Technological innovations have provided pharmaceutical companies with data sharing, real-time information and an unprecedented level of supply chain visibility. However, the ever-changing nature of their supply chains can leave companies vulnerable to theft and emerging cyber risks. Protecting data should be a top priority, yet integrating cybersecurity with business strategy is often not given adequate consideration. According to Christopher Callahan, Chief Information Security Officer at Weichert Companies and former Novartis Director, Global IT Risk & Compliance, Cyber Security Operations: “Security is thought of as an IT problem, a tech problem, not a business level problem.”
While Chris suggests that may be changing, the pharmaceutical industry’s approach to cybersecurity has not always been consistent. Sometimes board-level engagement has been prompted by breaches at other pharmaceutical companies. However, the general misconception as to where responsibility lies hampers organizations when it comes to measuring their cybersecurity risk.
To begin to assess the cybersecurity risk, it’s important to be able to see where the vital intersections are. Simon Roach, Head of Transformation and Operations at eClinicalHealth Ltd, and former CIO of Global Pharmaceuticals R&D for GSK, is now a Management Consultant. He explains where to look: “Verticals – like people, investment, resources,” he says. “The value chain runs horizontally through research, development, manufacturing, distribution, sales, and so on. [Cybersecurity] success means thinking horizontally, paying attention to interface points on the horizontal axis.” As in many natural systems, the interfaces between organizations are often the weak links – the fault lines that are most easily attacked.
With so many possible areas of exposure or risk, and digital transformation driving the pharmaceutical industry forward at such a rapid pace, protecting day-to-day operations requires even greater focus and attention. Board members are looking after the overall success of the company, and most have a focus on certain specific areas of responsibility, so it is perhaps understandable that cybersecurity seems like a technical issue and is not always a top priority. However, to truly fulfill their duty of oversight, the board needs to think holistically about security.
The need for this holistic perspective is best illustrated by collaboration both within and outside the organization. There is little doubt about the benefits of collaboration in the pharmaceutical industry, but there is also the realization that it opens the business up to more attacks. These weak points are not just an issue for a specific board member or area of the business, but for the entire value chain.
It is imperative that preventative measures be designed proactively. The perfect balance to strike with security is between being proactive and reactive. Where security is integrated and automated in the value chain, it gives pharmaceutical companies greater visibility into what is happening to them in the present, and also better prepares them for the future.
While security protects against loss, it can also provide added value. When members of the board shift their thinking to see how security can also be an enabler, it helps them insist that the organization strike the right holistic balance in its security approach. Identifying the value of the risk can often be a great motivator for reviewing security more holistically. Take the example of a production facility and the investments it entails: it may cost one hundred million dollars to build, and $20 million to operate each year. This is an investment that can be easily valued and viewed on a balance sheet.
Now, try that with data and it’s not so easy. Data is an intangible asset. However, it can and should be quantified. The value of that data and the surrounding processes helps boards reappraise where the investment in security should be. It’s not just in the processes that the board should look for value – it’s also in what is provided by the data flowing between each of the points of the value chain. It powers collaboration, it inspires innovation, and it empowers employees to drive the business forward. Strength, confidence, and security in the value chain do not just protect data; they enable its use. It is this value – the value of the use of data to the business – that is important.
For a Chief Information Security Officer (CISO), recognizing and understanding the risks, threats and solutions is one thing, but explaining them to the rest of the executive team and to the board is another. Chris makes the point that on the board there is one quality that is key: “leadership is understanding all of the pieces.”
Equally fundamental to explaining a more holistic view of security is laying out the threats and risks to individual elements of the value chain, as well as demonstrating how those affect the greater business strategy.
It is natural to apply protection to key areas of the value chain once its true value is recognized and understood. However, as Simon warns: “technology and security mustn’t be allowed to get in the way of sharing.”
Sharing and collaborating, enabled by well-thought-out security, leads to the growth board members want to see: “If you make it difficult to access, analyze and utilize information because of security controls, you destroy its value.”
CISOs are the overseers empowered to drive this agenda. Simon suggests that a CISO should lead a group: “you need to have some sort of board or committee, to oversee, guide, direct, and steer investments that are necessary to reduce risk.” In part, this is to align the security approach to the business strategy, but also so they can contribute to the 360-degree view required to drive the holistic implementation of a security strategy.
Security is not just about protecting the value chain. It’s about enabling the value chain, and the wider business, to grow and develop.