If you want to banish the “Frankensystems” in your environment, there are three key things you need to do:

1. Select the right tool
2. Create efficient business processes
3. Develop a robust change management plan

A better mousetrap 

Most tools do not address the entire lifecycle. In the figure shown, the outer ring represents the lifecycle from finding the right content to publishing and distributing the final product, and the inner circles illustrate the tools or systems that are used typically.

To manage information today, various systems are used at each step, and often (in the case of email) information or documents are handled outside the system.

Fortunately, there is now a single, end-to-end, system that includes the necessary functionality and integration for managing information in the lifecycle.

Docuvera, a cloud-based software offered by Author-It, is a unique solution that supports creation, review, approval, localization, storage and distribution of your key regulated and controlled information and documents within a single integrated system.  A component-based authoring solution, Docuvera enables information reuse and ensures consistency and accuracy across documents.  Content is created once and can be re-used across document types or global regions.  Changes are made once and are automatically replicated throughout the document library.  Provided with a clear audit trail, version control issues are eliminated.  The ability to reuse content across departmental silos improves visibility and transparency while  increasing efficiency and reducing costs.  Some clients have avoided or reduced cost by 29-44% for document creation, and 74% for reusing information. It helps you work faster too: reducing cycle time by as much as 40-45%.

Setting up for success 

Too often companies assume that a new technology or tool will fix their pain points. But without efficient business processes and effective change management, most (70%) technology implementations fail.  Docuvera—or any solution—alone will not banish the monster. It needs to be supported by efficient business processes and effective change management and communication.

TransAccel Group is uniquely positioned to help design, execute and realize the benefits of an integrated, enterprise-level information management strategy. Our approach focuses on crafting solutions unique to your situation, designing business processes and recommending technology solutions that enhance integration and improve communication, collaboration and consistency, both functionally and globally, and then developing the change management and communications that will make it useful and sustainable in your environment.

Email Mark Lane or Bruce Lotier to continue the conversation or discuss how TAG can help you develop an information strategy that works for you

How did we get here?

Like many sectors, the pharmaceutical industry is known for functional siloes, which make it difficult to communicate and collaborate across the enterprise. The challenges are magnified when multiple systems are involved, and further compounded when information needs to be shared, or when larger documents, such as submissions, need to be created collaboratively across business functions.

It starts with scattered information and broken processes. 


When you’re creating a document that cuts across functional areas, such as a regulatory submission, medical writers, subject matter experts and/or authors must spend time identifying and retrieving content, by searching across multiple systems (drives, folders, other storage systems) and emailing various contributors to find the most up-to-date content. When more than one author is involved, people must either work independently on their sections, or documents must be checked in and out, making collaboration more complex.

The evolution of Frankensystems

Identifying content, creating documents, reviewing and localizing documents is challenging enough without complicating matters further by using multiple systems. But this approach started because an integrated solution wasn’t there to support the end-to-end process, so companies addressed each sub-process as technology became available. Today, “Frankensystems” persist and multiply in the absence of an integrated strategy that brings together business and IT goals, and manages information, documents and the supporting processes.

Can you banish the monster—or at least teach it to dance?

Yes! The first step is to examine your information and document management approach and pain points, with an eye towards developing enterprise solutions. When you look at your information requirements from a higher level, and address specific business unit and IT needs, a comprehensive approach to information and document management will save time and money, improve compliance and free up key talent to work on higher value activities.

When considering your information management strategy, it is important to remember that software and other technology tools are merely enablers of the overall solution. No tool can fix business processes that don’t work well or engage people to use them. Assessing and improving your business processes and practices and developing a change management and communication plan will also help you “tame the monster.” In the next post we will discuss technology options that provide an end-to-end solution for creating, reviewing, approving, localizing, storing and managing regulated and controlled information.

How can you can address your own “Frankensystem” nightmare, engage leadership, manage change, and start on the path to a better way? Contact TransAccel Group by reaching out to Mark Lane or Bruce Lotier.

When we talk to our clients and colleagues in the pharmaceutical industry, their stories are very consistent: They are overwhelmed by the amount of information and documentation required to research, develop, approve, launch and commercialize a drug.

As one executive said, “If you think about it, we really produce two products: the marketed drug—and all of the documentation needed to support it through its lifecycle. And somehow, somewhere along the way, it becomes an information vortex.”

How did we get here?

The demand for information and documentation has grown exponentially as regulatory and compliance requirements have increased in scope and complexity. Patients, payers, and administrators are also playing a greater role in treatment and prescribing decisions, and desire increasing amounts of product information to inform those decisions. Throughout the research, development and commercialization processes, companies must capture, create, review, manage, store, distribute and track critical content and documentation.

Getting it wrong can impact approval, successful commercialization and create compliance risk for the company as a whole.

Are you trapped in an information vortex?

In a typical “information vortex,” there are many people creating, reviewing and approving information and content, using multiple tools and systems, stored in many places, shared over email or other platforms. The relative lack of process and structure leads to low reliability and confidence in the information. Knowledge workers can lose significant time searching for, retrieving and creating content, and tracking it through the collaboration, review and approval process.

When was the last time you had this conversation: “Is this the latest version of the document? Does it include the most recent results? Where is the citation for this? Has it been reviewed by Legal and Marketing?” That’s the information vortex.

But it doesn’t have to be this way.

Your information management strategy, explained

An integrated, enterprise strategy will help you define the processes and select the tools to manage regulated information and documentation across the lifecycle of the products in your pipeline from research and development to commercialization and medical information. It will drive consistency, transparency and compliance, answering a number of questions.
• What systems and tools are best suited for managing our regulated and controlled content?
• How can we make our creation and review and distribution processes more efficient?
• How do we enhance quality control and compliance?
• How can we reuse content and information around the globe and across business functions?

Ultimately, an information management strategy will drive significant competitive advantage in terms of costs, time and the quality of your information—and create a more positive experience for your colleagues, partners and patients.

If you would like to continue the conversation or learn more about the benefits of our approaches to developing an integrated information management strategy, email Mark Lane or Bruce Lotier.

Protecting your digital assets is very much like looking at the whole board. A proper defense is not just one thing, but comprises a systematic construct of what you know (past events, known best practices, proven strategies), what measures you plan on putting in place, and the anticipation of what your adversaries might try to do.  This would be augmented by an endless cascade of if/then planning and dry runs to prepare for an attack.

A security program should not be static but a living, breathing thing that is ever-changing based upon the observations you make and information you gather. It is a series of defenses and actions premised on what your opponent is doing to others, and perhaps will do to you. For this reason, technology alone won’t guarantee success. While best practices around firewalls, protection systems, network configurations, passwords and processes is essential, people—as in ALL the people in your company—need to play a vital role. This cannot be understated. While it’s true that people often cause cybersecurity risks and outright breaches through negligence or idle curiosity or ignorance, they can also be educated to help identify and stop bad behavior. That said, an annual security “training” program alone won’t do this. A continuous communication campaign that engages the employees and gives them a forum where they can ask questions and learn how to better protect their personal digital world will pay a nice security dividend. If you can show them how their efforts as an integrated part of your security team have paid off, you will have built a security function that isn’t static but considers the changing world. By using your company’s staff as part of your security program, you are now looking at the whole board!

– See more at: http://www.transaccelgroup.com/blog/2015/05/07/what-would-bobby-fischer-do-taking-a-cybersecurity-lesson-from-a-chess-master/#sthash.1u1vHupb.dpuf

My guess is that administrative controls are considered “soft,” focusing on management and training, and it’s pretty enticing to think that technical controls and physical controls will suffice for cyber security defense. Not a good idea, says Art Gilliland, senior vice president and general manager for Hewlett-Packard’s software enterprise security products in a recent issue of Computer World.

“…businesses and government agencies often focus on the next “silver bullet” product, unaware that most cybersecurity problems stem from flawed procedures and human error…invest in your people and process.”

In the broader world of business, success depends on the correct balance of the three main pillars: people, process, and technology. Within information security, are we creating a three-legged stool with one leg (technology) longer than the others? That can’t be good. Technology is an important piece of your arsenal, but insufficient by itself. Having sound policies, defining clear role-based processes and procedures, and providing communications and training for key stakeholders (which may include every employee) will create balance for the three-legged stool of information security. Policies and processes might sound like management overhead, but any organization desiring to provide consistent goods and services must have consistently applied policies and processes—i.e., CMMI, but that’s a topic for another blog.

Unfortunately, many IT areas don’t give communications and change management its proper due, which is why we focus on those areas as part of all of our client engagements. Information Security user awareness and training helps create a faction of employees who understand that they can be either a vehicle for threat actors to enter your environment, or sentries at the gate, raising an alert when something looks suspicious.

A one-legged stool is going to have you end up on the floor. While you are focusing on technical and physical security, your adversaries are busy figuring out how to leverage your employees to breach your environment. Remember, three legs: People, Process, Technology. Don’t shortcut people and process in cyber security.

Does this sound familiar?

If so, take solace in knowing that you are not alone, but things have to change. For many companies, growth has outpaced their policies and processes, which can be a risky situation, especially in cyber security.

In information security, due care means “acting responsibly and doing the right things.” While information security is a very complex field, there are certain basic building blocks that must be in place for every company.

Ask yourself:

Do you know your company’s most important assets, where they are located, and how they are protected?
Do your employees understand their role in information security?
Do you understand the major vulnerabilities within your company?
Do you know the major threats and threat agents to your company / industry?
Do you know how your company would respond in the event of a cyber attack?
When the topic of cyber security comes up, most people think about firewalls, intrusion protection/detection systems, and other technical solutions. While these are inevitably part of the solution space, if you are hesitant or unsure of the answers to any of the questions listed above, you could be negligent in providing “due care” for your company.

You probably understand the things that need to be done to make your company secure from an information perspective. Nevertheless, not taking action—even by doing something as small as raising the issue with your leadership—can be construed as not “acting responsibly.” Knowing what to do and actually doing it are two completely different things. There will always be the “hot,” critical project that needs attention, but ignoring what you know to be absolutely necessary is comparable to a “dereliction of duty.” Taking key resources away from information security operational activities to do project work is shortsighted and negligent, and puts you at risk as a company.

Don’t wait any longer. Now is the time to act and provide your company the level of due care that is necessary and expected.

The fact is that most companies still view IT and the CIO role through the narrow lens of providing technology-based services; they have not broadened that view to take into account the stunning changes wrought by digital technology. IT is no longer simply responsible for building, operating, and maintaining infrastructure; it’s responsible for data governance, driving growth through data analytics, cyber security, connectivity and integration. However, since most organizations are peering through the old lens of IT-as-service-provider, they are blind to IT as a revenue-producer. The irony here is that Sales, Marketing, R&D, Finance, and HR—those typically considered revenue-producing—are only able to do what they do because of IT and IT’s ability to stay ahead of the curve.

According to a recent IBM study of 4,100 C-suite executives, only 42% of CIOs were involved in strategy, as opposed to 72% for CFOs and 63% for CMOs. This is puzzling. Since IT touches everything, the CIO has an enterprise-wide vision that would be invaluable in integrating an enterprise-wide strategy. Luckily, the IBM study suggests that this is turning around—the CIO is soon going to be considered one of the C-suite “triumvirate,”: CEO, CIO, CMO.

Another reason the CIO role is more difficult than most is that it bears sole responsibility for ensuring business continuity through critical service level agreements that define uptime, availability and redundancy. At the rate of change today—BYOD and big data come to mind, besides the emphasis on ever-changing end-user demands and satisfaction—it’s a lot to juggle at once. Not to put too fine a point on it, the CIO is answerable in a very tangible way to every executive in the C-Suite as well as the end users, both internal and external.

Mary Shacklett, former CIO of FSI International and current president of Transworld Data says this about the role of the CIO today, “. . . virtually every aspect of the business these days is run on systems. When systems fail, even if the wrongdoing originates in business operations, the CIO is still a ‘best bet’ lightening rod to attract the blame.” Here Ms. Shacklett is responding to the resignation of Target’s CIO after the data breach last fall. To my mind, blaming the CIO underscores the notion that IT is still perceived mainly as the supplier of technology and that with the right technology, incidents like this would not happen. But this is patently not true. It cannot be the CIO’s job to absorb all the operational risk.

It is past time to realize that risk management is critical to your operations and adequate overhead should be provided for it. Preventative measures such as performing regular maintenance and security checks is not the place to economize; economies can be made by killing unnecessary demand and scrapping any projects that have either outlived their usefulness or whose value is questionable or negligible. Give IT the budget it requires to undertake the discipline, training, and governance necessary to do the job right. Data and operational security should always take precedence over functionality improvements if you are faced with budgetary constraints.

The U.S. economy for the past few years has been unkind to IT, and now that there seems to be a slight improvement, organizations will be making some overdue upgrades to their hardware, servers, and storage systems. IT will be at the forefront of these efforts as well as efforts to move to the cloud, coordinate the use of employee mobile devices, mine data, and maintain security. I read somewhere that the CIO is not unlike a conductor, orchestrating separate sections into a synchronized whole. I think that’s about right.

Give me your thoughts on how you see your CIO role. How are you/they addressing these challenges? Does the world look different from where you sit? What would you do if you were CIO or CISO?

According to Cenzic ‘s Application Vulnerability Trends Report: 2014, “While the majority of corporations have the important security building blocks, such as firewalls and intrusion protection systems needed for their security infrastructure, not enough organizations have comprehensive tools and practices in place for securing applications.” Faced with a worldwide shortage of Cyber Security professionals (Cyber Security has only recently become a discipline one may major in!), and companies unable to afford the overhead necessary for the requisite training, this situation is not surprising. Bad news for you. Good news for hackers.

Still think you can go it alone? Do you really understand the sheer magnitude of possible vulnerabilities? Here’s a sobering thought: Everything on the network is hackable. Everything—from your corporate computers to a 3rd party vendor to your employees’ Smartphones. Add to this the risky behaviors employees can engage in—sharing passwords, inappropriate web browsing, copying sensitive data onto mobile devices—and you’ve got exposure. Lots of it.

An objective Cyber Security assessment can assist with evaluation and establishment of controls to:

• Implement an information risk management program
• Ensure network security is adequate, including boundary and internal
• Guide user education and awareness
• Verify malware protection and prevention
• Deal with secure configuration and patch management for devices (network, servers, PCs)
• Manage user access and privileges
• Handle incident management
• Assist with home and mobile working

If you feel you aren’t ready to tackle all the items above, you should at least undertake a basic evaluation to consider only the most foundational building blocks for cyber security.

In a survey of its 3,400 global members, Information Systems Audit and Control Association (ISACA) found that although 83% of the respondents recognized Cyber Attacks as among their “top three threats,” only 38% felt prepared to endure one. Make sure you are part of that 38%. If you do nothing else, purchase cyber insurance. If you are ready to take additional steps, we can help.

P.S. On our C4C blog we recently wrote about the fallacy of thinking you are too small to garner a hacker’s attention. I can’t stress the following enough: While big companies more often make the news by getting breached for millions of records, they also have the financial resources to dig out of that hole. Small companies aren’t as lucky. A data breach at a small company can mean closing the doors, for good. Don’t let that happen.

Many companies think because they are small they are immune to a cyber attack—after all, they do not have the net worth of, say, Target ($38B) or Home Depot ($55B) or Walmart ($250B). This is a dangerous misconception. The fact is, whether you are worth millions or billions you are at risk, and your insignificant size might be the very thing putting you in jeopardy.

What makes a small business attractive to hackers? For one thing, smaller enterprises often don’t have the resources to implement the programs and training necessary to prevent, detect, and recover from attacks. Larger organizations do have the resources (including insurance) to weather a breach, but smaller ones may suffer irreparable damage. Another attractive difference is that while larger companies have a more holistic, integral view of IT security that extends across an enterprise, smaller companies tend to have a more myopic view where IT security is relegated to, well, IT. In addition, since smaller companies often have less sophisticated firewalls and detection programs, they may be targeted as a portal for later use as conduits to larger organizations. For example, preliminary investigations indicate that the mess at Target may have been initiated by an employee of their HVAC vendor who opened a malware-laden email. It has been said that you are only as strong as your weakest link, and all too often, that link is human.

Whether you recognize it or not, your organization’s systems and data are exposed in countless ways, including via mobile apps, third party vendors, remote employees, former employees, cloud storage, weak passwords, neglected legacy systems, and social media. In its September 30th report, Managing Cyber Risks in an Interconnected World: Key Findings from The Global State of Information Security Survey 2015, PricewaterhouseCoopers writes,

We also saw increases in attacks on connected consumer devices— such as baby monitors, home thermostats, and televisions— that comprise the Internet of Things, a nascent ecosystem of devices that interconnect information, operational, and consumer technologies. These Internet-connected devices are vulnerable to attack because they lack fundamental security safeguards…

According to Gartner’s 2014 Magic Quadrant for Security Information and Event Management, “more than 92 percent of breaches [are] undetected by the breached organization.”

Are you still feeling invulnerable? No matter how small your organization is, cyber hacking is an equal opportunity threat. As such, cyber security is no longer the province of IT; it is the province of everyone in your organization from the C-suite on down.

Our information security and risk assessment service will help you understand where you have critical risks in your cyber security landscape. If you are feeling uneasy or uncertain about your information security, let us know. We can help.

Why is Cyber/Computer Security so far down on your to-do list? If your reasons are any of the following, you might want to reconsider your priorities.

• Because you live under a mushroom or live off the grid.
• Because your environment is in such disarray that if someone did breach it, the chances of him or her finding anything of value would be remote.
• Because you believe that you are only a little fish in a big pond and hackers have much bigger companies to go after.
• Because no one has requested it and you have more than enough other problems to handle right now.
• Because you don’t know where to start.

Let’s address each of these points in turn.

They can’t find you.  On a recent episode of 60 Minutes, Dave DeWalt, CEO of cyber security company FireEye, asserted that 97% of all companies are being breached. Ninety-Seven percent. So, unless you truly live off the grid, you have likely had a breach already. The real question is how bad is the damage?

They can’t find your valuables.  These criminals are very sophisticated and have the knowledge, tools and patience to find your sensitive data and exploit it.  Hacking has evolved from the lone geek making mischief to an actual profession and, as Lance Cottrell, Chief Scientist at Ntrepid and expert on security and privacy writes, “In most breaches, it turns out the hacker has been inside the network for months.”

Your valuables aren’t worth it.  Wrong again. They aren’t always interested in your data; often they are interested in your financial partner, investor, supplier and customer. Anything sensitive they can sell or make profit from.

You have other priorities.  You will always have other priorities. But believe me, if the hackers come—and they will—you will have to deal with the fallout and that will become your new priority.  With several methodologies at hackers’ disposal such as viruses, malware, botnets and ransomware, cleaning up the damage will be more involved than you think.

You don’t know where to start. Improving your security begins with having a prioritized list of actions based on risks to your company.  A risk assessment will accomplish that and, at the same time, help you raise awareness and understanding with your executives of possible threats and the cost of inaction. It will also demonstrate confidence that you and your team are pro-actively dealing with the today’s cyber security reality: it’s not a question of if, but when.

What is your reason for not having an information security and risk assessment performed ASAP?

If the real reason is you don’t know how, that is where we can help.