Prevention is better than cure. Today, this old adage not only applies to health but also to the welfare of successful organisations like biotech pioneer QIAGEN which is placing cybersecurity under the microscope and top of its agenda.
This invisible threat landscape, which is growing exponentially, means the role of Dr Daniel Schatz, Chief Information Security Officer of QIAGEN, is more important than ever as he works to protect the assets of the global provider.
German-based QIAGEN offers “sample to insight solutions” that unlock molecular insights encoded in the building blocks of life - working with more than 500,000 clients - and are currently focusing on rapid tests to stay one step ahead of COVID-19 and using trace RNA evidence to solve crimes.
As we sit down to talk to Schatz from his office near Dusseldorf, he admits the role of cybersecurity experts has historically been low-key but this looks set to change. “The threat landscape has definitely evolved in the past years. Attackers are ruthless and will take advantage of any oversight.”
The analogy of an ancient Chinese doctor who was paid to keep a person well and did not receive any money if they became sick, springs to mind as the role of today’s CISO in global companies are now in the spotlight following high-profile cyber attacks on both the Colonial Pipeline, which supplies 45% of the US East Coast’s fuel and JBS Foods, the world’s largest meat supplier.
Schatz discusses how he works to protect QIAGEN from “opportunist” attacks, the impact of the COVID-19 pandemic on cybersecurity, how he works with his peers at Health-ISAC to collectively prevent breaches, and the importance of their ecosystem of key partners which include Tata Consultancy Services (TCS).
“I’m responsible for the information security risk management programme at QIAGEN. My role is to protect the organisation from cyber attacks and ensure information and digital risks are appropriately managed across the board. We started a bit later with our security journey, so our focus is on building the capabilities needed to protect the organisation today and in the future.”
Clear and present danger
The clear and present danger of a cyber attack is never far from the mind of Schatz who joined QIAGEN two years ago from a previous role at the international news agency Thomas Reuters - another organisation renowned for its sensitive data. “As a CISO we tend to have a low profile but if things suddenly go wrong we become the most crucial person in the organisation.
“Attacks are increasing, which is little surprise considering how quickly organised cyber-criminals are improving their craft. A few years ago it was all very basic. You could buy basic malware packages and later on you could rent some basic botnets. We used to say in cyber-security – you don’t need to outrun the bear, you just need to outrun the person next to you. But today, you have to outrun several bears.”
This is the stark reality of working to protect the biotech company which is not only fighting against COVID-19 but also works on crime scenes to unlock DNA. One of the most notable cases being the OJ Simpson trial. As the world leader in such fields as ultrapure DNA and RNA extraction, processing and analysis, QIAGEN dwarfs its nearest competitors.
For an organisation that strives to provide its customers with the tools and services needed to get valuable insights from samples and supports pharmaceutical development during a global pandemic, you have to ask the question: Why does anyone want to target an organisation working in this humanitarian field?
According to Schatz, they are mostly opportunistic but the cyber attackers tend to target the same industry until they are successful which is one of the reasons they have got together with Health-ISAC, a health information sharing, and analysis centre, to work together to try and avert future attacks.
“Attacks on QIAGEN will often be opportunistic in nature. If we expose weaknesses or look like an easy target, cybercriminals will try to monetise this regardless of what business you are in. Today’s cybercriminals are not motivated by political agendas or activism, they simply look for their next big pay-out.
“In light of the pandemic, and the recent Colonial Pipeline incident, there are ransomware services who tighten their Terms & Conditions to try and keep their ‘Service’ to be used against hospitals or critical infrastructure, but this is unlikely to protect a company like ours. Also, there is of course the question of how likely cybercriminals are to adhere to T&C’s.
“There are, of course, threat actors who target industries and organisations for other reasons. Through our involvement in industry peer groups, government relations, and information exchanges like the Health-ISAC we’re keeping a close eye on developments in this space.”
“Technology plays a big part in protecting QIAGEN, we try to understand where we are being exposed both internally and externally. We use attack surface monitoring to understand where weaknesses are and what potential attackers see.”
Schatz said QIAGEN focuses on Microsoft Azure as their cloud of choice. “We make use of the functionalities and features that it offers to us for our services and we are quite happy with the increase of security controls that this cloud offers to us. We take advantage of the security benefits the shared responsibility model brings and the increasingly tight integration of Microsoft services in the cloud and on-premise. We're already improving our security controls for enterprise technology, accelerated and optimised the use of the security features.”
He pointed out they focus on understanding the cybersecurity risks of key partners and their potential impact on QIAGEN. “Just like we use attack surface monitoring to understand our own exposure, we utilise security scoring services to understand the
external exposure of some of our key suppliers. This helps to identify issues or negative developments that may become an issue for us.”
Focus on the future
Schatz said QIAGEN will refocus its efforts towards more security of products and services. “We will keep up-to-date with the threat landscape. We are well aware that ransomware continues to be a problem, and this will continue due to the evolution from a very technical service to a very kind of white-glove approach. It makes it easy for any criminal to become a very capable cyber criminal without actually having any experience or any skills in this space. They outsource all of the difficult parts to people who already have done the difficult bits and have a pre-packaged service to sell. For us as defenders, it changes the equation.
“What do I mean by that? In the past we typically said you don't need to outrun the bear. You just need to outrun the person next to you, but that no longer holds true. Nowadays, you are basically chased by several bears who compete to get you first.”
Power of partnership with TCS
QIAGEN is currently working on its digital transformation with increasing pace towards digitalisation of products and transforming into a cloud-first organisation. As the digital journey to Industry 4.0 progresses, Schatz points out that this comes with additional security risks which is why they are collaborating with stakeholders and key partners, such as TCS, to manage the risks and help with information technology and security operations services.
“We were originally starting from a low maturity level which can be beneficial as you get a chance to take a fresh look at the problem space and take a different approach than you would have in the past. What was a standard security solution five years ago may not be the most appropriate solution nowadays as the threat landscape has progressed and so should our thinking on how to protect our most important assets.
“We have brought in consulting partners to speed up and assist with optimising our investment in security technologies. Complete assessment of our M365 security stack, then understand what our customers expect – both features but increasingly also security prioritised implementation of the most impactful security improvements.
“QIAGEN has a long-standing relationship with TCS who give us access to many highly skilled experts across various areas who are able to quickly scale up as needs arise. TCS is a trusted partner of ours and easy to work with due to our long relationship,” said Schatz.
Impact of the pandemic on cybersecurity
Commenting on how the pandemic has impacted the work at QIAGEN with their “Sample to Insight” solutions, Schatz said: “The pandemic showed us the relevance of molecular testing in the research and healthcare value chains. QIAGEN played a crucial role in the first testing protocols.
“But the pandemic had a noticeable impact on QIAGEN in many ways. On one hand, demand for our COVID 19-related products and services increased sharply. On the other hand, we were impacted by shortages of crucial materials to keep up with demand and a high percentage of our employees had to work remotely.
“Global demand outpaced what the entire industry could provide. As a critical supplier during the pandemic, our employees worked around the clock to develop new solutions and ramp up manufacturing of key products. We collaborated with our suppliers, logistics partners, and customers to strengthen our supply chain. QIAGEN has utilised the additional revenues from our COVID-19 testing kits and automation platforms to develop solutions that will be relevant beyond the pandemic.
“However, the traditional workplace dissolved so instead of having one office to protect, in the case of QIAGEN, you have about 5,000 sales and business staff to protect as everyone worked from home and you have a very little handle on what’s going on in those four walls. Work was already underway improving our security controls for enterprise technology, so we were at a good starting position.
At QIAGEN, we are listening very carefully to what our customers and partners want and expect of us. From a security perspective, we are working very closely with our business colleagues who talk to customers every day so we understand where our products and services need to go. Getting involved very early allows us to have risk conversations at the right stage that ultimately lead to a better and more secure product,” said Schatz