The CISO Transformation
Ann Johnson: Welcome to "Afternoon Cyber Tea," where we speak with some of the biggest security influencers about what is shaping the cyber landscape and what is top of mind for the C-suite and other key security decision-makers. I'm Ann Johnson. And on today's episode of "Afternoon Cyber Tea," I am joined by Marene Allison. Marene is currently an advisory board member for Covenant Technologies, which is a leading IT and cybersecurity staffing firm, and also adviser at Balbix, a leading cybersecurity posture automation platform. Prior to Marene's current roles, she was the vice president and chief information security officer for Johnson & Johnson and has had a magnificent and storied career in the military, in intelligence, in technology and in health and life sciences. Welcome to "Afternoon Cyber Tea," Marene. I am absolutely thrilled to have you on.
Marene Allison: Oh, Ann, it's great to see you. I don't think we've seen each other in almost a year, but - at the last RSA, but good to see you and be here with you.
Ann Johnson: Thank you so much. And hopefully, I'll see you in person soon. You've had this amazing career, right? There's a lot of women that look up to you. I was talking to Lisa Lee on my team that mentioned we were going to have you on the podcast, and she was thrilled because in addition to your advisory roles and your time at J&J, you've spent time at the FBI. You've spent time at A&P. And you spent time at Avaya. But you were also one of the first women to graduate from the United States Military Academy at West Point. And of course, you served as a board member on the Health-ISAC, at ASIS International, and you've had numerous awards. And congratulations on being inducted into the CSO Hall of Fame in 2022. You've had this incredible career, so I'd love to hear more about the journey in your words. How did you find your way to cyber, and why did you decide cyber would be a focal point for you?
Marene Allison: So, Ann, when we started out, there was no such thing as cyber. There wasn't even computer science. It was electrical engineering. Electrical engineering was a brand-new degree. I always loved technology, so at West Point, I leaned into that. But even before I got into West Point, I had a woman who was a sponsor, Margaret Heckler, the congresswoman from Massachusetts, who decided to give me her principal nomination to West Point, versus the Air Force Academy, where I had applied. And I think that was a strong lesson on looking at what your sponsors are suggesting. Don't fight it. You know, sometimes, you don't understand it. And I've had a number along the way that have helped to guide my career. The other thing is that there's a lot of lemons, and instead of trying to - it's sour, and it's awful and whatever, every lemon I'm handed, I'm turning it into something sweet with lemonade and spreading it out and making it better. That's what we need to do in our industry. The other thing is that we have to sponsor and look after our talent and grow our talent. And that's very important. You know, no matter if someone tells me, no, you can't do something, first thing I'm going to do is run in there and get her done, and that's the way we have to look at it. I can't be defined by what other people think I can do. I can only be defined by what I know I can do.
Ann Johnson: I love the you can only be defined by what you know you can do, right? And you're not going to try to be defined by the different cliches we may have in the industry because I think as I look at your career, from the military to the FBI to the private sector, you've really carved out your own path in a place that was really hard. Can you just talk a little bit about that, about the obstacles you faced and just how your attitude just overcame them?
Marene Allison: Well, at West Point, they had never had women attend, so being in the first class, everything we did physically or mentally, military, there was no history of women being able to do it. And even something called the enduro run that they have so you can get a badge for your military skills in your second summer there, they said, well, a woman never has done this. Women can't do it. And my partner and I - we just said, OK, we're going to do this because we're both going to pass. And we went, and we did it. And that's where people will tell you, oh, you can't because you're a girl, or you can't. And what I find is that, hey, I have to push myself to my limits. And 9 times out of 10, I can do it, and I get it done. And then if I can't get it done, I'll come back and do it again till I get it done. And things like airborne school or driving a tank or doing undercover drug operations - there's no manual for things like that in the FBI of how to do undercover drug operations. You have to learn and adapt and be resilient to your situation.
Ann Johnson: I think that's the - resilience, tenacity, perseverance. Most people that I interview on the show who have had long and successful careers - those are the words they use, right? You just have to be persistent. You have to be resilient. You have to be tenacious. And you can't let obstacles get in your way. I love it. I just absolutely love it. And you've also, throughout your career, had the opportunity to see all of these different paradigm shifts. Like you said, there was no computer science. It was electrical engineering, right? So you've seen shifts in technology. Mobile cloud - I tell my - I have a 21-year-old, and I tell her regularly that I have more computing power in my phone than I ever had in a computer at my desk at work for the first 10 to 20 years, literally. And now we're working from anywhere. And all of these things have changed the cyber world, right? Just this phone that I can do my work on. What excites you about the technology we have today and the promise of the technology today? And on the flip side of that, what do you worry about? What do you think the criminals can do based on the technology we have, we are leveraging today?
Marene Allison: I have seen technology change all the way from RACF and mainframe computing and no internet to internet, Voice Over IP, and it would be very easy for OSINT security to worry about all the gremlins that are going to be there. I think we have to understand how the gremlins might attack the technology, but if we were to do that, we'd still have rotary phones, and we'd have no connected computer devices. And we can't. We have to lean into the future and especially as data and AI and ML become the way of the universe. But think of what can happen. A doctor can read - I think I saw 80,000 articles in their entire life, but can you imagine what a computer can read and all the data it can pull forward?
Marene Allison: So as we're trying to solve disease states, you're going to have to have this huge computing power that's going to be able to look at all this data and look at correlations like humans can never look at correlations. Yes, maybe with 5G or quantum computing, it's, oh, somebody is going to crack encryption codes. Yeah, they will. It just is going to happen. Let's plan for it, and let's move to the future where we can overcome that because when you can use quantum for bad, you will also use it for good in security and in health care and banking. All the different areas are going to help us, as well as create a potential risk. But we've lived our entire lives, and for centuries, that's how people have lived. You see the new risk and you move through it to protect, and that's what we do as cyber professionals. We get to come up with all the solutions now.
Ann Johnson: I think that that's a really good way to look at it because you can have a perfectly, as you know, secure environment, and nothing will get done because no one can get into your environment. No one can get out of your environment, right? We have to realize that security drives productivity, and the future is coming whether we want it or not, so we need to figure out a way to secure the future rather than worry about the technology that's coming down the line. I know the joke in security is they pay us to be paranoid, and that's fine, but that paranoia should lead to constructive conversations and constructive solutions, not ways to block business from happening.
Marene Allison: Correct. It's ways for us to lean into the new technology. I was working at Avaya when they started using Voice Over IP, and my job was to run the security operations center at the World Cup in Korea and Japan. Daunting. There were no technologies to detect and protect, and it was kind of we were out there on our own. Scanning by friendly governments and adversarial governments occurred, but it was, how do we keep the network up and running and to create that first use of Voice Over IP? Which then has led to, you know, what we see today, that small computing device in your hand called a cell phone that has more power than any mainframe computer that was out there in the '60s and '70s. And so you have to lean into it and also then look at, what are we going to do to make sure that we can still operate in our environment securely?
Ann Johnson: I love that attitude, and it also goes to the question I want to ask you about, what does it take to be a CSO today? There are some folks that feel like being a CSO, you need to be deeply technical. There's other folks that believe you need to be a really great businessperson, but what are the requirements? What does it take today to be a CSO, to talk to the board, to talk to regulators, to even be external and talk to customers or partners?
Marene Allison: Yeah, you know, we grew out of being security engineers, and so a lot of us that are at the senior levels of the CSO ranks - we started out as security engineers, but the ones that have risen into the large company CSOs, it's because they understand the business they're in. And, you know, for a while there, CSOs were - 18 months was as long in the CSO suite. All of my engagements have been - I had one for three years - but for the most part, 10-year engagements. And the reason is understanding the business and what it's doing and why it's doing it. And it's also understanding regulatory. You have to be a Jill of all trades. It can't be one thing. And the folks that are very IT security, engineer-focused also have to understand that we're the department of yes, and here's how, not the department of no. And that's where the CSOs become enablers of their business so that they can lean in.
Marene Allison: I'll go over to that Voice Over IP example with Avaya. I wouldn't have gotten very far if I had told them, no, you can't use this new technology in the World Cup, versus OK, this is going to be interesting. Now let's figure out what we need to do to secure an operational environment that's going to be seen by the world. And then once we got to those parameters and had the resiliency necessary, we had a great outcome. And then off went Voice Over IP in a new direction. And I think that's where the CSO has got to be the - understand technology. They no longer - you know, as soon as you get your hands off the keyboard for six months, you're irrelevant in this space, but you still have to understand it. And then you also have to understand the business like the business folks, understand the risk environment, be able to collaborate even when people are not 100% buying the security mission. We become salespeople of why it means something for that company that you're in and help them to be the best company they can be.
Ann Johnson: I love that because if you do that, you're going to get brought in earlier, right? A lot of our cyber problems are because people are afraid of the security org, so they bring them in really late, and then you're playing catch-up and trying to solve for something rather than being part of the planning process on the front end.
Marene Allison: Right. I mean, as I tell people, bad news early is good news, right? If - hey, let's talk about what it takes, and then we can talk about risk. And the other thing is to be reasonable. Do you need to protect it to this nth degree if it doesn't have the type of data that would cause a risk for your organization? You don't have to do that on day one. What's the sliding scale of moving up the security posture? J&J went into the cloud. We went into the cloud very early, you know, over eight years ago. And there were not the secure technologies that there are today to help us. Even the big companies like a Microsoft or a Cisco didn't have the products, and we had to wait for a little bit of the catch-up. But the risk of not moving was greater than the risk of moving and then protecting the environment in a way that made sense. And that's where you really - you have to know your environment and the technology very, very well so that you can help your company the way it's supposed to.
Ann Johnson: With that framing, what would you tell folks that are trying to be a CSO, either a new CSO or someone that aspires to be a CSO? What advice would you give them? What skills do they need? What experiences must they have? What do they need to be thinking about, you know, for the role over the next 10 years?
Marene Allison: I really think the role of the CSO depends upon the company you're in, and the large multinational CSOs are a much different role than, say, some of the smaller one-product companies or smaller, flatter companies. And it's really, which one of the roles do you need? One of the areas that I do find that I think helped me is when I went and started at A&P Foods, I reported to the head of internal audit for five, six years, and that was probably one of the best experiences because I understood what audit was doing, things like assessment, the regulations - it was at the time that the SOX requirements, the Sarbanes-Oxley requirements were coming in - understood something called IT controls and what the tests were. And as we see the rise of things like privacy laws and cybersecurity frameworks around the world, the more and more you grow into a larger company, the more and more understanding - I think there's, like, over 50 or 60 different frameworks out there - with the controls, and how they apply to your company becomes very, very important. Also, for CISOs, we're good. We can skip from food retailing to telecommunications to health care because if we understand the areas that are important to those - so you have to understand your industry and what applies and what doesn't apply to that industry. And that comes - for me, my last two engagements, my longest engagements, the last 18 years of my life were in health care. So I got a very good understanding of health care, versus somebody in banking. Not that you can't do it early on, but you should look at, OK, my industry, and what does that mean? Because that'll be very important to your success.
Ann Johnson: I wonder if we - the burden that's being placed on CSOs right now and the potential regulatory fines, the potential personal liability, criminal prosecution - do you think that we're going to be more challenged in filling CSOs' roles? It's already a big challenge today, but do you see people or hear, anecdotally, people you've talked to moving away from that industry and desire?
Marene Allison: Probably not. And what I mean by that is people always want to rise to the top - and if the CSO role is at the top. What I do think will happen, Ann, is that we'll likely see some protections put in. So if you look in, like, the HIPAA security rule around health care, it has a provision for the - naming someone as the security official and also the protections around that - so if you disclose information timely that you can't be sued later on because you did that. Now, I mean, let's look at what the SEC is requiring disclosure. HIPAA requires disclosure, privacy laws, disclosure of a breach or an incident. What I think for the CSO is going to get very, very confusing, and so get friendly with the lawyers. You're going to spend a lot of time with the lawyers. And one of the things that I'm happy with is in all the companies that I worked in, I was very good friends with lawyers and, in the last couple of years, bringing in cybersecurity-specific lawyers to help with the complications of some of the laws because they actually compete against each other in some areas, what you report or don't report. And so to be able to have the legal backing of your company becomes - will become very, very important. You know, you asked something, and I just thought of it, and I wanted to get this point out. I saw more people in the CSO roles that said, I'm out after NotPetya, than I have because of this increase of legislation and regulation.
Ann Johnson: Yeah, I actually think that stress drives more people out of the industry than legislation or regulation because - and to your point, I think people are - A, there are protections, but also, people are getting closer to their lawyers, to the folks that are going to protect them, to their boards. I see more CSOs maturing through that process, and the stress of things like NotPetya or WannaCry or SolarWinds - I've had several people say it's just not worth it, right? Or I need a couple-year break.
Marene Allison: Right. I mean, you know, I know with NotPetya - and we had been dealing with some malware, the Kwampirs virus. We were actually patient zero for the Kwampirs virus, and we saw it with Ukraine, and Russia and something was going on. And when NotPetya happened, I truly believed I could dig the moat deeper and I could put the wall higher and I was good, and NotPetya just changed that dynamic. And it took me about 30, 60 days to go, oh, it's about cyber resiliency - and to completely change the strategy of the - you know, I was going to be able to detect and protect, and we'd all be good, to, oh, yeah, maybe I won't. Let me make sure we're resilient and then go with my supply chain to kind of pivot that strategy into a business strategy and make sure that my business understood the risks to their business.
Ann Johnson: You know, we could dedicate a whole episode to supply chain, not just cyber, but we've seen over the past few years of the pandemic how not resilient the global supply chain is - right? - with shipping delays, with manufacturing delays, with factories being closed down, with this globalization that we had, and then you have the cyber risk on top of that. Given the business you were in, I mean, from a supply chain standpoint, I just want to ask one quick question of you. What do you think - and there's probably not an answer, but I'm going to ask it that way anyway - what is the single most important thing a CSO could do to protect their supply chain today?
Marene Allison: It's to have their business understand that the supply chain - when you outsource to a third party, you have not outsourced the management and the quality of that product. You still have to be responsible. And it's not that the CSO can own all the cybersecurity, and we're good. No, it really is the education and training of your procurement team, as well as your business team in the supply chain that brings those products in, to understand. And then again, also the resiliency because you can't have a single source of supply for something in this day and age, not only because of weather-related but also because of cyber-related, is somebody going to come after them? And as we all know, whether it's a SOC 1 or a SOC 2 or NIS standards or HIPAA or you name it, you can have everybody be certified in something, but it comes down to operations. And there's so many details in the operations. No matter how good a framework is, you cannot be 100% sure.
Ann Johnson: I like the you can't outsource the quality of your product, and it doesn't matter what your product is. So I think that's a really good framing. And if you start from that paradigm, a lot of stuff will flow downhill from there - right? - about how you think about how you actually build the product.
Marene Allison: Correct. If the product is getting your name on it, then you're responsible for how it's manufactured and its supply chain. And there is no, hey, you know, I hired a third party. No, it's your brand on the front page. You need to - you own it.
Ann Johnson: So we don't have a lot of time left, and I want to thank you. Your insights are always invaluable. We like to be a positive and optimistic podcast, not talking about the doom and gloom of cyber, and I'm always inspired about the future. I tell people the reason I get up every day is because I believe that we can stay one step ahead of the, you know, the bad actors and the attackers. But why are you optimistic about the future of cyber? What would you send off our audience with?
Marene Allison: You know, I'm so optimistic because of the people coming up in the industry. I came in with an electrical engineering degree. There was no cyber. And if I can do it, then what can you imagine that the individuals that are in college today or technical school today or military are going to bring to the table in 20 years? And so I love the talent that's out there and growing this talent and seeing where they're going to go, and I truly believe in it. And, you know, as a gray-haired, you know, moves on to an advisory role, I'm just excited about this exuberance and intellectual capacity of the next generations coming after us. So I'm excited about that, Ann.
Ann Johnson: Well, thank you so much for joining me today. It's always a pleasure to talk to you, and I loved having your insights on the show.
Marene Allison: All right. Thank you, Ann. It's been a pleasure. Have a great day.
Ann Johnson: And many thanks to our audience for listening. Join us next time on "Afternoon Cyber Tea."
Ann Johnson: I invited Marene Allison to join me on "Afternoon Cyber Tea" because she's just this human dynamo of a woman who is incredibly inspirational to so many women in the industry, as one of the first female graduates of West Point. She was at the FBI. She spent many years in life sciences, as a CSO at J&J. And she just has this amazing perspective but also this tenacity and perseverance. And a lot of folks can learn from her resilience and how she's run her career. So it was a wonderful conversation. I'm sure you'll enjoy it.