Cognizant Blog

The life sciences sector is undergoing rapid digital transformation, driving innovation but also increasing exposure to sophisticated cyber risks. How do those in the sector manage the balance between threat and opportunity? A recent webinar—convened by Cognizant and Microsoft—sought to address this central question, exploring the unique security challenges facing pharmaceutical and biotechnology organisations, the role of artificial intelligence (AI), and how these firms can build resiliency into their operations.

The webinar began with panellists asked to consider where the life sciences sector shared the same concerns as the rest of the economy and where it faced specific threats. Helen Ridley, Senior Cyber Security Specialist at Microsoft, summed up the similarities and differences: “Life sciences face the same baseline cyber security threats as any modern enterprise. However, the motivation and the attack surface can be quite different,” she said.

Among the differences is the centrality of intellectual property. IP is a competitive edge for most organisations, but for this sector it is a scientific advantage, too. Coupled with valuable and highly sensitive research and personally identifiable information (PII), life sciences data is ripe for exploitation. “The impact is not just financial, it’s also reputational and regulatory,” noted Arjun Chauhan, Cyber Security Practice Director at Everest Group, and it’s one of “the reasons the ground rules are different” for the sector.

Other differences include the sector’s reliance on operational technology (OT), which lacks a track record of cyber resilience. Another is a propensity for supply chain vulnerabilities, especially related to research projects carried out in partnership with the university sector, historically a highly attacked surface. The sector’s typical reliance on legacy systems adds a further layer of potential risk.

In offering advice to firms seeking protection, Vishal Salvi, Global Head of Cyber Security at Cognizant said that in an ecosystem of “more than 5,000 technologies to choose from” the ability to prioritise is key. “It’s about choosing the right controls,” Salvi said. He compared security measures to battle armour. Carry too little and you are vulnerable to attack. Carry too much and “you get weighed down”. Identify, instead, “the top 10 most critical aspects” of your cyber security need, Salvi suggested.
 

AI pros and cons, and the role of agentic

When the discussion turned to the impact of AI, the expert panel was first asked to assess whether the technology was a net positive or net negative for security teams. After all, if the good actors can put AI to work then the bad actors can, too. “It’s a double-edged sword,” acknowledged Ridley, pointing out how AI is accelerating phishing attacks, automating the identification of vulnerabilities, and generating high-quality content at scale.

Chauhan echoed Ridley’s list—convincing phishing emails and believable social engineering scams, among his concerns—and conceded that AI is “making some attacks more effective”. Beyond the attacks, he warned that AI is a risk to privacy from the inside, too, with employees minded to “copy and paste” sensitive information into public generative AI (gen AI) tools. Meanwhile, some organisations are relying on gen AI—prone to hallucinations—for security decision-making and compliance documentation.  

On the positive side of the ledger, Ridley pointed out that AI allows organisations to spot activity they would “never catch manually”, compress reaction times, and automate some of the most labour-intensive aspects of security operations. Moreover, AI permits teams to identify unusual patterns of behaviour, and more quickly summarise and analyse hostile activity, Chauhan added.

Salvi took an optimistic view, too. Cyber security is a form of “asymmetric warfare”, he observed, where “the good guys have to get it right all the time while the bad guys only have to get it right once.” AI, for all the reasons explored by the other panellists, is beginning to reduce that asymmetry.

Another consequence of AI, and gen AI in particular, is the move from a “deterministic” world to one that is more “probabilistic”. This has consequences for the way we approach security and privacy, said Salvi. Why? Because whereas “our previous world was all about ‘allow’ and ‘disallow’ … we’re moving into a space of grey. It’s not black and white anymore.” This is a culture challenge for security teams.

On the role of agentic AI, Salvi addressed the implications of the “transition from hyper-productivity to agentification”. The new age of agents demands vigilance against ill-informed decision making and prompt poisoning, and requires improved “input and output validation” to protect the integrity of organisational data.
 

Privacy-by-design

Introducing viewers to—or reminding them of—the virtues of privacy-by-design as an important security methodology, Salvi noted: “If you do security or privacy as an afterthought, the cost of embedding that into the infrastructure becomes exponentially expensive.” Think, instead, about design from the outset and not only does it become “deeply embedded” in everything you do, it is more cost effective, too.

By way of example, Ridley advocated that when setting up clinical trials organisations only collect the data that is absolutely necessary. “Not every data point you collect will be useful,” she noted, adding that it was important to “enforce strict segregation between research data, patient identifiable data, and manufacturing systems data.”
 

Teams, skills and culture

Switching from technology to people, panellists were invited to explore what constitutes a resilient digital team. Chauhan argued that such a team typically demonstrates three common characteristics. These are clarity of decision making (“confusion is the enemy of response”); a strong grasp of security fundamentals (“the most resilient teams are not the ones with the fanciest tools”); and a willingness to embrace cross-functional collaboration.

Only in a resilient culture, added Chauhan, will people “feel safe” to report mistakes. Ridley argued for cyber security to become part of “everybody’s day-to-day work”. She offered, as an example, a research scientist who may need persuading why labelling her data really does matter. “Give them a reason as to why that’s important.” Ridley also noted that in her own role she has to work to KPIs (key performance indicators) related to data protection.

In the same spirit of pervasive security, Salvi suggested that the trend to “shift left”—“moving the need to protect and implement controls more and more towards the front end of your IT teams”—is surfacing in other parts of an organisation, too. “Now we’re talking about shifting in all directions … shift right towards the business, shift upwards to the board and leadership, and shift downwards towards your users.”

In terms of skills and talent, and potential shortages in both, Chauhan suggested that pharmaceuticals and life sciences firms face two big challenges—competition and specialisation. On competition he noted that because security skills are in high demand across the economy, life sciences organisations find themselves competing with technology, banking, and consulting firms for the same talent, fuelling shortages and adding to the cost of hiring. 

On specialisation, Chauhan identified skills such as OT manufacturing security that are particular to the sector, as well as cloud and identity security that are becoming increasingly prized as the sector embarks on digital transformation. To address both challenges, he advised that organisations consider “augmenting” a strong internal team of specialists with contractors from service providers.
 

Final thoughts

Before the webinar drew to a close the three experts were invited to leave viewers with a final word of advice. Chauhan urged pragmatism. “Do not chase perfection,” he said, “chase resilience. Invest in the fundamentals such as identity, segmentation, and secure configurations. And build partnerships across IT operations. Lastly, practice your response because the organisation that recovers fastest is the one that has done the hard yards.”

For Ridley, it’s imperative to treat cyber risk as a business risk. “It’s not just a security team’s risk—it affects operations, revenues, safety, and compliance.” As such, she said, good leadership means sharing accountability.

Finally, Salvi encouraged viewers to get started. “You’re not competing against anybody else—you’re competing against yourself. So make a start and have clarity in terms of what you’re seeking to do. And make sure you are getting better every single day.”

‘Securing Life Sciences in the Agentic Era: Cyber Resilience and AI Defence for Pharma’, a Cognizant / Microsoft webinar, was first broadcast on 17 March 2026.



Vishal Salvi

Global Head of Cybersecurity, Cognizant





Rohit Dayama

Global Client Partner, Life Sciences, UK&I, Cognizant





