Rights of way, speed restrictions, traffic lights… as road users, we have to comply with these and many other rules. If we didn’t, there would be chaos and accidents would happen all the time. The same applies to cybersecurity, where an incident can have devastating consequences: data theft by hackers can result in financial losses running into the millions, not to mention the collapse of a company’s good reputation. In Rainer Zahner’s opinion, an orderly roadmap that employees live by every day is the best possible way to protect Siemens against this danger.
“Without rules, there’d be mayhem,” says Rainer Zahner, Head of Cybersecurity Governance, Risk Management and Services at Siemens. Rules regulate how we interact with one another and lay the foundation for Siemens’ cybersecurity strategy. They stipulate what we must do and what we’re permitted or not permitted to do, and help us to assess the current state of security and pinpoint potential risks. But it’s precisely because they’re so important that rules can’t stand on their own: they can only be brought to life by the people who apply them.
Secure working needs a clear framework
With a Siemens-wide circular, the Cybersecurity Governance, Risk Management and Services department has established cybersecurity rules and constraints specifying what employees must do and are permitted to do. This in turn makes cybersecurity measurable, providing a springboard for further improvements.
For example, all employees are required to protect their account with a 12-digit password, renew it every six months, lock their computer when leaving their workstation, undertake cybersecurity awareness training once a year, and refrain from using any USB sticks that may be lying around. There are also rules for encrypting e-mails and protecting sensitive data as well as for acquisitions and spin-offs: what data can new employees access straight away, and what data can former employees continue to access? What to do if a security incident occurs is also regulated in a Siemens-wide process.
Risk management as the foundation for informed decisions
The cybersecurity risk faced by Siemens is constantly growing and evolving with the increasing prominence of digitalization technologies in our portfolio. New information technologies like cloud computing and an expanding and rapidly changing threat landscape call for us to create transparency and to handle risks effectively and promptly. This is keeping Rainer’s team busy, too: a risk assessment is an essential prerequisite for an informed decision when considering whether to invest budget in a project or service and how urgent this is.
“We examine how high the risk of a cyber-attack is in the area concerned, what data could be exposed and what impact this would have on Siemens’ business in terms of financial loss or reputational damage,” explains the governance expert. “We assess all this against the applicable cybersecurity rules.” His team doesn’t work in isolation here; it collaborates with IT, the security engineers and the operating units to conduct a holistic, cross-functional risk assessment. Depending on the extent of the risk, the affected unit decides for itself or the Managing Board decides for the whole of Siemens whether or not to go ahead with the investment.
It’s a people thing
No matter how carefully rules and regulations are crafted, they’re worth nothing unless they’re actually applied. By people. “My team and I aren’t the police, ordering everyone to toe the line,” emphasizes Rainer. “Instead it’s the whole community that pulls together to uphold the rules.” To this end, the Siemens Cybersecurity Board meets once a month to discuss important topics and developments and, if necessary, to define updated rules. These are then implemented and driven forward jointly as a community. The board is currently focusing its attention on the ever-growing number of cloud services, for example, and evaluating whether their use needs to be subject to Siemens-wide policies.
Think before you click
But anyone who thinks they can just lean back and let the Governance team and the Siemens Cybersecurity Board take care of the company’s cybersecurity is making a big mistake. Cybersecurity isn’t a matter for one department but affects each and every one of us in both our professional and private lives. Rainer stresses: “Critical security incidents often begin with a moment of carelessness that’s open to exploitation: a click on a link in an e-mail here, a downloaded file there. And before you know it, the door to the system is wide open for hackers. That’s why I’m appealing to you to always think carefully about what you’re clicking on!” This is also addressed by the Siemens-wide cybersecurity awareness training, which all employees have to complete once a year.
On top of this, anyone struggling with particular challenges in their working environment that are exacerbated by the security requirements is welcome to turn to Rainer and his team. “We examine individual cases of this kind and work with those affected to find a secure solution so that we can continue to do good business with customers.”
This approach is bearing fruit for Siemens: in recent years, the company has suffered no significant losses as a result of cyber-attacks. The Cyber Defense Center detected attackers and rendered them harmless, and vulnerabilities were identified before any damage could be done. Our customers, too, value this security.