Interview with Merck's Chief Security Officer
23.11.2023 - The modern form of company security is no longer just a ‘knight with a raised sword who is protecting the castle’, says Volker Buss, who has been the Chief Security Officer at the Merck Group for three years. Rather, you have to develop a security strategy together with the respective business unit of the company – and in a dialog with that business unit. Matthias Erler of GIT SECURITY spoke with Volker Buss.
GIT SECURITY: Mr. Buss, before we come to your responsibilities as Chief Security Officer at Merck Group: you are just finishing writing a book together with other authors that is concerned with the security of family businesses. Could you give us a little sneak preview ...?
Volker Buss: The book is a compendium that I have put together with Hans-Walter Borries, the deputy president of the German national association for the protection of critical infrastructure (BSKI), for the Family Businesses and Politics Foundation. In the book, we look at the changing security environment that will present companies with some new challenges in the future, and look at the aspects of business continuity management (BCM) as well as emergency and crisis management. I won’t give away too much, but I will say that the compendium will be available this fall.
The subject is close to you – you are also a member and advisor of the foundation you just mentioned, the Family Businesses and Politics Foundation. What is your role there?
Volker Buss: I consider myself very lucky to have been part of the foundation’s security advisory group since the beginning and I am also proud to be a founding member. We have gathered a committee of experts that discusses current security matters and challenges during regular meetings and provides members of the foundation with a platform to turn to on matters of security.
What were your most important career steps before you came to Merck, and how long have you been working for them?
Volker Buss: The various activities during my 20-year career as a police officer have certainly been the most influential. After that, I started working in the private sector with the Würth Group. I am grateful to this day to the company and those responsible for the opportunity I was given to develop. It was a time of learning that was very helpful to me. After my time there, I moved to Merck where I have been the CSO for almost the past three years.
In your opinion and your philosophy, what is particularly important for company security, and how does that differ from traditional opinions?
Volker Buss: We are business enablers and ambassadors for security-relevant matters. I feel that the role that company security has played in the past is out of date. It is not my aim to perform a purely governing function that makes rules, or be the knight with a raised sword who is protecting the castle.
My opinion and my philosophy are rather to develop a security strategy together with the business units, based on their needs, that will protect and maintain their business in the long term. I am of the opinion that, through discussion with the business units, we are in a position to develop tailor-made, efficient and effective standards that can actually be implemented by those business units. In addition, we get to understand the business much better through this conversation and have the opportunity to identify sticking points that had not been apparent either to us or to our colleagues until that time, so that we can solve them together.
Of course, we do not ignore the normal requirements of legal regulations or classic asset protection. I am delighted each time we are involved in business matters from the start, or we are asked to provide advice. That is the proof for me that corporate security at Merck is not just tolerated but is accepted, and that our philosophy and approach are not so wrong.
Among your latest projects is the bringing together of all security aspects under one roof, that is, into your department. It is called ‘reboot cyber’, and has above all to do with removing the separation of general and IT or cyber security ...
Volker Buss: The discussion on the question of which department cybersecurity should be assigned to has been going on for ages, and there are many differing opinions. We have decided to centralize information security in one department. We have bundled information protection and cybersecurity within corporate security into a new CISO organization, and support these now from one point. The ‘Cyber Security Operations Center’ was also part of the transformation, as were our colleagues in the Security Software Applications department. All this gives us the advantage that we can address these subjects as a whole and from one point. In addition, we use the synergy effects of the non-cyber activities, for example in risk management, incident/emergency management and security auditing, to name just a few.
My view is that separating the security measures into a digital and an analog world, or into non-cyber and cyber, makes no sense because they still overlap, are dependent upon one another, or complement each other. A by-product of this decision and its implementation is that it has helped us to fulfill the requirements of the IT security regulations for operators of critical infrastructure, and with a view to the forthcoming general Kritis law, I believe we have at least already laid the foundation stone to be able to carry out the resulting measures.
How do you rate the current security situation for a company such as Merck with its global presence? How is information acquisition organized at Merck?
Volker Buss: I believe we are more or less constantly exposed to latent danger, just like other DAX companies. For sure, our business makes us active in a somewhat critically-viewed environment, and also in one where our knowledge and R&D is of interest to one or the other protagonist. We know this, and have corresponding active security measures, such as information gathering. To answer your question, on the one hand we employ analysts within corporate security who constantly inform us about the current situation. We also use information from the well-known commercial protection sources, from the authorities as well as associations and federations, and also analyze trade literature such as GIT SECURITY.
Product security – above all the illegal copying of medicines – is a special subject for Merck. What are these imitations, what is the scale of the problem, and where do the counterfeiters usually come from?
Volker Buss: We have a particular responsibility as manufacturers of medicines to our customers, the patients. For that reason, patient safety is one of our main concerns, also within Corporate Security. With regard to the type of counterfeit products, we are faced with a wide spectrum of forgeries ranging from copied packaging up to total fake medicine. It is sometimes shocking to see just how unscrupulous the forgers can be just to make a profit. You will understand that I cannot go into detail here, but the cost of the damage runs into millions worldwide, leaving aside the risks and danger to the patients. Copying medicines is a worldwide criminal phenomenon. We have established that the main locations for this activity are established in Asia and South America.
How does your department help with this, what strategy do you follow and what effective measures do you have at your disposal?
Volker Buss: In my department, we are responsible for the investigation of product crime. This includes being the spokesperson for the investigating authorities, but also researching and finding the perpetrators ourselves. We are also involved in projects of the business units in which, for example, new security markings are designed for the packaging. Another example would be systems that make the uninterrupted tracking of medicines from production to end user possible.
How far can this sort of criminality be prevented?
Volker Buss: Preventive work here is very difficult. We train the security authorities on our products to help them identify forgeries. We also screen and monitor the market for potentially forged products or for perpetrator groups so as to intervene at an early stage. We are also involved in a worldwide network of pharmaceutical manufacturers through which current investigations and new phenomena are distributed.
Merck is a company with a big emphasis on research. Could you give us an idea how the security strategy works in this part of the company?
Volker Buss: Our aim is naturally to prevent any flow of information on current research work to the outside. We therefore have systems in place that monitor and prevent this. We also have a comprehensive training program on how to manage data and information within the company that makes our employees aware of the correct way to handle such data and also the dangers that abound. Basically, we follow a ‘no trust’ strategy for this.
You also fall under the heading of ‘critical infrastructure’. This means that you are affected by the new Kritis legislation that we mentioned previously. What does that mean for Merck?
Volker Buss: At the present time, parts of our production facility are already subject to these regulations and these are regularly audited by the BSI (Federal Office for Information Security). The scope will be extended however to a large part of our entire company when the Kritis legislation comes into force, which means we will have to react and implement the legislated and necessary measures. We are very interested to know to what extent we will have to change things, but one thing is sure: it means a lot of work and some new challenges for us – let’s see what happens.
You are also in a Bitkom working group on this subject ...
Volker Buss: Bitkom for us is an important partner on this matter, and we contribute to the exchange of information within the appropriate group that is currently dealing with this subject.
Mr Buss, you are currently concerned with business continuity management. What does that mean for your job and your department?
Volker Buss: That’s right. My department is busy checking the existing BCM for completeness and effectiveness and, where necessary, setting and implementing the appropriate standards together with the business unit. For my department, we get to work much closer with the business units which helps us to understand their business and its requirements much better, and to support them as an adviser and partner. In addition, we can increase the influence we have on business decisions and create an awareness of all other security matters. This enables us to offer a comprehensive service that increases the resilience of the company and enables it to return to normal operation quickly and effectively if there is an interruption.
This area is certainly an integral element to security in the management of the company as a whole …
Volker Buss: At Merck we are in the lucky position that corporate security is totally accepted and the work that we do and the necessity for such an organization is much appreciated. So at this point I would like to express my thanks to the directors and all other stakeholders in the company for their trust. Nevertheless, this increases our visibility again and emphasizes the added value that we can offer the company.
Do you have the impression that the reputation of security management has grown positively – also in view of the current crises?
Volker Buss: Definitely. The current crises have certainly contributed to the fact that security management is now viewed differently. But we all know that this is normally not a lasting thing – as soon as the crises have been overcome or gone away, the focus will turn to other areas again. I have the feeling that this has now changed. I can see a change in the way people think about the subject of security: away from ‘security is a cost factor that I have to pay for as a company and a brake tied to my leg’ – over to ‘security management is a full partner within the company that does its part in achieving the business goals and is therefore part of the value chain’.
Mr Buss, many thanks for the conversation.