SAP Security Has the Board’s Attention—Now What?

Key Takeaways

  • SAP security has gained visibility in the boardroom, but a lack of translation from technical terms to business impact hinders decision-making.
  • AI introduces both opportunities and challenges in SAP risk discussions, but organizations struggle with how to pivot their approaches effectively.
  • Effective communication about cyber risks requires translating technical details into business consequences to ensure prioritization and influence executive decisions.

SAP security has reached the boardroom. What it still struggles to do is shape decisions.

That gap defines the work Asha Vartak has navigated for years at the intersection of SAP security, enterprise risk, and business decision-making. Now Director of Cyber Security and Risk Management at Bayer, she has worked across security and risk roles in global SAP environments, where technical accuracy does not guarantee executive action.

In this interview, Vartak reflects on why awareness alone has not closed that gap. Executives are willing to engage on cyber risk, particularly in SAP landscapes that underpin finance, supply chains, and regulated operations. Yet those conversations often stall when risks are not translated into business impact and prioritization.

The pattern she describes is familiar: Boards rarely dismiss cyber risk, but they act on what they can clearly understand.

SAP Security Still Struggles to Drive Action

SAP security is no longer invisible to the business. The shift from “IT security” to “cybersecurity” has opened doors that once stayed firmly closed.

Vartak traces that change through the evolution of the function itself. Early in her career, security conversations were buried in infrastructure and networking discussions, removed from business priorities. Over time, the language changed—from IT security to information security, then to information risk management, and back to cybersecurity—each step making the topic more legible to nontechnical stakeholders. As she puts it, the change in terminology mattered because it changed who was willing to listen.

“When I was doing IT security at that time, no business wanted to talk to you,” she said. “Today, the word cybersecurity itself has a lot of awareness to it. At least the business is willing to open the doors.”

That increased visibility, however, has not solved the harder problem. Business leaders may now engage with cyber discussions, but they still struggle to act on them when risks are framed in technical terms rather than business consequences.

Vartak sees this play out across industries, where security concerns are raised in technically correct terms, but without the business context needed to influence decisions. The issue is not denial. It is relevance.

“At the end, they just want to know: how does it impact my business?”

Vartak sees SAP adding another layer of complexity. For years, cybersecurity and SAP programs evolved in parallel, rarely intersecting in meaningful ways. Security was something applied to SAP, not something discussed as part of SAP’s value proposition. She argues that separation is now starting to erode, driven largely by practitioners who see security as inseparable from system reliability, data protection, and business continuity.

“SAP was always so segregated from cybersecurity,” she said. “That is changing now. In the last two years, I really see things changing.”

The result is a partial transition. SAP security has reached the boardroom, but it often arrives without the translation needed to influence prioritization. Awareness has improved. Decision-making has not always followed.

That gap—between being heard and being acted upon—sets the stage for the pressures now accelerating the conversation even further.

How AI and Regulation Complicate SAP Risk Decisions

If SAP security has become harder to ignore, AI has made it harder to defer. Vartak describes AI as the dominant force shaping risk conversations heading into 2026—not because organizations understand it, but because they can no longer avoid it.

Boards and executives recognize that AI introduces both opportunity and risk. What they lack is a clear operating model for how to respond. In her conversations with peers and business leaders, Vartak sees confidence replaced by hesitation.

“They know it’s coming, they know we have to do something,” she said. “But nobody really knows how.”

That uncertainty matters. Decisions about AI and security are often shaped by limited exposure rather than established practice, producing uneven approaches across organizations. Vartak does not frame this as failure. She treats it as reality.

Rather than replacing judgment, she sees AI as a way to improve how risk is assessed and communicated. In particular, she points to its potential to shift discussions away from generic compliance language and toward clearer business impact.

“We could leverage those capabilities to really do a more business-focused risk assessment,” she said, “to directly show what impact it can have on the business.”

AI does not arrive in isolation. Vartak situates it alongside new regulations and geopolitical shifts that are already reshaping how global companies operate. Regulatory awareness, she notes, varies widely depending on geography and footprint. Organizations with deep exposure to Europe or cross-border data flows tend to feel the pressure sooner, while others encounter it later—often abruptly.

What ties these forces together is prioritization. Global businesses face overlapping demands, limited attention, and competing objectives. In that environment, security leaders cannot assume risk will speak for itself.

“At the end of the day, it’s about prioritization,” she said. “They have a million other things besides this.”

Why SAP Risk Must Be Translated for Executives

As SAP security reaches executive decision-making, the challenge shifts from awareness to prioritization. Vartak sees this gap appear even when organizations have invested heavily in cybersecurity. Technical expertise remains essential, but it is rarely sufficient on its own. When security discussions stay rooted in technical detail, business leaders struggle to act.

“We put someone with a very technical mindset in front of the business,” she said. “They’re talking in very technical ways of protecting, and the business doesn’t really understand what they are saying.”

The problem is not lack of interest. Executives already accept that cyber risk matters. What they need is context that allows them to prioritize.

“At the end, they just want to know: how does it impact my business?”

When that translation does not happen, security discussions tend to default to compliance framing. Vartak treats that as a warning sign.

“If you have nothing valid to say, they always end up saying it’s a compliance risk.”

Her own response to that limitation was practical. Early in her career, she realized that technical depth alone was no longer enough to influence decisions. Rather than specializing further, she stepped into corporate risk management, where security was discussed alongside broader enterprise risks, planning cycles, and sustainability concerns.

That exposure reshaped how she worked. She began treating business learning as deliberate effort—preparing before conversations, spending time with finance, marketing, and operational leaders, and using informal lunches and coffee chats to understand what actually mattered to the business. Those experiences form an implicit playbook:

  • Step outside pure IT roles to understand enterprise risk.
  • Learn the business deliberately through preparation and exposure.
  • Translate risks early, knowing board messages are compressed.
  • Avoid defaulting to compliance when impact is unclear.

For Vartak, these are not soft skills or communication tricks. They are execution requirements. Without business fluency, even well-understood SAP risks struggle to compete for attention in organizations balancing countless priorities.