Cybersecurity Is the Alliance Manager’s Business
Cyberattacks are frequently in the news, and generally no one is spared. IT and Information Security (InfoSec) departments in companies across every industry are constantly fighting off phishing attempts, viruses, malware, and the latest craze: ransomware, where hackers shut down a company’s network and demand money to restore access to the system. According to a Gartner report from last year, 75 percent of IT organizations will suffer a ransomware attempt by 2025.
What does this have to do with alliance managers? Plenty, it turns out. With partner organizations exchanging large amounts of data, providing access to certain parts of each other’s information platforms, and sometimes even jointly hosting independent data rooms, cyberthreats that shake up one organization will significantly impact—if not directly expose—the whole partner ecosystem.
At the 2024 ASAP Global Alliance Summit, in the session “Safeguarding Alliances: Cybersecurity Challenges and Solutions,” a panel consisting of four alliance professionals and the chief information security officer (CISO) from Jazz Pharmaceuticals tackled the preventative measures alliance teams should take vis-à-vis cybersecurity and what to do if you or your partner are attacked.
The bottom line, according to multiple panelists: a cyberattack is not a question of if, but a matter of when.
“We want you to leave more comfortable in talking about cybersecurity incidents within your alliances,” said moderator Lauren Griffey, CA-AM, associate director of alliance management at Jazz Pharmaceuticals, in kicking off the discussion.
Lots of Questions About Security; Little Question About Its Importance
Robert Fell, executive director of information security and the aforementioned CISO at Jazz Pharmaceuticals, outlined his company’s “third-party risk management program,” which assesses the impact partners could have on Jazz’s IT systems if those partners were subjected to a cybersecurity event.
“We send out questionnaires to vendors to understand what their security posture is. We go through contract language. We get a lot of complaints because it takes a long period of time, but trust me: when an event happens, it’s good to have those things in place and to show that we’ve done the proper due diligence,” he said. “If a key partner is housing sensitive data of ours, we want to make sure that they have the right things in place to protect the organization.”
Alliance managers are also responsible for helping IT and InfoSec teams understand how “information flows across your alliance, [and] why those systems are set up the way that they are,” according to Danielle Martinez, CA-AM, PhD, associate director of alliance management at Jazz Pharmaceuticals. For example, will information be shared primarily via email, through SharePoint, or via a partner relationship management (PRM) platform? “Understanding how systems are put together and why it’s been established that way—that is, to be able to talk about the alliance [information] model—will allow alliance managers to thoughtfully connect with colleagues from [InfoSec].”
Let’s Discuss—Right Away
Fell strongly urged attendees to engage partner legal and IT teams early in deal negotiations to allow for enough time to complete the survey and review the security-related contract language. This isn’t the only cybersecurity-related action item in the early phases of the alliance life cycle, either. Lena Frank, CSAP, an independent business consultant, labeled the “launch” and “refresh” of alliances as “great places to bring up cybersecurity.”
“Don’t be afraid to have a discussion with your alliance counterpart about cybersecurity. Do they have a plan or plans in place?” she advised.
Alliance managers are generally no strangers to tough conversations, and they cannot afford to avoid this cybersecurity dialogue.
“There’s a stigma around cyberattacks, and it’s not something that, as alliance managers, we want to bring up necessarily right in the honeymoon stage,” said Steven Roy, MBA, senior director of alliance management at Jazz Pharmaceuticals, “but it is something that’s super critical to be thinking about early on, because the probabilities are your team and your partnership could be affected—and most likely will be affected—at some point in time.”
Everybody’s Talkin’ at Me: Alliance Managers Must Stay Calm and Share Info Appropriately
What should alliance managers do if their own or their partner’s system gets hacked? First, know that it might be a while until the situation is resolved: it can take days to restore systems from a minor breach and six months or more to recover from a major one.
“You’re likely not going to be on the need-to-know list, so you’ve really got to have some patience,” said Frank. Moreover, with the SEC requiring companies to report larger-scale incidents, these attacks are considered material events. “Limited information, that’s all that’s going to be available, and it won’t be there when you really want it.”
Although alliance managers may not be receiving all pertinent information, the onus is on them to dish out everything each stakeholder needs to know with regular updates as the situation unfolds, just as they would in any other type of crisis.
“Alliance management becomes a really important focal point for all those communications with your internal teams and with your partners,” said Roy. “It’s really important to align with your leadership around the messaging and the plans of what you can say [and] when.”
“Everybody’s coming to you with questions,” Roy added. “We’re looking for alliance management to be that calming, guiding presence in the midst of what’s likely going to be a panic-induced situation.”
Tight Lips Sink Ships
Martinez felt strongly that a cyberattack is an opportunity for partnering pros to activate their “superpower” of communication. She spoke of an incident in which a partner was hacked. Despite the sensitivities of the situation, the partner’s “alliance management team were very big advocates with their leadership in explaining what the business risk is and how it connects to the alliance risk of being exceptionally tight-lipped. So they were big advocates for encouraging their InfoSec team to connect with each partner, ensuring that there was consistent messaging,” she recalled.
The partner went as far as to present critical information to joint steering committee (JSC) members, in addition to briefing Fell and his InfoSec group. “Because they were so transparent, we got to, ‘What uncertainty do we still have to manage, and how can we work through that together sooner?’” Martinez explained. “It ended up being a scenario where, although not ideal, the trust in our partner has gone up tenfold easily because they were just very strong advocates for partnership and what can be done to keep business going during a very difficult time for them.”
Of course, with email and company smartphone communications—and the contact databases within them—likely inaccessible at the outset of a breach, multiple panelists exhorted listeners to print out contact lists or get a paper address book in normal times, “not maybe for all your contacts, but for the key ones,” said Martinez.
An Ounce of Prevention Keeps the Hackers Away
Finally, the panelists encouraged audience members to place a higher priority on the cybersecurity training provided by their company’s IT department.
“I know the training we roll out is boring,” said Fell, “but please take it seriously. It will not only protect [you] at work, but it does protect [you] at home.”
In addition, Fell counseled everyone to “always have a healthy amount of skepticism when people email you or contact you.” With hackers getting more and more clever in impersonating bosses and gathering reconnaissance about company hierarchies, fraudulent email addresses and text messages are looking increasingly real these days. And with the rise of “deep fakes,” audio and video will soon be potential vectors for well-disguised wrongdoers. Once they get in the system, they can go as far as to copy letterhead, create real-looking fake URLs with a couple of letters discreetly transposed, and begin sending false invoices or bank account wiring instructions.
“When people are trying to get you to do something, they’re trying to instill a sense of urgency. ‘You need to do this now. Please do this immediately!’ That is an indication that something’s not right. And always just pick up the phone and contact the person directly,” said Fell.
Indeed, 95 percent of these incidents are rooted in human error—users click on a link they shouldn’t have or unwittingly provide sensitive information to a bad actor.
“Remain vigilant, paying attention to emails, videos, whatever communication systems that can easily be imitated nowadays,” said Frank. “Start with prevention.”