As a longtime cybersecurity professional at Johnson & Johnson, Mike Wagner helped shape the Fortune 100 company’s security approach and security stack. Wagner recently became the first CISO of Kenvue, the J&J spin-off created a year ago from what was previously J&J’s consumer healthcare division. In his new role, Wagner aims to combine the best of J&J with an efficient and modern approach that fits the new autonomous company.
“We wanted to create a streamlined, economical architecture with maximum security,” explains Wagner.
The first step was to define the key roles needed to build an effective security program. This included architects and engineers to implement tools, identity and access management (IAM) experts to enable secure authentication, risk management leaders to align security with business priorities, security operations staff for incident response, and dedicated staff for each IT function.
To ensure maximum effectiveness and future scalability of the cyber architecture, the newly created cyber team knew they wanted to incorporate machine learning and artificial intelligence (AI). This included automating IAM, rationalizing supplier evaluations through automated questionnaires, implementing AI for behavioral analysis, and using machine learning to improve threat detection.
Deciding which IT tools to keep or replace
With the basics sorted out, the next step was to choose which tools and processes J&J should keep and which should be replaced. While J&J’s cybersecurity architecture was robust, it was a patchwork of systems created by decades of acquisitions.
To make its decisions, Wagner’s team first took an inventory of J&J’s tools, mapping them to Kenvue’s operating model and choosing those with the capabilities Kenvue would need. In many cases, the team found that J&J’s security tools were more comprehensive than the smaller spin-off required. In other cases, J&J’s technology was duplicative. In still others, existing J&J technology was not cost-effective or did not provide the highest level of security for Kenvue’s mission.
And, sometimes, it simply came down to how well integrated J&J’s security architecture was.
“Let’s take something like endpoint detection and response,” Wagner says. “Where J&J might have had two or three pieces of software on the endpoint to accomplish that mission due to several acquisitions over time, we consolidated it into a single, more modern solution.”
The final decision for each type of security function also depended on the number and type of dependencies. For example, applications tend to depend on IAM, which means Kenvue will stick with J&J’s IAM systems for now. Over time, however, Wagner plans to migrate to a more modern IAM system.
Ultimately, Kenvue chose to adopt about half of its technology stack from J&J.
Choosing what to keep and what to replace can be tricky, notes Scott Crawford, research director for the 451 Research Information Security channel at S&P Global Market Intelligence. Typically, however, it comes down to evaluating the functionality of the tool and how well it will fit into the new company’s architecture compared with other options that may be better suited. In some cases, new investments may be needed, while in others, subscription or licensing terms will need to be determined as part of the spin-off costs, he says.
The right people, working together
Another challenge Wagner faced was putting together the right mix of skills for his cyber team. After evaluating the capabilities of existing J&J employees along with external candidates, he chose a combination of former J&J employees with deep business knowledge and new hires with modern technical and IT skills. They included architects and engineers to implement defense controls, IAM experts, risk management leaders, and SecOps personnel.
Wagner also chose to add another type of personnel to his team: business information security officers (BISOs), who act as intermediaries between the IT organization and the various business units. Wagner says the BISOs’ role is critical to his team’s success.
“They’re focused on exploring what’s new, where they’re going and how we can make sure the company moves forward safely,” he explains.
With the tools and team in place, the final challenge was to maintain security for both J&J and Kenvue during the transition. It required constant communication between different functions, with daily meetings that included J&J leaders, Kenvue leaders and suppliers to ensure everything ran smoothly.
With the foundations in place, Kenvue’s security team is operating steadily, but Wagner says there’s still more to do. Next, he plans to lean on modern security strategies, including adopting zero trust and improving technical controls.
Continuing to improve cybersecurity programs is critical to help ensure long-term scalability and adaptability, Crawford says. This means making greater use of automation to handle huge volumes of data quickly and at scale.
“Automation will have to become even more reliable to handle problems at scale and level of detail,” he says. “Forward-thinking CISOs are, without a doubt, seriously evaluating these opportunities.”