GRC Predictions: The Critical Shortage of Skilled SAP Security Resources

In a recent episode of the SAP Security & GRC Podcast, hosted by Dudley Cartwright, the focus was on one of the pivotal predictions from Soterion’s GRC Trends Report: the shortage of skilled SAP security resources. The episode featured industry experts Meindert Keuning from BR1GHT and Emile Steyn from Soterion, who provided valuable insights into the causes, impacts, and potential solutions to this pressing issue. Enjoy listening to these discussions on your favourite Podcast app or YouTube, or reading the episode summary below.

The evolution of SAP and the complexity of SAP security

Over the past two decades, the SAP environment has undergone significant changes, evolving from the relatively straightforward R/3 system to a more complex landscape that includes cloud-based solutions like SAP Ariba and SuccessFactors. This rapid transformation has made it increasingly challenging to train and retain skilled SAP security professionals. The introduction of advanced products such as SAP S/4HANA and Fiori has further complicated the landscape, requiring years of experience for consultants to become proficient.

Meindert highlighted that the changing SAP landscape demands a higher level of specialisation. Historically, authorisation functions were often handled by Basis or Functional consultants. However, the increased complexity now necessitates dedicated security experts who can design and manage roles specifically for S/4HANA from the ground up.

The challenges of training and retaining skilled resources

Training an SAP security consultant to a level where they can lead projects typically takes five to seven years. This long learning curve is exacerbated by the concurrent need for many organisations to migrate to S/4HANA, creating a high demand for skilled resources within a short timeframe. The result is a “perfect storm” where organisations are competing for the same limited pool of experts.

Emile added that many senior consultants might find the shift to S/4HANA, with its new security concepts and cloud solutions, daunting. This could lead some experienced professionals to retire rather than re-skill, further exacerbating the shortage.

Impacts of the skills shortage

The shortage of skilled SAP security resources has several significant impacts on organisations:

  • Inefficiencies: Inexperienced personnel often take much longer to resolve issues, leading to inefficiencies.
  • Errors: Lack of experience can result in security misconfigurations, such as improper role assignments or the use of wildcards, which can increase the risk of unauthorised access and potential fraud.
  • Compliance Costs: Organisations might face increased compliance costs due to the need for extensive audits and remediation efforts.
  • Risk of Fraud: Improper role design and management can elevate the risk of fraud, with unauthorised access potentially leading to financial losses.
  • Inferior Role Design: Organisations may struggle with suboptimal role designs that complicate compliance and user access reviews.

Potential solutions: Managed Services

The podcast guests agreed that a Managed Services option is a viable solution to the shortage of skilled SAP security resources. Managed Services providers can offer specialised expertise on demand, allowing organisations to maintain high standards of SAP security without the need for full-time, in-house experts.

This model provides several advantages:

  • Access to Expertise: Managed Services providers can offer access to highly skilled professionals who can assist with complex security issues on an as-needed basis.
  • Cost Efficiency: Organisations can save costs by not having to employ full-time experts. Instead, they can leverage the provider’s resources as required.
  • Consistency and Quality: Managed services ensure consistent and high-quality management of SAP security functions, reducing the risk of errors and compliance issues.

Meindert emphasised that for a Managed Services model to be successful, businesses must retain accountability for security and compliance. The Managed Services provider handles the technical aspects, but all changes and approvals must come from the business.

BR1GHT’s Managed Services offering

BR1GHT offers a comprehensive managed services model tailored to the needs of each client. Their approach includes:

  • A Governance Assessment: Identifying all critical roles and ensuring appropriate governance structures are in place.
  • Customised Services: Providing first-line support services, complex role maintenance, and GRC tool management.
  • Flexible Models: Offering fixed-hour or flexible service models that integrate with the client’s existing systems.

Meindert also stressed the importance of educating business users about access risks and controls. By increasing understanding and ownership of security among business users, organisations can better manage and mitigate access risks.

The episode concluded by reinforcing the notion that Managed Services can be a cost-effective and efficient solution to the shortage of skilled SAP security resources. However, not all Managed Services providers are created equal. Organisations must ensure that their chosen provider has the necessary expertise and capabilities to meet their specific needs.

As businesses continue to navigate the complexities of the evolving SAP landscape, leveraging Managed Services can provide the expertise and flexibility required to maintain robust security and compliance standards. By doing so, organisations can mitigate the risks associated with the current shortage of skilled SAP security resources and ensure their systems remain secure and compliant.

An Access Control (GRC) tool to increase SAP security and ensure compliance

Soterion supports and works in collaboration with a global partner network to provide customers with effective SAP security solutions. BR1GHT can provide a comprehensive Managed Services solution for organisations that do not have the necessary in-house SAP security resources.

To enhance your SAP security and risk management, Soterion can provide business-centric GRC solutions that help your organisation improve accountability for risk, increase the security of your SAP solution and ensure compliance.
