Jadee Hanson

Jadee Hanson is chief information security officer and chief information officer at Code42, leading global risk and compliance, security operations, incident response, and insider threat monitoring and investigations. To her position, she brings more than 15 years of information security experience and a proven track record of building security programs.

Prior to Code42, Jadee held a number of senior leadership roles in the security department of Target Corporation, where she implemented key programs, including compliance, risk management, insider threat assessments and more. Jadee also spearheaded the effort to embed security resources into the development process as well as the security plans behind the acquisition of software development and online retail companies. She was the security lead for the sale of Target Pharmacies to CVS Health.

Before joining Target, Jadee worked at Deloitte, where she served as a security consultant for companies across diverse industries, such as healthcare, manufacturing, energy, retail, and more.

In addition to her day job at Code42, Jadee is the founder and CEO of the non-profit organization Building Without Borders, which serves those in poverty-stricken areas throughout the world through housing services. Since April 2015, Building Without Borders has built 39 homes in areas of the Dominican Republic. In her spare time, you can find Jadee working for her non-profit, enjoying time with her husband and three girls, and spending time on the lake.
More by Jadee Hanson
4 Ways to Avoid Getting Too Comfortable with Your Cyber Security Program

Published 2021-03-16

If you work in cyber security, you know that an organization can have an incredibly mature or sophisticated security program and still experience a breach. There is no silver bullet to prevent this type of event at your company, but over the years I have found ways to continue to push our program forward and never get comfortable with where we are at.

I had the pleasure of sitting down with NetSPI’s Nabil Hannan to discuss some of those strategies as part of the Agent of Influence podcast. During our conversation, we discussed four strategies to stay focused on the highest priority actions and help keep a company safe.

1. Leverage and Listen to Your Red Team

You can learn a lot about your security program from red team engagements – namely, its areas of strength and weakness. Red teams can come up with some fantastic attacks against your company and open the door to new security considerations your blue team hadn’t thought of. You don’t necessarily need a large team to succeed at red teaming. At Code42, we have two people responsible for our red team engagements. And if you don’t have an internal red team, find a partner to collaborate with you on the engagement.

Many red teams today are leveraged for a standard monthly kill chain exercise. That’s a great practice, but try leveraging your red team for a larger, more complex engagement. An engagement that emulates the most likely attack against your organization will force them to think creatively about how to carry that attack out and how to prevent it from happening to your organization.

2. Perform Regular Threat Assessments

The second activity I encourage is to establish regular threat assessments. As security leaders, we can get stuck doing simple, straightforward compliance assessments. While compliance assessments can uncover a lot of risks, you start with a list of requirements rather than starting with what could go wrong at the company – and sometimes those don’t align.

In my current role as CIO and CISO at Code42, we do the traditional controls assessment and maturity assessment, and we use NIST and ISO, among other compliance frameworks. In addition, we take time every year to bring different leaders from various parts of the organization together, along with security experts from production and research and development (R&D), to complete a deep dive threat assessment. On this brainstorming day, we discuss all the terrible things that could happen to our company and assess what controls and processes we have in place – or do not have in place – for prevention and incident response. From there, we create a laundry list of actions to prioritize and ensure we improve our security posture.

3. Prioritize Existing Security Gaps, Then Do a Benchmarking Exercise

When building out a security program, chances are you have existing security gaps. My advice is to find and fix those first. For example, the volume and magnitude of risk from email phishing was prevalent when I first started as a CISO. So that’s where we started.

There are going to be security issues that are obvious. I think it’s important to tackle those right off the bat and earn some quick wins for your team. After that, pause and do a benchmarking assessment to figure out what activities to prioritize next. A benchmarking assessment is particularly important to do when things become less clear as to what to go after. Many leaders start with benchmarking – hear Nabil’s take on the timing of benchmarking during our podcast conversation – but I have the opposite advice. If you know what’s broken and you’re hearing about it, that’s where you should start.

4. Understand That The Importance of Application Security Has Never Been Greater

My team spends a majority of our time on application security. Why? Because that is where the majority of our risk lies today. There are a couple of shifts in application security that are worth paying attention to.

First is the rise of the serverless concept. This means that an application can be built where we don’t have to connect to the underlying OS and/or database aspects of it, which expands the attack surface at the application layer. It is more important than ever to focus on protecting the application layer knowing that the attack surface is expanding there today.

Another application security focus area that is incredibly important is to figure out where to plug security resources and security scanning processes into your development lifecycle. At Code42, we built a standalone product application lifecycle security team embedded within our R&D team. They’re part of the scrum teams, listening to the story mapping, embedding testing early on, and bringing up security concerns. I believe that the more security is seen as a partner and embeds itself early on with development teams, the better. Security is still considered the outsider in many organizations, but we’re starting to be part of the larger development team at Code42. In a dream world, I would love for developers to be security developers – that’s utopia.

The speed at which applications are being built, updated, and deployed is always going to be a constant challenge for security. This ties back to the idea that comfort is the enemy. As security professionals, we need to continuously evolve and evaluate our security program to protect against adversaries. If you become too comfortable with your program, it’s likely that there’s something you’re missing.
