Soterion: A Unique Approach to Risk Assessment

SAP’s enterprise resource planning (ERP) systems are the backbone of many organizations today. With its ability to streamline an organization’s business processes while providing increased productivity and efficiency in a cost-efficient manner, SAP ERP has become the preferred system of choice for enterprises. Though the SAP platform provides functionality to achieve a high level of security, if companies do not implement these controls (access, system controls) effectively, vulnerabilities can emerge. Hence, it is essential for organizations to know the potential risks to their SAP systems and implement strategies to be proactive in protecting their business. Dudley Cartwright, CEO of Soterion, an expert in SAP security and risk management, says, “Ensuring that an organization’s SAP systems are adequately secured is becoming a priority. The primary driver behind this has traditionally been fraud prevention, which is now being fueled by the implementation of data privacy regulations.” Established in 2011, Soterion was born out of Cartwright’s vision to provide ‘fit-for-purpose’ value-added solutions and offer feature-rich governance, risk and compliance (GRC) products and services to SAP companies of all shapes and sizes to manage their access risk. “Our solutions are built from the ground up and our risk rule sets are customized to the needs of our clients,” mentions Cartwright. “We continually monitor each of our clients against our GRC maturity roadmap to ensure they extract maximum value from their GRC investment.” A factor that sets Soterion apart is the combination of the company’s deep domain expertise in SAP security consulting and its ability to provide easy-to-use GRC solutions.

The Soterion product suite can be deployed in three ways: as on-premise software, SaaS application, and managed service. Cartwright ascribes this flexibility and scalability of Soterion’s solutions to the company’s exponential growth in the GRC market: “Our deployment options suit an organization’s GRC maturity and capability.” Another distinct factor that differentiates Soterion products is they can be used either as a pay-as-you-go service or an outright purchase. By highlighting the access risks in a business-friendly manner, Soterion enables firms to make informed decisions regarding whether or not a risk is acceptable, and which controls are appropriate. This makes the company more risk aware.

Cartwright proceeds to state that, “Most organizations misconstrue GRC as a complex process. It is, hence, important to have both technical knowledge on how SAP authorizations work and an understanding of risks, controls, and business processes in order to comprehend the real benefit of GRC.” Soterion has been very effective in translating this complexity into business-friendly language. Corroborating this statement, Soterion has developed two different rule sets for risks depending on the client’s risk tolerance level. These rule sets are easily customized to suit the company’s operations and HR requirements for the countries they operate in. Each risk is displayed in business process flow diagrams, making it easier for users to comprehend the risk’s impact. “This facilitates informed decision-making,” adds Cartwright. Over the years, Soterion has assisted numerous clients that have had concerns with SAP authorization. These organizations initially had not implemented any GRC tool which exposed them to fraud, data privacy leaks, and breaches. However, with Soterion’s solutions, the clients were able to identify the risks and remediate them through Soterion’s powerful risk clean-up functionality.

In the days to come, Soterion is focused on enhancing its offerings by developing data discovery and data classification functionalities. The company also partners with leading identity management (IDM) solution providers. “Moreover, as more customers move to the cloud, we believe GRC managed services is the future. As of now, there are very few companies that have the necessary internal expertise required to implement an effective GRC capability. We see this as an opportunity and are focusing on providing GRC as a managed service from both development as well as services perspectives,” concludes Cartwright.