By Bruce Sussman
Wed | May 8, 2019 | 9:22 AM PDT

As the Information Security Officer for pharmaceuticals at GlaxoSmithKline (GSK), Dawn-Marie Hutchinson helps secure the drugs that millions of people depend on around the globe.

And how does she view this Information Security Officer role? What does she say is part of her Information Security Officer job description?

Let's go with business enablement, team motivation, and ensuring privacy promises are kept through security. 

Along with a few other things.

We asked about her role after her keynote at SecureWorld Philadelphia. Watch her complete answer or see excerpts below: 

[SecureWorld] Tell me about your role and how you view yourself as a CISO within this organization.

[Dawn-Marie Hutchinson] I'm the Pharmaceuticals Information Security Officer, so I actually report to the Global Information Security Officer. So I'm responsible for pharmaceuticals research and development and the pharma supply chain, which means I have a really large purview, a really large administrative oversight, and my job isn't to secure the technology and that organization. It's to secure the business of what we do.

From designing and developing drugs, to producing drugs, to selling the drugs—that whole business chain. I have to secure the entire business chain, and that's what my role is. I think as we transition from tech-focused security and focus more on business-centric security, you know, business alignment as my primary objective.

[SW] And how do you get your team on board with enabling the business, but also maintaining security? How does that balance appear in your mind?

[Hutchinson] So it's a new kind, I think it's new for everybody. But one of the things I've been doing with my team is I bring in outside experts to speak to my team just to teach them to help keep new information coming in.

I think for any organization, as my experience as a consultant showed me, is that when organizations always are looking inward, when there isn't money for training and there isn't money for opportunities like SecureWorld, that staff gets stagnant.

And it's hard for them to see business enablement if they're not hearing it from people like me on conference floors. So, finding opportunities for them to get new information beyond just what they see and do on a day-to-day basis.

[SW] One of the things that I know you mentioned was that you've been on both the privacy and security sides of the house. Tell me how those are linked and why you think that link is crucial.

[Hutchinson] So privacy really speaks to how we use data. How do we collect it? Does the person that's giving it to us know what we're using it for? And are we honoring the relationship with that data subject? That's really what privacy is about, managing the integrity of the relationship.

Privacy doesn't exist without security, because we can't honor that relationship that we're going to protect the data, without security. So security’s role really is to understand the business reason why we collected it, and support the continued protection of it, whether it is who has access to that data, how it’s transmitted, how it moves through the organization.

My job is to care for the customer. And so while privacy is more of the forward face of the customer and understanding what their rights are, mine is more of a quiet backstage role ensuring that the privacy promises that were made are here too.

Curious about how others describe their cybersecurity leadership roles?

Check out these reports in our ongoing series:

The BISO Role at US Bank, 'This Is What I Do'

VP of Information Security Role at Netflix, 'It's About Business Enablement'

My Chief Security Officer (CSO) Role at SMU, 'This Is How I Approach It'

After interviewing so many cybersecurity leaders across North America at our regional conferences, it's clear that a boilerplate definition of cybersecurity roles has limited value.

Because culture within an organization plays a significant part in how specific roles are defined.
