Jadee Hanson is chief information security officer and chief information officer at Code42, leading global risk and compliance, security operations, incident response, insider threat monitoring, and investigations. To her position, she brings more than 15 years of information security experience and a proven track record of building security programs.
Prior to Code42, Jadee held a number of senior leadership roles in the security department of Target Corporation, where she implemented key programs, including compliance, risk management, insider threat assessments and more. Jadee also spearheaded the effort to embed security resources into the development process as well as the security plans behind the acquisition of software development and online retail companies. She was the security lead for the sale of Target Pharmacies to CVS Health.
Before joining Target, Jadee worked at Deloitte, where she served as a security consultant for companies across diverse industries, such as healthcare, manufacturing, energy, retail, and more.
In addition to her day job at Code42, Jadee is the founder and CEO of the non-profit organization Building Without Borders, which serves those in poverty-stricken areas throughout the world through housing services. Since April 2015, Building Without Borders has built 39 homes in areas of the Dominican Republic. In her spare time, you can find Jadee working for her non-profit, enjoying time with her husband and three girls, and spending time on the lake.
If you work in cyber security, you know that an organization can have an incredibly mature or sophisticated security program and still experience a breach. There is no silver bullet to prevent this type of event at your company, but over the years I have found ways to continue to push our program forward and never get comfortable with where we are at.
I had the pleasure of sitting down with NetSPI’s Nabil Hannan to discuss some of those strategies as part of the Agent of Influence podcast. During our conversation, we discussed four strategies to stay focused on the highest priority actions and help keep a company safe.
1. Leverage and Listen to Your Red Team
You can learn a lot about your security program from red team engagements – namely, its areas of strength and weakness. Red teams can come up with some fantastic attacks against your company and open the door to new security considerations your blue team hadn’t thought of. You don’t necessarily need a large team to succeed at red teaming. At Code42, we have two people responsible for our red team engagements. And if you don’t have an internal red team, find a partner to collaborate with you on the engagement.
Many red teams today are leveraged for a standard monthly kill chain exercise. That’s a great practice, but try leveraging your red team for a larger, more complex engagement. An engagement that emulates the most likely attack against your organization will force them to think creatively about how to carry that attack out and how to prevent it from happening to your organization.
2. Perform Regular Threat Assessments
The second activity I encourage is to establish regular threat assessments. As security leaders, we can get stuck doing simple, straightforward compliance assessments. While compliance assessments can uncover a lot of risks, you start with a list of requirements rather than starting with what could go wrong at the company – and sometimes those don’t align.
In my current role as CIO and CISO at Code42, we do the traditional controls assessment and maturity assessment, and we use NIST and ISO, among other compliance frameworks. In addition, we take time every year to bring different leaders from various parts of the organization together, along with security experts from production and research and development (R&D), to complete a deep-dive threat assessment. On this brainstorming day, we discuss all the terrible things that could happen to our company and assess what controls and processes we have in place – or do not have in place – for prevention and incident response. From there, we create a laundry list of actions to prioritize and ensure we improve our security posture.
3. Prioritize Existing Security Gaps, Then Do a Benchmarking Exercise
When building out a security program, chances are you have existing security gaps. My advice is to find and fix those first. For example, email phishing was the most prevalent risk, in both volume and magnitude, when I first started as a CISO. So that’s where we started.
There are going to be security issues that are obvious. I think it’s important to tackle those right off the bat and earn some quick wins for your team. After that, pause and do a benchmarking assessment to figure out what activities to prioritize next. A benchmarking assessment is particularly important when it becomes less clear what to go after. Many leaders start with benchmarking – hear Nabil’s take on the timing of benchmarking during our podcast conversation – but I have the opposite advice. If you know what’s broken and you’re hearing about it, that’s where you should start.
4. Understand That The Importance of Application Security Has Never Been Greater
My team spends a majority of our time on application security. Why? Because that is where the majority of our risk lies today. There are a couple of shifts in application security that are worth paying attention to.
First is the rise of the serverless concept. This means that an application can be built where we don’t have to connect to the underlying OS and/or database layers, which expands the attack surface at the application layer. It is more important than ever to focus on protecting the application layer, knowing that the attack surface is expanding there today.
Another application security focus area that is incredibly important is figuring out where to plug security resources and security scanning processes into your development lifecycle. At Code42, we built a standalone product application lifecycle security function embedded within our R&D team. They’re part of the scrum teams, listening to the story mapping, embedding testing early on, and bringing up security concerns. I believe that the more security is seen as a partner and embeds itself early on with development teams, the better. Security is still considered the outsider in many organizations, but we’re starting to be part of the larger development team at Code42. In a dream world, I would love for developers to be security developers – that’s utopia.
The speed at which applications are being built, updated, and deployed is always going to be a constant challenge for security. This ties back to the idea that comfort is the enemy. As security professionals, we need to continuously evolve and evaluate our security program to protect against adversaries. If you become too comfortable with your program, it’s likely that there’s something you’re missing.