This was the nagging concern of Andreas Wuchner, Novartis AG's head of global IT security.
"You have to prove that you have done risk management on an ongoing basis--to show that you do your patch management, that you actively manage the security situation," Wuchner says. "[Two years ago,] we could not necessarily show that."
Uncertainty over Novartis' security posture was a function of isolation; security had limited visibility into remote locations operating in more than 140 countries. Some were keen on security, while others with fewer resources focused their priorities elsewhere. Baseline security policies were nearly impossible to enforce. Meanwhile, mandates outlined in Basel II, HIPAA and SOX were clearly not going away.
If they were going to survive an audit, the fiefdoms in the giant pharmaceutical's kingdom had to be dissolved.
That was more than 18 months ago. Since then, Novartis AG has hopped on the fast track toward aggressive security management, beginning with a high-level risk assessment and ending with an overhaul of the company's security policies and frameworks, and the development of centralized management systems.
Anxiety Attacks
Novartis manufactures prescription drugs used to treat cancer, cardiovascular
Requires Free Membership to View
SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!
Michael S. Mimoso, Editorial Director
disorders and nervous system malfunctions. The company also owns a consumer health division that manufactures Ex-Lax, Maalox, Theraflu and Gerber baby products. In 2004, Novartis' global sales reached $28.2 billion. Not only does it share data with business partners and service providers, the company has reams of intellectual property that needs to remain confidential yet selectively accessible.
Before Wuchner and Manfred Schreck, the head of group information security at Novartis, could pursue a centralized management system, they had to identify and prioritize the systems and information most at risk. Less formal risk assessments had been conducted every two years since the company was formed in 1996, but in 2004 a top-level assessment helped the pharmaceutical company turn the corner.
"There had been a lot of changes [since 1996], yet we were still living with our old information security policy and framework," Schreck said. "We had never looked at the overall change to the company's risk exposure."
Consultants interviewed three dozen top Novartis managers--including C-level executives, attorneys and IT managers in the U.S. and Europe--to assess current and future risks to information, which systems should be prioritized and what business processes were potentially at risk. According to Schreck, mobile devices were deemed the top emerging threat.
This shift from tactical to strategic thinking is something many enterprises strive for.
"Novartis' company-wide risk management reflects a far-reaching change in the role of the security manager, from firefighter to prevention professional," says Michael Rasmussen, VP of enterprise risk and compliance management research at Forrester Research.
Resource constraints and regulatory pressures are forcing companies to make business distinctions in their security decisions. Undergoing a risk assessment analysis, rather than just looking at a laundry list of system capabilities, is a wise decision, Rasmussen says.
"In the emerging model, the security manager must do just what Novartis has tried to do here: set the risk in a business context," Rasmussen says.
The fix begins at the policy level with rules that spell out, for example, the obligation of outside entities in an outsourcing arrangement to conform to internal security guidelines. Novartis makes this a contract requirement.
Schreck relies on checklists, too. He comes to a business partnership negotiation armed with a defined set of security questions and requirements, including internal audit-process requirements and a clear understanding of how information will be treated at the termination of a contract.
These diverse initiatives take their cue from a single baseline security policy that spells out the fundamental requirements for any IT implementation.
This was first published in December 2005