Eli Lilly security finds strength in flexibility in WFH shift

CISO Meredith Harper shares the greatest challenges her organization faced in the wide-scale move to work-from-home and lessons learned that will outlast the pandemic.

Meredith Harper, Eli Lilly and Company
Eli Lilly and Company

As executives throughout the United States scrambled to send employees home to work this past spring, Meredith Harper already had a roadmap for action.

That’s because Harper, who as vice president and CISO at Eli Lilly and Co. oversees the pharmaceutical company’s global cybersecurity program, had gone through the process just weeks earlier with the firm’s China-based workers.

Still, Harper had a significant task to tackle: The Indianapolis-headquartered company employees approximately 34,000 people worldwide and engages a host of third-party partners in the countries where it operates.

The scale and global aspect of the company’s shift to a widescale work-from-home environment, as well as the speed required to do it, was far from typical CISO responsibilities — even for a security chief at a global organization. Still, the work offers lessons that transcend the pandemic and can inform security programs moving forward.

Harper recently spoke to CSO to share her approach to managing the company’s global security function at scale during this year’s extraordinary events.

CSO: What were your priorities for workers as a CISO responding to the pandemic?

Harper: We wanted to make sure that we were protecting their safety first and foremost, then we wanted to make sure we were providing them opportunities to continue to do their work, because, at the end of it all, we have patients who rely on us. So how then do we position ourselves to be in a place where we can continue to do that? That was really the first part of our thinking: How do we protect our team members and how do we give them access to do the work they need to do?

How did Lilly’s global footprint affect your decision-making process?

Lilly was actually one of the first organizations within the Indianapolis market that decided to [move to a] work-from-home environment. We actually made that decision on March 8 or so, which is when we started.

Luckily our team had been paying attention to what was happening in other geographies like China. We have teams that work in that area, and we had already shifted them to work-from-home, so we knew eventually this would find its way to the U.S. and we would have to do something very similar. We had been preparing for weeks, looking at things from a people, process and technology perspective.

[We were asking] how do we, one, provide the right level of technology and access and, two, how do we make sure if we have to shift or change processes in any way that that doesn’t impede us from moving quickly and then, three, how do we train, educate and make people aware of the increased threats in this pandemic.

What were the biggest security challenges for your global organization?

Lilly was no different than others. We had to look at whether we had the right infrastructure for the load as we went from an instance of having a few thousand people accessing the VPN on any given day to tens of thousands of people accessing it on any given day. So, we had to deal with the bandwidth issue; we had to prepare ourselves to make sure that our infrastructure could actually handle all of the access that needed to happen.

We [focused on giving] people the most secure access and monitoring to make sure that when they’re accessing the network there’s no exposure or threat to that particular access.

We focused on what types of data they were accessing and then what types of access our third parties have — because most of them do have access to our networks and if their security postures are not strong, could they be a vehicle for those threats?

We talked a lot about the controls to put in place, [for example] asking whether we were going to allow people to print or not to print — basic things that we don’t think about when we’re in an office environment but now that you’re moving people home you have to talk about.

We talked about training and awareness, what we now have to offer to team members working in a different environment; we wanted to make sure they have a heightened sense of security.

Then Lilly, very similar to most organizations, looked at what I consider to be some of the very basic hygiene things, [such as] our patching schedule and how well we’re doing against that schedule. Lilly has always done really well in that space, but I wanted to ask how we could accelerate some of those things so there weren’t additional vulnerabilities that could be exploited.

As CISO, how do you tackle this not only at scale but also across national borders?

There are always so many moving parts, whether we’re in a pandemic or not; there are so many moving parts when you’re working for a global organization in a CISO role. One of the things I think we do well at Lilly is that we have a really strong partnership between our technical environment, our regulatory environment, our legal environment and our security team, and we stay in close contact.

All of those groups are monitoring, to a certain degree, individual geographies and the laws, the regulations and even the technology platforms and landscapes that might be different from the global nature of what we do.

So while there are some services and support we provide that are global, there are some instances where that’s not the case.

I rely on those close partnership to be able to funnel those nuances to me so I can make adjustments to our security strategy.

In addition to that, we have an engagement model that we’ve leveraged across our organization; we have security and business advisors across the globe who actually sit within our business areas. They represent security and the business, and that gives us the ability to understand local considerations.

Can you give me an example of regional adjustments made to your security program?

Most of what we do in our security program is global because we’re looking at the foundational, what I would consider to be good hygiene — Are you patching appropriately? Are you providing the right level of access to the right individual? Are you terminating access when individuals no longer work for your organization? — things that aren’t based off of geography or anything cultural in nature, or even based off of regulations.

But when we’re looking at other things, for example, monitoring insider threats, there are some countries where we have to address their cultural and regulatory concerns. So when we’re looking in Germany and markets like that, where the privacy of the team member is paramount, there are adjustments that we have to make to those programs.

How did third-party providers factor into your pandemic response?

Lilly is no different than most organizations: We have relationships with third parties that support what we do [including] some of our core functions. We worked with those third parties to ensure that they were protecting their team members. In some geographies, like India, we were able to work with partners to help them to enable work-from-home for their workforce. That meant helping send devices to India to give them the ability to be mobile.

What were the biggest challenges in working with third parties?

When you looked at some of the contracts that we have traditionally written with our strategic partners and third parties, we didn’t always from a contractual perspective give them the ability to work outside of a defined work environment.

So work-from-home was not allowed per the contract.

We had to do a lot of review with our legal team and our procurement team to make sure that our contracts were flexible enough to send people home.

But even once we did that, because they were so used to working in a defined work environment, most of those third-party team members were working off a desktop. We realized that we couldn’t package up desktops and send them home. That’s where the whole logistical challenge came into play: How do we help get more mobile devices to these individuals so we can get them to their home environment?

Then, once they got to the home environment, there was an assessment that that third party had to do to make sure there was the right connectivity to actually be able to access the internet.

Some team members were living in smaller towns that might not have had that coverage from an internet perspective, so we had to work through that and ask: Do we ship some other devices to them? What are the plans?

We found that some of our third parties were not prepared to be able to send those team members home, and that’s what I hear from my peers as well.

But I believe in the future, if we ever get to a crisis where we have to do this again, I hope we learned that we should not hamstring ourselves by contractual agreements, that we should be prepared for mobility, that the devices we’re using are ready for mobility and that we train people appropriately, so they can do their best work in the most secure way.

What lessons did you learn that will inform your strategies in the future?

The need to be flexible and creative. The facts and threats and issues change quickly when you’re dealing in crisis situations, and you have to be ready to adjust your strategy whenever you need to. We can’t be so held to what we were doing in the past, because when the fact pattern changes, we will need to adjust.

I also learned about my team, that we are more flexible than we thought and that we can move quicker than we thought. I was very impressed with how the team accelerated a lot of work to get prepared for the pandemic.

There’s also an adjustment in terms of culture. We were used to being in one space, where I can go over to a desk and have a conversation and we can solution together. One of the things we learned about ourselves is remote work is an option for us. Now when we think about access to key talent that I wouldn’t typically have access to because they don’t reside in the Indianapolis area, we have now proven that we can actually have people from other geographies work for our team.


Copyright © 2020 IDG Communications, Inc.

Subscribe today! Get the best in cybersecurity, delivered to your inbox.