Doctrine In Depth
Making the business case by being a business enabler
Christine Vanderpool is an Executive Board Member for Cyber Security Hub. She was Inteligenca’s 2019 Woman Cyber Security Leader of the Year and Molson Coors’ CISO before being whisked away to the world’s largest sugar cane refiner, Florida Crystals (which includes Domino Foods).
So Christine is certainly an excellent current example of a CISO. Her company is an industry leader, she’s the ultimate cyber security leader at her organization and she’s winning awards for her work. But her background doesn’t add up to what we once understood as a good example of a cyber security leader. She doesn’t have any military experience and “well, I'm definitely an extrovert.”
Business case
It’s safe to say that the ‘old guard’ of cyber security leaders is not a group of extroverts. “I love to use analogies and storytelling. It's really important for me that my user community, my executives, my leadership, they understand what it is that I'm trying to do. They don't just blindly believe me because I've scared the bejesus out of them, but they actually get what I'm trying to tell them. They understand what our risks are. They understand how I want to mitigate those risks. And I try to do it in ways that are appropriate for our business at hand.”
Budgets
In describing her mission, Christine doesn’t use the word technology. And it’s not because she’s some marketing person: her formative years were spent with IBM, Hitachi and SAP technology, and she’s a technology person. But she realizes that just talking tech won’t get the job done. As noted, her job is for her stakeholders to understand what she is doing.
The Cyber Security Hub Mid Year Report showcased the fact that budgets are mostly flat or down. If Christine were arguing for budget tech-first, she would not find success. Her executives and leadership understand the risks and how to mitigate those risks in a way that’s appropriate for the business because she’s made the business case.
Enabling business
“I'm not going to buy the latest and greatest gadget just cause it's really cool, if we don't need it. My philosophy is you could take that same budgetary funding and use that on a marketing project or a product development project that is going to increase your revenue. If your revenues increase, then my bonus increases. So I'm not stupid.”
She says she’s not stupid, which, of course, is obvious. But that statement actually shines a spotlight on her brilliance. She’s going into budget meetings and telling her leadership to spend money on product development and marketing based on the confidence she has in the business case she’s made. She is not worried about losing her needed budget.
Doctrine In Depth
And there’s depth to that doctrine. She does things “that elevate and help the business rather than just saying no.”
When asked if she’s a BISO (a Business Information Security Officer) with a CISO title, she responds, “I wouldn't have a job if, if we weren't doing what it is that we do as a company. I work for a consumer packaged goods organization. So I need to always remember that that is the purpose of why we are here. We are not here because of security. We are here because we make a product that is sold to consumers. And that should be the focus.”