When Boris Voltchenko joined Reynolds Consumer Products (RCP), he didn’t expect that a Cloud-first journey would spark a complete reimagining of enterprise security. As Chief Security Officer and VP of Infrastructure, Boris has lived through the highs and the headaches of SAP transformations—but today, he’s helping lead a shift that’s as much about mindset as it is about technology.
In a recent episode of the Lemongrass Roots podcast, Boris sat down with Lemongrass CTO Eamonn O’Neill to reflect on a multi-year journey that began with an ambitious goal: take Reynolds Consumer Products public with a new SAP landscape, hosted entirely in the Cloud.
Starting in the Cloud—With Training Wheels
Back in 2020, Reynolds Consumer Products needed to build a new SAP environment fast. Cloud was the only way forward, and AWS became their platform of choice. Lemongrass helped get them there, provisioning SAP ECC in a classic Infrastructure-as-a-Service (IaaS) model.
“There were business constraints. We had to move quickly,” Boris recalled. “It was like opening a new data center in the Cloud.”
Security was top of mind for the time, but Boris knew it was just the beginning.
“We didn’t go as far as we could in applying Zero Trust,” he admitted. “Now, with our S/4HANA and RISE with SAP migration, we’ve got a second chance.”
The Shift to Platform-as-a-Service (and a New Security Philosophy)
Today, RCP is in the thick of a move to SAP S/4HANA using RISE on AWS. For Boris, it’s not just a technical migration—it’s a strategic security reset.
“With RISE, we’re treating the environment as a Platform-as-a-Service. That’s allowing us to rethink identity and access,” Boris said.
Gone are the days of broad network-level permissions. Now, access is restricted at the user identity level using role-based permissions tied to Active Directory. “We’re moving away from the old model of ‘if you’re in the building, you’re trusted,’” Boris explained. “Now it’s ‘if your identity needs access, it gets it—nothing more.’”
1 Employee, 82 Identities
During his research, Boris came across a staggering stat from CyberArk: on average, for each human identity there are 82 non-human identities—things like IoT devices, containers, and automated processes.
“It sounds crazy, but it starts making sense when you think about cameras, scanners, bots, all of it,” he said. “And every single one of those identities needs to be managed securely.”
This was one of many ‘a-ha’ moments that convinced Boris the RISE migration wasn’t just a tech project—it was a chance to overhaul how access is managed across the enterprise.
Goodbye Copy-Paste Access, Hello Governance
One of the biggest hurdles wasn’t technical—it was cultural. RCP, like many organizations, had fallen into the trap of granting new hires the same access as their predecessor with a quick “copy from” command.
“That button was a security team’s worst nightmare,” Boris joked. “So we took it away.”
In its place? A new business role model, backed by identity governance and real-time segregation of duties checks against SAP GRC. It hasn’t been easy, but the change is already making a difference.
“We even built a Power BI dashboard,” Boris said, “where someone could type in a T-code and see what business roles it belonged to. It’s a small step, but it helps people request the right access.”
Educating the Enterprise
Boris is candid: the hardest part of all this is getting people on board. “You can’t just drop Zero Trust on an organization and expect it to stick,” he said. “It needs to be embedded into onboarding, into how roles are defined, into how job descriptions are written.”
He’s hopeful that AI might help down the road—especially in normalizing role names and mapping job descriptions to access profiles—but for now, it’s about collaboration.
“We’re training ourselves to think differently,” he said. “And it’s working.”
AI: Help or Hype?
Of course, no tech conversation in 2025 is complete without talking about AI. Boris approached the topic with caution.
“I tried to avoid the AI sessions at the Gartner conference—but it’s impossible,” he laughed
His take? AI can help, but only when applied deliberately. “It’s not a silver bullet. It can be a huge distraction if you don’t have a clearly defined problem you’re solving.”
Instead of building custom models, Boris is more inclined to look to partners: “There are vendors out there doing AI at scale. Why not leverage their tools instead of trying to build everything in-house?”
The Power of Iteration
As the conversation wrapped up, Eamonn asked Boris what advice he’d give to others starting the same journey.
His answer? Think long-term—and don’t try to run before you can crawl.
“At first, our Cloud setup looked a lot like a data center. We had to grow into it,” Boris reflected. “But each phase—migrating SAP, tightening access, modernizing provisioning—taught us something new. Now, when we approach the next stage, like PaaS, we’re ready to do it the right way.”
Even when things go wrong, the Cloud offers flexibility. Boris recounted a moment when they realized late in the process they needed to run performance testing—but hadn’t planned for it. Lemongrass quickly spun up a replica environment over a weekend using scripts, avoiding costly delays.
“That’s the power of the Cloud,” Boris said. “And of learning by doing.”
Final Word
Security isn’t a one-and-done project. It’s a mindset—and one that evolves with your technology stack. For Reynolds Consumer Products, the shift to S/4HANA and RISE has been as much about culture as it has been about code.
And for Boris, it’s a journey worth taking. “Every time you think you’ve hit the peak,” he said, “the bar moves. That’s just the nature of this space. But it’s also what makes it exciting.”
