
How to explain to your grandmother that you are the guardian of a digital vault


A festive guide for SAP Security specialists afraid of the question “So what is it exactly that you do?”


Christmas is approaching. The air smells of pine, gingerbread and… fear. No, it’s not about whether the carp will be fresh, or whether Uncle Zbyszek will start on politics again over the second course. It’s about something far more dangerous.

The question.

The question that comes up every year, somewhere between the borscht and the first slice of cheesecake. It’s asked by your grandmother, your grandfather, Aunt Halinka, or Cousin Marcin, who “also works with computers, because he builds WordPress sites”.

The question goes: “So what exactly do you do at that job of yours?”

And then comes the moment. That one, magical second in which your brain performs calculations worthy of a supercomputer. How do you explain it? How do you say that you work in SAP cybersecurity without seeing that familiar look on your grandmother’s face that says “my grandson is probably doing something illegal”?

This article is for you. It’s for every SAP Security specialist who faces the same challenge every year. We’ve prepared a complete guide - step by step - on how to explain your job to every member of the family. With humour, comparisons, and without a single mention of “authorization object”.

Let’s begin.


Part one: What on earth is SAP anyway? The foundation of every Christmas Eve discussion

Before you get to explaining what SAP cybersecurity is, you first have to tackle a more fundamental question. Because when you say “I work in SAP”, most of the family will think of one of three things:

  1. That it’s some kind of illness (it does sound a bit like “I have SARS”)

  2. That it’s an acronym for something rude

  3. That it’s definitely something American, and probably illegal

So we start from the basics.

Explanation for grandmother:

“Grandma, you know your recipe notebook? You’ve got all your recipes written down there - how much of each ingredient you need, where you buy your flour, how much it cost last time. Now imagine that EVERY large company in the world keeps a notebook like that. Except this notebook is so thick it would need millions of pages. And it has to remember everything - how much money the company has, how much material is in the warehouse, who they’ve paid and how much, who they bought what from, who works for them and how much they earn.”

“SAP is that kind of magic, computerised notebook. Practically every big company you know uses it - the ones that make cars, the ones that produce medicine, the ones with huge shops. Without SAP, those companies wouldn’t even know how many screws they have in the warehouse.”

Explanation for the uncle who “also works with computers”:

“Uncle, SAP is an ERP system. Enterprise Resource Planning. Imagine a program that links accounting, warehousing, sales, procurement, HR, production and logistics into a single organism. When a company places an order with a supplier, SAP automatically checks the account balance, reserves the funds, updates the warehouse, generates the documents, and makes sure everything adds up.”

“Around 77% of the world’s financial transactions pass through SAP systems. This isn’t some little app - it’s the backbone of the global economy.”

Explanation for the cousin who builds WordPress sites:

“Marcin, you know how WordPress has plugins and a database? Well, SAP is like taking WordPress, scaling it up a million times, giving it its own programming language, its own database, its own everything, and then making it run the operations of companies whose turnover is bigger than the GDP of some countries. And all of that has to run 24/7 without a second’s interruption, because if it goes down, someone doesn’t get paid, and someone else doesn’t get their medicine delivery.”

A universal metaphor (for everyone at the table):

“SAP is a company’s nervous system. Just as your body has a brain that controls everything - your heartbeat, your breathing, your digestion - a company has SAP, which controls all its processes. And just as you wouldn’t want a stranger poking around in your brain, a company doesn’t want a stranger poking around in its SAP system.”

And that brings us smoothly to your role.


Part two: Who is a SAP Security specialist? Meet the digital security guard


Now that the family more or less knows what SAP is, you can move on to explaining your role. And this is where it gets tricky, because “cybersecurity” on its own sounds like something out of a hacker movie.

Explanation for mum:

“Mum, remember how banks have those big vaults with steel doors? And there are people who make sure who can go into the vault, who can only look through the little window, and who shouldn’t even come close? Well, I do exactly the same thing, except the vault is inside a computer.”

“That company vault in SAP holds everything valuable to it - employee data, production secrets, client contracts, financial information. I make sure that only people with the right to enter each room in that vault can actually get in. And that someone who only has the right to view documents can’t suddenly take them out or change them.”

Explanation for dad:

“Dad, you know how a factory has different zones? Some people can only enter the production floor, others the office, and only a select few the room with the safe? And there are access cards that control this? Well, I design that kind of access-card system, except it’s digital. And I make sure no one can forge their card.”

“And besides that, I look for holes. I check whether there’s an open window somewhere a burglar could get through, or whether someone accidentally left a key under the doormat. In IT, we call these ‘vulnerabilities’, and part of my job is finding them before the bad guys do.”

Explanation for grandfather:

“Grandpa, remember how you used to talk about sentries in the army? How they stood guard, making sure no unauthorised person entered the barracks? Well, I’m that kind of sentry, except I guard computers. And I don’t stand in one place - I have to check every entrance, window, door, fence, and even underground tunnels that nobody normally sees.”

“Because you see, grandpa, modern thieves don’t come through the door. They look for holes nobody thought of. My job is to think like a thief, purely to outsmart him.”

A metaphor for the whole table:

“Imagine a huge castle with a thousand rooms. Each room holds different treasures - gold in one, royal documents in another, military plans in a third. I’m responsible for making sure that only treasurers can access the room with the gold, only royal scribes can access the documents, and only generals can access the military plans. And I also have to make sure that a treasurer can’t suddenly read the military plans, just because they’re curious.”


Part three: Authorisations, or who can do what and why it’s so complicated

This is where we get to the heart of a SAP Security specialist’s job - managing authorisations. And this is where the family usually starts to get lost, because “surely it’s simple, either someone has access or they don’t”.

Oh, if only it were that simple.

Explanation for Aunt Halinka:

“Auntie, imagine you’re the director of a big hospital. You have doctors, nurses, receptionists, cleaning staff, accountants and security guards there. Should everyone have access to everything?”

“A doctor should be able to see a patient’s medical history - but should they see how much the hospital pays for electricity? A receptionist should be able to book a patient’s appointment - but should they be able to change medication dosages? An accountant should have access to invoices - but should they be able to read patients’ test results?”

“Exactly. And in SAP it’s just the same, only a thousand times over. Every employee at a company must have exactly the permissions they need to do their job - no more, no less. We call this the principle of least privilege. And believe me, auntie, getting this right for a company with ten thousand employees is not a one-day job.”

Explanation for Uncle Zbyszek (the one who talks politics):

“Uncle, think of it like a system of state secrets. There are public documents, confidential ones, secret ones, and top secret ones. Not every general has access to everything - they have access to what’s necessary for their position.”

“Now imagine you have to design a system like that for a company with hundreds of different job roles, thousands of different documents, and millions of possible combinations. And you have to do it in a way that lets people actually work normally, without going crazy from the restrictions. That’s my job.”

Explanation for the younger cousin (the gamer):

“You know how games have different roles? Tank, healer, DPS? And each role has different abilities? Well, in SAP we have something similar, except instead of abilities we have authorisations. An accountant has the ‘ability’ to create invoices, a warehouse worker has the ‘ability’ to enter stock levels, and the boss has the ‘ability’ to view reports.”

“And I’m the kind of game master who decides who gets which abilities. And I make sure nobody finds an exploit and gets permissions they shouldn’t have.”


Part four: Segregation of duties, or why an accountant shouldn’t be able to transfer money to herself


This is a concept that always sparks interest at the table - because it’s about money, and everyone understands money.

Explanation for the whole family:

“Listen, let me tell you about something we call segregation of duties. It sounds complicated, but it’s actually very simple.”

“Imagine that at a company there’s a Mrs Krysia who works in accounting. Mrs Krysia can create new suppliers in the system - she enters the company name, account number, address. Mrs Krysia can also approve bank transfers. Do you see the problem?”

(At this point someone at the table usually catches on.)

“Exactly! Mrs Krysia could create a fictitious supplier - let’s call it ‘Shell Company Ltd’ - enter HER OWN account number, and then approve a transfer to this fake entity. And nobody would notice that she had just stolen the company’s money.”

“Part of my job is making sure the system automatically detects such dangerous combinations. If someone can create suppliers, they shouldn’t be able to approve transfers. If someone can modify product prices, they shouldn’t be able to issue invoices themselves. There are hundreds of such combinations, and I have to watch every single one.”

A culinary metaphor (for grandmother):

“Grandma, it’s like cooking dinner. You wouldn’t let one person buy the ingredients AND check the receipt AND verify that everything adds up. Because that person could buy less than the receipt says and pocket the difference. That’s why, in a well-run household, one person buys, a second checks the receipt, and a third verifies that everything’s actually on the table.”


Part five: Audits and compliance, or why I sometimes fear inspectors more than hackers

Now we enter a world that is just as important as protection against hackers, but far less dramatic in the telling.

Explanation for dad (who runs a business):

“Dad, you know how a tax inspection comes round every year and you have to show all your documents? Well, imagine that for large companies, inspections like that are happening all the time. Except they’re not checking taxes - they’re checking whether the company keeps its IT systems in order.”

“In Europe we now have regulations like NIS2, DORA, GDPR… These aren’t just random letters - they’re regulations telling companies how they must take care of data security. And inspectors check whether companies comply with them.”

“My job also involves making sure the company is always ready for such an inspection. I have to document everything - who has which permissions, why, since when, who approved it. And I have to be able to show it at a moment’s notice.”

Explanation for mum:

“Mum, remember how you had to show proof at the registry office that you really live at that address? Well, I constantly have to be able to prove that the company genuinely takes care of security. That it’s not just talk, but that there are concrete procedures, documents, and logs.”

“And you know what the worst part is? One mistake in those documents can cost the company millions of złoty in fines. Or its reputation. Or both.”


Part six: Monitoring and detection, or how I find intruders

Now we move to the most “cinematic” part of the job - detecting suspicious behaviour.

Explanation for grandfather:

“Grandpa, remember those war films with the room full of maps and lights, where something happens at the front and a light comes on? Well, I have a room like that, except digital. And lights come on for me when something suspicious is happening in the system.”

“Someone logging in at three in the morning? A light. Someone trying to access the system from another country? A light. Someone suddenly downloading thousands of documents when they used to download about two a day? A big, red light.”

“And then I have to check whether it’s a real attack, or whether Kowalski from sales went on a business trip to Germany and forgot to mention it.”

Explanation for auntie:

“Auntie, it’s like being a detective. I look for patterns that don’t fit. If someone at a bank withdraws a hundred złoty every day and suddenly wants to withdraw a hundred thousand - that’s suspicious, right? It’s the same in SAP. People have their habits, their standard activities. If someone suddenly starts doing something completely different, I have to investigate.”
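The three “lights” from this part (off-hours login, activity from an unexpected country, downloads far above a user’s usual volume) run over a few constructed audit log lines, as an added example that is not code from the original post or from SNOK. The log field layout, user profiles and thresholds are assumptions made for the example, not any real SAP audit log format.

```python
"""Anomaly "lights" over a constructed SAP-style audit log.
Added example, not code from the original post or from SNOK. Log layout,
user profiles and thresholds are assumptions made for the example.
"""
from datetime import datetime

# Constructed per-user baseline: home country and usual documents per day.
PROFILES = {
    "kowalski": {"country": "PL", "docs_per_day": 2},
    "nowak":    {"country": "PL", "docs_per_day": 40},
}

# Constructed log lines, one event each: timestamp|user|event|country|count
LOG = """\
2024-12-20T09:12:03|nowak|LOGIN|PL|1
2024-12-20T09:40:11|nowak|DOWNLOAD|PL|35
2024-12-21T03:02:55|kowalski|LOGIN|DE|1
2024-12-21T03:15:40|kowalski|DOWNLOAD|DE|1500
2024-12-21T08:00:00|ghost|LOGIN|PL|1
"""

LEVELS = {"yellow": 1, "red": 2}

def parse(line: str) -> dict:
    """Split one pipe-separated log line into typed fields."""
    ts, user, event, country, count = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event,
            "country": country, "count": int(count)}

def lights(ev: dict) -> list:
    """(level, reason) pairs raised by a single event."""
    prof = PROFILES.get(ev["user"])
    if prof is None:                       # no baseline at all: always red
        return [("red", "unknown user")]
    out = []
    if ev["event"] == "LOGIN" and ev["ts"].hour < 6:
        out.append(("yellow", "login outside working hours"))
    if ev["country"] != prof["country"]:
        out.append(("yellow", f"activity from {ev['country']}, expected {prof['country']}"))
    limit = max(50, 10 * prof["docs_per_day"])   # 10x baseline, but never under 50
    if ev["event"] == "DOWNLOAD" and ev["count"] > limit:
        out.append(("red", f"{ev['count']} documents vs baseline {prof['docs_per_day']}/day"))
    return out

def review_queue(log: str) -> list:
    """Events that raised at least one light, in log order, with the highest
    level reached and the reasons, for a human to check (business trip or not)."""
    queue = []
    for line in log.splitlines():
        ev = parse(line)
        raised = lights(ev)
        if raised:
            level = max((lv for lv, _ in raised), key=LEVELS.__getitem__)
            queue.append({"user": ev["user"], "ts": ev["ts"].isoformat(),
                          "level": level, "reasons": [r for _, r in raised]})
    return queue

if __name__ == "__main__":
    for item in review_queue(LOG):
        print(item["level"].upper(), item["user"], item["ts"], "; ".join(item["reasons"]))
```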


Part seven: Incident response, or what I do when things really go wrong


Universal explanation:

“And what if someone really does break in? Well, then the real fun begins. And by ‘fun’ I mean ‘dozens of hours without sleep, phone glued to my ear, and caffeine in my veins’.”

“When we detect a genuine security incident, we have to act like a fire brigade. First, put out the fire - stop the attack, cut off the intruder. Then investigate - what exactly happened, what they had access to, what they might have stolen or altered. And then repair - patch the hole they came through, and make sure they can’t get in the same way again.”

“And finally, document it. Because remember those inspectors I mentioned? They’ll want to know exactly what happened and what we did about it.”

A metaphor for grandmother:

“Grandma, it’s like at home. Imagine you suddenly see a stranger walking around your garden. First you call the police to catch them. Then you check whether anything’s missing. Then you fix the hole in the fence they came through. And then you tell the neighbour to check her own fence too. I do exactly the same thing, just with computers.”


Part eight: Why does all this matter?

Over dessert, it’s worth summing up why this job matters. Because the family may now understand WHAT you do, but not always WHY it’s important.

Explanation with perspective:

“Listen, the SAP systems I protect contain your data. Yes, yours. If you work at a large company, your salary goes through SAP. If you buy medicine at the pharmacy, SAP was involved somewhere along the way. If you fill up your car, do your shopping at the supermarket, order a parcel - there are systems everywhere along the way that I, and people like me, protect.”

“If we didn’t do this? Hackers could steal the data of millions of people. Criminals could redirect company transfers into their own accounts. Industrial spies could steal trade secrets. Entire companies could grind to a halt because someone encrypted their systems and is demanding a ransom.”

“This isn’t science fiction. It’s really happening. Every week you hear about some company that’s been attacked. We’re here to stop these attacks - or at least minimise their impact.”


Part nine: FAQ, or the questions you’re bound to be asked

Finally, get ready for follow-up questions, because they will come.

“So you’re a hacker?”

“No, I protect against hackers. Although I admit that to protect well, I have to think like a hacker. I need to know how they attack in order to stop them. It’s like being a police officer - you have to understand how a criminal thinks in order to catch them.”

“Can you hack my ex’s Facebook?”

“In theory, I probably know how it’s done. In practice - no, because it’s illegal, unethical, and I could lose my job and end up in prison. Besides, I work on different systems.”

“So do you earn a lot?”

“Cybersecurity specialists are in high demand right now, because attacks are increasing while people capable of defending against them remain scarce. So yes, I earn quite well. But I also work quite hard - sometimes at night, sometimes at weekends, and I constantly have to learn new things.”

“Isn’t antivirus software enough?”

“Antivirus is like a lock on the door. It’s necessary, but it’s not enough on its own - not when a thief has a lockpick, can get in through a window, has a key an employee sold him, or simply knocks on the door claiming to be from the electricity company. Cybersecurity is a whole system - people, processes, technology. Antivirus alone doesn’t cut it.”

“But surely you’re exaggerating - who would want to attack some company?”

“Believe me, everyone. There are hacking groups that attack for money - encrypting data and demanding ransom. There are those that steal data and sell it to competitors. Some are state-sponsored and carry out industrial espionage. There are even those who attack ‘for sport’ - just to prove they can. No company is too small or too unimportant.”


Conclusion: A merry and safe Christmas!

And so we come to the end of our festive guide. I hope that now, when Uncle Zbyszek asks what you do, you’ll be armed with an arsenal of metaphors, comparisons and examples that will help him not just understand, but perhaps even appreciate your work.

Remember - you don’t need to use all the explanations at once. Choose the ones that fit the audience. Grandmother will better understand the comparison to a recipe notebook and a castle with a thousand rooms. The computer-savvy uncle will appreciate the technical details. The gaming cousin will understand the gaming analogies.

And above all - don’t worry if someone still doesn’t fully understand. What matters is that you try. What matters is that you explain. And what matters is that your work truly matters, even if not everyone at the Christmas Eve table can appreciate it.

At SNOK we know how important your work is. We help companies protect their SAP systems - our consultants bring more than 25 years of combined experience in the SAP ecosystem, and we understand that this is no easy task. Not technically - and not in terms of communication either.

That’s why we wish all of you - SAP Security specialists and your families - a peaceful Christmas. No security incidents. No alerts in the middle of the night. And no difficult questions at the table.

And if those questions do come up - now you know what to say.

Merry Christmas from the SNOK team! 🎄


P.S. If, after your explanations, grandmother says “That’s a very responsible job, son” - count that as a win. If she adds “And aren’t you spending too much time on that computer?” - well, some things not even the best analogies can change.


Would you like to see this in practice, or discuss implementation at your company? Get in touch - we will respond within 48 hours.

Topics: Safe Tuesday sap-security SAP S/4HANA
