When your digital enterprise is everywhere, cyberattackers don’t need to scale walls or cross boundaries to breach your network. It takes just one identity – human or machine – from a sea of hundreds of thousands to get inside. It’s no wonder we have Trust Issues. Join us for candid conversations with cybersecurity leaders on the frontlines of identity security. We break down emerging threats, hard-won lessons, leadership insights and innovative approaches that are shaping the future of security.
[00:00:00.210] - David Puner
You're listening to the Trust Issues podcast. I'm David Puner, a Senior Editorial Manager at CyberArk, the global leader in identity security.
[00:00:24.110] - David Puner
The COVID-19 pandemic accelerated transformation across global healthcare systems, one silver lining for an industry that's expected to feel its impact for years. This widespread digitization is reshaping every aspect of care to improve outcomes for patients. Those patients? You, me, everyone. But as healthcare becomes increasingly data-driven, our personal health information seems to become less and less, well, personal.
[00:00:54.140] - David Puner
From a simple mail-in cheek swab to trace family history to a fingerprint scan to match hospital patients with their EHR records, have we become too flip about giving our digital DNA away? When we share our health-related data, we trust the recipient will use it for good to make healthcare more accessible for us as individuals and to drive medical advancements that will result in longer, healthier lives for all. And for organizations receiving that data, how they handle the great responsibility of trust could well be the difference in the long run between thriving, surviving, or do not resuscitate. In short, trust is a pillar of modern healthcare. Without it, progress isn't possible.
[00:01:41.860] - David Puner
On today's episode of Trust Issues, I talk with Mike Towers, who's the Chief Digital Trust Officer with Takeda Pharmaceuticals. It's a relatively new role there, and he had a lot of input into the role's creation and its multi-tiered focus, and it's really interesting to hear him talk about it and break it down. If you like hearing about innovation and about the importance of data, I think you're really going to like this episode. Without further ado, here's my conversation with Mike Towers.
[00:02:17.440] - David Puner
You recently took on a newly-expanded role at Takeda Pharmaceuticals as their first ever Chief Digital Trust Officer. What does that mean, and how's the role different from your previous CISO role?
[00:02:31.690] - Mike Towers
Basically, the Digital Trust Officer role is a representation of a significant shift that we're taking in the company to have much more of our business, all parts of our business, the entire value chain, deeply dependent and rewired around data, digital, and technology. It's a signal of that transition. It does take on a traditional, I would say, CISO's responsibilities, which I previously had: areas like security operations, identity and access management, governance risk and compliance, et cetera, and builds upon that foundation.
[00:03:16.390] - Mike Towers
And at least in our instantiation, we're going to focus on three areas of growth, if you will, that we think this digital trust responsibility extends our reach and extends our needed focus. Number one is in the data space. We're gathering much more data. We are making the business and enabling the business to be much more data-driven in their decision-making and in their operations, and how we capture, how we share it, how we extract it, how we move it, how we protect it, how we govern it from data perspective is part one at significantly higher volumes than we used to be.
[00:03:56.970] - Mike Towers
Second part is digital engagement, which is we are completely and totally widening and broadening the digital reach of our company from an ecosystem perspective to include patients, physicians, payers, government entities, and our business donors. We have a plasma business that there are donors involved. All of those entities are becoming much more directly engaged digitally. How they're connected and how they're engaged is the second part.
[00:04:29.840] - Mike Towers
Then the third part is what I broadly call ethical analytics. When you gather all this data and you want to apply algorithms, you want to apply analytics to that data, how you do so is becoming more and more important when you start thinking about, for example, expectations or at least concerns of over surveillance or whether or not there's unintended bias in your analytics, or whether or not the analytics that you are applying fit with the original intent and purpose with which the data was captured.
[00:04:59.330] - Mike Towers
That's part of it as well. Basically, in summary of my previous CISO responsibilities, plus those three new practice areas: trusted data, digital engagement, and ethical analytics.
[00:05:12.350] - David Puner
We have an affinity for the word trust and definitely feel a kinship with you having that in your title. I'm wondering about the importance of trust as it relates to your industry.
[00:05:24.440] - Mike Towers
The healthcare industry overall has not been the most reputable when it comes with things like leveraging data in digital and being more efficient. The biopharmaceutical industry specifically, which is a subset of healthcare, has struggled with reputational issues, perceived or, in some respects, frankly, real, commitment of revenue over treatment, and some of the other inappropriate sales practices that have happened with the industry in the past.
[00:05:52.810] - Mike Towers
I think, frankly, the third part is that we're all patients, so everybody lives and breathes in the healthcare industry. Some unfortunately more regularly and deeply than others, but everyone has experience living and breathing in the healthcare industry. All of those things together increase the level of trust that's needed to effectively deliver treatment and also, frankly, engender enough reputation and trust to be comfortable that the treatment you're getting will be highly efficacious, will be effective, that your data is taken care of the more you're doing it digitally.
[00:06:36.580] - Mike Towers
Generally speaking, the trust of the industry has historically been based on the efficacy of our products. Moving forward, we see much more of that trust equation being based on these data and digital experiences.
[00:06:46.330] - David Puner
It sounds like your role, it's not about the role first and then the trust and the transparency will flow through the organization. It sounds like your role is a manifestation of what's been going on within the organization transformation.
[00:07:02.740] - Mike Towers
In some respects, it's reflective of what the industry is going through overall. Historically, healthcare has been very, very inefficient. It's very in-person centric, it's very paper-based. We often use the excuses of regulatory to not move very quickly, we're quite slow. There's not been a lot of disruption comparatively with other industries.
[00:07:25.240] - Mike Towers
The movement in that space was starting and had some momentum, but the pandemic definitely accelerated it. The pandemic brought upon society a lot of focus on healthcare and a lot of focus on, frankly, being digital because of everybody having to be remote. It was an interesting conglomeration of those two types of waves. That came about in things like telehealth, where you can get care through FaceTime or other video means or even more virtual clinical trials when you're participating in clinical studies.
[00:08:00.340] - Mike Towers
Frankly, anybody that works or has worked in a technology type of role in healthcare, we've not done a good enough job in this space. We've not disrupted enough. We've not made this more efficient, and we need to leverage this springboard and do more.
[00:08:18.400] - David Puner
I think one of the things that we should probably do now is take a step back from all this for a moment and take a look at how you got into this role, what your career path has looked like. If somebody is out there aspiring to be a chief trust officer, how could somebody else learn how to get into your seat from there?
[00:08:35.950] - Mike Towers
A lot of us who want to be leaders have to ask ourselves and take the right path accordingly. If you're going to be a deeply technical security person, you're probably not going to advance from a leadership perspective because so much of security leadership is about risk and less around security technology.
[00:08:55.910] - Mike Towers
I think the transition, or at least the elevation to a trust perspective, taking on the next level of this question is broadly speaking, there's two areas that path and journey needs to focus on to get from security to trust. Number one is understanding that the world is much bigger than your company.
[00:09:18.830] - Mike Towers
Thinking more at the ecosystem scale. Thinking more than just your employees or just your contracted consultants. Understanding who deals with you in the broad ecosystem, whether it's third parties, or in our instance, it would be patients, physicians, et cetera. Understanding that wider ecosystem is point one.
[00:09:38.840] - Mike Towers
Point two is understanding your business value chain. Why do you exist as a company? What is the business value chain? Understanding in our industry, what does it mean to get from early stage drug research into drug development, and then getting that into a manufacturing type of approach and supply chain. Then getting that into negotiations about how various insurance companies or governments are going to pay for it.
[00:10:03.350] - Mike Towers
Then understanding the challenges of getting the treatment to patients and post-treatment care responsibilities. Understanding that value chain from a business perspective and understanding what it means to keep those value or that value chain from a resiliency perspective is really, really important piece as well.
[00:10:22.010] - Mike Towers
Frankly, I work with a lot of folks who aren't ready to make that transition. Again, I'm speaking in my industry's perspective, one of the things that you really have to ask yourself if you're an aspiring security leader, do you want to be the type of security leader that you can be plucked out of your role and put into another completely different industry or do you want to know your business deeply enough that you're going to be, in my case, a biopharmaceutical executive first that happens to know security versus just a pure security executive that really, really deeply knows technology? It's two very, very different paths.
[00:10:53.830] - David Puner
Right. It seems like some of the cues that you're taking in this role potentially have come from other industries. Is that right?
[00:11:02.610] - Mike Towers
Yeah, absolutely. So I think interestingly enough, the one that I would point to the most directly is the tech industry. Because if you look at, frankly, who currently has trust officers or senior trust executives, the vast majority of them are tech companies. Salesforce, Uber, Workday are some examples. HP, Cisco are two more, SAP. Even though they do different things, they are very, very heavily tech-driven companies. The reason why trust officers are important to those companies is that in many respects, the lifeblood of the success of that company is based on how well it does data, digital, and technology. Period.
[00:11:50.040] - Mike Towers
There are other industries like oil and gas, like utilities where maybe how you do data, digital, and tech isn't that critical and may not impact your business. I mean, I personally believe that data, digital, and tech impacts all businesses, but maybe not to the same level. But if you look at a tech company, data issues, digital issues, security issues, privacy issues, ethical issues, all of those things deeply linked to data, digital, and technology will have direct implications to the reputation and trust level of your company.
[00:12:23.040] - Mike Towers
Therefore we're taking a lot of cue from them, because in many respects, Takeda is striving to be that for the biopharmaceutical industry. We want to be the tech disrupter for biopharmaceuticals, and if we want to do that, we have to take this trust role seriously and therefore it's part of the reason why we created the role.
[00:12:37.440] - David Puner
So tell me if I've got these numbers right. Takeda has 70,000 employees, 20 million patients, 2 million doctors in the network in 100 plus countries.
[00:12:49.950] - Mike Towers
That's roughly correct, to be in the 70,000, as I would call them workers. We have about 55,000 employees and 15,000 contractors that aren't officially employees, but they work on our network. But broadly speaking, it's a workforce of 70,000, and those patient and physician numbers are important.
[00:13:05.350] - Mike Towers
There's another data point that I think is important as well. Takeda does have a plasma business where it's a modality where we take plasma from people who donate their blood and we turn that into life-saving medicine. That's another five to eight million or so people that we engage with, frankly, closer to a more consumer approach because of the transaction with them is loyalty-based, it's marketing-driven, making sure that they're comfortable and to be repeat customers, et cetera. So that's another data point as well.
[00:13:38.310] - David Puner
I'm bringing up those large numbers to get to a question about wanting to be the tech disrupter in such a large ship, as it were, to use the term ship metaphorically. Is that more difficult to be a tech disruptor with such a large established company than it is for, I don't think there's probably an apples to apples comparison, but some much smaller company in a different vertical?
[00:14:06.870] - Mike Towers
If you look broadly speaking, at some of the tech disruptors in healthcare, if I take healthcare broadly, and I define healthcare the same way, frankly, the country's critical infrastructure defines it. Healthcare, broadly speaking, is four subsectors. It's biopharmaceuticals, it's medical devices, it's insurance/payment, and it's providers: hospitals, doctor's offices, et cetera. That's broadly speaking, the four parts of healthcare. The most disruptive companies have been the really, really tiny... Or the tech companies that are dabbling and getting into healthcare, mainly because they don't have, I would call it the massive momentum of legacy that a lot of the big pharmaceuticals and medical device companies that have built up over the years.
[00:15:00.490] - Mike Towers
We have applications in our plants and in our manufacturing processes that are old enough to vote. They're 18 plus years old. When you're a disruptor for a small tech company or you have... Take a look what Apple's done or what Fitbit's done or what Amazon has done with the Halo technology. There's all sorts of disruption that those companies have been able to make because, A, they're not saddled with that legacy, and B, frankly, they're attacking parts of the sector that are just tightly regulated. They're challenging the system, if you will.
[00:15:31.870] - Mike Towers
Now, I think the reason why Takeda can be a disruptor and where we come in is that there are other parts of healthcare overall that are not addressed by some of those newer tech startups but we still have a responsibility to do better and do more efficiently. I also think that if we think about this from a business perspective, the biopharmaceutical business model has historically been incentivized by volume of prescription. It has not been incentivized by how much healthier you and I get or how much better the disease state gets or symptoms improve.
[00:16:11.380] - Mike Towers
One of the things that we're trying really, really hard, and Takeda is leading the way here, is we're trying to transition the industry to be much more outcomes-driven. Your disease gets better, your symptoms improved, you become healthier, the incentives go up. That should be the right incentivization.
[00:16:27.250] - Mike Towers
To do that requires a significant amount of data collection, data measurement, patient monitoring, and completely explodes the volume breadth of data collection and then data processing, which is frankly, again, circles back to one of the big reasons why we want to be more disruptive. Because we know that to do this properly, we have to get into that game and we have to get to that business. That's one of the reasons why Takeda wants to be a disruptor, because we really, really do want to drive. It's public knowledge. We are one of the leading voices in our sector to become more outcomes-based.
[00:17:01.300] - David Puner
So you mentioned risk earlier and within what you were just talking about, it sounds like there is a lot of margin for risk potentially. Is that correct? And if so, how do you mitigate that risk?
[00:17:13.090] - Mike Towers
I look at it in many respects around what I call four competing tension levers that all contribute to our ability to do this effectively and at scale. Number one is, there is all this new stuff that we're talking about, this new innovation, these new opportunities, whether it's new companion devices that run on a mobile phone or new medical devices or some of these clever and really, really innovative new capabilities.
[00:17:45.430] - Mike Towers
That's brand new stuff that requires a different level of security than, say, the old stuff that you have. I mentioned before, the manufacturing plants, your big ERP systems, your R&D systems that are older. So there's a natural tension point between securing the deal and protecting the old. That's two of the four tension points.
[00:18:04.370] - Mike Towers
The other tension point which any security or trust leader is going to deal with, is that the "bad guys", the threat actors, they're not sitting on their hands and letting you take a breath because you're trying to do this. They're constantly changing and getting better. They're getting more sophisticated. You have to keep up with the pace of how they're evolving and how they're changing.
[00:18:24.200] - Mike Towers
The fourth lever and tension point is, we're constantly expanding our business. As you mentioned before, some of the volumes that you mentioned, we're constantly expanding our business to a much broader level of connection.
[00:18:36.230] - Mike Towers
As the threat landscape is getting more complex and more dangerous, at the same time, we're increasing our risk levels because we're widening the reach of our digital and data connections. So all of those push and pull in different directions and prioritization and focus is very, very critical.
[00:18:53.480] - Mike Towers
A lot of it does boil down to what risks are we willing to accept? I'll give you a couple of real world examples Takeda's dealing with. One of the biggest disease areas that we have a lot of patients suffering from conditions that we have really, really good medicines in is GI, gastrointestinal conditions, Crohn's disease, and ulcerative colitis, for example.
[00:19:14.330] - Mike Towers
We can talk about the reel-to-reel advanced science of our biologic medicines that get injected into people and to help them but there's day-to-day challenges that a patient with GI and in a patient with Crohn's or ulcerative colitis deals with. Things like finding the bathroom quickly. May sound low tech, but it's something that they need. So we have digital apps that will help them find the nearest toilet wherever they are in the world.
[00:19:37.070] - Mike Towers
That's an area that, frankly, you can probably take a little bit more risk in doing that than say, helping somebody with multiple myeloma or leukemia, which is a whole different level of risk when you're dealing about potential digital capabilities and digital opportunities for there. So we can take different risks across the various parts of our health spectrum and establishing where we can make the most impact.
[00:19:58.520] - David Puner
So what you're talking about there to a certain degree would be patient engagement as well.
[00:20:03.980] - Mike Towers
Correct.
[00:20:06.020] - David Puner
When it comes to patient engagement, how does that fit into your bigger purview?
[00:20:11.940] - Mike Towers
Yeah, so interesting pivot point here. The biopharmaceutical part of our industry has historically been quite abstracted from patients, so we rely on third-party clinical trials companies to do the clinical testing or research hospitals will do clinical testing. Generally speaking, the value chain... I mentioned before how important value chain is. Generally speaking, the value chain of biopharmaceutical stopped as soon as the prescription was written. Once the prescription was written, our exposure and our engagement and connection with those patients was really not a business priority because the models didn't allow it to occur.
[00:20:53.640] - Mike Towers
All of that is changing, and there's a couple of reasons why it's changing. Number one is that we in the biopharmaceutical industry realize that we need to get better engagement with patients to better understand their conditions and to improve their health. But patients themselves are becoming much more empowered, and they want to drive their own care. They want to be more involved in the decision-making process, and in order to do that, you have to learn more.
[00:21:16.290] - Mike Towers
Patient engagement fits in in a number of different areas. Again, if you walk through the biopharmaceutical value chain, it starts with clinical trials. If we're going to do testing in clinical trials for certain conditions, how do we find the right patients? How do we recruit them? How do we give them the right level of trust and expectations management so that when they're participating in these trials, that they do so willingly and they do so well and they're compliant with what we're asking them to do, et cetera. There's the clinical trials piece, which again historically has been very, very physically facility dependent, in-person dependent. We want to make that more flexible.
[00:21:54.910] - Mike Towers
A second piece is delivery companions. If we're delivering a drug that there could be tech companions to enable that delivery to be better, maybe it's an app that monitors your Fitbit for your blood pressure or whatever or companion care type of things, or even that Find the Toilet I mentioned before. That's a companion care type of element.
[00:22:20.450] - Mike Towers
Third area where patient engagement is really important, and this is a really, really challenging area, especially in one of our therapeutic focus areas, which is rare diseases, is trying to come up with a way to do earlier diagnosis. When you suffer from a rare disease, one of the biggest challenges is that you may have been dealing with conditions where one out of every ten doctors has actually ever seen it and had experience treating it. And the average time it takes to diagnose patients with some of these rare diseases can be as much as 10 years.
[00:22:47.990] - Mike Towers
The earlier you can diagnose these conditions, the better you're going to be able to treat them. Leveraging all sorts of biomarkers, indicators, to allow us to do more and better earlier diagnosis is really important from a patient engagement perspective.
[00:23:03.350] - Mike Towers
I mentioned before ongoing health management and we've all probably dabbled with the iWatch experience or the Fitbit experience or the Amazon Halo experience when we have things monitoring our vitals or whatever. How can we leverage that data? That's another patient engagement piece.
[00:23:20.390] - Mike Towers
Last but certainly not least is circling all of that data back into the requirements-gathering process for where we invest energy for new treatment and new care opportunities. Having all of that circle back into the beginning of the funnel, if you will. Its monitoring, its outcomes, et cetera, so that we are armed with the best data to pivot potentially where we want to focus for new opportunities.
[00:23:44.280] - David Puner
You've got a pretty full plate, it seems.
[00:23:47.970] - Mike Towers
Yeah.
[00:23:49.110] - David Puner
Of everything that's on your plate, what's the biggest challenge you face in your role as it pertains to trust?
[00:23:56.490] - Mike Towers
I think the biggest challenge from a trust perspective is everything that we've talked about. I want to make sure our listeners don't view this as trying to say whose industry is more important than others. I have a lot of respect for anybody who does the security leadership, regardless of the industry. But there are certain social responsibility elements of certain industries that are different than others.
[00:24:23.510] - Mike Towers
Getting and rewiring a company from a healthcare perspective and a pharmaceutical perspective is a very, very different responsibility than, say, enabling you to be able to book your flights and your hotels digitally. It's a very, very different responsibility here. I think what the biggest challenge is, and what keeps me up at night is that all of these digital enhancements and data opportunities are really, really impactful, but they carry with them a significant social responsibility element to make sure that the people that can benefit from them the most are comfortable going along with the journey, and we're carrying a much higher level of responsibility in doing that.
[00:25:00.530] - Mike Towers
Some of the biggest obstacles of doing this at scale is because people just don't trust giving their data up to be useful in this regard, whether it is they think that it's going to end up in some way to sell them more product or they're worried about their data being breached. There's a lot of historical mistrust in sharing enough data for us to do this properly, so that's something that we have to figure out a way. It's not just a Takeda problem, this is an industry-wide problem, which is where I think industry collaboration is so important, is to make sure that we do this with the right level of social responsibility.
[00:25:34.670] - David Puner
You did mention the other industries just now. What other industries are there that you can take cues from when it comes to both your role and as an inspiration for pushing digital transformation further?
[00:25:46.040] - Mike Towers
Well, I mentioned tech. Another industry that I would say, it may sound like a weird one to take cues from but I think it's important, is you take something like oil and gas or utilities. The reason why some of these other industries that historically some people may view as conservative. But one of the biggest shifts that's happened in security leadership overall is many, many security leaders have been spending years focusing on the "C" of the CIA triad. Broadly speaking, people define information security and cybersecurity as protecting three things: confidentiality, integrity, and availability.
[00:26:26.090] - Mike Towers
Most security leaders and most security departments have historically prioritized heavily on the "C" of the CIA. Making sure your data is not breached, making sure your data is not exposed, making sure your data is not stolen, making sure competitors don't put their hands on it. But more and more, you start to realize, and again, the more you are data and digitally-driven as a company, the more important this is.
[00:26:49.010] - Mike Towers
The "A" is critically important. Making sure that your systems are up and running is often times as important, if not more so, than whether or not your data is exposed. When you look at an industry like oil and gas or utilities, resiliency and availability is a number one fundamental top priority. There's a lot we can learn from industries like that where maybe the consistent, trusted, and resilient uptime of their systems is more important, frankly, than whether or not their data gets breached.
[00:27:21.370] - David Puner
Interesting. Really interesting. I feel like we've touched upon a lot here and we could dig into any one of them for probably another many hours. But what I want to ask you is how do you prepare for the unknown? It sounds like there is an awful lot of unknown and you've got to be confident going into that.
[00:27:38.240] - Mike Towers
Two-part answer, broadly speaking, and like a lot of these things, the devil is in the details, but I think it's an interesting semantic question. Number one is first and foremost, the best way to prepare for the unknown is to expect it. I think that sometimes the security trap we fall into is we try to find and try to figure out what's right and what's expected and then stop the rest. We can't do that anymore. It's too difficult to figure that out, so you almost have to expect and assume everything is unknown.
[00:28:15.800] - Mike Towers
A hot buzzword in this area is zero trust where you assume nothing is trusted and therefore it inherently protects you. I think that's an important discipline here. I think the other element here that I would advise CISOs and aspiring security leaders to think about is let's not be so enamored with the advanced controls that are being developed from a technology perspective and focus more on visibility.
[00:28:43.550] - Mike Towers
Because again, everything is so data-driven and analysis-driven, the more data you have, the more likely you're going to be able to get more insights, if you will, and better data to analyze to make the right decisions and drive the right decisions. To me, it's always visibility that's really, really important as well.
[00:29:01.310] - David Puner
Mike, thank you so much for taking the time to speak with us. Really interesting. You've got a lot on your plate, as I mentioned before, and really interesting to see where this all goes. It sounds like it's the beginning of a long, steep trajectory.
[00:29:16.460] - Mike Towers
It's exciting. I appreciate the time and I appreciate the opportunity to speak with you about it, so thank you.
[00:29:20.810] - David Puner
Thank you very much.
[00:29:29.170] - David Puner
Thanks for listening to today's episode of Trust Issues. We'd love to hear from you. If you have a question, comment, constructive comment, preferably, but it's up to you, or an episode suggestion, please drop us an email at trustissues@cyberark.com and make sure you're following us wherever you listen to podcasts.