In a world where pharmaceutical and agricultural innovation meets relentless cyber threats, how does a seasoned CISO architect a security strategy that empowers rapid development without compromising critical data?
Kevin Jones, Bayer’s Group CISO and former cybersecurity lead at Airbus, is pioneering a platform-centric approach at the life science giant, leveraging AI’s potential while navigating the labyrinth of global regulations.
Jones has aligned the firm’s cybersecurity strategy with the Bayer company direction, which is to have dynamic shared ownership (DSO), with the whole company moving towards unlocking people’s ability to deliver innovation quickly. This means that cybersecurity and IT fit into a whole-of-business approach.
In a recent discussion with Infosecurity, Jones shared how he is fostering the new dynamic shared ownership operating model and is embedding security into the core of Bayer’s operations.
With his long tenure at Airbus in the rear view, his approach to cybersecurity at Bayer has been completely new.

Infosecurity Magazine: With a global workforce of ~90,000 employees across 80 countries, what are the biggest cybersecurity challenges you are dealing with on a day-to-day basis?
Kevin Jones: Two CISOs are never quite the same so it depends on the size of the organization and the industry you’re working in. One of the beautiful things about a company like Bayer is that we’re a global organization with multiple divisions and areas of expertise, which allows us to gain extensive insights and advancements in our cybersecurity programs.
It’s also brilliant to be able to deliver security at scale. Scalability has to be the number one thing that we deliver there.
To do that, we say that cybersecurity is a collective responsibility. I always say it’s a team sport.
For me, one of the biggest changes that we’ve already introduced in Bayer has been this notion of human-centric security. We recognize that every employee plays a crucial role in our cyber defense.
To support this, we offer bespoke training and awareness programs that educate all employees about potential risks and best practices for maintaining security. This collective effort helps us create a robust security culture across our tens of thousands of employees while retaining expert teams that deliver the security capabilities we rely on.
We try to tie anything we do around three value propositions:
- The first is license to operate. Regulatory obligations for cybersecurity apply to all of our businesses. Without us doing the right things to stay compliant, we don’t have a license to operate.
- The second is customer trust. Our customers – whether that’s the farmers in our crop science division, the patients and healthcare organizations in our pharma division, or end consumers in our consumer health division – have an expectation that we’re trustworthy with their data. I think it’s an important differentiator to say we want to go beyond the regulation part.
- The third is company resilience. This means maintaining operations in an environment filled with threats and uncertainties. We focus on strengthening our defenses and adapting our strategies so that we can not only withstand cyber incidents but also learn from them to enhance our overall security posture.
The big challenge you face with a company of this size is the pace of change and it is the reason that these are our value propositions.
IM: How has Bayer set up its global cybersecurity team for success?
KJ: We’ve just rolled out a platform-based model across all our IT estate. So, rather than traditional IT, we’ve moved to a DevOps environment for our IT landscape, and that change has impacted security in two ways.
Firstly, we now need to secure that platform-based model by integrating DevSecOps as the security part throughout the lifecycle, as well as maintaining older systems and environments.
In security, we’ve moved to a capability-based model. That means we deliver cybersecurity, digital products and services in an agile way, which allows the business to work at speed.

We have five platforms. The first is our assurance and advancement platform, which focuses on risk and compliance, and embedding technical capabilities and automation into our future risk management strategies. We are working to integrate our risk program into our business digital landscape to be most effective at ensuring regulatory compliance and audit efficiency.
The second platform is cyber defense. When we have to respond to an incident, we have our security operations center (SOC) and computer emergency response team (CERT) to do vulnerability management, threat intelligence and hunting – all of those capabilities that we need to deliver at scale are delivered centrally.
Then we have the cyber technology platform. That is effectively the security controls. This is made up of identity and access management, firewalling, connectivity, security, encryption and endpoint protection.
Next, we have security architecture and innovation. This is the technical expertise around architecture that delivers our technical standards and patterns, the internal consultancy. We have our red team and do our own offensive security. We are also building DevSecOps into that platform.
Finally, we have our global infrastructure platform, which includes national and regional security offices in the countries where we operate. These offices are crucial for ensuring that security measures are effectively implemented across the entire organization.
By transitioning from a project-based approach to a delivery and capability-based model, we have fundamentally changed how we operate. Rather than assigning a single security team to oversee our efforts across ~90,000 employees in over 80 countries, we ensure that each platform is responsible for embedding security skills within its functions.
Cybersecurity skills are integrated into IT-wide digital platforms, ensuring that the security standards of all functions, even those outside our primary security platforms, are maintained. To facilitate this, we establish chapters that bring together technical experts across platforms for skills training and development. It’s a novel model and is something we went live with in security from the start of 2024 and across IT since the start of 2025.
I don’t see many companies adopting that kind of model yet but it’s definitely somewhere people will go in the future, because we need to move away from security just being that one team to the collective.
This is how we deliver security globally at scale across a large organization and across digital platforms – delivering security as a capability – because that’s what our business expects of us.
IM: The healthcare sector is set to be one of the biggest beneficiaries of AI and ML technology. How do you ensure your business is taking full advantage of AI while remaining safe and secure?
KJ: From an AI point of view, it’s evolving quickly, but we’re still early in the journey.
At Bayer we have developed a lot of our own AI and AI platforms that we use internally rather than from third parties. I think that’s already quite important from a security and business point of view.
We have long established an AI governance body across the group, and that doesn’t just come from IT and cyber. It really involves business stakeholders.
It also brings together our legal departments and AI experts because AI use goes beyond security and considers factors like ethics. Are we aware of biases in the models, and how do we ensure that we don’t fall foul of those aspects?
Then there are AI regulations like the EU AI Act, which is now in force. When we are using these technologies across the business, we must consider whether we are doing them ethically, correctly, legally, and securely. Having a governance body is a key component of how companies do that. Any company that’s leveraging and thinking of leveraging AI has to have something like that to keep it all on track.
The one area companies like ours are very clearly seeing attackers use AI is in social engineering.
This is deepfake voice targeting of employees in real time through text messages, email and calls. We’ve had to respond very quickly to that, and our human-centric security awareness team is providing near real-time training to key individuals.
We’re putting out real examples where we’ve generated our own deepfake voices of myself or other key stakeholders in the business to raise awareness of that, and to ensure people follow good practice. That really is changing our ability to defend against these threats very quickly.
We also protect our own AI models. I’m a little outspoken on this topic because when you really break it down, there’s lots of noise about protecting AI models and the new shiny tools you need. Actually, I’m not sure you do need lots of tools. For me, it’s a data security problem.
I heard a wonderful thing that I’m going to steal with pride. I was talking to some people about how you have a software bill of materials (SBOM) when you’re developing code.
If you’re developing AI, what we really need is a data bill of materials (DBOM). Because in the future, I’m going to have to prove what data was used to build those models.
What I’m looking at is how we measure and monitor data that goes in with the right access controls, how we map that data usage, so observability of data through AI models. Then it’s about how we secure the data that comes out through data access controls.
It’s data utilization and I think where we will see a lot of companies, including ourselves, investing heavily over the next two or three years, is in information and data protection.
Finally, we use AI in our own security tools and predominantly that’s more for automation and machine learning in the SOC. I think, as an industry, we’re still searching for a good use case in security for generative AI large language models (LLMs).
For security, policies and third-party risk management could well be disrupted by generative AI. This is because it’s exactly what generative AI is designed to do: read and understand documents and push those things through. It may even assist some of the SOC aspects about writing reports and automated reporting.
IM: The regulatory landscape is becoming increasingly complex in cybersecurity. How far do you think compliance with various regulations is straining cybersecurity resources?
KJ: We see an increasing number of regulations, which are increasingly complex and competing with or diverging from each other. I think businesses are going to have to look very carefully at how expensive it will be to be able to deliver on that continuing compliance globally across the different nations and states in which we operate.
We are approaching this challenge by developing a comprehensive compliance framework that aligns with our technical architecture, patterns, and controls, and we believe this approach could benefit others as well.
As new regulations come in, the first thing we’re able to do is map those new regulations to our Bayer compliance framework and see where they fit.
You have to work very closely with the business and with digital. This is because it’s a team sport and we will all have an impact across our business. That includes not only cyber but legal teams, data privacy teams, and the people who are delivering in country.
The next big piece for me is to really think about how to do it efficiently, so the way we work has to be repeatable and auditable, for example.
If you still have a security program that’s based on projects and it’s delivering one project after another, that’s going to be an increasingly large problem because you’re not going to be able to have that auditability, repeatability and the documentation.
Also, for efficiency, we are certainly looking at automation. How can automation help us through the reporting of key metrics for security? How do we do automated audits around our technology landscape and bring that data together so that we can quickly show compliance?
Having a robust controls framework allows you to systematically map compliance requirements, enabling you to demonstrate how you meet those standards effectively.
Security compliance and regulations are not a bad thing, necessarily. It’s really helped the industry as a whole to have the investments we need to make step changes.
But we’re at a point now where I think we need to find efficiency in how we deliver that compliance.
Finally, you need to consider the future. We spend a lot of time anticipating regulation. We know what’s coming out of the EU well in advance. But for the US it is a little trickier, so we have to sometimes wait and see what’s coming out of the US and be slightly more reactive.
This anticipation of regulations typically gives us a window of 18 months to three years to prepare and adapt to upcoming changes.
IM: If you could give one piece of advice to fellow CISOs/cybersecurity practitioners, what would it be?
KJ: The thing I like about the CISO community as a whole is that we’re all continual learners. It’s one of the reasons I love this industry.
The biggest advice I would give is to be a continual learner. I’d also say good CISOs are generalists who can talk one minute about governance, risk and compliance, and then the next minute have a technical discussion about the deployment of post-quantum cryptography or the next DLP tooling. Then, maybe you have to talk to the business about the value proposition of cybersecurity, or you’re doing human-centric stuff and you’re being an evangelist for security.
You must have a passion for cybersecurity because it’s a long road. It’s not the easiest job in the world, but if you have a real passion for it, it’s also one of the most rewarding.