Clarke Rodgers (00:08):
Mike, thanks so much for joining me today.

Mike Wagner (00:10):
Hey, thanks Clarke. Glad to be here.

Clarke Rodgers (00:12):
So, if you'd be so kind, please tell me about your role and your responsibilities.

Mike Wagner (00:16):
Clark, I'm the CISO for a company called Kenvue. Kenvue was part of the Johnson & Johnson family of companies. You'd probably recognized it by understanding some of the products that we manufacture, such as Tylenol, Motrin, Aveeno, Neutrogena, and Johnson's Baby.

And my role in the business is to make sure that that data, the systems, the people are protected adequately from the threats that are out there. While we're making sure that we're protected, we're also enabling the business to make sure faster, more streamlined and cost-effective access is there for our consumers, for our customers, for our suppliers, and certainly for our workforce.

Clarke Rodgers (01:01):
Just going a little bit deeper, prior to this role, can you tell me a little bit about your background in security? I understand it didn't necessarily start off in being a CISO.

Mike Wagner (01:11):
That's true, yeah. Well, I went to the Air Force Academy and was in the Air Force Cyber organization, basically, doing different roles. One of those roles was with the Office of Special Investigations, was in the DC area during 9/11. I separated early in 2000s, but I stayed as a reservist. So, it was nice having a little parallel track with corporate America and the Air Force.

In a career like cyber, they complement each other really nicely because you're getting the intel and being able to practice on the reservist side or the National Guard side. And being able to apply those techniques, those lessons, that intel in the corporate space. In the corporate space, I'd been in a couple different verticals. I started off in telecommunications. Quick stint in financial services, and been mainly in healthcare the last 15 or so years.

The last five, six years I've been focused on our supply chain, our enterprise and global supply chain. And focused a lot on the OT part of security as the company was going with its digital supply chain strategy. Making sure that as different windows were opened up in the corporate network, making sure that they were protected and only the appropriate access was coming through. As well as dealing with all our suppliers, logistics, network, third-party logistics providers, et cetera. Making sure that they were squared away and/or working with them in the case of an incident.

Clarke Rodgers (03:01):
Interesting. So, can you talk a little bit about your transition from the military to corporate life? Was that a big transition for you, or because cyber sort of weaves its way through everything, it maybe was not so harsh?

Mike Wagner (03:16):
You know, what was interesting was when you're an officer in the military, you come out and boom, you're 22 years old and you have like 25 people reporting up through you. In the corporate world, you’ve got to prove yourself a little bit more. They just don't give you that type of credibility right away. So in the leadership sense, it was just getting back to the basics, building trust, building credibility, relating to what people were up to and were doing.

But from a professional standpoint, in terms of the technical abilities, the cyber and the military, and protecting a network — the same techniques and tactics apply to protecting a corporate network. Also, you can get behind that with your own inner purpose too. Inner purpose is so important to all of us, and defending networks, defending data, defending people.

Clarke Rodgers (04:11):
Having that mission.

Mike Wagner (04:13):
Yeah, part of my purpose. It's core to my DNA.

Clarke Rodgers (04:17):
That's awesome. So, in the corporate world and in your current role, we typically see that CISOs have evolved over time. It used to be a very, very technical role and not so much business focused, but now we're seeing CISOs and CSOs really being part of the senior leadership of organizations — reporting to the board regularly and really speaking the language of business over the language of the bits and the bytes and the firewalls. How have you made that transition? We talked about trust just a minute ago. How do you earn trust with the other senior executives at your organization?

Mike Wagner (04:58):
Yeah, so one of the biggest skills I think for any security professional, certainly for a CISO, is the ability to relate to people, you know? To have a connection, something in common that is going to get them to listen to what you're talking about. So, once you are able to build that connection and set a goal to educate folks on what cyber is and why it's important to them, it becomes a lot easier.

And that’s just the fundamentals, but basically, getting out there to that executive level and making sure that they understand cyber, that they understand that it's a business responsibility. And frankly, they should be using our services to help enable their business.

We are a large consumer health business. We have over a billion consumers, and we want to continue to grow. Consumers are going to be buying more and more from us directly. So how can we make their path to our products, which we feel make them better people, healthier people — whether it's sunscreen, whether it's Tylenol, or maybe for making their babies feel better.

So we want to make access easier. We also want to make sure that they know we can protect their data. And certainly, beyond the consumer, working with our great customers, our great suppliers, and then certainly the workforce. Make that user experience, that experience of people interfacing with our systems much easier, much more seamless, and much more secure.

Clarke Rodgers (06:33):
So, what you just described is a common challenge for CISOs, right? It's building that security culture outside of the security organization. So people understand, hey, it is good business to have security built in early and often, right? So how do you go about, or what kind of programs have you put in place to help build that culture of security at your organization?

Mike Wagner (06:58):
One program we put in place, which has been really successful is this concept — I talked a little bit about operational technology or OT. We're a global manufacturer. We have tens of plants and hundreds of third-party logistics providers. We put in place, what we call an OT champion program, where we know and have a point of contact that's a champion for security within the business of supply chain.

Clarke Rodgers (07:28):
Oh, interesting.

Mike Wagner (07:29):
Yeah. I mean, these people, we train them up, sort of like a “train the trainer” program. But more than that, we are a resource for them. We're advocates for them, and they advocate our program. It's been successful because it's allowed us to penetrate spaces where we wouldn’t otherwise be able to penetrate.

We talked earlier about what we have in common, being in the military. It's like when the US goes overseas or the troops go overseas, they rely on locals to get them around. They know the geography, they know the terrain. They know where to watch out and where you'll be best positioned. It's much in that same type of mentality that by getting or deputizing people in the business, in this case in supply chain, they can help us be more successful and in turn, we're helping them secure the business, stay out of the papers. Deliver our products to the consumers that need that product.

Clarke Rodgers (08:33):
And that program, as you've released it, have those business leaders seen the advantages that that brings?

Mike Wagner (08:40):
Oh, absolutely. As security has become more in the mainstream, the business leaders within these units know that their people have connections into our program. And in many cases, we've already spoken to their leaders. So there's a comfort, the wheels are greased already so it's a smoother entry point. They're primed and ready to receive the input that we're giving them, the education that we're giving them.

Clarke Rodgers (09:15):
When you report risk to them, can you describe a little bit about how you do it and how do you make security real for them? Traditionally, I guess, sort of the old school CISOs, the report would be an eye chart of vulnerability matrices and patching programs and things like that that often doesn't resonate with boards. How are you communicating risks to the boards?

Mike Wagner (09:38):
We put it in terms of business risk, impact to the business. Certainly we're working to minimize that impact through the controls that we have in place. We're also talking about our program and how it's evolving and how the capabilities in our program are enabling the business to grow. A lot of people think about security as a defensive play, maybe in the context of like an insurance play.

Clarke Rodgers (10:04):
Sure.

Mike Wagner (10:05):
We look at security from not only a defensive play, but also access. And access is an enabler. I already mentioned access for the consumers, access for our customers, access for our suppliers, certainly our workforce. If we can make access easier, more seamless, we can enable the business to go faster. In our development processes, making sure that security is shifted left and a part of the pipeline as we roll out new releases for technology. These were lessons we learned early on in the game, which has enabled us to be a real partner to the business and one with a lot of credibility.

Clarke Rodgers (10:49):
That's fantastic. So, if we switch gears a little bit, and let's talk about sort of staffing your security program, right? You know, you already talked about your champions program and the OT side of things. Outside of OT, do you have any way that is effectively a force multiplier for your security team inside of your organization?

Mike Wagner (11:10):
Certainly we rely on bringing in folks with software engineering skills. We've hired quite a few military folks. Skills such as understanding software deployment and code are much more important and have been more of a focus recently. Certainly, as we're looking into how can AI help our security program, and how can we cover a global manufacturing footprint with a finite number of employees? So, we're looking forward to exploring more options that AI can provide.

But from the human aspects, I keep tabs on folks that are in the Air Force and in different military forums. We've had programs where we brought in veterans after their tour of duty has ended. Some of these programs allow the veterans to get their college degrees while they're working. So that's been very successful.

For those veterans that are in the company, we have a fantastic benefits program. We're very military friendly in the sense of going out on their two weeks or if they get called up for instance. Certainly making sure the benefits there are good and solid for our veterans.

I hear a lot of times people are having a hard time hiring and that hiring good talent is one of the challenges that CISOs face over the next few years, actually, and have been facing in the past. I often use the analogy, I feel like I'm like a college football coach. I go out and recruit before we even have the jobs open. I'm targeting the talent, making the relationships, getting out to different forums where I know there's going to be good talent.

And in the end, it's the people business. You're shaking hands, you're keeping the connections, you're making a connection with that special person that, ultimately, you're hoping is going to pan out when you need it. And in the case of building the cyber staff for Kenvue, we were fortunate enough to get some very talented folks in from some great companies to make sure that we had our cyber organization staffed very, very efficiently and very, very productive.

Clarke Rodgers (13:50):
That's a fantastic story. Staying on the culture side of things, again, as the CISO role has evolved over time, the CISO and the security department in general has often been looked at as the department of “No.” Right? And our most successful CISO customers today are really looking at the security department as being an enabler and a department of “Yes, but.” Right? So less cop, more coach. How are things at your organization and how has that transition happened over the years?

Mike Wagner (14:29):
We want to be recognized as enablers. We want to make sure that the cyber department is not viewed as just on the defense, but also enabling access. So how have we been able to do that? Really through education. And when we are getting out education and awareness to the business, they have an understanding. Whether it's, “Hey, look what happened to one of our competitors,” or maybe a company that you know, or a third-party logistics provider that may have gotten ransomed. They recognize they don't want to be in that position themselves.

So, through that education, the business has really been very good with us in terms of allowing us to prescribe a good way to go. I'm a firm believer that our relationships with the cloud providers is making our stuff not only more secure, but also allowing the speed in which that technology needs to be deployed, get done a lot faster, better, and cheaper. And business likes that. I mean, if the business sees that we're behind getting the product to our customers at an affordable price, faster, better, cheaper, then they're going to buy in.

Clarke Rodgers (15:52):
That's awesome. So, I appreciate that you don't have a crystal ball, but if we were to have this conversation again in five years, what would we be talking about as some of the greatest challenges and opportunities for CISOs?

Mike Wagner (16:08):
Well, I think it's going to be, in five years, I would say we’d be much more mature and understanding on how these AI robots certainly work to help augment the force that we have. I think education will continue so that the business will be even better equipped in understanding what we're doing. Certainly, we're at the table now. I think that'll continue and mature as maybe not only a technology voice, but also a business voice.

I'm not so sure that the CISO will be in the IT department or under the CIO traditionally. I think there's different places where it could be, but certainly I think it'll be a big contributor and a big part of the business decisions that are made and the different suppliers and customers that we're dealing with.

Clarke Rodgers (17:15):
That's awesome. Mike, thanks so much for joining me today.

Mike Wagner (17:19):
Great. Thanks a lot, Clarke.