Switching jobs in the midst of a global pandemic is already a stressful enterprise. Even more so if the job comes with the responsibility to secure and protect hundreds of employees, their systems and data at a multi-million-dollar enterprise.

That’s the situation Jessica Nemmers, chief security officer for Elevate Credit, found herself in last year. She canvassed her friends and colleagues who had made similar leaps to get advice.

The security team had already fast-tracked their Microsoft Teams deployment, set up VPNs for employees and were busily updating their threat model to account for a (now) mostly stay-at-home workforce.

Impressed with the team’s proactive posture, Nemmers said her first instincts were not to jump in and start putting her stamp on the security program, but rather to learn more about the team, her partners and the IT architecture.

“I spent, actually, the first three months just listening and participating in meetings and asking a lot of questions,” said Nemmers. “I think when a CISO is assuming an intact security program, it’s really important to see what’s working and what’s not before you start making changes, because as complex as security is, one wrong change could be that one time you think ‘I shouldn’t have done that’ and then it could be an entry point for a threat actor.”

Whether she knew it or not, Nemmers was actually following research-backed best practices from companies like Forrester that recommend new incoming CISOs spend their first three months focused on relationship building and learning the lay of the land before making any big decisions or changes.

Click here for full coverage of the 2021 SC Media Women in IT Security

Elevate’s loans are all processed online, so strong data security practices are essential to keeping the core business up and running. Nemmers colleagues credit her with shifting the security team’s focus to risk management, something that has in turn elevated the profile of the team throughout the company and made security more relevant to other business units.

She also pushed to increase the difficulty on internal phishing tests, drawing on her previous background running a global training organization. Many CISOs automatically enroll anyone who fails a phishing test into remediation training, but Nemmers often gives employees at Elevate “a few chances” first, something she said is important to demonstrate to her workforce that the underlying purpose of the tests is not to punish but rather to educate and improve. Her oversight and changes have lead to a substantial decrease in the overall “phish-prone” rate of employees.

“I think practice makes perfect, I think making sure that people feel comfortable around why you’re being tested [is important], said Nemmers. “Something near and dear to my heart is that you never make your employees feel bad about clicking on a phishing link. We realize we’re all very busy, we get a lot of emails every day. So understanding how quickly we’re working, it does happen, but just knowing what to look out for and keeping that in the forefront of your mind is really powerful, and could be a huge defense to most companies.”