This is one in a series of profiles of tech leaders named as a finalist for the 2019 ITAC CanadianCIO of Year Award. Vleeming was part of a Nov. 14 Town Hall discussion for finalists focused on the changing role of the CIO. The ITAC CanadianCIO of the Year winners will be announced Nov. 27 at the Ingenious Awards.
The rapidly growing marijuana industry has opened the door for new technologies to improve the way businesses operate and manage data, but it’s also become an increasingly attractive target for cybercriminals.
Imagine protecting a company within that industry while growing from 250 employees to 3,500, and expanding operations from two provinces in Canada to 24 countries around the globe and implementing a range of IT systems that are required to catch up to that growth.
This is the task that Darryl Vleeming, the chief information officer for Aurora Cannabis, has been saddled with since starting in the role in October 2017. Vleeming was the CIO for Capital Power, a multinational power supplier that regularly had to work with Canadian Security Intelligence Service and Homeland Security to protect its assets.
But working in the marijuana industry, he said, is a different beast entirely.
“We get attacked more than any other company I’ve ever been with,” said Vleeming. “It’s such a new industry… cybercriminals are focusing on it because it’s new and there’s an expectation we won’t be as mature. But the second reason is that there’s so much money around this industry, so we get attacked on a daily basis.”
Criminals expect a company in the marijuana industry to be less mature in regards to cybersecurity, privacy, and compliance, but Vleeming has spent a majority of his efforts over the last two years in changing that narrative for Aurora Cannabis.
And due to the multinational nature of Aurora’s business dealings, that task becomes all the more complicated when taking into account the sheer amount of compliance laws and regulations the company must abide by.
Because they are publicly traded on both the TSX and NYSE, they must be CSOX and SOX compliant, and since they store patient information, they must also be PIPEDA compliant. People use credit cards to interact with the business, so they must be PCI compliant. And, of course, let’s not forget about GDPR for their business dealings in Europe.
When Vleeming began in his role two years ago, the only IT systems in place were email, QuickBooks, and a basic ecommerce system.
Since then he implemented controls, systems, and processes to ensure the protection of the company and compliance under the previously mentioned regulations.
He also oversaw the implementation of a cloud-first strategy that has resulted in 95 per cent of Aurora’s systems being cloud-based. Vleeming also spearheaded the establishment of a business intelligence and analytics team with a data science team that performs a myriad of tasks.
Vleeming attributes some of these wins to the fact that he has gotten all the support he has needed from leadership at the company, which is not something every CIO gets, he indicated.
But even with that support, the sheer vastness of the task made it quite difficult to know where to start, he said. But by prioritizing their energy and efforts, they have been able to get from basically no IT systems two years ago, to where they stand today.
“When you go from 300ish people to 3,500 in less than two years… and two countries to 25 countries… and with all of that you have no IT systems while you’re being listed on the New York Stock Exchange and the Toronto Stock Exchange… there is just an incredible volume of work,” said Vleeming. “The most difficult decisions really come around trying to prioritize what is most critical to the company. Is it around supporting our growth? Is it around making sure our financial statements have the proper controls around it? Is it around forming collaboration systems to ensure that we as a company can work globally together?”
