Technology DECODED

Previous edition: 20 Mar 2024

In conversation: Vanta CISO Jadee Hanson talks AI and regulation

Hanson's IT career spans roles at Target, Deloitte and Code42 before she joined leading US trust platform Vanta during a rapid period of growth.

The professional life of a CISO in 2024 is becoming ever more complicated. Cyber threats take many forms, coming both from within an organisation and from outside it. And with a shift towards remote working, the complexity of keeping an organisation's data safe and compliant is a constant challenge. However, with Jadee Hanson’s two decades of experience as a security professional – spanning both startups and billion-dollar brands – her new role as inaugural CISO for security and compliance platform Vanta is one she is most definitely prepared for.

“It is a little bit different when you are the CISO for a security company,” explains Hanson. At Vanta, she is responsible for not only building and maturing an internal security framework, but also helping the rest of the organisation in its core business of compliance and security solutions for its 7,000 customers. Hanson’s cross-industry background means she “truly understands the security buyer”.

Vanta’s rapid growth from start-up to trust management platform of choice for clients including Atlassian, Chili Piper, Flo Health and Quora has seen the company double its client base throughout 2023 and reach $100m in annual recurring revenue for the financial year ending 31 January 2024. While it is an exciting time to join the company, such growth presents an ongoing challenge for Hanson, who plans on adding headcount, expanding existing roles, carrying out technology assessments and driving automation in everything the company does.

Indeed, AI is something that Hanson says is top of mind not just for Vanta, but for her peers within the wider CISO community. “How do we embrace it with the right guardrails in place, so that it doesn't become a problem for our companies? This is something we talk about every day, all day within our communities,” says Hanson, who caveats these challenges with a palpable excitement about the efficiencies that Vanta is delivering back to its customers by integrating AI throughout its platform.  

Vanta's AI-first approach

In October 2023, the company introduced Vanta AI, which offers AI-driven vendor security reviews, generative questionnaire responses and intelligent control mapping, which Hanson says can significantly improve efficiencies within enterprise security teams.

However, keeping pace with rapid AI development poses a regulatory risk. To guard against the current AI regulation gap, Hanson says that businesses should follow the framework developed by the National Institute of Standards and Technology (NIST), the US government agency that oversees the country’s innovation and industrial competitiveness.

Vanta launched its NIST AI Risk Management Framework in January 2024, a product that customers can use to centralise their AI risk management workflows. “That is what we have today; we are going to see more to come from the government related to AI,” says Hanson, adding that she recommends following the NIST framework as a starting point.

Also in January this year, the company announced that Vanta AI incorporated automation to analyse security documents within Vanta’s Vendor Risk Management product, import user access data from images and PDFs, and map existing tests and policies to relevant controls.

Regulation a perennial worry for CISOs

Regulation is a perennial worry for Hanson and her CISO peers, and never more so than in today’s shifting global regulatory landscape. With customers that straddle international markets, Hanson must keep a close eye on developments in global regulation, particularly Europe’s Digital Markets Act – which is making its way through various stages of implementation as European tech regulation takes a global lead.

Some of the most robust privacy aspects of Vanta’s programme are a result of European regulatory changes. “We try to address our security programme holistically,” says Hanson, so that disparate geographies do not create inefficiencies. Taking developments both in Europe and the US into account and making sure that Vanta is structuring its security programme to cover everything is key. In doing so, changing privacy regulation has perhaps had the most impact on Vanta’s security programme, according to Hanson.

Broadly speaking, macro regulation has increasingly moved towards mandating transparency. Hanson cites the recent Change Healthcare security breach, which impacted 90% of US pharmacies, as a milestone case because it was the first breach that resulted in a formal Securities and Exchange Commission filing, she says, adding: “We are watching how governments are going to be influencing different companies. Security teams need to be a lot more transparent about their controls and status of their security programmes.”

Hanson’s approach to the big challenges around breaches and their reporting is collaborative-first. Security professionals need a certain element of industry-wide trust to combat what should be viewed as what it really is – a collective problem. “We hear about a breach every other day, and it kicks off this chain,” says Hanson, referring as an example to the informal, industry-wide communication network used to discover who is using the vendor with the security vulnerability.

“It is not a very efficient and effective way to prove the trust across organisations,” says Hanson, who believes a more transparent and proactive way of sharing information is needed. Hanson’s solution is to create what she describes as ‘trust centres’ where companies – or customers from a Vanta perspective – can report breaches, whether they are impacted, which vendors were involved and what documentation might be useful for other companies trying to mitigate the breach. This public ‘without prejudice’ transparency could be transformative.

Cybersecurity's 'women' problem

A collaborative approach is often one of the benefits ascribed to attracting more women to the technology industry. Scrolling through 2023's Forbes CIO Next List, it is not difficult to spot Hanson. Sadly, cybersecurity has a gender balance problem. One reason Hanson was drawn to Vanta was a sense of shared values, and Vanta is somewhat of an anomaly within the tech ecosystem for having both a woman co-founder and a majority of women at executive level.

As a recognised thought leader within the CISO and chief information officer (CIO) community, Hanson is minded to ensure that she provides mentoring for those ascending the profession, just as she has sought and found help on the way up throughout her career. In the dual role of CIO and CISO at security software company Code42, Hanson led enterprise security and technology strategy for five years and says that she owes much to both the men and women who mentored her there. “I have had a lot of women alongside me in my career journey, and I hope that I can do the same for others,” she says.

Women still make up only around 26% of the technology industry workforce, and that figure is said to be lower within cybersecurity. Attracting more women into tech is fairly simple, according to Hanson. “Making them feel welcome,” she says. In terms of practical ways to make a difference, Hanson says simply being visible to younger women helps, as do policies such as Hanson’s request that whenever a line manager interviews for a new role, they include at least one woman on the applicant roster.

Positive comments about Hanson's leadership style posted online demonstrate she is a new breed of leader that places collaboration and open-mindedness at the forefront of her approach. "She does not follow the old school hierarchy of force and coercion; she believes in the ability of working with her group instead of against them," according to one former colleague, who also noted that Hanson's team would be "willing to follow her in the heat of battle". No higher praise for a leader on the front line of cyber protection against increasingly hostile forces.

Latest news

LinkedIn to add gaming features to its platform

LinkedIn is working on broadening its offerings to incorporate gaming features.

Nvidia unveils software tools to help enterprises integrate AI

Nvidia has unveiled software to enable businesses to integrate AI systems into their workflows.

Mobility fintech Moove raises $100m in funding round led by Uber

Moove, an African mobility fintech, raised $100m in a Series B funding round, led by Uber and existing investor Mubadala, valuing the company at $750m.

Fujitsu confirms cyberattack with potential data breach

Japan's Fujitsu has publicly acknowledged a cyberattack in a statement revealing concerns about potential data breaches involving personal and customer data.

Musk’s xAI open-sources Grok-1 Model

xAI announced the open release of Grok-1, a large language model with 314 billion parameters, yesterday (17 March) in a blog post after Musk announced plans last week to open-source the model.

Fujitsu, AWS to modernise legacy cloud applications

Fujitsu and AWS are launching a joint initiative aimed at modernising legacy applications on the AWS Cloud.
