Q & A with GSK Consumer Healthcare CISO, Michael Elmore, Taking on Zero Trust, Episode 1
by Charlie Treadwell on Mar 22, 2021 1:52:20 PM
Elisity came out of stealth in 2020 with the vision of combining Zero Trust Network Access and an AI-enabled Software-Defined Perimeter to deliver on the practice of building intelligent networks. We are humbled when one of our customers takes the time to speak with Elisity's CEO, James Winebrenner, about operational security and networking challenges faced not just by their organization but by the industry they represent. Today, James had the privilege to interview Michael Elmore, CISO of GSK Consumer Healthcare, for the first episode of our Taking on Zero Trust series: the journey towards a more secure, resilient, and dynamic edge.
Michael oversees the cybersecurity strategy enabling the digitalization of GSK Consumer Healthcare's critical manufacturing infrastructure, as well as its network and cloud security strategy. From 2016-2018, he held the position of Chief Customer Experience Officer and embedded Security Solutions within the Enterprise Networking Product Management organization at Cisco, where he led the acquisition of Viptela. Before joining Cisco, Michael held various executive leadership roles at Cigna Healthcare from 2011-2016, including Chief Information Security Officer (CISO) and VP of Global Enterprise Network and Contact Center Engineering.
James: Mike, it's great to sit down with you.
Michael: It's great to be here as well, James.
James: You can bring a perspective on the network infrastructure side but also as someone who made the leap to security. What was the biggest challenge in that transition?
Michael: I remember thinking that I knew what security was because I ran network security as well, which was very perimeter-based. But then, as you move into a CISO role, the real value of what we're trying to protect is typically closer to that data.
James: It really does come down to data versus just the underlying connectivity?
Michael: I had a CISO role as well in 2014, and so really, what we were protecting was Personal Health Information (PHI) and Personally Identifiable Information (PII). When I compare and contrast that with a pharma-type role, it's not just the data. It's not just the information. It's protecting the availability of the operations. Look at the downstream global impacts of not being able to produce medicines. That was bad for Merck's shareholders after the company suffered a cyberattack, and bad due to the global need for those medicines.
James: Are there things that you recognize that you could do differently from an infrastructure standpoint to help support those goals?
Michael: Probably none because I haven't been given the tools as a network operator to drive more security efficacy into the infrastructure. And we need to figure out how to drive the industry in a way, just like what we did with the software-defined WAN. The OEMs didn't really drive that. In fact, it scared them to think that now this is going to impede their hardware business.
James: What do you see as kind of the biggest opportunity for you and maybe the biggest challenge as well?
Michael: If you think back, the network has always been about how I get the packet from A to Z the most efficient way: performance-based. As a network engineer, I never really thought about security from the perspective of the network's fabric. I always thought about it as perimeter and perimeter controls. And then, when you look at the endpoint, taking traditional IT types of security approaches, we'd been so reliant on being able to touch and put agents on the endpoint, and now you have environments where you're not able to apply traditional IT security to the endpoints.
James: What you're saying goes beyond laptops and phones, right? We're talking about other endpoints, other assets that the organization has. Maybe you can share a bit of kind of what that footprint looks like.
Michael: Yeah. Much of this equipment was never intended to plug into the corporate network. If GSK plugs all of its Operational Technology (OT) environment into the corporate network, it's going to dwarf IT by tenfold. You have to rely on the network and use the network as a sensor to be able to:
- Number one, identify a threat.
- Identify lateral movement in the environment.
- But then, in a distributed way, implement enforcement in the network fabric.
We all know that the biggest issue is getting that telemetry data without impacting the performance of the network. I think the opportunity is really about taking the network and turning it into some type of sensor, both from a control-plane and data-plane perspective that will allow us to react very quickly without impeding the network's performance.
James: These two organizations, the network infrastructure team and the security team, may have reached this problem with opposing goals almost.
Michael: From a dynamic perspective, if you think back to Network Access Control (NAC), it was on or off, right? You either let the device in, or you didn't let the device in. In the world we're moving into, to be able to not disrupt the business, we need to be able to let the device in and manage that trust. This whole notion of Zero Trust: it's very aspirational. But the reality is we've been in this world for 30 years of implicit trust, and being able to get to explicit no trust is very, very nirvana.
So the reality is we have a ton of vendors out here preaching to us, "Buy this Zero Trust product." But the reality is Zero Trust is an architecture, and it's an aspiration. And the reality is, I think the first vendor that figures this out and can have an honest conversation with the customers to the point where it's, "Hey, look, we're first going to learn your environment because you don't know your environment. We're going to let the assets in because they're in today. And we're going to start pruning back, and we're going to start managing the trust closer to Zero Trust. But at the end of the day, I have a view that it will never, ever be Zero Trust."
So, we should profile the entire network based on who needs to talk to what and prune back devices that shouldn't talk to crown jewels. Why is this user talking to the crown jewels? We should be able to prune just that back but let the rest of the business operations and things that administrate the business flow through.
James: I think that this idea that the network needs to play a role there is really important.
Michael: Yeah. All of those attributes and all of those edges, the only commonality that they have is that the network is connecting them to that. The question is, how do you get that sensor capability at that boundary, right? You can define that by cloud boundary. You can define that by your traditional perimeter that's actually going away, or you can identify that as an IoT or OT device at the edge as well. So it's super important that we have this software-based capability, or overlay, that allows these devices to connect. And then, we learn what those requirements are for those devices and those applications. Until then, you can't even think about what the policy should be.
James: What are some of the other things that you think, from kind of a trade-off perspective, that the networking and security teams have had to deal with? How do we address those and avoid some of those pitfalls?
Michael: We need the network team and the security team to have the ability to have one policy. So operational availability and security policy need to come together as one policy. We need to do this much more surgically so that the network teams feel comfortable, and oh, by the way, we need to change their remits and hold them accountable for providing secure networking. But we also need to provide them the technologies to do that, which don't exist today.
We're starting to see this market around visibility. We've seen it for the last two to three years. But the reality and practicality are that the customers are buying these tools. But then they don't realize that, oh, to get that visibility, I'm using 1990s technology to do RSPAN or SPAN that creates this operational resiliency risk to be able to get that visibility. And even then, I still don't have full 100% visibility. So, where is that visibility? The visibility is in the data plane. How do I tap into that data plane without having to do physical taps or buy a boatload of Gigamon, right? So there's got to be a way to innovate in the network fabric, again, greenfield, brownfield, and be able to give me that intelligence innately in that data plane.
James: I think about that kind of false dichotomy, that we have to compromise the security posture for the benefit of availability… How does the organizational side of this change so that we're really able to, as you said, bring the network policy and the security policy together?
Michael: We need to have a network that also thinks and breathes security. And I do believe that part of this has been back to the whole segregation of duties. Part of it is the whole CAI: confidentiality, availability, and integrity, right? But we tend to forget that, even as security practitioners, the availability piece is just as important as confidentiality and integrity. I believe that these cultures will come together, but the missing link right now is the technology that will allow them to have that unified policy.
James: How do you think through that evolution of those brownfield environments from a policy perspective, from a connectivity perspective, and then the role that hardware refresh or dealing with hardware obsolescence does play in that journey?
Michael: Imagine a day where the business R&D in this use case has a bunch of IoT sensors, and we can build a unique profile and policy around those sensors. And then, no matter where they plug that into the environment, we know that we're secure because the policy follows that profile. That's what we need. That's an intelligent, dynamic edge that SDA does not provide. It doesn't. It provides VLANs and automation of the creation of VLANs. As a network operator and as a business owner, they still have to come together and figure out what it is they're trying to plug in, open a service request, figure out which VLAN is the standard VLAN. Yes, they'll automate the build of it, but from the user and the business value, there's still a long... It's an elongated time to connect. So we need to make this dynamic and real for them.
James: So, Mike, we've seen a huge shift, obviously, to work from home. But I'm very interested in your perspective on how much of that is delivering versus hype?
Michael: The industry is driving this, and they're not solving the enterprise problem. It's breaking all of the rules, both from a networking perspective and from a security perspective. And what we're talking about here is the Secure Access Service Edge (SASE) market. I'm not buying it. Again, there has to be something that evolves so that the fabric of the network, in a truly distributed way, becomes more intelligent and provides the enforcement capability within the network control.
James: How do network people need to be thinking about things like identity, things like context and behavior, because there's, again, a lot of hype. What's the reality? What are the top three?
Michael: For sure, visibility. And then, we need to have the ability to have dynamic and distributed enforcement control of the traffic. By that I mean not just at the edge, but in the middle as well, and being able to do decryption-type services.
James: So Mike, you've been around the industry, and you mentioned just a minute ago the kind of proliferation of new security solutions that are trying to bring visibility. What's kind of your perspective on the efficacy of those efforts?
Michael: I think we've been putting too much focus on how do I get data off so I can inspect it, versus how do I get my inspection into the network. You heard me on some of these calls with all these vendors. I get them right down to that one last question, which is, "How do you get the telemetry data?" And they say, "That's your issue."
James: Why is it such a hard thing, do you think, for the network vendors to do? I mean, you guys are working with all of the big names in networking.
Michael: At the end of the day, they're not software-based companies for the most part, nor are they traditionally security companies. You have network companies, the Ciscos, the HPs. They think network. They say they know security. They've done a ton of acquisitions to get that security footprint, but they never integrated that into the network. And all of this development is really to protect the hardware business. Think back on the network and how we've evolved into quality of service (QoS), right? Why can't we become more security-aware networking or even data-aware networking? Because the closer we can get up that stack, the more intelligence we're going to have in that data plane to be able to program the control plane to enforce those security policies effectively.
James: So, I want to pivot just slightly and kind of talk about this idea of Zero Trust. How do you communicate the value of this from a business perspective? How does it change the business for GSK?
Michael: The whole Zero Trust is not a product. It's an architecture, and it's a vision, and it's aspirational, right? We have tons of vendors that show up, knock on our door, and say, "Buy our Zero Trust product." That's great if, again, you as the enterprise know what needs to flow through that Zero Trust. So we have to come up with a capability that is instantiated at the dynamic edge. Define that however you want. Now you have the visibility to be able to enforce up and down the stack. And the actual network operators have the ability because we give them the technology, and we give them the toolsets, to be able to instantiate that.
James: The point you make on managing that policy is really, at the end of the day, what this comes down to. And I look at security policy: there's all this work that gets done before a new control goes in. All the due diligence, all the planning, all the preparation. And then, I implement the policy, and the control goes in. And I come back a hundred days later, and the policy's unrecognizable, right? And so, from a policy-management perspective, I think we do need to be able to provide better tools to the administrators to make smarter decisions about how to manage those policies over time. As we think about being able to build infrastructure and bridge this brownfield-to-greenfield gap and do so in a way that this policy is inherent in the infrastructure, what does that unlock from a business-value perspective?
Michael: I think it unlocks clarity for an enterprise to be able to say, "If this, then that," which we can't prescribe to our business today. I'll give you an example. We're doing a geo-segmentation strategy that says we have five BUs; we've got 120 sites. One site gets compromised. We have a very quick way of hitting the red button and quarantining that site. That's what we shared with the business. The business immediately goes, "Well, if I'm that BU that's impacted, holy buckets, that could be my top revenue-generating site! That's still not a good day." But it's not a situation where the entire operations and the entire enterprise are down. If we can get to that point where we can instantiate policies and clearly articulate, if this application becomes compromised or WannaCry hits us, that we can quarantine that specific type of traffic away from the rest of the environment, then business operations continue.
James: So Mike, Zero Trust is probably the biggest buzzword right now from a security perspective, but again, it seems to mean a lot of different things to a lot of different people.
Michael: The realities of Zero Trust in a Fortune 2000 company are super aspirational and have a low likelihood of being able to instantiate Zero Trust on day one. So they could absolutely provide you Zero Trust, but would your business operations be able to support that? Probably not. So we need to take this implicit trust model that we have today, that we've been running for 20 to 30 years, and we need to slowly wind that towards Zero Trust.
James: What are the challenges that you see with those kind of different perspectives? And what can we do better?
Michael: I just had this conversation this morning with a bunch of kids playing hockey, and I asked them if they knew what a hippopotamus was. And of course, they knew, but what they didn't understand is that a hippo has a big mouth and little ears. And that's how I feel with our vendors right now. It's that they're not really listening to what we're trying to solve. And we feel like we're a little bit held hostage, that we only have what's on the shelf to buy, versus how are we going to integrate this, and how do we bring solutions that are integrated that meet the needs of network and security? And it's just not happening.
James: Networking infrastructure vendors have talked about integrating security capability into the platform, but they typically work with and partner and sell to the networking team. And a lot of the security vendors are talking about visibility and all of the things that they can produce. Still, they need access to the network fabric to do it, and they're marketing and selling to and partnering with the security teams. Is there an ability to bring the stakeholders together towards that shared goal?
Michael: I believe that there has to be this coming together as one solution, which I think we own, but there hasn't been any impetus to force that conversation.
James: Zero Trust is not a check box. It's a journey. And if I try and go from implicit to Zero Trust overnight, I'm going to fail.
Michael: That's exactly right.
James: And we've got to be able to make it easier to take steps towards that goal. And where we end up may actually be different for every enterprise, but the security posture will improve with each step of the journey. It seems like there are still two very distinct camps with their own vendor ecosystems, and everybody is kind of having a conversation off in their own corner.
Michael: It's not that the network team and the security teams don't speak together or even on the same meetings together. The challenge is we get spoken to versus being listened to in those meetings with our vendors. And it's just classic and par for the course that you have a solution provider coming and speaking to a joint network and security team, but you know exactly when that person from the vendor is talking to the security team versus the networking team. And it always feels like there's a winner and a loser in that conversation, which further divides the network and security teams.
So the vendor comes in, says, "Hey, here's the security value we can bring. Oh, but here are the implications on the network team." Or they're going to speak to the network team and, "Oh, by the way, here's a trade-off on the security." That's got to end because it's actually the vendor community that's pulling us further and further apart. So I put the onus back on the vendor community to start bringing this together, so there are no more trade-offs.
James: All right. Well, thank you very much. I appreciate spending the time talking today. It's always a pleasure.
Michael: It's always a pleasure to be with you, James.
James: Thanks, Mike.
Discover how Elisity is driving the convergence between information security and network security with Cognitive Trust, helping customers like GSK start the Zero Trust journey without disrupting business operations. Request a personalized demo.