Brown-Forman might not be a household name, but it would be difficult to find someone who doesn’t recognize at least a few of the company’s brands. Jack Daniels, Woodford Reserve Bourbon, Finlandia Vodka, Slane Irish Whiskey, Benriach Gins, and Sonoma Contraire Wines are just a few of the products Brown-Forman makes and sells across 170 different countries.
“Last year was our 150th birthday,” says Tim Nall, Brown-Forman’s Chief Information Officer. “The company was started by George Garvin Brown when he had the innovative idea to put bourbon in a glass bottle. It sounds pretty normal these days but, back in the day, that communicated to the consumer that we're all about quality.”
The company is now publicly traded, but it’s still privately held, with members of the Brown family on the board and the executive leadership team. “We get the benefits of being a publicly traded company, plus a really nice relationship with the founding family,” says Nall. “They're just as passionate as our employees are about our brands and community contributions.”
Putting the business first
Brown-Forman takes great pride in the quality of its products, chalking a lot of its success up to innovation. “We're a 150-year-old beverage alcohol company that is very tech-forward, very cloud-forward, very collaboration-forward,” says Nall. “We're always looking for modern technology to help us make, market, sell, and communicate with our customers, in real time, at scale.”
The company differs from some other technology-focused companies in one significant way, however. Instead of focusing on technology that makes life easier for IT teams, Brown-Forman looks for tech that will help the company reach its business goals.
“I try to get the IT team to think of itself as a service team for the rest of Brown-Forman,” says Nall. “When we bring in new applications and subscriptions, the impact they’ll have on our partners in the wider organization is of paramount importance to us.”
This hasn’t always been the case, however. When Nall joined the company, Brown-Forman’s IT team was focused heavily on projects that benefitted IT—improving its SAP system, for example. These projects are important, of course, but they don’t necessarily contribute to the overall success of the company.
Nall saw an opportunity to contribute to the company’s business objectives. “We're not a technology organization that sells technology products—we're selling beverage alcohol,” he says. “We could bring in new technology because it’s cool, but that's not our purpose. Our purpose is to help the business improve customer communication, manage our pricing with our distributors or our retail partners, and understand how effectively we’re using our marketing dollars.”
All-encompassing security
Brown-Forman also wanted to improve its security strategy. Like most legacy companies, it historically relied on firewalls and anti-virus software. As Brown-Forman increasingly turned to cloud-based apps, it began to accumulate other identity management products like Mobile Iron, Ping, and Quest. However, the company needed a comprehensive identity access management solution that would allow Brown-Forman to collaborate with in-house and retail partners while protecting its endpoints against breaches.
“Everybody was working on their devices in every time zone and every geography,” says Nall. “Logging on from a Starbucks, logging on from a hotel in Hong Kong, you name it. We needed to ensure our technology could be used safely, securely, and transparently in any location, at any time, and on any device.
The company also wanted to be able to ensure a user-friendly experience, and maintain a flexible IT stack. To accomplish this, the company needed to find a trustworthy, like-minded technology vendor. “We ask ourselves, ‘Does the company share some of our values?’ We're an environmentally conscious, socially conscious corporation, so we want to make sure that our partners out there share some of those same values, too.”
An all-in-one solution
Brown-Forman went to market for an identity access management solution that would suit its needs and meet the high standards the company expects from its partners. The company looked into Duo Security, Azure AD, and Ping Identity, but in 2015, after attending a few meetings with Okta and reviewing customer testimonials, Brown-Forman made its decision.
“We were drawn to Okta by the wide range of pre-built APIs within the Okta Integration Network,” says Nall. “If you look at what runs Brown-Forman, SAP is our ERP, Workday is our HR system of record, and Salesforce is our employee portal and our CRM. All of our transactions flow through SAP, Coupa is our invoice processing system, and Concur is our travel and expense reimbursement system. All of these applications were floating around in the cloud and we needed a way to get to them easily. That’s where Okta came in—and the APIs were already built. All the hard work was done.”
There was another benefit to the Okta Integration Network too—it added flexibility to Brown-Forman’s IT stack. “We wanted a solution that would play with everybody,” says Nall. “We didn't want it to be overly tied to a particular vendor because we wanted to continue to be able to choose from the best solutions possible.”
Next, Nall considered his other objectives. While the pre-built APIs would make it easy to knit together Brown Forman’s disparate IT environment, the company also needed to streamline user access and secure the authentication process—and Okta was well-positioned to satisfy both of these requirements.
“Security is valuable, but if we can minimize the labor involved and maximize security, I can direct that energy towards increasing marketing effectiveness, growing revenue, and doing the yield modeling that we do for our global production group,” says Nall. “As long as I can get that high level of security, it's a win-win.”
A resistance-free rollout
The company purchased a set of Okta products designed to protect and enable its workforce: Single Sign-On (SSO), Universal Directory, Adaptive Multi-Factor Authentication (MFA), and Lifecycle Management.
Before rolling out the new products in 2016, the company spent some time adding its own branding to the SSO dashboard, to make the portal feel more familiar to employees. As the implementation progressed, Nall and his team continued to put employees’ experiences first because they knew that if the new security measures were too difficult or time-consuming, employees would simply find work-arounds.
“That’s why we look for products with minimal user impact and maximum security,” says Nall. “With Okta, it was minimally invasive—the employees had to do it, and so they did.”
It helped that people were also starting to get used to increased security in their personal lives, whether they were paying taxes on a government website or logging into their Netflix account.
“It was really one of the more seamless go-lives we've had,” says Nall. “I actually feel a little guilty because I got a lot of kudos as a new CIO for this seamless thing—and really, I didn't have a lot to do with it except for picking a really solid partner.”
In 2019, Brown-Forman decided to extend the Okta experience to external partners, including its wholesalers, distributors, and lawyers. “We wanted to give them access to certain things within our environment—but not necessarily the keys to the kingdom,” says Nall. “We wanted to be able to see them coming and going like everyone else.”
Nall and his team used Okta B2B Integration to allow and control Brown-Forman’s external partners to access the company’s internal tenant. “It's just a very simple provisioning process,” says Nall. “We only need one admin to manage our global partner ecosystem—it’s simple, and there’s very little labor required.”
Trial by fire
By the time 2020 arrived, Okta was fully ingrained in the day-to-day lives of Brown-Forman employees and partners, but the company’s IT environment was about to be tested—twice.
Like everyone else, the COVID-19 pandemic caught Brown-Forman by surprise. Fortunately, the company was already used to supporting a remote workforce.
“Our headquarters has a core workforce, plus finance, IT, and legal teams, but we have little Brown-Formans all over the world,” says Nall. “These could have anywhere from a few dozen to a few hundred employees, and they operate with finance, marketing, and sales organizations. We've operated successfully remotely for a very long time.”
Regardless, the company was still concerned that its office employees—who hadn’t had a lot of experience with Okta—would have trouble adjusting to the additional off-network security measures, so Nall and his team developed an initial two-week plan for employees to work from home. At the end of that period, they assessed the results with the intention of making any necessary adjustments.
“We learned that lot of the work that we had been doing over the years to make us collaborative, to move to the cloud, to have accessibility at any time, any time zone, any device—all of that made it very easy to transition into the remote work environment that we've all enjoyed for the last year or more,” says Nall.
But Brown-Forman still had another hurdle to jump. In the summer of 2020, the company’s security was put to the test when its IT environment was breached. Okta detected the suspicious activity, and sent Nall and his team an alert. The team was able to track the breach in the activity logs, and from there, they were able to act quickly to mitigate the situation by turning on untapped MFA features.
“Turning on additional MFA features helped us secure our environment within 48 hours of detection, when we were still scrambling to understand who was in and what was going on,” says Nall. “I was pleased that some of the work we did pre-breach really allowed us to get as much of an early alert as possible. It wasn't instantaneous, but we believe it helped us take certain steps to prevent other bad things from occurring within our environment.”
For Brown-Forman’s employees, the breach drove home the importance of following IT’s security guidelines and recommendations.
“As we’ve moved into an accelerated Zero Trust security approach, we’ve explained our layers of security to employees using the analogy of a keycard and a building,” says Nall. “Previously, they could walk into a building, wave their keycard on the first floor and it would get them anywhere. Now that keycard might only get them to the first or second floor. People understand those types of analogies, where we bring the virtual world into the real world, so that’s really helped our employees understand where we're going. They’re very accepting of it.”
A more effective team
Looking back at this multi-year journey, Nall is pleased with how Okta has helped enable Brown-Forman’s business and raised security awareness for employees.
“Helping Brown-Forman with employee awareness is perhaps even more beneficial than anything else IT does, because it impacts everyone—and they are much more aware than they ever would have been without Okta,” says Nall. “The Okta logo is one of the first things employees see when they come in in the morning, and it reminds them there are security measures in place, without being intrusive. Instead, it almost leaves them with a sense of wellbeing.”
With most of the available MFA features activated, all employees are now able to work safely and securely on any device, at any time of day, anywhere. “Even if our employees are working within our network, they’re still authenticating with Okta—and I view that as such a big thing,” says Nall. “This level of MFA is a basic thing that companies need to do.”
“If I were to rank our partners, I would say Okta has been one of the best,” adds Nall. “Before Okta came along, our security posture was probably about a two on the Gartner scale. We've gained several points since then and I'd attribute a good chunk of that increase to our Okta products.”
Nall also credits Brown-Forman’s strong partnership with Okta. From the very beginning, when Nall and his security team first met with Okta, Nall was impressed with the account representatives’ focus on customer service, but he was also a bit skeptical. “Every technology group comes in talking about customer service, but Okta is truly focused on it,” he says. “I would rank Okta with the best out there in that they really do believe in the importance of customer service.
The company purchased a customer success package that included a designated Customer Success Manager (CSM). Having a CSM in place means that Brown-Forman benefitted from having an Okta expert on its team throughout the planning and implementation phases. The support package also includes regular success meetings and a VIP support line.
“Okta’s Customer First team has been outstanding for us throughout the years,” says Nall. “When we were going live, we set dedicated web access for people to send in questions, and they were right there with us. During the breach, when we reached out to say we wanted to adjust our MFA features, they were right there helping us. So there wasn't really lost time.”
What’s next
A glance at Brown-Forman’s IT roadmap makes it clear that moving towards a Zero Trust security model is high on the company’s priority list. “That perimeter-based strategy still existed a little bit when our world came crashing down in the breach last July,” says Nall. “It really highlighted the vulnerabilities that we were somewhat aware of, but hadn't considered to be as high on the priority list as other concerns. That accelerated our transition into a Zero Trust model and that’s a big change because our network was never architected for that.”
Nall will also continue to automate more of its onboarding and offboarding processes, and to gain better access to analytics that can provide true insight into areas like revenue growth management and distillery yields—and help the company make more informed, data-driven decisions.
“It’ll just give us a clearer picture of how our business is doing,” says Nall. “That's where I see our IT and analytics teams. Aside from providing a secure workplace and secure infrastructure, the next biggest benefit we bring to the company is access to analytics, and our ability to highlight those insights for our commercial partners, our marketing partners, and our production partners.”
About Brown-Forman
The Brown-Forman portfolio of more than 25 mid-priced to super-premium brands includes such well-known spirits as Jack Daniel's, Canadian Mist, Finlandia, and Southern Comfort. Its wine labels include Fetzer and Korbel. Offering some 30 brands of wines and spirits, the company's beverages are available in 135 countries throughout the world.