The lock on your IT door.
A security leak will not get out of control that fast... would it? ... Do you recognize this state of mind? Just the fact that you have not yet identified a security breach within your organization does not mean that your environment is actually secure.
It is not a matter if a security vulnerability arises within your organization, but only the question of when. Technology refinement in hacking techniques, expansion of hacking motives (from the original financial to the current often social, political or strategic) have resulted in organizations that are increasingly confronted with major security risks.
Organize your defense upfront.
Every organization needs an information security program to protect its systems and assets. A good security program is characterized by proactivity in closing (possible) security gaps because ignorance is never blissful. Certainly in an integrated ERP environment such as SAP.
Performing an accurate assessment of your current security operations and their maturity can be extremely difficult if you do not know what or how to assess this; often this assessment is only the starting point. Ultimately, senior management expects adequate security targets to be set and a robust plan for the way in which they will be achieved.
Start small but do start
Effective IT management approaches their security strategy from the realization that attacks on their organization will occur. Building a strategy around this assumption allows the security team to recognize and understand the gaps in the current approach and to become proactive versus reactive. For example, applying data encryption, preventing (too) many SAP authorizations or the first steps towards a security certification.