July 7, 2025
Iskro Mollov
Chief Information Security Officer, GEA
Iskro Mollov (IM): Broadly speaking, information security is about protecting company information, including of course digital data. This may contain sensitive customer, supplier and business partner information – as well as our own information, such as intellectual property, our financial and strategic positioning and the personal information of our employees. Protecting this information is first and foremost a holistic governance task. It aims to avoid hacking attacks, prevent espionage, ensure regulatory and contractual compliance, safeguard critical systems and prevent any kind of business interruption. Our stakeholders rightfully demand assurance that their information is secure – not only as part of normal operations, but especially during extraordinary circumstances like cyber-attacks or natural disasters.
IM: At GEA, we are looking at all areas and functions holistically to understand the company’s security risks. Based on that, we implement effective and efficient security measures. Information security is especially relevant for information technology (IT), operational technology (OT), our products and product development processes, internet presence, physical assets and sites, suppliers and HR. Crucially, security also comes with a big cultural component: A truly secure organization needs to instill a culture where security is second nature to every employee – no matter their role – as opposed to being regarded as the sole domain of security specialists.
IM: I have three overarching and interlinked responsibilities. The first is to continuously review and improve information security governance at GEA. In our team, we are driving multiple measures to achieve this. This includes steering our worldwide information security management systems (ISMS), achieving security certifications and compliance as well as overseeing security risk management, employee training, identity and access management, security incident response, performance measurement, audits and penetration tests. We also regularly test our digital systems and products via simulated hacking attacks.
Second is ensuring business continuity. That is, keeping GEA running smoothly even under extraordinary circumstances. This includes being prepared for different types of possible interruptions of our operations, like ransomware, production and supply chain interruptions, natural disasters, loss of utilities, social unrest, pandemics or legal issues.
Third is crisis management. Corporate crises can take many forms, and there were a few in the past due to the Covid pandemic and international (military) conflicts. One relevant scenario which we are diligently preparing for is of course a ransomware attack with global impact. Ultimately, crisis management is a complex and intense task which can involve many different corporate functions, requiring tremendous coordination.
IM: Pretty diverse, I would say! Our Information Security, Business Continuity and Crisis Management team is composed of professionals from all over the world and with many different professional backgrounds. We have experts in various security aspects, such as physical, IT, OT and product security as well as business continuity management and general security governance and risk management. Their educational backgrounds are very heterogeneous, too, including degrees in engineering, IT and business administration.
IM: Information security has evolved from a support role to a dedicated function that provides a competitive advantage in our industry. If done right, superior information security governance can be a decisive factor for winning new business. Sadly, cyber incidents are on the rise, as is espionage. For instance, nine out of 10 organizations worldwide experienced at least one ransomware attack in 2024. And phenomena like ransomware-as-a-service require only a few dollars and minimal effort for a potentially devastating attack. Nearly all companies in mechanical and process engineering, as well as many others, are rightfully embracing connectivity, AI and cloud-based solutions to reap the benefits of digitization. The downside: This goes along with an expansion of the attack surface. Furthermore, global supply chains have become more vulnerable, and we have all seen the geopolitical environment become more unstable over the past few years.
Additionally, the regulatory landscape is also becoming more complex: Extensive regulations like the Cyber Resilience Act and NIS2 in the EU directly address plant operators and plant builders. GEA is both. We not only operate our own facilities but also build plants and machinery for customers. This is an advantageous combination for us from an information security perspective: It provides us with comprehensive real-world experience regarding a broad range of requirements, possibilities and potential challenges in numerous industries. Based on our unique exposure and experience, we can offer leading and oftentimes highly customized information security solutions geared towards the latest regulatory requirements.
IM: Absolutely, this topic continues to grow in relevance. This is clearly reflected in the feedback we receive from sales colleagues across our divisions and regions; they all highlight the growing importance of information security in customer interactions. Customers need our help to grow their businesses. Offering excellent security governance is key to building and maintaining their trust and enables GEA to win new business.
IM: Many customers explicitly prefer to do business with companies that are certified, e.g. according to ISO/IEC 27001. This is an international standard for information security management systems. It specifies requirements for establishing, implementing, maintaining, and continually improving a comprehensive management system for information security within an organization. And for an increasing number of them, it is a mandatory prerequisite. Reputable certifications are standard for information security and provide our customers with objective and transparent insights into the strict information security standards we maintain at GEA. They are exclusively awarded by leading inspection institutions, like in our case the German TÜV Rheinland.
In 2021, GEA achieved the first ISO/IEC 27001 umbrella certification. This was expanded year by year to more GEA sites and legal entities. The most recent re-certification in 2024, this time according to the newest 2022 version of the ISO/IEC 27001 standard, covers all business activities at 53 GEA sites worldwide. This is an important achievement as ISO/IEC 27001 is the leading international standard for information security management systems – widely respected across industries. Our production sites and product development process are also certified according to IEC 62443-2-1 and IEC 62443-4-1, the leading standards for industrial automation and control system security. Those are also group umbrella certifications where we include more of our locations year by year.
IM: Our goal is to have all relevant GEA sites and products security certified by 2027 as part of our Global Security Program at GEA. Additionally, to further improve our ratings with international ESG standards, we aim to achieve a certification scope covering more than 75 percent of employees by the end of 2025. Another high priority task is to prepare GEA for more impending regulations. For example, the EU Cyber Resilience Act (CRA) will require manufacturers to consider cybersecurity throughout the entire product lifecycle, along strict standards and accompanied by extensive reporting requirements.
But even more important than those international topics is to support our customers and help them be more secure, compliant and prepared for the future. Thus, on the one hand, by providing secure GEA products and digital services and, on the other hand, by providing dedicated security products and services as part of the GEA offering, like GEA Asset Care.
IM: That’s simple: GEA is committed to relentlessly strengthening its information security governance to foster innovation and trust. Just like our reputation for engineering excellence, we want our high standards in information security to be a key reason why customers choose GEA. As we continue to excel in this area, we could potentially leverage the deep expertise we gained to help other industries. The complexity of our business and the legislative environment we deal with put us in a strong position here.