Book Review: "SAP Cybersecurity for CISO"

Posted on by Ben Rothke

Noted security guru Bruce Schneier has long made the following observation: if it’s in the news, you don’t have to worry about it. The media obsesses over the one-offs. A small number of tragic vaping-related deaths were covered relentlessly, while exponentially more people died in DUI-related accidents that the media didn’t cover.

In the world of information security, Windows gets all the media coverage. And that is precisely the point Alexander Polyakov addresses in SAP Cybersecurity for CISO (ERPscan 978-1980531043). SAP is found in a majority of the Fortune 500 and is often a critical element that keeps them operating.

Yet far too many firms don’t consider the security implications of SAP. The importance of this can’t be overemphasized, given that the E in ERP stands for Enterprise. And any vulnerabilities or security misconfigurations in SAP will affect the entire organization and supply chain.

Most of the SAP security guides are thousands of pages long. At 275 pages, this book is meant, as the title indicates, to be a high-level guide for CXOs, so they can understand what needs to be done by their direct reports.

SAP is a massive application, actually a monstrosity of one. Built up through more than 70 acquisitions, it is a monster of a program that needs to be tamed, and the book does an excellent job of laying out the jobs that need to be done to tame it.

Polyakov is not a native English speaker, and the writing in the book is a bit rough around the edges at times. But that is easily forgiven, given the importance of the topic and the dearth of useful resources on it.

For those whose responsibilities include SAP and SAP security, this is a book that should be read. After it has been read, it is crucial that there be adequate staff empowered to make the necessary changes to ensure that SAP security is done correctly.

Ben Rothke

Senior Information Security Manager, Tapad

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
