Interview: CISO Adrian Seccombe on Eli Lilly from FIPCO to FIPNET - Information Security Magazine

Interview: CISO Adrian Seccombe on Eli Lilly from FIPCO to FIPNET

In the four years since it was founded, the Jericho Forum has promoted a new approach to information security, one that takes into account that traditional hard boundaries between the company and the rest of the world are fast dissolving. Adrian Seccombe, CISO and senior enterprise information architect at pharmaceutical giant Eli Lilly and a Jericho cofounder, explains how Jericho principles are put into practice inside Eli Lilly.

Adrian Seccombe

What has been the catalyst for change in your business?
At the start of 2008, our CEO announced a new strategy that would make it a more distributed operation, working with partners in all areas of the business. He said it would take Eli Lilly from being a FIPCO (fully integrated pharmaceutical company) to a FIPNET (fully integrated pharmaceutical network). Becoming a FIPNET means we are going to leverage external competencies and network externally, and collaboration will be the primary driver of our organization.

How do you keep risks under control when sharing information with outside organizations?
We are taking [Jericho's] Collaboration Oriented Architecture (COA) framework and implementing it. In the past, outsourcing has always offered a way to deliver lower costs but it's

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

not something we have been able to deliberately engineer to be more secure. Adoption of COA principles allows us to do that.

But I want to emphasize that the FIPNET is not an IT thing. It is a business objective of Eli Lilly. It is a recognition that we can do more by working with outside organizations than we could deliver by ourselves.

With such a focus on information assets, how you are classifying and managing information?
We use Microsoft SharePoint as one of our key collaboration tools. We are putting up identity federation models and have already built into SharePoint a classification framework based on one from the G8 countries. It is a traffic light protocol using four colors: white (public), then green, amber or red (depending on level of sensitivity).

Every time someone saves a record into SharePoint, classification is a required field. And we know that for most of the time, it is going to be green. It is the responsibility of the person storing the field to change from the default setting of green to amber if for example they spot intellectual property or Social Security numbers that warrant a higher classification.

Many are skeptical about information security ever becoming a business enabler. What effect will this have on Eli Lilly's business?
One of the brand pillars of Eli Lilly is reliability and trustworthiness. If we can move to becoming a FIPNET--driving lower cost and more flexibility, while maintaining or improving our trustworthiness and reliability--then if that is not a business enabler, I don't know what is.

If the organization can start doing things much more cost-effectively in a manner that is much more secure than their competitors, that is a big advantage. It is all about deriving value from your information assets at an acceptable level of risk.

Read the full interview with Adrian Seccombe, including a full explanation of the Jericho Forum's COA, at searchsecurity.com.

This was first published in July 2008