June 10, 2026

Episode 106 -- The Invisible Attack Surface: Zero Trust for SAP and ERP Environments



In Episode 106 of the Cybersecurity Readiness Podcast Series, Dr. Dave Chatterjee is joined by Holger Hügel — Chief Technology Officer of SecurityBridge and a global authority on SAP cybersecurity with over 26 years of experience — to address a governance blind spot that exists inside the security perimeters of even the most mature enterprise organizations: the SAP environment.

Opening with the August 2024 ransomware attack on Stoli Group USA — where attackers went straight for the company's SAP enterprise resource planning (ERP) system, disrupting financial operations and contributing directly to a bankruptcy filing within three months — Dr. Chatterjee frames the episode's central challenge: organizations can have zero trust architecture, network segmentation, and identity governance fully deployed across their IT landscape, and still be critically exposed, because most CISOs have never formally claimed accountability for SAP security, and most SAP teams do not think of themselves as part of the security function.

Hügel explains the structural gap at the heart of this problem. SAP systems are simultaneously the most business-critical and the least security-governed assets in most large organizations. The C-suite depends on them for financial operations, payroll, procurement, and supply chain continuity, yet SAP teams and security teams speak different languages, operate under different budgets, and rarely collaborate. SAP departments typically define "security" as managing user authorizations and privileges — a narrow interpretation that leaves configuration drift, patch backlogs, and monitoring gaps entirely unaddressed.

Analyzed through Dr. Chatterjee's Commitment–Preparedness–Discipline (CPD) framework, the conversation translates SAP cybersecurity from a technical niche into a governance imperative. The Medtronic case study demonstrates what good looks like: a CISO who crossed the organizational divide, sponsored SAP hardening from the cybersecurity budget, built a continuous patch management process, and created the governance structure that allowed the team to respond to an out-of-band vulnerability within hours rather than weeks.

The episode's central message is neither technical nor abstract: the organizations that will survive the next ERP-targeted ransomware attack are not those with the most sophisticated tools — they are the ones that have claimed ownership of the problem, built the processes to address it continuously, and created the cross-functional governance structures that SAP and cybersecurity teams cannot build on their own.

To access and download the entire podcast summary with discussion highlights, visit https://www.dchatte.com/episode-106-the-invisible-attack-surface-zero-trust-for-sap-and-erp-environments/

Connect with Host Dr. Dave Chatterjee

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Books Published

The DeepFake Conspiracy

Cybersecurity Readiness: A Holistic and High-Performance Approach

Articles & Cases Published

Chatterjee, D. (2026). Root: Automating the Remediation Gap, Ivey Publishing, Jan 7, 2026.

Ramasastry, C. and Chatterjee, D. (2025). Trusona: Recruiting For The Hacker Mindset, Ivey Publishing, Oct 3, 2025.

Chatterjee, D. and Leslie, A. (2024). “Ignorance is not bliss: A human-centered whole-of-enterprise approach to cybersecurity preparedness,” Business Horizons, Accepted on Oct 29, 2024.

Isik, O., Chatterjee, D., and Lourenco, D.A. (2024). “Getting Cybersecurity Right,” California Management Review — Insights, Accepted for Publication, July 8, 2024.

Chatterjee, D. (2023). “Mission critical – How American Cancer Society successfully and securely migrated to the cloud amid the pandemic,” I by IMD, March 13, 2023.

Chatterjee, D. (2022). “Preventing security breaches must start at the top,” I by IMD, September 28, 2022, Institute for Management Development, Lausanne, Switzerland.

Chatterjee, D. (2022). “Making Cybersecurity Readiness Mainstream,” Executive Blog Post, NETSPI, March 1, 2022.

Benz, M. and Chatterjee, D. (2020). “Calculated Risk? A Cybersecurity Evaluation Tool for SMEs,” Business Horizons, available online from May 4, 2020.

Chatterjee, D. (2019). “Should Executives Go To Jail Over Cyber Attacks,” Journal of Organizational Computing and Electronic Commerce, Vol 29, Issue 1, pp. 1-3.

Abraham, C., Chatterjee, D., and Sims, R. (2019). “Muddling through cybersecurity: Insights from the U.S. healthcare industry,” Business Horizons, July 2019.