13.09.2024 • Topstories

Corporate Security at BMW Group

The BMW Group sold around 2.55 million cars and 209,000 motorcycles in 2023. With nearly 155,000 employees, the world’s leading premium manufacturer of automobiles and motorcycles achieved a turnover of 155 billion euros in 2023. Apart from the main plant in Munich, there are also numerous locations worldwide. The CSO Alexander Klotz is responsible for global corporate security. It is self-evident to him that security is a common task and that it brings added value both to the company and all those people involved with it. Matthias Erler from GIT SECURITY spoke with Alexander Klotz.

GIT SECURITY: Mr. Klotz, you head up corporate security for the BMW Group – that is already a significant task with more than thirty production sites alone. Let us look at your career history. How did you become involved in security, what were the decisive stops along the way, and since when have you been working for the BMW Group?

Alexander Klotz: Just like many other CSOs, I used to work for a German authority as an officer with the German Army, where I was also able to continue my studies. After ten years, however, I became curious about security in the private sector. There followed an exciting time as a security manager at Infineon Technologies, in a management role as CSO at Schott in Mainz, and at the Uni Credit Group in Milan, Italy, amongst other locations before I joined the BMW Group. First, I was responsible for security business intelligence, corporate investigations and also incident and crisis management. I have now been head of corporate security for the BMW Group for the past three years. For a petrolhead like me, it is the ideal mix of career progression and personal passion.

Could you give us a broad view of all your tasks and responsibilities? How many employees are working in your area and how is it structured – also in relation to the individual locations?

Alexander Klotz: My team and I bear the global responsibility for the security of all employees, as well as for material assets, i. e. our sites and facilities. We are also responsible for the security of our immaterial assets in the form of important information that continues to give us a competitive advantage.

We are one of the core administrative functions here at the headquarters in Munich, and provide a regional security service for America, Europe and Asia. We currently have 140 employees in the global security organization at a central and regional level, addionally numerous operative colleagues who ensure security at the worldwide production sites. We have been very centrally organized until now. The challenges of recent years have clearly shown that current and future threats are increasingly having a more global and more complex effect and can no longer be limited to one location or centrally managed. That is why we are on a path of transformation to strengthen the regions so that they will be able to act independently, yet in alignment, in future.

But itʼs not just the security organization that needs to change. The entire automotive industry is undergoing a significant paradigm shift towards electrification and connectivity. This is also reflected in our vision of the future: “digital, electric, circular”. A recent example of this: our main plant in Munich is currently being converted during ongoing operations in such a way that we will come a great deal closer to meeting our circularity and sustainability requirements with the Neue Klasse from 2025.

How do you understand your role as corporate security in a large corporation like the BMW Group? What is your approach to organizational development especially in view of the company’s global presence?

Alexander Klotz: As a security organization, we are primarily a so-called ‘enabler’ that wants to provide not only a secure environment for business but also for the various divisions that are involved in the central processes of the company. This means securing the infrastructure both physically and digitally so that the production of our cars, engines and, in future, high-voltage batteries can run safely.

However, this cannot be achieved alone, but only together with all the relevant stakeholders within the company. It is therefore essential for us to understand the business and to speak the same language. It is the only way to apply the various security products that we offer effectively and to strengthen the resilience of the BMW Group. From an organizational point of view, this means being anchored in important networks at all levels within the company. That could be certain committees at management level in which we provide security-relevant information or where we influence strategically important local decisions.

But we are also represented in broad security networks, such as in information security, where we ensure with strong governance and networking that security plays a major role in critical areas, such as automotive security, customer data etc., and that ʻSecurity-by-Designʼ is considered in all processes right from the start. A good example of this is prototype protection, such as for the new BMW X3. We are involved in the project team at an early point and define standards for camouflage together with other stakeholders. The same applies when we plan a new factory or another building – security aspects are planned by us from the beginning, and we implement them together with the operational colleagues on site both in the planning and construction stage as well as during subsequent operation.

Prototype protection with camouflage foil, such as for the new BMW X3, is just... — Prototype protection with camouflage foil, such as for the new BMW X3, is just one of the tasks of BMW Group Security.
© BMW

How important is the contribution of security within corporate management?

Alexander Klotz: The contribution that we as the security organization make to the company consists of detecting appropriate security risks in advance and minimizing these as much as possible. The importance of this job is understood and supported at all levels of the BMW Group. We are also heard by senior management and appreciate their full support for our target group-oriented products, such as strategic situation reports, scenario analyses, targeted awareness campaigns, and also ad-hoc incident and crisis management. We have close ties to the board and report to them regularly. This close cooperation has evolved not least because our company security staff provide board-related services, such as close protection or security drivers and reception services for example. That naturally builds a broad level of trust.

Is it your experience that the recent string of crises has sharpened the awareness of corporate security and its importance? How is this visible?

Alexander Klotz: The BMW Group Security has built up a very good reputation over the years – which of course helps both me and my team. But it is true that the challenges, events and crises in recent years have increased the awareness of security within the company – for example through successful crisis management solutions during Covid or by our support in maintaining supply chains in various conflict areas worldwide.

The appreciation and acceptance of our authority in matters of security is definitely noticeable. That has increased our visibility on the one hand, but on the other hand, the requirements and expectations towards our team have risen. This is reflected, among other things, by the fact that our stakeholders within the company expect to be informed even more quickly and comprehensively about potential developments. This means that we must become even faster and more digital.

You take a holistic approach to all the processes of corporate security, and within the BMW Group generally. Could you explain that for us?

Alexander Klotz: We integrate ourselves in the process environment of the company. All our processes are aimed at reaching the strategic goals of corporate security and address our assets to be protected. That means: we follow a holistic ‘prevent, detect, respond’ approach that will also strongly influence our global organizational structure in the future. Within the preventive part are the regulatory frameworks, i. e. the governance and risk evaluation. The ‘detect’ and ‘respond’ parts concentrate on security business intelligence and analysis as well as our effective response to incidents. This process-oriented organizational structure enables us to handle our daily global business better. In this way, we make a significant contribution to the organizational resilience of the BMW Group – always with the attitude of continual improvement.

From prototype to series production –
the new BMW X3.

Since July, the BMW M5 has also rolled off the production line with an...

Mr. Klotz, security is an important – if not crucial – management task. It includes the detection of threats worldwide – and then communicating them to mitigate risks. Let us talk a little about potential threats. How do they affect the BMW Group in particular – and what resources do you have to recognize them?

Alexander Klotz: Security really is a fundamental necessity. Other activities can only take place freely once this need has been addressed. That applies to every company. To identify threats at an early stage, we must be able to filter out those that are valid and relevant from the huge pool of information by ʻseparating signals from the noiseʼ. We have correspondingly enlarged our science and analytics competence in the data section over the past couple of years.

We aim to be able to derive meaningful patterns out of the multiplicity of available information that could influence our operation. These could be geopolitical data, for example, that initially do not have any relevance, but then become important through strong interdependencies. Our output must naturally go beyond just simply repeating news reports – we must know what no one else knows, distinguish between fake and true reports. All this makes our job very exciting, and we need a team that is capable of it. This team has to adapt our products to the appropriate business context and make it understandable for others. Our recipients can be the management or indivudual employees.

Could you give us some examples of threat scenarios that you have to prepare for? What type of threat and what dangers are you currently most concerned with?

Alexander Klotz: There are essentially three things: firstly – as for all companies – the matter of cybercrime or general cyber threats, also from state actors. Secondly, as a car manufacturer, we are constantly in the focus of activists and extremists. And thirdly, there are the geopolitical situation and armed conflicts that have a direct effect on the security of employees or BMW Group assets. However, the potential impact on our suppliers and supply chains is also critical in this context.

How do you obtain relevant information?

Alexander Klotz: We use a combination of various sources to acquire information: special service providers, open-source information, think tanks, or even exchanging info with other companies. The excellent cooperation with national and international authorities is also important. The raw data that we receive is filtered according to specific criteria (pre-processing) that we define in-house. We categorize it and observe numerous factors that are relevant for classification, such as the distance between a security incident and our production site or location. Of course, we also analyze past events, in-house or external, such as the IAA, the Munich Security Conference, or the Auto Shanghai.

We generate our ‘products’ from all these sources that are tailored to the recipients’ needs and which a security expert or other decision-maker can use. In the case of crises or in situations where we have to deal with simultaneously occurring threats, we adapt our method of operation and form flexible teams with the relevant networks within the company. We regularly rehearse these situations and potential crisis scenarios together with the decision-makers in the company. There are similar local crisis management structures at all the other locations of the BMW Group that come together for training, and of course for a real event.

What are your next important projects?

Alexander Klotz: Our main goal remains the same: to effectively protect the BMW Group. The way in which we do that is strongly influenced by the current security situation and its effect on the BMW Group. Currently we have three aspects:

Firstly: as I explained before, we find ourselves in the middle of a transformation of strengthening the regions to be able to meet global challenges.
Secondly: further improving our early detection and global threat monitoring ability.
And thirdly: recruitment and development of staff.

Even though the BMW Group is regularly honored as an attractive employer, we must do more than before to find suitable and competent employees and managers, and to contribute to their development. The continuous growth of threats and crises worldwide has led to an employee-led market situation in security. It is therefore my task, and our task, to sharpen up here so that potential candidates continue to decide for us in future and we can move forward at full strength.

I have total confidence in my team. My definite aim and simultaneously my biggest task is to find and motivate people who do not work directly with me. It is all about building a team that is distributed over the globe and works in different time zones. We are one community, and all have the same target: security as a core success factor. That only works together in a functioning network.

Mr. Klotz, many thanks for this interesting conversation. To finish though, one question still has to be asked: what car do you drive, and why?

Alexander Klotz: I am privileged to be able to change my car frequently and to try out different models, but what I can say is: ‘the most powerful letter in the world’ – an M – should be in the model’s name.