As a longtime information security professional at Johnson & Johnson, Mike Wagner helped shape the Fortune 100 company’s security approach and security stack. Wagner recently became the first CISO of J&J’s year-old spin-off Kenvue, which was previously J&J’s consumer healthcare division. In that role, he aims to combine the best of J&J with an efficient and modern approach that fits the new standalone company.
“We wanted to create a streamlined and cost-effective architecture with maximum security,” Wagner explains.
The first step was defining key roles required to build an effective security program. That included architects and engineers to implement tools; identity and access management (IAM) experts to enable secure authentication; risk management leaders to align security with business priorities; security operations staff for incident response; and dedicated staff to for each cyber function.
To ensure maximum effectiveness and future scalability for the cyber architecture, the newly created cyber team knew it wanted to embed machine learning and AI. That included automating IAM, streamlining supplier assessments through automated questionnaires, implementing AI for behavioral analysis, and using machine learning to improve threat detection.
Which Cyber Tools to Keep and Which to Replace
With the basics ironed out, the next step was choosing which tools and processes should be retained from J&J and which should be replaced. While J&J’s cybersecurity architecture was solid, it was a patchwork of systems created by decades of acquisitions.
To determine what to keep and what to replace, Wagner’s team first inventoried J&J’s tools, mapping them to Kenvue’s operating model and choosing the ones with capabilities Kenvue would need. In many cases, the team found that J&J’s security tools were more full-featured than the smaller spin-off needed. In other cases, J&J’s technology was duplicative. In still others, existing J&J technology wasn’t affordable, or didn’t provide the maximum security footprint for Kenvue’s mission.
And sometimes, it simply came down to how well-integrated J&J’s security architecture was.
“Take something like endpoint detection and response (EDR),” Wagner says. “Where J&J may have had two to three pieces of software on the endpoint to accomplish that mission due to different acquisitions over time, we consolidated it into one more modern solution.”
The ultimate decisions for each type of security function also depended on the number and type of dependencies. For example, applications tend to be dependent on IAM, which meant that for the time being, Kenvue would stick with J&J’s IAM systems. Over time, though, Wagner plans to migrate to a more modern IAM system.
In the end, Kenvue chose to adopt about half of its tech stack from J&J.
Choosing what to retain and what to replace can be tricky, notes Scott Crawford, research director for the 451 Research Information Security channel with S&P Global Market Intelligence. Typically, though, it comes down to weighing the tool’s functionality and how well it will fit into the new company’s architecture against other options that might be a better fit. In some cases, it may require new investments, while in others, subscription or licensing terms will have to be determined as part of spin-off costs, he says.
The Right People, Working Together
Another challenge Wagner faced was assembling the right combination of expertise for his cyber team. After evaluating the capabilities of existing J&J employees along with external candidates, he chose a combination of former J&J employees with deep business knowledge and new hires with modern technical and cyber skills. They included architects and engineers to implement defense controls, IAM experts, risk management leaders, and SecOps staff.
Wagner also chose to add one other type of personnel to his team: business information security officers (BISO), which act as intermediaries between the cyber organization and different business units. Wagner says that the BISO role is critical to his team’s success.
“They focus on scouting what’s new, the direction it’s going, and how we can make sure the business is going about it securely,” he explains.
With the tools and team in place, the final challenge was maintaining security for both J&J and Kenvue during the transition. It required constant communication between different functions, with daily meetings that included J&J leaders, Kenvue leaders, and suppliers to ensure that everything went smoothly.
With the foundation in place, Kenvue’s security team is operating smoothly, but Wagner says there is more to do. Next, he plans to lean into modern security strategies, including adoption of zero trust and enhancement of technical controls.
Continuing to improve cybersecurity programs is critical to helping ensure scalability and adaptability over the long term, Crawford says. That means making greater use of automation to handle overwhelming volumes of data at speed and scale. “Automation will have to become even more trusted to handle problems at the scale and level of detail,” he said. “Forward-thinking CISOs are without doubt looking at these opportunities seriously.”