Greg: Hi, I’m Greg Schaffer and welcome to episode forty-four, season seven of the Virtual CISO Moment. Today, we have Chris Carter. He is the Chairman and CEO of Approyo.
Greg: Chris, thank you so much for joining us today.
Chris: Thanks for having me, Greg. I’m excited.
Greg: So I’d like to start as we usually start. I’d like to hear about your history, how you got started in tech, what led you to that, and then what led you to what you’ve been doing for a long time as far as SAP support goes. And maybe you can kind of sprinkle in there a little bit about what SAP is to those of us who maybe aren’t too familiar with it.
Chris: You got it. Well, I started my career back in the nineteen eighties. I know some of the listeners may not even realize that there were a nineteen eighties — high school in nineteen eighty-seven. I left for Georgia Tech with a Commodore VIC-20 and an Apple IIe. Yes. Two dinosaurs nowadays, everybody. I get it. I know.
Chris: Heck, I was in school so late that they gave us the big floppies back in the day that we would use inside of our computers. My first job was actually as an intern at Coca-Cola, which is kitty-corner to our campus. I started working on their R/2 environment back in the day, which was a massive mainframe, punch cards and activities.
Chris: And I was lucky enough that I was working there one day when the team from SAP came in to talk to them about migrating up to, at that point, what was SAP R/3, which was on the x86. And I said, yes, I want to be a part of that.
Chris: So I started working for SAP America, went through their training. SAP is an application that companies use to run their entire organization. It’s finance. It’s warehouse management. It’s supply chain. It is, nowadays, everything including AI and artificial intelligence rolled into systems that they can use on anything from their phones and iPads to basic desktops.
Chris: It’s so important for me and why I’m so excited to be on this show — we have so much security wrapped around SAP. Literally every day I’m talking to CISOs and I’m talking to my mid-market folks, and we’re a weak indicator about what’s going on in SAP, what the changes are, what’s coming down, because there’s a lot of changes within our security suites.
Greg: So what led you to go independent? Because you’ve been running Approyo for about fourteen years now, right?
Chris: Yes. I loved being at SAP. I traveled the globe on their dime. I did a lot of projects overseas and throughout the United States. And it started getting so busy with the migrations from R/2 to R/3 that they were looking for partners. I said, “Well, I can do this.” So back in 1992, I started my first company and began working directly with them.
Chris: I did get burnt out in the early 2000s, took some time off and worked for a unicorn startup out of New York. But a VP of SAP, who I’m still good friends with and lives nearby, brought over a bottle of scotch and said, “We need you back. There’s this thing called HANA coming out.”
Chris: By the time that bottle was gone, it was already morning in Germany. We started calling people there. Twenty-four hours later I was on a plane to Walldorf, Germany, to sit down with the team about the HANA in-memory database. That was the future of SAP. I hadn’t been in the ecosystem for two years. I just wanted to decompress and help with the startup. But SAP was blowing up.
Chris: I came back at the right time. Dr. Hasso Plattner took us under his wing, and Approyo became one of the first SAP Startup Focus Program partners. That got me into every door. I started talking about HANA, cloud, AI, security — and it just exploded from there. Fourteen years now, to the day.
Greg: In complete transparency, when we first started talking and prepping for the podcast, I saw “SAP” and didn’t immediately recognize it as the company. I was confused, looking it up on ChatGPT, seeing references to Germany, etc., until the lightbulb went off. So SAP shops — or anyone using ERP software — is this typically for larger Fortune 500 companies, or do smaller businesses use it too?
Chris: Oh, geez. You can scale tremendously. Sure, you’ve got the billion-dollar companies like Exxon, Chevron, Budweiser. But I also have $10 million revenue companies running SAP. SAP realized the mid-market was the most important area to focus on. They really built out and scaled for that.
Chris: We’re a mid-market company and we use it. I know the pains. A $10 million oil and gas company — we manage their entire landscape. Security, internet, SAP, users — we do it all. Why should they have to scale up when they can still maintain their size and get the same benefits as a $20 billion company?
Greg: These systems can store a lot of sensitive, confidential business info. From a security perspective, what are some top concerns for a company with SAP in their environment? And are those concerns different for midsize vs. large corporations?
Chris: Great question. Security means different things to different orgs. In SMBs, they want everything locked down — especially SAP, which is the company of record. We built a tool years ago called Overwatch. It not only runs systems but monitors for bad agents. We monitor all SAP ports and AI connections — because attackers get in through third and fourth parties.
Chris: We also do predictive analytics. For SMBs, we secure everything — infrastructure, cloud, network gear, M365, etc. In the enterprise space, they often have multiple tools. We believe in stacking security — our tool helps, and we integrate well. You need proactive, layered defense. One compromise can create massive risk.
Greg: I need to present to the board as a CISO. What are some good KRIs (key risk indicators) for SAP? Metrics can be tricky — we don’t want to overload the board or give them irrelevant details. Does your system provide something usable?
Chris: Yes, and we use green-yellow-red just like everyone else. Key risk indicators come from action items inside SAP: traffic patterns, where it’s coming from, what data is used and how it’s handled. We monitor touchpoints into and out of SAP, and use predictive analytics.
Chris: If something hits red — like what happened six months ago when we discovered a zero-day SAP vulnerability — we alert SAP and all our customers. SAP issued a patch for all 418,000 customers within 48 hours. That’s why proactive security matters. I love talking to CISOs because it has to be a top priority — 1A or 1B.
Greg: Let’s shift to AI. Two buckets: (A) how has AI affected the threat environment for SAP, and (B) how is AI being leveraged to mitigate threats?
Chris: Great A and B questions. For B — we use AI every day in our monitoring. It predicts database spikes, traffic surges, port activity. It’s real-time, and we pair it with SAP’s “Joule” tool.
Chris: For A — attackers are using AI too. They’re constantly probing APIs. You have to monitor all traffic. You need intelligent tools that go deep — not just heartbeat checks. Port validation, spoof detection — all of that in real time.
Greg: You mentioned financial services — very mature. What’s an example of the least mature industries cybersecurity-wise?
Chris: Retail. Some are still using green screen terminals from the ’80s in warehouses. Old systems like Infor or ancient WMS modules. No upgrades, no capital investments. They just don’t realize how vulnerable that is. And eventually, the technical debt catches up.
Greg: And the C-suite gets sticker shock when they finally realize the cost. Any advice on mindset shift?
Chris: Keep updating. Budget for it. I’ve got a customer who didn’t upgrade and now has to hire someone to write legacy code just to maintain it. SAP is ending support for older modules, and if you don’t move, you pay more. Better to take small hits than a huge one later.
Greg: I noticed a Rocky Balboa quote behind you. Is that the “keep moving forward” quote?
Chris: Absolutely. “It’s not how hard you hit, it’s how hard you can get hit and keep moving forward.” Three of my clients were hit in a VMware-based breach in Canada. We weren’t responsible, but we stepped in anyway. I slept on an air mattress in my office. You just keep helping. You keep moving forward. That’s how winning is done.
Greg: That quote applies to infosec, leadership, even life. Nothing we do is easy. And it’s stressful. So how do you decompress?
Chris: Great question. I travel with my wife and daughters. One of my favorite trips was to Mount Rushmore during COVID — great family bonding. I love golf — big Ryder Cup fan. And I’m a bourbon collector. I’ve got over 100 bottles and love hosting friends and making Old Fashioneds.
Greg: Any future plans?
Chris: I’m 56 now. Approaching the twilight of my career. My goal now is to help others — whether in tech, life, or faith. I’ve written 17 books and had some bestsellers. Eventually, I’ll hand the business off and spend more time with my wife. She gave me the freedom to travel and build — now it’s her turn.
Greg: I can relate. I’m 58 and thinking similarly. But I also love what I do.
Chris: Try owning four companies! Between Approyo, other tech firms, a bar/restaurant with my wife, and writing — no wonder I’m bald and you’re not!
Greg: It’s important to slow down and enjoy life. The career is important, but giving back is what really matters.
Chris: 100% agree.
Greg: Chris, thank you so much for joining me today. Great discussion — SAP, cybersecurity, Rocky, bourbon — we covered it all!
Chris: Thanks for having me, Greg. Appreciate you.
Greg: And everybody, stay secure.