A Guide for CISOs in an Age of Disruption
Executive Summary

Members of the Health-ISAC Community have produced a security framework for the pharmaceutical supply chain comprising this CISO guide, a practitioners’ guide presenting best practices, and recommended cybersecurity standards across the key links in the pharmaceutical industry. Led by Johnson & Johnson and facilitated by KPMG, the cross-institutional team comprises CISOs and subject matter experts from J&J, Pfizer, Cardinal Health, McKesson, Abbott, and Eli Lilly and Company.

Although the pharmaceutical industry was vulnerable to intellectual property (IP) theft before the pandemic, drug manufacturers have certainly moved higher on the list of potential targets of cybercrime. Headline-grabbing COVID-19 vaccines and treatments, as well as lucrative biologics and perennial brand-name drugs, have called attention to pharma companies’ financial reserves as well as their intellectual property.

At the same time, the number of attack vectors has increased exponentially due to (1) the digitization and increased complexity of the pharmaceutical supply chain and (2) industrywide dependence on a growing array of foreign and domestic third-party suppliers and partners with varying degrees of cyber maturity.
These factors and others explored in this paper have made securing the supply chain an organizational imperative. Chief information security officers (CISOs) are earning a much more strategic seat at the table: they are being asked to weigh in on how the business can pursue efficiency, productivity and even growth initiatives without taking unnecessary reputational, financial, or regulatory risks. In other words, CISOs and their teams have shifted from the sidelines to, if not center stage, then at least a key part of the ensemble.

A Unique Role in the Modern Pharmaceutical Organization

All CISOs interviewed for this paper stressed the importance of tying security and technology solutions to the economics of the business.

Today’s pharmaceutical CISO is in a unique position straddling technology and the business. On the one hand, CISOs need to maintain consistent cybersecurity standards and protocols across not only information technology (IT) but also operational technology (OT) and third parties. On the other hand, they need to speak the language of the business so they can present emerging risks in a context that will resonate and serve as a catalyst for support from the leadership team.

Please download to read the full white paper.

Note: Health-ISAC is all about increasing cyber resilience in the healthcare sector. We are interested in disseminating actionable content that is in keeping with security thought leadership. In alignment with this statement, we do not require your email to download original content from our website.