Security Management at Automotive Supplier Mahle
Mobility has been at the core of the Stuttgart automotive supplier Mahle, which is active worldwide, for over a century. These days, the main business is not just combustion engines but also electric drives. The tasks of the corporate security department stretch from protecting employees, location security, and crisis management to IT, OT and production security, handled together with the relevant departments.
The size and scale of global manufacturing locations and divisions require complex organization of corporate security. It is also important here to be constantly on the move because, as Andreas Knobloch, Head of Corporate Security at Mahle, says in conversation with GIT SECURITY: “Today’s solutions will hardly meet tomorrow’s challenges.”
Q: You have been the Head of Security at Mahle for two years. Could you give us a brief job description please?
A: As Head of Corporate Security, I am in particular responsible for physical and personal security of the company – that is, the protection of our employees, our valuables and the commercial operation from crime and physical security threats. The responsibilities of my global teams are manifold and include the physical security of our factories and other locations, the security of our travelling staff and those abroad, the security situation, fraud prevention, business continuity and crisis management, information security (together with the IT department) as well as operational incident management if it falls under one of these headings.
Q: You were at Merck before joining Mahle – and even earlier at the Federal Criminal Police (Bundeskriminalamt - BKA). That was all certainly good preparation for your job today. But you were not always involved in security, were you?
A: That is right. I was able to learn many fundamental aspects on the subject of crime prevention, particularly in an international context, and the necessary capabilities on a daily basis, such as a structured approach, clear separation of facts and assumptions, and legally valid actions through my studies and work as a detective with the Federal Police. I was then able to experience the many various challenges of security in a commercial environment in the corporate security department of Merck, to help expand the department and to design much myself. All these stops along the way have taught me a lot, and prepared me well for my current role. I would not like to have missed any of it.
Q: Mahle has an annual turnover of around €13 billion, some 72,000 employees and 148 locations. How is security management broadly organized?
A: We have two main teams in the corporate security department: one functions as an operations center on information evaluation and the control and coordination of incidents; the other team works more conceptually on global programs and is responsible for our security guidelines.
Apart from these, we have appointed regional experts, who support the local management at each location and provide concentrated specialist knowledge. This approach meets our needs as a worldwide manufacturing supplier to the automotive industry, and has proven effective in a similar form in many other companies.
We always handle the subject of security at Mahle in a structured and practical way in close cooperation with the IT security, OT security, product security and specialist departments, such as revision, communication and data protection. We have established reliable and purposeful partners and processes to solve the various challenges where each area contributes its own expertise. This is the only way to manage such an interdisciplinary subject effectively.
Q: What do you consider the greatest challenges that you faced when you started at Mahle as Head of Security? What matters did you address first?
A: After doing a status evaluation, I first developed and optimized the aspects of travel security and information security. On the one hand, the security of Mahle employees had the highest priority, and on the other hand, we faced the task of protecting the company better against cyberattacks by making the employees competent to deal with phishing attempts.
Both projects have been completed, and the resultant new processes have already paid for themselves numerous times, which has raised our reputation within the company significantly. This year we have the subjects of access management, as well as the further development of our emergency and crisis management, on the to-do list.
Just like the rest of the industry, Mahle is undergoing a technological transformation. The company has long been supplying technology for battery-powered vehicles or other alternative drive systems. This transformation also generates new security requirements, with new customers and markets for example, increased legal requirements, more varied suppliers and additional development know-how.
We have started our own projects to support these businesses. One ever-present subject though – as you say – is crisis management. It is a very broad term and encompasses dealing with pandemics just as with wars worldwide.
Q: How do you handle these in your company? Where are you particularly challenged – and what contribution can your department make?
A: With almost 150 factories worldwide and the corresponding complex supply chains, we are naturally affected by geopolitical developments and their consequences for security. Conflicts such as the attacks on Ukraine or the situation in the Middle East have direct and indirect effects on our business activities.
As the corporate security department, we provide in particular method competence in business continuity management as well as emergency and crisis management. We also contribute security situation knowledge to corresponding plans and decisions.
Q: How have you organized the acquisition and processing of information from internal and external sources?
A: We primarily use public sources – either directly or via an information service provider. Parallel to that, our contacts at the various authorities are very helpful with regard to commercial protection, even though I can see potential for improvement in Germany.
The new security strategy and initial measures are showing good signs of further development. Security always includes secure and functioning business, and this aim is only achievable together with all involved.
Q: Where do you see the biggest danger for your company at the moment?
A: I think that it applies to all companies that the various ongoing conflicts and trade wars are threatening business processes and security. I also consider cyberattacks to be a grave and constant danger.
Q: What strategy do you have to counter these?
A: An awareness of risk – in particular at management level – is the essential foundation for coordinated prevention measures. This has been recognized by governments and our customers, and rightly requires significantly more effort now than was the case a few years ago.
What started in critical infrastructure to increase the resilience of companies is now being extended to many other areas of business – either as a legal requirement or most recently through contractually agreed standards that our customers demand from us.
Driven by this, security measures and solutions are increasingly becoming an integral part of new orders. Our products have to be immunized ever more against cyberattacks because of various regulations and customer requirements, and we have to be able to demonstrate the protection measures and recovery ability of our factories. Both the IT department and we are required to offer solutions that meet the relevant requirements and to effectively and securely support our business divisions. We do this at virtually all levels.
Q: What does that involve at the physical security level?
A: As we do not take ‘physical security’ to mean just protecting our factories, we support our locations, for example, with the establishment of security plans and achieving the appropriate certification. This requires a holistic approach at a technical and process level. For new certifications in particular, regular reminders and the development of a general awareness are necessary – simply the introduction of a new security culture – so that the remaining aspects can work properly.
Q: Your responsibilities include security-related aspects of supplier standards, such as those for the automobile-related TISAX certification.
A: TISAX is a widely established standard in our industry, in particular for the information security of supplier companies. We set minimum standards here that ensure that we handle our data and that of our customers reliably and securely – generally and especially, of course, in the research and development environment.
We ensure certification to these standards for over 100 Mahle locations, together with a broad internal network of all business divisions, the quality control department, the IT and OT security as well as data protection, controlling and corporate security. The advantage of this is a clearly regulated, structured framework that covers all aspects of information security – i.e. technical, organizational and personal.
The present security situation in cybersecurity, however, is leading to constantly increasing protection requirements. This is happening, among other reasons, because of the continual extension of the TISAX requirements, as happened recently in catalog version 6.0. In addition, new aspects or extensions of legal requirements are being implemented soon in many countries.
In general, the requirements of suppliers will rise continually, which naturally requires a legally compliant business operation as well as a higher security standard to win customer contracts. This includes the effort put into disaster recovery and, of course, also prevention and emergency planning. Our corporate security department will continue to contribute significantly to these ever more complex tasks.
Q: Security management is – as this conversation shows – a subject with many aspects. The knowledge of security experts is in demand and is an increasingly important element of business decisions. This is an increase in importance that can be observed in many companies. How do you view this?
A: I have seen increasing importance placed on the subject by decision makers in companies for some years. The widespread and frequent cyber incidents and crises in recent years have helped the subject with a significant rise in importance. Corporate security at Mahle is involved ever more often in business decisions and makes a significant contribution to sustainable business.
The growing number of tasks naturally brings an increase in expectations. We have to continually build up our abilities to be able to meet these new and forthcoming expectations. This is not always easy in our industry in times of a shortage of skilled workers.
Apart from specialists, we need ever more ‘generalists’ who already have good IT knowledge. One thing is clear: today’s solutions will hardly meet tomorrow’s challenges. We will all have to constantly develop our abilities through continuous learning throughout our lives and driven by a large portion of curiosity. But that is what makes our profession so unbelievably exciting.