Security Visionaries Podcast

The Convergence of CIO & CISO Roles

Join host Max Havey on the latest episode of Security Visionaries as he sits down with guest Jadee Hanson, CISO at Vanta. Jadee offers an in-depth and insightful look at the intertwining roles of CIOs and CISOs in the high-stakes world of cybersecurity. Tune in to listen to Jadee’s journey, learn about the strategies she’s used to build bridges between security and technology teams, gain insights into the future of CISO roles, and discover why integrated processes and equal accountability are changing the game.

If you’re doing the CISO role correctly, you’re ultimately trying to identify business initiatives that drive success for the organization, which is really not that different than the CIO role itself. And if you can align the CISO function and the CIO function together to address those agreed upon business objectives, the teams working underneath you do a great job coming together to address common outcomes.

—Jadee Hanson, CISO at Vanta


Timestamps

  • 00:01 - Introduction
  • 02:18 - Exploring the dual roles of CIO and CISO
  • 05:27 - Strategies for working with security and tech teams
  • 08:34 - The decision-making and influence of CISO and CIO roles
  • 10:28 - How to influence and educate non-tech teams about security
  • 11:27 - Predicted changes in CISO roles and convergence with CIO duties
  • 14:32 - Pivoting the CISO role towards technology strategy and risk
  • 15:53 - The growing importance around CISO roles and tech decisions


On this episode

Jadee Hanson
CISO at Vanta


Jadee Hanson is a strategic CIO and CISO with 20 years of experience driving business success for startups and iconic billion-dollar brands, and currently serves as CISO at Vanta. She boosts revenue and curbs risk through high-level, transformative security and IT strategies and leverages deep subject matter expertise in security technologies to expand the market relevance of security products. Jadee was named to the 2023 Forbes CIO Next List, one of 2022’s Top 25 Women in Cybersecurity by The Software Report and one of 2022’s Top 100 Women in Cybersecurity by Cyber Defense Magazine. She is frequently quoted on security topics, including in Inc. Magazine, Forbes, Wall Street Journal, and CIODive, and is a recognized thought leader within the CISO and CIO community.

Max Havey
Senior Content Specialist at Netskope


Max Havey is a Senior Content Specialist for Netskope’s corporate communications team. He is a graduate of the University of Missouri’s School of Journalism with both a Bachelor’s and a Master’s in Magazine Journalism. Max has worked as a content writer for startups in the software and life insurance industries, and has edited ghostwriting across multiple industries.


Episode transcript

0:00:01.6 Max Havey: Hello and welcome to another edition of Security Visionaries, a podcast all about the world of cyber, data, and tech infrastructure, bringing together experts from around the world and across domains. I'm your host, Max Havey, and today we're talking about the roles of CIO and CISOs with our guest, Jadee Hanson, CISO at Vanta. Jadee, welcome to the show.

0:00:21.2 Jadee Hanson: Thanks for having me.

0:00:22.4 Max Havey: So to get things started here, can you share a little bit about your career background? I know you've worked for a number of companies and done a lot of different security leadership roles over the years. Can you give us a little bit of a background here?

0:00:31.8 Jadee Hanson: You bet. Yeah. I got into cyber pretty young. I actually started doing cyber work at my high school, believe it or not, worked for the technology coordinator at my high school. We did all sorts of different things for the school. He had me putting together computers in order to save money for our school district, which was sort of like my entry into the world of tech and the world of cyber. I started my career at Deloitte doing pen testing, security audit work, and this is when I moved into my first management role. I then moved over to Target Corporation where I decided to be part of every function of the cyber team there. When I finally decided I didn't want to travel that much anymore and move into more of a startup role, I moved over to Code 42. At Target I got an intro into the startup world because I did a lot of due diligence for some of the companies that Target Corp bought.

0:01:35.0 Jadee Hanson: We actually purchased a few small Silicon Valley based tech companies when I was at Target. And so got a little bit of an intro into the startup world that way and really enjoyed the culture of the startup world, how fast paced it moved and decided to join Code 42 and was at Code 42 in the CIO CISO role for about eight years and then recently moved over to Vanta. And Vanta we're also a security software company and we're really building a product that changes how people think about the governance, risk, and compliance section of a security program.

0:02:18.6 Max Havey: Absolutely. So I know in your past role you talked about having both sort of a CIO and a CISO role. Can you tell us a bit about what it was like navigating that sort of dual role operating on both sort of the technology and the security side of things? I know they can often be opposing forces, so can you tell us a little bit about how that functioned?

0:02:34.7 Jadee Hanson: Yeah, I think many of the listeners probably know that CIOs are sort of like always pushing new technology investments while the CISO role is cautiously bringing up risks with new technologies. And so my running joke was that holding both roles, I was able to have an internal argument with myself every day, but CIO roles and the CIO role that I held is really a strategic business leader role. And I think that is how my boss saw me while I was at Code 42 leading the security team. So while I was the CISO at Code 42, I was reporting directly to our CEO and I had a chance to be part of many of the strategic business decisions being made. And I think my leader at the time saw me beyond a cyber leader and recognized that I had a strong business sense and that is what ultimately ended up getting me the CIO role. And I do think that the CIO role and the CISO role are more alike than they probably are different, both C-level roles in an organization. And in that regard, both roles should be focused on having that strong business sense and the strong ability to evaluate risk to make sure that you're making the right technology decisions for the organization.

0:04:01.5 Max Havey: And so I think I maybe was a little bit leading in my question before, but so in taking on both of those roles then, did you run into that sort of opposing forces the way that technology teams are trying to optimize for performance a lot of the time or security's trying to make sure there are proper controls around it? Were you running into those sorts of issues as you were doing those two roles concurrently?

0:04:19.9 Jadee Hanson: Yeah, I mean I think it's trade-offs, it's 100% trade-offs and understanding and evaluating each technology decision from like a cost benefit analysis, risk outcome analysis to really make the best decision and having both roles report directly to me. I think that certainly helped bridge that gap at Code 42 and then as well at Vanta, I do have the IT teams reporting directly to me, and I think it's a model that a lot of CISOs in smaller companies have in place today that certainly I think works really well. If you're doing the CISO role correctly, you're ultimately trying to identify business initiatives that drive success for the organization, which is really not that different than the CIO role itself. And if you can align the CISO function and the CIO function together to address those agreed upon business objectives, the teams working underneath you, I think do a great job coming together to address common outcomes.

0:05:27.8 Max Havey: Absolutely. And in that same vein, what are some strategies that you came across while having these dual roles that you'd recommend other CISOs who are looking to bridge that gap within their organization as well? What sorts of strategies or advice would you offer to them around that?

0:05:40.3 Jadee Hanson: Yeah. I think one of the most impactful strategies that I pushed within the teams is the concept of integrated processes. So there are many different desired outcomes that require the participation of security and IT, and by developing this like joint process to deliver the outcomes, you find that the teams really come together. It's much like I said before in terms of finding joint goals so that each team is committed to the final outcome or the final success. Simple example would be like a zero day patching process. Security certainly has a vested interest that things get patched and get completed, but they definitely need to rely on IT to make it happen. And so by implementing like a framework and a process where both parties are involved and held accountable to the final outcome, you see the teams work a lot closer together.

0:06:38.8 Max Havey: Absolutely. That equal accountability, I think cross-functionality is a word that gets thrown around in that as well. And last season our theme was around the idea of security as a team sport. And I think bringing it together in that sort of way and thinking toward those joint goals is a great way to think about security and infrastructure as a team sport.

Max Havey: Definitely. It's the same sort of cross-functional thinking and working cross-functionally while also working independently and finding a way to bring those things together so that you can do this in the best possible way and get the best possible outcome.

0:06:55.0 Jadee Hanson: Yeah, absolutely. We're in large part influencing without authority and so trying to get everybody accountable to security and many times I say to the Vanta organization, Security is everyone's responsibility and really does require everyone's participation.

0:07:14.1 Max Havey: As someone who does have years of CIO experience too, how is that sort of influencing the way that you are approaching your role as a CISO now?

0:07:21.0 Jadee Hanson: Yeah, again, I'll go back to the concept of the CISO role is really a strategic leader role within the organization and we want the best for the business and we want the best business outcomes. And that's no different than the CIO role. And so when I think about like the CIO role, my job previously was to choose all the right technology for the organization, make sure we're making all the right trade-off choices, make sure we're financially responsible. The CISO role that I have today, I have elements of IT as part of that, but it really is very similar in the sense that from a security perspective, I wanna influence in the right places so that we have the right business outcomes. I want to make sure that we're like applying the right security practices in place in order to make sure that we don't have any sort of ancillary impact of event. And so I don't see it really that different. I think many of the c-level roles in an organization have their area of expertise, but at the end of the day, really it's about like strategic decision making to impact the business in a positive way.

0:08:34.8 Max Havey: Absolutely. To an extent you are finding ways to help make those decisions regardless of your role, whether you're a CISO or a CIO, you are still making those business level decisions and helping to enable the business at large regardless of whether you're talking about security or the technology or some amalgam of both.

0:08:50.5 Jadee Hanson: Yeah, absolutely.

0:08:53.8 Max Havey: A word you keep saying that I kinda wanna double click on here. As you talk about the idea of creating influence in between all of these different teams and working cross-functionally, what are some ways that you create that influence to try and help folks to better understand the needs of say like a technology team or of a security team to get them to see why this is an important thing they should be taking seriously?

0:09:11.0 Jadee Hanson: Yeah I think a lot of it has to do with like approach. And so as I think about the way that we work at Vanta, we focus very much on principles of being approachable and being a partner and collaborating and certainly not being the department of no, but the department of come to us with a problem and let's help get to the best outcome for the organization. I think that having that type of approach across the organization ends up getting us the right impact. Again, I'll go back to the fact that we really are influencing without authority. We don't get to make the decisions in every organization. And so some of our most important work is getting the right influence into the organization, educating them with the right education aspects that they need to making sure that we take the time to explain the why. Not everybody sees what we're seeing from the external landscape. And so taking time to make sure they understand, hey, these are the threats that we're seeing externally that may impact what you're doing. And describing that so that we're not coming in and just saying it must be done this way, but we're really educating as part of that.

0:10:28.7 Max Havey: That education part seems especially important as we talk about the idea of CISO becoming more prevalent in the boardrooms and being more prevalent, talking to like higher level executives within a company. I think being able to influence and to educate the folks who are not technical, who don't have that sort of background with security or with technology to help them to understand, I think that's a key to all of this.

0:10:48.6 Jadee Hanson: Yeah, absolutely. Our job is really to take the concepts that we know and turn them into like higher level business language that turns into like impact for them. Like how could this impact your ultimate objectives?

0:11:05.3 Max Havey: Absolutely. And thinking a bit bigger, thinking further down the line here, the idea of convergence gets talked about a lot when you talk about CISOs and CIO roles. What's sort of your vision as you're looking at the future of these sorts of roles, what sorts of changes do you believe are in store for the CISO role over the coming years as it relates to the technology side of things?

0:11:27.3 Jadee Hanson: In terms of the CIO role and the CISO role convergence, let me address that first. I think in a lot of like smaller and mid-market companies, the CISO role will end up having responsibility over IT. And so you could almost argue that it's somewhat of a combined role without like the named CIO aspect of it. In larger companies, I think it'll still stay largely separate, but I do see a world where these two organizations work very much hand in hand and are seen more as equal. As it relates to the future of the CISO role for the coming years, I think it's important to remember that the CISO role is still a relatively new C-level role. So I think there's going to be constant changes as things move forward. That said, there are two primary changes I think that are in store for us more in the coming years and the first being an increased strategic importance or increased responsibility within the organization.

0:12:33.5 Jadee Hanson: So CISOs are starting to be seen more and more than just technology leaders in an organization and instead seen as one of the strategic leaders of the company that hold that collective interest for positive business outcomes among the rest of the leadership team. I think that is very much a change from what we've seen in the past. CISOs are starting to play that like integral role in shaping business strategy, balancing the right like risks and then resilience as the company grows. And at the enterprise level we almost see this increased strategic importance being driven in large part by like all the aspects of what's happening with the SEC and the SEC holding large enterprise public companies accountable for CISO actions and CISOs are now at that level of being held accountable for key disclosures for shareholder requirements, which is certainly elevating the CISO role leading to just a much broader and more impactful role for that CISO.

0:13:40.2 Jadee Hanson: I think the second sort of change I see in the coming years for the CISO role is this shifting of the role from just that pure security play to that of like technology strategy and risk. So a little bit more of like that CIO convergence and a little bit more of like the chief risk officer convergence. So in many cases today's CISOs hold many of the same responsibilities as CIO and chief risk officer, we talked about this before, but many responsibilities for making key technology decisions within the organizations end up landing in the CISO's lap. And then the CISO role today has moved beyond just security and technology, but instead having a seat at the table to evaluate security as like solutions are being brought into the organization.

0:14:32.9 Max Havey: And having that visibility at the front end if CISOs are being held accountable for more things like around SEC filings and disclosures and things of that sort. I think being able to have that sort of vision into what technology is risky, what practices can we do to eliminate this risk, having those things on the front end versus when you find out about them as they're happening. I think that's a key strategy for making your security and your technology better at the same time I've heard from a lot of security leaders over the years of working on this show is that having a proactive approach is one of the keys to being a good CISO and to having a good security strategy as an organization.

0:15:11.1 Jadee Hanson: Yeah, 100%. As many times as we can get involved early, there's a bunch of studies out there of the cost of doing a security change early and even just like the development cycle versus trying to implement a change in a product after the product's been shipped. And certainly like the cost is incredibly low if you can get involved early and influence the right people to make the right decisions versus after the fact.

0:15:38.0 Max Havey: Absolutely. And I guess to wrap things up here, what excites you most as someone who's been in the security industry in CISOs and CIO roles? What excites you about seeing these sorts of roles converging and seeing the responsibilities coming together around technology and security?

0:15:53.6 Jadee Hanson: I think the thing that excites me is from a CISO perspective, we've been jumping up and down saying, Hey, pay attention to us for years and recently I think we've gotten a lot of limelight, a lot of spotlight sort of pointed on the CISO role. And I think that in many cases that's a good thing. Certainly we have more to do to make sure that government bodies understand our space really deeply. But that said, I think that having the visibility to the role and what we do and how we operate is really, really important. And that excites me. I think also what I'm seeing in the industry of like more and more technology decisions becoming part of the CISO role too. So you would think of like the CIO decision making on technology, and this partnership with like the CISO and now you sort of see like CISOs leading different technology teams and decision making happening at the CISO role, which I think is incredibly important. And it's really exciting because I think in that regard, the CISO's not just holding on and trying to catch up, but they're part of the decision making process.

0:17:12.8 Max Havey: Definitely no longer playing catch up and finally getting their time in the spotlight, their time to shine and their time to lead the pack.

0:17:18.0 Jadee Hanson: Absolutely.

0:17:18.9 Max Havey: Absolutely. Well, Jadee, thank you so much for taking the time here today. This was an excellent conversation digging into sort of the dichotomy between the CIO and the CISO roles and how they converge. So thank you so much for taking the time. We really appreciate it.

0:17:30.2 Jadee Hanson: Yeah, absolutely. Thank you so much for having me.

0:17:32.7 Max Havey: Absolutely. And you've been listening to the Security Visionaries podcast. I've been your host, Max Havey, and if you've enjoyed this episode, share it with a friend and subscribe to Security Visionaries on your favorite podcast platform. There you can listen to our back catalog of episodes and keep an eye out for new ones, dropping every other week, hosted either by me or my co-host, the wonderful Emily Wearmouth. And with that, we'll catch you on the next episode.
