
Elevate Credit’s Jessica Nemmers: Listening, learning and best practices

Jessica Nemmers is vice president and chief security officer at Elevate Credit.

Switching jobs in the midst of a global pandemic is already a stressful enterprise. Even more so if the job comes with the responsibility to secure and protect hundreds of employees, their systems and data at a multi-million-dollar enterprise.

That’s the situation Jessica Nemmers, chief security officer for Elevate Credit, found herself in last year. She canvassed her friends and colleagues who had made similar leaps to get advice.

The security team had already fast-tracked their Microsoft Teams deployment, set up VPNs for employees and were busily updating their threat model to account for a (now) mostly stay-at-home workforce.

Impressed with the team’s proactive posture, Nemmers said her first instincts were not to jump in and start putting her stamp on the security program, but rather to learn more about the team, her partners and the IT architecture.

“I spent, actually, the first three months just listening and participating in meetings and asking a lot of questions,” said Nemmers. “I think when a CISO is assuming an intact security program, it’s really important to see what’s working and what’s not before you start making changes, because as complex as security is, one wrong change could be that one time you think ‘I shouldn’t have done that’ and then it could be an entry point for a threat actor.”

Whether she knew it or not, Nemmers was actually following research-backed best practices from companies like Forrester that recommend new incoming CISOs spend their first three months focused on relationship building and learning the lay of the land before making any big decisions or changes.


Elevate’s loans are all processed online, so strong data security practices are essential to keeping the core business up and running. Nemmers’ colleagues credit her with shifting the security team’s focus to risk management, something that has in turn elevated the profile of the team throughout the company and made security more relevant to other business units.

She also pushed to increase the difficulty of internal phishing tests, drawing on her previous background running a global training organization. Many CISOs automatically enroll anyone who fails a phishing test in remediation training, but Nemmers often gives employees at Elevate “a few chances” first, something she said is important to demonstrate to her workforce that the underlying purpose of the tests is not to punish but rather to educate and improve. Her oversight and changes have led to a substantial decrease in the overall “phish-prone” rate of employees.

“I think practice makes perfect, I think making sure that people feel comfortable around why you’re being tested [is important],” said Nemmers. “Something near and dear to my heart is that you never make your employees feel bad about clicking on a phishing link. We realize we’re all very busy, we get a lot of emails every day. So understanding how quickly we’re working, it does happen, but just knowing what to look out for and keeping that in the forefront of your mind is really powerful, and could be a huge defense to most companies.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
