An invisible shield around IT systems – a look at the work of a cyber security consultant

Article: An invisible shield around IT systems – a look at the work of a cyber security consultant

Markus Eifler helps to keep Deutsche Bahn's IT applications safe and secure. As part of a dedicated cyber security team, he is responsible for organising the security tests that DB Systel uses to test the DB Group's applications, infrastructure and OT components for security vulnerabilities.

In this digital age marked by the proliferation of digital tools and products, cyber security is a business-critical priority. The secure digitalisation of Deutsche Bahn is a particular priority for DB Systel, whose "Digital Security Consulting" unit offers a range of security consulting services to the DB business units. Markus is a member of the "AppSec" (Application Security Specialists) teams, where he is responsible for supervising what are known as "penetration tests" (or "pentests" for short).

The security squad for railway applications

Markus's official role is "Business Consultant Penetration Tests". It's a role that involves a variety of tasks, from coordinating and organising the tests with the three AppSec teams to supporting the teams and product owners on a day-to-day basis. He concentrates on interface work with the Group partners, customer communication and sales management being his specialities. These pentests are an essential tool in cyber security. They simulate hacker attacks in a controlled environment, using the same kinds of methods and tools as a real attack. The applications are selectively and systematically scanned for vulnerabilities in order to pre-empt potential problems. The testers look for vulnerabilities such as incorrect authentication, try to infiltrate foreign program code, and search for breaches that could be used to "break out" of software and access the server's operating system.

Because they are so important, pentests are included in Deutsche Bahn's security requirements and are mandatory for all new and existing IT applications. The three AppSec teams conduct around 400 of these tests a year. So, Markus has a lot to coordinate. It can take several months from initial contact to test completion as the Group partners usually announce the mandatory tests well in advance. This means that Markus always has to keep track of numerous small projects at the same time. Testing consists of consultations, preparation, the test itself, a final pentest report and, if required, a final presentation. Sometimes Group partners simply get in touch with content-related questions, which initially end up in his inbox as well.

"Within DB Systel, you are always free to develop professionally and change your area of responsibility."

Beforehand, Markus had already worked in IT security at Deutsche Bahn. In his previous role, he was responsible for organising, designing and delivering training courses as part of the awareness and training team in the Digital Security Consulting unit. Topics such as password security in everyday working life and security aspects for consultants in IT projects were part of his daily routine. He really enjoyed his time there too but is now looking forward to becoming familiar with more rail projects and applications at close range.

Cyber security

At Deutsche Bahn, around 300,000 people work on essential infrastructure for the entire population. Ensuring the cyber security of information technology (IT) and the digital infrastructure used in rail operations (operational technology, OT) is therefore an important task with many facets.

A DB Systel "Sprintstarter"

Markus joined DB Systel in 2017 straight after university. He had studied business IT and was looking for an option that would offer him a structured start to his new career. Like many graduates, he didn't know exactly what to expect from professional life after university, despite having studied for so long. However, he knew that he wanted to work for a well-known company that also had a positive and sustainable footprint. That's why he chose DB Systel, where he was one of eight newcomers on the first Sprintstarter programme. This is a programme for recent graduates that provides structured career support for the first few months. All eight trailblazing "Sprintstarters" are still with Deutsche Bahn today.

"If you're interested in IT but can't find the right position with us, apply anyway. We'll find the right position for you."

Markus spent his first few years at DB Systel working in CRM (customer relationship management). His tasks included dealing with the security and data protection requirements of customer relationship software solutions. When he decided that he wanted to focus on developing his skills in the security area, he moved to DB Systel's Digital Security Consulting unit.

How do you become a cyber security consultant?

Markus is still new to the AppSec team. His position was newly created so that there would be a distinct role for project and contract management. Markus enjoys the variety of topics and perspectives that make up his job: "Because a pentest is mandatory throughout the Group, you get to know every system used at Deutsche Bahn. You never stop discovering new things."

To work in this kind of interface role in security, you should at least have a basic understanding of how IT systems work. A degree in business IT or a business degree with an interest in security would be an ideal foundation, he says. And it goes without saying that a broad understanding of IT security and an interest in continuing professional development are also important. Markus also enjoys the sense of camaraderie and the enthusiasm of his fellow team members: "Everyone's intrinsic motivation is very high. They are all very competent and technically adept. And even though we are all very busy, there's a really strong team spirit."