Global Information Security Survey A life sciences perspective


Welcome to the life sciences perspective on the results from Creating trust in the digital world: EY’s Global Information Security Survey 2015, an investigation of the most important cybersecurity issues facing businesses today.

Introduction

Following the completion of our latest survey, we decided to take a closer look at the data for the life sciences sector — a sector that is undergoing big disruptive and transformational changes as a result of advances in digital technology. What we found is a mixture of good news and bad.

On the positive side, life sciences companies clearly have many of the right ideas about developing their cybersecurity. And they are making genuine progress in how they respond to today’s cyber threats and attacks. In particular, their security operations centers (SOCs), which monitor and respond to threats, have a high level of maturity in information technology (IT) terms.

But this focus on IT is actually the flaw in many life sciences organizations’ cybersecurity. With SOCs still firmly located within IT, cybersecurity will most likely be too concerned with technology and have too little understanding of, and alignment with, the needs of the business as a whole. Only by getting closer to the business will life sciences cybersecurity be in a position to enable the big digital changes going on within the sector, such as the move to payment by outcomes.

To help life sciences companies understand how we believe they need to refashion their cybersecurity function, we have created two options. One details the ideal approach, which allows cybersecurity to break free of IT. The other provides a way for the information security function to get a little closer to the business, without the need for a more fundamental reorganization.

A mixed picture for life sciences cybersecurity

About this study

This study features inputs from 36 life sciences companies from across the globe. It draws insights from the main Global Information Security Survey (GISS) report, which featured responses from 1,755 organizations across 25 industry sectors.

We believe that this study is a useful tool for those seeking to understand the state of cybersecurity in the sector. And we hope that it will serve as a starting point for discussions within life sciences organizations, helping them to better understand the nature and scope of the changes they should be making.

For further details about how to build the active cybersecurity your business needs, please refer to the full text of Creating trust in the digital world. Or, of course, you could get in touch with us here at EY.

Trapped in IT: the failings in life sciences cybersecurity

Most life sciences cybersecurity functions remain firmly embedded in IT, which is understandable given that this is where cybersecurity has its origins. But over the last decade, the rapid rise of digital connections between businesses, customers, suppliers and other stakeholders has meant that cybersecurity must now be understood as a priority for the whole organization. Being isolated within IT leaves cybersecurity facing a number of serious shortcomings.

A lack of understanding

Cybersecurity functions located within IT will most likely be too focused on the needs of IT rather than on those of the business as a whole. They will lack sufficient alignment with the organization’s business strategy and risk strategy. And as a result, resources will not be focused on protecting what is most valuable to the business or on enabling the business to succeed with its most important initiatives.

Being located within IT also makes it more difficult for the cybersecurity function to truly understand the needs of the business. This reduces the ability of the function to prepare for new developments within the business and to accurately assess, and then address, the organization’s vulnerabilities.

In our survey, far more life sciences respondents say that their cybersecurity strategy aligns with the organization’s IT strategy than say it aligns with their organization’s business strategy. This is a serious shortcoming, and cybersecurity’s alignment with the business is an area in which life sciences lags behind other sectors.

None of the life sciences respondents to our survey believe that their cybersecurity fully meets their organization’s needs.

Seventy-five percent of life sciences respondents say that their cybersecurity strategy aligns with the organization’s IT strategy. Only 39% say that their cybersecurity strategy is aligned with the organization’s business strategy.


Every new technology carries its own risks, but 61% of life sciences organizations still do not have a cybersecurity role or department that focuses on emerging technology.

The SOC should be the first to know about any incidents, but 65% of life sciences organizations report that they had a significant cyber incident that was not first picked up by their security operations center.

The Internet of Things (IoT) — which is crucial to payment by outcomes — will create a huge increase in the number of access points to a life sciences company’s systems. But 72% of the life sciences organizations we surveyed do not yet recognize that this presents a serious cybersecurity challenge.

How cybersecurity can help build digital channels

To improve interactions with patients/consumers, payers and providers, life sciences companies need to build better digital channels, such as connected monitors, apps and web portals. And, at each stage of the design and development of new channels, cybersecurity requirements must be met.

Digital channels are there to help companies build relationships and access people’s data. So they need to be secure from the start to maintain trust. This means that cybersecurity cannot only be called in to check projects once they are complete. Rather, from initial concept to launch, cybersecurity needs to be built in. But for this to happen, the cybersecurity function must be close enough to the business to understand and enable what it is the business is trying to achieve.

How cybersecurity can help the business handle its data

For each life sciences company, the success of payment by outcomes will largely be determined by how well the company gathers and analyzes the data it generates from patients/consumers, payers and providers. But with the rise of health monitoring devices, social media and other digital channels, the risk is that this data will become an unmanageable flood.

To stop this from happening, organizations must have a data security strategy. They must make sure that incoming data is classified as to its value and sensitivity, and then dealt with appropriately and cost-effectively — whether that involves obfuscating personal data or using the full strength of the organization’s cybersecurity resources to secure data crucial to the future of the business. But for data classification and data management to be carried out successfully, the cybersecurity function must be close enough to the business to understand its strategy and to recognize the value of different data to that strategy.

How cybersecurity can help companies keep their competitive advantage

Intellectual property (IP), the data that is processed, the insights generated from it and the advances those insights help produce are all at the heart of most life sciences companies and are only going to become more important for them in the future. Unfortunately, however, digital technology has made IP easier to steal than ever before.

In order to secure the future of the business, cybersecurity must protect the most important IP, the “crown jewels” of the organization. But to do this, the cybersecurity function must be close enough to the business to know what that IP data is and where it is stored, crucial knowledge that many businesses lack.

A lack of influence

In organizations where cybersecurity expertise is kept within IT, there will be few representatives able to go out to support the business in its new digital initiatives. This will limit the influence of the cybersecurity function on how those initiatives are executed and will, as a result, increase the level of unnecessary risk new initiatives create.

Ultimately, the aim should be for cybersecurity to act as a digital enabler — it should be a function that helps the organization to experiment and innovate safely and securely. But for this to happen, the cybersecurity function needs to be close to the business and be visible in helping the business. Otherwise, other functions will simply bypass cybersecurity when pursuing their digital agendas, leaving their initiatives far more vulnerable to possible attack.

A lack of awareness

Beyond the risks it creates for new or unfamiliar activities, cybersecurity’s isolation in IT also damages its current effectiveness. Located within IT, cybersecurity will tend to place too much emphasis on technology and will miss the other dimensions of today’s sophisticated cyber attacks: people and processes. If a sophisticated multichannel attack is only detected once it has an impact on the organization’s technology, rather than when unexplained variations are seen in day-to-day business processes or when employees have noted suspicious incidents, then the cybersecurity function will have less time to respond to the attack or to avert it. And the result will be more damage done to the organization.

The digital future of life sciences — payment by outcomes

Digital can help life sciences companies improve their services and maximize their revenues. One way it can do this is by allowing them to move to payment by outcomes, a more patient-centric approach that focuses on increasing the value of treatments rather than on simply providing pills. To adopt this approach, life sciences companies will need to broaden their services and better connect with payers, providers and, in particular, patients/consumers — in order to monitor and influence their lifestyles and to maximize the benefit of treatments. And to achieve this will require an increased focus on digital channels, data and analytics, and exploiting intellectual property (IP).

Only 6% of life sciences organizations report that the SOC regularly meets with the heads of business operations units to understand their concerns and risks.


Moving toward a closer alignment

To survive, life sciences companies must innovate. So cybersecurity must become a business enabler — a function that, instead of saying “no” to new activities, says “yes, and this is how you can do it securely.” To achieve this, however, the cybersecurity function needs to get far closer to the business.

Below, we have provided two options to help organizations build that connection between cybersecurity and the business. The first is the ideal approach, which is the one that we would recommend. But for those organizations that are not yet prepared to make such big changes, we have created a second option — one that increases cybersecurity’s connections with the business while leaving the cybersecurity function itself still within IT.

Forty-two percent of the life sciences organizations we surveyed said that cyber attacks to steal intellectual property or data had been a factor with a high or very high impact on increasing their risk exposure in the last 12 months.

Three-quarters of life sciences companies we surveyed are either currently using big data or have plans to use it.

Option 1: Relocate the cybersecurity function outside of IT.

• Amend the governance structure and reporting lines, so that the chief information security officer reports to a board member.

• Identify cybersecurity key performance indicators (KPIs) for regular board reporting.

• Extend the focus of the SOC to cover people and processes.

• Align the cybersecurity strategy with the business strategy.

• Establish regular meetings between cybersecurity leadership and business representatives, to help the cybersecurity function understand the needs of the business.

Option 2: The next-best thing — cybersecurity remains in IT, but builds stronger ties with the business.

• Align the cybersecurity strategy with the business strategy.

• Identify suitable representatives in the business to act as key interfaces.

• Create cybersecurity initiatives to meet the needs of the business.

• Keep existing reporting lines, but introduce a “dotted line” to a board member.

• Establish regular meetings between cybersecurity leadership and business representatives, to help the cybersecurity function understand the needs of the business.

Only 19% of life sciences cybersecurity functions report to their organization’s top governing structure on the alignment between the business and cybersecurity.


How the biggest life sciences companies lead the rest of the sector

Our sample of life sciences companies included some of the largest businesses in the sector. And we discovered that those very large businesses are far more mature in their cybersecurity and their response to cyber threats than the other businesses in the sector.

How the very largest life sciences companies lead the sector as a whole

• All the largest life sciences companies have a threat intelligence program, which helps them to understand, and adapt to, the changing threat landscape. Only 47% of the organizations in the sector sample have such a program.

• All of the largest life sciences companies have a vulnerability identification program, which helps them to spot vulnerabilities before the cybercriminals do. Only 36% of the organizations in the life sciences sector sample as a whole have one.

• All of the largest life sciences companies have an incident response program to help them identify when an attack has occurred and how to coordinate their response. Only 25% of all the life sciences organizations we surveyed have one.

• All of the largest life sciences companies have a breach detection program because breaches of security are inevitable, and early detection is crucial in limiting their impact. This compares with just 19% for the life sciences sector sample as a whole.

• All of the largest life sciences companies have an identity and access management program to make sure that only the right users have access to the information they need. Only 24% of the life sciences organizations we surveyed have such a program.

• All of the largest life sciences companies have a focus on privacy by design, making sure that privacy issues are considered from the very start of new initiatives. This compares with 17% among the life sciences sector sample as a whole.

How life sciences cybersecurity can become an enabler of innovation

To achieve future growth, life sciences organizations must innovate. New digital technologies — such as mobile, social media, the cloud and the IoT — can enable life sciences organizations to greatly increase their connections with patients/consumers, payers, providers, suppliers and employees. However, while greater connectivity offers huge opportunities, it also creates new risks. To address these risks will demand a broadening of the scope of cybersecurity beyond its traditional IT focus to include the organization’s people, processes and all of its many activities.

To obtain this broader cybersecurity, life sciences organizations must bring the cybersecurity function closer to the business. Only by achieving this will they be able to close the gap between their need to innovate and their ability to make innovations secure. With the emergence of new digital technologies and the growing sophistication of cybercriminals, this gap will only increase for organizations that do not enhance their cybersecurity. Embedding cybersecurity into the business is an area in which life sciences organizations can learn a great deal from the largest organizations in their sector and from organizations in other sectors.

Changes to the role of the cybersecurity function are crucial, but there is also much that those in cybersecurity can do to get closer to the business. They need to build connections with people in the business so that when a new product or process is being developed, those involved know exactly who can guide them on the right cybersecurity steps to take. And the cybersecurity function also needs to find sponsors in the business so that the voice of cybersecurity can be heard at the highest levels.

By making these changes and by working together more closely, life sciences organizations and their cybersecurity functions will be able to start building the more active and effective cybersecurity they need — cybersecurity that can enable the organization to experiment and innovate in the digital world, successfully and securely.

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

How EY’s Global Life Sciences Sector can help your business

Life sciences companies — from emerging start-ups to multinational enterprises — face new challenges in a rapidly changing health care ecosystem. Payers and regulators are increasing scrutiny and accelerating the transition to value and outcomes. Big data and patient-empowering technologies are driving new approaches and enabling transparency and consumerism. Players from other sectors are entering health care, making collaborations increasingly complex. These trends challenge every aspect of the life sciences business model, from R&D to marketing. Our Global Life Sciences Sector brings together a worldwide network — more than 7,000 sector-focused assurance, tax, transaction and advisory professionals — to anticipate trends, identify their implications and develop points of view on responding to critical issues. We can help you navigate your way forward and achieve success in the new ecosystem.

© 2016 EYGM Limited. All Rights Reserved.

EYG no. FN0251


This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

The views of third parties set out in this publication are not necessarily the views of the global EY organization or its member firms. Moreover, they should be seen in the context of the time they were made.

Want to learn more?

Global Information Security Survey: ey.com/giss

Cybersecurity and the Internet of Things: ey.com/IoT

Cyber threat intelligence — how to get ahead of cybercrime: ey.com/cti