Johnson & Johnson’s IT security team is championing the people element of its cyber security framework.
The idea behind the strategy is that a more rigorous focus on people and culture acknowledges that having the latest technology and processes is not a foolproof solution to information security. The idea is explored in a new cyber security handbook released by the CIO Executive Council Australia.
“When I took over this role, the first thing I asked is ‘what’s the [people and culture] strategy that we've been following?’” says Pablo Diez del Corral, global director, enterprise security and risk management at Johnson & Johnson.
“I got great documentation and presentations saying we’re implementing an IDPS system and deploying web filtering appliances, and we’re doing this and that, so I asked – are we only dealing with machines? The security function was properly staffed in all other aspects except this one.”
With breaches fuelled by ignorance almost as frequently as malice, Diez del Corral says a tech-agnostic strategy is always needed.
“At the time, the people piece was almost an afterthought. Somebody was looking after it, but they just followed pre-written instructions and didn't question it. Unless you create the conversation around it, you’re still going to see the problems.”
Diez del Corral and his colleague Angela Coble, global manager, enterprise security and risk management, are now working to create awareness and teach the appropriate skills, while providing the platforms for collaboration and communication that have led to a more connected and highly secure corporate environment.
Last year, the pair set to work on creating an initial gruelling 90-day plan to kick-start an ongoing three-year strategy complete with roadmaps, major and minor initiatives across four different quadrants.
“The message was: Be aware, not alarmed,” says Coble. “Like a duck, our legs can be really paddling under the surface, but our exterior is calm. So we deliver the message in a way that creates awareness, not panic, and gives our partners confidence.”
A long-term vision and mission were crucial to help guide and empower all stakeholders, while branding helped to tie ideas back to the strategy. But most importantly, it had to be dynamic and ongoing – not dependent on Coble and Diez del Corral, their team or where security sits in the organisation.
“No matter what the changes in my organisation and structure, no matter who is sitting in my chair in the future, this strategy is not going to be affected; there’s no need to change it. It’s got to survive three years; then we need to review it and start looking at the following three years,” says Diez del Corral.
Johnson & Johnson’s people and culture strategy contains several different functional focus areas, including education and awareness, collaboration and communication, roles and responsibility, maturity and metrics, and last but not least, stakeholder management. For each focus, the pair have had to plot key initiatives with a planned quarterly outcome and an annualised event project plan.
In the end, Coble and Diez del Corral say the focus on people and culture as a security strategy means recognising that you can’t do anything without taking the people on the journey with you.
To read more about Johnson & Johnson’s people and culture journey, including details of each roadmap and top tips for each focus area, see the full case study in the security handbook, Cyber security: Empowering the CIO.