Merck’s CISO Volker Buß on securing global operations

Volker Buß joined the German multinational science and technology company Merck Group in 2021. Merck is present in more than 60 countries and employs more than 60,000 people worldwide. Buß talks about his experience and how to handle a cyber attack.

The Merck Group employs around 63,000 people worldwide. How do you keep track of cybersecurity?

Buß: Fortunately, we have a highly dedicated team that tracks all aspects of the situation. Our security operations center is at the heart of this. Our colleagues are the first point of contact for all cybersecurity matters 24/7. They also prepare situation reports, evaluate constantly changing attack vectors, and conduct active vulnerability management. All of this helps us, in the best-case scenario, get ahead of the situation.

How can the risks in such a large company be controlled and how do you ensure cyber resilience?

Buß: A residual risk always exists; we are unable to fully control all risks. Therefore, we have implemented a risk management process that helps us identify and classify risks in a timely manner. The vulnerability of our systems and the threat landscape are continuously monitored.

Another important component is the area that enables us to resume normal operations as quickly as possible after a disaster. This, along with the defense mechanisms, should always be kept up to date. This is supported by a comprehensive training and awareness program that sensitizes all employees and provides tools to identify and minimize risks.

How does the Merck Group’s awareness program differ from other companies?

Buß: Our Love Security campaign is completely different from what’s usually done. The program goes beyond the usual training courses like anti-phishing campaigns—which we also offer—but our Love Security initiative operates not on a technical level, but on an emotional one. For example, we’ve decorated all visualizations with pink hearts to present the topic of security in a positive light. We’ve also designed poster campaigns and giveaways with these. Our goal is to engage every single employee and convince them that they can make their own contribution to security.

Have you ever experienced a cyber incident? If so, how did you deal with it and what did you learn from it?

Buß: Yes, unfortunately, I had to go through that experience. Not in my role at Merck, but elsewhere. I think the most important thing I learned from it and how I handled the situation was to stay calm, to trust the experts and colleagues, and to reassure them that everything they do has my backing.

What would you advise other CISOs in such a case?

Buß: What’s most important, in my opinion, is not to act too quickly and not to allow yourself to be pressured from outside. Instead, you should make clear and quick decisions based on an objective assessment of the situation. Speculation and “could-would-should” questions are, in my opinion, unhelpful in such a crisis situation. It’s also crucial to have the right experts on your side.

However, you can’t prepare for every situation or foresee everything. You have to accept that.

What security projects do you have planned for the future?

Buß: A major current project is addressing the questions and consequences arising from NIS2 for us as a company. We are also examining the opportunities and risks we see in developments in the field of AI. This means we are examining how we can effectively use artificial intelligence in the security sector to, for example, automate processes and for detection. On the other hand, we are also trying to understand the extent to which AI can be used by attackers in the future. This is also adding a new dimension to the topic of social engineering. Due to the misuse of AI, it is no longer possible to determine whether a person is actually sitting in the Teams call with you or whether the whole thing is a fake.

The original article, "Merck’s CISO Volker Buß on securing global operations", was found on CSO Online.