Johnson & Johnson joined other pharmaceuticals in a vaccine race this year no one could have predicted. And through it all, J&J's security mission — to protect and defend its data and systems — has not changed.
"COVID[-19] is a watershed moment, but I think it's less of a watershed moment for security, or even pharmaceutical companies. It's more of a watershed moment for healthcare in the world, and how we do it," said Marene Allison, VP of Information Security & Risk Management and CISO of J&J.
This year, laden with uncertainty, Allison's security organization remained a constant. Allison's security team is supporting vaccine development by using "all our skills for good," said Allison. "We provided the security services that we normally do. We did not add any additional headcount."
In security, no news is good news. And since Allison joined the company in 2010, J&J's cybersecurity has remained quiet.
"I knew that she had the courage to deal with any issue, no matter how political or unpleasant," said Stuart McGuigan, CIO of the State Department and former J&J CIO. "You're going to hear the straight scoop, unvarnished. It was just something I really valued in working with her."
Together Allison and McGuigan migrated 90% of computing and FDA-regulated workloads to hybrid cloud environments. The overhaul of J&J's network infrastructure wove in security from the outset. In 2016, Allison centralized J&J's distributed security model.
In pharma, the organizational makeup of a business, including manufacturing, labs and backoffices, all operate differently with a unified security foundation. With several moving parts within J&J — consumer products, medical devices and pharmaceutical — IT and security standardization could be a moving goalpost.
Centralizing control elements "makes sense," said Doug Saylors, director at ISG. But it's a delicate situation to preserve the freedoms of the IT groups.
Though J&J has always been collaborative, centralizing the security model took "a lot of negotiation, because people like having their own security person handy," said McGuigan. "It's one of the most disruptive things you can do, as opposed to thinking, 'What things are so standardized, that even someone who believes in decentralized organizations wouldn't need their own flavor of it?'"
Centralizing functions under Allison enables J&J to reprioritize and designate resources based on criticality. "Move people and make sure that we are supporting the business in the way that they need to be supported," she said.
Generally, pharmas are sourcing commodity infrastructure and IP functionality, but it leads to multiple providers with several applications working across business units. The units are all involved in security, "they have to patch systems, they have to do vulnerability scanning, but you need an oversight function. And that's really where the centralized piece of security plays a big role," said Saylors.
McGuigan and Allison wanted to take standardization out of the chargeback system and instead make it a corporate standard cost. In doing so, it put the overhaul and Allison directly in front of the audit committee and board.
It was also "the only time in my career" people told McGuigan and Allison to make sure they had enough of a budget. It was "an interesting question to get," he said.
Before Allison began working with McGuigan, her role was then viewed as technical and "lighter on policy," said McGuigan. But she sought a CISO role involved in more conversations with the board.
It was "very effective," so much so, "I'm actually doing that exact same thing at the State Department right now," said McGugain.
The CISO role, in general, is still developing. In pharma, "you tend to see more risk managed focused-CISOs … rather than operationally down in the weeds technically-focused," said Saylors. It's what separates CISOs from CIOs.
J&J's value of security continued into the start of current enterprise EVP and enterprise CIO Jim Swanson's tenure in 2019. Allison's leadership proved to be "an accelerator to my onboarding," he said in an email. It gave him the opportunity to focus elsewhere.
"There is always some change when a new leader arrives," Swanson said. "We focused on first establishing a relationship based on our shared outcome: to do the best for Johnson & Johnson."
Swanson sees Allison as a "continuous learner" while leading her peers to become "co-champions for security across the company." It allows her to add still unknown functions into the CISO role.