There is a moment in large transformation programs that outsiders almost never see. Not in the kick-off meetings, not in the beautifully designed roadmaps, and not in the steering committees. It happens later. The point where everyone involved realizes that the real challenge is not SAP, not the cloud, and not even the new processes. The real challenge is identity, access, risk, and security.A senior manager from an international transformation program once described it perfectly: βIn every ERP or cloud program we see, security becomes the topic nobody planned for – but everybody suddenly depends on.β This is exactly where PwC comes into the picture. Not as a peripheral security specialist, but right in the core of the transformation.
PwC is rarely brought in because a company says, βWe need security.β PwC is brought in when companies reinvent themselves. During carve-outs, post-merger integrations, ERP transformations, global cloud programs, and enterprise risk realignments. In all of these scenarios, the same pattern emerges. Security is not its own project. Security becomes the prerequisite that determines whether the project can succeed at all.Who is allowed to access what? How are identities managed across system boundaries? How are legacy authorization models transferred into modern platforms? How are regulatory requirements such as DORA, NIS2, KRITIS, or TISAX translated into real architectures? These are not theoretical questions. These are the issues that can suddenly slow down entire programs – or enable them to move forward.
Information security at PwC does not originate in a lab. It develops inside ongoing large-scale transformation programs, where business, IT, risk, compliance, and organizational change collide. Where traditional security concepts are no longer sufficient because ERP, cloud, deals, and organizational structures are deeply interconnected. PwC operates directly inside these programs, not from an audit perspective, but from an operational transformation perspective.A director from a global program once put it this way: βSecurity at PwC is rarely a control function. Itβs a transformation enabler.β This is what fundamentally differentiates PwC. Security is not treated as a control instance, but as an architectural component. A prerequisite for business change. A foundation for cloud architectures. A risk management factor in deals. A structural element of ERP programs.
Anyone who has worked on an SAP S/4HANA program or a global ERP consolidation knows where the real challenges lie. Not in the processes. Not in the data migration. But in role models, segregation of duties, identity management, and authorization structures across system landscapes. This is where information security reveals its true significance. And this is where PwC demonstrates exceptional strength by embedding these topics into the overall transformation instead of treating them as isolated tasks.This becomes even more visible in deals and M&A situations. When companies are merged or separated, it is not only about contracts and organizational charts. It is about systems, data domains, identities, and risks. What risks are inherited with an acquisition? How mature are existing security structures? How quickly can a secure target architecture be established? These questions have a direct impact on business success, and information security suddenly becomes a business factor.
Cloud programs show the same pattern. Many organizations focus primarily on the technical benefits such as scalability, flexibility, and modernization. PwC looks deeper into the architecture behind it. How are identities managed? How do authorization models function across cloud and on-premise environments? How are logging, monitoring, encryption, and regulatory requirements integrated properly? Not as an afterthought, but as a foundational element.This is where the topic becomes particularly interesting from a Darkgate perspective. In our daily conversations with information security professionals, we see that many of them believe they work βin security,β while in reality they are already deeply involved in business transformation without necessarily labeling it as such. PwC is one of the clearest real-world examples of how the role of information security is evolving. Away from the narrow specialist role and toward becoming an architect and contributor to enterprise transformation.
An experienced project lead once said: βAt PwC, you donβt work on security projects. You work on transformation projects where security is critical.β Information security is not viewed here as a standalone discipline, but as a cross-functional capability that appears wherever major change occurs.In times of increasing regulation, this approach becomes even more relevant. Frameworks such as DORA, NIS2, KRITIS, TISAX, and many industry-specific requirements force organizations to translate security into real, operational architectures. PwC is in a unique position because these requirements are not only understood from an audit standpoint, but from practical implementation within transformation programs. They know how to integrate regulatory demands into real projects without slowing down transformation.
For information security professionals, this creates an environment that is both broad and highly strategic. They are not working on isolated policies or controls, but inside programs that reshape entire organizations. They see how security influences real business decisions. They contribute to projects that have a direct impact on structures, processes, and systems in large enterprises.From the Darkgate perspective, this is where information security reaches its highest level of impact. Where it enables business. Where it secures transformation. Where risk and innovation meet. As a specialized recruiting and market intelligence platform, we are in constant exchange with exactly the profiles that work in these types of programs. We see firsthand how the requirements for these roles are shifting. Away from traditional security specialists and toward advisors, architects, and transformation partners.
PwC represents one of the strongest examples of how this evolution is already happening in practice. Information security is not a separate playground here, but an integral part of business transformation, enterprise risk, and technological modernization. And this connection will become even more important in the coming years. Organizations are facing massive change. Legacy systems must be modernized. Cloud becomes the standard. Regulatory requirements are increasing. Business models are evolving.In all of these developments, information security will play a central role. PwC already demonstrates what this role can look like. Not as a guardian on the sidelines, but as an active enabler of change. And that is exactly why PwC is a company worth observing closely if one wants to understand how modern information security is truly practiced inside large organizations today.
