Predicting future threats by approaching CyberSecurity from all angles

Posted 15th April 2019 by Joshua Sewell
Merck, Sharp & Dohme operates a hub model with IT hubs in the US, Czech Republic, and Singapore.
All operations and important functions of IT are distributed within those three hubs. This ensures not only that we follow the standard model but also regional presence and cooperation with the sites in any region.
A regional hub in a global company
I’m part of the leadership team for the EMEA hub and for the IT risk management and security globally. At the Prague hub, we have representatives of all the functions for IT risk management and security. There are teams focussing on governance and policies, incident response, an access management team and also a security engineering team.
I’m responsible for the function of this hub, and I also have the responsibility to be the compliance lead for the EMEA region. I am responsible for being in touch with local businesses, mainly with the local IT leads in the country. This is to ensure that they have the guidance they need, that they can follow the IT risk management policies, and that we deliver them the service and security that the company needs.
There is a real diversity of working cultures across the organisation. People are very willing to co-operate even though there might be different interpretations, approaches, and working styles. In Czechia for example, we have 72 nationalities working, and so it is a very interesting and attractive international environment.
Responding to a major cyber incident
Two years ago, we were hit by major cyber attacks. After the recovery of all of our systems, we launched a global program, focusing on improving our security posture in all areas.
It isn’t simply an IT program; it’s a general company program with all company divisions participating and co-operating. It’s a 2-3 year program and we are currently in the second year of execution, which is one of the most challenging phases. Then there are European regulatory and compliance laws such as GDPR and Russian localisation laws to bear in mind at the same time.
The key feature of this program is that we are approaching cybersecurity improvement from all angles. This means we are thinking through all the following:
- Resources: what tools, data and personnel do we need to meet and maintain high security standards?
- Endpoint protection: how can we identify and manage users’ computers across the corporation’s network?
- Identity and access management: how should networks be accessed and to what extent should access be granted? This means applying the principle of least privilege.
- Risk management: how will we enable our policies to connect with risk management and adaptive risk management?
- Asset management: this is the fundamental aspect, as we cannot improve security unless we also improve what we have from the asset perspective.
Maintaining and exceeding baseline security
The sustainability of the program is vitally important, as well as our ability to cope with potential future threats. It’s important that, once we reach the goal set from the beginning, we both maintain that level of security and are able to look forward and imagine possible future threats. We now have a baseline of security which we are perpetually working to maintain, and in addition, we are steadily working towards developing the capability to indefinitely conceive of potential threats and respond accordingly before they become serious.
Eva Tělecká is Director of IT Risk Management & Security at Merck, Sharp & Dohme. She will be giving a presentation at CybSec & Blockchain Health.
At CybSec & Blockchain Health you will hear experts from international healthcare organisations, academia, and companies at the leading edge of technological solutions. Download the agenda and find out more.