Perspectives
Empirical values at Volkswagen
IT security strategies facing global challenges - how to counteract them?
(c) Volkswagen Aktiengesellschaft

A guest article by Christina Schlichting, Head of Group Information Security Programs & Projects, Volkswagen AG

The entire business world is undergoing a digital transformation. No industry is exempt from this. The Volkswagen Group is pushing ahead with modernisation and digitalisation at full speed, in its products and the entire ecosystem. As Group Information Security, our tasks and responsibilities are essentially focused on corporate IT with many interfaces, including to software that is installed in the vehicle, or on the customer interface, which plays an important role in retail, for example.

The Group comprises twelve brands, 120 production sites and more than 670,000 employees, and our vehicles are offered in 153 countries. In addition to vehicle production, it includes other business areas such as large diesel engines, steam and gas turbines, compressors, battery production, finance, green electricity and much more. This shows the high level of complexity in which we operate in information security.

History

Major projects and programs in IT are the order of the day for us. For example, the Volkswagen Group launched a Group-wide information security program back in 2011.
The program included twelve very complex projects and topics, which essentially dealt with increasing the level of information security across the Group, uniform processes, standards and technical solutions. When this program was completed in 2019, PwC attested:

"The major IT security initiatives form the basis for raising the level of information security throughout the Group, the harmonisation of standards and tools, and the deployment of centralised solutions across the brands and companies." (PwC audit ITSP2)

And this was to continue, albeit under slightly adjusted parameters and framework conditions:

  • Shorter, faster intervals - based on annually redefined focal points
  • Continued cross-brand and cross-regional cooperation
  • Even more synergies between the brands
  • Easy adaptability to enable a well-orchestrated rollout

IT security initiatives and projects in the Volkswagen Group. (c) Volkswagen Aktiengesellschaft

Procedure

The Group-wide information security committee consisting of the CISOs (Chief Information Security Officers) of the brands jointly analyses the threat radar of the Information Security Forum (ISF) every year and derives corresponding risks. These risks are used to define measures that are then prioritised and incorporated into the Group Information Security Program (GISP).  

The program includes different focal points each year. The projects are staffed by different brand representatives and a promoter who, as a member of the CISO panel for the program, represents the entire panel and does not only have the interests of his brand in mind.

The projects are controlled by a cross-functional Global Program Management (GPM), which covers reporting, finance, communication, quality assurance and risk management.

Since the beginning of 2022, another cross-cutting issue has been added: the rollout of the work results in the brands and locations. The work results developed in the first two years are now being integrated into the line functions of the brands in a systematic and prioritised manner. The brands are supported in their implementation by dedicated rollout managers, by a close exchange between the project managers on best practice approaches, and by bookable rollout packages.

Current projects in the GISP include the topics of Cloud Security, Identity & Access Management, PKI Enhancement, Shopfloor Security, Cross Functional Monitoring, Endpoint Security, Secure Software Development and Governance.

Success factors

In retrospect, the PwC recommendations are also success factors for the implementation of the program. The recommendations mentioned above, such as faster intervals and adaptability, are an essential aspect.

The cross-brand staffing of the project responsibilities and the active role of the promoter also contribute to the high acceptance of the program.

For programme steering, the following factors are crucial:

  • Regular project manager meetings
  • Regular retrospectives
  • Feedback & implementation of measures
  • Regular review of interdependencies between projects
  • Active risk management
  • New Work (Covid-19): Try out new methods!

Of course, we have also learned from previous programs. These aspects are important success factors too:  

  • No overregulation
  • Low administration
  • Professional programme management
  • High level of self-organisation in the teams
  • Rollout not left to itself

Collaboration between Group brands at management and staff level has been strengthened, and the program's active communication with best practices and lessons learned is helping to develop a global community around Group information security.

 

Christina Schlichting
After studying Sinology, Political Science and German, Christina Schlichting started her working life at the end of 1990 with an international trainee program at Volkswagen AG in Wolfsburg. In 1993 she moved to Audi AG in Ingolstadt, where she held various positions, including Sales Manager for the People's Republic of China with responsibility for setting up and managing the Audi Beijing Office. In 2003, she moved to the Information Technology and Organisation department. After another move to Volkswagen AG in 2005, she took on various management functions in the area of IT personnel, development of service systems and IT governance tasks. Since September 2019, Christina Schlichting has been responsible, among other things, for the development and implementation of a Group-wide information security program. Twitter: @xiexingna
secuview is the online magazine of secunet, Germany's leading cybersecurity company. Here you will find news, trends, viewpoints and background information from the world of cybersecurity for public authorities and companies. Whether cloud, IIoT, home office, eGovernment or autonomous driving - there can be no digitisation without security.

 

In addition to the online magazine, secuview is published twice a year as a journal, which you can subscribe to free of charge in printed form or download as a PDF.
© 2024 secunet Security Networks AG