News Stay informed about the latest enterprise technology news and product updates.

CISO-CIO rapport at AstraZeneca shores up cloud use, security

The tech and IT security chiefs at the pharmaceuticals maker draw on history to help users work -- and innovate -- in the cloud.

Jeff Haskill has a big job. He's the CISO at pharmaceutical giant AstraZeneca. As such, he guards the systems and...

data for a global company that's looking to eliminate heart failure and devising new treatments for breast cancer. But he has other mission-critical responsibilities -- he runs the IT infrastructure team as well. That means data centers, networking and a vast assortment of cloud computing services.

Far from letting his tasks overwhelm, Haskill sees each side of his job benefiting the other.

"It's a rather large role, but it's great because each one of those aspects on the infrastructure side has security elements," Haskill said. "So I can really enable things a lot faster because I can integrate my security team a lot better with the infrastructure team."

Haskill's job at the company, headquartered in Cambridge, U.K., brings him in close contact with his boss, CIO Dave Smoley, who has overseen a mammoth effort to bring $600 million of outsourced IT operations back in-house -- to locations worldwide, from the U.S. to Sweden to India -- and then push a good chunk out to the cloud.

Their CISO-CIO collaboration in those migration projects is "one of the more dynamic and critical parts of what we do," Smoley said. And it has allowed AstraZeneca to save millions and consolidate systems across the globe -- all while reducing the risk of headline-grabbing data breaches.

Jeff Haskill, CISO, AstraZenecaJeff Haskill

Maintaining those benefits, Haskill said, relies on a strong current of communication between him and his teams, Smoley and the IT side, and -- perhaps most important -- the business.

"Our CIO wants to go ahead and enable the organization in the most secure way," Haskill said, but business enablement is Smoley's primary goal. "It's my job to fully understand his strategy and also the business strategy, too, to nail what their concerns are."

Sky's the limit

An important objective for IT at AstraZeneca for the past three years, Smoley said, "has been reducing the cost profile of IT while improving the performance." That has meant grand-scale investments in cloud computing. Smoley started with packaged cloud applications: Microsoft Office 365 for email and productivity software like spreadsheets; Workday for human resource management; and Box for sharing and syncing document files.

The company taps cloud infrastructure providers Amazon Web Services and Microsoft Azure, too, letting scientists help themselves to computing and storage capacity for projects.

This self-service helps minds at AstraZeneca do innovative things and do them quickly -- and having IT sanction cloud services means people will be less likely to order up their own. But it also poses challenges for cybersecurity defense, Smoley said.

"The world is shifting from the traditional, 'build the high walls and the deep moat and be careful who you let in and out,' to one of really being completely open," he said.

Old bond, new environment

That's why IT security needs to be woven into the fabric of the company, with cloud services monitored and governed through company policies, Smoley said. It's also why, in 2014, he brought over a former colleague from his previous employer, Flextronics International (now Flex). That was Haskill, who got his start at the electronics manufacturer 17 years ago working on servers and software and rose through the ranks to CISO.

Dave Smoley, CIO, AstraZenecaDave Smoley

"He's a very strong technologist and very experienced," said Smoley, who led IT at Flextronics. Haskill learned the business by doing, "having his fingernails dirty, repairing PCs, all the way up through the IT organization."

For Haskill's part, he and Smoley got along well in the past and developed a bond of trust, he said, which shows in the present.

"He knows how I'm going to react in certain situations; I know how he's going to react in certain situations. I know what he wants," Haskill said.

Their CISO-CIO collaboration began as soon as Haskill started three years ago -- "I knew even before I was hired at AstraZeneca what his strategy was going to be," he said of Smoley.

His first challenge was convincing business leaders in the highly regulated pharma industry that moving to the cloud leads to benefits like faster implementation of new technologies and initiatives and lower overhead costs. And also that big cloud vendors, such as Amazon and Microsoft, can better protect their data and applications than data centers can. Some folks are still squeamish about sending data into the cloud, though -- something that Haskill is working to dispel.

"As long as the compliance, security, the normal things around patching, pen testing, vulnerability scans --- [if] all that is in place, why should they even care where the data goes? And so that's what we're trying to migrate to," Haskill said.

'Point A to point B'

Today, Haskill and Smoley are working to clean up computer systems in AstraZeneca's production facilities and laboratories around the world. Many of the servers are not linked to the corporate network and are running old antivirus software, so Smoley and Haskill are doing security assessments to determine whether devices can safely connect to them. That will make it easier for scientists and lab technicians to do their jobs.

"What's happened with the rise of the cloud and the rise of data and large compute is, increasingly people in the business want the data from these systems and they want to be able to shift; they want to be able to move it around," Smoley said.

The project is emblematic of Smoley and Haskill's CISO-CIO collaboration and its larger aim: to work side by side with business leaders, understand their needs and what they want to do.

"I might have to say no, but I still have to get the business from point A to point B," Haskill said. "And I just can go ahead and offer a different, less-friction, more secure way than they were thinking of before."

Learn how AstraZeneca uses cloud access security broker technology to further secure its cloud architecture in this SearchCIO report.

Next Steps

Wis. CIO, CISO join forces on cybersecurity

Experts, practitioners discuss CISO reporting structure

Linthicum: Cloud is more secure than traditional systems

Dig Deeper on Risk and compliance strategies and best practices

PRO+

Content

Find more PRO+ content and other member only offers, here.

Join the conversation

2 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

How rare is it for the CIO and CISO at a company to have a close working relationship?
Cancel
This is an exciting topic. As a practitioner, we witness fair number of CIO & CISO today hardly wrap their arms around each other, yes they do collaborate but not at the level of meeting eye to eye and embrace information technology and Information Security governance as one. It can be anxieties to some organizations. Nevertheless, when CIO and CISO become more connected and share the same wavelength, substantial driving factors; such as the business values of open platform or open solution, top-line and cost optimization, exceeding stakeholders' trust and confidence beyond shareholder can be realized through stages. Every organization will need to let go the legacy in this era, equip themselves with a mindset-shift to explore and exploit technology to bring larger returns more than winning the spur in share-price but to uphold stakeholders' values that reliably continue fueling the trust and confidence.
Cancel

-ADS BY GOOGLE

SearchCompliance

SearchHealthIT

SearchCloudComputing

SearchMobileComputing

SearchDataCenter

Close