Establishing a broad sphere of influence and building a good security team are the most important ways to be an effective CISO, according to the award-winning worldwide vice president of information security with global healthcare giant Johnson & Johnson.
Marene Allison – a frequent security-industry speaker who was recently honoured with the CSO Magazine-Alta Associates sponsored Women of Influence (WoI) Award from Alta's Executive Women's Forum – manages a global team of 104 security professionals and told CSO Australia that the most important part of succeeding as a CISO is ensuring that team both supports the business, and supports itself.
“If you have good staff, it takes so much of the burden off of the CISO,” she explains.
“I can go to sleep at night knowing my team in the Asia-Pacific region are on the ball, empowered to make the right decisions, and can get us to the right place. Instead of me trying to work 12 hours a day, I have a team doing 24x7 work. It makes my life much easier.”
Johnson & Johnson's regional CIO, Angela Coble, recently told attendees at the CSO Perspectives Roadshow about the extent to which having a people-focused, sales and marketing background has facilitated her work as a CSO.
This approach resonates with Allison, who has found that the most effective empowerment for the security organisation has come not from targeting senior business executives and lobbying for greater involvement in business decision-making – a common suggestion by many in the industry.
Rather, Allison says, a more effective tool is for CSOs to expand the range of people with whom they engage on a regular basis.
“In some companies, whom you report to is an extremely important thing,” she says. “But my role as CISO is recognised, and in any given moment I may be talking to the CFO or the guard at the desk downstairs.”
“It's not about who you report to,” she continues. “It's really about your sphere of influence. Do you have credibility? Do people believe what you say? Do you have a plan? If you have those things, where you report is less important.”
That's a different philosophy to that of many other CSOs, but then again Allison has never been a conventional sort of CSO. She is a graduate of the first class of women educated at the United States Military Academy at West Point, an extremely prestigious institution that put her amongst exclusive company as a leader and security-minded investigator.
Her career subsequently took her through roles with the military – including 20 years as a US Army military academy liaison officer – as well as six years as an FBI special agent and security-related roles with companies including massive grocery retailer A&P and IT giant Avaya.
That varied experience has helped shape her tenure as CISO, in which she has focused on perpetuating an evidence-based approach to security that spans both physical and information security.
“Once an investigator, always an investigator, I always say,” Allison laughs. “Physical security thinks of the person who has broken the door, and IT security thinks it's always the person who broke into the network. Sometimes it's both, or not even that but a privileged user on the network. It's rather interesting when you combine them.”
The growing flood of information-security threats continues to test those methodologies, with new malware and threats adding “a whole new dimension to the role of CISO,” Allison says.
“It's about being able to interpret intelligence and translate it back down to your business so you can continue to protect it. But it's also about the skill of your staff, and being able to countermand what's going on in the environment.”
“Can you get ahead of the curve? Yes. Can you stay ahead of the curve? I don't know. How good are you at your game? Today you have to continue to move forward, staying abreast of what's going on, and looking at new methods to make sure you have something to work with.”
Crucial to keeping up, Allison reiterates, is having a strong team around you – and that doesn't necessarily mean building an army of sycophants.
“It's not just about hiring people that like you or sound like you,” she explains. “If you have a diversity of thought and looking at things in all different ways, you're much more likely to stay ahead of the curve.”
“You just never can be complacent – and that's why I absolutely love this job. You've always got something new.”