Chemical Bank, Vice President, Chief Information Security and Privacy Officer
Like the builder of a complex jigsaw puzzle, Chris Mandelaris has masterfully put his career together, piece by piece, to reveal the overall picture. For years he has been steering his education, certifications, and series of roles toward his goal of becoming a Chief Information Security Officer—and now he is one.
His goal wasn’t always so straightforward, though. Right around the start of the millennium, Mandelaris was a pharmaceutical representative doing sales, marketing and promotions. While the money was good, he lacked passion for the job.
What he did have passion for was IT. “I had done IT work on the side and always enjoyed it,” says Mandelaris. “One evening I had an epiphany and was noticing a big gap between the technologist and the business side of organizations where, at that time, IT could talk IT and business could talk business but there was no middle person that could bridge the gap between IT and business requirements and vice versa.”
At that time, IT infrastructure was seen as an afterthought and a business area that just helps keep the lights on. This is where Mandelaris saw an opportunity and took a big leap of faith. “I love being a connector, looking at the business side all the way down to the IT side, to make sure they are all connected and everyone is marching to the same beat. I decided to quit my job as the pharmaceutical rep on the spot and put both feet into IT.”
Getting on the bottom rung of the IT ladder
He began his new IT career by getting some basic certifications – the A+, Network+, MCP and MCSA – and got his first real IT role with Ford Motor Company. “I was lucky enough to be a systems analyst working in infrastructure,” says Mandelaris. “I took a big pay cut to go from making a lot of money as a pharmaceutical rep to near nothing as an entry level infrastructure guy—but I knew it would pay off in the long term. I knew where I wanted to go. From then on it was like drinking from the fire hose.”
Ford Motor Company provided a great foundation for his learning. “I was very fortunate to join that organization, not only from being in infrastructure but also that I was able to participate in projects and become certified as a Project Management Professional (PMP) and Six Sigma process improvements,” says Mandelaris. “I can’t begin to tell you the benefits of having that programmatic, end-to-end system mindset. To this day I still utilize a lot of the skill sets I learned, from program management to process improvements – what’s the input, what’s the process, what’s the output. It helps keep things organized and simplified.”
While at Ford, Mandelaris had the opportunity to work many sides of IT. “I did a lot of website design, internally coding and designing. I did process improvements, and infrastructure from cabling to desktops to mounting servers. I traveled to all the service centers in the country as well as Canada, putting in 80 to 90 hour work weeks at times while traveling to sites—just putting in my time, as they say. It was a great experience and I got a lot of knowledge from different areas within IT and mainly within infrastructure.”
All the while Mandelaris continued to pursue more certifications and education. He earned the PMP credential and a Master’s in Information Technology (MSIT) degree which focused on preparing an IT professional to optimize information technology management to support business strategies and goals. Walsh College is a Center of Excellence in Cyber Defense (CAE/CD), which identifies Walsh as one of a small set of academic institutions in the country to achieve this status.
Going from infrastructure to GRC
When the auto industry went through a downturn, Mandelaris moved on to Flagstar Bank. “That was a time when SOX was becoming very important to organizations but still in its infancy in terms of what the controls were and what people had to do to comply with the law. I saw Sarbanes-Oxley (SOX) and vendor management reviews and requirements/risks as growing areas of focus and where the industry was heading. I got out of the technical weeds of IT and went into more of the governance, risk and compliance side, which allowed me to pick up new knowledge and skills.”
When Mandelaris went to Flagstar, he worked closely with the internal and external audit teams, performing some of the IT audits and a lot of vendor management third-party risk assessments, which is now at the forefront of all the regulators’ reviews. He spent four years at Flagstar Bank before Electronic Arts courted him for a global role to manage the gaming company’s SOX program.
“That was an amazing role, from the standpoint of working with different countries and different individuals from India, Germany, Singapore, Asia-Pacific as well as the US,” says Mandelaris. “It gave me great experience in working with different people with different styles, and how to approach different individuals and communication, whether it is through speaking or PowerPoint presentations and so forth. It really helped me from that perspective. I was still doing SOX program management and testing like I did at Flagstar, but this was on a global scale, which I really loved. But also, it wasn’t a bank anymore—it was a gaming company, which wasn’t as regulated. The way I had to approach regulations within a company that wasn’t as heavily regulated was a completely different approach, requiring buy-in from the control owners and performers. Soft skills and teamwork played a much larger part in getting things done.”
After a few years, Mandelaris moved across Austin to take a position as the IT governance and compliance program manager with Dell. “This was another step up in terms of the responsibilities of my role,” he says. “Not only did I manage the SOX initiatives but I also took on business continuity planning, disaster recovery planning, and vendor management in a GRC tool, still at a global level. The position continued to round out my skill set.”
When Dell became a private company once again, much of the work that Mandelaris was hired to do was no longer needed, especially the SOX aspect. He packed his bags yet again and moved to Memphis to take a position as a manager for IT risk and compliance for First Tennessee Bank. “This job gave me great exposure to working directly for the CISO, and I knew that role is where I wanted to be,” says Mandelaris.
Just one more role stood between where he was and his ultimate goal of becoming a CISO. “I went to Bank of America to be a senior IT audit supervisor,” according to Mandelaris. “That would be the last piece of the puzzle to round out my background. I was only there for a short time when I got a call from an executive recruiter asking me if I would be interested in working at Chemical Bank in Michigan as their CISO. The location was in the Detroit suburbs, a half a mile from where I used to live. I laugh because I had to go all around the country to come back to right where I started. I guess it was meant to be.”
“I feel very fortunate to be given the opportunity to not only be in this role but also working for a great and growing organization such as Chemical Bank. Being a part of a great team, developing new processes and programs, building out and strengthening the information security and cybersecurity team as well as the bank’s cyber posture is what keeps me motivated and excited to go into work every day.”
Now is the perfect time to be a CISO
He says he loves the role he is in today. “Every day is challenging and exciting. There is no better time to be a CISO than right now, with the changing requirements and the changing needs of the board. Even just mapping out what the CISO role really is compared to what it used to be is incredibly exciting,” says Mandelaris. “Putting all the certifications together, along with the Master’s degree and all the roles I’ve played—everything seems to have come together really nicely and actually I can utilize all those toolsets in my current position as a CISO.”
“Looking at the big picture of my career, I was very strategic in the roles that I chose,” he says. “It was with a lot of thought of where I wanted to be eventually with the role. I didn’t want to just stumble accidentally into a role of CISO; I wanted to have the credibility, credentials, background and experience to account for growing and ever changing requirements the CISO role demands. So that’s what I ended up doing to make sure that each role built on itself and helped me to better myself professionally. In this industry, the day you stop learning something new and staying on top of latest threats and trends, you’re obsolete. With technology changing, adapting and evolving so quickly, if you’re not reinventing yourself to adapt to the ever changing landscape you’re going to find yourself at the back of the pack rather quickly.”
Mandelaris says the credentials that he has earned help validate his experience. “Today’s certifications aren’t like the paper certifications of the past. With today’s professional credentials, you have to have the time in a particular role, have to have the experience – sometimes five years or more in certain domains – to show that you really have done the work, as well as written attestation from a current or former manager to validate experience. To me it’s important because when I talk to another project manager or IT professional, we are talking the same language. When using certain terminology, we know exactly what we are talking about. As a professional I think it’s incredibly important to always be learning continually and bettering yourself,” says Mandelaris.
He also strives to help others learn and get better at what they do. He is a mentor for students at Walsh College, his alma mater; teaches certification classes for a local ISACA chapter; and actively participates at CISO executive thought leadership events, presenting and discussing current and emerging Information Security trends in the industry throughout the country.
On the personal side, Mandelaris is an avid athlete. “I’ve competed and won Red Bull Pro-Am freestyle competitions in Vail, CO and had an Ironman problem for about 12 years. I have competed in seven full distance Ironman competitions, including Kona, as well as several half Ironman races. I was All-American for three years in the sport of triathlon. I have run eight or nine marathons, including Boston twice, Detroit, Ventura and New York to name a few. Most memorable was completing the Athens original Marathon in Greece. That was just breathtaking and was something very special to me being of Greek heritage and descent.”
Mandelaris has retired from competing at such a strenuous pace, but he hasn’t given up the sport entirely. “I love the structure and I love challenging myself,” he says. “In the running and triathlon world, you come across people who are very driven and passionate about what they do in all areas of their life and I like hanging around with people like that. Looking back, doing everything with ‘purpose’ has been the common denominator recreationally or professionally for me or I just don’t do it.”
Clearly, he is very driven, and that has suited him well as he assembled the puzzle pieces of his very successful career.