Data Security Decoded 7.14.26
Ep 58 | 7.14.26

Shifting Security and Protecting the Pharma Supply Chain with Andy Hillis

Show Notes

This episode provides a technical exploration of security engineering within highly scrutinized life sciences environments, drawing on ⁠Andy Hillis⁠' decades of operational history at ⁠The Almac Group⁠. The discussion centers on the practical realities of shifting security left. Andy explains how his organization integrated rigorous info security reviews directly into the initial request for information and request for proposal stages, effectively establishing an unyielding baseline of evidence for third party vendors.

Listeners will gain access to battlefield stories regarding the navigation of sudden structural oversight from global regulatory bodies, including the FDA, EMA, and the post Brexit MHRA. The narrative moves past high level compliance abstractions to focus on the technical enforcement of GXP principles, least privilege role based access control, and centralized configuration change management across distributed international networks.

Andy challenges conventional industry perspectives on cloud adoption and rapid automation, outlining a calculated, use case driven approach to infrastructure management. The conversation covers critical recovery metrics, defining the architecture required to build a provable, immutable backup position capable of supporting a minimum viable company operational state during an incident. Finally, the dialogue addresses the integration of automated security operations centers and the governance frameworks needed to control decentralized citizen development.

What You'll Learn

  • Core methodologies for integrating security teams into early procurement and RFI cycles.
  • Operational frameworks required to support over 200 diverse compliance audits annually.
  • Tactical application of GXP guidelines to digital data retention workflows.
  • Engineering immutable backup states to secure a minimum viable company position.
  • Governance mechanisms for regulating generative AI and managing rogue asset development.
  • Automated SOC implementation techniques designed to suppress alert noise effectively.
  • Value of network discovery tools in mapping complex assets internationally.