The SAP CCoE Experiment

00:00:01: The podcast accompanying the E-three cover story is a critical and constructive discussion for the SAP community from the perspective of the E-three editorial team.

00:00:09: Two AI avatars are equipped with all the sources from the E-three editorial team and explain the challenges, tasks, and pitfalls to existing SAP customers.

00:00:18: The respective topics are discussed critically but constructively, with lots of tips and tricks.

00:00:25: This episode of the E-three podcast is a summary and supplement to the E-III cover story, December, twenty-twenty-five, January, twenty-twenty-six, the CCOE experiment.

00:00:35: Event notice, on June tenth and eleven, twenty-twenty-six, the SAP Communities Competence Center Summit for Germany, Austria, and Switzerland will once again take place in Salzburg, Austria.

00:00:47: Existing SAP customers and members of the CCOE Customer Center of Expertise will meet in Salzburg, but now to the E-III podcast episode, SAPC COE experiment.

00:01:02: Welcome to the deep dive.

00:01:04: Our mission here is to really cut through the complexity of enterprise transformation.

00:01:10: and deliver what you actually need, essential, actionable knowledge directly to you.

00:01:15: Exactly.

00:01:15: And today we are focusing on what is, I think, the single greatest challenge and opportunity facing every established SAP customer right now.

00:01:24: Which is?

00:01:24: That inevitable high stakes shift toward Sforana, the cloud, and of course the aggressive automation mandates you need just to survive competitively.

00:01:32: And if you are navigating those very turbulent waters, your anchor point, the one indispensable core of this whole thing is the Customer Competence Center, the CCO.

00:01:43: Or

00:01:43: the CCC, as you'll often hear called.

00:01:45: Right.

00:01:45: And our central question today is really about defining success.

00:01:49: What specific organizational, technical, commercial, and even legal mastery must the CCO we have to secure the future SAP landscape?

00:01:58: And to be clear, all our insights for this, they're drawn directly from deep editorial research by the E Three Magazine team, curated specifically for the SAP community.

00:02:06: We've got some immense pressure points to unpack today, so we've organized this deep dive around four critical pillars that your CCOE has to master.

00:02:14: First, there's the big strategic shift, you know, dominated by the cloud and rise with SAP.

00:02:19: Then second, we have to tackle the operational frontier.

00:02:22: achieving real automation and observability in what has been a very manual SAP basis world.

00:02:28: Third, we'll look at the strategic transformation tools BTP, the whole concept of a data fabric.

00:02:34: And finally, we'll get into the tough part.

00:02:36: The notorious SAP licensing labyrinth and the absolutely critical duty of security.

00:02:41: And that CCO reel, it's no longer a peripheral function.

00:02:45: It's explicitly listed as a key management theme for the entire ecosystem.

00:02:49: Why?

00:02:50: because it's the translator layer.

00:02:51: It's what turns the strategic mandate into operational excellence.

00:02:54: Okay, so let's start there.

00:02:56: The CCOE as the core navigator in this huge transformation.

00:02:59: Let's begin with the unavoidable reality.

00:03:01: The thing that sits the clock ticking for everyone.

00:03:04: For any major enterprise using SAP software right now, the future ERP system is unequivocally S-IV HENA.

00:03:11: There's

00:03:11: no get around it.

00:03:12: No.

00:03:13: The technical and functional advantages are just too compelling to ignore long term.

00:03:17: But the path to S-IV It's anything but a straight line, is it?

00:03:22: I read that even with everyone agreeing on the destination, about a third of companies are still struggling to figure out the best way to actually get there.

00:03:30: And that struggle is completely understandable, because that choice, it locks you into a decade of work.

00:03:37: Customers are weighing the classic options, Greenfield, which is basically a complete rip and replace.

00:03:42: A

00:03:42: chance to reinvent everything.

00:03:44: Exactly.

00:03:45: Seeing Sforana as a chance for total process harmonization, or, you know, they might go the brownfield route, a purely technical conversion.

00:03:52: We're just trying to keep everything stable, preserve all your customization.

00:03:55: Preserve

00:03:56: the landscape with minimal disruption.

00:03:58: And then you see these hybrid strategies popping up.

00:04:00: The

00:04:01: blue field or orange field approaches, trying to get the best of both worlds.

00:04:04: Right.

00:04:05: They combine elements, maybe migrating one business unit via brownfield while merging new greenfield processes somewhere else.

00:04:12: And the implication here, this is the CCUE's first fundamental decision.

00:04:17: Is this S-IV migration just a technical IT project?

00:04:21: Or is it a comprehensive business project?

00:04:23: A

00:04:23: project that's meant to drive enterprise-wide change.

00:04:26: The CCOE has to lead that decision.

00:04:29: They have to.

00:04:30: So what's driving the ticking clock behind all of this?

00:04:32: Why the urgency?

00:04:34: It's SAP's own stated strategy.

00:04:36: It rests on two interconnected pillars.

00:04:39: The first is S-IV HANA itself, built on the huge performance gains of HANA technology.

00:04:44: The second pillar, and this is the one that really applies the pressure, is the aggressive expansion of their cloud-based product portfolio.

00:04:51: New functionalities, even for the core ERP, are developed and released first in the cloud.

00:04:56: Which immediately puts anyone on a legacy system at a competitive disadvantage.

00:04:59: They can't get the latest innovations.

00:05:01: And of course that twenty twenty seven deadline is still looming.

00:05:04: It is.

00:05:04: The announced end of mainstream support for business suite seven in twenty twenty seven.

00:05:09: It's a massive forcing function.

00:05:10: It compels every single company to start their transformation and reassess their entire landscape within the next few years.

00:05:16: And on the cloud, the general feeling is that long-term cloud-based SAP operations are pretty much a given.

00:05:23: Is that just marketing or is there a real shift happening?

00:05:27: It's both.

00:05:27: It's driven by vendor framing, for sure, but also genuine benefits.

00:05:31: The promise of lower TCO, greater agility, scalability.

00:05:34: That's all real, especially with the public cloud model.

00:05:36: But the COE needs to be careful.

00:05:38: Always.

00:05:38: They have to maintain nuance.

00:05:40: As of today, all operating models are equally valid.

00:05:43: On-prem, pure cloud, multi-cloud, hybrid.

00:05:46: The CCOE's job is strategic selection, not blind obedience to a trend.

00:05:50: So

00:05:51: if the CCOE is the core navigator in this really complex, multimodal world... What's its supreme mandate?

00:05:57: The CCOE is the strategic translator.

00:05:59: Its mandate is to manage that complex, often hybrid system architecture, the mix of on-prem, private cloud, BPP hyperscalers, and ensure absolute strategic alignment between IT goals and business objectives.

00:06:10: If the architecture just becomes a messy patchwork, it's the CCOE that failed to navigate.

00:06:15: Precisely.

00:06:16: That's why its role is highlighted as such a key management theme.

00:06:19: Okay, let's detail those roles a bit more.

00:06:21: First, on the business and organizational side.

00:06:24: Why is it so critical the CCOE treats this as a business project?

00:06:29: Because the risks are financial, not just technical.

00:06:32: The CCOE is responsible for harmonizing deeply customized business processes with the new standardized SAP world.

00:06:40: That requires huge organizational change management.

00:06:43: And

00:06:43: if they fail?

00:06:44: If the planning is inadequate.

00:06:45: or resources are underestimated.

00:06:47: A classic CCOE failure.

00:06:49: studies show the cost discrepancies between the plan and the final result are massive.

00:06:54: The project costs just balloon.

00:06:56: So the CCOE isn't just delivering a system, it's defining the company's roadmap for the next decade.

00:07:01: Exactly.

00:07:02: They have to provide the essential framework for the S-IV migration planning.

00:07:05: This initial phase is crucial, using tools like the business scenario recommendation, the fury apps recommendation,

00:07:11: the SAP readiness check,

00:07:12: all of that.

00:07:13: The CKOE takes the output from those tools and creates the strategic business plan.

00:07:18: Partners can give you a high-level roadmap in ten days, but only if the CKOE provides clear, well-defined strategic input first.

00:07:25: And beyond strategy, what about the concrete technical competencies?

00:07:29: What does the CKOE have to master to ensure things actually work?

00:07:33: The list is really a reflection of that hybrid future.

00:07:36: They need deep technical competence in S-IV architecture and across all the operating models.

00:07:41: On-prem, private cloud, public cloud.

00:07:44: But the foundation is still SAT basis support.

00:07:46: Absolutely.

00:07:47: But that means moving beyond traditional administration.

00:07:50: It means embracing sophisticated, continuous monitoring, comprehensive application lifecycle management, ALM, and increasingly proactive automated security measures.

00:07:59: That expertise is what prevents the transformation from stalling out.

00:08:02: All

00:08:03: right, let's pivot to that operational engine room.

00:08:05: then, the SAP basis environment.

00:08:07: This is where you see the biggest gap between strategy and daily reality.

00:08:11: It's just notorious for manual time consuming tasks.

00:08:14: It's the heart of the crisis in operational efficiency.

00:08:18: So many routine IT infrastructure tasks in SAP basis are still done by hand or or they rely on these clunky cumbersome scripts.

00:08:28: Which only gives you partial automation.

00:08:30: Right.

00:08:30: And it's easily broken.

00:08:31: It's not true.

00:08:32: end-to-end automated processes.

00:08:34: And the people who actually have the knowledge to fix this, the administrators, they're perpetually busy just putting out fires.

00:08:40: That's the time trap.

00:08:42: Your key resources, they just don't have the time or the motivation for ongoing automation development.

00:08:47: They're tied up with urgent requests, project work, and just keeping the lights on.

00:08:51: And automation

00:08:52: isn't a one and done thing.

00:08:54: Not at all.

00:08:54: That's the critical insight.

00:08:56: It's a continuous effort.

00:08:57: Scripts and operations have to be constantly validated to make sure they still work after system changes and patches.

00:09:03: If you automate it once and forget it, it will break.

00:09:06: Let's use a really painful example, system copying.

00:09:08: That is always cited as complete resource sinkhole.

00:09:11: Oh,

00:09:11: it's often described as a pseudo-project in itself.

00:09:14: A colossal time and resource-intensive task that just grinds development and testing cycles to a crawl.

00:09:19: So how do you fix that?

00:09:21: You need specialized tools.

00:09:23: Things like blue copy from Imperius, for instance, which promise end-to-end automation of the entire system copy lifecycle.

00:09:29: What does end-to-end actually cover, though?

00:09:31: It's more than just a database transfer, right?

00:09:34: Oh, much more.

00:09:34: It covers all the necessary steps fully automatically.

00:09:38: The database restore all the post-copy activities, and importantly, the critical BDLS runs.

00:09:44: And

00:09:44: let's clarify BDLS business data logical system.

00:09:47: That's the required step to update all the logical system names, so the data actually points to the new copied system correctly.

00:09:54: Exactly.

00:09:55: Without tools, it's a manual error-prone nightmare.

00:09:58: And crucially, that end-to-end automation also has to include GDPR-compliant anonymization of sensitive data, which makes the refresh safe for your test and dev environments.

00:10:09: And the speed gains from this are just transformative.

00:10:11: I remember reading an anecdote about an HR system refresh that was unbelievably fast.

00:10:15: Wait until you hear the real figures.

00:10:18: We have real-world examples cited, like full refreshes of an HR system completed in a net, twenty-three minutes.

00:10:24: Twenty-three minutes?

00:10:25: That's astonishing.

00:10:27: In the old world, refreshing a large HR system could easily take up half a week of a base's admins time.

00:10:33: How is that even possible?

00:10:34: It's the convergence of efficient software and the underlying technology.

00:10:39: The speed comes from leveraging modern storage, for instance.

00:10:42: Tools built on platforms like NetApp can use highly efficient snapshot and cloning capabilities.

00:10:47: So you can do multiple refreshes per week?

00:10:49: Yes.

00:10:50: During project crunch times, regardless of whether you're on R-three or S-four, Your developers and testers always have reliable, up-to-date starting points.

00:10:59: That's the definition of operational agility.

00:11:02: So, moving from automation to visibility, how does the CCA key gain the confidence that this new, automated hybrid environment is actually running smoothly?

00:11:12: Well, often the basis team suffers from a monitoring deficit.

00:11:15: They need to know what's happening at the business process level, but traditional tools like the good old SAP Solution Manager.

00:11:22: It often fails to provide the full picture.

00:11:25: The problem is a lack of shared telemetry data, unified tools, consolidated dashboards.

00:11:30: It forces them into manual error resolution, jumping between different screens.

00:11:35: So the goal is to move beyond just checking if the system is up toward true observability.

00:11:40: Flexly,

00:11:41: observability at the infrastructure level, the app servers, databases, hosts, that's critical to quickly finding areas that impact the business.

00:11:49: If resource overload hits the application server, the CCOE needs to know immediately and find the root cause in minutes, not hours.

00:11:57: And the complexity of the SAP stack makes that visibility just inherently difficult.

00:12:01: It does.

00:12:01: You've got so many potential points of failure.

00:12:03: Resource overload, database issues, errors in integration layers like IDOC or RFC, slow fury performance, external system integration.

00:12:11: It's

00:12:11: a labyrinth.

00:12:12: It is, and it's made worse by a multitude of specialized monitoring agents and proprietary tools.

00:12:17: It prevents continuous end-to-end monitoring at the transaction and business process level.

00:12:22: This sounds like a really fundamental strategic issue that the community is trying to solve right now.

00:12:27: It is.

00:12:27: The upcoming CC Summit topics for twenty twenty-five specifically list Solman, Cloud ALM, and SAP Monitoring.

00:12:34: That confirms this is a central discussion point for CCOEs everywhere.

00:12:38: SAP Cloud ALM is the newer tool and it's designed to support implementation and operations and it can integrate with on-prem landscapes.

00:12:46: But the market is looking for more.

00:12:48: Yes, solutions like New Relic, which focus on centralizing telemetry.

00:12:52: They illustrate the market's need for better observability that goes beyond siloed SAP tools.

00:12:57: Okay, let's talk about software quality and delivery speed.

00:13:01: So many companies, even after a big update, fall into this long, incredibly expensive post-go live phase.

00:13:07: Ah,

00:13:08: the notorious hypercare phase.

00:13:10: It's a costly period, sometimes up to three months, where you keep high-priced experts on retainer as a fire brigade just in case something breaks.

00:13:16: Over ninety percent of SAP customers do this.

00:13:19: Think about the stress of that.

00:13:20: Retaining a high-priced fire brigade for ninety days just hoping nothing goes wrong.

00:13:25: That's why automated testing isn't a nice to have.

00:13:27: It's essential financial risk mitigation.

00:13:29: Absolutely.

00:13:31: Those defects could have and should have been caught and avoided with thorough continuous automated testing beforehand.

00:13:37: The CCOE needs to move from that costly reactive model to a proactive automated software delivery pipeline to DevOps.

00:13:44: So what does SAP offer to help professionalize that continuous testing?

00:13:48: They've

00:13:49: got a sophisticated testing stack.

00:13:51: For deep process functionality, there's SAP Enterprise Continuous Testing by Tricentis.

00:13:56: It provides end-to-end business process tests, covering SAP and third-party systems, and they claim automation rates up to ninety percent.

00:14:03: and for the user experience.

00:14:05: For that, there's SAP load testing by Tricentis.

00:14:08: It provides scalable performance tests specifically for the Fiori UX and modern cloud apps like SuccessFactors and Ariba.

00:14:15: This level of automation drastically reduces the risk of business interruption.

00:14:19: But DevOps is more than just testing, isn't it?

00:14:21: It's about automating the entire basis lifecycle.

00:14:24: It's

00:14:24: about automating day two operations.

00:14:26: The CCOE has to adopt DevOps practices using configuration management tools like Ansible.

00:14:32: They're crucial for automating routines like patch and cluster management.

00:14:35: And this is extending beyond just infrastructure.

00:14:38: Way beyond.

00:14:38: It's moving deep into process automation within the SAP application's casks.

00:14:43: Like managing user rights, creating standard users, executing routine financial processes.

00:14:48: So we're blurring the lines between infrastructure automation and functional application management.

00:14:53: Precisely.

00:14:54: And when you combine RPA robotic process automation with Ansible, you can automate the SAP GUI directly from a central platform.

00:15:01: This bridges IT silos, eliminates manual data handling, and enables entirely new real-time end-to-end processes for the business.

00:15:09: Okay, let's shift from the operational nets and bolts to the big strategic direction from SAP and the tools the CCAOE has to leverage.

00:15:16: Right.

00:15:16: And the major strategic push has been RISE with SAP.

00:15:20: What's the fundamental value proposition for a customer committing to that?

00:15:24: RISE designed to tackle those two big pressures at once, the Sforina transition and the move to the cloud.

00:15:31: It's branded as business transformation as a service.

00:15:33: And it does deliver undeniable benefits, scalability, faster updates, a clean operational environment.

00:15:39: But for large established customers, the reality on the ground isn't always that seamless.

00:15:44: What are the challenges people report?

00:15:46: That's the hidden challenge.

00:15:48: It's often described as a corset or a corset.

00:15:51: It provides structure, but it also imposes long-term commitments and restricts flexibility.

00:15:57: It can minimize competitive advantages that depend on unique customized processes.

00:16:02: And I've

00:16:02: heard that big companies often report a missing level of service.

00:16:06: They do, especially when implementing external applications or customizations under the RISE framework.

00:16:12: And the myth that RISE saves you from needing an internal SAP basis expertise is particularly dangerous.

00:16:17: That feels like a major trap.

00:16:19: It is, because SAP requires precise technical specifications during implementation, even with a managed service like RISE.

00:16:26: Without internal or external basis experts to define those specifications, which is tough with the skilled labor shortage, companies face hard to calculate costs and application problems later on.

00:16:36: So moving on to the innovation platform, BTP, the business technology platform, it feels unavoidable for customers moving into the S-IV world.

00:16:44: BTP is the platform for innovation and survival.

00:16:47: The core philosophy is the clean core strategy.

00:16:50: Your S-IV HANA digital core should be standardized.

00:16:54: All the necessary individualization, all your extensions have to happen outside.

00:16:58: on BTP.

00:16:59: The paradigm is never without BTP.

00:17:02: Exactly.

00:17:03: Extensions should be implemented using Steampunk, the AD-AD environment, on BTP, using modern tech like RAP and KP.

00:17:09: And this isn't just for new S-IV customers.

00:17:12: Even legacy ECC-Six-Point-O customers can use BTP in a side-by-side scenario to future-proof their innovation.

00:17:18: So BTP is the basis for modernizing the entire SAP ecosystem, shifting it to a true cloud architecture.

00:17:24: Absolutely.

00:17:25: It supports cloud-native models like containers, and microservices.

00:17:28: And crucially, BTP is the key enabler for integrating highly heterogeneous landscapes, SAP, and non-SAP applications, like Microsoft Office, or Teams.

00:17:38: It finally resolves that classic problem of IT silos.

00:17:40: OK,

00:17:40: let's talk about data.

00:17:42: Data quality and data volume are so often cited as the biggest roadblock to a S-BOR transformation.

00:17:46: The data challenge is existential.

00:17:49: Business critical data has to be quickly and scalably usable.

00:17:53: But the shift to S-IV is so often hindered by massive amounts of historical data, often with just terrible quality, incomplete, faulty duplicate data that's piled up for years.

00:18:04: And SAP's answer to this is the data fabric concept.

00:18:07: That concept is materialized in SAP DataSphere.

00:18:10: It's the next generation of data warehouse cloud built on BTP.

00:18:14: and it is explicitly defined as a data fabric.

00:18:17: Designed to manage business data and provide timely, meaningful information with all the business context and logic intact.

00:18:24: Which is critical because competitors like Databricks and Snowflake are really increasing the pressure.

00:18:29: They

00:18:30: are.

00:18:30: The CCOE has to champion a unified high-quality data strategy.

00:18:34: Datastere provides the services for integration, cataloging, modeling, everything data experts need while keeping that business context.

00:18:42: That addresses the strategic use of data, but what about all the historical data that you're legally required to keep but that doesn't belong in your new lean S-IV system?

00:18:50: That is the crucial blind spot of so many transformation projects, managing the legacy systems after go live.

00:18:58: A lot of companies just accept they have to keep their old ECC systems running for years just to access historical data.

00:19:04: It's a massive long-term cost and the security liability.

00:19:07: So the CCOE has to proactively separate that historical data.

00:19:11: How do you do that efficiently?

00:19:13: The strategic approach, supported by platforms like GIVS-IMP, is the consistent separation of historical from operational data.

00:19:22: The one-click transformation idea.

00:19:24: by extracting and archiving historical data separately.

00:19:27: The new S-IV system stays lean, the migration task gets smaller, and the operating costs for the old systems can often be cut by a staggering eighty percent.

00:19:35: That

00:19:35: sounds like a fundamental win for the CCOE.

00:19:37: What's the big strategic benefit?

00:19:39: It gives you crucial decision freedom.

00:19:41: independence from legacy burdens.

00:19:43: You maintain full legal compliance, retention is guaranteed, and you still have seamless access to all the old data, each of the source systems are completely shut down.

00:19:50: Let's

00:19:51: talk about automation and business processes with governance tools and low-code platforms.

00:19:55: Where does Signavio fit in?

00:19:57: For defining, modeling, and optimizing business processes, SAP Signavio is the critical tool for a CCOE.

00:20:04: It's for business process management, BPM, enabling continuous control, optimization, and even cross-company comparison of process efficiency.

00:20:14: And its capabilities are extending into some non-traditional metrics.

00:20:18: now, right?

00:20:18: That's the cutting edge.

00:20:20: Signavio now allows you to natively integrate sustainability into your business processes, so you can design and optimize your processes while factoring in criteria like CO² footprint or recycling requirement.

00:20:32: It's

00:20:32: essential for manufacturing companies.

00:20:34: Absolutely.

00:20:35: Now, turning to development, SAP Build is designed to tackle the skilled labor shortage by empowering citizen developers.

00:20:41: The low-code, no-code platform.

00:20:43: Yes, built on BTP.

00:20:45: It enables users with minimal technical knowledge to extend applications and automate processes.

00:20:50: The German-speaking user group DSAG welcomes it as a way to reduce shadow IT.

00:20:55: But they also had a strong word of caution, didn't they?

00:20:57: They did.

00:20:58: They emphasized that SAP Build is not a replacement for classic deep software development.

00:21:03: Its practical depth still needs to be proven, and the CCOE has to govern these new tools to avoid just creating new silos of shadow IT.

00:21:12: Finally, let's look at AI and machine learning in core SAP processes.

00:21:16: Where are we seeing the most immediate, impactful automation gains?

00:21:21: Invoice processing is the classic example.

00:21:23: AI models can understand invoices, suggest creditors and account assignments, and proactively detect anomalies or fraud.

00:21:30: And these models get much better in cloud environments.

00:21:33: They do, because machine learning models improve faster with more data sets.

00:21:37: So they're optimally deployed in public cloud solutions, where the system can leverage a collective, anonymized data volume for superior model training.

00:21:45: And beyond invoices, where else does AI provide those critical... early warnings.

00:21:49: In master data and movement data management, AI models can check historical data to predict if a similar process was successful or suggest critical data completions.

00:21:58: And importantly, these AI assistants can actively warn a user before they even save a document if an exception is foreseen.

00:22:04: So the system becomes a real-time preventative assistant.

00:22:07: Exactly.

00:22:08: It reduces error rates dramatically.

00:22:10: Okay.

00:22:10: If the CCOE manages the technology, they absolutely have to manage the financial time bomb hidden in the contract fine print.

00:22:18: SAP licensing is, well, it's a continuous source of conflict.

00:22:22: It's evolved into a complex science, really.

00:22:25: It's driven by fundamental changes in product and license metrics when you switch to S-forena, which creates immense cost risks.

00:22:32: And the move to the cloud makes the calculation even more complicated, especially with full use equivalents.

00:22:37: Yes.

00:22:38: Full use equivalents, or FUE, are central to cloud migration.

00:22:42: They're weighted factors used to convert your on-prem user count into a cloud metric.

00:22:47: But the biggest area of uncertainty right now is around the new S-forena user license types, professional, functional, and productivity use.

00:22:55: What's

00:22:55: the confusion?

00:22:56: The fundamental confusion is whether licensing should be based on actual usage, what a user actually clicked on, or just on the granted authorizations assigned to them.

00:23:05: And that's where the technical definition just clashes violently with the commercial reality.

00:23:10: It is the critical conflict that costs customers so much money.

00:23:13: SAP tends to view roles as collection objects.

00:23:16: But if licensing is based on authorization, it forces customers to meticulously cut roles small for every user, just to avoid being charged for a function they could perform, even if they never use it.

00:23:27: So given this complexity, the CCOE, the CIO, the CFO, they have to get ahead of this.

00:23:32: Transparency is the only defense.

00:23:34: Exactly.

00:23:35: Before any formal SAP audit, like the Star Service, customers have to proactively establish total transparency in their usage.

00:23:42: You have to seize that opportunity to optimize your role concepts to be license compliant and cost effective.

00:23:48: You can't negotiate what you don't measure.

00:23:50: Precisely.

00:23:51: And specialized tools like SAP License Intelligence are essential to remove the guesswork.

00:23:56: They let you simulate an SAP audit based on your authorizations and compare that against actual usage data.

00:24:02: They identify the most promising role changes and simulate the exact financial effect.

00:24:07: So the CTOE can go into a negotiation with data, not just hope.

00:24:10: That's the goal.

00:24:11: Another really contentious issue is the database itself, the perception of double licensing for HNA.

00:24:16: This drives many CFOs to despair.

00:24:19: The CPOE has to be prepared to argue against double licensing, especially with the dual costs for HANA.

00:24:24: The perception is you're paying a premium for the application, and then another huge fee just for the database it runs on.

00:24:31: A

00:24:31: database you have no choice but to

00:24:33: use.

00:24:33: Right.

00:24:34: HANA became a technical, commercial, and strategic success for SAP, leading to a strong vendor lock-in.

00:24:40: The CQE needs the data and the arguments to push back effectively.

00:24:44: And for customers who try to do this analysis themselves without direct SAP support, it sounds incredibly manual.

00:24:50: It is.

00:24:50: It's complex, time-consuming, and resource-intensive.

00:24:53: The CQE staff has to manually classify every single user role.

00:24:57: Then they have to run the USMM transaction to measure technical usage, then manually assign price lists, and finally manually calculate the full-use equivalent demand based on complex weighting factors.

00:25:08: That final calculation step.

00:25:09: That sounds like we're all the potential for human error and financial miscalculation lives.

00:25:14: It highlights why automated tools are becoming a necessity.

00:25:17: They really aren't.

00:25:18: Now, security.

00:25:20: It has completely transcended being just an IT task.

00:25:23: It's a core business resilience driver and an absolutely critical duty of the CCOE.

00:25:29: SAP systems manage central business processes.

00:25:31: They store your intellectual property.

00:25:33: Maintaining the highest security level is just non-negotiable.

00:25:37: The threat landscape has fundamentally changed.

00:25:40: Cybercrime isn't opportunistic anymore.

00:25:42: It's a professionalized, efficient business model.

00:25:44: ransomware as a service.

00:25:46: That is the critical reality the CCOE faces.

00:25:49: Successful cyber attacks cost companies an average of four point eight million dollars per incident.

00:25:54: And the hackers are focused on disruption.

00:25:56: Eighty-six percent of attacks aimed to paralyze business operations.

00:26:00: And data theft can start within the first hour.

00:26:02: It can.

00:26:03: So if absolute security is an illusion, the CCOE has to focus on something achievable, cyber resilience.

00:26:09: Which is a holistic strategy.

00:26:10: Right.

00:26:11: It combines business continuity, data security, and failure resistance.

00:26:15: It ensures the business can keep operating and recover quickly despite a successful attack.

00:26:19: And this resilience rests on four non-negotiable pillars.

00:26:22: Okay, what are they?

00:26:23: One, identification, knowing all your critical business processes and IT systems.

00:26:29: Two, planning, having fully tested emergency plans.

00:26:32: Three, infrastructure, ensuring robust technical infrastructure, especially redundancy.

00:26:38: And four, crisis management, thorough preparation and training.

00:26:42: That preparation even extends to data backups, which aren't safe anymore because attackers actively hunt them down and compromise them.

00:26:49: That's a crucial evolution.

00:26:51: The old three, two, one rule three copies, two media one offsite.

00:26:55: It's not enough against modern ransomware.

00:26:57: You now need the three, two, one, one principle.

00:26:59: Okay, what's the extra

00:27:00: one?

00:27:01: One copy that is completely disconnected from the network.

00:27:03: An immutable air gap for recovery.

00:27:05: And you have to regularly test these backups and your emergency plans.

00:27:09: It's mandatory to build that crisis routine.

00:27:11: So the CCOE needs to enforce security not just at the network perimeter, but right down at the application layer, especially with user access.

00:27:17: Consistent

00:27:18: authorization concept is fundamental.

00:27:20: We already talked about how uncontrolled roles lead to high license fees.

00:27:23: They also lead to massive security gaps by giving users access of rights.

00:27:27: And how does the CCOE maintain a stable security posture in a system that's constantly changing?

00:27:32: Through continuous monitoring and regular automated security audits of system configurations, automated detection and implementation of security hotfixes, patching all SAP components, it's all vital.

00:27:45: And there are specialized tools for this.

00:27:46: There are.

00:27:47: Solutions like Security Bridge and Protect Forests exist to automate and simplify SAP cybersecurity, offering real-time attack detection and protection against zero-day vulnerabilities.

00:27:57: We should also address the subtle risk customers introduce when they upload diagnostic data to their vendors.

00:28:02: Yes.

00:28:03: Diagnostic data logs, protocols, traces, they're often uploaded for support.

00:28:08: This creates a huge security and data privacy risk.

00:28:11: It's often totally unclear who at the vendor has access to this potentially sensitive data.

00:28:16: So what mitigation steps should the CCOE be taking?

00:28:19: Proactive measures.

00:28:20: Most critically, the anonymization of sensitive data within those logs before you upload them.

00:28:25: You have to strip out or obfuscate user IDs, IP addresses, customer names, anything that could tie a system log back to a person or a business detail.

00:28:33: And you have to tell your cyber insurers about

00:28:35: it.

00:28:35: You must inform them about the measures you've taken to minimize the risk of coverage restrictions if a breach happens that stems from that diagnostic data.

00:28:44: Now, the modern SAP landscape, especially BTP and Hybrid Cloud, it relies so heavily on open source.

00:28:51: That's a huge innovation driver.

00:28:53: but it introduces supply chain vulnerabilities.

00:28:56: It does.

00:28:56: The CCOE has to treat open source components with the same, if not greater, security diligence as commercial software.

00:29:04: You have to monitor the infrastructure and the use of non-approved open source components because attacks on software value chains are increasing.

00:29:11: But the benefits of open source are clear.

00:29:13: Oh, absolutely.

00:29:14: The transparency, the open interfaces, they help you dissolve IT silos and avoid vendor lock-in.

00:29:20: That flexibility is increasingly crucial as geopolitical tensions drive the need for total control over data and technology data and AI sovereignty.

00:29:28: This is an urgent focus area for the CCO.

00:29:31: European companies, especially in Germany, are increasingly demanding control over their data, their infrastructure, and even their AI models, the concept of sovereign AI.

00:29:39: And regulatory pressure is reinforcing this focus on security from the ground up, making the CCOE responsible for compliance.

00:29:47: New EU regulations like NIS-II, the Cyber Resilience Act, the AI Act, they all impose strict compliance requirements.

00:29:55: The CRA, for example, demands security by design for digital products.

00:30:00: The CCOE has to implement and monitor compliance.

00:30:03: So

00:30:03: with the AI Act, you can't just treat an AI model as a black box anymore.

00:30:07: Not at all.

00:30:08: You have to ensure security by design and be able to audit and document the entire life cycle of any model you use in your core processes.

00:30:15: So combining flexibility and security brings us back to the optimal target architecture for a modern CSOE, the Hybrid Cloud.

00:30:21: It is.

00:30:22: The ideal architecture is a Hybrid Cloud platform using reliable operating systems like Red Hat or SLES for SAP, often built on container platforms like OpenShift.

00:30:31: This provides high availability, multiple security layers, and maximum strategic flexibility.

00:30:37: The DEVELOP wants to deploy anywhere

00:30:38: a model.

00:30:39: And that's what allows the CCOE to seamlessly connect mission-critical SAP systems with all the non-SAP applications.

00:30:45: Exactly.

00:30:46: Dissolving IT silos and enabling enterprise-wide automation, all while maintaining data sovereignty and regulatory compliance.

00:30:54: We've covered a substantial amount of ground today, moving from operational pain points to really existential strategic demands.

00:31:01: The central role of the SIKOE has never been more complex, but it's also never been more vital.

00:31:06: It is the central hub required to navigate this entire era of transformation.

00:31:11: The mandate demands mastery across technical automation and base sys.

00:31:15: strategic platform use with RISE and BTP, sophisticated commercial risk management for licensing.

00:31:21: And

00:31:21: a robust defense to ensure cybersecurity and resilience.

00:31:24: The shift to S-IV ANNA and the cloud, it's far more than a technical upgrade.

00:31:29: It truly represents a moment of decision for the business, a chance to establish a resilient, stable foundation for the future, but only if the CQA rises to that challenge of complexity.

00:31:39: And as the SAP ecosystem becomes more open with BTP, data sphere, the embrace of open source, the sheer variety of solutions just grows exponentially.

00:31:48: This increased choice offers enormous potential, but it also requires focused expert guidance from the CCRE to manage the risks we've outlined.

00:31:57: And we've also noted that relying purely on external managed services or the perceived simplicity of rise can create a basis knowledge gap internally.

00:32:06: Customers often say they want more personal contact on local experts when problems come up.

00:32:10: which leaves us with a provocative question for you, the listener, to consider as you plan your journey.

00:32:15: Given the increasing complexity of integrating AI, BTP, and new security regulations like the EU-AI Act, how much of your CCOE's core competence that highly specializes hard-won knowledge can you truly afford to outsource without ultimately jeopardizing your competitive advantage and your strategic control?

00:32:34: This was an E-III podcast episode from the cover story of December, twenty-twenty-five, January, twenty-twenty-six.

00:32:42: The CCOE's transformation into a strategy center is also the topic of two events, the Steampunk and BTP Summit and the Competence Center Summit.

00:32:51: The Steampunk and BTP Summit will take place on April twenty-second and twenty-three, twenty-twenty-six in Heidelberg, Germany, and the Competence Center Summit for Germany, Austria, and Switzerland will take place on June tenth and eleven twenty-twenty-six in Salzburg, Austria.

00:33:09: We look forward to welcoming you to these SAP Community Summits.

00:33:13: Secure your ticket now on the E-III magazine website.

00:33:16: Thank you for your interest.

00:33:18: See you in the next episode of the E-III podcast.