Nowadays, cybersecurity experts no longer debate the value of security and awareness training; the question is which training is needed for whom.
SAP system and user administrators traditionally own the SAP security topic, focusing on identity and access management. There are weeks-long curricula dedicated to these narrow groups of SAP experts.
CISOs try to establish a shared security responsibility model across and within each of the three lines of defense (operations, security, audit) to address today’s threats, where adversaries successfully apply techniques to bypass access control measures.
Step one: Identify which employees within your organization need to be upskilled
Different security frameworks have incorporated advice to train various groups of stakeholders to increase security. However, only a few provide guidance on which roles require what security knowledge, skills, or abilities (KSA) to raise the overall security posture to the intended level. The National Institute of Standards and Technology (NIST) released, with the National Initiative for Cybersecurity Education (NICE), a detailed and continuously maintained framework to close this gap. NICE is a catalog of security KSAs for 52 IT, security, and audit work roles, with an identifier system that education providers, learners, and employers can reference.
Step two: Pinpoint which specific SAP security topics they need to be upskilled on
But applying a framework to train the workforce doesn’t help when it’s uncertain how people interpret their role and what their KSAs actually are. For this purpose, you’ll need to assess the workforce. But who wants to deal with performance measurement cases, interviews, or hour-long, tedious tests? How about an anonymous, lightweight online survey that adapts to the survey taker’s responses and asks only for the information necessary? The security aptitude assessment of the NO MONKEY ADVISORY is a lean approach to assessing the workforce’s KSA and responsibility traits around SAP security. Knowing the weak spots, managers can implement development plans for the relevant work roles and make more specific sourcing decisions. In addition, because we map the OWASP CBAS NO MONKEY Security Matrix, as an application of the NIST Cybersecurity Framework (CSF), to the NICE work roles, the relevance of each learning item to the organization’s SAP cyber defense becomes more transparent.
Step three: Send them to the NO MONKEY Academy for convenient online training options on the hottest SAP security topics
But does it make sense to send your whole workforce to every applicable security training? Indeed, this is rhetorical. Suppose your SOC analyst learns how to detect a password spraying attack against an SAP system, but there are no plans yet to feed your SIEM with SAP logs. This misallocation of resources is not going to help you but rather harm you. SAP application security, like any security target, is a moving one. It makes sense to address it with a maturity concept. If you know where you are and where you want to be, you can find the shortest path to your destination. The OWASP CBAS SAP Security Maturity Model can help you figure out where you want to be. But which training can enable your workforce to become as security competent as needed? In the NO MONKEY ACADEMY, we are starting to reference our security learning content to the NICE roles and KSA levels and to the controls of the SAP Security Maturity Model.
Whether you are a CISO or a learner, we want you to be confident that your efforts to secure your SAP landscape are efficient and meaningful. We’re glad to help as your independent advisor and learning provider.
What Do You Think?
We’re happy to get in touch with you and learn something about your view. Feel free to send us a message.