CSO success favoured by team culture, not executive buy-in: J&J CISO

Establishing a broad sphere of influence and building a good security team are the most important ways to be an effective CISO, according to the award-winning worldwide vice president of information security with global healthcare giant Johnson & Johnson.

Marene Allison – a frequent security-industry speaker who was recently honoured with the CSO Magazine-Alta Associates sponsored Women of Influence (WoI) Award from Alta's Executive Women's Forum – manages a global team of 104 security professionals and told CSO Australia that the most important part of succeeding as a CISO is ensuring that team both supports the business, and supports itself.

“If you have good staff, it takes so much of the burden off of the CISO,” she explains.

“I can go to sleep at night knowing my team in the Asia-Pacific region are on the ball, empowered to make the right decisions, and can get us to the right place. Instead of me trying to work 12 hours a day, I have a team doing 24x7 work. It makes my life much easier.”

Johnson & Johnson's regional CIO, Angela Coble, recently told attendees at the CSO Perspectives Roadshow about the extent to which having a people-focused, sales and marketing background has facilitated her work as a CSO.

This approach resonates with Allison, who has found that the most effective empowerment for the security organisation has come not from targeting senior business executives and lobbying for greater involvement in business decision-making – a common suggestion by many in the industry.

Rather, Allison says, a more effective tool is for CSOs to expand the range of people with whom they engage on a regular basis.

“In some companies, whom you report to is an extremely important thing,” she says. “But my role as CISO is recognised, and in any given moment I may be talking to the CFO or the guard at the desk downstairs.”

“It's not about who you report to,” she continues. “It's really about your sphere of influence. Do you have credibility? Do people believe what you say? Do you have a plan? If you have those things, where you report is less important.”

That's a different philosophy to that of many other CSOs, but then again Allison has never been a conventional sort of CSO. She is a graduate of the first class of women educated at the United States Military Academy at West Point, an extremely prestigious institution that put her amongst exclusive company as a leader and security-minded investigator.

Her career subsequently took her through roles with the military, including 20 years as a US Army military academy liaison officer; six years as an FBI special agent; and security-related roles with companies including massive grocery retailer A&P and IT giant Avaya.

That varied experience has helped shape her tenure as CISO, in which she has focused on perpetuating an evidence-based approach to security that spans both physical and information security.

“Once an investigator, always an investigator, I always say,” Allison laughs. “Physical security thinks of the person who has broken the door, and IT security thinks it's always the person who broke into the network. Sometimes it's both, or not even that but a privileged user on the network. It's rather interesting when you combine them.”

The growing flood of information-security threats continues to test those methodologies, with new malware and threats adding “a whole new dimension to the role of CISO,” Allison says.

“It's about being able to interpret intelligence and translate it back down to your business so you can continue to protect it. But it's also about the skill of your staff, and being able to countermand what's going on in the environment.”

“Can you get ahead of the curve? Yes. Can you stay ahead of the curve? I don't know. How good are you at your game? Today you have to continue to move forward, staying abreast of what's going on, and looking at new methods to make sure you have something to work with.”

Crucial to keeping up, Allison reiterates, is having a strong team around you – and that doesn't necessarily mean building an army of sycophants.

“It's not just about hiring people that like you or sound like you,” she explains. “If you have a diversity of thought and looking at things in all different ways, you're much more likely to stay ahead of the curve.”

“You just never can be complacent – and that's why I absolutely love this job. You've always got something new.”


Stories by David Braue
