Dear Martin Nachtigall, can you tell us something about your background? How did you get into IT security?
As a qualified electrical engineer (FH), I naturally also have a basic IT education. Although I had little to do with IT and IT security during my 16 years in sales and sales-related positions at a telecoms equipment supplier, the basic understanding remained. After changing careers to the PLM sector, the topic of TISAX came up again and again, as the customer base was predominantly in the automotive supplier environment. At the time, however, I didn’t have the motivation to delve deeper into this, as my employer at the time couldn’t offer anything in the area of information security. When I joined systemworkx, the topic of TISAX and information security was covered by a colleague on the sales side. As I was aware that this topic was becoming increasingly relevant and that the customers I had previously supported at my previous employer would need support, particularly in the area of TISAX, I familiarized myself with the subject. When my sales colleague left after about six months, I was appointed as her successor. However, our information security team doesn’t just include me, but also our consultants and IT specialists. This enables us to look at the need for information security issues from all angles and offer solutions.
What do you particularly enjoy about your job?
When customers proactively get in touch with a problem or need or when you identify a challenge in a customer meeting, and you know that you can help them. Only then does a deal develop that is profitable for both sides and leads to a good customer relationship.
What are you and your team particularly concerned with at the moment – what questions do customers approach you with?
Now, we are primarily concerned with how to deal with the growing number of enquiries and increasing complexity around information security. How can we strengthen ourselves sensibly in order to create additional capacity and possibly open up fields of activity that have not yet been utilized? One specific challenge at the moment is the changeover to the new VDA ISA 6.0 catalogue, which presents both customers and us with changes. Here it is important to bring ourselves up to date at an early stage, to adapt the required documentation and ultimately to be able to advise customers on what this changeover means for them individually. Many of our customers often enquire about the costs of TISAX® certification, or about a slimmed-down version for small customers such as engineering firms. We understand that transparency is important for many, but the costs and scope of certification always depend on the individual customer. Of course, most people are interested in the benefits of certification, which lie in strengthening corporate security and customer confidence. Our services go beyond pure consulting and include further support to ensure successful certification as well. We are at your side throughout the entire process.
Why is systemworkx AG the ideal provider when it comes to information security?
Because we not only have in-house expertise in TISAX and information security consulting, but also offer a holistic approach to increasing information security in your organization. We pursue a pragmatic approach that leads our customers to their goal with a “sense of proportion” in terms of costs and benefits.
What types of companies or industries tend to benefit most from your services?
In the TISAX area, our customers mainly come from the automotive supplier sector, which we also serve holistically with other solutions. Apart from that, in principle all industries are affected by the topic of information security and can be served by us. Our current focus is on the sectors that we already serve, the aviation industry, mechanical engineering and manufacturing companies in general.
What sets you apart from other well-known providers?
We offer a holistic approach in which, in addition to advice on information security, the customer also receives appropriate IT software, hardware solutions and the necessary managed services to ensure IT operations and increase IT security. In addition, we also offer vulnerability tests as an important part of identifying security gaps in companies and, based on our extensive portfolio, the opportunity to close them effectively.
Could you give examples of systemworkx AG’s unique combination of experts and software partners and how they underpin the offer?
Our employees are all experts in their field. For example, our information security consultants are not only trained in the basics of VDA ISA or ISO 27001, but they are also all auditors in their field and have extensive expertise, even outside of information security. Another good example of this is our expert who carries out vulnerability tests and has the relevant expertise in firewalls such as CheckPoint. There are various examples of this in our company, where experts also deal with various software partner products such as Veeam for backup, Graylog for event logging, Trend Micro for XDR/EDR and end-point protection and are certified accordingly.
How do you go about implementing an information security management system for your customers?
We rely on a structured process to ensure comprehensive information security. Once the contract has been awarded, the project goes through five phases. Firstly, we sensitize management to the importance of information security. In the next step, we carry out a scope and gap analysis to ensure auditability. Based on this analysis, we draw up an individual roadmap for the implementation of technical and organizational measures (TOMs).
In doing so, we consider the specific requirements of our customers. After defining and planning, we implement the necessary measures, taking all relevant aspects into account. We support our clients closely throughout the entire process, especially during the audit phase. This not only ensures successful implementation of the security measures, but also smooth audit execution. Our comprehensive support effectively strengthens information security and fulfils the requirements. Even after an audit has been passed, we remain at our customers’ side and offer further support, for example through selective coaching, internal audits, vulnerability analyses, provision of external ISBs, training and much more.
What information security tips would you like to give potential customers?
An information security management system and the associated audit is not a “one shot” action that should disappear into a drawer after the audit. In order to sustainably increase information security and thus protect yourself from the economic consequences of damage, it is very important to live the established processes and measures and incorporate them into your daily work routine. This is the only way to maximize the added value for your company from the investments made.
What do you think are false statements around information security, what do you perhaps see differently to prevailing opinions?
A widespread and, in our view, incorrect attitude is that information security is often equated with the terms data protection, IT security and data security and in this context refers to the IT department, which is responsible for this. Information security differs significantly from data protection, IT security and data security. Data protection focuses on the protection of personal data, which is partly at odds with information security, which is aimed at comprehensive data collection and analysis. IT security only refers to the protection of information technologies, which is only one aspect of information security. Data security focuses on protecting data from loss or damage. In contrast, information security not only covers data and technologies, but also integrates processes and people. Its aim is to protect information as a whole. Information security requires a company-wide responsibility, driven and supported by management, and goes beyond the purely technological level.
What’s next – what’s on your roadmap, what are your plans?
Based on the growing demand for information security, we want to increase our personnel, especially in consulting. We are also endeavoring to expand our expertise in IT security and vulnerability testing and to create redundancies, both in terms of the technologies used and in terms of personnel.