5 questions every biotech CISO should ask software providers
“How would you vet software providers if you were in my shoes?” — this is a question biotech CIOs and CISOs often ask me. When selecting software vendors, biotechs aren’t making their decisions based solely on features. They’re choosing partners that will also help them minimize security and regulatory risks, partners that they can count on for the long haul.
Security, compliance, and privacy have always been priorities for biotechs, but in recent years, treating data as a strategic asset has become more crucial than ever. As scientific techniques and R&D processes have gotten more complex, the amount of data generated has massively increased, and data has become a biotech’s lifeblood. Software vendors need to be a trusted partner in building a secure environment for biotech data.
Here’s my list of five questions that a biotech CIO or CISO should ask a software vendor. These act as a litmus test to see if it is even worth putting the vendor through a full-blown security evaluation.
1. Which industry standards and compliance frameworks does your organization follow?
Right off the bat, this will indicate three things:
Does the company prioritize and invest in security?
Does the company uphold a baseline level of good security practices?
Is the company’s security externally validated?
Modern software should meet the strictest regulatory requirements globally. Check whether the company is currently certified against or compliant with the following standards and regulations: ISO 27001, AICPA SOC 2 (with a current SOC 2 Type 2 report), and GDPR. A modern software company should also be able to explain how it aligns its program with common security frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
2. Can we audit your security practices? Can we perform a penetration test?
It’s one thing to say your software is secure, but it’s another thing to open your doors to customers’ penetration testing, security assessments, and security audits. If a software vendor isn’t willing to be transparent here and let customers verify the security of its product and company, that vendor isn’t confident in its own security.
Trust, but verify. All of the best cloud providers and software companies will readily welcome their customers to test, assess, and audit. Modern software providers undergo more testing, assessments, and audits than their customers usually do. A CISO can get a higher degree of security assurance if a software vendor is open and transparent.
3. Tell me about your security teams.
Another harbinger of an organization’s security chops — the team they keep. The software vendor should be able to talk about the structure of their security team and the various sub-teams within their security organization. The teams should be staffed with full-time, dedicated security personnel. For example, most modern software vendors will have separate product security, incident response, and cloud security teams. They’ll do this because those security disciplines are highly specialized, and the teams are usually made up of individuals who have spent their entire careers in that specialty.
If a software vendor only has one or two people working on security, or they claim that all of their IT team members are security experts, consider this a red flag. Real security takes significant, sustained investment each year, larger numbers of dedicated teams and personnel, specialized knowledge, and engineering rigor. A company won’t hit that bar with only one or two people doing security.
4. Do you understand biotech and our IT dilemma?
Many software vendors are relatively new to the biotech space. Are they thinking through the challenges that biotechs are facing, and will they be a good partner in this specialized domain?
Biotech organizations generate revenue based on intellectual property, and if compromised, a great deal of revenue stands to be lost. Biotechs are also highly regulated due to the potential human impact of their products, and complying with regulations can make or break the organization's ability to compete. Layer into the mix that most biotechs are in the midst of a digital transformation, swapping legacy IT infrastructure for modern technology stacks to handle the data and automation needs of modern labs. Biotechs are also exposed to active, advanced security threats. A good software partner knows these challenges, and knows how to help.
For example, most legacy on-premises technology providers will issue security patches once a year, maybe twice a year at best, and they leave vulnerability management entirely up to their customers. That approach is woefully inadequate when it comes to protecting a biotech company and its data. Modern cloud software providers, on the other hand, run routine automated vulnerability scanning and hold themselves to tight timelines for patching any identified vulnerabilities. They understand that the security of their customers’ data is also their responsibility. A modern cloud and software company should be a security partner, not just a software vendor.
5. Do you provide privacy and security capabilities as good as or better than what we already have?
Part of what any CISO (and CXO) should be looking for when choosing a software partner is a net gain in terms of security and privacy capabilities. By working with modern cloud companies, CISOs can benefit from an economy of scale on security. In other words, they can take advantage of the material investments in security that cloud providers have made and continue to make. When assessing a software vendor, it should be readily apparent that:
They invest more in security than their customers do year over year,
They have larger numbers of dedicated security personnel (actual security engineers, security analysts, security incident response teams),
They can explain in detail and give examples on how security is both embedded in their software development life cycle and is part of the actual value proposition they are offering to customers,
They can explain in detail and transparently give examples on how they perform threat detection and incident response,
They have more robust and automated vulnerability management capabilities,
They can explain in detail and transparently give examples on their endpoint protection strategy, identity and access management, security training programmes, etc.
They are very transparent about not just compliance, but also actual security performance (i.e. ask them about their SLA performance, ask them how they handled specific vulnerabilities, ask them how they handled their last security alerts),
They welcome their customers to audit them, perform penetration tests against them, etc., in addition to hiring independent third parties to do so, and
They readily share reports with their customers from independent third-party penetration tests and audits (for example, SOC 2 Type 2, ISO 27001, and annual penetration test reports).
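Two of the points above, the tight patching timelines in question 4 and the request for actual SLA performance in question 5, can be checked against evidence rather than taken on faith. The script below is an added example for this post, not Benchling's tooling: it takes a vendor-supplied remediation log (one row per finding with its severity, discovery date, and fix date, blank if still open) and scores how often fixes landed inside a severity-based SLA. The SLA thresholds, the column names, and the sample log are constructed assumptions; substitute the timelines from your own contract and the vendor's real export.

```python
"""Vendor patch-SLA scorecard.

Added example for this post; it is not Benchling's own tooling. It takes a
vendor-supplied remediation log (one row per finding: id, severity, date
discovered, date fixed or blank if still open) and reports how often fixes
landed inside the severity-based SLA the customer expects. The SLA thresholds
and the sample log below are constructed assumptions for illustration.
"""
import csv
from dataclasses import dataclass
from datetime import date
from io import StringIO
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed SLA: maximum calendar days from discovery to fix, by severity.
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str
    discovered: date
    fixed: Optional[date]  # None means the finding is still open


def parse_log(csv_text: str) -> List[Finding]:
    """Parse a CSV export with columns id,severity,discovered,fixed (ISO dates)."""
    findings = []
    for row in csv.DictReader(StringIO(csv_text)):
        sev = row["severity"].strip().lower()
        if sev not in SLA_DAYS:
            raise ValueError(f"unknown severity {row['severity']!r} on {row['id']}")
        fixed = row["fixed"].strip()
        findings.append(Finding(
            row["id"].strip(), sev,
            date.fromisoformat(row["discovered"].strip()),
            date.fromisoformat(fixed) if fixed else None,
        ))
    return findings


def days_elapsed(f: Finding, as_of: date) -> int:
    """Days from discovery to fix; open findings keep accruing until as_of."""
    return ((f.fixed or as_of) - f.discovered).days


def sla_status(f: Finding, as_of: date) -> str:
    """'met' or 'breached' for fixed findings; open ones stay 'pending' until
    they overrun the SLA, at which point they count as 'breached' too."""
    elapsed, limit = days_elapsed(f, as_of), SLA_DAYS[f.severity]
    if elapsed > limit:
        return "breached"
    return "met" if f.fixed is not None else "pending"


def scorecard(findings: Iterable[Finding], as_of: date) -> dict:
    """SLA attainment per severity, computed as met / (met + breached) with
    pending findings excluded, plus the breaches worth raising with the vendor."""
    counts = {s: {"met": 0, "breached": 0, "pending": 0} for s in SLA_DAYS}
    breaches: List[Tuple[str, str, int, bool]] = []
    for f in findings:
        st = sla_status(f, as_of)
        counts[f.severity][st] += 1
        if st == "breached":
            breaches.append((f.finding_id, f.severity, days_elapsed(f, as_of), f.fixed is None))
    attainment = {}
    for sev, c in counts.items():
        closed = c["met"] + c["breached"]
        attainment[sev] = (c["met"] / closed) if closed else None
    return {"attainment": attainment, "breaches": breaches, "counts": counts}


# Constructed sample export, not real vendor data.
SAMPLE_LOG = """id,severity,discovered,fixed
VULN-001,critical,2024-03-01,2024-03-04
VULN-002,critical,2024-03-10,2024-03-25
VULN-003,high,2024-04-02,2024-04-20
VULN-004,high,2024-05-01,
VULN-005,medium,2024-06-01,
VULN-006,low,2024-01-15,2024-05-01
"""
AS_OF = date(2024, 6, 15)  # evaluation date for the sample


def sample_scorecard() -> dict:
    return scorecard(parse_log(SAMPLE_LOG), AS_OF)


if __name__ == "__main__":
    result = sample_scorecard()
    for sev, rate in result["attainment"].items():
        print(f"{sev:9s} SLA attainment: {'n/a' if rate is None else f'{rate:.0%}'}")
    for fid, sev, days, still_open in result["breaches"]:
        print(f"breach: {fid} ({sev}) {days} days{' and still open' if still_open else ''}")
```

The breach list is the useful output for the conversation in question 5: each entry is a specific vulnerability you can ask the vendor to walk you through, and an open finding that has already overrun its window is a sharper question than an aggregate percentage.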
Ultimately, our customers’ IT teams know that we’ve got their back — with Benchling, they feel confident in our ability to handle security, privacy and compliance risks, and they can turn their focus to supporting other critical scientific and business IT needs.
Benchling’s successful completion of the Type 2 SOC 2 examination ensures its biotech customers can perform their critical R&D work in the Benchling R&D Cloud in compliance with the highest security standards. Visit Benchling’s Security & Privacy overview for a more detailed explanation of the company’s best-in-class security, privacy, and compliance.