"It is always about finding a balance between security and usability"
Daniel Schmitz has an intriguing job title: he is a Security Architect within the Fresenius Digital Technology IT Security team. In this interview, he reveals all the different tasks that this encompasses.
I am really inspired by the opportunity to play a part in developing a comprehensive security strategy in a large company.
Lots of things spring to mind when you hear the words “IT security”. What is it that your department actually does?
Daniel Schmitz: As the IT Security department, our job is to implement the groupwide security strategy. In other words, to ensure the availability, confidentiality, and protection or integrity of data and information across all of the platforms and services within our remit. We are building a security infrastructure that is able to guarantee this for the entire corporation. My responsibility within the IT Security department lies in endpoint security. This means that we implement the appropriate processes and measures to protect each individual work computer against risks.
What does this mean in concrete terms?
Daniel Schmitz: One example is that when our cyber community agrees upon regulations concerning virus protection, it is our job to put these into practice. We draw up a practical policy for this and ensure that an appropriate solution is installed on every computer and kept up-to-date. We make sure that the entire IT infrastructure is monitored so that we can respond quickly to incidents. We work closely with the respective stakeholders within the group, as well as with external service providers. Finally, we set up tools and support processes so we can protect all employees against cybersecurity attacks.
What challenges do you face in your work?
Daniel Schmitz: The constant challenge is to anticipate potential dangers and to stay one step ahead of potential attackers. On the one hand this means that we need to keep an eye on what’s going on and make sure that we can fend off cyberattacks using the existing technology and the established protective measures. On the other hand, I am constantly looking for new tools to ensure that we can stay ahead of the game. And we need to constantly update existing measures so they are suitable for situations that may be different from those expected. The human factor is another danger that we need to be aware of. This includes phishing attacks, which are getting more and more sophisticated. Here we need to raise awareness among employees so they are aware of the dangers and don’t fall prey to phishing attacks.
Our work is always about finding a balance between security and usability. After all, there is no point having a highly secure system if it is too complicated for users – for example due to long-winded login processes or an over-active firewall that makes it difficult to use normal web applications. For users, it is often more convenient when there are very few guidelines to adhere to, but this can in turn create gateways for cyberattacks. Our challenge is to find the right balance between these two conflicting factors.
What is your background? How did you end up at Fresenius?
Daniel Schmitz: I have over 10 years’ experience working in consultancy and IT security. During this time, I have worked across a number of different roles, including managing a 24/7 support team, working as a security software product manager, advising companies on IT security, and featuring as a speaker and contributor at industry conferences. I have been working for Fresenius since 2019. I am really inspired by the opportunity to play a part in developing a comprehensive security strategy in a large company.
What skills do people who want to work for Fresenius need?
Daniel Schmitz: They need the relevant technical background and an interest in security architecture. Communication skills are also important, as we have to work closely with lots of different departments within the corporation, as well as with external service providers. Stress resilience is also advantageous as cyberattacks don’t respect office hours – things can get quite hectic. But on the plus side it means things are never boring! A desire to keep learning is also important – you won’t get anywhere without this. We are a relatively new centralized unit and so there are lots of opportunities to shape the work and processes. Potential candidates should relish this opportunity and not be expecting structures that are set in stone. On the other hand, we are working on projects across the entire global corporation – it is about thinking big and enjoying the process of defining and implementing standards.