Written by Corinium on Dec 10, 2018
My current role is an interim – I picked up after the previous CISO left (to become CISO at our National Health Service). The recently appointed CIO also wanted a change in direction to use IT to transform the big Pharma business digitally – using Cloud, Mobile, Social to do better business, be more flexible and get close to the customers (and patients and health care providers). I inherited a major improvement programme (in its 4th year) and had to do some course corrections to that as well as begin to lay the foundations for a new cyber strategy that met the Digital Transformation challenge! All this based on a career as CISO (or equivalent) of almost 30 years in banking, information services, oil & gas and retail.
The biggest challenge is the move towards the open, digitally transformed business, where you can no longer rely on control over the “containing” computer (server, client or mobile) by virtue of the business owning it. This contrasts with the way information and computers were typically used within businesses before the cloud and mobile. As a result, you need to fully embrace the move that has been in progress for some time now from Protection to Detection and Response. But in doing so you need to understand to a much finer detail the business and information flows that make up your business. And the robustness and rigour of your monitoring for both security events and of the flows of sensitive information is much higher. So, the deployment of “Advanced Security Operations” becomes a central part of the strategy. And then there is the human factor…
The current threat trends indicate that a “trickle-down” of highly sophisticated attack techniques is happening, mainly from the nation-state end of the threat actors. This is particularly fuelling a growth in the capability of organised crime to undertake attacks (e.g. ransomware) that are either aimed at making money at scale or at assisting their other “businesses”, such as drugs or human trafficking, by laundering funds and the like. In addition, as nation-states become more overtly active in the cyber-warfare field, there is an increasing risk of businesses becoming “collateral damage”, which was well illustrated by the summer 2017 attacks of WannaCry and NotPetya.
As per my previous answers, there is a very wide difference between the individual hacker who is just “interested” in trying to break into things, or the hacker with a cause but little real capability, and the growing band of organised criminals, who are hacking for a business, or to support their other businesses. Some of these criminal gangs of course subvert the individual hackers with money and personal threats to do their dirty work for them. But more prevalent these days are those with hacking talent who join the criminal gangs simply for the money – and they are indistinguishable from those criminals. So, any organisation that employs a hacker with a known track record of breaking the law or doing damage, with whatever excuse, is at risk of letting the criminal inside their doors.
This is not simple or easy. All of money, talent and determination are needed. Once you buy into the only really effective strategy of Protect, Detect, Respond, recognising that attacks and security breakdowns will occur to your business, then you know that you need to invest in monitoring, response processes and resources – and in vigilant people (both in the security team and the rest of the business) above all else.
Critical – you cannot take the people out of security. But difficult – due to human frailties. You need an ongoing campaign that is engaging, changing, forceful and never-ending.
First step is to inform internally and use your response plan to put in place a structure of responsibilities and decision-making. Next step is to assess and limit the damage.
The CISO’s role in any breach is to provide strong steerage of the whole business reaction in line with the pre-defined incident or crisis management plan, to ensure that a focus is on sensible assessment of the damage, and to take ownership of the remediation required. Good response can be the difference between loss of reputation – and loss of the CISOs job – and proving that the business was an unwitting victim of threats that could hit any one of us.
I think my biggest contribution is to provide assurance to the business that the Cloud is not inherently insecure – and can offer some security advantages – and then working hard on the right and timely security solutions for it.
This is one of the biggest, toughest parts of the CISO’s job – and there is no magic way of keeping up to date. My approach has been to devote time and effort to reaching out to (1) fellow CISOs, etc., and (2) spending time with vendors, large and small, current suppliers and beyond. In terms of the threat landscape – a risk-based approach that projects forward your security improvement needs (based on your threat intel feeds/advisors) and builds a forward plan, is the only way of getting close to the right spend – and bringing business on board with you.
You have to provide existing and potential new staff above all a work environment to learn new cyber security challenges and to take an active part in tackling them. I try to provide as free a rein to all the team to contribute to solving the problems by their own initiative to do this. I think as cyber becomes more all-pervasive in business and society the most significant skill will be business communication – making the complex simply understood by business and the guy on the street.
I do a little bit of pro bono work as a security adviser to some UK based charities. I also provide support to UK government cyber education initiatives where I can by lending my name and support. I think in the cyber world resource sharing, across industry and industry-government-society, is crucial to provide both a coherent response to the threats and to address the severe skills shortage we all face.
Galileo, Einstein and Stephen Hawking – I would want to see if each believed the other’s current view of the cosmos – and how quickly each genius would understand the other.