risks as well. Where controls reduce the likelihood, action plans and other risk-response strategies help mitigate the impact should a risk materialize.
Finally, raising awareness via a sound risk culture should be included in this phase. Here, the intent is to ensure that all stakeholders (employees, contractors, etc.) acknowledge and understand the policies in place and respect them. In a sense, this acts as a proactive human firewall.
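The “manage by exception” idea above is easiest to see in code. The following is an added example, not code from the original post or from SAP: two automated controls (a segregation-of-duties check and an approval-threshold check) run over a constructed extract of purchase-order postings and return only the exceptions a control owner would need to look at. The record layout, user names, document numbers and the 10,000 threshold are all assumptions made for the illustration.

```python
"""Automated controls run against a source-system extract, reporting exceptions only.

Added example (not from the original post or SAP). Records, users and the
approval threshold are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Posting:
    doc: str       # document id (constructed)
    user: str      # user who performed the step
    step: str      # "create" or "approve"
    amount: float  # document amount


# Constructed sample: what an extract from a purchasing system might look like.
SAMPLE_POSTINGS = [
    Posting("PO-1001", "alice", "create", 4200.0),
    Posting("PO-1001", "bob", "approve", 4200.0),
    Posting("PO-1002", "carol", "create", 15000.0),
    Posting("PO-1002", "carol", "approve", 15000.0),  # creator approved own document
    Posting("PO-1003", "dave", "create", 900.0),       # unapproved, but below threshold
    Posting("PO-1004", "erin", "create", 12000.0),     # unapproved and above threshold
]

APPROVAL_THRESHOLD = 10000.0  # assumed policy value


def _group_by_document(postings):
    """Index each document's steps by step name."""
    by_doc = defaultdict(dict)
    for p in postings:
        by_doc[p.doc][p.step] = p
    return by_doc


def sod_control(postings):
    """SOD-01: the person who created a document must not also approve it."""
    findings = []
    for doc, steps in sorted(_group_by_document(postings).items()):
        created, approved = steps.get("create"), steps.get("approve")
        if created and approved and created.user == approved.user:
            findings.append({"doc": doc, "user": created.user, "amount": created.amount})
    return findings


def approval_control(postings):
    """APPR-01: documents at or above the threshold must carry an approval step."""
    findings = []
    for doc, steps in sorted(_group_by_document(postings).items()):
        created = steps.get("create")
        if created and created.amount >= APPROVAL_THRESHOLD and "approve" not in steps:
            findings.append({"doc": doc, "user": created.user, "amount": created.amount})
    return findings


# The control catalogue: add a new (id, function) pair to add a control.
CONTROLS = [("SOD-01", sod_control), ("APPR-01", approval_control)]


def run_controls(postings, controls=CONTROLS):
    """Run every control; the result is the exception list, nothing else."""
    exceptions = []
    for control_id, check in controls:
        for finding in check(postings):
            exceptions.append({"control": control_id, **finding})
    return exceptions


if __name__ == "__main__":
    for e in run_controls(SAMPLE_POSTINGS):
        print(f'{e["control"]}: {e["doc"]} by {e["user"]} ({e["amount"]:.2f})')
```

A scheduled run of `run_controls` over each day’s extract is the whole operating cost of these controls once designed; an empty list means no one needs to act, and anything else is routed to the control owner. Reusing an existing IT general control here, rather than writing a new one, is simply a matter of adding its check function to `CONTROLS`.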
Go for application security
Controls are great and necessary to ensure that a process functions as designed. But they act after the fact. What most security departments – and company executives – are asking for today is to bring reaction time down to real time when an issue occurs and, where possible, to remove the driver of the risk or the security incident altogether. The quicker you catch it, the less damage can be done. Here’s where application security plays a big role.
By monitoring both business transactions and security risks in parallel, companies can detect anomalies earlier and reduce the losses they could incur, or even avoid them.
Take it as a mix between NCIS and Criminal Minds, where you combine activity monitoring and behavioral analysis to correlate actions by users and machines across different systems and highlight outliers that need to be investigated.
Results of these investigations can then be used to determine how to eradicate the root causes directly. Is it by reviewing permissive access rights? Is it by enforcing new field-masking policies?
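To make the “activity monitoring plus behavioral analysis” idea concrete, here is an added example, not code from the original post or from SAP: a security log (successful logons from an identity system) is correlated with a business log (payment transactions from an application) per user, and each transaction is checked against that user’s constructed baseline. Both logs, the users, terminals, amounts, the 8-hour session window and the 3x baseline factor are assumptions made for the illustration; each reason in the output points at a root cause the investigation can then address (an access review, a terminal binding, a payment limit).

```python
"""Cross-system correlation of business transactions with security events.

Added example (not from the original post or SAP). Both logs, the baseline
and the thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Constructed security log: (user, terminal, logon time) from an identity system.
LOGONS = [
    ("alice", "WS-101", "2023-11-13T08:02:00"),
    ("bob",   "WS-205", "2023-11-13T08:30:00"),
    ("carol", "WS-310", "2023-11-13T09:00:00"),
]

# Constructed business log: (user, terminal, action, amount, time) from the application.
TRANSACTIONS = [
    ("alice", "WS-101", "vendor.pay", 1200.0, "2023-11-13T09:15:00"),
    ("alice", "WS-101", "vendor.pay", 1350.0, "2023-11-13T10:40:00"),
    ("bob",   "WS-205", "vendor.pay", 800.0,  "2023-11-13T11:05:00"),
    ("bob",   "WS-999", "vendor.pay", 850.0,  "2023-11-13T11:20:00"),  # terminal without a logon
    ("carol", "WS-310", "vendor.pay", 9500.0, "2023-11-13T12:00:00"),  # far above baseline
    ("dave",  "WS-410", "vendor.pay", 500.0,  "2023-11-13T12:30:00"),  # no logon at all
]

# Constructed per-user history of typical payment amounts (e.g. the last 90 days).
BASELINE = {
    "alice": [1100.0, 1250.0, 1300.0],
    "bob": [700.0, 900.0],
    "carol": [1500.0, 1700.0],
    "dave": [450.0],
}

SESSION_WINDOW = timedelta(hours=8)  # assumed: a logon "covers" the next 8 hours
AMOUNT_FACTOR = 3.0                  # assumed: flag amounts above 3x the user's mean


def _ts(text):
    return datetime.fromisoformat(text)


def correlate(logons, transactions, baseline):
    """Return the transactions that stand out, each with the reasons why."""
    sessions = defaultdict(list)
    for user, terminal, t in logons:
        sessions[user].append((terminal, _ts(t)))

    findings = []
    for user, terminal, action, amount, t in transactions:
        when = _ts(t)
        reasons = []

        # Security context: was there a logon for this user shortly before, and from where?
        active = [s for s in sessions[user] if timedelta(0) <= when - s[1] <= SESSION_WINDOW]
        if not active:
            reasons.append("no logon within session window")
        elif terminal not in {s[0] for s in active}:
            reasons.append(f"terminal {terminal} has no matching logon")

        # Behavioral context: does the amount fit this user's own history?
        history = baseline.get(user)
        if history and amount > AMOUNT_FACTOR * mean(history):
            reasons.append(
                f"amount {amount:.0f} exceeds {AMOUNT_FACTOR:.0f}x baseline mean {mean(history):.0f}"
            )

        if reasons:
            findings.append({"user": user, "action": action, "time": t, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in correlate(LOGONS, TRANSACTIONS, BASELINE):
        print(f'{f["time"]} {f["user"]} {f["action"]}: ' + "; ".join(f["reasons"]))
```

Neither log is suspicious on its own: every transaction in the business log is a valid, authorized action, and every logon in the security log succeeded. The outliers only appear once the two are joined per user, which is the point of monitoring both streams in parallel rather than in separate tools.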
In case you are still wondering if this really applies to all organizations or just major international corporations, let me leave you with a final thought. If data is the new oil, as many say, how do you think shareholders of an oil company would react if the CEO states that they are losing crude oil but that the company is unable to explain how, where, and to whom? The very same applies to information, regardless of the business and its size.
Want to hear more?
If you are interested in hearing more about this topic, have a look at the agenda of the International SAP Conference on Application and Information Security. Please join us to listen to thought leaders in organizations that have started on this path already and will be sharing their insights and experience.
In the meantime, please share your comments on Twitter @TFrenehard.
This article originally appeared on SAP Community and is republished by permission.