By SecureWorld News Team
Thu | Apr 18, 2019 | 1:57 PM PDT

When my son has a sudden asthma attack, he takes a couple of puffs of Ventolin from his rescue inhaler. Suddenly, his airways are open again.

Ventolin is made by pharmaceutical giant GlaxoSmithKline (GSK) and the researchers and scientists on its payroll.

However, we just discovered something else.

There is a cybersecurity team that secures the entire pharmaceutical process.

"From designing and developing drugs, to producing drugs, to selling the drugs—that whole business chain. I have to secure the entire business chain, and that's what my role is."

Dawn-Marie Hutchinson is the Chief Information Security Officer for Pharmaceuticals and R&D at GSK.

I met Hutchinson just before she took the stage to keynote SecureWorld Philadelphia 2019.

She went on a fantastic deep dive into next gen data governance and the ways security must adjust with this shift.

After her keynote, I interviewed her about many topics: identity-centric security, digital transformation, security as a business enabler, InfoSec adjusting to new buzzwords, how she views her role, big pharma's cyber adversaries, and more.

Watch our discussion with Dawn-Marie Hutchinson of GSK here: 

[SecureWorld] Something you said at the very end of your presentation was that you believe in "identity-centric" security. How do you define that and why does it work?

[Dawn-Marie Hutchinson] So identity-centric security really speaks to moving the controls closer to the person engaging with the data. So if you know who has access to the data and you can manage their access to systems and data better than some of those other controls, I don't want to say they become less important, but we can stop a bad actor in your environment if they can't escalate credentials or privilege escalation is harder.

So building security controls around who has access to data really puts security at the center and data at the center of all your activities.

[SW] You were also talking about digital transformation and how it suddenly appears in an organization.

[Hutchinson] Digital transformation really speaks to enhancing either the user interactions or the experiences of your customers, but it results in new types of data, new data feeds, the exchanges and sharing of data. So digital transformation has come and it's a clear and present business objective, and if security is really going to be a supporter of business, they need to get on board with digital transformation and understand how data now moves, the new data environment moves.

[SW] About how it can hit security out of the blue sometimes?

[Hutchinson] Yes, so security, there’s a little bit, a kind of a joke, right? There's a new buzzword, and then someone sets up a meeting to talk about the buzzword, and then suddenly you see signature lines have buzz lines and buzzwords in them, and people are seeking training for the new buzzword.

And then whole groups of staffing plans and organizations, job families, grow out of this new buzzword. We saw it in security with APTs. We see it with cloud, with IoT.

And so we love buzzwords, and I think I use those slides from my digital transformation team because it happens to us in security too, and it's just one way to remember some things are buzzwords and some things are actually really critically important to the business, and defining the difference will really help your career.

[SW] Tell me about your role and how you view yourself as a CISO within this organization.

[Hutchinson] So I'm the Pharmaceuticals Information Security Officer, so I actually report to the Global Information Security Officer. So I'm responsible for pharmaceuticals research and development and the pharma supply chain, which means I have a really large purview, a really large administrative oversight, and my job isn't to secure the technology and that organization. It's to secure the business of what we do.

From designing and developing drugs, to producing drugs, to selling the drugs—that whole business chain. I have to secure the entire business chain, and that's what my role is. I think as we transition from tech-focused security and focus more on business-centric security, you know, business alignment as my primary objective.

[SW] And how do you get your team on board with enabling the business, but also maintaining security? How does that balance appear in your mind?

[Hutchinson] So it's a new kind, I think it's new for everybody. But one of the things I've been doing with my team is I bring in outside experts to speak to my team just to teach them to help keep new information coming in.

I think for any organization, as my experience as a consultant showed me, is that when organizations always are looking inward, when there isn't money for training and there isn't money for opportunities like SecureWorld, that staff gets stagnant.

And it's hard for them to see business enablement if they're not hearing it from people like me on conference floors. So, finding opportunities for them to get new information beyond just what they see and do on a day-to-day basis.

[SW] One of the things that I know you mentioned was that you've been on both the privacy and security sides of the house. Tell me how those are linked and why you think that link is crucial.

[Hutchinson] So privacy really speaks to how we use data. How do we collect it? Does the person that's giving it to us know what we're using it for? And are we, are we honoring the relationship with that data subject? That's really what privacy is about, managing the integrity of the relationship.

Privacy doesn't exist without security, because we can't honor that relationship that we're going to protect the data, without security. So security’s role really is to understand the business reason why we collected it, and support the continued protection of it, whether it is who has access to that data, how it’s transmitted, how it moves through the organization.

My job is to care for the customer. And so while privacy is more of the forward face of the customer and understanding what their rights are, mine is more of a quiet backstage role ensuring that the privacy promises that were made are here too.

[SW] Let's talk about data governance, which is kind of the point of your keynote or a big section. What are we missing right now around data governance? Where do we need to be looking?

[Hutchinson] The piece we're missing is around the business side, you know, we tend to focus on structured systems. We tend to focus on applications, and the ones and zeros moving around our network. Where we're not paying attention is the business process that's using the data.

So, oftentimes, I say to folks about third parties: sometimes the best way to find all of the third parties we're working with is to go to Accounts Payable and find out who we’re paying.

And the same is true when it comes to data. Sometimes we need to take a step back and go right to the business and find out how is the data coming in, particularly in digital transformation. How's the data coming in? How is the business using it? Because oftentimes there's people with spreadsheets doing tremendous amounts of activities on spreadsheets that we don't know about. And that's data that requires protection.

[SW] About the pharmaceutical industry in general, what are the cyber adversaries, what are they looking for?

[Hutchinson] Every industry has a different set of threat actors. And the first thing we do when we do threat mapping is we start to talk about who are they? For GSK, we're not likely combating [typical] cyber criminals. We're likely looking at cyber espionage, other companies looking to interfere with our production, or nation-state actors.

If it's a cyber espionage situation, they either want to steal the work we've been doing or they want to interfere with our production. So those are kind of integrity availability questions, generally. When we look at nation-state actors, nine out of 10 times they're looking to steal information.

[SW] Okay, last question, why have you been involved in SecureWorld?

[Hutchinson] So, I really like SecureWorld because I feel like it brings good security content to companies who otherwise can't afford to send their employees all over the country. It keeps security from being a boondoggle and focuses more on information that they need. I think the accessibility of SecureWorld is why I've always been committed to coming and presenting here.

Because if we reserve RSA level speakers only for RSA, right, that's not helping the security community. We need to have those same speakers that are available there available locally, and I think that SecureWorld has pulled that together.

~~~

And personally, I'm glad Dawn-Marie Hutchinson pulled a specialized cybersecurity team together at GSK.

A team that watches over the security of product development, including the rescue inhaler my son uses. And the 1.9 million GSK vaccine doses that are given each day.

It reminds me of what JPMorgan Chase CISO Jason Witty told me a couple of years ago: "Cybersecurity is no longer just data security. Cybersecurity is life security."

And in more ways than ever, this is becoming true.

