Strategy of Corporate Security at Volkswagen
As technological advancements towards AI (artificial intelligence) and automation transform the world, new threats and risks emerge. In response, the automotive industry is redefining their security equipment and strategy. Andreas Maack, Head of Group Security & Resilience and CSO of the Volkswagen Group, provides GIT SECURITY with insights into his vision for corporate security in this new era, addressing the evolving protection requirements. At the core of Volkswagen‘s security vision lies the proactive anticipation of threats and the strength of a globally connected team.
GIT SECURITY: Mr. Maack, let‘s start by talking about the tasks of corporate security: How have these changed in recent years – and what framework conditions result from this in strategic terms?
Andreas Maack: Let me first address the second part of your question. As Volkswagen AG, we were part of RC Security (working group for CSO) under the leadership of Dr. Harrer (Head of Research Division: Economic Protection at Bundeswehr University Munich). The work results are valuable to me and an incentive to continuously develop security within the Group. To this end, I orient myself on the jointly developed portfolio model. Following the model, we are gradually shifting our focus towards a strategic direction. Especially in the challenging times we are currently experiencing, the topic of the value contribution of a security function and its comprehensible presentation is essential. The portfolio model is of great use here.
... particularly in times of strong transformations and crises
Andreas Maack: In the automotive industry, we are indeed experiencing the transformation towards electromobility and digitization, all the way to autonomous driving. Technological advancements such as AI and increasing interconnectivity offer opportunities but also bring risks. However, the change is not limited to the automotive industry - the global geopolitical landscapes and the general world situation are also undergoing a transformation. Unpredictable geopolitical tensions, wars, as well as natural disasters and extreme weather intensify the situation and put the world in a permanent crisis mode.
These external influences and developments have a major impact on security requirements and are leading to an increased significance of the term and function „security“. The advancing digitization and the associated threat in the digital space require new competencies more than ever, especially in the protection of intellectual property and sensitive data. The analog and digital worlds are increasingly merging, which also applies to the attack vectors of criminal activity. Digital forms of crime complement the previously analog fields of crime. Natural disasters and droughts as a result of climate change lead to cascading effects such as violence and serious crime. In order to respond flexibly and appropriately to existing and new threats and to anticipate future security risks, security organizations must redefine their tasks, competencies and responsibilities.
How have the priorities within the security department shifted as a result?
Andreas Maack: The primary task of security functions lies in crime prevention, protection against all forms of violence, natural disasters and other threats, as well as the coordination of law enforcement measures. This also includes cooperation with security and regulatory authorities and government agencies within economic protection.
This „general mandate“ of security has not fundamentally changed, but the perimeters of security responsibility have shifted and expanded. The focus is shifting from classic protection areas, such as plants, to vehicles (automotive security) and thus closer to the customer. Additionally, the physical space is being expanded to include the virtual space, which plays an increasingly important role in security due to the aforementioned technological changes. Geographical boundaries are also being redefined or becoming obsolete: wars, extreme weather events and climate disasters require a constant analysis of global events, as they are of central importance for various security decisions and risk assessments. The scope of security tasks is therefore constantly growing. In order to continue fulfilling the general mandate in the context of the new framework conditions and requirements, adjustments to the structure and orientation of security are necessary.
Could you provide a concrete example of how these changes have practically impact and what measures have been implemented?
Andreas Maack: The trends mentioned above are increasingly influencing the work within Group Security & Resilience. For example, the spread of AI technologies brings significant security risks alongside benefits. There are quite a few people who warn very fundamentally about AI, especially since we are currently „only“ using the first generation of such technology. However, even at this stage, the manipulation of media content such as images, videos, texts or audio recordings, for example, poses a serious threat.
Such content can already be quickly and massively created and disseminated in a targeted way through various tools that are easily accessible via the internet and can be spread via social media. The consequence is misinformation about people, events or statements, which perpetrators use for targeted disinformation or opinion manipulation. The enhancing quality of AI results makes it increasingly difficult to identify manipulated content as such. This can have far-reaching consequences - from phishing attacks and fraud in the economic sector to targeted influence on elections or societal sentiments in the political context.
As a security function, we can hardly defend ourselves against these developments and the resulting threats in the traditional sense. Therefore, we must learn to deal with them and counteract them. One measure is to further expand our security competencies, particularly in data analysis and our own AI. It is crucial to understand the new technological possibilities and to make use of them in order to anticipate threat scenarios and take appropriate precautions.
In this context, it would be interesting to know what your current security strategy looks like. What key topics does it deal with and what specific areas of security does it cover?
Andreas Maack: Our security strategy „Protect“ is fundamentally based on three dimensions: people, products and assets. It links the analysis of current and future challenges with strategic goals and expanded collaboration models of the security organization for the coming years (2030+). The guiding principles of the strategy are reflected in three overarching strategic terms: digital, connected and preventive.
„Digital“ means the digitalization of the security organization in terms of internal processes and dealing with (new) digital crime phenomena. „Connected“ stands for the expansion of horizontal and vertical networking of people and processes. And „preventive“ means strengthening the preventive effect and orientation of security measures to prevent incidents (value contribution model) and, in the sense of the „broken window theory,“ to give crime no room to unfold.
“Protect” aims to show the medium-term vision of the future, taking into account our values and our general mandate. Our global security network within the Group, i.e. the close cohesion between the Group and its brands, is an indispensable component. Since we cannot tackle the challenges alone, we need strong partnerships both internally and externally in order to respond to the changes and requirements.
A strategic realignment often brings organizational changes. How do you approach this?
Andreas Maack: Strategy and organization always go hand in hand. At the beginning of this year, I carried out a major reorganization with the aim of streamlining and modernizing structures to enable a faster and more effective response to security threats. It was important for me to evaluate our thematic fields of action and tasks in terms of the necessary methods and technical expertise and, guided by this, to set the structural framework. For example, forensic tasks are now processed in each individual department where necessary, instead of being assigned to a single department as before. At the same time, all of the digital tasks of Group Security & Resilience are consolidated under one department. Overall, we have increased flexibility and professional networking and promote professional and methodological dialogue.
In addition, we have integrated the term „resilience“ into our department name to emphasize the central importance of crisis prevention and responsiveness. By promoting cross-functional collaboration, we have been able to make tasks and processes more efficient. The global network with our partners in the brands and other entities remains a central component to optimally protect the Group and further strengthen its resilience.
Finally, after discussing global trends and your strategy: how does the implementation look like in the everyday work at Volkswagen Group?
Andreas Maack: Quite simply put: There is always something going on here. The Group employs more than 670,000 people, has over 100 production sites and is present in almost every country in the world. The collaboration in our security network is very important to me. This means that the brands, entities and regions or countries each have their own security organizations. Through our guidelines, strategy and networked competencies, we set impulses from Wolfsburg and promote global exchange. This is comparable to a „federal structure“, with the central anchor being the „Volkswagen Group“. Our partners maintain their identity and we all benefit from the wide range of experience and professionalism of the network. Security is teamwork.
Security at Volkswagen works because we are a professional, committed and future-oriented team. This is precisely why security is so important in the group, but like any other function, it has to prove itself again and again. Today, the focus is not only on the technical component, but also on the value contribution, the future models and the level of digitalization with which we keep pace. Fulfilling legal obligations is, of course, a given. Crisis prevention and resilience, strategic advice to business units in conjunction with a profound understanding of business processes and products, are essential for a modern security organization. We are on an excellent path here, which will never end, as there will always be new parameters, and we will therefore always have to set new goals.
