The number one objective: to create a secure and resilient IT environment for everyone.
A secure and resilient IT environment is a key cornerstone for all business processes at the Fresenius Group. As the largest clinic operator in Europe and the company with the most dialysis patients worldwide, there is a great deal of responsibility placed on the company’s shoulders – any issues with the IT systems could quickly become life-threatening for patients. At the same time, the IT landscape within the company is both complex and non-standardized, which makes protecting the entire system highly complicated. This all means that the IT Security department at Fresenius Digital Technology (FDT) plays a vital role in safeguarding the organization’s infrastructure, sensitive data and its production of medical products.
Our work centers around the security of the IT infrastructure and applications. We see security as an integral part of IT, and we approach it in line with the latest standards and best practices. One of the greatest challenges throughout IT at Fresenius is the lack of standardization between the different locations and business areas and, as a result, between their architectures, solutions, and software. Defining and following common standards is not always easy, but this is one of the things that makes our work so interesting!
It is often a bit of a balancing act: on the one hand, we always try to make business processes as secure as possible; but we also need to bear in mind the business segments’ practical requirements – we need them to be able to do their work as efficiently and at the same time as safely as possible.
We are looking for (cyber) security professionals. Specifically, this means people with relevant technical expertise, for example from a technical degree or equivalent vocational training (e.g. IT systems engineering, software development and similar areas). Relevant professional experience, ideally within IT security, is desirable.
People who want to change things and make progress, and who want to help create uniform structures in an extremely non-standardized environment are the right candidates for us. Our small yet powerful team is currently (2022) in the development stage, which provides lots of opportunities for personal progression and shaping your own field of work.
Besides technical expertise, we also place a high value on communication skills. After all, our work always involves balancing security requirements with the practical requirements of the different business areas. Our international nature means that we need our team members to be confident in German and English. Additional languages are also beneficial.
In addition, potential candidates need to be able to handle stress. Our work does involve structured projects that we can plan in advance, but working in IT security also means resolving urgent issues – after all, cyber threats generally come without warning. In this scenario, we all need to act quickly. Both generalists and specialists are equally welcome.
In Security Management, we create and maintain an integrated management system for information security (ISMS), which supports the safe implementation of the FDT strategy. This includes a governance framework, as well as the relevant processes, and the definition of technical and organizational measures (TOMs) for the operative level. We follow the group-wide guidelines here, as well as those included in certifications (e.g. ISO 27001) and regulations. We also update documentation and formulate policies. Furthermore, we cover what is known as “people security” – this involves running training sessions and raising awareness. One of our key tasks is creating transparency: for example, regarding the technical and organizational security measures for platforms and services at FDT, and adhering to organizational and regulatory guidelines.
In the field of Architecture & Design, we develop the security architecture, so it supports the company’s strategic goals. We define and implement controls and protective measures within the system environment to ensure the confidentiality, integrity, and availability of data at all times. We translate security requirements into specific measures and define the toolsets required for these. This work involves working together with relevant stakeholders across the company.
Our Security Operations work involves implementing technical and organizational measures at the operative level. This encompasses security activities across all levels, including servers, networks, cloud-based solutions, and software, as well as protecting employees’ individual devices – this concerns tools, virus protection, back-up solutions, etc. And, of course, the work also includes the proactive monitoring of incidents and attacks, as well as responding to these. We work closely with internal parties here, as well as Fresenius CERT and other areas of the company.
The large collaborative project Unity concerns restructuring part of the network design and implementing additional security features that relate to this. As part of the project, we are checking the requirements and assessing service providers with regard to security operations. Requirements are constantly changing and the recent Covid pandemic has shown that changes can happen very quickly and with very little advance warning.
Cloud Platform Security is another large-scale project. We are working together with our partners in the segments to ensure that all structures and applications operating in their own and partner environments are secure. By contrast, Endpoint Security focuses on the security of all employees’ computers. This ranges from suitable and up-to-date virus protection to dealing with user admin rights. For example, someone with an office job will need different access rights to a service technician. It is extremely important to clearly distinguish special admin rights from the rights of normal users.