It's fair to say that Kristin Lovejoy understands IBM's information security approach inside and out, largely because she helped shape both the corporation's internal and customer-facing infosec strategy.
The dynamic executive, who now holds the position of general manager of IBM's Security Services Division, has in fact played three significant information security roles at the IT goliath. When she first joined IBM in 2007, the company didn't have a security division, and Lovejoy was charged with helping IBM understand what the market looked like and their strategic approach to it, and carve out new opportunities to reach out to CISOs at client companies.
Later on, Lovejoy was pulled into IBM's internal organization to help develop policies and resources for the company to manage its own information security in-house as the corporation's vice president of technology risk and global CISO. It was only about 18 months ago, after making a well-received presentation to IBM's board, that Lovejoy was invited to step into her current position: molding and managing a professional services organization around information security to deliver to customers.
The challenges of each successive job have fueled Lovejoy's energy and interest in the field. “I like chaos,” she says. “When I came to IBM, my old boss said ‘the trick to keeping Kris happy is to constantly make sure she is fixing something.'” In her current job, she is helping companies make their critical information security decisions, such as whether or not to outsource, and evangelizing with customers about the importance of information security.
“Kris has always been very hands-on, and still is even as the general manager of the security services division,” says Koos Lodewijkx, director and CTO of IT risk at IBM CHQ. “Whether it is writing presentations or articles, or investigating the security posture of a client, she will roll up her sleeves and do it herself. She's known for using the few spare minutes waiting for her appointment with a client to do a quick search on Shodan, to see if there's anything she can tell the client about their security that they may not even be aware of.” Lodewijkx has known and worked with Lovejoy since 2001, when the two both worked for Consul, a security audit and compliance solutions firm with dual headquarters in the United States and the Netherlands.
“One of her major strengths is that she can make security relevant for non-technical audiences,” Lodewijkx says. “A few years ago, when the topic of malware infections from untrusted devices—USB memory sticks for example—got a lot of attention, she said, ‘if you find a toothbrush in the street, do you stick it in your mouth?'”