“If someone wants to hack you, they will,” says Christine Vanderpool, chief information security officer of Molson Coors. She knows that a hack can come from anywhere, at any time. She also knows the best way to minimize attacks and ultimately prevent them is to move faster with technology and processes than hackers do. “The best thing you can do is be prepared and have the right people, processes, and technologies in place that make sense to address the risks your business faces,” she says.
It’s a constant battle for Vanderpool, and something that has occupied much of her time lately. But cybersecurity is just one facet of her job; Vanderpool must also balance the needs of a global business to harness technology with its need to keep data and employees safe from any potential dangers in cyberspace.
Vanderpool says one of her biggest challenges since she took over as CISO in 2013 is juggling the different compliance rules among the many locations of Molson Coors’ operations. “In one country, encryption may be very important to keep things inside the borders, while in other countries encryption may be illegal,” Vanderpool says. “How do we deal with that while keeping costs down and our operations efficient?” The answer to that question is far from simple. Vanderpool must stay on top of each country’s shifting laws and governments to the best of her ability.
There are cultural differences, as well. For instance, she says attitudes about privacy are looser in the United States relative to Eastern Europe. “You realize that you have to make trade-offs and decisions that work for 80 percent of the workforce but probably not 100 percent,” she says.
Vanderpool doesn’t have much time to dwell on this because hackers are an ever-present danger. It used to be limited to banks and health-care institutions, she says, where the value of the data is obvious. But now, every company has data that could be considered valuable to someone. “These days, hackers do massive hacks, often where they’re just trying to find the easiest targets,” she says.
Vanderpool explains that once the data is extracted, hackers take it to the black market to see what they can get for it. Molson Coors has the added risk of selling a product that is not accepted in certain parts of the world. “I always fear that there may be hackers out there with a social agenda to attack products like alcoholic beverages,” she says.
The fact that Vanderpool hasn’t dealt with that yet has not made her any less vigilant. Molson Coors, she says, is a “24-7-365 shop,” producing, shipping, and selling beer around the clock in most parts of the world. “Even though someone may not be hacking us directly, if something gets into our system it may impact our ability to do business,” she explains. “Another part of my job is making sure there are no viruses that can bring our system down and keep us from doing what we need to do every day.”
To put it simply, Vanderpool must keep an eye on just about everything—government regulations, technology trends, current events, and more. It all fits in with a shift in the way in which she and her CISO peers are dealing with online attacks. “For years in security, we’ve been behind the eight ball, waiting for signatures to come out from this or that attack,” she says. “Now we’re figuring out how to stop those attacks from occurring in the first place. How do we deploy technology or processes to be that frontline defense?”
Part of the solution doesn’t involve technology at all. Educating Molson Coors’s massive workforce, which reaches more than 9,000 people, is key, says Vanderpool. More employees today are using their own devices to do their job, which helps her get through to them. “It’s just going to make them stronger if they see what’s in it for them,” she says. “If we can teach them how to be more vigilant in the day-to-day world on their own devices, they will use that knowledge to protect our company.”
Vanderpool has encouraged this paradigm shift by making herself available to all kinds of security questions, not just the ones directly related to Molson Coors. For example, she’s helped employees concerned about identity theft, and has advised parents who inquire about monitoring their children’s online activity. “I don’t mind,” she says. “If it’s one less thing they have to worry about, they will be more focused on work.”
Vanderpool understands the value in advice-seeking. She’s part of an informal network of fifteen CISOs in the Denver area that meet once a month over dinner to talk shop. The topic changes each month, and has ranged from setting up anti-phishing campaigns to creating mobile security systems that work on all kinds of devices.
“We all face the same challenges and issues,” she says about the diverse group, who represent banks, manufacturers, health-care service providers, and more. “When we can work together collectively, it just makes us all the more efficient and able to come up with really good solutions and ways to attack problems.”
Vanderpool says conversations used to focus on the latest tool or piece of technology. Now they talk about what they’ll do when a hack inevitably occurs. “There is no tool or technology that will protect you from everything,” she explains. “Talking to people who have been through it already is a great way to know how to put things in place to make your business stronger in the end.”
Vanderpool has risen through the ranks at Molson Coors since joining the company as an application security manager in 2004, but she says that she still learns something new at every meeting. “Those meetings have helped me go back and think about my program and how I will build out my program in areas that are important,” she says. “That’s the biggest thing—making sure I’m including everything I should be.”
Speaking of inclusion, Vanderpool says that she would love to see more women entering the security field in the future. “When I walk into a room of CISOs, I’m usually the only woman, or one of two or three,” she says. To that end, she has plenty of advice for women who are thinking about joining the fight at the forefront of cybersecurity. “One thing is to realize that there are multiple areas of security and IT,” she explains. “It’s not just about stopping hackers. There are just so many different aspects of it: strategy and oversight, government compliance, technology.”
Vanderpool suggests that women have the built-in characteristics to be good at all of these various components. “Our whole thing is to control things or provide a way to control access to something,” she says. “There is that natural fit and tendency for a woman to play that role. Also, women tend to be detail-oriented, and you have to have an eye for detail in this business.”
But the biggest reason that women should be interested in security work, she says, is because it’s exciting. It’s why she still loves what she does for a living. Not coincidentally, it’s also why she’s been so effective at staying ahead of any potential threat to Molson Coors.