Security is now job one for SAP operations teams - lessons from Avantra Summit 2021

By Jon Reed

December 9, 2021

Audio mode

(Brenton O'Callaghan of Avantra talking shop)

All software vendors have a core message or two - but not all of them resonate with me. Avantra's core message, filtered through my own lingo, is: "ERP operations folks - quit messing about and start automating."

The way I phrased that is probably unfair. Most ERP operations folks I know work their tails off. But ERP vendors have let them down.

I believe that ERP vendors have focused more on cloud applications than on automating internal landscapes - especially for customers on older releases. The landscape management tools provided are clunky at best. Want me to back that up?

SAP operations - playing catchup with the rest of ITOps?

Prior to the Avantra Summit event (replay available with sign up), Avantra's Brenton O'Callaghan published a forceful post on diginomica, Time for an ERP automation wake-up call - five keys to automating your ERP landscape. This phrase jumped out:

We're operations leaders and professionals, many of us in the SAP space, and we continuously rely on the narrative that we're special, what we do is special and it is so different from the rest of the IT Operations world. While it may have been true once, we need to get over it because it is absolutely not the case today.

That's more diplomatic than the way I put it - but is the core message all that different? So what needs to change? O'Callaghan:

SAP Operations in particular is playing catch-up with the rest of the ITOps world which has moved on to revolutionary concepts like SecOps, Infrastructure as code and intelligent automation. While we are catching up fast, we all must recognize the part we must play in embracing this journey.

That holds true even today. Take SAP TechEd - while I am very impressed with how SAP TechEd has modernized its SAP development tools and vision, on the tech operations side, I'm still waiting to see the intensity of DevOps focus I believe is warranted. The good news: I think SAP operations managers embrace the automation imperative. The issue becomes: how do you pull that off at scale? While AIOps approaches are promising - and Avantra has quite a bit to say on the topic of AIOps - tools proliferation can confuse as well. O'Callaghan adds:

In my role, I speak to a large number of IT operations leaders and ERP professionals each and every day, and there is one word on their mind in nearly every case — automation. How do they automate the basic and foundational elements of their team day-to-day.

For ERP operations, the urgency of security is mounting

O'Callaghan goes on to detail five keys to ERP automation. Now that Avantra Summit is in the books, I had a question for O'Callaghan: how does his message stack up to what he heard from attendees? Attendees always bring surprises. O'Callaghan did indeed get a surprise from Avantra Summit attendees. Or, if not a surprise, a strong emphasis: security is now job one. As he told me:

We had a very high number of conversations happening literally minutes after the event. One of the things that really surprised me was that some of our existing customers reached out immediately. There was one feature in particular they all got very excited about, which was this SAP HotNews piece.

Yes, security has always been an operational concern. But the urgency is mounting:

Because security seems to be a growing concern, they realize this the kind of feature that [speeds] their ability to react to security events that are happening every single month on the second Tuesday of every month, the "Patch Tuesday." They're realizing it would reduce that effort from two weeks down to seconds.

That tells O'Callaghan one thing: the threat of ransomware - and other sophisticated attacks - is shaking things up. That includes Avantra, where security hasn't necessarily been the core product focus:

I thought that was really interesting and really telling, considering the ever-changing security environment. Whether you take ransomware, whatever the case may be, we've never been a security company. This is not something we have specifically focused on as, 'Hey, we are the security experts for SAP, or for general-purpose landscape management.' But we're almost being thrust into that way.

Sometimes customers see potential in your platform, beyond what you planned: "Our platform is flexible enough to delve into those areas when required," O'Callaghan says. He expects Avantra to double down on security capabilities:

From a feature perspective, one of the areas we're investing in is: How do we enhance this as a platform? And how do we give large organizations the ability to create assets of their own, which are developed code, developed checks, whatever the case may be, that allow them to stay ahead of this stuff?

"I know it has nothing to do with SAP - please work with me here" - a ransomware story

Ransomware concerns go well beyond ERP. That doesn't mean ERP operations teams can pass the buck. O'Callaghan hears that directly:

When one of our customers raises what we call an urgent ticket, i.e. something's really wrong - I know about it immediately. I vividly remember that about six months ago, an urgent ticket came in from our largest customer. He says, 'There's there's been this ransomware attack, and I'm using Avantra to figure out whether, throughout our entire install base, this ransomware is actually installed.'

In a crisis, you use the best tool on hand, no matter what it was intended for:

He says, 'I know it has nothing to do with SAP, please just work with me here; I need to know if this is installed in our customer landscapes. And your tool is the best way of achieving this; I just need a little bit of help.'

Ten minutes later, he had that up and running and deployed within their entire landscape. He realized there were three of their customers that actually had this ransomware installed, and it was starting to worm its way through the network. As a result, they were able to get out ahead of it and protect those customers... This is, as you say, job number one. And it's becoming such a thing that they are worrying about it on a constant basis.

My take

Go where your customers take you - I can think of worse mantras. ERP operations teams need tools that are not proprietary-only to their chosen environments. The more Avantra expands its platform beyond a narrow ecosystem focus, the more relevant it becomes. Their deep ServiceNow partnership is one promising example. Security seems like an excellent way to carry that mentality forward.

Every customer has a different transformation agenda - and action plan. For those not planning to modernize their ERP platform (yet), ring-fencing ERP has been the primary option. But why not automate, even if you ring-fence? No matter the approach, automating ERP operations is a clear win, with security patches and updates front and center. O'Callaghan shared the example of a hyper-security-conscious customer that asked for a kill switch - a feature that was not difficult to add.

One big challenge for Avantra: balancing enhanced security with modern user experience. There is a difficult tension there, one that O'Callaghan's team continues to plug away on. Even "zero trust," held up as the next-gen solution to security breaches, has strong UX critics. 

Avantra's SAP HotNews functionality, which "intelligently monitors" SAP HotNews, is part of its newly-announced Enterprise Edition. Here's the sensitive part: how do you manage the rollout of an additional layer of (paid) functionality, beyond the core release existing customers are on? My talks with Avantra leadership convinced me they've gone about this the right way, aggressively adding to the core release as well. From what I can tell, early customer response has been positive, but it's early days. My colleague Derek du Preez has an upcoming article via his talk with Avantra CEO John Appleby on the Enterprise Edition, so watch this space.

Avantra is not the only player in this game. To be fair, SAP itself has come a long way from the early Solution Manager days. Still, many of the workflow automation things I hear about from SAP are in an S/4HANA environment. Customers should look hard at their options, in the context of their ERP upgrade plans (or not). You should not have to upgrade your ERP to gain a stronger DevSecOps foothold.

Here's what I find fascinating: the challenge of reconciling this "security first" customer feedback with an energizing future of work vision. Du Preez wrote about Avantra's future of work take in Avantra CEO - 'SAP operations managers can no longer sit on the sidelines of talent war' . In his keynote, Appleby tried to reconcile the two. Yes, talent is a potent theme, but as Appleby acknowledged, for operations managers, security and compliance is now a constant thread.

I think you need both. A compelling automation and talent strategy makes operations more efficient - and opportunities more attractive. Your transformation can't be successful without them. I am partial to high and mighty themes about transformation and ROI. But if your back door is open in some way that a hostile can exploit, then forget about the other stuff, you're in a literal hot seat.

That's a perfect challenge for Avantra to take on.

Updated, 6am UK time, December 10, with a number of small tweaks for reading clarity.