Cybersecurity continues to be an escalating concern for life sciences companies and requires an actionable response. Accenture’s 2021 State of Cybersecurity Resilience survey showed that a majority (84%) of life sciences respondents believe that “staying ahead of attackers is a constant battle and the cost is unsustainable,” compared with 69% in 2020.
Even a global pandemic can’t stop cybercriminals – if anything, the uncertainty of the past two years created a breeding ground for new attacks. In fact, we found that respondents experienced a 32% increase over 2020 in the number of successful cyber attacks, while some types of attacks, such as ransomware, have seen an even higher increase.
This risk is very real in life sciences, given the industry’s heavy reliance on incredibly sensitive data across R&D, manufacturing, commercialization and its increasingly interconnected operations. Given the highly interconnected ecosystem, a disruption in one place can have a cascading effect, impacting the ability to get life-saving therapies to the patient. At the same time, it remains imperative that life sciences companies continue to further evolve into digital organizations that bring sources of digital information and analytics together in order to advance science and improve patient outcomes — but with cybersecurity at the core of everything. The big question is: how?
Understanding Cyber Resilience
Accenture research revealed that organizations that treat cybersecurity as a technical compliance concern rather than as an enabler to innovate are missing out on the benefits of cyber resilience. The cloud specifically still has a complex relationship with security in life sciences — yet over the next three to five years, more than two-thirds of workloads are expected to shift to the cloud, with about one-third of organizations moving more than 75% into the cloud globally, increasing the reliance of life sciences companies on cloud services. Leveraging the cloud and data to help accelerate scientific development is an opportunity that can’t be overlooked—and one that requires CISOs to be deeply involved.
Many life sciences chief information security officers (CISOs) see their role as a clear success factor in fulfilling their organization’s business strategy. 84% agree or strongly agree that the cybersecurity strategy should be developed with business objectives, such as growth or market share, in mind — which requires them to be present in core decision-making moments to ensure resiliency is built into all aspects of the business.
In order to build a cyber resilient organization, it is first important to understand the four different levels of cyber resiliency Accenture research has identified. These levels are the following: The Vulnerable, Business Blockers, Cyber Risk Takers, and Cyber Champions.
Each of these groups reflects a different level of cyber resilience and business strategy alignment. Business Blockers put cybersecurity first over alignment with the business strategy, while Cyber Risk Takers put business strategy first over alignment with cybersecurity. The Vulnerable have security strategies and operations that are the bare minimum.
At the head of the pack are the Cyber Champions—organizations that strike a balance, not only excelling at cyber resiliency, but also aligning with the business strategy to achieve better business outcomes. These organizations are successful in at least three out of four cyber resilience performance criteria—they’re better at stopping attacks, finding and fixing breaches faster and reducing their impact.
It matters where organizations fall within this cyber quadrant, as there is money on the table. Business Blockers stand to reduce their cost of breaches by 48%, Cyber Risk Takers by 65% and The Vulnerable by 71%—if they are able to increase their performance to the level of a Cyber Champion.
Becoming a Cyber Champion
Respondents to our survey reported moving their operations to the cloud because they recognize the benefits such as lower costs, more resilient operations and access to more advanced technology. But a journey to the cloud also offers an opportunity to build an architecture with security built in from the start. This type of architecture may offer more granular control and the opportunity to have standardized protections and monitoring around workloads.
To do all this, CISOs need a seat at the top table. It is critical for CISOs to be brought into the decision-making levels of the organization and move away from any security-focused silos so they can collaborate with other C-suite executives to understand business risks and enable priorities.
By drawing on the experience and insights of the wider leadership team, CISOs can gain a broader perspective that serves the whole business well.
We found that Cyber Champions—those that are best prepared for an incident—set themselves apart in terms of their reporting structures. Around 70% have CISOs that report to the CEO and Board, and they demonstrate a far closer relationship with the CFO—reporting is seven times higher than the other groups.
Cyber Champions also tap into these relationships when it comes to defining the strategy. They consult most with CEOs (51%) and CFOs (49%) when developing their organization’s cybersecurity strategy—almost twice as much as the Business Blockers. Additionally, 90% of Cyber Champions measure the maturity of their cybersecurity program at least annually (or often more frequently)—18% more than the Business Blockers. This shows that Cyber Champions clearly understand the risks while Business Blockers may be blind to them.
By measuring and monitoring their risk profiles and making that data available to leadership, CISOs can better align with the business objectives. As we have seen in our report, organizations that focus solely on business growth are missing out on the benefits of cyber resilience—and there are gains for those organizations that proactively seek out a strong synergistic alignment between security and the business. By aligning cybersecurity efforts with the business strategy, organizations can not only achieve better business outcomes, but also seize an advantage in the race to cyber resilience.