Outsourcing the Defense of the Crown Jewels
Pathlock and NTT DATA Business Solutions have announced a global strategic partnership to deliver managed SAP cybersecurity services worldwide, and the premise behind it is worth examining. SAP systems run the financial, supply chain, and human resources core of a vast number of large enterprises, which makes them simultaneously the most critical and, paradoxically, among the most underprotected systems in many organizations. The two companies are betting that enterprises will increasingly choose to outsource the security of these crown-jewel systems rather than try to build and retain the capability in-house.
Pathlock chief executive Damon Tompkins put the diagnosis bluntly: "SAP systems remain one of the most underprotected layers in enterprise cybersecurity." That underprotection is not an accident. SAP security is a deeply specialized discipline that sits awkwardly between the SAP administration team, who understand the application but not security, and the cybersecurity team, who understand security but not SAP's idiosyncratic architecture. The gap between those two competencies is exactly where attackers operate, and it is the gap this managed service is designed to close.
How the Combined Service Works
The offering pairs two complementary capabilities. Pathlock contributes its Cybersecurity Application Controls solution, which provides the SAP-specific security controls, while NTT DATA Business Solutions contributes its security operations center capabilities, the around-the-clock monitoring and response infrastructure. Together they deliver 24/7 SAP cybersecurity monitoring, threat detection, response, and governance support. The combination is logical: Pathlock supplies the specialized knowledge of what to watch for inside SAP, and NTT DATA supplies the operational muscle to watch continuously and respond when something fires.
The functional scope is comprehensive. It spans vulnerability management, code scanning, transport control, and dynamic access controls, the full range of activities needed to secure an SAP environment. Code scanning catches vulnerabilities in custom ABAP development, transport control governs how changes move between systems, and dynamic access controls manage who can do what in real time. Each of these requires SAP-specific expertise that is genuinely scarce, which is the entire commercial rationale for packaging them into a managed service rather than expecting customers to assemble the capabilities themselves.
The AI-Native Platform Underneath
The service is powered by Pathlock Nexus, which the company describes as an AI-native platform spanning identity, governance, assurance, and security. The AI-native framing reflects where security tooling is heading, with machine learning increasingly used to detect anomalies, correlate signals across noisy data, and prioritize the alerts that actually matter. In a managed service context, AI is also the lever that makes the economics work, allowing a finite team of specialists to cover a large number of customer environments by automating the routine detection and triage that would otherwise overwhelm human analysts.
There is a substantive point buried in the platform's breadth. By unifying identity, governance, assurance, and security on one platform, Pathlock is treating SAP security as a problem of who can do what and whether they should, rather than purely as a matter of detecting external intrusions. That orientation fits the reality of SAP risk, where insider threats, excessive access, and segregation-of-duties violations are often as dangerous as external attackers. A platform that ties access governance to threat detection addresses the SAP risk surface more completely than a bolt-on monitoring tool would.
The Talent Scarcity Driving Demand
The deeper market force behind this partnership is the acute shortage of specialized SAP security personnel. The skill set is narrow, the demand is broad, and the supply of practitioners who genuinely understand both SAP internals and modern security operations is thin. That scarcity makes building an in-house SAP security team prohibitively expensive and difficult to sustain for most enterprises, even those that recognize the risk. The managed service model is a direct response, pooling scarce expertise across many customers to make it economically accessible to each.
Claus Tscherner, who leads global managed services for NTT DATA Business Solutions, described the partnership as providing a "scalable SAP security service" that ensures "smooth and secure daily business operations." The scalability claim is the crux. A single enterprise cannot scale a two-person SAP security function to cover a global, 24/7 estate, but a provider amortizing specialists across a large customer base can. For enterprises facing rising SAP exposure to ransomware, insider threats, and fraud, that pooled-expertise model may be the only practical way to achieve adequate coverage given the talent reality.
A Pattern Beyond SAP
The Pathlock and NTT DATA partnership is a specific answer to an SAP problem, but it reflects a pattern that extends across enterprise security. As the technology stack grows more complex and the specialized skills required to secure each layer multiply, the talent shortage pushes more security functions toward managed services. Organizations are concluding that they cannot hire and retain specialists for every critical system, and that buying outcome-based security services from providers who concentrate the expertise is more realistic than building it all internally.
For enterprise technology leaders, the strategic question is which security capabilities to keep in-house and which to outsource, and SAP security is increasingly landing in the outsource column for the same reasons it has been underprotected: it is too specialized, too scarce, and too operationally demanding to staff internally at most organizations. The risk of outsourcing the defense of your most critical systems is real, including dependence on the provider and the need for rigorous oversight of their work. But for many enterprises, the alternative of leaving SAP underprotected is worse, and partnerships like this one are betting that the calculus increasingly favors the managed model.
