December Risk Revolution
ERP Risk Advisors
Risk content to help you identify, manage, and mitigate ERP risk.
Hi Friends,
As the year winds down, the challenges in safeguarding ERP systems remain as dynamic as ever. In this month's newsletter, we're excited to offer valuable resources to enhance your security posture and spotlight meaningful work beyond the digital sphere. Sharpen your defenses against data theft and fraud with expert-led webinars and courses and explore how the frequency and impact of patch updates shape modern security strategies in our featured article.
Additionally, we're proud to partner with the Tim Tebow Foundation this month to amplify their incredible work. Please consider joining us in your year-end giving "to bring Faith, Hope and Love to those needing a brighter day in their darkest hour of need".
Join us in closing the year strong—protect your systems, expand your knowledge, and contribute to a cause that matters.
Have a Blessed Day.
~ERP Risk Advisors
Spotlight News
Below are hot topic items in the IT audit and cyber security industry. Enjoy the read and reach out with any questions or feedback to [email protected]
ERP Armor: Learning
Below are our December ERP ARMOR: Learning featured courses. Whether you're seeking last-minute CPE credits or looking to stay ahead of the digital revolution, these courses are designed for you! This month, we're featuring the 'what,' 'why,' and 'how' of SaaS system security, empowering you to protect your organization against fraud and data theft.
Social Impact
At ERP Risk Advisors, we believe in using our resources to make a positive impact on the world around us. When you partner with us, a portion of that partnership goes toward supporting another community, one person at a time.
The Tim Tebow Foundation is our December Featured Social Impact Partner! The Tim Tebow Foundation exists to bring Faith, Hope and Love to those needing a brighter day in their darkest hour of need. We strive to fight for the Most Vulnerable People in the world—the MVP—through our work in our four main focuses in Anti-Human Trafficking and Child Exploitation, Orphan Care + Prevention, Profound Medical Needs, and Special Needs Ministry.
Perpetual Patch Cycles Define Today's Digital Revolution for SaaS Applications
By: Jeff Hare, CPA CISA CIA
A digital revolution is upon us! We are witnessing the greatest digital transformation since Y2K, thanks to perpetual patch cycles within SaaS applications. Organizations are ridding themselves of building and managing data centers, first by moving their legacy applications to hosted data centers and then by replacing many of those legacy applications with modern SaaS applications.
Some of this is chalked up to necessity, with the work-from-home requirements derived from the COVID pandemic. During those challenging times, IT staff had to shift from on-site access to remote access for enterprise applications, meaning they had to enable users to work from home securely and efficiently.
This transformation appears to have picked up steam driven by a Return on Investment calculated by C-Suite executives.
There are two types of transformations. The first is the movement of legacy on-premise applications to hosted “Cloud” infrastructure. Terms such as PaaS, IaaS, and SaaS have become a part of IT lexicon. Some of these ‘lift and shift’ projects have also involved outsourcing support and maintenance of these applications.
The second type of transformation is a re-implementation of legacy applications to Software as a Service (SaaS) applications which are browser based. The provider hosts SaaS applications and updates them regularly, often following a pre-defined, published schedule.
There are many differences between these two types of transformation projects. However, I want to highlight one significant difference in their approaches.
The Big Difference
For legacy 'on-premise' ERP applications, the client can defer application patches for years at a time. For SaaS ERP applications, the software provider enforces patches on a periodic basis. In the early days of SaaS applications, there were times when the software provider wasn't 100% transparent about when they patched and what was changing. Management sufficiently chastised software providers on this issue in those early days, and for the most part the transparency we see today around the timing of patches means it is no longer an issue.
What hasn't changed is the "Perpetual Patch Cycle." The Perpetual Patch Cycle is the notion that patches (often referred to as Releases) will be applied on a regular basis and ARE mandatory. Most software providers allow organizations to delay some patches here and there. This can be especially helpful to organizations that are in the implementation process. Also, organizations can often negotiate which 'cycle' they receive the patch / release in.
Now, organizations can be an early adopter or be in a subsequent cycle, but they cannot defer patches for years like they used to. Hence the reason we, ERP Risk Advisors, coined the term 'Perpetual Patch Cycle.'
While management is mostly excited to have outsourced the process of scheduling and applying patches, they have NOT outsourced the identification and management of the changes being introduced by the SaaS software providers.
Keeping Dangers Due to Patch Cycles at Bay!
I fear that auditors and management haven't fully awakened to the reality that every patch / release is a mini upgrade. Management's ignorance is partly due to the 'hype' being created by SaaS providers and the large system integrators (SIs), who all stand to gain from these digital transformation projects. The large SIs rarely see the impact of the perpetual patch cycle because they often roll off a project within a month or two of the project's go-live. More often than not, the SIs intentionally fail to mention the perpetual patch cycle in their proposal responses, even when they may be present for subsequent implementation phases.
Management would be wise to understand the impacts of the quarterly or semi-annual patch / release process. Most organizations implementing SaaS applications understand the “upgrade cycle” from managing their on-premises legacy applications. Thus, they have a good understanding of what the execution of a software upgrade project takes. These upgrade projects are often six to twelve months or more in duration.
To prevent being caught flat-footed after go-live, organizations need an additional budget of 10% to 30% of the project costs. Management often discovers the contingency budget was spent on go-live or, worse, wasn't funded at all.
What’s Next?
At ERP Risk Advisors, we help management rebuild and enhance their security and controls program. This often involves customizing roles, training staff, and implementing processes to monitor security improvements and bug fixes.
We interact with other firms who have built businesses around the gaps left behind by these large system integrators and ERP software companies. We often see ‘rescue projects’ being executed by other system integrators and a growing number of managed service providers.
Addressing the Challenges
The following are a few of the many challenges faced by management:
Contact Us
If we can be of assistance to you and your organization as you face the challenges of today's ever-changing digital revolution, feel free to reach out to us at [email protected]. We can help you navigate the waters before they get too murky.