Concurrently with its promotion of digital transformation (DX), Chugai Pharmaceutical is strengthening cybersecurity measures for the entire Group, including its supply chain. The Cybersecurity Group in the IT Solution Department plays a central role in these initiatives. Digital strategy is a driving force for Chugai Pharmaceutical in its aim to become a Top Innovator in the healthcare industry. This article focuses on the excitement of the cybersecurity aspects of that strategy.

(Interviewee: Toda)

*Reproduced from Chugai Pharmaceutical’s official Talentbook website (https://www.talent-book.jp/chugai-pharm) Article details and employee positions are current as of August 2024.

From vulnerability and privileged access management to international collaboration. Challenging the forefront of cybersecurity on the global stage

The Cybersecurity Group oversees cybersecurity across the entire Group. It implements comprehensive cybersecurity measures, from the formulation of in-house rules, governance of overseas bases, and cybersecurity architecture reviews to the privileged access management of systems.

 

Toda role in this group is the enhancement of vulnerability management and privileged access management.

 

‘In vulnerability management, I identify and prioritize vulnerabilities that could become a potential threat and take measures in cooperation with the people in charge of the individual systems. In addition to day-to-day operations, I am also working on the revision of rules for swifter, more effective responses.

 

In privileged access management, in addition to the maintenance and operation of the privileged access management system, I am pursuing ongoing improvements, such as consideration of resilience enhancements and robust management practices for the system.’

 

Toda works on cybersecurity management for overseas Group companies, as well as of those in Japan. He has also dealt with the differences in legislation and cultures of individual countries, as well as issues that are unique to pharmaceutical companies.

 

‘The staff in each country are very cooperative, and I think I have built good working relationships with them. Having said that, the ways that staff think and their policies differ from country to country, so coordination through daily communication is essential. As each base has its own initiatives, I try to understand their situation and engage in dialogue to build consensus.

 

Moreover, there are unique considerations in the cybersecurity aspects of pharmaceutical companies. In particular, research labs and plants use systems and infrastructure that are different from those of head office, necessitating individual actions.

 

For example, factories may use embedded systems other than Windows because of their OT environment, and research labs frequently have specialized experimental equipment that relies on unique systems. As such, there are numerous cases in which normal IT knowledge is not enough.’

 

Meanwhile, another of Toda’s key roles is to realize cybersecurity alliances between Chugai Pharmaceutical and Roche. Efforts are under way to further deepen the partnership between the two companies.

 

‘Currently, we are working on a project called “ASPIRE” to overhaul our enterprise resource planning (ERP) system and reform company-wide business processes. The aims of this project are the integration and efficient use of information between the two companies.

 

My role is to realize smooth partnership with Roche. This includes the formulation of cybersecurity measures after system integration and the establishment of a cooperation policy between the two companies for handling any incidents that may occur in the shared systems.

 

I believe that the first step toward a smooth partnership is for both companies to understand each other’s efforts, such as their positioning of cybersecurity and operation mechanisms. In my view, the two companies will be able to build a cybersecurity system that leverages the strengths of both companies through this partnership.

 

Toda is in the eighth year of his career. He says that Chugai Pharmaceutical has an appeal that he is able to sense precisely because he has accumulated experience as a cybersecurity officer for multiple other companies.

 

‘Chugai’s greatest appeal is that employees are given a great deal of discretion. It is an environment in which individual judgments and ideas are respected, from setting targets to how they are to be achieved. Being able to create my own vision and guide it toward achieving my goals gives me a great sense of reward every day. Of course, there is also the atmosphere that is conducive to asking questions and seeking advice without reserve when we are not sure of anything. The peace of mind this gives is another point of appeal of this company.

 

Another of Chugai Pharmaceutical’s distinctive features is its extremely proactive stance toward the introduction of new technologies. Compared with other companies, there seem to be many active initiatives being taken, such as the use of generative AI. The fact that the use of generative AI in various operations is being considered is very advanced. This includes not only general use such as improving the efficiency of routine tasks but also core operations such as drug discovery and drug manufacture. As someone involved in IT, it is extremely inspiring to be able to consider the cybersecurity of these cutting-edge technologies before anyone else.’

To be a bridge that connects technology and business. New challenges guided by strong convictions as a cybersecurity officer

Toda started his career as a network engineer at a major electronics manufacturer. The turning point for his career came about when he unexpectedly entered the cybersecurity field.

 

‘At first, I was working on the consideration and proposal of network solutions, but I happened to be assigned to the cybersecurity design of a private cloud service.

 

Partly because I had studied informatics at university, my impression of the term “cybersecurity” was that it was a highly complex and advanced field that dealt with so-called “abnormalities.” At first, I worried whether I would be able to handle such sophisticated work. However, as I worked on actual operations, I became attracted to the process of building consensus about the feasibility and implementation period of cybersecurity measures through dialogue with concerned parties.

 

The fact that I realized that you do not have to be an expert in every technology and that it is fine to proceed by borrowing the knowledge and help of other concerned parties was probably a significant turning point for me.

 

Having said that, it is also true that, because the cybersecurity measures of a variety of systems must be considered, you need to have a certain level of knowledge of these technologies. Although I was hesitant at first, as I threw myself into my work with determination, I realized the excitement of quickly catching up on a wide range of knowledge. This is another factor that drew me to the field of cybersecurity.’

 

Toda subsequently joined a consulting firm in the hope of working in cybersecurity from a business perspective. There, he saw new and different aspects of cybersecurity.

 

‘At my first company, I worked in implementation and detailed design, and I sometimes felt that there were issues at in the business requirements definition phase, which was the stage previous to my own. This inspired in me a desire to become involved in projects from that initial phase, to prevent the emergence of issues in the implementation phase, thus allowing plans for cybersecurity measures to be progressed more efficiently. This is when I started to consider changing jobs.

 

After doing so, I felt firsthand that being involved from the early stages, before the technical requirements are finalized, allowed the subsequent phases to proceed more smoothly. I think this is largely due to the fact that, when conceptual decisions were being made, I was able to envisage to some extent how such concepts would be materialized later on in the process. It made me happy to be able to leverage the technical experience that I had gained at my first employer.

 

If I may digress a little, I would say that the greatest lesson learned at my previous job was the importance of believing in your abilities and doing your best. As I worked so hard on a single issue, I sometimes felt that my performance and ideas exceeded even my own expectations. These experiences are a great support to me even today.

 

While some consulting firms tend to divide responsibilities between technology and business requirements, the cybersecurity department of the consulting firm that I worked for had a culture of developing human resources who could take on both fields. As I myself thought that these two fields are inseparable, I fully endorsed such a corporate culture and was actively engaged in various projects. In the course of gaining a variety of experience, I was convinced that the intersection between technology and business was the career path that I wanted to pursue.’

 

And so, in recent years, Toda moved to Chugai Pharmaceutical. His strong conviction as a person involved in cybersecurity was behind that decision.

 

‘There are two key factors that prompted me to choose Chugai Pharmaceutical. Firstly, the Company had received platinum rating as a DX stock, and it had been actively introducing new technologies. I imagined that I would be able to accumulate diverse experience in such an environment.

 

Secondly, I placed emphasis on the character of the other employees that I would be working with. In addition to the favorable impression I received in my interviews, I had previously heard about Chugai Pharmaceutical’s excellent corporate culture from a former colleague who had been assisting the company. These were also key factors in my decision to join Chugai.

A corporate culture that supports challenges that encourage growth. The reward felt in being able to focus on substantive cybersecurity improvements

What stood out most to Toda after joining Chugai Pharmaceutical was its corporate culture, which is filled with a strong spirit of challenge. An environment that offers a wealth of learning opportunities has supported growth.

 

‘As the patents for pharmaceuticals have expiration dates, it is impossible to continue business in perpetuity with current products alone. Hence, the company needs to constantly create new value. For this reason, there is a sense of crisis within the company, but in a good way. The ability to convert that sense of crisis into a positive driving force is something that I find particularly appealing.

 

Chugai Pharmaceutical also has a culture that is tolerant of failure. This allows us to address challenging issues without hesitation and to pursue solutions to issues constructively while cooperating with colleagues as necessary. I truly feel that the company has established a workplace environment that ensures psychological safety.

 

Moreover, I have been inspired by the exceptional skills of my colleagues. As well as the high level of their expertise, I have been struck by their proactive attitude in tackling challenges. For example, at workshops held in the division, many attendees actively voice their opinions. The company has a culture in which each individual has their own clear thoughts and strives to share their ideas proactively. I think that this is highly valuable.’

 

When he worked on a joint project with the Agile Development Promotion Group, Toda directly felt this strength of Chugai Pharmaceutical at first hand.

 

‘I was asked to review the cybersecurity specifications produced by the team in charge of in-house production of an internal application.

 

Typically, when it comes to cybersecurity specification, it is not uncommon to adopt well-known public documents as is. Therefore, I had anticipated having to make a variety of amendments, such as refining the details of the specifications and adding perspectives that were specific to the in-house application. However, when I actually saw the specification, it was of astonishingly high quality in terms of both its comprehensiveness and specificity. I was greatly impressed that such a high level of cybersecurity literacy existed in departments other than the cybersecurity division.

 

While many companies tend to put off cybersecurity initiatives, here at Chugai Pharmaceutical, we have enough knowledge and awareness that even departments other than the cybersecurity department are able to draft cybersecurity policy. I was surprised by the high level of expertise and innovation, and at the same time, I realized that a cybersecurity culture has taken firm root in the company.’

 

Toda said he also feels the unique excitement that comes with working at a business-focused company.

 

‘As system integrators and consulting firms are contracted by their clients to perform work, any risks that encountered, large or small, need to be reported to the clients and countermeasures discussed.

 

On the other hand, working for a business-focused company as an employee, I can make judgements about risks for myself and focus on essential risk management with a certain level of discretion. I think that this is a unique benefit of working for a business-focused company.’

Curiosity and ethics lead to next-generation technology. Toward the realization of cybersecurity that supports digital strategy.

Toda has been working at Chugai Pharmaceutical for about a year. His career as cybersecurity officer at Chugai Pharmaceutical has only just begun.

 

‘We still have a long way to go in the enhancement of vulnerability management and privileged access management. My immediate goal is to ensure that they are accomplished with a view to in-house production. At the same time, I will focus on strengthening collaboration with overseas sites.

 

Further, in light of the emergence of generative AI, I will also strive to build a model case that will serve as an industry-wide guideline. To this end, we must first establish effective ways of utilizing generative AI in cybersecurity operations. Once that is achieved, we also need to address the issue of how to ensure the cybersecurity of generative AI technology itself.

 

We plan to proceed with the comprehensive review of the key considerations for utilizing generative AI, its maintenance and operation requirements, and cybersecurity measures specifically for generative AI applications.

 

On the other hand, I personally hope to contribute as a bridge that connects the governance and technical aspects. My ideal position would be one in which I could leverage my experience to integrate these two aspects more effectively.’

 

Toda says that curiosity and a strong sense of ethics are indeed the crucial qualities for a cybersecurity officer. Toda has a message for his future colleagues.

 

‘Curiosity is a critical factor in the work of a cybersecurity officer. With rapid technological innovation, the cybersecurity field is also constantly evolving. If you are willing to absorb new knowledge and technology actively, you will be able to enjoy this job from the bottom of your heart.

 

At the same time, given the specialized nature of the cybersecurity field, a high sense of morals is also crucial. For example, in this job, you will be given opportunities to learn about hacking and even, on occasion, to access employees’ personal information. It is essential to have a strong sense of ethics, that you understand that there is a line that should never be crossed and to uphold that line.

 

We welcome people who have a combination of curiosity about technology and a strong sense of ethics and who have learned something from their own experiences. Of course, there is a lot to learn from textbooks and training, but I strongly feel that such learning cannot match the experience that you gain from hands-on work. Chugai Pharmaceutical has a culture that strongly encourages taking on challenges, so I highly recommend that you actively try things for yourself and embrace the process of trial and error.

 

The IT Solution Department accepts mid-career recruits every year, so we have a culture that welcomes mid-career hires. In terms of support systems after you have joined the Company, each division has its own onboarding resources, and there is an atmosphere that encourages you to ask questions freely if there is anything that you are not sure about. Even if you do not have any experience at a pharmaceutical company or business-focused company, it is highly unlikely that you will feel isolated.

 

As this is a global company, you may feel anxious about your English, but there is no need to hesitate, even if you are less confident in your English. Certainly, English is used in some aspects of the work, but in general, the majority of communication is conducted in Japan, which means most of it is in Japanese.

 

Conversely, if you are keen to use your English, you can create such opportunities yourself by attending meetings with overseas sites and English-speaking vendors. As the Company has an environment where adjustments can be made according to the individual’s preferences and job responsibilities, feel free to knock on the door.’