Pfizer Security Chief: 'It's All About Protecting The Business'
Steve Nyman is director of information security at Pfizer Inc., the research-based pharmaceutical giant. In this Q&A, Nyman discusses what worries him, upcoming technology he's looking forward to and how government could be working better with industry.
Pfizer, headquartered in New York, is a giant in the global pharmaceutical industry. With about 90,000 employees, Pfizer has a presence in 150 countries and boasts more than 100 manufacturing sites. The company's portfolio also includes eight $1 billion prescription medicines, including arthritis medicine Celebrex, the antidepressant Zoloft, Zithromax, an oral antibiotic, and probably Pfizer's most talked-about drug, Viagra, for erectile dysfunction.
With that kind of financial, market-share and research power under its belt, Pfizer's most valued commodity is easily its information. And safeguarding it is Nyman's job.
Q: What do you worry about when you're driving home from work?
Insider threats from people who have access to information they don't need to do their jobs. There are people who are entrusted with information who could expose it to the outside. That's just a reality. But the worry is the people who have access to information they don't need. I don't think the percentage [of that happening] is too high but we are addressing it... In an organization's zeal to make information available rapidly, it's easier to deploy to large groups rather than taking the time to figure out what they should have and shouldn't have. With a little planning, you can restrict that access.
Q: Do you think information security administrators have the top-level access they need to make critical decisions and implement policy?
It's everything. We recently developed information protection guidelines with the chairman's endorsement. ...My boss' boss sits on Pfizer's Leadership Team. We are represented at the highest levels of the company and without that support, it would be a very uphill battle.
Q: What security issues are looming ahead that worry you the most?
Wireless is a major issue. It's exploding. You can go to Radio Shack and pick up an access point and wireless network cards. There are so many vulnerabilities. It's a tremendous boon to availability, mobility and to lowering costs for network mobility. But security issues have to be addressed or the vulnerabilities are huge. ...In our haste to deploy a technology rapidly, some basic security that is readily available is not deployed because nobody thinks about it or they assume it's too difficult.
Q: What are the new security technologies you see coming down the pike that you're the most excited about?
Any new technology that makes system access easier. A smart card with a proximity device. As you walk close to a computer, the smart card emits a signal and it verifies you. You can also require a pin number in case someone is trying to use someone else's card. It also could be used in other areas of the company -- to make charges at the cafeteria and for physical access to the building.
Q: How long before you get rid of passwords?
Not for a long time. Biometrics are expensive and I'm not sure how foolproof they are. It's a challenge to companies our size. Technologies that work great for companies with 500 employees just don't always scale for companies our size.
Q: Since Sept. 11, how has the threat of cyber-terrorism affected your security plans?
I think our efforts in improving security are not related to any type of threat from without or from within. We didn't step up our efforts or curtail our efforts because of it. We've been working hard on this for the past five years or so. Slow and steady wins the race.
Q: If you could give one piece of advice to other security administrators, what would it be?
When they're deploying information systems, take the time and work with the business people to assess the risk of the information being stored and transferred. Don't overprotect it or underprotect it. Be careful not to overprotect and impede business, or the security will just be thrown out. It has to be a partnership with IT and business. It's all about protecting the business so it can make a good product or service, and a profit.
Q: What should industry and government be working on together?
Government needs to provide right incentives to major ISPs so they build in appropriate security for the infrastructure. You need the right business climate to build in the right infrastructure. What's the incentive for the home user to put in a firewall or virus protection software? ISPs should do that, but how do they do that without affecting profitability? They may need some help doing that. ISPs don't want to absorb that cost. I'm not sure what the answer is. There needs to be a partnership. If you protect those home PCs, it will go a long way to dealing with viruses. It's a big piece of the puzzle not being addressed right now.
June 20, 2002
Some studies show nearly half of surveyed IT executives have no formal security policy in place. Why are many in the industry running in place when it comes to security?