Corporate Security

How a Multinational Pharmaceutical, Chemical and Life Sciences Company Built a World-Class Security Strategy

We recently sat down with an industry-leading Security Manager at one of the world’s largest pharmaceutical companies to learn how he’s using technology to improve the organization’s security processes to help them capture, report on and investigate incidents around the world. Over its long history the organization acquired several companies, which not only means that they’ve grown their portfolio and expanded global reach, but that their security programs would have to be updated to keep up with the changes. That’s where Resolver comes in.

The security team is on a mission to create a risk-aware culture that ties incidents to risk, enabling the them to align the impact of their work to business goals. How do they do this? By providing quarterly risk reports to the business that highlight business risks as they relate to incidents. These reports are delivered to the designated risk owner who then decides whether or not they are in a place to accept the risk or make a change. This is just one step in their process to move toward an integrated approach to risk, combining security, audit and compliance. 

Before you started using a single solution to manage security, what did the security process look like?

The acquisitions meant that there were different processes, systems and services in place and from a corporate security perspective, we didn’t have the global overview of what was happening around the world at their various locations necessary to make actionable decisions for improvement. We didn’t have big picture insight of the specific incident types that were taking place in the different cities and countries, or the unique risks that were happening in each location.

Our corporate security team is headquartered in one central location which made it even more challenging to get insight into the security operations globally. We implemented a “Global Security Network”, which meant that each location had local site security officers, as well as product crime officers. The people on the ground were responsible for managing the day-to-day security of each location and report to their local EHS team. This became another barrier for our team. Each location had their own way of recording incidents and creating reports. But for the most part, the systems in place were outdated and not user-friendly so incidents most likely weren’t being accurately captured, if they were being captured at all. There weren’t any guidelines in place to enforce if and how incidents were captured, so we had limited oversight into how global security operations was running. Aside from the sporadic data and general lack of insight, the various systems across the different locations were also very expensive to keep running.

This lack of incident visibility exposed our business to significant losses from intellectual property theft, counterfeiting and supply chain disruptions.

What was the first thing you noticed when you moved to a unified security solution? 

After implementation, it appeared as though incidents had increased by 100%…because we could confirm that we were accurately tracking them. Now that the entire security team is using the same data structure, we’re able to review the data and provide more impactful and actionable reporting.

100% increase in the number of incidents visible to the security team using Resolver’s Incident Management Software.

What data are you expected to be report on regularly?

For us, it’s imperative to be able to report the incidents, identify the root causes behind them, categorize the risk and determine whether or not there is an impact on the business. We need to be able to identify if there is financial damage and the countermeasures that could or should be put in place to avoid future incidents.

I encourage my team to look beyond the traditional corporate security function. We are always looking for ways that we can provide the most value to the organization. By connecting incidents to overall risk for the business, we’ve been able to create detailed risk maps that help to identify how incidents might be impacting the business. The risk maps highlight whether or not a product has been impacted by an incident and the potential financial impact of that damage, they look at whether or not a physical site has been affected and the cost of shutting down operations at that location.

By highlighting the potential risks and their effect on the organization, my team is providing insight and invaluable data to management. Management can view the risks, and the countermeasures that the security team put in place. This type of insight allows the security team to identify areas of improvement and ideally, overall incident reduction.

For example, we noticed that social engineering incidents had increased by 30% in China. We discovered that the root cause was that the employees in that office were not sufficiently trained for handling a social engineering call. So, our team implemented employee training programs that educated the team on social engineering and how to spot issues as they come up. After the programs have been deployed, we’ll be able to verify whether our countermeasures have been successful by analyzing whether or not the incidents have decreased.

With Resolver, they’ve been able to view all incidents that took place and the countermeasures that they’ve put in place to combat them.

How do you create a security culture in your organization?

Building a security culture is key to any successful security program. As we rolled out the new solution, we created an internal governance process that ensured the mandatory use of the solution, as well as outlined the overall governance expectations of the security team.

This has helped me to include a governance process and improve the overall security culture, because it’s an easier system to use and there are guidelines to follow so our team is able to actively participate in our security efforts. Resolver’s drop-down fields are much easier than the free text fields we were using. The team is empowered to go into the system and fill out the incident reports with ease. 

Request a Demo