Johnson & Johnson champion people-based security strategy

The strategy highlights how having the latest technology and processes is not a foolproof solution to information security

Johnson & Johnson’s IT security team is championing the people element of its cyber security framework.

The idea behind the strategy is that a more rigorous focus on people and culture acknowledges that having the latest technology and processes is not a foolproof solution to information security. The approach is explored in a new cyber security handbook released by the CIO Executive Council Australia.

“When I took over this role, the first thing I asked is ‘what’s the [people and culture] strategy that we've been following?’” says Pablo Diez del Corral, global director, enterprise security and risk management at Johnson & Johnson.

“I got great documentation and presentations saying we’re implementing an IDPS system and deploying web filtering appliances, and we’re doing this and that, so I asked – are we only dealing with machines? The security function was properly staffed in all other aspects except this one.”

With breaches fuelled by ignorance almost as frequently as malice, Diez del Corral says a tech-agnostic strategy is always needed.

“At the time, the people piece was almost an afterthought. Somebody was looking after it, but they just followed pre-written instructions and didn't question it. Unless you create the conversation around it, you’re still going to see the problems.”

Diez del Corral and his colleague Angela Coble, global manager, enterprise security and risk management, are now working to create awareness and teach the appropriate skills, while providing the platforms for collaboration and communication that have led to a more connected and highly secure corporate environment.

Last year, the pair set to work on an initial, gruelling 90-day plan to kick-start an ongoing three-year strategy, complete with roadmaps and major and minor initiatives across four different quadrants.

“The message was: Be aware, not alarmed,” says Coble. “Like a duck, our legs can be really paddling under the surface, but our exterior is calm. So we deliver the message in a way that creates awareness, not panic, and gives our partners confidence.”

A long-term vision and mission were crucial to help guide and empower all stakeholders, while branding helped to tie ideas back to the strategy. But most importantly, it had to be dynamic and ongoing – not dependent on Coble and Diez del Corral, their team or where security sits in the organisation.

“No matter what the changes in my organisation and structure, no matter who is sitting in my chair in the future, this strategy is not going to be affected; there’s no need to change it. It’s got to survive three years; then we need to review it and start looking at the following three years,” says Diez del Corral.

Johnson & Johnson’s people and culture strategy contains several different functional focus areas, including education and awareness, collaboration and communication, roles and responsibility, maturity and metrics, and last but not least, stakeholder management. For each focus area, the pair have had to plot key initiatives with a planned quarterly outcome and an annualised event project plan.

In the end, Coble and Diez del Corral say the focus on people and culture as a security strategy means recognising that you can’t do anything without taking the people on the journey with you.

To read more about Johnson & Johnson’s people and culture journey, including details of each roadmap and top tips for each focus area, see the full case study in the security handbook, Cyber security: Empowering the CIO.


Stories by Bonnie Gardiner
