CIO Spotlight: Jadee Hanson, Code42

Are you leading a digital transformation? “Every CIO right now is leading a digital transformation - expedited in light of the pandemic - and driving as much efficiency and collaboration across the organisation.”


Name: Jadee Hanson

Company: Code42

Job title: CIO and CISO

Date started current role: January 2019

Location: Saint Paul, Minnesota

As CISO and CIO at Code42, Jadee Hanson leads global risk and compliance, security operations, incident response, and the insider threat program. Prior to Code42, Hanson held senior leadership roles in security at Target Corporation, where she implemented compliance, risk management, and insider threat programs. Cyber Defense Magazine named Hanson one of the Top 100 Women in Cybersecurity for 2020 and SC Magazine called her a Women in Security: PowerPlayer in 2019. She is regularly quoted in cybersecurity media outlets and co-authored the book, Inside Jobs: Why Insider Risk Is the Biggest Cyber Threat You Can’t Ignore.

What was your first job? I worked at a women’s clothing store in the mall where I grew up when I was 16 years old.

Did you always want to work in IT? I did, but I didn’t really know what that would look like. During high school I did a ton of volunteer work for the technology coordinator at my school. Some of that volunteer work included assembling computers and building networks to enable student labs.

What was your education? Do you hold any certifications? What are they? I hold a Bachelor’s degree in Computer Information Systems from the University of North Dakota. My certifications include: Certified Information Security Auditor, Certified Information Systems Security Professional and AWS Cloud Security Practitioner.

Explain your career path. Did you take any detours? If so, discuss. Right after I graduated college, I didn't really know what I wanted to do nor where I wanted to go. I was accepted to graduate school, so I initially thought I was going to get my MBA. Instead, I decided to apply to Microsoft and was offered a job. However, after I accepted the job at Microsoft, I got engaged and made the personal decision to live in the same city as my fiancé which led me back on the job hunt. Ultimately I ended up turning down the Microsoft offer to join Deloitte.

What business or technology initiatives will be most significant in driving IT investments in your organisation in the coming year? At Code42 we are looking to explore and strengthen our technologies that help to enable remote work and further push teams to collaborate. When we were unexpectedly thrust into remote work last year, we quickly adapted, but technology can always be improved. We have been focused on enabling our employee base and also making sure we stay on top of the shifting security risk landscape.

What are the CEO's top priorities for you in the coming year? How do you plan to support the business with IT? The top priority for any IT leader that works at a software company is figuring out new and effective ways to enable our sales and marketing organisations. In just the first quarter of this year we have already onboarded five new applications to support Code42’s teams. Throughout 2021 it is going to be important that we continue to find the right solutions to empower this part of our business.

Our other main priority is to continue to define the insider risk category. For years, security has only defined data leaks or file exfiltration committed by insiders (i.e. employees, contractors, etc.) as threats. What we’ve found though is that the majority of these breaches are committed unintentionally, and are more the product of our increasingly connected workforce. For example, an employee who accidentally syncs company data to their personal iCloud is technically causing a breach, but we know they don’t have malicious intent. We’d call this an insider risk and an act that can easily be corrected.

Does the conventional CIO role include responsibilities it should not hold? Should the role have additional responsibilities it does not currently include? I may sound biased, but I do believe the CIO should also be the CISO. The CIO shouldn’t just have security responsibilities tacked onto their job description. They should share the CISO title with the CIO title so the responsibilities to the organisation are equal. Traditionally, CIO roles have the security function of the organisation bolted on, but we’re finding that’s not often good enough and the overall security posture falls flat. Only by empowering the CIO and CISO do you make it clear that security is a priority and you’re treating it as such.

Are you leading a digital transformation? If so, does it emphasise customer experience and revenue growth or operational efficiency? If both, how do you balance the two? Every CIO right now is leading a digital transformation - expedited in light of the pandemic - and driving as much efficiency and collaboration across the organisation. As with everything the CIO does, it’s a mass balancing act. It all comes down to the risk you’re taking on, and the security risk that you’re taking on to do it. One notable aspect of digital transformation that we’re most focused on, since Code42 provides insider risk management cloud software, is the growth of collaboration software and tools, which raises challenges of striking the right balance of security and visibility.

Describe the maturity of your digital business. For example, do you have KPIs to quantify the value of IT? At Code42, we measure all the standard IT KPIs such as budget, SLAs on tech delivery, down time, etc. These tell us how we are delivering in the organisation and if we need to modify things to deliver more quickly and more efficiently. The thing that these KPIs don’t tell us is how impactful we are to our most important metric which is overall annual recurring revenue (ARR). These metrics are more unique than the standard KPIs and require a more thoughtful approach in measuring.

For example, one of the things that we have delivered from our IT organisation is a way to view and interact with our product demo on our website. We believe that this delivery will generate more leads into our sales funnel, and in turn generate more ARR. Measuring this is specific to Code42 but a very important point of measurement for us to be able to truly talk about the impact we are having within the organisation.

What does good culture fit look like in your organisation? How do you cultivate it? First and foremost, I like to define a brand statement for my team. Of course this can change based on what’s going on within the organisation, but it’s meant to describe how we want other departments to talk about us. For example, we want to be innovative business enablers, a team that says “yes” when asked to do something, transparent in our actions, respected when we have to call out risks, etc. And we try really hard to find ways every day that our team delivers on that brand statement – and celebrate those moments every month.

Second, as both the CIO and CISO, security is a core function of my everyday job. So that includes determining what the risk posture is that the organisation wants us to take – and making sure all decisions map back to that. That security posture is defined from the board level, down. How we see this play out is when other departments and teams talk about us in the way we want to be talked about. This all ultimately leads to a culture of self-awareness and transparency where the security organisation isn’t afraid to “tell on itself” if something went wrong and admit to their mistakes, and they’re honest about potential risks they may be bringing to company data. And on the IT side, people come to us as a trusted partner.

What roles or skills are you finding (or anticipate to be) the most difficult to fill? It’s no secret there’s a cybersecurity talent shortage, so in turn security roles are harder to fill right now. What I’ve found is, a lot of students aren’t getting proper, sufficient security education as it’s not made part of their core education.

Additionally, developer skills to support the IT and security functions are increasingly tough to come by. In part due to this reason, in 2020 I asked my security team to learn the basics of coding. At Code42 we believe in automation and driving key control points through code. We have invested a lot of time and energy in this area, so I found it crucial that security understands what needs to be done to make this a reality. To do this, I asked the team to learn the basics of a coding language. From there, we asked them to think through things within their daily job that they could automate leveraging code. In turn, many of our ongoing processes have matured through this educational approach.

What's the best career advice you ever received? I truly value the career advice I’ve received over the years, and have spent a great deal of time in leadership programs and with mentors to ensure I can be the best version of myself. Over the years, each piece of advice I’ve been given has meant something to me based on where I was in my journey. However, I think the one piece of advice that seems so simple, yet still resonates today, is “do something that scares you every day.” This could mean respectfully challenging a leader, taking a new role or simply doing something you haven’t done before. It’s in these “scary” moments that we learn the most and grow the most. While the things that scare you may not always work out, I can guarantee you they are the things that you will learn the most from.

Do you have a succession plan? If so, discuss the importance of and challenges with training up high-performing staff. What’s funny is, currently nobody that works for me really wants my job. To put it bluntly, leading IT and security teams every day can be stressful and a constant juggling act but it also leads to countless rewards. I’d love to coach and mentor a few people on my team to eventually take on my role.

What advice would you give to aspiring IT leaders? IT is broad - and there are so many roles within the field. Just because one aspect of IT may not be your thing, another aspect may be better suited to your interests and skills. So I encourage aspiring IT leaders to be on the lookout for what is your natural fit and align the passion you have with the purpose of the role. As with other career paths, there are certainly challenging days in IT. So it’s important you have passion for what you’re doing each day. This is the true magic in making your job not really feel like work at all. It’s also worthwhile to find peer networks to continue learning and help broaden your insight by seeking diverse points of view from seasoned professionals.

What has been your greatest career achievement? When I look back on my career thus far, my greatest achievement is the impact I believe I have had on others. I think about the people that worked for me at one point in other roles that have stepped up and into positions I once had. I think about people that have left my team to take on higher responsibilities, even CISO roles, at other companies. It's a true joy to watch employees on my teams grow and continue to push to the next level. The idea that I could have impacted their career and development, in even the smallest way, is highly rewarding and what I consider my greatest achievement.

Looking back with 20:20 hindsight, what would you have done differently? Like most business leaders, your job can take over your life. This is all the more challenging as a mother, so it was a difficult decision when I took a short leave of absence from work a couple of years ago to dedicate my time towards a personal family matter pertaining to my daughter. During this time, and leading up to it, I beat myself up over the decision even though I knew deep down that it was the right move for my family. What I learned was that work will always be there and putting family first is never the wrong decision.

What are you reading now? I just started reading The Effective Executive: The Definitive Guide to Getting the Right Things Done by Peter F. Drucker. In this book, Drucker identifies five practices essential to business effectiveness that should be learned.

Most people don't know that I… Got hit in the face with a bowling ball in seventh grade that knocked out my front teeth.

In my spare time, I like to… Spend quality time with my family at my lake house and travel.

Ask me to do anything but… Anything medical. As someone with two young children I'm no stranger to cuts and scrapes but I can’t help getting queasy at the sight of blood – which is ironic since my sister and mother both worked in the medical field!