Security tools don’t fix security issues; people do: How to make compliance data relatable and actionable
07-25, 13:00–13:40 (US/Eastern), Room 1

SAP operates a multi cloud landscape across AWS, Azure, GCP, Alibaba, AWS China and Azure China of over 10,000 cloud accounts, with a wide variety of internal and customer-facing workloads. These workloads are operated by hundreds of teams in business units across eight board areas, each with their own organizations, different levels of operational support or cloud-native sophistication, and multiple layers of organizational hierarchy – all of which can be hard to navigate, is rarely clear cut and change quickly. How to ensure security compliance scans not just get conducted across a landscape this large and varied, but also enriched with metadata collected through strict cloud asset management processes, and shared through multiple layers of the organizational hierarchy is a complex task. Along the way we ran into scalability challenges, how to make sense of a large data set, and figuring out how to meet stakeholders where they are, with multiple data formats targeting different personas and roles. This came paired with organizational support structures, board area delegate weekly briefings, weekly Office Hours and executive reporting that brough accountability through the organization and drove remediation and enforcement efforts. We’d like to share our experience and successes in driving visibility and accountability up-and-down the organization to drive continuous improvements in SAP’s security compliance posture in this complex landscape.

Jay heads the Multicloud SecDevOps team at SAP and comes with a background in analytics before finding his way into full time security roles. Jay brings his experience in consulting, analytics, and security to multicloud security operations in order to drive security compliance efforts across a large and complex organization.

I've been a SecDevOps Engineer for about a year and am enjoying it immensely. My specialities are documentation, data/reporting, security ops and am currently working on my security+ certification and learning more about pen testing.