This week, I had a unique chance to interview Monica Zirkler, Cybersecurity Awareness & Training Specialist working for BASF, the biggest chemical company in the world. Monica is an international expert living in Germany who gained invaluable expertise in one of the most interesting and most complex fields of compliance, namely cybersecurity. Enjoy this absolutely insightful interview to learn more about what cybersecurity means in our world and what it means to be responsible for providing global training sessions to thousands of people every day.
You work for BASF, the world’s biggest chemical company headquartered in Ludwigshafen, Germany. You are responsible for providing cybersecurity training which, in the world of today, has become one of the most essential pillars in the defence mechanism of every company. What is the biggest threat for chemical companies such as BASF in this regard?
Allianz ranks cyber incidents as the #1 business risk worldwide – meaning that BASF is not unique at all in this regard. The potential impact on any organization can be anything from financial losses and disruption of services to data breaches and even physical harm to people and the environment. Attacks can range from opportunistic scams to sophisticated, state-sponsored campaigns designed to influence or cause damage.
In the past years, there were several cyberattacks against chemical companies. What was, in your opinion, the most dangerous cyberattack in the past years, and what can we learn from it?
I read about cyberattacks every day and the ones that stop me in my tracks are always the ones with real, human consequences. As far as bad goes, the Triton attack against a Saudi petrochemical plant in 2017 is widely regarded as the most dangerous cyberattack ever discovered in the chemical and process industry – the malware was designed to directly manipulate the industrial safety systems that protect human life.
The world is such an interconnected place – you only have to think about the impact of geopolitical conflicts – that any cyberattack can have severe knock-on effects. For instance, a ransomware attack on an IT provider in 2023 paralysed five hospitals in Ontario. When critical healthcare systems are compromised, or your patient file and social security number land on the dark web, things become scarily personal.
Although I’m an optimist by nature, what we can learn from all this is that cyberattacks are not a matter of if – but when. Organizations must have robust crisis management in place to be prepared for when they do.
You are responsible for the training aspects of a company which operates in 93 countries, has 234 production sites and employs more than 108 thousand employees (as of December 31, 2025 according to the BASF Report 2025). How do you perform such a massive task?
I can’t! Cybersecurity is a team sport, and any organization needs local multipliers who can identify training needs, pain points, and generally be an ear to the ground. Each and every one of us is responsible for cybersecurity, and for making cybersecurity a habit that we practice every day – by taking a second to hover over a link in an unexpected email, or pausing before reacting to a strange popup.
What I can do is support community enablement with concepts, materials and engaging awareness formats that these multipliers can either adapt to local circumstances or use out-of-the-box. This is a big part of my day-to-day.
The CEO of FireEye, Kevin Mandia, said that cybersecurity is like a game of poker: you always have to stay one step ahead. If you could summarize the most important takeaway of your training sessions in one sentence, what would it be?
Think critically. Even the most advanced technical security measures are not foolproof, so it is up to us – as humans – to catch what slips past the filters. You need both: strong technical defences and vigilant employees.
You may have heard the term “social engineering” before – “hacking” the human element using psychological tactics like fear, urgency and flattery. You’d be surprised how effective these tricks are – and no-one is immune, not even security professionals! Critical thinking is our best defence against this kind of manipulation.
If we talk about cybersecurity, another topic has to be considered and that is AI. Through threat detection and prediction, enhanced authentication or autonomous response systems, AI has unlimited potential when it comes to cybersecurity. In your opinion, what is the role of humans in this new world? How can we harness artificial intelligence and carry human responsibility at the same time?
Agreed. AI is a game changer for both sides – attackers can use it to craft better phishing emails, automate attacks and create convincing deepfake images, audio and video. But AI can also be used to harden a company’s technical defences, too.
As for human responsibility: Again, critical thinking is everything.
AI has democratized the threat landscape: it only takes a few dollars and eight minutes to create a deepfake and the technology is now so good that only one in four people can spot a deepfake. We can’t trust our eyes and ears alone – we have to think critically and ask ourselves: Why is a person in a position of authority contacting me privately about a “confidential matter”? Why would a government agency ask me to click on a link and enter personal details? (Spoiler: they wouldn’t.)
If you let me ask one personal question: you are an Australian-born, international expat with tremendous experience behind you. What was your calling to work for the world’s biggest chemical company in Germany?
Working for a company with such a global reach gives you the ability to really move the needle on cybersecurity awareness – not just professionally, but privately as well. Anything you learn at work about safe browsing or common scams can be applied at home as well.
It’s also incredibly rewarding to work with such inspiring colleagues around the world. I love being part of a team that works together on something that can have such a positive, real-world impact.