Jonathan Sinclair is a seasoned cybersecurity leader with over 15 years of experience. At Roche, he leads cybersecurity efforts in PT by aligning security strategy with innovation and business resilience.
In an interview with CIOReview Europe, Sinclair shared insights on his career trajectory, cyber risk quantification, digitalising the pharma landscape, the challenges of securing patient data and resilience in cybersecurity.
From Developer Roots to Cybersecurity Leadership
My professional journey began with a foundation in enterprise application integration, where I spent five years dealing with complex B2B development projects. I eventually shifted into cybersecurity, a field I have dedicated over 15 years to.
Working across global organisations, I’ve consulted on security maturity initiatives, secure platform design and security operation centres. I’ve also led initiatives in red and blue teaming, defensive activities, forensic investigations, DevSecOps and cloud security assurance, and overseen compliance projects aligned with ISO 27001, 27017, 42001, SOX, GxP and HITRUST.
Some defining aspects of my experience have been migrating on-premise systems to a hybrid cloud infrastructure for a leading financial institution, converging IT and OT networks for a leading biotech, investigating APT threats within the telco vertical and leading the security organisation for a cloud-native, AI-driven medicine software company. At Roche, I continue my remit of ensuring the safety and security of business-critical systems.
Balancing Risk and Innovation
Cybersecurity investments demand a clear data-driven strategy in today's pharma environment, where digitalisation rapidly transforms R&D, manufacturing and patient engagement.
Cybersecurity investments should be driven by risk management and risk quantification analysis. Threat modelling is a key aspect of the process, involving identifying potential threats and vulnerabilities to systems and determining how to mitigate them.
By presenting decisions in data and risk, I drive investments into high-impact areas without compromising security. AI initiatives transform traditional models, particularly everyday AI, necessitating a rethinking of how businesses structure their operations and capabilities.
AI’s true benefits can be experienced only when data is readily available, including when data is centralised and used within the organisation.
AI’s impact on cybersecurity demands a shift from protecting critical assets to securing the entire data ecosystem—managing data flows, assessing impact on supply chains and mapping security with business priorities.
Securing Patient Data and the Pharma Supply Chain
Protecting sensitive patient data demands rigorous standards, discipline and governance. Regulations like GDPR, CCPA and PIPL play an essential role in demanding an understanding of data flows and classifications, which permits data value realisation. Cloud providers are helping with this assurance thanks to emerging data sovereignty capabilities, which facilitate compliance by following local laws and regulations.
Unlike patient data, supply chain information is grey and doesn’t necessarily fit into traditional data classification categories.
Critical logistics data often leads to direct business loss or legal infringements. To protect and prepare for recovery from disruptions, a shift is required from a pure cybersecurity mindset to a cyber-resilience approach.
Evolving Leadership Philosophy
As cybersecurity evolves, leadership must too. I approach this with a servant leadership philosophy, empowering teams with autonomy while remaining a trusted presence, especially during adversity.
I see myself as an enabler of strategic clarity and human connection for the people I mentor and across the organisation. Cybersecurity is not a barrier, but a critical function that supports business innovation.
Fostering this mindset helps shift the security perspective from pessimism to partnership by removing barriers, understanding individual needs and nurturing an environment for creativity and problem-solving.
Advice for Emerging Professionals
For anyone looking to grow in cybersecurity within pharma, I advise going beyond technical mastery and developing a comprehensive understanding of the business. Universities focus on technical cybersecurity skills but miss their broader role in systemic risk.
Understand your position within the business risk view and gauge the appropriate action level. Not all vulnerabilities warrant the attention of senior management. Develop the ability to identify which vulnerabilities need escalation. This business awareness, paired with strong technical skills, sets professionals apart.


