Corporate Security at Volkswagen Group
A Conversation with Michael Schmidt, Head of Corporate Security at Volkswagen Group
The Volkswagen Group with its headquarters in Wolfsburg, Germany is one of the world’s leading manufacturers of automobiles and commercial vehicles and the largest carmaker in Europe. The group comprises twelve brands from seven European countries: Volkswagen Passenger Cars, Audi, SEAT, Škoda, Bentley, Bugatti, Lamborghini, Porsche, Ducati, Volkswagen Commercial Vehicles, Scania, MAN and VW Financial Services. The Group operates 120 production plants in 20 European countries and a further 11 countries in the Americas, Asia and Africa. Every weekday, 626,715 employees worldwide produce around 43,000 vehicles. Heiner Jerofsky from GIT SECURITY speaks to Michael Schmidt, Head of Group Security and Chief Security Officer, about his global security management strategy, experiences and goals.
GIT SECURITY: Mr. Schmidt, you are one of the most experienced German security chiefs, as well as a university lecturer, consultant and member of various security organisations. So far, you are also the only security chief to have held this position in three different DAX companies. In recognition of your services, you were made a Liveryman of the City of London in 2008 and presented with a lifetime achievement award by ASIS Germany in 2017. It’s an impressive track record. Do you have a recipe for success?
Michael Schmidt: During my career, I have been presented with major challenges and trusted by people with a great deal of responsibility. I consider myself highly fortunate. It has given me and the experts who I have worked with, in various roles, an opportunity to continue to grow in my work. There is no such thing as a recipe for success. This would also be the wrong way to approach things. In this profession, it’s important to be a master of your trade and adapt with flexibility to different situations. It’s all about being prepared and adapting to the modus operandi and what motivates the perpetrators. Understanding people is crucial when it comes to security, as is the ability to exclude taboos from your thinking. It may seem surprising but it was as a young police officer that I learned the basic skills of my profession, which I have used again and again in different ways.
I’m extremely grateful for this – and for the recognition that I have achieved within the sector.
For which roles and tasks are you responsible at the global Volkswagen Group?
Michael Schmidt: Group Security manages the strategic themes of building security, personal and event security, crisis management and travel security, expertise and prototype protection, as well as forensics and digital forensics. Higher-level control functions also include international coordination, reporting and security audits. I am also responsible for managing plant security. Fire protection is an area specific to the automobile sector. This range of tasks was similar in my previous positions, including my work at Deutsche Post and RWE. It helps, of course, if you already have experience in a particular area. As a rule, I would say that 80% of security issues are identical across different companies, regardless of the sector.
How important are technologies, such as perimeter protection, video surveillance and mobile object security, at the Volkswagen premises?
Michael Schmidt: Of course, they are extremely important. All three elements are key components of building security. At its very foundations, modern plant security must be based on all relevant innovations. For this reason, we continuously review publications and trade fairs while also working with research teams. Interestingly, the Consumer Electronic Show (CES) in Las Vegas is one of the most important trade fairs for us. It also goes without saying that we use modern perimeter security that is based on minimum security standards. We combine it with fixed and mobile video technologies. And not only in Wolfsburg. At the moment, we are working on a building, which is independently monitored by a drone and the first of its kind. It is a very important technology, but needs to be used with a sense of proportion. We worked closely with employees from the very beginning, in order to involve them in the decision-making process. We also brought in other interface partners, such as the Luftfahrtbundesamt (German Federal Aviation Office), which greatly helped make the project a success.
What experience have you gained of internal plant security as opposed to external security providers? And what does the qualification concept look like?
Michael Schmidt: The Group includes a very diversified set of companies and brands globally. Sometimes we work with external security companies (around 85% of all security staff) and sometimes our own employees. Internal staff cover the main plant security tasks in our six German plants. It’s only when we have additional peaks in demand, for example, during major events or special projects (e.g. temporary security for construction sites) that we seek support from external security providers. Choosing the right security company is a hugely complex process that we are continuously working to standardise across the company. A great advantage of using our own plant security staff is, in my view, that they identify with our company. It also means we can have a direct influence on staff recruitment and development at all times. In terms of career background and qualifications, our plant security staff may have been anything from experienced former police officers to people who have moved sideways move from production. We have developed our qualification programme so that it is compatible with internal and external qualifications. The programme is delivered by our internal academy. We focus on providing comprehensive basic training. Our most experienced employees, as the experts, lead training sessions themselves. This includes monitoring and controlling vehicle and goods traffic, managing visitors, providing information and prototype security, training on the access rights to the premises, as well as standards relating to controls, internal security and customer orientation. We also ensure that our employees are trained as qualified security staff (by the Industrie- und Handelskammer [German Chamber of Industry and Commerce] – IHK) and/or emergency response officers.
You have a central security office at the Wolfsburg plant. How does it interact with other plants?
Michael Schmidt: Every Volkswagen plant still has its own central security office. Last year, at the Wolfsburg plant, we worked on a project to merge the central plant security office with the central fire protection office, in order to form an integrated central security office. In order to achieve this, we used cutting-edge technology and ergonomics. We operate it using our own specialist plant security and fire protection employees. In the future, we will provide training for security dispatchers working at the central security office. Our break-in, fire detection, communication and video technology is highly networked and runs on a central management system. Images are displayed at five individual workstations and on a monitor wall. The relevant resources are assigned to key words so that they can be used appropriately. In special cases, we work closely and with support from the government authorities, including the police and fire brigade. Each intervention is recorded in the system and logged in read-only format. Staff work in continuous shifts, providing cover 24 hours a day, 7 days a week. Based on the experience gained from the project, which incorporated existing fire and other security systems within a primary management system, we will explore and push ahead with the linking of security systems at other plants.
The crucial production sites, assembly halls, equipment and vehicle parts on the premises could be vulnerable to many different risks. How do you prevent and manage disruption and crimes, such as theft, sabotage, espionage and terrorist attacks?
Michael Schmidt: We use technical and organisational measures to do this. These range from technology-based protection of facilities using alarm systems, access control and video to human measures, such as fire protection and plant security. They may also include specialist departments, such as the internal investigation service, threat management, information and prototype security, crisis management, etc. We base all measures on risk analysis and written minimum security standards and security manuals.
Can you recommend an effective prevention model against corporate crime for other organisations?
Michael Schmidt: The most important factor in prevention is awareness. We regularly provide training on key vulnerabilities. In areas where incidents happen more often, we explain the potential consequences of dishonest or corrupt behaviour. The Compliance department supports us in this area by running campaigns. But each investigation aimed at preventing such incidents is discussed with the affected departments, so that we can also use the vulnerability analysis to rectify any issues.
Let’s take the key phrase of “security compliance”. How can you ensure that safety and security rules, operating instructions, alarm plans and other information on security and emergency organisation reach and are be taken seriously by all the different employees and visitors?
Michael Schmidt: In practice, this is a real challenge in large organisations. Regular training and exercises are crucial to success. Globally, we have a uniform reporting system across all brands. We feed the consolidated information into the global security organisation. In this way, all safety and security managers are kept up-to-date and can implement or discuss preventive measures that others have applied within their own departments. We have developed our reporting concept over many years. I think it is extremely effective.
How important are technical systems, such as fire, panic and break-in alarms, video surveillance and access control in terms of safety and security for a Group of this size?
Michael Schmidt: They are, of course, essential. Otherwise, it would be almost impossible to achieve any protection objectives. It’s also true that the best technology cannot be successful without human intervention.
Could you tell us about any particularly innovative modern security technologies?
Michael Schmidt: In my opinion, drone technology is especially important as it is future-oriented. I believe that we have a real competitive edge with our drone projects. Our prototype production facilities will be equipped with drone defence systems this year. At these sites, we can detect objects approaching by air and locate them using geolocation data. The system includes a mobile unit that can be “woken up” and activated by sensors. It means that we can bypass costly one-time solutions and tailor the concept to the situation. Plant security and the police can then be deployed to apprehend suspects. We have also constructed a mobile video unit (a Panomera camera) on an Amarok with fuel cells. The unit can be booked for use throughout the Group and is deployed wherever it is needed. Right now, we are looking at security robots, which are already used for fire protection and plant security applications. Furthermore, we regularly participate in the annual Outstanding Security Performance Awards (OSPAs), which we consider an extremely successful initiative. The security industry celebrates independent ideas, innovations and any outstanding achievements. In 2016, we entered with three of our top ideas and innovations. We won an OPSA for one of our concept ideas and, in 2018, we will compete again with several innovative ideas. As you can see, security can also be creative.
What have been your positive or negative experiences of using drones for plant security and the advent of this new technology?
Michael Schmidt: We anticipated years ago that drones would affect us at some point. The first negative incidents with drones happened shortly afterwards. We currently record around four incidents per year and recently manage to apprehend a drone pilot. This showed that the concept works. A hugely positive side is that we coordinate all drone activities for specific purposes, including logistics, real estate, fire protection, etc. This helps us cut through the many different sales pitches and gives us a real overview of what actually works.
How important is cooperation with local police stations, considering the growing threats associated with public-private partnerships (PPPs)?
Michael Schmidt: Hugely important! You can Google a press article about this in the Wolfsburg newspapers. We operate PPPs at all levels, not just locally, but also regionally and throughout Germany. We often send representatives to authorities on work shadowing placements, as part of their career development, and regularly exchange views at events or if urgent situations arise.
Security concepts are based on current risk and threat analyses. According to your risk assessments, what are the greatest threats to your organisation and how do you personally view the current risk and threat situation?
Michael Schmidt: Take a look at the world around us today. States threaten other states; there are failed states where order disintegrates from one day to the next, coups and revolutions, radicalisation through the internet, bomb threats and explosions in apparently safe places, and jihad may seem to be at our doorsteps; we are seeing extortion through virtual currencies like Bitcoin, thousands of hacker attacks day after day, fake news... the list goes on. In terms of security, the world that we live in is a kaleidoscope of illegality and criminality on an entirely new level. And it’s not just the sheer number of incidents that is new. What concerns me is that they are now extremely widespread and perpetrated with unprecedented complexity, sophistication and technological experience; boundaries are dissolving and the environment is unstable. Above all, because organisations are subject to increasingly stringent requirements. Internationalisation, combined with duty of care considerations, means that employers are increasingly responsible for taking care of their employees - at all times and in all locations. Global liability and executive liability are becoming more and more significant. Yet we cannot expect institutional security structures to be internationalised within the foreseeable future. It is well known that security tasks traditionally undertaken by the government are gradually being transferred to the corporate world. This means that security in relation to structures, operating methods and networks needs to incorporate different spheres. Security needs have also changed for global players. The areas of activity and skills involved in corporate security must also be developed as a result. As ever, we must demonstrate that we are a business enabler. That is our raison d‘être. It isn’t enough to simply update the old corporate security policy in a linear way. An “even better and more thorough” policy will not help us to deal with the complex threats of today. Nowadays, corporate security must be strategically planned if it is to successfully protect the company’s business interests. From the outside, we are seeing more cooperation and public-private partnerships between public institutions and businesses. Within the organisation, alongside the conventional partner “Revision”, IT departments have become a crucial partner when it comes to handling Security 4.0 issues.
What expert advice could you give to other security managers based on your professional experience? Do you have a personal guiding principle or philosophy on the subject?
Michael Schmidt: My colleagues don’t need my advice. All I can say is what’s important to me and helps me. And that’s the experience, opinions and support of experts in our sector and relevant partners. Call it a “network”, if you will. The second aspect, as ever, is “be prepared”. That’s the name of the game for any security manager. It may sound trivial and simple, but it forms the fabric of our work.