For many medium-sized and large companies, Industry 4.0 and ever-growing collaboration networks offer far-reaching opportunities: more automation, intelligent monitoring, more flexible production and smart data exchange. With advancing digitalization in industry, however, many new challenges are also emerging. Questions of data security and business continuity management take on a whole new weight in the context of comprehensive networking in industry: How can I ensure process and data security, productivity and the ability to act in the company and in my network? And how can business impacts and risks be minimized if data flows or IT systems suddenly fail? According to a recent BITKOM survey, 52% of German companies cannot respond adequately to data loss and IT failures because they lack business continuity management.
Schmalz's data protection and emergency management officer Hermann Huber explains how the medium-sized J. Schmalz GmbH, an Industry 4.0 supplier and winner of the Baden-Württemberg Security Prize 2015, managed the balancing act between business, security culture and compliance.
The specialist for vacuum technology Schmalz employs around 850 people at its headquarters in Glatten and numerous foreign branches.
"Until two years ago, the topics of IT security, data protection and business continuity management at Schmalz were handled in addition to day-to-day business, so to speak; they finally reached the management agenda due to various 'near-disasters' in the nearby corporate environment," says Hermann Huber, describing the initial situation.
For the first time, the focus shifted specifically to how well the company was prepared for disruptions to or failures of its operational processes, and what economic damage was to be feared. An awareness campaign, in which among other things the process administrators were asked how well prepared they were for an IT emergency, revealed latent weaknesses and at the same time helped raise awareness of this important topic.
There is often no budget for security
Hermann Huber attributes the fact that integrated concepts for IT business continuity management have not yet been widely adopted in Germany, despite the need for them in complex IT networks, to a lack of awareness of responsibility and to dominant cost-benefit considerations: Why should I, despite more "acute" open issues, invest in a concept that does not bring visible ROI?
The answer to this self-critical question was clear for the world market leader in vacuum technology for handling and automation: If a system failure occurred today, it would bring not only the headquarters in Germany but also the operational business of the 17 affiliated subsidiaries worldwide to a standstill.
No initialization without the management
Many companies, especially at middle management level, are aware of the need for IT business continuity management because they face similar constellations, but often do not know how to approach the topic strategically or how to win advocates at management level. "Because without the commitment of the management, such a complex, cross-departmental project is doomed to fail," warns Hermann Huber, who has for many years examined, audited and supported large corporations in the field of IT security and IT business continuity management.
As a rule, people are the greatest hurdle to be overcome here, since resistance to change projects that stems from human fears is not always communicated openly, but often only comes to light in reactions. The persuasion work therefore has to be done top-down, in order to emphasize the common goal and at the same time the personal benefit for each individual involved in the process, and to reduce resistance at an early stage.
Managing Director Wolfgang Schmalz (left), data protection officer Hermann Huber (right) with Interior Minister Reinhold Gall at the award ceremony for the Security Prize 2015 (Messe Stuttgart).
"Without the commitment of the management and the firm integration into day-to-day business, business continuity management will not work," Hermann Huber knows from experience.
The first step was to adapt a project plan based on theoretical knowledge to the circumstances in the company and to formulate concrete goals. An initial comparison of the requirements with what the market offered was used to define the lowest common denominator and a project profile, together with the schedule and budget.
Mapping of emergency processes via ticket system
Critical IT systems have to be operational again within four hours: so much for the theory. What this means specifically for IT and the emergency processes, and how quickly replacement systems and documentation have to be provided, was the subject of a subsequent, short design phase. "It was important to us to quickly transfer the basic considerations and the project into an operational phase with tangible progress," explains Huber. "That is why we used our existing EcholoN service management system to create our critical IT systems as business services, to map the associated emergency processes and to add documentation from our administrators." The initialization phase lasted a total of five months, until the 200 or so emergency processes had been mapped in the system, assigned to the responsible process participants, representatives or service providers, and finally transferred to the line function.
Integrate documentation into day-to-day business
One of the main challenges for sustainable project success was therefore to integrate the documentation of IT and core processes into day-to-day business. The most common cause of failed emergency scenarios is outdated documentation, which an external service provider or emergency management representative can only partially reproduce. Schmalz solved this central challenge with a small intervention that had a great effect: it commissioned the EcholoN manufacturer mIT solutions GmbH to design a function that asks the administrators to update the emergency processes and documentation every six months, so that the emergency processes in the ticket system can never be "closed".
"It worked extremely well. In this way, we were able to ensure that our IT business continuity management system always remains up-to-date and 'lives'. If you distribute these tasks evenly over the year, you have achieved the goal of successfully integrating IT business continuity management into day-to-day business," says Huber.
Since then, all completed operations have also served as quality documentation: Was something done in an incident, was it done correctly, or are further steps still necessary? Before an operation "rests" for six months, emergency officer Hermann Huber receives it in the system for review and can react immediately if necessary, in addition to the existing escalation routines.
If IT fails, the processes come to a standstill: fatal in the collaboration networks of Industry 4.0
Daily updated emergency process folder at the push of a button
Schmalz also dealt with the question of how to create a daily updated emergency process folder in paper form that also meets the requirements of an auditor.
"As we regularly update the documentation of our 200 process operations in the system anyway, we are able to generate an up-to-date overview at the push of a button using the report generator integrated in the system. Business continuity management reports for the management or evaluations for quality control can also be generated with just a few clicks thanks to standardized reports," explains Hermann Huber.