Information Security

Defending the digital infrastructure


Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Interview: CISO Adrian Seccombe on Eli Lilly from FIPCO to FIPNET

In this interview, CISO Adrian Seccombe discusses how Eli Lilly went from FIPCO (fully integrated pharmaceutical company) to a FIPNET (fully integrated pharmaceutical network, the importance of collaboration and the work of the Jericho Forum.

In the four years since it was founded, the Jericho Forum has promoted a new approach to information security, one that takes into account that traditional hard boundaries between the company and the rest of the world are fast dissolving. Adrian Seccombe, CISO and senior enterprise information architect at pharmaceutical giant Eli Lilly and a Jericho cofounder, explains how Jericho principles are put into practice inside Eli Lilly.

Adrian Seccombe

What has been the catalyst for change in your business?
At the start of 2008, our CEO announced a new strategy that would make it a more distributed operation, working with partners in all areas of the business. He said it would take Eli Lilly from being a FIPCO (fully integrated pharmaceutical company) to a FIPNET (fully integrated pharmaceutical network). Becoming a FIPNET means we are going to leverage external competencies and network externally, and collaboration will be the primary driver of our organization.

How do you keep risks under control when sharing information with outside organizations?
We are taking [Jericho's] Collaboration Oriented Architecture (COA) framework and implementing it. In the past, outsourcing has always offered a way to deliver lower costs but it's not something we have been able to deliberately engineer to be more secure. Adoption of COA principles allows us to do that.

But I want to emphasize that the FIPNET is not an IT thing. It is a business objective of Eli Lilly. It is a recognition that we can do more by working with outside organizations than we could deliver by ourselves.

With such a focus on information assets, how you are classifying and managing information?
We use Microsoft SharePoint as one of our key collaboration tools. We are putting up identity federation models and have already built into SharePoint a classification framework based on one from the G8 countries. It is a traffic light protocol using four colors: white (public), then green, amber or red (depending on level of sensitivity).

Every time someone saves a record into SharePoint, classification is a required field. And we know that for most of the time, it is going to be green. It is the responsibility of the person storing the field to change from the default setting of green to amber if for example they spot intellectual property or Social Security numbers that warrant a higher classification.

Many are skeptical about information security ever becoming a business enabler. What effect will this have on Eli Lilly's business?
One of the brand pillars of Eli Lilly is reliability and trustworthiness. If we can move to becoming a FIPNET--driving lower cost and more flexibility, while maintaining or improving our trustworthiness and reliability--then if that is not a business enabler, I don't know what is.

If the organization can start doing things much more cost-effectively in a manner that is much more secure than their competitors, that is a big advantage. It is all about deriving value from your information assets at an acceptable level of risk.

Read the full interview with Adrian Seccombe, including a full explanation of the Jericho Forum's COA, at

Article 14 of 16

Dig Deeper on Information security policies, procedures and guidelines

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

Get More Information Security

Access to all of our back issues View All