Security Insights from Guy Delp, VP of Global Information Security, Pfizer

We were honored to have Guy Delp, VP of Global Information Security at Pfizer, as the keynote for Accenture's Operation: Next summit. Heading security for one of the largest pharmaceutical companies in the world is no small task. Now add to that the pressure to safeguard vaccine research, research labs, and production plants with up to 90% of your workforce working from home, and you’ve created an unprecedented challenge. His solution: get behind a common goal.

Rather than thinking they are protecting controllers or data, your security team should connect with the bigger picture—they’re defending the products, power generation, food, and medicine that all of humanity depends on.

His message really resonated with me and my own team. As security service professionals, it can be easy to attach our mission to the services we provide—we enhance understanding of vulnerabilities for our clients, we teach them how to improve their security programs, we help them build a business case to get funding, etc. However, those are only a means to the true mission: To help our clients build resilience.

There are and will continue to be data breaches, operational disruptions, and full-scale ransomware attacks happening every day, around the globe. Unfortunately, no one is immune. So taking a play from Guy’s playbook, our mission is to better help our clients detect, defend, and recover from an incident.

I hope after you watch Delp’s keynote you, like me, will turn to your team and remind them what your company’s mission is and how their efforts are part of that bigger picture.


“As we come through this challenging year, I do have some good news. And the good news is, we're never going to go back to the way things were. And what that means for us is that collectively, we get to decide what's best for our security programs in the new reality that we're entering. How are we going to connect our people to the mission? How will we focus and measure what matters? … Will we focus on fundamentals while still investing in talent so that they can take us to the next big thing? These are some of the exciting questions that we now collectively get to face…”

– Guy Delp

Transferrable takeaways


Michelle DeLiberty
Managing Director, NA Chemicals Security Lead
on Chemical

"Focus on metrics that measure effectiveness…" – Guy Delp

Chemical manufacturing is a strong, integral part of making the world go round—supplying the critical components necessary for manufacturing across consumer goods and packaging, automotive, construction and government agencies. Safeguarding this industry from attackers is critical. Right now, the industry is focused heavily on R&D, digital transformation programs, and growth via M&A transactions. If security teams aren’t involved in these initiatives from the start, the business misses an opportunity to get security right up front and will end up introducing new cybersecurity risks to the organization. Security teams can help reduce risk by ensuring the basics are done right and by gaining support for the overall security strategy. This will accelerate the business objectives by aligning modern security and infrastructure investments needed to reduce risk. What the business wants to know and what a cyber team needs to illustrate and articulate might include:

  • What new security risks does my program introduce?
  • Where is my sensitive data and intellectual property?
  • How will my business be impacted if we have an incident?
  • Where are my highest risk sites, users, etc.?
  • If we have an issue, are we ready to respond and recover?


Salwa Rafee
Managing Director, Global Healthcare Security Lead
on Healthcare & Life Sciences

"… the path back to normalcy for 7 billion people …[is] reliant on continuous, uninterrupted and secure operation of both OT and IoT technology." – Guy Delp

Speaking about a reliable supply chain for vaccine production and delivery, Delp’s comment rings true for the future of securing Healthcare systems. Post-COVID Healthcare reform depends on robust IoMT security. It is crucial to make sure medical devices are cyber-secure. The proliferation of unmanaged and unaccounted IoMT devices, their disparate nature, lack of security by design, dependence on legacy infrastructure, unsupported operating systems, along with network and internet connectivity considerably widens the attack surface. Patient safety is always at stake in our industry.


Paul Brownlee
Managing Director, Global Industrial Security Lead
on Manufacturing

"… it's no longer enough to just rely on contractual protections, to ask a supplier sort of vanilla set of questions like, 'Do you apply patches?'" – Guy Delp

The pandemic brought to light how critical the manufacturing supply chain is to the world. Safeguards to avoid operational shutdowns caused by security threats should be just as important as safeguards for power outages and natural disasters. Vendor assurances and contractual protection clauses are not enough to secure the supply chain. Manufacturers should identify the equipment most critical to production and then architect cybersecurity controls, monitoring and management of these OT systems as they would IT assets.


Luis Luque
Managing Director, Global OT Security Lead
on Oil & Gas

"… measure the depth of visibility that you have for your security tools. Where are your blind spots?" – Guy Delp

Today’s Oil & Gas infrastructure is plagued with blind spots—disconnected, last mile assets that need to be addressed. One area consistently overlooked is building automation systems, including physical access control systems. These systems are usually “owned” by Corporate Real Estate, rather than IT or OT security, so they’re not on the radar. O&G needs to treat corporate campuses as OT field assets and put building automation systems and physical security in scope.

Another area often overlooked is the integrated collection and sharing of contextualized data feeds across IT and OT stakeholders. Monitoring tools capture data, such as equipment health, facility health, and uptime data, but it is not available to the right people in operations. This can be resolved through collaboration, training, integration, and contextualization via things like metadata labeling within your tools.


Rich Mahler
Managing Director, Global Utilities Security Lead
on Utilities

"Build that connection to the broader purpose of your company for your security team…That connection to the mission really changes the dialogue for your team." – Guy Delp

Almost every utility company is focused on safe, reliable, and environmentally friendly generation, transmission, and delivery of electricity. Connecting our utility security programs to that mission enables everyone to see how security directly contributes to reliability much in the same way that our safety culture is already a critical component.

Our goal is to make a security culture as commonplace as our safety cultures—by doing so, we provide confidence in the security of the systems responsible for utility operations as they evolve and the grid modernizes to support more renewable generation, electrification of transportation, and other technology breakthroughs. As those grid systems evolve, so must our approach to training our workforce, enhancing our processes, and updating our systems to ensure reliable, safe, and secure operations.



Copyright © 2021 Accenture. All rights reserved.

 

Jim Guinn

Managing Director – Accenture Security, Strategy & Consulting Lead
