Jeff Haskill has a big job. He's the CISO at pharmaceutical giant AstraZeneca. As such, he guards the systems and...
data for a global company that's looking to eliminate heart failure and devising new treatments for breast cancer. But he has other mission-critical responsibilities -- he runs the IT infrastructure team as well. That means data centers, networking and a vast assortment of cloud computing services.
Far from letting his tasks overwhelm, Haskill sees each side of his job benefiting the other.
"It's a rather large role, but it's great because each one of those aspects on the infrastructure side has security elements," Haskill said. "So I can really enable things a lot faster because I can integrate my security team a lot better with the infrastructure team."
Haskill's job at the company, headquartered in Cambridge, U.K., brings him in close contact with his boss, CIO Dave Smoley, who has overseen a mammoth effort to bring $600 million of outsourced IT operations back in-house -- to locations worldwide, from the U.S. to Sweden to India -- and then push a good chunk out to the cloud.
Their CISO-CIO collaboration in those migration projects is "one of the more dynamic and critical parts of what we do," Smoley said. And it has allowed AstraZeneca to save millions and consolidate systems across the globe -- all while reducing the risk of headline-grabbing data breaches.
Maintaining those benefits, Haskill said, relies on a strong current of communication between him and his teams, Smoley and the IT side, and -- perhaps most important -- the business.
"Our CIO wants to go ahead and enable the organization in the most secure way," Haskill said, but business enablement is Smoley's primary goal. "It's my job to fully understand his strategy and also the business strategy, too, to nail what their concerns are."
Sky's the limit
An important objective for IT at AstraZeneca for the past three years, Smoley said, "has been reducing the cost profile of IT while improving the performance." That has meant grand-scale investments in cloud computing. Smoley started with packaged cloud applications: Microsoft Office 365 for email and productivity software like spreadsheets; Workday for human resource management; and Box for sharing and syncing document files.
The company taps cloud infrastructure providers Amazon Web Services and Microsoft Azure, too, letting scientists help themselves to computing and storage capacity for projects.
This self-service helps minds at AstraZeneca do innovative things and do them quickly -- and having IT sanction cloud services means people will be less likely to order up their own. But it also poses challenges for cybersecurity defense, Smoley said.
"The world is shifting from the traditional, 'build the high walls and the deep moat and be careful who you let in and out,' to one of really being completely open," he said.
Old bond, new environment
That's why IT security needs to be woven into the fabric of the company, with cloud services monitored and governed through company policies, Smoley said. It's also why, in 2014, he brought over a former colleague from his previous employer, Flextronics International (now Flex). That was Haskill, who got his start at the electronics manufacturer 17 years ago working on servers and software and rose through the ranks to CISO.
"He's a very strong technologist and very experienced," said Smoley, who led IT at Flextronics. Haskill learned the business by doing, "having his fingernails dirty, repairing PCs, all the way up through the IT organization."
For Haskill's part, he and Smoley got along well in the past and developed a bond of trust, he said, which shows in the present.
"He knows how I'm going to react in certain situations; I know how he's going to react in certain situations. I know what he wants," Haskill said.
Their CISO-CIO collaboration began as soon as Haskill started three years ago -- "I knew even before I was hired at AstraZeneca what his strategy was going to be," he said of Smoley.
His first challenge was convincing business leaders in the highly regulated pharma industry that moving to the cloud leads to benefits like faster implementation of new technologies and initiatives and lower overhead costs. And also that big cloud vendors, such as Amazon and Microsoft, can better protect their data and applications than data centers can. Some folks are still squeamish about sending data into the cloud, though -- something that Haskill is working to dispel.
"As long as the compliance, security, the normal things around patching, pen testing, vulnerability scans --- [if] all that is in place, why should they even care where the data goes? And so that's what we're trying to migrate to," Haskill said.
'Point A to point B'
Today, Haskill and Smoley are working to clean up computer systems in AstraZeneca's production facilities and laboratories around the world. Many of the servers are not linked to the corporate network and are running old antivirus software, so Smoley and Haskill are doing security assessments to determine whether devices can safely connect to them. That will make it easier for scientists and lab technicians to do their jobs.
"What's happened with the rise of the cloud and the rise of data and large compute is, increasingly people in the business want the data from these systems and they want to be able to shift; they want to be able to move it around," Smoley said.
The project is emblematic of Smoley and Haskill's CISO-CIO collaboration and its larger aim: to work side by side with business leaders, understand their needs and what they want to do.
"I might have to say no, but I still have to get the business from point A to point B," Haskill said. "And I just can go ahead and offer a different, less-friction, more secure way than they were thinking of before."
Learn how AstraZeneca uses cloud access security broker technology to further secure its cloud architecture in this SearchCIO report.
Wis. CISO-CIO partnership tackles cybersecurity
Experts, practitioners discuss CISO reporting structure
Linthicum: Cloud is more secure than traditional systems