It may be subtle, but over the past year I’ve seen a significant shift in mindset in how IT and cybersecurity leaders think about, evaluate, and deploy technology. Many of us, particularly in larger organizations, have evolved to an approach where we now frame our decisions through a lens of overall business resilience rather than a traditional technology-centric perspective.
When I became a CISO more than a decade ago, the focus was on protection, as in: “How do we protect the network, endpoints, servers, applications?” But the framework and context of what, why and how we protect has changed. Now, it’s about making the organization more agile, efficient and resilient in achieving the most important outcomes for the business.
In my view this is a positive development, linked to the overall maturity of the cybersecurity discipline and our growing role as advocates in the boardroom and the C-suite. The focus on business resilience has been a catalyst for CISOs to think about technology in a new way and implement solutions that embed security at all stages of the application lifecycle. If it were not for the need to accelerate deployments and move at the speed of development, we may not be witnessing the rapid growth of DevSecOps as a best practice in security, or related innovations such as open-source or API-based security.
The Value Chain
The new mindset starts with an understanding of the value chain of the business. In my organization and industry, biopharmaceuticals, there are four elements to the value chain:
- Research and development, i.e., developing new medications and vaccines
- Manufacturing and distribution
- Sales, marketing, pricing and other factors that go into the commercialization of our products
- Direct engagement for ongoing health
With this as a basis, our team has changed how we discuss IT and cybersecurity among ourselves and with our internal stakeholders. Our new mindset is: How do we make the entire ecosystem more resilient? And what are the tools — Zero Trust and XDR are two examples — that are tied to resilience in terms of managing behavior, systems, and security?
This means there are many more factors to consider versus even just a couple of years ago, when our primary focus was still on protecting the technology in our own organization. While some of these new considerations are specific to our industry, they also reflect trends across many industries, especially as supply chains become increasingly digital, distributed, global, interactive, and interconnected.
In our industry, the external ecosystem has shifted. We now have a direct digital experience with physicians and patients, something we weren’t even dreaming of three or four years ago. In the past, our value chain stopped once the doctor wrote the prescription.
The focus of our industry has shifted as well. The mission now revolves around outcome-based medicine. This means a greater emphasis on real-world data and real-world evidence to prove the efficacy of our medicines and measure improvements in the disease state of patients.
Health care has always been very in-person-centric. For good reasons, patients often have to go to a doctor or clinic. Now, engagement with patients doesn’t necessarily have to be in person. With telehealth services, clinicians can see more patients and provide services across a broader geographic area. But as these services grow and become embedded into the foundation of health care, they create incremental challenges and risks in cybersecurity.
New Criteria for Technology
What does all of this mean for how we implement and secure technology?
One of the things we did in our organization was build an API-based security platform for all parts of our business. We have more than 70,000 workers in over 100 countries. That is a lot of therapeutic areas. In the old days, we would have built all the applications independently.
With an API-based platform, however, we have built one solution that allows any part of our business to securely engage directly with doctors or patients. APIs for user creation, update and search are managed by our team and we have implemented clustering from a traditional resilience perspective. API resilience also includes the use of rate limits, negative testing (i.e., intentionally trying to break the API), and API monitoring for abuse. The impact has been spectacular. In just a few months we have had an almost 10-fold increase in usage, from about 150,000 active patients and physicians to more than 1.4 million.
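To make the three API resilience controls above concrete, here is an added illustration (not code from the article or from Takeda's platform): a per-caller sliding-window rate limit on assumed user.create, user.update and user.search endpoints, an abuse monitor over a constructed request log, and a negative test that probes an endpoint the gate does not know. Endpoint names, limits and the sample records are assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60
# Assumed per-minute caps per endpoint; creation is the most sensitive, so it is tightest.
LIMITS = {"user.create": 5, "user.update": 20, "user.search": 30}


class ApiGate:
    def __init__(self):
        self._hits = defaultdict(deque)      # (caller, endpoint) -> recent call timestamps
        self.rejections = defaultdict(int)   # caller -> number of rate-limited calls

    def allow(self, caller, endpoint, ts):
        """Return True if the call is within the caller's window limit for that endpoint."""
        if endpoint not in LIMITS:
            raise ValueError(f"unknown endpoint {endpoint!r}")  # fail closed, never fail open
        q = self._hits[(caller, endpoint)]
        while q and ts - q[0] >= WINDOW_SECONDS:   # drop calls that left the window
            q.popleft()
        if len(q) >= LIMITS[endpoint]:
            self.rejections[caller] += 1
            return False
        q.append(ts)
        return True


def abusive_callers(gate, threshold=10):
    """Abuse monitoring: callers whose rate-limited call count reached the threshold."""
    return sorted(c for c, n in gate.rejections.items() if n >= threshold)


# Constructed request records: (timestamp_seconds, caller, endpoint)
SAMPLE_LOG = [(t, "app-a", "user.search") for t in range(30)]        # 30 searches in 30s: all allowed
SAMPLE_LOG += [(t, "scraper", "user.search") for t in range(45)]     # 45 searches in 45s: 15 rejected
SAMPLE_LOG += [(2 * t, "app-b", "user.create") for t in range(8)]    # 8 creates in 16s: 3 rejected


def replay(log):
    """Replay records in time order; return the gate and each (caller, endpoint, allowed) decision."""
    gate = ApiGate()
    decisions = [(c, e, gate.allow(c, e, ts)) for ts, c, e in sorted(log)]
    return gate, decisions


def negative_test():
    """Negative test: a call to an unknown endpoint must raise, not slip through."""
    try:
        ApiGate().allow("tester", "user.delete_all", 0)
    except ValueError:
        return True
    return False
```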
In this environment, the criteria by which physicians and patients evaluate us are no longer simply about the quality of our products or the service we provide; they are also about their digital experience. The market demands a great, mobile, data-driven digital experience. In fact, the value of digital interactions is becoming primary for many users and customers.
This has a big impact on how we think about technology and security. Keren Elazari, an accomplished hacker and security researcher, believes the entire cybersecurity industry is moving from a protection discipline to a trust discipline. This makes sense: If users can’t trust the digital experience, they won’t use your products or services.
Think Business Resilience
I firmly believe that you can’t adapt to this new mindset and new environment unless you are fully and deeply committed to doing everything in the cloud. None of what is required can be done efficiently or safely in a traditional data center environment. Everything in security must be cloud native. That’s a big technology shift.
In-house development has also become a priority. We are back to developing our own solutions in-house, following a time when off-the-shelf software was very popular. Our needs now are too specific. That is why we are seeing the rise of technologies such as DevSecOps, open-source security, infrastructure as code, and low-code/no-code architectures.
Finally, we are using new metrics. When we procure and manage our security solutions now, we group them in alignment with business deliverables. We are still buying the same technology, but the metrics have changed. We don’t have application security metrics anymore; we have patient engagement metrics.
Business resilience has always been humming in the background. Now it has taken center stage. COVID has been a tremendous impetus for change. For CISOs and other technology leaders, more than ever before it’s about staying at least one step ahead of the new and unexpected.
Mike Towers is the Chief Information Security Officer at Takeda Pharmaceuticals International, Inc. He has received four Information Security Executive of the Year awards within the healthcare industry and is a regular on digital trust, information risk and cybersecurity.