Marene Allison: In cyber everything changes every six months, and there's a new lens and there's a whole new set of new technologies that are going to be out there. And as CISO I got to take the new threat, my IT environment that doesn't change as rapidly as security environment does, and then wrap it again and look at what works. I think we have an awesome job because we get all these new technologies. We get to look at all the different ways an adversary is going to come after us. And then look at how we're going to secure it.
Speaker 2: Hello and welcome to Security Visionaries, hosted by Jason Clark, CISO at Netskope. You just heard from today's guest, Marene Allison, Chief Information Security Officer at Johnson & Johnson. At 17 years old Marene took an oath at the US Military Academy at West Point to defend her country against all enemies, foreign and domestic. Today, Marene is upholding another oath to protect her company from invaders trying to steal their data. In the evolving world of cyber security, threats can come at every turn. As security leaders, it's our duty to translate those threats into actionable information for executives. And with a talented team, you'll always be prepared to protect your company from attack. Before we dive into Marene's interview, here's a brief word from our sponsor.
Speaker 3: The Security Visionaries Podcast is powered by the team at Netskope. Netskope is the SASE leader, offering everything you need to provide a fast data centric and cloud smart user experience at the speed of business today. Learn more at N-E-T-S-K-O-P-E.com.
Speaker 2: Without further ado, please enjoy episode 10 of Security Visionaries with Marene Allison, CISO at Johnson & Johnson and your host, Jason Clark.
Jason Clark: Welcome to Security Visionaries. I'm your host, Jason Clark. And today I am joined by an amazing colleague Marene Allison. Marene, how are you doing?
Marene Allison: I'm doing great Jason, thank you for having me. This is a great program.
Jason Clark: Thank you. I'm excited to bring out some of the things that I think that the community will be really interested in about you. You've got a really amazing background. I'm actually jealous of your background, to be honest. I wish I went to West Point. I wish I joined the FBI. And you gone that unique path of yours. I went in the army, but that's a big difference than going to West Point, which many of my family members have been at. So maybe we can start by talking about you being the first class of women to graduate from West Point, and what that still means to you today.
Marene Allison: Yeah, actually I never wanted to go to West Point. I wanted to go to the Air Force Academy. And probably the first person even before we knew the word sponsor that sponsored me and helped me with direction in my life was Margaret Heckler, Congresswoman from Massachusett. She gave me her principal nomination to West Point. And I went sight unseen, never seen the place, walk in and walk out four years later, commissioned as a second lieutenant. And yeah, it was life defining. I'm from Massachusetts, so the idea that women can't do anything that a man can do, and some of those preconceived, I guess the 70s view of the world. I didn't know what that was. And I walked into this environment and I did well, obviously I graduated and I got commissioned in the military police, but that's where I went for electrical engineering. Of course, in the olden days back then we didn't have computer science and we didn't have cybersecurity degrees. So I took electrical engineering and that became my major at West Point and certainly made all the difference, right? It's been huge. I'm president of West Point Women today and represent the over 6,000 women and West Point grads and all that's been accomplished.
Jason Clark: Wow, that's unbelievable. So if you tell us a little bit about that transition into cyber and then that path.
Marene Allison: Well, as I said. I got commissioned as a second lieutenant into the military police, and then I left. What I would say is my second sponsor in my life was General Sam Wetzel, who was on the board of director of a A&P Foods. And he and another female board member were looking for a head of security for A&P female West Point graduate in law enforcement, and that was me. I was the one as an FBI agent in Newark. And then transitioned over into the corporate security, physical security. And then after I left A&P after about 10 years, I went to a via telecommunications. And I was the physical security, global security person in six weeks there. They said to me, "Hey Marene, our head of IT security is leaving. And... Oh, by the way, we are doing the World Cup, the first time we've ever used voice over IP in production. And we need somebody to run our security operation center." Hey, I'm your woman. I'm there. I'm going to do that. And so that was my transition from not being able to spell IT, to running the sock for the World Cup in 2002.
Jason Clark: So, and then you are now right at the J&J or Johnson & Johnson CISO, which you've been there since 2010. So when we think about what things looked like in 2010, versus the state of security in general, the industry today. How would you talk about those differences over the last 11 years?
Marene Allison: So when you look at 2010, we were a client server. People were just starting their big toes. Bezos could only afford a dinging, not a $540 million yacht, and Amazon wasn't making any money. So we were a client server and our networks were the perimeter, not the internet like it is today, not as we are in the digital world. I was over at Medco, a company called Medco, it's no longer in existence. The pharmacy benefit. We had a client website that had data of 65 million Americans on that website. And 2005, putting in HIPAA, Sarbanes–Oxley, and PCI all at the same time to make sure the data was secured. And it gave us a certain level. I use the term, I even use it today is staying ahead of the bear, right? And you're slightly ahead of the bear, but you wanted somebody behind you, but you didn't want to be too far ahead because you were spending too much money in the space. And so it made a huge difference, but it also changed the way we did IT security because of some of those frameworks, it was great. And [inaudible 00:07:03] in there and then NISS came out, and ISO 27001. But they were all just frameworks to help CISO's get better at the craft.
Jason Clark: So we'll talk a little bit more about that, because I think there's been a lot of change in a last 11 years. But I think even right now the amount of change is pretty significant when we sit down and think about where things are going, but just even taking the last two years, which challenging for everybody. But when I think about your shoes, you're coming out with one of the first vaccines and then also dealing with a spit off. Would you say that the acquisitions 10 years ago used to be a lot harder technology wise because you'd want to light up a new lease line or you'd send one of dropship new equipment and we need to get it into South Africa and to Brazil and to Russia, that's a six month project by itself just even get the hardware there versus now in a cloud world you can get things up a lot faster. You can deliver the software, right? To be able to make that happen. Do you think that it's gotten a lot easier from a security standpoint to do acquisitions in the last 10 years?
Marene Allison: Just in general, during acquisitions and divestitures now is a lot easier. If you remember, how long did it take us 10 years ago to set up a server? And then get it all configured and pass through everybody. That was months, days. It certainly wasn't hours, right? The cloud vendors actually helped us change, even if you're doing it internally, they helped because if we were going to be viable, a business value in IT, we had to change how we do things and we had to become automated, right? And so Hey, if I can get a server from a cloud vendor in a few minutes and it takes me three months to do it internally, guess where you're going to go? And so what's happened is just the change to the cloud. And certainly being able to pivot and taking everything and being able to move it to a cloud environment certainly makes it far easier even than putting it on client server if you're doing an internally, no matter how fast it is.
Jason Clark: So think about your amazing background in history. What was one of your greatest learning experiences in cyber specific?
Marene Allison: I think probably a really defining moment for me was in June, 2016 with notPetya. I think for us as CISO's, oh, I can defend against that. Bigger modes, bigger firewalls. I can do this and I'm okay. I'll get more detection and protection will be good. Will be good. When notPetya occurred, it was the realization that you need cyber resilience. If you don't have cyber resilience, you are not going to survive in the new threat environment. And I know I have some very good friends who at the time just said, "Marene, I'm punching out, I'm gone. I'm leaving cyber. I'm going to go back in a venture capital. I'm going to do some other thing," because the CISO having to understand where a company needed to go in the thinking of a company around cyber. And in resiliency is not wholly in the heart of the CISO's realm. It really is the company, right? And we saw then again with the rise of ransomware. Very few CISO's I know were doing backups and restores, but it all became around how you configure your backup and restore, and are you high in availability. And how ransomware comes in and propagates against an environment and the adversary, looking at those things that we did for efficiency, all that automation and dual redundancy, and automated backups also can be your achilles heel in a ransomware event. And so that's where I think for me was that notPetya event was that moment of like, "Okay, now what do we do? And then how do we go forward?" It was less IT security and more information security risk management and cyber resiliency.
Jason Clark: You just hit a number of really important points there, which I want to pull out, which is... We'll start, the first one is the CISO job, it's a very complicated and difficult job because of one, just the stress level of it, is going to happen. You're going to have an event that's going to cause you to miss family vacations or family Christmases, or your best friend's wedding, right? That happens to everyone. So you've got the balance of these stressful moments and how you're managing that combined with trying to not create friction of the business, but needing some level of friction so that there is a little bit of controls in place, maybe speak to your views on what makes the CISO job so stressful. Most CISO's I know after they've done CISO job three times, they say, "Okay, I think maybe I have one more time or I need to go to a smaller company, or I need to jump over to something else. But I just can't go this hard again," right? What do you think does that mean?
Marene Allison: Except for me, Jason. Except for me, right?
Jason Clark: I think living in Florida, right? Maybe it helps you relax a little bit more.
Marene Allison: And I would say that there's a couple of types of CISO's. There are the CISO's that are working a true IT security mission, it's around protecting the IT. And then there are CISO's that really are business executives. IT security is just one small piece of what they do. And then they have cyber risk. They're looking at things like the IT control for Sarbanes–Oxley. And that is a much different role because you're translating all the time. What I know about what's going on versus trying to translate that to the senior executives, it's a fine art. It's absolutely a fine art that we have to do. And having teams of very talented folks that either have government service, technical acumen, business acumen, and bringing that together is a very, very important versus having just an organization, which is primarily security engineers. And the game changed, right? It's... We're all going to board of directors now and talking about cyber risk and operational metrics and do the individuals you were talking to truly understand where a CISO is coming from. And I think that game has changed and being able to articulate it in a manner that makes sense. I raised my hand when I was 17 years old at West Point to defend our country against all enemies, foreign and domestic. And I can tell you even years later, and I won't tell you how many years later. I could still raise my hand and say, "I defend my company against all intruders in those trying to steal or deface our data."
Jason Clark: That's what's amazing about our mission. We're really just getting started. The problem is getting harder and we're going to continue to grow as security, which I do want to talk about a little bit. I think that your answer was perfect on... I think the stress is they're being stretched in one way technically, but they're also being stretched in another way from a business risk standpoint and resiliency. And not everybody can manage both of those at the same time. And that's where people potentially fall down, right? Or the organization around the business supportive, maybe they have a boss that's not supportive of that, right? See you can have a CIO who's not supportive of you sitting and spending once a month with the board, and they've met with the board. You see that happen all the time, or you have somebody say to you... and I've seen this way too many times, "Hey, I need you to sign off on this risk." And well, yeah, I can't do that, it's a massive risk. Well, why don't you sign it? And they're like, "Well, no, that's your job." And then you get the, "If you don't sign it, then maybe you should walk out the door and we'll find somebody else that will sign it," right? You end up with that kind of stress as well.
Marene Allison: I've actually had that occur, not at J&J but at a previous company where the individual didn't have dual redundancy for their call center. And I brought it up as a business continuity of risk. And the president of that business unit needed to sign off and she didn't want to do that. So I said, "Okay, I'm just going to write the memo here that you refused to sign off on it, is that okay?" Yep. That's okay. And then a year and a half later, floods took out the one data link to the call center, and we both got taken to the CEO's office and asked the question. And I said, "Well, here's where the signoff wasn't needed, even though it was reported as being necessary." And I got to leave the office.
Jason Clark: Love it. Yeah.
Marene Allison: Yeah. It's that accountability and IT is mysterious, isn't it, Jason? You know who's doing what. But I think on the IT side, the IT world to me it would be boring, right? In cyber everything changes every six months, and there's a new lens and there's a whole new set of new technologies that are going to be out there. And as CISO I got to take the new threat, my IT environment that doesn't change as rapidly as security environment does, and then wrap it again and look at what works. I think we have an awesome job because we get all these new technologies. We get to look at all the different ways an adversary is going to come after us. And then look at how we're going to secure it.
Jason Clark: I think it's the only place in technology where you have an adversary who is constantly pushing and innovating, right? There is no other space in tech where you... that has a direct adversary, right? That is constantly coming after you. And so you combine that with the fact that you the business is moving, and you need to be moving at the speed at business at the same time. So you have these two massive forces that are pushing on you in actually opposite directions, right?
Marene Allison: Right. And then we also have the regulatory environment, anybody doing work with a China cybersecurity law and the China data localization, same thing with Russia localization. We continually have to wrap the environment in a different way, so the business can continue to operate in the environments they're in without as much friction as we probably would want, if we were all just IT security.
Jason Clark: So what percent of your time is, A doing... let's call it the geeky year part of IT security, versus regulators, versus the business from a G&A, finance, legal HR aspect?
Marene Allison: I would probably say 10 to 15% is the geeky stuff. And to be honest with you, my team probably would wish that it was further out even from 10 to 15%, because I look and find things and talk about it and see how it could work. And then...
Jason Clark: Well, it's fun too.
Marene Allison: Yeah. It's fun. It's really fun, right? And I always like to look at, "Well, what are we going to do now?" Right? So they love those challenges I'm sure. If you interview them they'll say something different I'm sure. The business part of it is probably 20, 25%. So what are we? 35, 40%. And then dealing with what the IT controls are, no matter which regulation it is, whether it's a privacy regulations, a Sarbanes–Oxley missed HIPAA is the most of the rest of the time, because I'm literally having to work with other areas of the business from an assessment or an audit or a third party regulator. What does good look like?
Jason Clark: That 50% doesn't sound as fun.
Marene Allison: It is interesting. I was just... We had some of our auditors getting into the cyber space. And what framework are you using to do the assessment? And because it's an opportunity to play coach. I love IT auditors, right? I love them because what I see is somebody who's going to work in my department one day, or work in cyber one day. And so look looking at those IT auditors and then challenging and questioning and asking, why are we looking at this? That provides me that opportunity to coach and I love coaching.
Jason Clark: What is your favorite domain in cyber?
Marene Allison: What is my... Forensics. Computer forensics. Yeah, my poor sock, the people who run my sock and the senior director on that side, they know that I can jump in half a heartbeat. I'll ask a million questions, why are we doing this? Should we be doing that? And then I'll tie it back into the technology, some random event that occurred three years ago I'll remember. And then they love that. They love that a lot.
Jason Clark: I'm sure they do. But... So, lets come back into... We started going down into innovation and I wanted to touch on in the last few minutes here. So, there's a lot of change happening. Where are the areas that you think need the most innovation technically, right? As we look at cyber security, it could be just security in the cloud. It could be data security. It could be SIMS. It could be the perimeter of converging to SASE and SSE but API security, just all the above. Curious, just your view of where innovation is needed. If you were talking to a hundred amazing CTOs and entrepreneurs and you're like, "Go build this. These are the things we need." What would you say?
Marene Allison: The S-form of applications, us having to manage every line of code in an application is not going to be sustainable. We need CTOs and technology that can containerize those applications and move them out of the vulnerable state that they're in today. I was not as a new... like, Okay, the application security piece is big but until Log4j, because Log4j is in applications and it's in servers and it's everywhere. And Hey, I love it when you can patch. But a lot of the code can't be patched because of what it's doing and where it's at. So it's going to have to have some type of containerized. The other piece of this is data, right? There's the physical things. And even today I call the application itself, it's a physical contained space or the server, or the cloud or the network. Those are all physical things that get to have our expertise on them to secure. But data, data's going everywhere. It's going to permeate everywhere. 5G, the data that's coming off of sensors, a ring on your finger's going to talk to your watch, it's going to send stuff to your doctor. Please don't send it to somebody who's trying to sell me a weight loss program, right? All of these things are going to become very, very important. And are we prepared? Do we know where data goes? We continue to try to manage data by where it sits or the pipes it goes on. How do we manage data itself?
Jason Clark: Everywhere. And how do the security controls follow the data essentially? Which I would call Security Nirvana, that's what we need. And what's funny is 90 something percent of security conversations doesn't talk about data. They talk about threats and vulnerabilities, and likelihood, and audit, and compliance and all that stuff. And the reality is it's in the end, grand strategy security is protect the data. But there's resiliency there for sure, right? There's up time, but most is data. You don't find... Most the conversations are actually most the tech around it, other than...
Marene Allison: Right. Exactly. It's a container. It's the container that it moves through. It's the container it sits in. But we don't talk about it. And then what do we need to do with it? And then that gets into... One of my favorite topics around Zero Trust and access, and who's touched the data. And all of those things because come very, very important. And where will the technology take us and how will we protect it for the future?
Jason Clark: Most people I talk to view Zero Trust and definitely at most the vendors. They view it as binary, trust is binary. So you either have access or you don't have access. I'm like, "No, you're not just allowed in my house or not allowed of my house. You... I might let you in my house, but as soon as I see bad behavior out, or I won't let you of my safe." And we just need to be thinking about things that there's a leveling of access. And that constantly is evaluated based off of many risk factors. And I think that's where we need to get to, where there is a little bit of, we can trust more, right? There are instances where you can give people a little bit of benefit of the doubt for a second, if they... let's say type one sentence. Type the one sentence reason you need this data. And 99% of people will say, "No, nevermind. I'm backing out." 1% will type the reason. It's logged now. And it was one record, right? Versus saying, "Just no. And go file a request for the security team," right? And so it's a very different, I think engagement level where you can have Zero Trust be automated and built in.
Marene Allison: But you know what? We should also be asking, "So where we're going to put the data?" Right? And can you imagine a world. This is where I like to ideate where, "Oh, your put is you're going to download it to what? SharePoint, a database and you knew what it was." And the data knew if it didn't go there, it told you, "Hey, the developer put it in the wrong place, right? Come find me. Mom, come get me," right? Can you imagine that world. We'll get there. We'll have data that looks like that at some point, but it will take a while. But that will help the security industry. Look at encryption, right? Encryption was... it's Zero Trust. I don't trust you unless I give you the keys. But if I give you the keys, you have access to everything, right? And-
Jason Clark: Yeah. So, that's on or off, right? That's the problem.
Marene Allison: Yeah. That's not a great model because now they put the keys in weird places, right?
Jason Clark: Mm-hmm (affirmative). Exactly. Complete on or off binary.
Marene Allison: On, off. Right?
Jason Clark: That's it.
Marene Allison: And you're right. And it may be just on dependent time. It's like user behavior analytics or contextual access, right? And we saw a lot of this when, Oh, your two factor authentication. If you're on the J&J network, and you have access and you're single sign on to J&J and you're on VPN, you can have access to this. But if you're off network and you come in, then you need to do another two factor, right? And that's just contextual, right? Or if you're in a certain place or you're not in an IP address that's... Can you imagine where all Starbucks salons will be deemed as secure or not secure.
Jason Clark: And I think that this world of moving everything out of our data center, and it either being in the cloud or in SaaS or on our devices allows us this. It pushes us to have to have this kind of... what I like to say is the perfect reset of security. It allows us to go and say, "Okay, everything talks to everything. Everything's an API now. And let's automate this stuff in a much better way." So we're rebuilding security in the last few years and we have much more work to do, but I feel like we started doing that.
Marene Allison: Yeah. And even imagine, because the third party risk and they've talked of supply chain risks. They've talked about these risks. Can you imagine if your data had the ability to call you if it was not being handled correctly?
Jason Clark: Yeah.
Marene Allison: Can you imagine what those conversations... Probably 10, 15 years from now, but can you imagine CISO to CISO, "Hey, excuse me. My data called me and it said you're abusing it."
Jason Clark: Yep. It's not where it should be.
Marene Allison: [crosstalk 00:29:16] unauthorized access and I want to talk to you about that. Or it went to the internet, it was not supposed to go there.
Jason Clark: Why is my data setting in China that I gave you as my third party, right? Yeah. It's calling home. Yeah.
Marene Allison: Exactly. Can you imagine that though? Yeah and then some of the problems that CISO's deal with today, data loss, data exposure, data protection, third party risk. They will have a different dimension that they do today. And that's what's exciting about our job, right?
Jason Clark: So it's like intelligent data.
Marene Allison: Intelligent data.
Jason Clark: That knows whether it's being used properly and safely. So one last question for you, just more on a personal level, what's a hobby that you love to do outside of cyber or two?
Marene Allison: Yeah. I have three horses on a farm in North Florida, and my husband and I raise organic blueberries commercially.
Jason Clark: Wow. On that same farm?
Marene Allison: On that same farm. It's over 200 acres, so there's plenty of room. And we have about 50 acres or so of organic blueberries.
Jason Clark: How much time do you spend on the farm versus your...
Marene Allison: One might consider the farm the main house, because once one has a farm, there's very little other stuff you do. I work from home from both places and head up to Jersey to go to the office about once a month.
Jason Clark: That's awesome. Well, thank you. This has been an amazing session and I know that the listeners will have very much enjoyed this conversation, where we covered a lot of topics and it's been fun. So thank you so much Marene, and always a pleasure talking to you. And...
Marene Allison: It's a pleasure being here, Jason. And anytime we can have a conversation is a great day for me. Thank you.
Speaker 3: The Security Visionaries Podcast is powered by the team at Netskope. Looking for the right cloud security platform to enable your digital transformation journey? The Netskope Security Cloud helps you safely and quickly connect users directly to the internet from any device to any application. Learn more at N-E-T-S-K-O-P-E.com.
Speaker 2: Thank you for listening to Security Visionaries. Please take a moment to rate and review the show and share it with someone you know who might enjoy. Stay tuned for episodes releasing every other week, and we'll see you in the next one.