Cybersecurity budgets must be set individually | Expert interview with Peter Merrath

About our interview partner

Peter Merrath is the managing director of Vertanical, a modern biopharmaceuticals company focusing on the active ingredients in cannabis. He previously worked as a consultant for risk management and cybersecurity at McKinsey & Company.

Peter Merrath, managing director of Vertanical

Hello Peter. Your company, Vertanical, is part of the FUTRUE umbrella. What is FUTRUE and how does it relate to what you do?

FUTRUE is an international healthcare incubator with more than 20 companies. One of them is Vertanical – a highly innovative biopharmaceuticals company with state-of-the-art facilities for growing and manufacturing medical cannabis. I am Vertanical’s managing director and also the CFO – in that role I am responsible for strategic finance and controlling.

Even before this point, you’ve had quite an interesting career. Can you tell us about it?

After I completed my degree in mathematical finance, I spent four years working in the financial and banking industry. Then – with a few exceptions – I continued working in this sector during my nine years as a McKinsey consultant. While the specifics of each case varied a lot, risk management was a constant throughout my studies and working life. To a certain extent that’s still true today, although my focus and the sector I’m working in have both changed.

What are your biggest goals and challenges now?

Making Vertanical successful, of course. We already have a variety of products on the market, but we would like to expand both our geographic footprint and our product range.

What is Vertanical’s approach to OT security? Are there special challenges that you focus on in your business?

OT security is a key issue for us. We control our entire value chain – in other words, we have our own cannabis farm, production plant, and sales system. Security plays an especially large role in cultivation because the cannabis plants that provide the active ingredients for our products are grown in carefully controlled conditions. We also do research at this site, which covers several thousand square meters, and, of course, our production facilities must meet the highest security and quality standards. All this means that security is a central concern for us – not just in terms of OT security and product safety, but physical security as well.

You can imagine that there are quite a few people out there who would love to break into our farm. The employees there follow strict security rules, such as using access control systems and wearing special protective suits. And these suits don’t have pockets – a measure that can be seen as a precaution against insider threats. It’s important to remember that our raw materials and products are controlled substances. That means we have to meet high security standards.

All drug manufacturers are required to comply with current good manufacturing practices, which include standards for data security and cybersecurity. In Germany, many pharmaceutical manufacturers are also subject to laws on critical infrastructure, which regulate areas such as IT security management systems. By following these regulations, we also protect the control systems for our production equipment.

You have already mentioned that you have worked intensively in risk management. Recently, Dale Peterson praised an article you wrote on cyber risks and a risk-based approach for prioritizing them. Could you tell us about that approach?

At every company, C-level managers want to understand how well their organization is managing cyber risk – and not only because the investment involved is so high. The risk-based approach to cybersecurity primarily means setting a focus and priorities. Cybersecurity is a complex and, in some cases, highly technical field. But not getting it right can have enormous consequences, including production outages, a damaged reputation, or pressure from regulators, including high fines. For this reason, it helps to understand cybersecurity in terms of business risk and to concentrate on the elements that significantly impact how high that risk is.

Many of our customers are SMEs or part of small corporate groups. What could a risk-based approach (rather than maturity-based methods) mean specifically for companies like these – for example, a medium-sized drugmaker or machinery manufacturer?

An approach based on maturity levels is useful initially or in conjunction with a risk-based approach because it helps in determining the status quo and formulating a potential vision. A concrete risk-based approach, in turn, could involve identifying the most critical information assets, IT assets, and production processes. You can use this information to analyze the level of protection in each case and identify where it needs to be improved. But while this technological understanding is important, the human factor – employees’ awareness of cyber issues – matters just as much (and creates the proverbial “human firewall”). Clearly defined roles are also essential. And since this topic is not the top priority for many companies, some organizations buy cyber insurance to mitigate some of their risk or are exploring whether doing so would make sense.

Do you regularly hear claims about cybersecurity that you feel are inaccurate or half-truths?

Yes! I often hear statements that companies spend (or should spend) x percent of their IT budget on cybersecurity. They are half-truths because calculating statistics like these depends on assumptions that don’t apply equally to every company – or even every company in the same sector or of the same size. These numbers can trigger a useful dialog at the management level, but I think basing budget decisions on them is a mistake.

Mr. Merrath, thank you for the interview!

Please remember: This article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing, or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts, and we welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.