Susan Jackson Email and Phone Number

• Responsible for standing up and implementing Software Security, Cloud Security, and DevSecOps as part of the digital transformation and in alignment with NIST CSF and CSA frameworks. Delivered security controls embedded in the CI/CD pipeline with security automation, gating, and guardrails. Developed a comprehensive internal strategy and roadmap for the delivery of static code analysis, source code analysis, container security, API security, and infrastructure as code. Developed a bug bounty program and a vulnerability disclosure program. Led an enterprise tool rollout and training program for developers. Instituted OKRs, key risk indicators, and key performance indicators to tack success of the portfolio. Developed a strategy for implementing a software bill of materials (SBOM). • Accelerated the delivery of security within the IaaS and PaaS frameworks for AWS and Azure. Moving from established detective controls to preventative controls utilizing guardrails and templates. Established a security permit to operate gate process to improve technical debt for applications migrating to the cloud with a focus on container security with Kubernetes. Set the mission and vision of the organization's cloud security program, procedures, policies, and standards to foster a business-oriented culture leading a team of engineers delivering security architecture, identity and access management, network security, data security, configuration management, vulnerability management, and security operations of the cloud environments. • Responsible for virtual distributed team management of 17 employees (8 direct reports) motivating people, foster accountability, high trust, phycological safety and value of security risk management.

Led the cloud security strategy for enterprise migration to a hybrid cloud environment with three lines of business all with different set of requirements. Partnered with the cloud enablement leadership to deliver a comprehensive secure from start strategy. Served as the cloud security architect subject matter expert and as the Software Security Group subject matter expert. Designed the application security migration strategy. Driving the cloud security strategy for software defined networking, infrastructure as code, and software defined infrastructure. Responsible for evaluating the top public cloud providers against CVS Health cloud strategy. Led a special working group reporting to the Deputy CISO to accelerate cloud friendly security controls. In the first 30 days, security established relationships within the cloud organization to ensure roadmaps and strategy were aligned. Facilitated communication and learning sessions for control owners and subject matter experts to deep dive into each area. Built the cloud delivery acceleration program. Responsible for designing a technical cloud security program to meet and mature NIST Cloud Security Framework audits. Results briefed to the CVS Health Board of Directors. Responsible for organizing and responding to internal and external cloud security audits. Software Security Subject Matter Expert expanding a world class software security program to CVS. This includes establishing security mavens, static code analysis, and identifying opportunities where application teams can utilize additional tools to shift code analysis to the left in the lifecycle. Provided confidence and leadership to project teams in cross-functional environments and efforts. Responsible for budgeting, forecasting, and business case analysis for projects, programs, and the software security team. Led the 2020 PCI Penetration Testing effort for the combined companies. This was the first time Aetna and CVS attested together.