CSD Interview with Ray Mastre - Director at PwC
Yeah. So, if you can just introduce yourself, your name, where you're from, and where we are just so we can have it for the tape.
My name's Ray Mastre. I'm a director with Price Waterhouse Coopers, and I'm at the San Francisco ISACA Conference.
Awesome. Thanks. I heard you've been with PWC for a while.
I've been with PWC for almost 14 years. I'm a little bit of a PWC dinosaur.
Always curious how people ended up in cyber security.
I was an IT guy at Penn State, and when I was coming out of school, I think consulting was really attractive to me because I got to see problems many different ways at a lot of our clients. It wasn't just looking at one thing and trying to make it better. It was looking at 20 things and realizing that there's probably common solutions throughout all of those problems. It's taken me all over the world, and I've gotten a chance to live in Europe and in many cities in the U.S. It's been a good ride.
Yeah. You said you were in Switzerland and a couple other places.
Beautiful Switzerland, the Swiss Alps, skiing, chocolate ... it's great stuff.
Yeah. I've been a little bit myself, but not lucky enough to live there yet.
It sounds like you've focused in on SAP as your coverage practice. How did you land there and what's exciting in that space right now?
SAP was a little bit of luck of the draw for me, but I think one of the things that was most interesting is just the amount of data worldwide that flows through SAP. In my presentation today, I talked about the percentage of business transactions that will touch SAP is astounding, worldwide. For me, that level of data was always interesting, and then being able to go to multi-national organizations in many different industries has given me the chance to just see SAP in ways that I don't think everyone gets to see it. Security has always been my focus, but it's just broader SAP that's interesting to me, as well.
I think for individuals who aren't running companies or running large systems, they may not realize how prevalent some of that stuff is running in the background and underlying the structure of making companies work.
As you think about where attacks are happening and how the potential for damage, destruction, theft, all the different elements that keep people in cyber security up at night -
It seems like the critical infrastructure and backend systems have risen to the surface as an area for concern. What's driving that? Are there specific incidents? What's pushing people to realize that?
As I just mentioned, a very high percentage of business transactions worldwide are happening in SAP. Because of that, SAP really holds the crowned jewels for many organizations, right, their financial data, their supply-chain data, their procurement data, their customers, their employees. All of that is contained within SAP, and there's people out there that want that data, whether it's Nation States or hactivists or what have you. That's always been a target. Now the thinking behind SAP has always been that it's behind the firewall. It's not really a problem, and historically there never was that risk. Well, starting in 2012 with an anonymous hack in the Greek finance ministry, it's happened, and it's happened continually to larger degrees. It just continues to get worse.
In 2016, there was a Department of Homeland Security U.S. memo that, essentially, let the world know, first one ever, that there is a huge risk to SAP and the data within it, and companies need to start thinking about systems like SAP because even though it's behind the firewall, that data is accessible. Like I said, it's critical assets, and you want to make sure you're protecting them well.
I think it's interesting. As you think about cyber security, you know the typical life cycle of the software might be a year or two, and the typical lifetime of some equipment ... if it's well made, may be measured in decades. There's this natural mismatch between the life cycle of the two and thinking how do you protect critical systems that were cutting edge when they came out, but that thing was built so well it's running 20 years later.
How are you, whether at PWC or in your clients ... and you don't need to use any names specifically ... how do you handle that problem?
With the idea that SAP has been around for a very long period of time, and some of these threats are new ... like I said, I don't think the threat ever was imagined. I don't think people really thought that SAP was on their list, and now all of a sudden it's on their list. Companies are being forced to perform many structural upgrades when it comes to their software. Specifically with SAP, the new craze is Hana, so every company is required to move to SAP Hana in the next 5 to 7 years as an SAP requirement. Because that's a new system and it's not as mature, there's a lot of security concerns with Hana, and Hana continues to be, every quarter when SAP releases its security threats and vulnerability profiles, Hana continues to be at the top of that list of new enhancements that are needed to protect companies. It's a target, and I think from our side, PWC has been able to go in and help clients to ensure that, for example, they're including those patches, that they're using solutions that help to identify what those risks are, and help get those patches in.
There's actually a lot of vendors onboard, as well. There's a solution called Onapsis out there right now that Onapsis is the leader right now in making sure that companies are aware of what those patches are and what needs to be implemented so that they can integrate Onapsis into their cybersecurity program, which contains SAP.
Yeah. You know, I would love to hear specifically what you're seeing. The security in the design of programs is the ideal way it happens, right? When you're designing the software, you're expecting security to be built in, but in this environment you're sort of backward looking, trying to understand these older systems. What are the ways that people can protect those legacy systems? Are they just air gapping them or are they literally unplugging them? What do you see people doing?
I mentioned it in the presentation that I did today, but it's people, process, and technology and aligning those three. That isn't always so easy. If technology doesn't support the idea of security, then you've got an issue. I think SAP, at least the core ECC system, supports the ability and gives you the flexibility to control what users can do in the system.
And I think that's good. You have the capability, but what we see in the industry is that the focus is not necessarily on that application security. What happens is overtime, it may start out on day one as it's working fine, but as that system is in place for 5, 10, 15, 20, 30 years, you start to have a problem.
So, I think what will happen is there will be an intense focus on Hana with this new transition, and people will get it right, eventually. The question is, what processes do you have to have in place to identify new threats and also continue to keep your current security design up to speed.
Yeah. It's such a challenge because you've got some of those equipment critical infrastructure, and we'd love to say that everything's going to come up to Hana, but you've gotta plan. You've got a piece of machinery that works and it's gonna continue to work, and the price to buy a new one is pretty astronomical.
Do you just sort of expect at some point that that's gonna fail? How are people handling that?
I think that SAP is a software company, right.
They're not a security company. Just like PWC is professional services. We help to consult on SAP, but we're not a software designing company. In my mind, I think the best thing companies can do is really understand the capabilities that are out there, really do an analysis of what they're trying to protect ... so what's their critical assets - why are we trying to secure this period ... and then, ensure that the technology is used, the people are up to speed, and there are processes in place. That's basically all you can do. Just knowing what the risk is and then looking at creative ways to continue to ensure that people are responding in the right way.
Yeah. I think in one of your slides, you had understanding the different levels of threats and the different levels of access you need. You may have some vulnerabilities that you can't take care of, but as long as they're all lower level, you'll get to them but they shouldn't be your first priority.
Okay. Cool. So, let’s have some fun questions.
What would you recommend people read? What do you think, in terms of value? I know you had a couple of pieces that you recommended.
You know for me, I love to read, but reading in the SAP securities space ... generally the books are like this thick, and it's a lot. I think there's a lot of really strong resources that are available at conference level. Normally, I don't even recommend conferences, but conferences really are a place, especially in the SAP space, there's a cyber security and a governance risk and compliance conference that is thrown by SAP every year. It's excellent. I try and speak at it every year, but also a bunch of my colleagues in the industry do, and that's even a help for me to ensure that I'm staying current because the market's ever changing and the requirements are, as well.
What's keeping you up at night?
Right now, my dogs.
What's keeping me up at night? You know, the biggest fear for me is not staying current. In technology as a whole, it changes so much and SAP Hana, they release a new version of the software support or the patch level behind Hana every year at least, every nine months. Having to understand what's there, what are the changes in security, how are our clients adapting to it, and what type of threats and penetration and hacks are we seeing ... to me, that's what keeps me up at night and that's where I spend my time.
Yeah. This is awesome. That was great.
Really appreciate it.
About Raymond Mastre
Raymond is a Director at PwC based in the San Francisco office. For twelve years, Ray has specialized in SAP Application and Cyber Security and the implementation of Governance Risk and Compliance (GRC) solutions for SAP. He has completed eight global SAP security redesign projects and multiple end-to-end implementations of the SAP GRC Access Controls suite (v10.1) and the customization of client specific Segregation of Duties (SoD) rule sets. Ray also completed a 3.5 year exchange program with the Zurich, Switzerland PwC office; where he led the business unit dedicated to proving compliance solutions for companies running SAP (SAP GRC, Approva One, Security Weaver, etc.). Ray has worked for clients in various industries including: Retail, Public Sector, Insurance, Consumer Electronics, Entertainment, Pharmaceuticals, Manufacturing and Defense.