Engage users as people to take the IT out of security: J&J CSO

The role of CSO is often seen as a technical one, but Johnson & Johnson (J&J) global manager for enterprise security and risk management Angela Coble has found that her people-focused background in sales and marketing has helped dramatically change perceptions of the security organisation.

Having started at J&J over four years ago in a compliance role, Coble rapidly moved into information security and ended up as CSO. It was “quite a leap from a marketing and sales environment into a fairly full-on security role,” she told attendees at the recent CSO Perspectives Roadshow in Sydney, “but I found that my marketing and sales background, and my ability to see both sides of the table, technical and people, actually helped translate some of the issues that I saw.”

“This helped me break through to the directors and talk to my technical teams, which was very, very important.”

Despite stereotypes that security staff are “a pretty boring bunch” and questions about why she had moved to the “dark side”, Coble said she had found the company's security staff were actually anything but what that perception suggested.

“My team are so customer focused, and they do a fantastic job keeping the lights on all the time,” she explained. “That is the main difference with my security team from others that I have seen: we have a corporate responsibility that transcends organisational boundaries.”

That realisation led to some interesting conversations with business leaders from various organisations at different levels, many of whom had often seen the IT and security teams as business inhibitors. However, when Coble talked to her previous colleagues in Marketing, she realised that the biggest challenge was one of perception. “My profession had always been seen as the ones that would halt the business moving forward because we weren't able to keep up with the innovations that were required to let the business grow,” she explained.

One theme of her advocacy of IT security has been to position training and education in an accessible way that employees can relate to; Coble uses her 12-year-old son, who “knows enough [about the Internet] to be dangerous but not enough to be safe,” as a touchstone when considering how best to position her security-related user outreach efforts.

Considering how such a young person used technology helped focus education efforts around increasingly popular bring-your-own-device (BYOD) programs, and reminded Coble frequently that “the traditional borders we had found ourselves working with just weren't there anymore.” “We've got a completely different set of rules,” she continued, “but the one constant, no matter how much the technology evolves, is the people in that relationship. So I decided to do something different: try to remove technology from the discussion piece, and start to talk about the people involved in the relationship itself.”

For example, a suite of engaging education videos – filmed using real members of the security team – has sought to remind users about the importance of issues such as physical device security or protecting intellectual property.

“If we could just tell our company, families, colleagues and the broader community to use a tougher password, we could stop a third of the successful attempts from hackers wanting to get to our personal or company data,” she said.

“It's not a hard message to sell, and it's actually quite simple to get across. I took the videos home and showed them to my children, and they actually got it. The minute you bring these messages down to the level they need to be, they're actually very easy to sell.”

Delivering that simplicity, however, can be difficult when CSOs are too focused on high-level relationships and negotiations. If they can take a step back and think of security from a human perspective, the education process – and, in turn, overall compliance – becomes far easier.

“You don't have to spend a fortune on creating all of these videos or documents,” she said. “The fact that we can develop a very technology-agnostic and dynamic solution with simple tools is probably the biggest message I can give. There is a whole host of information out there that will help you create this personal touch to your security education programs. If you don't, you will be lost in the technology.”


Stories by David Braue
