Why SAP RISE isn't a "set and forget" model - and how CISOs can shape its success

By Eckhart Mehler for CISOsCISO — a perspective on cybersecurity leadership, governance and the decisions that determine whether organizations retain control.

The move to SAP RISE has been heralded by many organizations as a streamlined path into the cloud, unifying licensing, technical support, and transformation services under one umbrella. However, viewing SAP RISE as a self-running solution is a risky assumption—particularly for Chief Information Security Officers (CISOs). While transformation projects often concentrate on cost savings, operational efficiency, and digital innovation, the CISO’s role is frequently underrepresented or, worse, perceived as an afterthought. In reality, security must be interwoven from the outset if SAP RISE is to deliver on its promise without incurring significant organizational risk.

Below, we dive into why this cloud-based model requires ongoing diligence and illustrate how CISOs can—and should—claim a front seat in shaping its success.

🔎 1. Unmasking the Myth of “Set and Forget”

Embracing SAP RISE is often thought of as a convenient way to shift the operational burden off internal teams and onto SAP itself. Yet, this assumption glosses over the reality that SAP RISE is not an all-in-one panacea:

• Shared Responsibility: While SAP manages certain layers (e.g., infrastructure), customers retain accountability for securing applications, data, and user access.
• Ongoing Optimization: RISE includes continuous updates, patches, and integrations, each of which can introduce new vulnerabilities. “One-and-done” security validation is neither realistic nor prudent.

Here, CISOs play a pivotal role in challenging any perception of absolution from risk. By clarifying shared responsibilities and rallying cross-functional teams, they ensure that security remains a continuous thread rather than a post-implementation thought.

🔒 2. The CISO’s Central Influence on SAP RISE Architecture

CISOs wield unique organizational visibility that transcends technical and strategic domains. They are inherently placed at the intersection of risk, technology, and governance, making them crucial stakeholders in cloud-transformation programs such as SAP RISE. Some key areas of influence include:

1. Identity and Access Management (IAM): As SAP solutions scale, the complexity of granting the right privileges to the right people at the right time grows. CISOs oversee the policies and tools that keep unauthorized access at bay.
2. Threat Monitoring & Incident Response: Moving to the cloud demands a shift in monitoring strategies. CISOs champion the adoption of continuous threat intelligence and advanced detection capabilities aligned with SAP RISE’s operational cadence.
3. Compliance Alignment: Industries with stringent regulations—pharmaceuticals, finance, or government—cannot afford to treat compliance lightly. CISOs interpret and implement the necessary controls (e.g., data sovereignty, encryption standards) that keep the company compliant when sensitive data traverses SAP RISE modules.
4. Supply Chain Security: In an increasingly interconnected ecosystem, third-party applications plugging into SAP can become weak links. CISOs bring a meticulous vetting process that spans vendor risk management, data handling policies, and periodic audits.

🚀 3. Use Cases Where CISO Involvement Is Mission-Critical

Case A: Mergers & Acquisitions

A multinational conglomerate recently acquired a smaller tech-focused competitor. As the acquired entity’s SAP environment merged with the parent’s infrastructure, disparities in IAM frameworks, legacy encryption methods, and regional compliance mandates emerged. The CISO’s early intervention ensured these risks were cataloged, prioritized, and systematically remediated. The result? A smooth, secure integration without unplanned downtimes or compliance violations.

Case B: Rapid Cloud Scalability During a Pandemic

During a global health crisis, a large healthcare services provider witnessed exponential growth in patient data volumes and telemedicine services. Transitioning core modules to SAP RISE helped handle spikes in demand. However, the CISO proactively enforced stringent authentication protocols and real-time anomaly detection, preventing data breaches that could have severely impacted patient trust and tarnished the provider’s reputation.

Case C: Cross-Border Data Flow

A luxury goods manufacturer expanding into Asia Pacific integrated regional supply chain partners into its SAP RISE landscape. This posed cross-border data residency and transfer compliance challenges. The CISO’s expertise in local data protection laws guided precise configuration of data encryption layers, data residency settings, and vendor contracts, preserving brand equity and steering clear of hefty fines.

⚙️ 4. Steering the SAP RISE Journey: Practical Recommendations

1. Governance by Design

CISOs can institutionalize governance frameworks—covering risk assessments, decision-making protocols, and reporting lines—well before project kickoff. This ensures that each phase of SAP RISE adoption is underpinned by security-by-design principles rather than retrofitted controls.

2. Continuous Validation & Pen Testing

Traditional annual risk assessments are no match for the pace of cloud transformation. Advocate for automated scanning and penetration testing cycles timed with every major SAP RISE update or new module integration.

3. Security Champions in DevOps

Build a dedicated security champion network across development, operations, and infrastructure teams. With real-time security monitoring and feedback loops, DevOps cycles remain agile yet secure—a requirement for robust SAP RISE deployments.

4. Active Stakeholder Engagement

CISOs should be in the driving seat of stakeholder alignment, partnering closely with CFOs, CIOs, legal counsel, and line-of-business leaders. By connecting security imperatives to risk mitigation and business outcomes, CISOs can secure the influence and budget needed to embed security from blueprint to go-live.

5. Periodic Risk & Compliance Audits

Formalize a cadence for risk reviews. This includes verifying compliance posture, evaluating the supply chain ecosystem, and recalibrating IAM policies to address shifting threat landscapes.

✅ Conclusion: Paving the Way for Secure Transformation

SAP RISE offers a promising bridge to the cloud, accelerating digital transformation and operational efficiencies. However, it is far from a “set and forget” affair. The high-stakes realm of data privacy, regulatory compliance, and threat landscapes demands that CISOs be integral, authoritative voices from the outset. When CISOs take an active seat at the table—championing proactive security design, continuous oversight, and cross-functional alignment—they elevate the entire transformation project, ensuring both strategic and secure outcomes.

Instead of seeing CISOs as “optional advisors,” forward-thinking organizations recognize them as indispensable orchestrators of risk-based success. In the fluid environment of SAP RISE, a vigilant, empowered CISO is the difference between a stumbling digital transformation and one that truly thrives in the face of evolving cyber challenges.

Publication Note & Disclaimer
This article was originally published on LinkedIn on April 15, 2025 and may have been edited or updated for publication on this site.

It reflects my personal professional perspective and does not represent the official policy or position of my employer. Drafting and editorial refinement may have been supported by commercially available AI-assisted tools. The analysis, conclusions and final curation are entirely my own.

For information regarding image credits, copyrights, trademarks and other intellectual property rights, please refer to the Imprint.