Continuing the tradition of improving lives through innovation for more than 150 years takes effective business and security management. This is true for Bristol Myers Squibb (BMS), one of today’s leading global pharmaceutical companies.
Founded in 1858, the company has made a lasting commitment to “discover, develop and deliver innovative medicines that help patients prevail over serious diseases” in the following areas: cardiovascular disease, immunology, oncology and hematology.
Headquartered in New York, BMS has more than 30,000 dedicated employees, all of whom bring unique skills, insights and passions to the work they do for patients every day. As a science-driven company that works in the public interest, BMS has further made a strategic commitment to address and accelerate diversity, equity and inclusion at the executive level globally and double executive representation for Black and Latino/Hispanic executives in the U.S. to better reflect the patients and communities it serves around the world.
Committed to women’s advancement, diversity and inclusion, BMS has been recognized by Forbes as one of America’s Best Employers for Diversity, by Working Mother’s Top Companies for Executive Women, and by Disability:IN as one of the Best Places to Work for Disability Inclusion. In 2015, the organization achieved gender parity and continues to grow in the representation of women in the manager and professional categories. The company is on track to achieve global gender parity at the executive level by December 2022. In addition, as of December 2020, BMS’ Board of Directors contained 35.7% female leaders, 14.3% of which are Asian American and 14.3% of which are Black/African American.
Perhaps even more unusual for a company is to have the following three women leading the historically male-dominated security field:
- Amy Lyons, Head of Corporate Security
- Noreen Gleason, Executive Director, Business Continuity, and Corporate Event Response Team Lead
- Sydney Klein, Chief Information Security and Data Officer
All three women are proud champions of the company’s global diversity and inclusivity program. “BMS has made diversity and inclusion a priority. It’s woven into who we are as a company. To best serve the company and our most important assets — our people — we need to bring in different people of different backgrounds and experiences,” Lyons says.
Photography by Robert Bruschini
Lyons, who holds a Bachelor of Science degree in psychology, dedicated 25 years to law enforcement, holding several roles as a Special Agent with the Drug Enforcement Administration and leading the Federal Bureau of Investigation (FBI) and ending her career leading the Internal Inspection Division. There, she oversaw all compliance and ethics investigations and risk-based program inspections.
Prior to joining BMS, Lyons was looking for a different role outside of the FBI. She was contacted by former Deputy Director of the FBI and BMS Head of Security Tom Pickard, whom the BMS General Counsel had asked to bring in a woman to Corporate Security (CS) with the experience and skills needed to succeed in Pickard’s role. “This intentional effort to diversify CS allowed me to have the opportunity to interview and compete fairly for the role. I’m very grateful and fortunate to have had that opportunity.”
Before her arrival, there had never been any women in CS. Recognizing the role a more diversified leadership team can play in the success of organizations, Lyons encouraged two of her former FBI colleagues, Gleason and Ken Moore, an African American senior leader, to join BMS. She has deliberately hired and promoted women and diverse individuals into different roles within the organization, as well as advocated for increased female leadership. “Fostering a diverse workforce that is highly skilled, competent and committed brings fresh perspectives and approaches to fulfilling our mission of maintaining a safe working environment for our workforce and visitors, as well as providing safeguards for the company’s assets and protecting patient safety,” Lyons says.
Trusting three women to lead security, Lyons says, is an excellent example of how BMS has put its words into action. Because of these deliberate, conscious decisions to hire and promote talented female and other diverse minority leaders, Lyons says, a solid, traditional corporate security program has become an embedded program that is continuously sought out and charged with conducting risk assessments for key stakeholders and business functions. “Stakeholders see the value in it. We help the business make sound decisions on how to execute its mission while minimizing risk. We hire highly qualified people that are aligned with our company values to have the best approach to security.”
Three female leaders, Lyons, Gleason and Klein, tell their unique stories about making inroads into managerial positions; how they are leading and forging long-term successful careers at BMS; and how they support and cultivate their teams to make diversity, equity and inclusion mainstream — and not just a talking point.
Amy Lyons – Head of Corporate Security
As Head of CS, Lyons directs enterprise-wide security programs to address emerging threats in today’s multifaceted business environment impacting patient safety and to safeguard the company’s assets, people and most sensitive information.
Joining a mature security program, Lyons set out to transform CS into a true business enabler, supporting agility, innovation and growth as well as deeply embedding a competitive edge into the organization. The 'Centers of Expertise' within CS include physical security, investigations, supply chain and illegal trade, threat intelligence and also the Global Response and Operations Center (GROC) — the nucleus for Bristol Myers Squibb physical security operations. Like most traditional programs, the security of people, sites and assets is paramount to BMS's operations, but at BMS, these responsibilities go well beyond the norm.
“What we strive to do is to enable the business to accomplish their missions by evaluating the security risk to company operations and recommending risk mitigation best practices,” Lyons explains. “This is why building the Global Security Risk Intelligence Program (GSRIP) was so important. We built an intelligence-based security program to best evaluate risk and address the multiple security risks the complex pharmaceutical industry faces.”
The intelligence-based strategy allowed CS to be more embedded within the business rather than operate in siloes. “We are now using data in a much different way than ever before. In the GROC, we map and track our critical supply chain routes, sites, and partner sites, gathering and analyzing risk intelligence, such as natural disasters, civil unrest, disruptions within the roadways, or terrorist activity to assist business leaders in operational decision-making. This information is used to protect business travelers as well. We have improved security risk management, and in turn, improved BMS operations and effectiveness,” she says.
The GSRIP supports BMS's Centers of Expertise and the Business Continuity Management program. Protecting patient safety is a company priority, and the GSRIP plays a significant role in that responsibility. This begins with a product risk assessment to evaluate the potential for products being misused, counterfeited, or diverted. Based on this assessment, product packaging safeguards are determined by the business, which reduces the risks to patients and makes BMS products less susceptible to criminals seeking to counterfeit products.
Product counterfeiting poses a significant global risk, causing harm to patients. In turn, this can lead to an erosion of trust and confidence in the brand and the healthcare space. Lyons explains, “To address product counterfeiting, BMS has an integrated Supply Chain Integrity team led by Quality Manufacturing to unite all aspects of product surety to address this challenge. Security technology for packaging and products is critical to make them less vulnerable and identify falsified products. The Security Illegal Trade team plays the lead role in investigating alleged counterfeit products and the transnational criminal organizations engaged in this activity. This team conducts global intelligence-led investigations to assist law enforcement in the prosecution of these criminal organizations. After identifying and confirming a counterfeit product, an investigation is initiated. A high-value target package containing valuable information, including: where the counterfeit medicine was discovered; how it was sourced; the differences in packaging; and other intelligence is assembled. Since counterfeiters typically fabricate products from many companies, often, this information is shared with other pharmaceutical companies’ investigators to share intelligence to 'connect the dots,' thereby stopping this dangerous activity more rapidly,” she says.
CS maintains active membership and participation in the Pharmaceutical Security Institute (PSI), a non-profit organization dedicated to protecting public health, sharing information on the counterfeiting of pharmaceuticals and initiating enforcement actions through appropriate law enforcement. Lyons, who sits on the Board of PSI, says, “We work very closely with PSI to share intelligence, data analysis and engage in private-public sector cooperation. In this way, PSI serves to coordinate industry-wide intelligence and investigative efforts, as well as assist in international inquiries.”
Through BMS's Online Brand Protection Program, CS partners with the Law Department Trademark Team to conduct open-source internet monitoring for the unauthorized sale or advertisement of key BMS products, often by on-line pharmacies. “When we identify trademark violations by on-line pharmacies, we send cease and desist letters, and if they are resistant and do not take the site down, CS will investigate these sites. Often these medicines are diverted or falsified products, and controls to maintain the product integrity are ignored,” Lyons says. “We’ll investigate to understand where that product was sold and identify if there was a breach in our supply chain through one of our distributors.”
As part of stifling illegal trade, BMS also relies upon a comprehensive supply chain risk management program in which risk assessments are conducted, and mitigation recommendations are provided to the business to strengthen ‘cradle to grave’ security controls. This includes conducting background and reputation checks of potential distributors, buyers and waste destruction facilities to deter the potential for counterfeit, stolen or diverted product entering the supply chain.”
A new initiative for the investigations group is the Workforce Risk Analysis Program — a cross-functional group comprised of CS, Cybersecurity, Employee Relations, Legal and Medical. Working in partnership with key stakeholders who confidentially share concerns related to the workforce, the program is designed to heighten efforts to identify and mitigate risks to the wellness and safety of BMS employees. The program develops a proactive and responsive operational model to identify workforce vulnerabilities and responds to identified concerns via an integrated response plan.
Establishing strong and supportive partnerships both internally and externally is essential to successful security and business continuity operations. “Noreen, Sydney and I have a strong working relationship. We recognize that we are most effective when all stakeholders have established a trusting partnership and delivered the expertise of our teams to generate positive results, to protect our patients, workforce and the reputation of BMS. I am proud of that partnership. Not all companies have this smooth convergence of roles, but we do it well,” Lyons says.
Lyons is a believer in hiring diverse talent and empowering employees to do their job. “Hiring great talent and building on their strengths so they can advance their careers has allowed all of us to demonstrate the unique value that we provide to the business. We are fortunate to work for a company that makes diversity a priority.”
In addition, Lyons is a fierce believer in taking traditional leadership models and turning them upside down. She subscribes to the 'servant leader' approach. She says, “This is the key to accomplishing the organization’s mission. I believe that my role is to serve my team first. I hire very talented people, and I then help further build upon their expertise, so they are equipped with the right skills to excel in their roles and grow professionally.”
Building a reputation for valuing differences, backgrounds and perspectives has helped attract highly-skilled leaders to her team that includes racially and gender diverse veterans, LGBTQ, and differently-abled individuals who have helped enrich and carve out a best-in-class team in CS, especially in the private sector.
“Women are underrepresented in the security industry. What we have done at BMS and CS shows that women and diverse individuals can and should pursue careers in the security industry. We have certainly paved the way,” Lyons explains. “The opportunities are absolutely there. I highly encourage people to develop their expertise, network in diverse industry associations and programs, and build trusting and lasting relationships. Lastly, set high aspirational goals and develop a plan for achieving them because a career in security is very rewarding.”
Noreen Gleason – Executive Director, Business Continuity, and Corporate Event Response Team Lead
After serving as a substitute teacher, Noreen Gleason was forced to reevaluate her career trajectory. Growing up in a very disciplined home with a father who had served in the military, she knew she possessed a calling and passion for law enforcement.
Shortly after Gleason graduated with a degree in education and exercise physiology, a New Jersey State Police class opened up. “I applied and passed the tests required to be accepted into the academy class. I was a state trooper for seven years, and it was challenging for several reasons,” Gleason says.
After recognizing she needed to seek different opportunities, Gleason joined the FBI in 1991 as a Special Agent, where she investigated and led high-level, transnational organized crime investigations. Bound by federal law at the time, however, the FBI could not offer Gleason and her partner the same work-family benefits and support for their daughter that other employees were entitled to. “I loved my job and was committed, but we needed more benefits.” As a result, Gleason retired from the FBI after more than two decades with the organization. “Coincidentally, my retirement day was also the day I could finally obtain benefits from the federal government after the Supreme Court announced marriage equality,” she recalls.
Gleason left the FBI to join the BMS CS group as Director of Operations. “For quite some time, Amy asked me to join the team. She said, ‘This company is diverse, and there are great opportunities for women. There are great opportunities for everyone.’”
The transition to BMS and the private sector was smooth, Gleason says, because the organization’s mission resonated with her. “My purpose and mission have always been to protect and serve. At BMS, I get to protect and serve all assets so patients can have safe and secure access to their medicines. I am truly delighted to be here and make an impact in the communities we serve. The company and its organizational culture embrace inclusivity and diversity, and I couldn’t be happier to be part of this culture and mission.”
Lyons directly hired Gleason for her extensive experience and skillset in investigations. In her role, Gleason oversaw cybersecurity threat investigations and regularly performed security risk mitigation strategies designed to reduce cost while ensuring personnel, facility and product safety and security. Gleason was also responsible for periodically aligning with her cross-functional partners and developing and implementing a successful insider threat program and company-wide workplace violence prevention and preparedness program.
In 2017, after Hurricane Maria — a Category 5 hurricane that resulted in $90 billion in damage — Gleason coordinated sending BMS employees in Puerto Rico critical supplies such as generators, water, food and money and helped them get back on site. Operations for large manufacturers and crucial pharmaceutical companies came to a halt after Hurricane Maria devastated Puerto Rico, which accounted for 25% of total U.S. pharmaceutical exports, valued at $14.5 billion, in 2016. “Ensuring the continuity of operations was key to avert shortages of medically necessary products. We followed emergency procedures that enabled us to maintain adequate inventory at manufacturing sites to ensure a reliable supply of medicine for patients. But, just as critical was the health and safety of our employees in their time of need, to include the restoration of electricity, food, water and critical supplies during this crisis,” Gleason says.
In the aftermath of the disaster, numerous questions and gaps emerged, Gleason explains. “We identified, documented and analyzed all lessons learned. The upshot of this process resulted in the creation of the Corporate Event Response Team (CERT) — a group focused on prevention, response and recovery of significant risks and enterprise crises.”
Since the creation of CERT, the team, comprised of 40 subject matter experts working toward recovery and response to a crisis, has become the go-to organizational leader for recovery. The decision-making entity has full access to, and support of, BMS Chief Executive Officer Giovanni Caforio and the leadership team.
Since January 2020, Gleason has led BMS’s Business Continuity Management (BCM). “Business continuity is the business process that prepares the company to keep our products and services, and therefore our revenue flowing under extremely adverse circumstances such as natural or manmade disasters, pandemics or civil unrest,” Gleason says. “We monitor the disruption of IT services, workplace disruption, workforce disruption and supply disruption. If a disaster impacts manufacturing, commercial operations, supply chain or research and development, CS and BCM play an integral role in supporting on a local, regional and corporate level with initial guard response and coordination with law enforcement and first responders, both during the initial crisis as well as through the recovery phases.”
An integral aspect of the BCM program, Gleason says, is to ensure problem-solving and decision-making addressing significant risks and issues by identifying, documenting, resolving, communicating or escalating to senior leadership when appropriate. “We proactively identify and facilitate risks, mitigations, resolution and escalation of issues while tracking and communicating the status of the risk to key stakeholders, including the leadership team. Collaborating with key stakeholders and recommending strategic direction to develop a clear strategy, approach and plan are absolutely critical.”
Gleason, who also leads CERT, says, “During the pandemic, CERT has more than proven its value to the company. We became very well known for making risk and science-based recommendations to leadership, which led us to be a trusted entity. By following the science, we developed trust and transparency with leadership and with BMS employees. And, as a science-based company, trust and transparency were absolutely a core value to us, especially during the pandemic and a tumultuous presidential election.”
In managing such a complex and rapidly evolving situation, Gleason says, the health, well-being and safety of the BMS workforce were always a priority. “We followed data to make decisions and guide our principles to moving to remote work and taking the highest precautions to keep our essential workers onsite to ensure we continued to meet the needs of our patients,” Gleason explains. “Similarly, we are using data and science to take a carefully crafted approach to return our workforce to our sites, based on local conditions, government and health authority guidance.”
Through it all, Gleason concentrates on leading with transparency, courage and vulnerability. “I think [transparency] shows vulnerability to our teams that tells them we are in this together. In turn, that motivates them to bring their best to work every day as well as keeps them engaged in our mission,” she says.
She also believes in storytelling to keep people engaged. “This is a true calling, and I liken it to the same mission in the FBI; therefore, I need people to stay utterly engaged and motivated. To boost employee engagement, I use storytelling principles to promote our mission and values, as well as communicate effectively how critical all employees are to achieving that mission. Leaders need to connect with their teams to build trust, but as a leader, it’s also critical to understand the unique strengths and weaknesses of your team,” Gleason explains.
Implementing a culture that values and constantly assesses strengths and areas of improvement goes a long way in fostering engagement, Gleason says. “Allow them to learn and grow, create opportunities for development and make everyone feel valued and appreciated, especially during a crisis.”
As an LGBTQ+ female leader, Gleason says, she has learned to build relationships with mentors and advocates. “You must have an excellent support system and diverse network to bring each other up. It’s also important to gain competitive edges by developing and cultivating your skillset to add value to your team and to the enterprise,” she says.
Having this robust support system and leaders who can serve as mentors can help pave your career. “A mentor can be a powerful way to not only accelerate and boost your leadership skills, but to assist you in tapping into your knowledge, experiences and skillset to take on different executive and leadership roles,” Gleason says. “That mentorship relationship is incredibly valuable. You need advocates and mentors who can help you determine what your role entails and how you can help expand your value as well as the organization’s value.”
Sydney Klein – Chief Information Security and Data Officer
According to Sydney Klein, her entry into cybersecurity was a happy accident. “When I graduated from college, cybersecurity wasn’t a field,” she adds.
After receiving her Bachelor of Science degree in Integrated Science and Technology with a double concentration in Information Knowledge Management and Health Systems, Klein joined Capital One Financial, where she led various programs, including business information security, information assurance third-party management, application security, payment card industry data security standards and cyber incident management.
It was at Capital One where she found cybersecurity, Klein says. “At the time, information security was a very new field, and the program just consisted of firewalls and access management. For me, it was an opportunity to be part of a program from the ground up, and no one had done it before.”
After nearly 19 years of professional growth at Capital One, Klein realized she was looking for a different role. “I bought a journal and started writing. What are the things I’m passionate about? What are the things I’d like to focus on? And what industries am I interested in? After soul-searching, BMS called — they checked every single one of those boxes. BMS exceeded all expectations I would have,” she says.
The interview process convinced Klein it was at BMS that she could find a true sense of belonging and a true passion. “At that time, I had not worked for a company that had women on the leadership team. During the interview process, not only was I surrounded by a real diverse panel composed of BMS General Counsel and Chief HR Officer, who are both women, but it was one where I got to see the leaders of the team interact together. The respect, passion and energy that I felt were addictive. I found a sense of belonging, and I fell in love with the culture of BMS and their commitments to inclusivity, equity and diversity.”
Joining Bristol Myers Squibb in 2018 as Senior Vice President, Chief Information Security Officer, Klein has had the opportunity to evolve her career. Her role now as Chief Information Security and Data Officer is a combination of two roles in the cybersecurity space, and the first of its kind. Klein credits Chief Information Officer Paul von Autenried, whom she reports to, for having a vision of cybersecurity and data coming together, positioning the pharmaceutical company for success in the rapidly evolving digital age. “It’s two different sides of the same coin. Our goal in cybersecurity is to have a well-balanced approach that enables the company to discover, develop and deliver lifesaving medications for our patients. Both the data and security aspects of that strategy are critical,” Klein explains. “Like Amy and Noreen, I work across the organization, from a risk management perspective, to ensure the company’s information assets and operations are reliable, accessible and secure to truly protect our assets and serve our patients.”
Now that there is a great appreciation and understanding for the cybersecurity threats that may impact the enterprise, companies regard cybersecurity as an enabler, rather than a policing function within the organization, Klein says. “Now, it is easier to communicate our message and to do so in a way that encourages employees to understand that they are the first line of defense.”
One silver lining of the pandemic, according to Klein, is that it has allowed the best sides of BMS to come out. “The pandemic has allowed us to partner together on decisions that impact our entire enterprise, from the supply chain to our patients, to the principles and values that we hold very dear in the company,” she says.
Devoted to leading with kindness, Klein carefully fosters a workplace culture of setting employees up for success by focusing on transparency. “Building a team is a two-way street, so treating everyone with respect and providing them transparency empowers them to do their best work and helps build a sense of community. Through kindness and transparency comes empathy and accessibility.” When leading through a crisis, empathy goes a long way, Klein says.
Klein dedicates much of her time fostering a sense of inclusion and a diverse environment that hires and promotes people who typically come from tangential industries, roles and experiences. “I have the great honor of sponsoring our IT Diversity and Inclusion Council and serving as a member of our company's Diversity and Inclusion Council. We hear several estimates about the cybersecurity skills gaps and the global demand for those skills that exceeds our current supply of qualified individuals,” Klein explains. “I’m a big believer in a growth mindset and in hiring somebody for great potential. Consequently, we’ve made numerous changes in how we hire and develop leaders who come from tangential skillsets, especially those who can be excellent cybersecurity and risk management leaders.”
Klein says that hiring for diversity of thought, background and experiences has helped expand cybersecurity preparedness and response. “No company can successfully defend against cyberattacks on their own, so we have focused on enhancing our defenses by focusing on inclusion, diversity and collaboration across the industry,” she explains. “We are regularly in contact with all the chief information security officers at peer companies. There’s a focus on how we can have intelligent sharing, which the healthcare industry does well.”
The global, non-profit, member-driven Health Information Sharing and Analysis Center (H-ISAC) supports this sharing and focuses on fostering relationships and networking. Leveraging all community members helps enable timely, actionable and relevant information to be shared with all members, including intelligence on threats, incidents and vulnerabilities and data such as indicators of compromise, tactics, techniques and procedures (TTPs) of threat actors, advice and best practices, mitigation strategies and other valuable material. “We not only have the support of H-ISAC, but we are also supported by each other. It’s a wonderful entity that exists,” Klein explains. “It’s one that I felt immediately welcomed into, as I come from the financial services industry — where it’s common to operate with confidentiality.”
It’s networking that has allowed Klein to advance in her career and become the leader she wants to be. “When I reflect on my career, I did not have a destination in mind. I always have had the support of my peers, and they have been my biggest advocates, encouraging me to go after different roles. Let people know that you’re open to feedback — it allows people to be transparent, and that can have the potential to change the trajectory of your career. Allow yourself to be vulnerable, let people in and be open to possibility.”