Mike Wagner was a longtime information security professional at Johnson & Johnson, where he helped shape the Fortune 100 company's security approach and security stack. Mr. Wagner recently became the first CISO of Kenvue, which separated from J&J a year ago. Kenvue was previously J&J's consumer healthcare division. In his new role, Mr. Wagner aims to combine the best of J&J with an efficient, modern approach suited to the new, independent company.
“We wanted to create a streamlined, cost-effective architecture with maximum security,” Wagner explains.
The first step was to define the key roles needed to build an effective security program. These include architects and engineers who implement the tools, identity and access management (IAM) experts who enable secure authentication, risk management leaders who align security with business priorities, and security operations staff who respond to incidents. The team includes dedicated staff for each cyber function.
To ensure maximum effectiveness and future scalability of the cyber architecture, the newly formed cyber team wanted to incorporate machine learning and artificial intelligence (AI). That included IAM automation; streamlining supplier evaluation with automated surveys; and behavioral analysis using AI, which uses machine learning to improve threat detection.
Deciding which cyber tools to keep or replace
With the basics completed, the next step was to choose which tools and processes from J&J to keep and which to replace. J&J's cybersecurity architecture was strong, but it was a patchwork of systems created over decades of acquisitions.
To make the decision, Wagner's team first created a list of J&J's tools, mapped them to Kenvue's operating model, and selected tools with the features Kenvue needed. In many cases, the team found J&J's security tools to be more full-featured than the smaller spin-off needed. In other cases, J&J's technology overlapped. Additionally, in some cases, existing J&J technology was not affordable or could not provide the maximum security footprint for Kenvue's mission.
And in some cases, it was simply a matter of how integrated J&J's security architecture was.
“Think about things like endpoint detection and response,” Wagner says. “At J&J, we've made different acquisitions over time, so we might have had two or three pieces of software on the endpoint to accomplish that mission, but we've turned it into one piece of software integrated into the latest solution.”
The final decision on each type of security feature also depended on the number and type of dependencies. For example, applications tend to rely on IAM, so Kenvue will continue to use J&J's IAM system for the time being. However, Wagner plans to migrate to a more modern IAM system over time.
Ultimately, Kenvue chose to take about half of its technology stack from J&J.
Choosing what to keep and what to replace can be difficult, says Scott Crawford, research director for S&P Global Market Intelligence's 451 Research Information Security channel. However, you will typically want to weigh the tool's capabilities and how well it fits into your new company's architecture against other options that may be a better fit. In some cases, new investments may be required, while subscription and licensing terms may need to be determined as part of the spinoff costs, he said.
The right people work together
Another challenge Wagner faced was getting the right mix of expertise on the cyber team. After evaluating the capabilities of existing J&J employees and external candidates, he selected a combination of former J&J employees with deep business knowledge and new employees with the latest technical and cyber skills. They included architects and engineers implementing defensive controls, IAM experts, risk management leaders, and SecOps staff.
Wagner also opted to add another type of talent to his team: the business information security officer (BISO), who acts as an intermediary between the cyber organization and various business units. Wagner says the BISO's role is critical to the team's success.
“They're focused on investigating what's new, what direction it's going in, and how to move the business forward safely,” he explains.
With the tools and team in place, the final challenge was maintaining the security of both J&J and Kenvue during the migration. To make sure everything ran smoothly, the team held daily meetings that included J&J leadership, Kenvue leadership, and suppliers, and there had to be constant communication between the various departments.
Although the foundation is in place and Kenvue's security team is operating steadily, Wagner says there is still more work to be done. Next, the team plans to focus on modern security strategies, including adopting zero trust and strengthening technical controls.
Continuously improving cybersecurity programs is key to ensuring long-term scalability and adaptability, Crawford says. This means leveraging more automation to process overwhelming amounts of data at high speed and scale.
“Automation needs to become even more reliable to handle problems at scale and at a granular level,” he said. “Forward-thinking CISOs are definitely considering these opportunities seriously.”