In an exclusive interview with Pharma Tech Outlook, Mark Leary, Chief Information Security Officer at Regeneron Pharmaceuticals, discusses the many ways cybersecurity affects the pharma industry and how CISOs deal with them.
Prior to joining Regeneron Pharmaceuticals, you were the CISO for Xerox Corporation and oversaw the cybersecurity initiatives for various other industry sectors. What prompted your move to the Life Sciences industry?
In my view, there are generally two archetypes of professional CISOs. One type tends to stay in an industry vertical, climbing to higher levels of responsibility based on company size, scope and impact on the organization. The second type is more mobile across industry verticals, sometimes searching for increased scope and impact, or simply interested in the opportunity itself. There is nothing wrong with either type. My personal decision in joining Regeneron was less about the Life Sciences industry vertical and more about the opportunity itself. In my early discussions with Regeneron, it became apparent that Regeneron has a very unique focus and culture in Life Sciences. At the end of the day, it’s all about patient outcomes. And as I learned more about the cybersecurity challenges facing Regeneron, coupled with the leadership’s desire to build a world-class cybersecurity program, the opportunity simply became too attractive to ignore. I felt that I could make a significant contribution in a company that, in turn, impacts the lives of patients that suffer from significant illnesses. I find it personally rewarding to do what I do and be part of making patients’ lives better.
In your opinion, how does cybersecurity differ at an industry level? And as a CISO, how do you accordingly determine your cybersecurity guidelines?
At an industry level, the main cybersecurity influences are regulatory and technology. There are very few industry verticals that don’t have some form of regulatory pressure that articulates information security and/or privacy requirements. All public companies have Sarbanes-Oxley requirements to adhere to; pharmaceutical manufacturers need to meet Federal Drug Administration requirements; healthcare organizations that have some relationship with insurance payer-providers must address HIPAA; and the list goes on. So, regulated industry requirements definitely influence our framework, standards and guidelines. The second influence is technology, and more specifically, threats to our technology. This second influence is much more fluid, as the rate of technology adoption often incurs a new set of threats to the technology and the business it supports. Cybersecurity programs must be very agile and responsive to a changing threat landscape. At Regeneron, we have tailored our program to the NIST Cybersecurity Framework as a reference model and constantly evaluate our risk profile against it. Any adjustments to our framework, standards and guidelines due to new threats or risks are constantly evaluated for conformance, appropriateness and effectiveness based on these new influences. Our adoption is not unique; many companies have moved in this direction.
With pharmaceutical and biotechnology companies moving toward digitalization, what are the new cybersecurity threats they face? Also, do the security measures have to change according to the drug development stage?
Many companies, industry nonspecific, face new challenges in the trend of digitization and borderless business. As data moves beyond the traditional datacenter, the threat profile changes, requiring re-evaluation of our data protection controls. What I didn’t appreciate about the Life Sciences industry and digitization is the rapidly increasing reliance on third parties and the resultant third-party risk. At a high level, the Life Sciences value chain extends from early stage research, drug development, clinical testing, medical filings and manufacture to commercial distribution. The sheer number of third parties engaged throughout the value chain—CROs, CDMOs, laboratories, universities—opens the company up to significant risk if intellectual property or patient data is compromised. To deal with this risk, contractual, technical and process controls are now necessary, where they were not beforehand. For example, three key contractual controls du jour describe data protection requirements, expectations on inspection/auditing against the requirements, and identifying liability limits if disclosure occurs. Joint processes should be developed in the event of a data disclosure, such as who is responsible for incident response and public notification. Technical controls around business-to-business connectivity and data transfer should be addressed. Lastly, cybersecurity insurance has been another area to revisit to ensure a worst-case event may be covered through risk transference.
Is it fair to say that biotech and pharma companies are desirable targets for hackers due to the value of the intellectual property? Or are there other reasons for a hacker to target Life Sciences?
Intellectual property is certainly the lifeblood of businesses in the life sciences industry; the intrinsic value of the research and development may represent $USD billions of investment and future revenue. So, we are naturally focused on preventing accidental or malicious data loss of our intellectual property. However, we are just as focused on the same universal cybersecurity risks that any company faces—mainly the loss of employee data or financial data. Hackers continue to target employee information with the goal of monetizing their personal data through fraud and likewise, to use business email to trick financial staff into fraudulent wire transfers. To combat these situations, we are heavily focused on employee awareness and training to identify and report if they suspect this type of activity.
For years, the pharma industry has lagged behind in the cybersecurity aspect when compared to other industries. What would it take for this popular perception to change?
I’ve observed changes for the better in the Life Sciences, particularly pharma, over the past 2-3 years. The way I measure change is Board attention and company investment. Fortunately, I’ve interacted with board members across many industry verticals and would assess the current level of our Board focus and concern as equal to any other industry. I’ve spoken with several peers in the industry and they would most likely make the same comment. So that’s a positive change. And with increased board attention, the investment in cybersecurity funding and headcount increases. This investment allows the CISO to implement cybersecurity capabilities necessary to protect the business, as well as attract, recruit and hire qualified professionals, even if they are scarce.
"The intrinsic value of the research and development may represent billions of USD investment and future revenue"
I’ve also participated in numerous Life Sciences cybersecurity events, focus groups and information sharing forums where I’ve been pleasantly surprised by the degree of maturity in strategy, thought and purpose. But what I don’t think we do well as leaders in this industry is marketing our thought leadership, innovation or successes as well as we should. Many CISOs in the Financial Services, Aerospace and Defense Contracting industries have learned to take a public position, demonstrate some thought leadership, and share some experiences outside their community. As an example, our Regeneron team created a new novel solution called “Cyber_Immune” using Robotic Process Automation, Machine Learning and Orchestration to automatically, without human intervention, identify and resolve malware attacks. The team was nominated and recognized with several regional, national and global awards for their innovation and success. Being recognized for the successes and achievements, and marketing them internally in our community and beyond, will change the perception of Life Sciences lagging behind other industries.
What advice would you offer to young cybersecurity specialists?
My advice to any cybersecurity professional is, “Be the very best at what you do, but don’t forget to work toward the job you don’t have.” What that means is to focus on the necessary skills, competencies and experiences in order to excel at the job at hand. By simply excelling at the current role, the professional will be identified as high potential by their manager and others. But the professional should not ignore thinking through the next step of his or her career, and even the next step afterwards, and lay out a personal roadmap. This initial roadmap can be further refined with the help of their manager, coach or mentor leader, who may also support their personal development plan and opportunities via training, education or even stretch positions. So, excel, be noticed, look for opportunities, and engage with a mentor/coach. The rest will come.