Securing the provision of antibodies - an interview with Abcam CSO Helen Rabe

More than two decades ago, Jonathan Miller, a scientist at the University of Cambridge, had numerous issues with his antibodies: a lack of quality and supporting data were two of his biggest problems, and as a result, his research took a lot longer. So he decided to build a company that would work on exactly that; providing the antibodies accompanied by comprehensive and open data. 

Since then, the company has grown from start-up, to unicorn; the multi-billion dollar organisation ships orders to over 140 countries from a range of more than 100,000 products. It has offices in the UK, the US, China and Japan, with almost of a fifth  of its 1400 staff being PhD-level graduates. 

With so much media attention on anything Coronavirus-related, Abcam is perhaps one of the companies that has gone under the radar, but as it provides antibodies and antibody-related products including protein detection products, the company forms part of a global effort for scientists to better understand COVID-19. 

In fact, as the company's chief security officer (CSO) Helen Rabe explained, unlike many other CSOs and CISOs who have had to contend with security challenges with remote working, Abcam already had a flexible work policy in place, so it was in a strong position to manage that when lockdown came into effect. Instead, Rabe has been busy with challenges that are unique to Abcam.

She said:

What we have been doing is providing avenues to access our intellectual property- we've been providing a number of researchers access to pockets of that data, and we've been supporting them on solutions in line with that initiative. We've had to move very quickly.

 The approach taken was in line with the ‘people, processes and technology' mantra. From a people perspective, the security team needed to know which researchers the scientists were engaging with regards to accessing the data, from a technology point of view, Rabe and her team had to establish where the data was stored, and from a process standpoint, they had to understand how the company could get these data to these researchers and scientists in a secure manner. 

Rabe's team had to ensure that this data was locked down to only that group of individuals, and work with its scientists to ensure that they would be equipped to play their part in securing the data and transferring it to make it available to researchers. 

Security is a personal concern now

Another challenge that Rabe and her team have had to contend with is the number of security questions from employees around the use of certain tools in their personal lives, including Zoom.

She said:

When there are security concerns, my end users reach out to me or my team directly to ask questions through a dedicated chat facility. You're supporting your end users' personal lives as well as they're using Zoom to call family and there's been a rise in other online scams too.

There really is no difference at this point in time between personal and professional lives when it comes to the current security climate. Two months ago, the end user engagement was around one or two queries a day, and since we have been working remotely it has gone up exponentially, with people being far more aware of the security challenges that are out there for them.

As a result, the team has been engaging on activities to help end users in their personal lives. For example, it has a Friday session where the team will introduce them to a topic - such as background information on different types of hackers. 

To help to keep users alert to the threats they're facing, Rabe's team decided to release cyber awareness videos on a weekly, rather than monthly basis, when lockdown went into effect. 

She said: 

The challenge is around keeping the noise from our end user population down from a concern standpoint but also ensuring they're still proactively engaged with our ongoing security awareness programme.

Not spending for the sake of it

While CISOs often have to exploit certain situations such as GDPR in order to get much-needed budget increases, Rabe says that this kind of tactic does not sit well with her, especially at an organisation that already has a good foundation of technology in place.

She said:

I'm not changing my requirements because I don't need to - I have what I need for now, and I won't purchase until I need to.

Rabe says before purchasing further technology, she works to ensure that existing tools are being used to their full capabilities, and that partners' capabilities are also being leveraged as much as possible.  In her experience, if the issue remains after taking these actions, then she would go to the CIO and the board to ask for the money to invest in a new product or service. By taking this approach, Rabe believes that the CIO-CSO dynamic becomes one based on trust, as the CIO will take the request more seriously.

A change in mindset

Previously Rabe wanted the mindset of her leadership teams to be that they would not hear from her or her team because they would be doing their jobs well, and keeping things secure. However, she says that the current climate has meant this should be reconsidered.

Rabe said:

Now, everybody understands because of the amount of media, security in general is under the microscope and under a lot of pressure. So provision of basic metrics around things like how many phishing attacks have been attempted and how many of users have been impacted can provide reassurance. 

This means even if they don't hear from me, they can see what we're dealing with in the background - that gives them that reassurance and keeps the nervousness down, and helps them to understand that lack of engagement is not because If the CISO and security team are keeping everything operating. The team may be invisible but they are still effective.