Arbonia protects itself

A single person would not be able to realise the issues and projects in a group with so many companies and sites – it is essential to have a well functioning team who support each other.

Interview with Thomas Zehnder, ICT Security Officer (ICT = Information and Communication Technology) at Arbonia since 1 February 2019.

What is your responsibility as ICT Security Officer at Arbonia?

My area of responsibility is extremely varied. I am responsible for formulating and further developing the ICT information security strategy, for identifying and assessing risks, security threats, and vulnerabilities, as well as for defining corresponding security measures to ensure and continuously improve the cyber resilience of Arbonia. In addition, planning, implementing, and measuring the ICT security quality measures as well as security policies, processes, and standards also fall within my responsibility. I also assist employees with all questions concerning information security.

What skills do you need to be able to fulfil these responsibilities?

The role requires that you understand the technical aspect as well as processes and procedures. With my bachelor's degree in computer science and my master's degree in information systems with a focus on technical security as well as security management, I cover both aspects. Continuous current knowledge and relevant further training in the area of information security and risk management are just as essential for this work as analytic abilities, networked thinking, as well as experience in handling high complexity. In addition, skills in the area of communication and self-management are also advantageous.

How is Arbonia positioned in respect to ICT security?

Basically, the responsibility for the ICT security of the entire Arbonia Group lies with me and the IT Board, which consists of the Group CIO, the Group CFO, as well as IT representatives of the two divisions and of the Group. The relevant issues are always coordinated and presented with the responsible people from the divisions and Group Management. In the implementation of all topics, I am supported by the local IT teams and ICT security officers as well as further ICT security specialists, who are my interfaces to the sites and the companies. A single person would not be able to realise the issues and projects in a group with so many companies and sites – it is essential to have a well functioning team who support each other.

What were the biggest challenges in the past year 2021?

We prepared a detailed security programme with many projects and continuous improvement processes that we are implementing throughout the Group – the limiting factor is especially the personnel resources on the Group level, but also in the companies, who have to help us with the implementation. In addition, there are some maturity differences among the companies that we have to balance as well as the integration of newly acquired companies. As a group with networked systems, we rely on everyone fulfilling the defined security standard, in the spirit of "think globally, act locally".

What priorities did Arbonia have in the area of cyber security in the financial year 2021?

Among other things, we have tried to raise the employees' awareness of cyber risks with an ongoing phishing and awareness programme. In addition, we have developed and adopted an information security strategy with different approaches and a resulting multi-year security programme. The goal was to achieve a stable cyber resilience with targeted, smaller measures across all companies. Furthermore, we implemented several large and Group-wide projects, such as, for example, the introduction of SIEM / SOC, a central collection and evaluation of relevant security logs in connection with an external 7x24h monitoring – or also the establishment of new Group-wide guidelines, for example, for connecting third parties to Arbonia systems.

How has the view of cyber security changed at Arbonia since you have held this office?

Previously, each subsidiary took care of the topic of cyber security mostly by itself. There was no overarching approach. In the past three years, awareness of the need for measures in this area in particular has increased considerably – among employees as well as especially among management. This has caused the commitment and the willingness to become active to increase. In the meantime, almost everyone has realised that cyber security is also a business enabler.

Why is the topic of cyber security also relevant to sustainability in your opinion?

Digitisation in general is a central issue in the area of sustainability. Smart processes and systems that control and optimise the use of resources in a targeted manner and thereby reduce environmental impacts to the greatest possible extent are decisive. As a result of their networking, however, such systems are also a target for attackers, which is why cyber security is so central for maintaining them. The number of cyber attacks has strongly grown in the last years and months, and the threat situation has drastically increased. Finally, cyber security is the business enabler – when the systems are paralysed, a company cannot do business at all in most cases. Not doing business means not being able to exist sustainably, and it is very important to Arbonia to ensure that employees in particular have a sustainable work security.