Johnson & Johnson’s IT security team is championing the people element of its cyber security framework.

The idea behind the strategy is that a more rigorous focus on people and culture acknowledges that having the latest technology and processes is not a foolproof solution to information security. The idea is explored in a new cyber security handbook released by the CIO Executive Council Australia.

“When I took over this role, the first thing I asked is ‘what’s the [people and culture] strategy that we’ve been following?’” says Pablo Diez del Corral, global director, enterprise security and risk management at Johnson & Johnson.

“I got great documentation and presentations saying we’re implementing an IDPS system and deploying web filtering appliances, and we’re doing this and that, so I asked – are we only dealing with machines? The security function was properly staffed in all other aspects except this one.”

With breaches fuelled by ignorance almost as frequently as malice, Diez del Corral says a tech-agnostic strategy is always needed.

“At the time, the people piece was almost an afterthought. Somebody was looking after it, but they just followed pre-written instructions and didn’t question it. Unless you create the conversation around it, you’re still going to see the problems.”

Diez del Corral and his colleague Angela Coble, global manager, enterprise security and risk management, are now working to create awareness and teach the appropriate skills, while providing the platforms for collaboration and communication that have led to a more connected and highly secure corporate environment.

Last year, the pair set to work on creating an initial gruelling 90-day plan to kick-start an ongoing three-year strategy, complete with roadmaps and major and minor initiatives across four different quadrants.

“The message was: Be aware, not alarmed,” says Coble. “Like a duck, our legs can be really paddling under the surface, but our exterior is calm. So we deliver the message in a way that creates awareness, not panic, and gives our partners confidence.”

A long-term vision and mission were crucial to help guide and empower all stakeholders, while branding helped to tie ideas back to the strategy. But most importantly, it had to be dynamic and ongoing – not dependent on Coble and Diez del Corral, their team or where security sits in the organisation.

“No matter what the changes in my organisation and structure, no matter who is sitting in my chair in the future, this strategy is not going to be affected; there’s no need to change it. It’s got to survive three years; then we need to review it and start looking at the following three years,” says Diez del Corral.

Johnson & Johnson’s people and culture strategy contains several different functional focus areas, including education and awareness, collaboration and communication, roles and responsibility, maturity and metrics, and, last but not least, stakeholder management. For each focus area, the pair have had to plot key initiatives with a planned quarterly outcome and an annualised event project plan.

In the end, Coble and Diez del Corral say the focus on people and culture as a security strategy means recognising that you can’t do anything without taking the people on the journey with you.

To read more about Johnson & Johnson’s people and culture journey, including details of each roadmap and top tips for each focus area, see the full case study in the security handbook, Cyber security: Empowering the CIO.