Eli Lilly’s CISO Andrea Abell on Safeguarding Innovation in Pharma

February 20, 2025

By Bio-IT World Staff 

February 20, 2025 | Earlier this week at the ViVE conference in Nashville, Tenn., Bio-IT World editor, Allison Proffitt, sat down with Andrea Abell, Eli Lilly’s Chief Information Security Officer (CISO), whose mission is to protect the integrity of pharmaceutical research from inception to patient delivery. Together they discussed the critical role cybersecurity plays in Lilly’s broader goal of bringing life-changing medicines to market. 

“My mission is to secure [Lilly’s research] from the time that a researcher or scientist… has a concept or an idea for something that can make people’s lives better, to the time it goes to clinical trials, to the time that we are starting to manufacture it, to the time we’re putting it in to be approved until the time we are starting to make it available to patients. Through that whole iterative lifecycle I have to secure it,” said Abell. “From day one through day 1,000,001, I am responsible for security.” 

A Cybersecurity Journey Across Industries 

Abell brings a unique perspective to the pharmaceutical industry, having spent 17 years in the defense sector with Lockheed Martin before transitioning to media giant NBC Universal. At Lockheed, she became well-versed in cyber defense, intelligence-driven security, and the “cyber kill chain” framework, which anticipates and counters attacker tactics. 

Her tenure at NBC Universal exposed her to an entirely different risk model—one focused on consumer-targeted cyber threats. “Journalists are highly targeted by nation-states,” she said. She also learned how consumer-based attacks work. They often leverage assets that seem low-risk but can be exploited, like credit card validation systems,” she explained. That experience, she added, was instrumental in preparing her for the unique cybersecurity challenges in pharma. 

Protecting Lilly’s Expansive Ecosystem 

At Lilly, Abell’s role extends beyond internal data protection; she is also responsible for securing the broader Lilly ecosystem. This includes safeguarding intellectual property, ensuring the security of patient data, and managing third-party partnerships. 

“Very rarely are you able to just care about the things that you have control over,” Abell said. The moment you interact with a third party, you’re co-mingled. “It comes back to trust.” If someone logs into Lilly, they need to trust that their data and privacy are secure. And if we work with external partners, we ensure they uphold our trust standards, she said.  

Cyber Threats in Pharma and Life Sciences 

Almost two years into her tenure at Lilly, Abell identifies three major cybersecurity threats facing the pharmaceutical industry: ransomware and extortion attacks, nation-state espionage targeting intellectual property, and consumer-based fraud and data breaches. She also highlighted the challenges of securing legacy systems, which are common in healthcare and take longer to modernize, making them vulnerable to cybercriminals. 

The time it takes to uplift these systems gives adversaries more opportunities, she said. “As a community, we really have to continue to raise the bar and work together… We’ve got to make it better for consumers and patients,” Abell emphasized. 

Balancing Security and Innovation 

While security is paramount, Abell recognizes the need to foster innovation in pharmaceutical research. She firmly rejects the notion that cybersecurity should stifle scientific discovery. “I got into security because I love technology,” she said, “I want to be playing with the newest technology the same way everyone else is. My goal is never to shut it down.”  

The key to enabling secure innovation is to include security teams in innovation conversations early on—“shifting left”, moving the security conversation closer to the beginning of a timeline—and to be careful about which projects and assets are used for early exploration, Abell said.    

AI tools are particularly powerful, Abell said, for both for protection and attack. AI “is such an amazing tool in our wheelhouse; it is also an amazing tool in the adversaries’ wheelhouse,” she said. She reported that thanks to AI, dwell time of attacks is shortening dramatically. “The attackers [are] actually taking code and then having it customized within seconds to then be deployed within an environment.” The speed of cyberattacks means defenders have even less time to detect and respond to attacks. AI also accomplishes much more sophisticated social engineering as well, with much more deceptive phishing attacks and deep fakes.  

The speed of change, Abell said, can make employee training more difficult, but for the past two years at Lilly, AI has been incorporated into the entire organization’s learning goals. This culture of learning serves as a foundation for any training Abell needs. The entire organization is imbued with the idea of continuous learning: “What we did yesterday is not going to get us where we need to be tomorrow,” she said. That global messaging makes it easier to implement security changes when needed.  

For Abell and her team, their work and enthusiasm fit well in such a culture. “We're very energized by it. The pace of change is incredible, and I think that's the thing: every day you wake up and there is something new to look at,” she said. “It's a fun time to be in technology.”