CVS – ‘IT leaders need to understand that the world has changed’
Code42’s Jadee Hanson discusses the security challenges posed by collaboration tools and how security leaders need to re-evaluate their strategies.
As CISO and CIO at cybersecurity company Code42, Jadee Hanson leads global risk and compliance, security operations, incident response and the insider risk programme.
Prior to Code42, Hanson held senior leadership roles in security at US retail corporation Target, where she implemented compliance, risk management, and insider risk programmes. She also served as the security lead for the sale of Target Pharmacies to CVS Health.
Before that, Hanson was a security consultant at Deloitte. Cyber Defense Magazine named her one of the Top 100 Women in Cybersecurity for 2020.
Describe your role and your responsibilities in driving tech strategy.
At Code42, I am charged with joint responsibilities as both the company’s CIO and CISO. On the IT side of things, I am constantly looking to explore and strengthen our technologies that help to enable our business to drive value for our customers and support our employees to deliver in their roles.
On the security side of things, my responsibilities are simple – keep our company and our customers’ data safe. This includes constantly balancing risk throughout the organisation and implementing technologies to protect data. In large part this is the ongoing maturity of our security programme through people, process and technology.
Are you spearheading any major product or IT initiatives you can tell us about?
The top priority for any IT leader that works at a software company is figuring out new and effective ways to enable our organisation to support new and future customers. In just the first quarter of 2021, we onboarded five new applications to support Code42’s teams. Throughout the year it is going to be important that we continue to find the right solutions to empower these parts of our business.
How big is your team?
Our security team is about 25 people split into SOC [security operations centre], red team/blue team, training and awareness, corporate risk, insider risk management and vendor security teams. Our IT team is similarly about 25 people split between help desk, system administration, endpoint management and network support.
Even though we don’t outsource, we do look to drive efficiency where we can by automating as many manual processes as we can. We see many companies outsource their first-level SOC work; this is something we don’t believe works for our environment.
I strongly believe that deep knowledge of your environment and technology organisation is critical to maturing your programme. This type of knowledge comes from having dedicated employees in your organisation versus having employees that split their time among a number of different organisation models.
What are your thoughts on digital transformation?
Every CIO right now is leading an expedited digital transformation in the wake of the pandemic and is looking to drive as much efficiency and collaboration across the organisation as possible.
We’ve seen tremendous benefits play out as a result of this rapid digital transformation. Productivity and collaboration are up and employees are able to enjoy more flexibility in their work day. However, these benefits don’t come without drawbacks, particularly when it comes to security.
One notable aspect of digital transformation that we’re most focused on at Code42, since we provide insider risk management software, is the growth of collaboration software and tools which raise challenges around balancing security and visibility.
Companies want to enable as much collaboration among employees as possible, but disparate cloud applications can make securing data a challenge. As a result, safeguarding employee data activity has become paramount.
The challenge is that you don’t want to become ‘big brother’. We’re looking to address this issue directly by providing technology that gives the security team visibility to all data exfiltration across the organisation. The security team can then take a risk-based approach to follow up on data exfiltration that is critical for the company to address.
What big tech trends do you believe are changing the world and your industry specifically?
There’s no denying the shift to remote and hybrid work has forever changed the way we work, and how we approach information technology and data security. Remote work means there are now more data perimeters to secure, therefore there is a greater variety of exfiltration vectors.
This raises significant data security risks. As companies embrace new technologies and new ways of working, the CISO will play a greater role in helping to provide risk-based decision making to address data exposure.
In terms of security, what are your thoughts on how we can better protect data?
What’s critical is that our data protection tools evolve as our workflows mature. Unfortunately, we’re not seeing as much progress across industries as we’d like as many organisations rely on their more traditional data loss prevention (DLP) solutions.
However, recent data shows that more than three-quarters of organisations have suffered a data breach despite having this in place. It’s important to understand that most DLP and CASB [cloud access security broker] solutions do not provide full visibility into untrusted destinations, such as personal email and private cloud environments.
These technologies also do not provide visibility for all file movement but rather focus on areas where you have set policies, which is no longer enough. Security and IT leaders need to re-evaluate their strategies and understand that the world has changed, and data security needs to evolve to keep up.
Ultimately security and IT leaders need to come together and recognise the extent of the problem while giving teams a clear signal of the riskiest activity and a streamlined workflow to address it. This approach allows them to mitigate file exposure and exfiltration risks without disrupting employee productivity and collaboration.