Christine Vanderpool was happy to take on a new job as CISO of Florida Crystals six months ago for two reasons. First, she was tired of shoveling snow – “I am not a winter person,” she says. More importantly, she wanted to build a security program from the ground up so that she could develop and fine-tune the strategy and apply all the lessons she’d learned from her long career in cybersecurity.
Her previous assignment was with a big, established healthcare company that had a good security program. “Everything was already pretty much in place, and even advanced.” But at Florida Crystals, an agriculture and consumer manufacturing company, Vanderpool has the opportunity to put into practice the lessons she has learned from previous assignments and to determine what the organization specifically needs for its purpose.
The best fit
Florida Crystals is, as Vanderpool describes it, a “24x7x365 company.” The main challenge is to keep operations running continuously, because any disruption would be detrimental to the business. “For example, if you get one instance of ransomware, that spreads into your system and you can’t operate.”
She counts herself fortunate for enjoying support and understanding from the executive leadership.
“I don’t ask for the latest and greatest tools. I don’t ask for an endless amount of money to do this stuff. I’m right-sizing it. Risk-basing it,” she says. “I’m very deliberate in what I choose and how I choose, and in implementing solutions in a way that is more flexible and adaptable to what we need.”
“I don’t want to have just a shelf full of security products.”
Support from the C-suite comes from a heightened awareness of what could happen if a security breach or disruption takes hold of the company. “You would have been living under a rock if you didn’t see the news stories and the impact of security on organizations – and how the damage spread like wildfire.”
Vanderpool calls it the forest service problem. “The forest service goes out to stop a forest fire on 100 acres of land, but the wind kicks off and 100,000 acres are burning all of a sudden.”
Indeed, everyone is vulnerable, and anyone can be attacked. “These things really opened up the eyes of the world,” she says.
Always a tradeoff
In the next few years, artificial intelligence and machine learning will be more than ever a part of our daily lives, but these come at a cost. “We have to keep up with the fourth industrial revolution. We have to make sure we go there and move into the next world with open eyes.”
Part of it is knowing how to balance convenience with security. “How do you protect and secure humans while also allowing some of the flexibility in the things we’ve come to know and love? Look at Facebook – we find that they are sharing our data and everybody’s appalled but at the same time we all love it and continue to use it anyway.”
Another thing we enjoy is direct marketing – how technology knows to feed us information relevant to our lifestyle. “But it’s also scary that it knows that it will take me 14 minutes to get to the gym from where I am. How do you balance the fact that this device gives me relevant information, but also knows my every move?”
Stranger danger
“We teach our kids not to talk to strangers, accept candy, or climb into that white van. Why can’t we also teach them, at their tender age, what the risks are in going online?” Vanderpool says. This is her advocacy, and she hopes to reach out to more organizations and educational institutions. “Sure, we are teaching young people how to use tech, but alongside this it is also important to use tech in a secure way.”
“This is something I am passionate about, but I obviously cannot do it alone so I want to be connected with others who also have a passion for this.”
CISO qualities
For Vanderpool, there are three attributes that a good CISO must have. First is a strategic awareness of what the organization truly needs, rather than grabbing whatever appears to be cool at any one time. “These days there are a lot of tools and vendors. How do you go beyond the ‘oooh…shiny!’ moment, or respond to some immediate need, into building a truly good program that will stand the test of time? A good CISO is deliberate in making smart decisions on tools and partners.”
Second, a CISO has to know the business. “Whatever your organization and industry, you should understand it end to end. It does not matter if the business is financial services, health care, manufacturing. You need to dive into it and talk to people,” Vanderpool says, recounting that when she was CISO for a health care company, she sat on committees with actual physicians and talked with them to learn whether she was securing them appropriately, and to the correct level.
“I can’t protect them if I don’t understand what it’s like for them day in and day out.”
Finally, despite shifting from her formal education in marketing, Vanderpool has also been able to use her marketing skills in her CISO job. “I have been able to build security programs because I am good at marketing them to boards and executives and delivering my message in layman’s terms,” she says. “It’s always a challenge to cyber professionals to explain technology in an easy-to-understand way.”
Shedding stereotypes
Finally, Vanderpool believes that people have to shed their tendency to pigeonhole others. “I have had the experience of being mistaken for somebody doing software sales – not that there is anything wrong with software sales – just because I’m a woman, I wear a dress and I have long blond hair.”
Each person brings to the table a different perspective, she says, and so we have to break down these stereotypes and grow the number of people interested in the field. “It all ties back to education,” she says.
Throughout her career Vanderpool has seen some swerves and surprises. She’s changed plans, moved states, shifted from big to small. “Who knows what it would have been like had I not gotten into tech? Now I cannot imagine not being in tech. It all works out.”