Syngenta's journey with modern capabilities of cyber & cloud
Widely known as a leading science-based innovator in agritech, Syngenta needs very little introduction.
In addition to its multi-billion-dollar turnover and 30,000-strong workforce, the global company is known for its significant investment in the scientific side of the business, driving advances in agritech that help farmers meet global demands surrounding sustainability and growth. As such, Syngenta dedicates a whopping $1.3bn a year to R&D, regularly bringing new products to market; this dedication to identifying cutting-edge tech and practices has helped it maintain its lead in a competitive market.
Despite this, though, the 22-year-old organisation faces the same problems as any other large business when keeping up with tech and security advances in a constantly fluctuating environment – with the two being interdependent in certain areas like cloud security and therefore complex to maintain.
Syngenta's Global Head of Infrastructure and Cybersecurity, Vanja Vlaski, oversees the company's networks, which include cloud, as well as workplace technologies, the helpdesk, and overall cybersecurity.
“Infrastructure and security are at the base of any company today. Anything that goes wrong in any sub-department impacts every single employee and the company overall. As an example, having a data breach causes parts of our operations to stop, and that has an immediate financial impact. If some part of our cloud service is unavailable, key business applications don't work. That's a simplistic explanation of how important all these interdependent technologies are.”
The world of agriculture is, according to Vlaski, surprisingly fast-paced and forward-thinking in terms of cyber and technology, so it’s important that the same attitude is applied to the security of those.
“Nowadays, as you go on investing in infrastructure, you don’t take that static view any more; falling behind in capability, getting out of touch with latest technologies, developments and frameworks can have that direct, immediate impact all the way to where your sales and go-to-market strategies interface with your customer. This is as fast-changing a technology landscape as it is anywhere else.”
Syngenta and cybersecurity
This, in a nutshell, is how the IT landscape looks from Vlaski's standpoint. To take a closer look at the threat levels, we can turn to Paul Carugati – he's Syngenta's Global Head of Information Security, or CISO.
“When we're talking about information and cybersecurity, it's all about risk management,” he asserts. “To my team and to all of our internal and external customers, I say that, essentially, the role we play is as facilitators of risk in every corner of the global business. We help them all to understand the level of cyber risk that's being incurred, to help to find what the risk 'appetite' is, and then implement the appropriate controls to effectively manage those risks.”
A business like Syngenta is very dynamic, he points out, so this is essential. “The organisation is continually changing shape and that makes it difficult to pinpoint where it may become vulnerable, especially in the cybersecurity realm. We face constant technical and administrative threats that hinder the operation of the business. We have to not only understand the technology that is driving those threats, but also the people component.”
In addition to needing to raise awareness among stakeholders, Carugati likes to re-emphasise the basic fact that while technology can do quite a lot to keep a business secure, it’s less effective when lacking strong human collaboration. This is particularly true in cases where much of the threat – and, conversely, defence – stems from users, as at Syngenta.
“The majority of threats we see come from our end users. End users outside and inside the business can be our most vulnerable area. But at the same time, they can be our greatest defence against those threats if they are educated and trained properly in threat awareness and protection.
“In the ever-changing technological landscape our threats are very dynamic. It's an almost continuous game of cat and mouse to stay on top of those technical issues from a threat management perspective, but ideally, with our strategic outlook and the protection and defensive measures that we put in place, we can manage those responsibly.”
The journey to cyber maturity
Becoming a fully cloud-based company (ahead of most competitors in the space) was a challenge. Once achieved, though, it became necessary to turn the attention of the teams to the questions of how to modernise the company’s application landscape and drive the business towards a cloud-native approach. Cybersecurity moved to front and centre. “If I look back three to four years,” says Vanja Vlaski, “this was not a professionally run department; today, it is a 24/7 operation.”
That was before the arrival of Paul Carugati and the setting up of a dedicated organisation. “Prior to my time here, there were certainly areas of competency on information security within the business, but they were extremely decentralised; nothing formal was in place. As a result, the organisation started seeing more incidents that were impacting operations negatively.”
So, how did Syngenta – with the collaboration of Vlaski, Carugati and the rest of the team – link these decentralised strands?
“We centralised the function, working directly under the CEO and CIO to establish a central and global information security organisation,” explains Carugati.
“From there, we aligned standards and the best practices defined for enterprise risk management – including ISO 27001, NIST 800-53, and, more recently, the NIST CSF (cybersecurity framework), which are needed to understand the appropriate capabilities for the purpose of organising teams and building responsibility for information security in a growing enterprise.
“One of the first things we did was to implement a formal risk management and treatment framework. We had to create that from scratch, as well as a team to govern it. In the process, we established good cadence with our legal, finance and HR partners. We then introduced ourselves and established good partnerships right across all lines of service as well as in the functional areas of the organisation, especially from an R&D perspective.
“Where we find ourselves now evolved from what I found to be a baseline maturity model: reactive, unstable, ad hoc and inconsistent, into the standards-aligned, documented and risk-based programme that I think is absolutely critical to be able to maintain from a cybersecurity perspective in a global organisation.”
It's not a finished job though, given the dynamic threat landscape – ever-evolving and expansive.
“Without continuing to grow and innovate in this space we will remain static and find our maturity level reducing. We have to grow, and we have to innovate along with the company’s risk appetite. Our goal over the next few years is to move the needle even further across our maturity curve toward a more proactive and metrics-driven organisation, with a predictive, integrated information and cybersecurity programme.
“We need not only to address the current needs of the business, but to actually predict what those are going to be, if we are to stay one step ahead of our cyber adversaries. And we must be able to build security controls and capabilities into our technological solutions across the organisation as opposed to bolt-on solutions.”
The road to the cloud
A great leap forward in capability and tech maturity was taken when the company moved all its on-prem infrastructure to the cloud. Syngenta's journey to the cloud, which is the responsibility of Subu Iyer, Global Head of Cloud Services, DevOps and IT Intelligent Automation, started back in 2016 with the setup of Cloud 1.0 in AWS.
“Migration of applications from data centres to the cloud started then, as the cloud promised a 50% reduction in operating costs. We successfully migrated the initial batch of 500-plus applications to the cloud in 2020, but project teams soon started running into governor limit-related issues linked to a single account architecture in Cloud 1.0. Subsequent discussions with AWS led us to setting up the secure multi-account landing zones, or Cloud 2.0. This proved to be a huge milestone for us. After detailed analysis and careful considerations, we chose to migrate the entire suite of SAP platforms and workloads out to our Cloud 2.0 ecosystem that same year,” explains Iyer.
“Following in the footsteps of the AWS operation, we then set up the multi-account landing zones in Azure in the Netherlands and Chicago in 2021. That year saw us onboarding Nordcloud as the Managed Services Provider for the steady state operations of all our cloud assets. This meant that, for the first time, we had round-the-clock support coverage for this critical foundational service.
“In a massive, complex undertaking in 2022, we migrated the last set of applications and all the infrastructure services out of the data centres, making Syngenta a 100% cloud operation. This was really the proudest moment for our infrastructure and security teams. Everyone banded together to unwind the decades' worth of legacy – and often undocumented – on-prem solutions and set up fit-for-purpose, cloud-ready alternatives.”
In a cloud-first organisation, how does the wider business successfully engage, communicate and share best practices on cloud policy and IT infrastructure?
“In the cloud organisation we have a competency called Cloud Business Partners (CBPs),” Iyer says. “Their primary goal is to engage with all our stakeholders and understand their vision and strategy, so that we in Cloud Services can organise to better support them and help them meet their goals. The CBPs also drive the cloud initiatives and priorities with teams across geographies and functions.
“Apart from that, we have the architecture, engineering and automation units that provide additional capabilities, services and competencies to support our customer base. We also empower our customers by providing a guided experience on our self-service platform for provisioning all their cloud assets, supported by guidance on cloud-native design patterns and best practices. All this helps make sure that whatever they may build accords with Syngenta's codes and standards.”
Talking about cybersecurity, Iyer states: “Cybersecurity is particularly important in the cloud and compute space. We have to ensure that the assets we manage are always patched for vulnerabilities, and that we stay on top of all the upgrades and new iterations. It's also important that the guardrails around our cloud infrastructure and various account types that we provide our customers are accompanied by the right security controls and policies, while providing them the required levels of flexibility and autonomy. And, of course, MFA-based SSO with role-based access are key to ensure that only authenticated, authorised users have access to the relevant cloud assets.”
Currently, Syngenta’s priority is to optimise the assets in the cloud and modernise legacy applications to embrace cloud-native design patterns, while making sure that all new applications and services that are onboarded to the cloud follow the latest technology trends.
“A key focus area for us in 2023 will be to drive the adoption of Infrastructure-as-code, or IaC, across the enterprise for increased agility and standardised compute deployments.”
But, as Vanja Vlaski is proud to document, this has been a massive and transformative operation that will make life easier for all Syngenta's employees and customers. Just as importantly, it will release funds for product development, boosting R&D to drive better and more sustainable food production in every corner of the globe.