The SAP CCoE Experiment

00:00:02: The E-III Discourse,

00:00:04: a podcast

00:00:05: on key topics in the SAP community, presented in dialogue form by the two AI avatars from the

00:00:12: English language E-III

00:00:13: editorial team.

00:00:14: This E-III podcast is a summary and supplement to the E-III cover story.

00:00:18: December, twenty-twenty-five, January, twenty-twenty-six, the CCOE experiment.

00:00:24: On June, tenth and eleven, twenty-twenty-six, the SAP Communities Competence Center Summit will take place again in Salzburg.

00:00:31: but now to the CCOE experiment.

00:00:34: Welcome to the deep dive.

00:00:35: Our mission here is to really cut through the complexity of enterprise transformation.

00:00:41: and deliver what you actually need, essential, actionable knowledge directly to you.

00:00:46: Exactly.

00:00:47: And today we are focusing on what is, I think, the single greatest challenge and opportunity facing every established SAP customer right now.

00:00:55: Which is?

00:00:55: That inevitable high stakes shift toward Sforana, the cloud, and of course the aggressive automation mandates you need just to survive competitively.

00:01:04: And if you are navigating those very turbulent waters, your anchor point, the one indispensable core of this whole thing is the Customer Competence Center, the CCOE.

00:01:14: Or the CCC, as you'll often hear called.

00:01:16: Right.

00:01:16: And our central question today is really about defining success.

00:01:20: What specific organizational, technical, commercial, and even legal mastery must the CCOE have to secure the future SAP landscape?

00:01:29: And to be clear, all our insights for this, they're drawn directly from deep editorial research by the E Three Magazine team, curated specifically for the SAP community.

00:01:38: We've got some immense pressure points to unpack today.

00:01:40: So we've organized this deep dive around four critical pillars that your CCOE has to master.

00:01:45: First, there's the big strategic shift dominated by the cloud and rise with SAP.

00:01:50: Then second.

00:01:51: we have to tackle the operational frontier, achieving real automation and observability in what has been a very manual SAP basis world.

00:01:59: Third, we'll look at the strategic transformation tools, BTP, the whole concept of a data fabric.

00:02:05: And finally, we'll get into the tough part.

00:02:07: The notorious SAP licensing labyrinth and the absolutely critical duty of security.

00:02:12: And that CCO reel, it's no longer a peripheral function.

00:02:17: It's explicitly listed as a key management theme for the entire ecosystem.

00:02:20: Why?

00:02:21: because it's the translator layer.

00:02:23: It's what turns the strategic mandate into operational excellence.

00:02:25: Okay, so let's start there.

00:02:27: The CCOE as the core navigator in this huge transformation.

00:02:31: Let's begin with the unavoidable reality.

00:02:33: The thing that sits the clock ticking for everyone.

00:02:35: For any major enterprise using SAP software right now, the future ERP system is unequivocally S-IV HENA.

00:02:42: There's

00:02:42: no get around it.

00:02:43: No.

00:02:44: The technical and functional advantages are just too compelling to ignore long term.

00:02:49: But the path to S-IV It's anything but a straight line, is it?

00:02:54: I read that even with everyone agreeing on the destination, about a third of companies are still struggling to figure out the best way to actually get there.

00:03:02: And that struggle is completely understandable, because that choice, it locks you into a decade of work.

00:03:09: Customers are weighing the classic options.

00:03:11: Greenfield, which is basically a complete rip and replace.

00:03:14: A chance

00:03:14: to reinvent everything.

00:03:15: Exactly.

00:03:16: Seeing Sforana as a chance for total process harmonization, or, you know, they might go the brownfield route, a purely technical conversion.

00:03:24: We're just trying to keep everything stable, preserve all your customizations.

00:03:27: Preserve the landscape with minimal disruption.

00:03:30: And then you see these hybrid strategies popping up.

00:03:32: The

00:03:32: blue field or orange field approaches, trying to get the best of both worlds.

00:03:35: Right.

00:03:36: They combine elements, maybe migrating one business unit via brownfield while merging new greenfield processes somewhere else.

00:03:43: And the implication here, this is the CCUE's first fundamental decision.

00:03:48: Is this S-IV migration just a technical IT project?

00:03:52: Or is it a comprehensive business project?

00:03:54: A

00:03:54: project that's meant to drive enterprise-wide change.

00:03:58: The CCOE has to lead that decision.

00:04:00: They have to.

00:04:01: So what's driving the ticking clock behind all of this?

00:04:04: Why the urgency?

00:04:05: It's SAP's own stated strategy.

00:04:07: It rests on two interconnected pillars.

00:04:10: The first is S-IV HANA itself, built on the huge performance gains of HANA technology.

00:04:15: The second pillar, and this is the one that really applies the pressure, is the aggressive expansion of their cloud-based product portfolio.

00:04:22: New functionalities, even for the core ERP, are developed and released first in the cloud.

00:04:27: Which immediately puts anyone on a legacy system at a competitive disadvantage.

00:04:30: They can't get the latest innovations.

00:04:32: And of course that twenty twenty seven deadline is still looming.

00:04:35: It is.

00:04:36: The announced end of mainstream support for business suite seven in twenty twenty seven.

00:04:40: It's a massive forcing function.

00:04:41: It compels every single company to start their transformation and reassess their entire landscape within the next few years.

00:04:48: And on the cloud, the general feeling is that long-term cloud-based SAP operations are pretty much a given.

00:04:55: Is that just marketing or is there a real shift happening?

00:04:58: It's both.

00:04:59: It's driven by vendor framing, for sure, but also genuine benefits.

00:05:02: The promise of lower TCO, greater agility, scalability.

00:05:06: That's all real, especially with the public cloud model.

00:05:08: But the COE needs to be careful.

00:05:09: Always.

00:05:10: They have to maintain nuance.

00:05:11: As of today, all operating models are equally valid.

00:05:15: On-prem, pure cloud, multi-cloud, hybrid.

00:05:18: The CCOE's job is strategic selection, not blind obedience to a trend.

00:05:22: So if the CCOE is the core navigator in this really complex, multimodal world... What's its supreme mandate?

00:05:28: The CCOE is the strategic translator.

00:05:31: Its mandate is to manage that complex, often hybrid system architecture, the mix of on-prem, private cloud, BPP, hyperscalers, and ensure absolute strategic alignment between IT goals and business objectives.

00:05:42: If the architecture just becomes a messy patchwork, it's the CCOE that failed to navigate.

00:05:46: Precisely.

00:05:47: That's why its role is highlighted as such a key management theme.

00:05:51: Okay, let's detail those roles a bit more.

00:05:53: First, on the business and organizational side.

00:05:55: Why is it so critical the CCOE treats this as a business project?

00:06:00: Because the risks are financial, not just technical.

00:06:03: The CCOE is responsible for harmonizing deeply customized business processes with the new standardized SAP world.

00:06:11: That requires huge organizational change management.

00:06:14: And if they fail?

00:06:15: If the planning is inadequate.

00:06:17: or resources are underestimated.

00:06:19: A classic CCOE failure.

00:06:20: studies show the cost discrepancies between the plan and the final result are massive.

00:06:25: The project costs just balloon.

00:06:27: So the CCOE isn't just delivering a system, it's defining the company's roadmap for the next decade.

00:06:32: Exactly.

00:06:33: They have to provide the essential framework for the S-IV migration planning.

00:06:36: This initial phase is crucial using tools like the business scenario recommendation, the fury apps recommendation,

00:06:42: the SAP readiness check,

00:06:44: all of that.

00:06:45: The CKE takes the output from those tools and creates the strategic business plan.

00:06:49: Partners can give you a high level roadmap in ten days, but only if the CKE provides clear, well-defined strategic input first.

00:06:57: And beyond strategy, what about the concrete technical competencies?

00:07:00: What does the CKOE have to master to ensure things actually work?

00:07:04: The list is really a reflection of that hybrid future.

00:07:07: They need deep technical competence in S-IV architecture and across all the operating models.

00:07:13: On-prem.

00:07:14: private cloud, public cloud.

00:07:15: But the foundation is still SAT basis support.

00:07:18: Absolutely.

00:07:19: But that means moving beyond traditional administration.

00:07:21: It means embracing sophisticated, continuous monitoring, comprehensive application, lifecycle management, ALM, and increasingly proactive automated security measures.

00:07:30: That expertise is what prevents the transformation from stalling out.

00:07:33: All right, let's pivot to the operational engine room.

00:07:36: then, the SAP basis environment.

00:07:38: This is where you see the biggest gap between strategy and daily reality.

00:07:42: It's just notorious for manual time consuming tasks.

00:07:46: It's the heart of the crisis in operational efficiency.

00:07:49: So many routine IT infrastructure tasks in SAP basis are still done by hand, or they rely on these clunky cumbersome scripts.

00:07:59: Which only gives you partial automation.

00:08:01: Right.

00:08:01: And it's easily broken.

00:08:03: It's not true.

00:08:04: end-to-end automated processes.

00:08:06: And the people who actually have the knowledge to fix this, the administrators, they're perpetually busy just putting out fires.

00:08:11: That's the time trap.

00:08:13: Your key resources, they just don't have the time or the motivation for ongoing automation development.

00:08:19: They're tied up with urgent requests, project work, and just keeping the lights on.

00:08:23: And automation isn't a one and done thing.

00:08:25: Not at all.

00:08:25: That's the critical insight.

00:08:27: It's a continuous effort.

00:08:28: Scripts and operations have to be constantly validated to make sure they still work after system changes and patches.

00:08:34: If you automate it once and forget it, it will break.

00:08:37: Let's use a really painful example, system copying.

00:08:40: That is always cited as complete resource sinkhole.

00:08:42: Oh,

00:08:42: it's often described as a pseudo project in itself.

00:08:45: A colossal time and resource intensive task that just grinds development and testing cycles to a crawl.

00:08:50: So how do you fix that?

00:08:52: You need specialized tools.

00:08:54: Things like blue copy from Imperius, for instance, which promise end-to-end automation of the entire system copy lifecycle.

00:09:01: What does end-to-end actually cover, though?

00:09:03: It's more than just a database transfer, right?

00:09:05: Oh,

00:09:05: much more.

00:09:06: It covers all the necessary steps fully automatically.

00:09:09: The database restore all the post-copy activities, and importantly, the critical BDLS runs.

00:09:15: And

00:09:15: let's clarify BDLS business data logical system.

00:09:18: That's the required step to update all the logical system names, so the data actually points to the new copied system correctly.

00:09:25: Exactly.

00:09:26: Without tools, it's a manual error-prone nightmare.

00:09:29: And crucially, that end-to-end automation also has to include GDPR-compliant anonymization of sensitive data, which makes the refresh safe for your test and dev environments.

00:09:40: And the speed gains from this are just transformative.

00:09:42: I remember reading an anecdote about an HR system refresh that was unbelievably fast.

00:09:47: Wait until you hear the real figures.

00:09:49: Yeah.

00:09:49: They have real-world examples cited, like full refreshes of an HR system completed in a net, twenty-three minutes.

00:09:55: Twenty-three minutes?

00:09:56: That's astonishing.

00:09:58: In the old world, refreshing a large HR system could easily take up half a week of a basis admins time.

00:10:04: How is that even possible?

00:10:06: It's

00:10:06: the convergence of efficient software and the underlying technology.

00:10:10: The speed comes from leveraging modern storage, for instance.

00:10:13: Tools built on platforms like NetApp can use highly efficient snapshot and cloning capabilities.

00:10:19: So you can do multiple refreshes per week?

00:10:21: Yes.

00:10:21: During project crunch times, regardless of whether you're on R-three or S-four, your developers and testers always have reliable, up-to-date starting points.

00:10:31: That's the definition of operational agility.

00:10:33: So moving from automation to visibility, how does the CCA key gain the confidence that this new automated hybrid environment is actually running smoothly?

00:10:43: Well, often the basis team suffers from a monitoring deficit.

00:10:46: They need to know what's happening at the business process level.

00:10:49: But traditional tools, like the good old SAP solution manager, S.U.L.M.N Yeah.

00:10:53: It often fails to provide the full picture.

00:10:56: The problem is a lack of shared telemetry data, unified tools, consolidated dashboards.

00:11:02: It forces them into manual error resolution, jumping between different screams.

00:11:06: So the goal is to move beyond just checking if the system is up toward true observability.

00:11:11: Flexibly.

00:11:12: Observability at the infrastructure level.

00:11:14: the app server's databases hosts, that's critical to quickly finding areas that impact the business.

00:11:20: If resource overload hits the application server, the CCOE needs to know immediately and find the root cause in minutes, not hours.

00:11:28: And the complexity of the SAP stack makes that visibility just inherently difficult.

00:11:32: It does.

00:11:32: You've got so many potential points of failure.

00:11:35: Resource overload, database issues, errors in integration layers like IDOC or RFC, slow fury performance, external system integration.

00:11:42: It's a

00:11:42: labyrinth.

00:11:43: It is.

00:11:44: And it's made worse by a multitude of specialized monitoring agents and proprietary tools.

00:11:49: It prevents continuous end-to-end monitoring at the transaction and business process level.

00:11:53: This sounds like a really fundamental strategic issue that the community is trying to solve right now.

00:11:58: It is.

00:11:59: The upcoming CC Summit topics for twenty-twenty-five specifically list Solman, Cloud ALM, and SAP Monitoring.

00:12:06: That confirms this is a central discussion point for CCOEs everywhere.

00:12:10: SAP Cloud.

00:12:10: ALM is the newer tool and is designed to support implementation and operations and it can integrate with on-prem landscapes.

00:12:17: But the market is looking for

00:12:18: more.

00:12:19: Yes.

00:12:19: Solutions like New Relic, which focus on centralizing telemetry.

00:12:24: They illustrate the market's need for better observability that goes beyond siloed SAP tools.

00:12:29: OK, let's talk about software quality and delivery speed.

00:12:32: So many companies, even after a big update, fall into this long, incredibly expensive post-go live phase.

00:12:39: Ah,

00:12:39: the notorious hypercare phase.

00:12:41: It's a costly period, sometimes up to three months, where you keep high-priced experts on retainer as a fire brigade just in case something breaks.

00:12:48: Over ninety percent of SAP customers do this.

00:12:50: Think about the stress of that.

00:12:51: Retaining a high-priced fire brigade for ninety days just hoping nothing goes wrong.

00:12:56: That's why automated testing isn't a nice to have.

00:12:58: It's essential financial risk mitigation.

00:13:01: Absolutely.

00:13:02: Those defects could have and should have been caught and avoided with thorough continuous automated testing beforehand.

00:13:09: The CCOE needs to move from that costly reactive model to a proactive automated software delivery pipeline to DevOps.

00:13:16: So what does SAP offer to help professionalize that continuous testing?

00:13:20: They've got a sophisticated testing stack.

00:13:22: For deep process functionality, there's SAP Enterprise Continuous Testing by Tricentis.

00:13:27: It provides end-to-end business process tests covering SAP and third-party systems, and they claim automation rates up to ninety percent.

00:13:34: and for the user experience.

00:13:36: For that, there's SAP load testing by Tricentis.

00:13:39: It provides scalable performance tests specifically for the Fiori UX and modern cloud apps like SuccessFactors and Ariba.

00:13:46: This level of automation drastically reduces the risk of business interruption.

00:13:50: But DevOps is more than just testing, isn't it?

00:13:52: It's about automating the entire basis lifecycle.

00:13:55: It's

00:13:55: about automating day two operations.

00:13:58: The CCOE has to adopt DevOps practices using configuration management tools like Ansible.

00:14:03: They're crucial for automating routines like patch and cluster management.

00:14:07: And this is extending beyond just infrastructure.

00:14:09: Way beyond.

00:14:10: It's moving deep into process automation within the SAP applications casks.

00:14:14: Like managing user rights, creating standard users, executing routine financial processes.

00:14:19: So we're blurring the lines between infrastructure automation and functional application management.

00:14:24: Precisely.

00:14:25: And when you combine RPA robotic process automation with Ansible, you can automate the SAP GUI directly from a central platform.

00:14:33: This bridges IT silos, eliminates manual data handling, and enables entirely new real-time end-to-end processes for the business.

00:14:40: Okay, let's shift from the operational nuts and bolts to the big strategic direction from SAP and the tools the CCAE has to leverage.

00:14:47: Right.

00:14:47: And the major strategic push has been RISE with SAP.

00:14:51: What's the fundamental value proposition for a customer committing to that?

00:14:55: RISE designed to tackle those two big pressures at once, the S-Ferrina transition and the move to the cloud.

00:15:02: It's branded as business transformation as a service.

00:15:05: And it does deliver undeniable benefits, scalability, faster updates, a clean operational environment.

00:15:10: But for large established customers, the reality on the ground isn't always that seamless.

00:15:15: What are the challenges people report?

00:15:17: That's the hidden challenge.

00:15:19: It's often described as a corset or a corset.

00:15:23: It provides structure, but it also imposes long-term commitments and restricts flexibility.

00:15:28: It can minimize competitive advantages that depend on unique customized processes.

00:15:33: And I've heard that big companies often report a missing level of service.

00:15:37: They do, especially when implementing external applications or customizations under the RISE framework.

00:15:43: And the myth that RISE saves you from needing an internal SAP basis expertise is particularly dangerous.

00:15:49: That

00:15:49: feels like a major trap.

00:15:50: It is, because SAP requires precise technical specifications during implementation, even with a managed service like RISE.

00:15:57: Without internal or external basis experts to define those specifications, which is tough with the skilled labor shortage, companies face hard to calculate costs and application problems later on.

00:16:07: So moving on to the innovation platform, BTP, the business technology platform, it feels unavoidable for customers moving into the S-IV world.

00:16:15: BTP is the platform for innovation and survival.

00:16:18: The core philosophy is the clean core strategy.

00:16:22: Your S-IV HANA digital core should be standardized.

00:16:25: All the necessary individualization, all your extensions have to happen outside.

00:16:29: on BTP.

00:16:30: The paradigm is never without BTP.

00:16:33: Exactly.

00:16:34: Extensions should be implemented using Steampunk, the ABADI environment, on BTP, using modern tech like RAP and KP.

00:16:41: And this isn't just for new S-Four customers.

00:16:43: Even legacy ECC-Six-Point-O customers can use BTP in a side-by-side scenario to future-proof their innovation.

00:16:49: So BTP is the basis for modernizing the entire SAP ecosystem, shifting it to a true cloud architecture.

00:16:56: Absolutely.

00:16:57: It supports cloud-native models like containers, and microservices.

00:17:00: And crucially, BTP is the key enabler for integrating highly heterogeneous landscapes, SAP, and non-SAP applications, like Microsoft Office.

00:17:07: three sixty five or teams.

00:17:09: It finally resolves that classic problem of IT silos.

00:17:12: Okay, let's talk about data.

00:17:13: Data quality and data volume are so often cited as the biggest roadblock to S four transformation.

00:17:18: The data challenges existential business critical data has to be quickly and scalably usable.

00:17:24: But the shift to S-IV is so often hindered by massive amounts of historical data, often with just terrible quality incomplete, faulty duplicate data that's piled up for years.

00:17:35: And SAP's answer to this is the data fabric concept.

00:17:38: That concept is materialized in SAP DataSphere.

00:17:42: It's the next generation of data warehouse cloud built on BTP.

00:17:46: and it is explicitly defined as a data fabric, designed to manage business data and provide timely, meaningful information with all the business context and logic intact.

00:17:55: Which is critical because competitors like Databricks and Snowflake are really increasing the pressure.

00:18:01: They

00:18:01: are.

00:18:01: The CCOE has to champion a unified, high-quality data strategy.

00:18:06: DataSphere provides the services for integration, cataloging, modeling, everything data experts need while keeping that business context.

00:18:13: That addresses the strategic use of data, but what about all the historical data that you're legally required to keep?

00:18:18: but that doesn't belong in your new lean S-Force system?

00:18:21: That is the crucial blind spot of so many transformation projects, managing the legacy systems after go live.

00:18:29: A lot of companies just accept they have to keep their old ECC systems running for years just to access historical data.

00:18:36: It's a massive long-term cost and the security liability.

00:18:39: So the CCOE has to proactively separate that historical data.

00:18:43: How do you do that efficiently?

00:18:44: The strategic approach, supported by platforms like GIVS-IMP, is the consistent separation of historical from operational data.

00:18:53: The one-click transformation idea.

00:18:55: By extracting and archiving historical data separately, the new S-IV system stays lean, the migration task gets smaller, and the operating costs for the old systems can often be cut by a staggering eighty percent.

00:19:06: That sounds like a fundamental win for the CCOE.

00:19:09: What's the big strategic benefit?

00:19:10: It gives you crucial decision freedom.

00:19:12: Independence from legacy burdens.

00:19:14: You maintain full legal compliance, retention is guaranteed, and you still have seamless access to all the old data.

00:19:20: Each of the source systems are completely shut down.

00:19:22: Let's

00:19:22: talk about automation and business processes with governance tools and low-code platforms.

00:19:26: Where does Signavio fit in?

00:19:28: For defining, modeling, and optimizing business processes, SAP Signavio is the critical tool for a CCOE.

00:19:36: It's for business process management, BPM, enabling continuous control, optimization, and even cross-company comparison of process efficiency.

00:19:46: And its capabilities are extending into some non-traditional metrics.

00:19:49: now, right?

00:19:50: That's the cutting edge.

00:19:51: Signavio now allows you to natively integrate sustainability into your business processes, so you can design and optimize your processes while factoring in criteria like CO² footprint or recycling requirements.

00:20:03: It's essential for manufacturing companies.

00:20:05: Absolutely.

00:20:06: Now, turning to development, SAP Build is designed to tackle the skilled labor shortage by empowering citizen developers.

00:20:12: The low-code, no-code platform.

00:20:14: Yes, built on BTP.

00:20:16: It enables users with minimal technical knowledge to extend applications and automate processes.

00:20:21: The German-speaking user group DSAG welcomes it as a way to reduce shadow IT.

00:20:26: But

00:20:26: they also had a strong word of caution, didn't they?

00:20:29: They did.

00:20:29: They emphasized that SAP Build is not a replacement for classic deep software development.

00:20:34: Its practical depth still needs to be proven, and the CCOE has to govern these new tools to avoid just creating new silos of shadow IT.

00:20:43: Finally, let's look at AI and machine learning in core SAP processes.

00:20:47: Where are we seeing the most immediate impactful automation gains?

00:20:52: Invoice processing is the classic example.

00:20:54: AI models can understand invoices, suggest creditors and account assignments, and proactively detect anomalies or fraud.

00:21:01: And these models get much better in cloud environments.

00:21:04: They do.

00:21:04: because machine learning models improve faster with more data sets.

00:21:08: So they're optimally deployed in public cloud solutions, where the system can leverage a collective, anonymized data volume for superior model training.

00:21:16: And beyond invoices, where else does AI provide those critical early warnings?

00:21:20: In master data and movement data management, AI models can check historical data to predict if a similar process was successful or suggest critical data completions.

00:21:29: And importantly, these AI assistants could actively warn a user before they even save a document if an exception is foreseen.

00:21:36: So the system becomes a real-time preventative assistant.

00:21:39: Exactly.

00:21:39: It reduces error rates dramatically.

00:21:41: Okay, if the CCOE manages the technology, they absolutely have to manage the financial time bomb hidden in the contract fine print.

00:21:49: SAP licensing is, well, it's a continuous source of conflict.

00:21:53: It's evolved into a complex science, really.

00:21:56: It's driven by fundamental changes in product and license metrics when you switch to Sforena, which creates immense cost risks.

00:22:03: And the move to the cloud makes the calculation even more complicated, especially with full-use equivalents.

00:22:09: Yes.

00:22:09: Full-use equivalents, or FUE, are central to cloud migration.

00:22:13: They're weighted factors used to convert your on-prem user count into a cloud metric.

00:22:19: But the biggest area of uncertainty right now is around the new Sforena user license types, professional, functional and productivity use.

00:22:26: What's

00:22:26: the confusion?

00:22:27: The fundamental confusion is whether licensing should be based on actual usage, what a user actually clicked on, or just on the granted authorizations assigned to them.

00:22:36: And that's where the technical definition just clashes violently with the commercial reality.

00:22:41: It is the critical conflict that costs customers so much money.

00:22:44: SAP tends to view roles as collection objects.

00:22:47: But if licensing is based on authorization, it forces customers to meticulously cut roles small for every user, just to avoid being charged for a function they could perform, even if they never use it.

00:22:58: So given this complexity, the CCOE, the CIO, the CFO, they have to get ahead of this.

00:23:03: Transparency is the only defense.

00:23:05: Exactly.

00:23:06: Before any formal SAP audit, like the Star Service, customers have to proactively establish total transparency in their usage.

00:23:14: You have to seize that opportunity to optimize your role concepts to be license-compliant and cost-effective.

00:23:19: You can't negotiate what you don't measure.

00:23:21: Precisely.

00:23:22: And specialized tools like SAP License Intelligence are essential to remove the guesswork.

00:23:28: They'll let you simulate an SAP audit based on your authorizations and compare that against actual usage data.

00:23:34: They identify the most promising role changes and simulate the exact financial effect.

00:23:38: So the CTOE can go into a negotiation with data, not just hope.

00:23:42: That's the goal.

00:23:42: Another really contentious issue is the database itself, the perception of double licensing for H&A.

00:23:48: This drives many CFOs to despair.

00:23:50: The CPOE has to be prepared to argue against double licensing, especially with the dual costs for HANA.

00:23:56: The perception is you're paying a premium for the application, and then another huge fee just for the database it runs on.

00:24:02: A database

00:24:03: you have no choice but to use.

00:24:04: Right.

00:24:04: HANA became a technical, commercial, and strategic success for SAP, leading to a strong vendor lock-in.

00:24:11: The CQE needs the data and the arguments to push back effectively.

00:24:15: And for customers who try to do this analysis themselves without direct SAP support, it sounds incredibly manual.

00:24:21: It

00:24:21: is.

00:24:22: It's complex, time-consuming, and resource-intensive.

00:24:25: The CQE staff has to manually classify every single user role.

00:24:29: Then they have to run the USMM transaction to measure technical usage, then manually assign price lists, and finally manually calculate the full-use equivalent demand based on complex weighting factors.

00:24:39: That final calculation step.

00:24:41: That sounds like we're all the potential for human error and financial miscalculation lives.

00:24:45: It highlights why automated tools are becoming a necessity.

00:24:48: They

00:24:48: really are.

00:24:49: Now, security.

00:24:51: It has completely transcended being just an IT task.

00:24:54: It's a core business resilience driver and an absolutely critical duty of the CCOE.

00:25:00: SAP systems manage central business processes.

00:25:02: They store your intellectual property.

00:25:05: Maintaining the highest security level is just non-negotiable.

00:25:08: The threat landscape has fundamentally changed.

00:25:11: Cybercrime isn't opportunistic anymore.

00:25:13: It's a professionalized, efficient business model.

00:25:15: ransomware as a service.

00:25:17: That is the critical reality the CCOE faces.

00:25:20: Successful cyber attacks cost companies an average of four point eight million dollars per incident.

00:25:25: And the hackers are focused on disruption.

00:25:28: Eighty-six percent of attacks aimed to paralyze business operations.

00:25:31: And

00:25:31: data theft can start within the first hour.

00:25:33: It can.

00:25:34: So if absolute security is an illusion, the CCOE has to focus on something achievable.

00:25:39: Cyber resilience.

00:25:40: Which is a holistic strategy.

00:25:42: Right.

00:25:42: It combines business continuity, data security, and failure resistance.

00:25:46: It ensures the business can keep operating and recover quickly despite a successful attack.

00:25:51: And this resilience rests on four non-negotiable pillars.

00:25:53: Okay, what are they?

00:25:54: One, identification.

00:25:56: Knowing all your critical business processes in IT systems.

00:26:00: Two, planning.

00:26:02: Having fully tested emergency plans.

00:26:04: Three, infrastructure, ensuring robust technical infrastructure, especially redundancy.

00:26:09: And four, crisis management, thorough preparation and training.

00:26:14: That preparation even extends to data backups, which aren't safe anymore because attackers actively hunt them down and compromise them.

00:26:20: That's a crucial evolution.

00:26:22: the old three two one rule three copies two media one offsite it's not enough against modern ransomware.

00:26:28: you now need the three two one one principle.

00:26:31: okay what's the extra

00:26:32: one one copy that is completely disconnected from the network an immutable air gap for recovery and you have to regularly test these backups and your emergency plans.

00:26:40: it's mandatory to build that crisis routine.

00:26:42: So the CCOE needs to enforce security not just at the network perimeter, but right down at the application layer, especially with user access.

00:26:48: Consistent

00:26:49: authorization concept is fundamental.

00:26:51: We already talked about how uncontrolled roles lead to high license fees.

00:26:54: They also lead to massive security caps by giving users excessive rights.

00:26:58: And how does the CCOE maintain a stable security posture in a system that's constantly changing?

00:27:03: Through continuous monitoring and regular automated security audits of system configurations.

00:27:08: automated detection and implementation of security hotfixes, patching all SAP components, it's all vital.

00:27:16: And there are specialized tools for this.

00:27:17: There are.

00:27:18: Solutions like Security Bridge and Protect Forests exist to automate and simplify SAP cybersecurity, offering real-time attack detection and protection against zero-day vulnerabilities.

00:27:28: We should also address the subtle risk customers introduce when they upload diagnostic data to their vendors.

00:27:33: Yes, diagnostic data logs, protocols, traces, they're often uploaded for support.

00:27:39: This creates a huge security and data privacy risk.

00:27:42: It's often totally unclear who at the vendor has access to this potentially sensitive data.

00:27:47: So what mitigation steps should the CCOE be taking?

00:27:50: Proactive measures.

00:27:51: Most critically, the anonymization of sensitive data within those logs before you upload them have to strip out or obfuscate user IDs, IP addresses, customer names, anything that could tie a system log back to a person or a business detail.

00:28:04: And you have to tell your cyber insurers about it.

00:28:06: You must inform them about the measures you've taken to minimize the risk of coverage restrictions if a breach happens that stems from that diagnostic data.

00:28:15: Now, the modern SAP landscape, especially BTP and Hybrid Cloud, it relies so heavily on open source.

00:28:22: That's a huge innovation driver.

00:28:24: but it introduces supply chain vulnerabilities.

00:28:27: It does.

00:28:28: The CCOE has to treat open source components with the same, if not greater, security diligence as commercial software.

00:28:36: You have to monitor the infrastructure and the use of non-approved open source components because attacks on software value chains are increasing.

00:28:43: But the benefits of open source are clear.

00:28:45: Oh, absolutely.

00:28:46: The transparency, the open interfaces, they help you dissolve IT silos and avoid vendor lock-in.

00:28:51: That flexibility is increasingly crucial as geopolitical tensions drive the need for total control over data and technology data and AI sovereignty.

00:28:59: This is an urgent focus area for the CCO.

00:29:02: European companies, especially in Germany, are increasingly demanding control over their data, their infrastructure, and even their AI models, the concept of sovereign AI.

00:29:11: And regulatory pressure is reinforcing this focus on security from the ground up, making the CCOE responsible for compliance.

00:29:18: New

00:29:19: EU regulations like NIS-II, the Cyber Resilience Act, the AI Act, they all impose strict compliance requirements.

00:29:27: The CRA, for example, demands security by design for digital products.

00:29:31: The CCOE has to implement and monitor compliance.

00:29:34: So with the AI Act, you can't just treat an AI model as a black box anymore.

00:29:39: Not at all.

00:29:39: You have to ensure security by design and be able to audit and document the entire lifecycle of any model you use in your core processes.

00:29:46: So combining flexibility and security brings us back to the optimal target architecture for a modern CCOE, the hybrid cloud.

00:29:53: It is.

00:29:53: The ideal architecture is a hybrid cloud platform using reliable operating systems like Red Hat or SLES for SAP, often built on container platforms like OpenShift.

00:30:02: This provides high availability, multiple security layers, and maximum strategic flexibility.

00:30:08: The develop wants to deploy anywhere a model.

00:30:10: And that's what allows the CCOE to seamlessly connect mission-critical SAP systems with all the non-SAP applications.

00:30:17: Exactly.

00:30:17: Dissolving IT silos and enabling enterprise-wide automation, all while maintaining data sovereignty and regulatory compliance.

00:30:25: We've covered a substantial amount of ground today, moving from operational pain points to really existential strategic demands.

00:30:33: The central role of the SIKOE has never been more complex, but it's also never been more vital.

00:30:37: It is the central hub required to navigate this entire era of transformation.

00:30:42: The mandate demands mastery across technical automation and base sys.

00:30:46: strategic platform used with RISE and BTP, sophisticated commercial risk management for licensing.

00:30:52: And a robust defense to ensure cybersecurity and resilience.

00:30:56: The shift to S-IV ANNA and the cloud, it's far more than a technical upgrade.

00:31:00: It truly represents a moment of decision for the business, a chance to establish a resilient, stable foundation for the future, but only if the CQE rises to that challenge of complexity.

00:31:10: And as the SAP ecosystem becomes more open with BTP, data sphere, the embrace of open source, the sheer variety of solutions just grows exponentially.

00:31:20: This increased choice offers enormous potential, but it also requires focused expert guidance from the CCRE to manage the risks we've outlined.

00:31:28: And we've also noted that relying purely on external managed services or the perceived simplicity of rise can create a basis knowledge gap internally.

00:31:37: Customers often say they want more personal contact and local experts when problems come up.

00:31:42: which leaves us with a provocative question for you, the listener, to consider as you play in your journey.

00:31:46: Given the increasing complexity of integrating AI, BTP, and new security regulations like the EU-AI Act, how much of your CCOA's core competence that highly specializes hard-won knowledge can you truly afford to outsource without ultimately jeopardizing your competitive advantage and your strategic control?

00:32:03: Thank

00:32:03: you for your interest.

00:32:04: That was the E-three podcast on the E-three cover story for December, twenty-twenty-five and January, twenty-twenty-six.

00:32:11: the CCOE experiment, the Customer Center of Expertise in Transition to a Strategy Center, and two more event announcements.

00:32:18: On April twenty-second and twenty-three, twenty-twenty-six, the SAP Communities Steampunk and BTP Summit will take place in Heidelberg, Germany, and on June tenth and eleven, twenty-twenty-six, the SAP Communities Competence Center Summit will take place in Salzburg,

00:32:33: focusing

00:32:33: on the topics of this E-three podcast on the tasks of the Customer Center of Expertise.

00:32:38: Thank you and see you again at the next E-III Discourse.