IT security and standards are a challenge for every company. But what does the practice look like? How do internal IT departments deal with the requirements and challenges of protecting against cyberattacks, complying with data protection laws, and implementing quality standards? In our interview, we talk to Boris Conew, the head of internal IT at Sulzer GmbH, about his experiences and tips for a successful IT security strategy.
Hello Boris, which norms and standards are relevant for information security at Sulzer? What criteria are used to select and apply them?
To protect our company from an information security perspective, we apply the norms and standards that are relevant to the respective topics. In terms of IT security, these are ISO 27001, Tisax®*, and BSI IT-Grundschutz.
The selection is based on the requirements of our customers and our management. Our ISMS (Information Security Management System) is responsible for implementation and monitoring.
What challenges or difficulties have you experienced in implementing or complying with standards in internal IT, or do you anticipate in the future? How do you plan to overcome or avoid them?
The most difficult aspects usually include the correct interpretation of the standards and recognizing the point of a given standard requirement. The latter in particular leads to discussions more often. In addition, there is the need for good documentation and tracking, as well as continuous improvement of the processes. This means a lot of ongoing work, but it is necessary and makes sense.
We overcome the above challenges thanks to the support of the ISMS team and through continuous training of our teams in the area of information security.
How do you define standards in internal IT and what role do they play in the quality and security of your department’s services?
As in other areas of our company, it is also important for Internal IT to establish and live consistent processes and proven standards. The standards already help us to set the right priorities. Processes such as configuration management, patch management, incident management and change management have long been established and have been consciously lived and continuously improved for years. Quality is constantly improving, as we can see from our own evaluations of employee feedback and from the results of the annual employee survey.
What challenges does your department or you face when it comes to compliance with standards in internal IT, especially with regard to the requirements of external stakeholders such as customers, suppliers or regulatory authorities?
At the moment, our customers are the biggest challenge. As a service provider in the field of software development, we usually have to deal with strong dependencies on the IT infrastructure of our customers and especially with the highly differentiated solution approaches of our clientele. As the German saying goes, they all just cook with water, but nevertheless each of our customers has a different focus when it comes to implementing IT security. The application processes alone for obtaining the appropriate access and authorizations vary enormously, for example.
The partners with whom we jointly implement customer projects must also be empowered according to the customer’s requirements. In other words, things always look different from customer to customer.
What challenges do you face in your role as soon as there are conflicts or perhaps conflicting requirements?
As internal IT, you are constantly involved in conflicts of interest and contradictions. For example, IT's very own task is to provide our colleagues and the company with the best possible IT technology, but on the other hand we have to pay attention to standards, information security, data protection, etc. This can sometimes be contradictory.
Another example is the use of employees' own hardware, which many colleagues would like to see, but which a whole lot of other colleagues reject, demanding a strict separation of business and private.
It is clear that it is not possible to satisfy all employees and, above all, it is never possible to meet all requirements. I try to find sensible and workable compromises, and for those I cannot support, I give reasons that are as comprehensible as possible for why something cannot be realized. To this end, I always try to assess risks and prioritize together with my colleagues from Internal IT.
How do you promote a culture of conformity to standards in your teams and how do you deal with resistance or deviations?
A culture of conformity to norms in the team can only be built the way you raise children in your own family: set an example, repeat, correct, set an example again, scold sometimes and of course praise… 😊
How do you deal with changes or adjustments to norms?
In case of changes or adaptations of standards, we are actively supported by our ISMS team, so we do not have any stress here, but react professionally and in a solution-oriented way. We are currently working together on a standards migration project, for example to implement the more stringent information security requirements of ISO/IEC 27001:2022 (e.g., data leakage prevention).
A project like this can take a long time, because it is a matter of bringing the new requirements into the company. They must be analyzed, the implementation must be planned and all relevant stakeholders must be involved.
How is the information security management system (ISMS) structured and implemented at Sulzer GmbH? What is your role as head of internal IT?
The ISMS is basically controlled and monitored by our management systems. Through regular audits and regular exchanges with the relevant colleagues from the ISMS team, it is not difficult for us to set up and track processes. In my role, I ensure both a productive exchange and the implementation of defined measures.
As the head of internal IT, however, it is of course also my job to observe the market and strategically plan changes to our IT landscape. Of course, standards etc. also play a role in this. Here, it is always necessary to weigh up and assess.
How do you keep up to date with the latest developments and trends in standards for internal IT and how do you implement them in processes and systems?
Both through the support of our colleagues from the ISMS team and through our own initiatives, we keep abreast of trends. We manage the implementation of necessary measures in collaboration with management.
How do you measure the effectiveness and benefits of standards in internal IT and how do you communicate them to employees and other stakeholders?
Measuring effectiveness is actually not only a standard requirement, but also one of the most difficult tasks. Normally, when implementing any measure, you should already consider how you will subsequently be able to measure its effectiveness. But most of the time, you don't think about it at that stage.
First and foremost, we look at our critical path, i.e. all services that are relevant for uninterrupted service delivery. There, availability must be 99.5%, and we have successfully maintained this level for years. The best proof of this was the “Corona years”, when all our colleagues went to their home offices overnight and were able to continue working successfully.
How are information security risks assessed and handled? What methods and tools do you recommend or use yourself?
The biggest challenge is usually not the assessment or treatment of security risks, but identifying them in advance. The whole thing only makes sense if risks are identified proactively so that appropriate preventive measures can be taken. This is exactly where the right brainwork is needed, and this is of course exactly where the challenge of evaluating effectiveness lies.
From my perspective, it is important here to work with competent and experienced colleagues and partners in order to identify and evaluate truly relevant security risks and then implement appropriate measures.
How do you ensure that internal IT processes and systems meet regulatory requirements and stakeholder expectations? How do you deal with changes or conflicts?
Basically, I always try to look at requirements and expectations from the perspective of our capabilities and needs. You can’t meet everything, and where we can’t, we make sure that a comprehensible justification is presented to the stakeholders. In conflict situations, we seek dialogue and try to find compromises together. However, we cannot discuss legal framework conditions, for example. They have to be implemented.
How do you promote security culture and awareness in your organization? What measures do you take to train and raise awareness among employees?
I promote security culture and awareness in my organization the same way I do with my own children. So, as I mentioned earlier: set an example, repeat, correct, set an example again, scold sometimes, and of course praise.
Our colleagues from the ISMS team take care of the training and sensitization of the employees. We provide technical support or advice from day-to-day operations.
How can the effectiveness and maturity of the ISMS be measured and monitored? Which key figures and reports are suitable or used?
Of course, our ISMS also helps with such issues. Certainly, KPIs or SLAs are relevant for measuring the effectiveness and maturity of such topics. In addition, there are simple things like counting security-relevant events. All of this is reviewed in the regular management review and confirmed by the management. Improvements and targets are set in motion by both internal and external audits.
Certain standards, such as Tisax®*, also require that the maturity level of information security processes be assessed both internally and externally as part of the assessment.
How do you recommend responding to security incidents or breaches? From your role as head of internal IT – what processes or procedures should be in place?
What I can always recommend is to take security incidents or breaches seriously at all times and not to play any "air" games because of the audits. It's important to have a solid team of competent colleagues who are capable of making decisions. Clear processes and responsibilities help just as much as a dedicated "IT crisis room", easily accessible and even equipped with a few provisions.
How do you structure collaboration with external partners or service providers in the area of information security? What requirements or agreements are recommended?
With all partners who work with us in the area of information security, the appropriate formalities regarding confidentiality and data protection must always be completed in advance. When selecting partners, we pay particular attention to good references, and if, in the course of a project, our requirements are not met in accordance with the agreements made, we end the cooperation.
We have also had good experiences with charging for such cooperations according to fixed hourly rates based on time and material. In addition, we are actively involved in the conception and implementation of the projects.
Thank you Boris for the interview. Do you have any final words or tips?
In everyday IT life, standards can be very helpful. You should not interpret them as 30 km/h signs, but rather see them as signposts.
*Tisax® is a registered trademark of the ENX Association.