a global affairs media network

www.diplomaticourier.com

Interview: Steve Lucas, Executive Vice President, Business User Sales, SAP North America

November 21, 2012

What is SAP’s view on current trends in IT?

I think we are at one of the more interesting times in the history of information technology. We are in the midst of three megatrends all coming together – Big Data, mobility and cloud. Throw in the rapidly changing economics of in-memory computing and you have the critical ingredients to radically transform how business and government are done.

What are some of the ways Big Data, mobility, and cloud will transform business?

Mobility and cloud come together to drive optimization in IT processes. They are also massive generators of data, which creates a Big Data opportunity to track new signals. In private industry, we are co-innovating with retail companies and sports franchises that want to use mobility and new signals from Big Data to transform the customer experience. In both government and private industry, we are also seeing organizations use the cloud to share data and collaborate on Big Data projects to stop fraud, waste, and abuse. Each of these megatrends when interconnected can drive huge value for an organization.

Big Data, cloud and mobility also raise security concerns, do they not?

Every technology revolution brought along with it concerns. These technology transformations also raise questions about how information is managed. The technology is ahead of information privacy and security policies. More conversation between government and private industry needs to happen, like the TechAmerica Big Data commission I recently co-chaired.

A hyper-connected world is driving more cybercrime, such as cyberattacks. Do mobile technologies complicate the attribution process in a cyberattack?

More devices = more risk. That’s not a bad thing, just the law of averages. Attribution problems existed before mobile devices. The reality is that today it’s easier to track where a device is because most networked equipment generates detailed logs. Organizations can tap into that information in order to monitor and secure their networks. Smart organizations are going to do this in real-time using in-memory technology, like SAP HANA.

It is believed that the Stuxnet infection originally began with an unfamiliar USB drive plugged into a computer. Given the plethora of devices that can connect to a network (USB, tablets, etc.), how can companies protect against such human error?

Business Process Controls. That is both a software solution and a people/HR solution. I believe that 100 years from now, the biggest risk to data will be the same as it is today--people. It amazes me that agencies, organizations, and companies do not attend to business process controls more.

In the past, data was accessed one way: a PC connecting through a hardwire. Now, highly sensitive data is being collected and transferred through multiple outlets (mobile devices, apps, Wi-Fi, Bluetooth, NFC, etc.). What developments are in the works to protect against exploitation of these avenues of communication?

Data access control solutions have been around for a while, and that is the best approach. Shockingly, most agencies do not invest enough here, compared to their general data management spend. That said, organizations need to make investments in access and process control systems for all the various devices popping up, especially on the mobile front. Apple, Android, Blackberry--all have their unique vulnerabilities, so a universal control program is best. Big Data analytics is going to help.

As processing power of even mobile devices increases, what new infrastructure is being created to battle increasingly powerful brute-force cyberattacks, such as DDoS attacks?

There is no one silver bullet for this. It is a combination of existing network security plus new technologies. Afaria from SAP is exactly that–a new technology for securing multiple mobile devices, controlling application distribution, etc. Attacks will not go away, and frankly, more devices just raise vulnerability. More analysis of information logs tracking those devices can help offset the vulnerability. The march of mobile devices is not going to stop, so investing in new solutions at the data layer, network layer, and device layer makes sense. That said, you cannot just secure the device. You have to secure the network, the database, and the business application as well. SAP knows that and has solutions to address it.

What is the likelihood of U.S. infrastructure being subject to a "firesale," or as Secretary Panetta calls it, a "Cyber Pearl Harbor"?

Pretty low. For any one rogue entity to amass the kind of developer/hacker expertise needed to do so, it would not exactly go unnoticed. The U.S. has the most advanced technology infrastructure of any country in the world. That’s not saying there is not vulnerability in the system or the intent to create a false sense of security. It’s meant to say that we have a good security platform, but it could be better.

What would the recovery time from such an attack be?

That’s difficult to say. There really is not a precedent for that scenario, how broad it would be and on what systems it would unfold. I would hope this never happens. SAP spends hundreds of millions, if not billions of dollars on R&D to secure our database platform products, as well as providing the infrastructure to secure business applications and the devices that access them.

What is being done to minimize the fallout of such an attack?

Be prepared. I am always fascinated how a company can get religious on data security at the people and process level, AFTER they have had a DoS attack or some sort of significant intrusion. Don’t wait for that to happen.

What contingency plans are in place for when a Big Data company fails or goes out of business?

The contingency plans are up to the customer. The best way to minimize that is to make investments in companies, like SAP, that have Big Data solutions and have been around for 40 years.

When companies outsource their IT and data collection, how can they ensure that data is secure?

Organizations can educate themselves on data security standards that exist today. ISO/IEC 27002 outlines information security standards in detail. I like to ask customers, “Have you read this?” If you have outsourced your IT infrastructure to a cloud vendor, it does not mean you have outsourced your liability. Companies have been ‘outsourcing’ the development of software to companies, like SAP, for years. Outsourcing your IT is not different. You need to do your due diligence and be careful to work with vendors you trust. We trust that our IT infrastructure is secure because we have confidence in the vendors we purchase from. Whether you are buying cloud-based services or on-premise solutions, your relationship with the vendor is paramount. At SAP we don’t ever want to break that trust.

Steve Lucas is senior vice president (SVP) of the Business User Sales team for SAP North America. In this position, he leads the sales team that focuses on SAP Business Objects solutions.

As a vice president and general manager with Business Objects, Steve launched and led the company’s “OnDemand” business unit. Prior to that, he managed the Enterprise Information Management group, overseeing the sales of software for data integration and management as well as supporting key acquisitions for Business Objects in the EIM segment. Additionally, he managed partner organizations at Business Objects including the OEM and Distribution businesses. Steve joined Business Objects in 2003, when the company acquired Crystal Decisions.

Steve holds a bachelor’s degree from the University of Colorado and is a published author of several books on business intelligence.

This article was originally published in the Diplomatic Courier's November/December 2012 print edition.

The views presented in this article are the author’s own and do not necessarily represent the views of any other organization.