How Pfeifer & Langen IT-Solutions KG eliminates shadow IT and makes KRITIS compliance verifiable

As the internal IT service provider of Pfeifer & Langen Industrie- und Handels-KG, a leading manufacturer in the food and luxury food industry, the team faces the challenge of ensuring the compliance of decentralized systems. The company uses LocateRisk to continuously identify and evaluate its external attack surface. This supports both day-to-day defense and audits.

The networking of IT and OT as well as growing infrastructures are increasing the complexity of the IT landscape. At the same time, decentralized system implementations and service provider connections are making complete transparency of the digital footprint ever more demanding. Jörg Marczinek, IT Governance Manager at Pfeifer & Langen IT-Solutions KG, faced precisely this challenge. "Due to the networking and expansion, we have many more external service providers that we have to coordinate," explains Jörg Marczinek. Specialist departments commission agencies, register domains or set up servers in order to remain agile. However, these systems are not always recorded in the central IT administration. "There is already a server somewhere that is not secure, but over which we have no control," says Jörg Marczinek, describing the challenge.

From sporadic checks to a continuous overview

Before LocateRisk was used, there was no structured overview of the external IT attack surface. Sporadic engagements with IT service providers provided only snapshots. The idea of commissioning LocateRisk came at an IT event in Düsseldorf, where the then still young start-up presented itself professionally and competently.

The primary goal was transparency. "It was about establishing a systematic approach and gaining an overview of which servers and domains are susceptible to attacks and highlighting security gaps," says Jörg Marczinek. The first scans also revealed systems that were assigned to the company by name but were not under its direct control, an important step towards clarifying responsibilities and cleaning up the assets.

Support with audits and insurance issues

Today, quarterly analysis is an integral part of IT security. The solution is particularly helpful when communicating with inspectors and auditors. "We can present the report to inspectors and auditors and prove that we carry out regular risk analyses for the external IT infrastructure," explains Jörg Marczinek. This creates trust and speeds up the processing of inquiries. Although the scans do not replace the complete internal documentation, they do provide the necessary data points to objectively substantiate the current security status.

Compliance risks at a glance: NIS-2 and GDPR

In addition to the technical inventory, the team uses the Compliance Mapping from LocateRisk. The function visualizes how well the servers and domains in the scope are set up with regard to standards such as GDPR and NIS-2. "I'm responsible for regulatory issues, so it's helpful to get direct indications of vulnerabilities without having to investigate them manually," says Jörg Marczinek. Even if the visualizations sometimes paint an optimistic picture, they help to focus on areas where action is actually needed.

Conclusion: Automated processes in response to growing IT infrastructures

For Pfeifer & Langen IT-Solutions KG, the change from sporadic audits to continuous monitoring has proven its worth. The key benefit lies in the validation of the company's own perception through an objective external perspective. "For us, the ongoing identification and evaluation of our external digital presence is absolutely essential in order to close the gap between documented IT and actual exposure on the network," summarizes Jörg Marczinek. The next steps have already been defined: In future, the results are to be incorporated into incident management in a more automated manner in order to further streamline processes and shorten response times.

  • Create visibility: Overview of external attack surfaces and IT security vulnerabilities.
  • Audit Support: Objective evidence in the context of audits.
  • Compliance Mapping: Visualization of the external IT security status in relation to existing laws.
  • Structure: Establishment of a continuous, automated testing process.
