On April 11, I attended the NC Tech Talk Live panel discussion on Cybersecurity Metrics in the very impressive WeWork office facility in Durham, NC. Panelists included Brian Wilson (CISO, SAS), James Lemond (Security Solutions Architect, CenturyLink), Jay Kenley (Identity and Access Management Manager, BlueCross NC), and Paven Reddy (Partner Strategy and Architecture, Zscaler). I’d like to thank NC Tech and the panelists for an engaging and informative dialogue about cybersecurity readiness, a very critical topic facing companies today. In this post, we’ll recap the key themes from the session and apply them to highlight the impacts on pre-commercial life sciences companies.
Some of the key themes discussed on cybersecurity readiness metrics included their importance in securing and justifying budgets and resources, making the right investment decisions, and ensuring the right mix of skills within cybersecurity departments and the business. The panel also discussed the importance of assessing against a recognized framework such as NIST’s, involving a broad group of executives in awareness training and incident response exercises, and being able to quantify the impact of various kinds of threats (e.g., loss of productivity, loss of operational capability, impact on customers, impact on brand).
One of the points that really resonated with the audience was that in today’s environment there is no longer “internal” versus “external” security. Your defenses will be breached, whether this is a phishing scam, an employee knowingly or unknowingly exposing data, or a straight-up external agent with malicious intent. Your challenge is to have the people, skills, tools, and relationships to react appropriately and with confidence.
In applying these concepts to pre-commercial life-sciences companies, here are a few points to consider:
- It’s not one-size-fits-all. There are appropriate levels of risk and control based on the stage your company is in. Once you have a compound in Phase 1, and certainly in Phase 2, you have “grown up” to the point where securing your environment requires additional focus and investment.
- Have a plan. At a minimum you need a vulnerability management strategy, an identity management strategy, a patch management strategy, cyber-awareness training, and an incident response plan that has been exercised with both business and IT personnel.
- Treat cybersecurity as a program, not an event. You need to conduct an assessment against one of the several available industry-standard frameworks so that you can establish a baseline and identify gaps. These gaps, in turn, justify the actions you need to take over time. You will want to take steps related to governance, policy, employees and users, networks, hosts, applications, and data. These are not one-time actions; they must be managed and monitored on an ongoing basis to ensure success.
Finally, do not be afraid to identify and articulate weaknesses to your executive team and your board. They want to know that someone who is realistic, and who knows what they are doing, is minding the store. It is unrealistic today to think you will have no weaknesses in the defenses around your electronic assets. The trick is to identify which weaknesses need to be addressed and how, and then to get started. One thing is certain: waiting is a bad idea.
If you would like to talk to Clarkston about helping you conduct a two-week cybersecurity assessment that gets you confidently on the path forward to cybersecurity readiness, please contact Joe D’Ambrosio at firstname.lastname@example.org.