SC Magazine interviews Adrian Seccombe, chief information security officer at Eli Lilly

Feature by Paul Fisher

An Eli Lilly loyalist for almost 30 years and one of the world's most important CISOs, he still has a lively feel for innovation. By Paul Fisher

We meet in Guildford, one of those places many have heard of but don't really know much about, except that its cathedral once scared the pants off the young Damien in The Omen, it has a very good shopping centre and it's near London.

It's also on the edge of some of England's loveliest countryside, one of the reasons Adrian Seccombe made it his home in the 1980s to bring up his family, while still in his twenties. “We got our sprogging out of the way early,” he says.

Seccombe started his IT career as an electronic engineer with Ferranti Military Systems Division. After a stint with ITT's business systems division, he joined US pharmaceutical company Eli Lilly in 1980 as a telecommunications analyst.

Appointed manager of its telecom and technology development, Seccombe relocated with his family to work at the Lilly headquarters in Indianapolis. In the 29 years since, his roles at Eli Lilly have included: IT director, France; head of IT infrastructure, EMEA, Asia Pacific and Japan; global responsibility for client computing and collaboration services; development of its information risk management processes; and the global IT quality and security management teams.

His current role as global CISO at Eli Lilly, a $20bn pharma giant that designs and manufactures some of the world's most used drugs – for conditions ranging from diabetes to schizophrenia – makes him one of the most important CISOs in the world. That's about the revenue at stake, sure, but also about the absolute need to gold-plate the IP and information processes involved in saving lives.

“There's an awful lot of regulation in the pharmaceutical industry, especially around the manufacturing area. I have a dual role, chief information security officer on the one side, making sure we control the information assets, and then senior enterprise architect on the other, which is gaining the maximum value from them,” he says.

“I don't think too many organisations are set up like that. There is a tension, in that we need both to gain value from an asset and also to protect it. But it's an appropriate tension that we need to be driving in the industry anyway,” he says.

Although, as becomes clear, Seccombe is a huge enthusiast for Web 2.0 and information-sharing, he is acutely aware of the risks that they bring to Eli Lilly.

He says scientists now are as likely to use Twitter as anyone else. In the past, company secrets may have leaked out down the pub, but it really wasn't in the public domain proper. “But tweets – they're recorded, they're retrievable. That has interesting dynamics,” he says.

A company man – even though the interview is at his home, the gold Lilly badge is in his lapel – Seccombe is at the heart of the drive to make Lilly a fully connected business, internally and with the wider scientific community. One initiative is the Lilly-founded open research site, Innocentive.com. Seccombe describes it as a sort of reverse eBay: “You put a scientific problem out on the web, and the first person to solve that problem gets a financial reward. Basically, they're all out there racing to solve it and get the money for it,” he says.

It's the kind of thing capitalism does best – drive innovation and improve lives through competition and reward – but Seccombe has an even greater challenge: to transform the information culture at Eli Lilly. He starts to explain, in the intense but engaging manner that he has, the thoughts coming thick and fast.

“So, I don't know... one of the things I was mapping in my head is: what is the difference between Lilly then, and Lilly where we're going? We've actually got a strategy that's called FIPNet. We are moving from a FIPCo, a ‘fully integrated pharmaceutical company', to a ‘fully integrated pharmaceutical network'.

“The shift is to change the dynamic of thinking, from ‘we'll do it in-house and inside of our silo' to ‘we'll work with the outside world to interact and accelerate research'.” The cost of research for a blockbuster product (a drug with $1bn annual sales or more) is $150 a second.

The future is about making the most of networks and external knowledge. It includes Chorus, a “virtual platform for getting new molecules to proof of concept”, a systems biology hub in Singapore and “risk-sharing deals with Indian biopharmaceutical companies”. A lot of this new thinking depends on trusted networks – and the cloud. Ah, the cloud. What is the value of the cloud and, once and for all, how do you define this damn cloud and its benefits?

“Oh, I love that one,” he says. “Listen, I'm going to say it's translucency, a word that nobody has ever used in this context before; but it's how translucent is your vision of the services that you're actually abstracting from the cloud,” he says. As he enlarges on his theory, this choice of word starts to make sense – there is more to this cloud than just shifting data centres around. Here's his example: “You can get those disks from Amazon S3. I can say ‘I want a disk', and the disk appears virtually, which I can now consume. I don't know where it is – and I actually don't need to know, in many circumstances.

“But how can I make it translucent, how can I start not to care about it? And if it's being provided in a way that's fully translucent, I wouldn't even know the disk was from Amazon; I'd actually type into the little command centre and the orchestration layer would look around and find that Amazon is giving a good price, and so give me some disks from Amazon and maybe additional disks from some other organisations.

“But today I'd say we are at half-cloud; it's not fully translucent and if those disks fail, then I'm going to have a failure. But there are hundreds of clouds up and some are more translucent than others. So being able to force me to decide – is that cloud or is that not cloud? – I'm going to answer: it's a lever. Is it the future? Yes. Is it fully ready? No.”

As well as being able to theorise about what is and isn't the cloud, Seccombe is fully switched on to Eli Lilly's business, and claims he always has been. I suggest he is now transformational.

“Absolutely, in the past 29 years, it's been about driving IT to deliver value. From the very early days, I realised we needed to set it up properly, so that it didn't actually put at risk the value we were creating.”

Now he preaches what he practises. He has been working with Steve Schneider, head of computing at the University of Surrey, to deliver IT graduates with an understanding of information risk and compliance and security.

“I was rattling his cage a little too much and in the end he said, ‘well, come and do the lecture then'. We need people who actually have both sides. We don't need people with a black cap saying, stop, for every train leaving the station; we need people engaged in the building of the thing, so the train can always leave the station.

“Ten years ago, the mindset of security was about control and stopping people doing things. Indeed, much of our policy then was about disabling, not enabling. Most of these students are actually a little bit more technical- than business-minded, but each one of them knows they need to have some understanding of the business. IT is moving to being much more the transforming agent of change, rather than just taking orders,” he says.

“I'm sure you've heard this before, but it's about people, process and technology, in that order. The security model is not technology, process and people, but most organisations have still got it upside down and are trying to deal with security from a technology frame,” he says.

We have indeed heard it all before, but it never hurts to hear it again.

Seccombe enlarges on the opportunities of intelligently exploiting data once it is secure and using more of those human skills. It's all about information analytics. How, he asks, do we drill and get signals out of the noise, get information from the information?

“How do we enable the organisation to be the IT-literate organisation we need it to be, so that the information culture isn't just about the IT piece, it's about the whole of the organisation?

“We see that as our role: to make sure that we can drive social media skills and IT skills, the use of different techniques and technologies, across the whole organisation.” Big questions, big challenges – not just for Eli Lilly, but for business everywhere.

Which brings us nicely to the Jericho Forum's April 2008 position paper on collaboration oriented architectures, something Seccombe is closely involved with (he's on the Forum's board of management). It makes good reading, but isn't it just a published best-practice list – or simply commonsense?

“Well, the interesting thing is that when you look around, nobody is working with these architectures. I think they're the best things to talk about. If everybody was doing it already, then Jericho Forum wouldn't have a need to exist.”

Good point, but do any of the vendors listen to all this collaborative secure stuff? Do they understand that their products go out of date?

“Some of the people that I've found interacting with us do actually recognise that products go out of date rapidly anyway. If you're in the IT vendor industry and you think you've got the possibility of a product that you think is going to last ten years, you must have been smoking something!

“What we all need to strive for is the customer-centric architecture,” he says. “But many organisations are not thinking, ‘how do I architect it so the customer is going to experience it in the most effective way and the most secure way?'”

At Seccombe's house, one can't fail to notice the array of cool technology with which he surrounds himself, a lot of which carries an Apple logo. Presumably, he uses this for business and pleasure – a key part of the new secure architecture thinking must surely also allow for the consumerisation of IT or, more snappily, ‘bring your own device' (BYOD).

“Oh yes, I think it's an excellent thing, but that's basically because I'm a Mac bigot living in a world of PCs. I think it's a good thing, because you can actually drive down cost and drive up security. BYOD is a model that we're trying to set up in ways that say: ‘You know what, it doesn't matter what the device is, because we're going to give you a virtual desktop.'

“So there's a number of different ways we're searching for answers to enable that to be clear and pragmatic. I'm happier if I use my own device, because I normally buy it faster than anything that the company gave me,” he says.

We finish with a story of just how everything we have been talking about comes together in a real world example of people and technology and an application of emotional intelligence across the culture.

“One of our IT infrastructure people was hit by such a high rate of damaged and lost laptops that he came up with an innovation. The laptop owners were told that when their machines reached their official end of life they would be wiped, get a brand new OS and be returned to the employee to keep. You can guess what effect that had. When people have a sense of ownership, if you can move to a model where they're looking after their own stuff, it's going to be more secure: it's a by-product of human nature.” It seems as if Seccombe, after 29 years, is still finding that tension quite creative.
