This is an insight into the exciting podcast episode with Christoph Schacher, Information Security Manager at Wienerberger AG. The conversation partner was Claudia Howe, GRC Competence Lead at avedos (now GBTEC).
Christoph Schacher serves as Information Security Manager at Wienerberger AG, where he is responsible for global information security and data protection. Wienerberger is the world’s leading brick manufacturer. The company based in Austria offers a vast range of products and services including energy-efficient homes, secure sewer systems as well as solutions for patios and outdoor surfaces. Creating digital solutions to meet tomorrow’s demands – for example, planning or design aids for end users or B2B clients – is a prime focus.
Wienerberger has been a client of avedos since the fall of 2017. Although it had originally intended to implement an information security management system, fulfilling GDPR soon emerged as the higher priority. The company, which employs over 16,000 people, generates 3 billion euros in revenues worldwide. Its presence extends across 30 countries in Europe and North America. The company operates over 200 plants in the relative vicinity of its sales markets, where sometimes several parent companies operate as well.
To check compliance with the data protection regulations, the company developed a maturity level model with one- to five-star ratings similar to Amazon evaluations. Its objective was to achieve a certain number of evaluations in the individual dimensions (i.e. organization, processes, processing directory, deletion). Since Excel sheets or questionnaires could not deliver a structured overview, they were not feasible options for a global company of this size.
The company needed to create an overview that covered all key requirements in a very short time. At this time, T-Systems suggested taking a closer look at risk2value (now BIC GRC Solutions). Wienerberger made a prompt decision to implement risk2value and quickly achieved initial wins as well as complete results worldwide.
The time frame between determining the necessity for data protection management and selecting risk2value was approximately one month. Thanks to the strong support from avedos and its wide selection of standardized content, Wienerberger was able to go live with its first questionnaires in a matter of weeks.
As part of its data protection management, Wienerberger has been able to map questionnaires that determine the maturity level and maintain its complete processing directory in risk2value. Its approach has two levels: data processing and the documentation of applications (e.g. IT applications).
Data processing for applicant management, for example, must provide responses to individuals outside of the company. Oftentimes, there are offline printouts or Excel sheets containing lists of rankings. The subsidiaries were given the task to input their IT systems and offline attachments so that they are accessible if needed. Mapping questionnaires was another important task. The subsidiaries then checked them to ensure that responsibilities were clarified, processes were implemented, and employees were trained. The maturity level, which is divided into several dimensions, was derived from this information. Thanks to the solution, Wienerberger has gained a central overview of its data protection management as well as the ability to break it down by region or product segments.
The avedos GRC podcast series was launched in February 2019 to explore the topics of integrated GRC, enterprise risk management, internal control systems and information security management. Five episodes are currently available and can be streamed through leading platforms including Soundcloud, Spotify and Apple Podcasts.