Or listen in your favorite podcast app
“I trust the data more than I trust the programmer.” — Marene Allison of @JNJNews #ITVisionaries
Marene Allison (LinkedIn) has seen a lot in her career and her life. She was one of the first women to graduate from West Point and then went on to a role at the FBI bringing down some of the largest drug rings on the East Coast. Eventually, she moved on to the private sector to head up security for A&P Foods and today, she is the Vice President and Chief Information Security Officer for Johnson & Johnson.
On this episode of IT Visionaries, Marene discusses her entire journey, as well as everything she’s learned, what it means to lead IT and security for a worldwide organization, what the future of AI and consumer privacy looks like, and much more.
Topics Discussed: Intelligence, security, AI, machine learning, data, West Point, military, women in tech, leadership, FBI, tech, digital threats, cybersecurity
Introducing Marene and her extensive background — (1:20)
- First FBI special agent on to be interviewed on IT Visionaries.
- As a special agent in the FBI, I was working on applicants in San Diego, CA. Also worked on the terrorism squad.
- “At the time terrorism was a very physical event and so the security was around the physical world.”
- There is still a physical threat, but today there is a greater online threat.
- It used to be you needed to go to another nation’s sovereign land to attack them, now those attacks can happen online. This changed how nations look at sovereignty, terrorism, and crime in general.
Threats in the digital world — (8:30)
- Digital threats were not as visible until the laws requiring the disclosure of attacks were changed.
- Probably the most important thing, even in the cyber world is know thy enemy.
- Signatures and other identifiers are available that will give you information into who is attacking or hacking you. By finding that it will also help inform your level of response.
What type of behavior or endgame are attackers looking for? — (10:50)
- A couple of things are happening. In some cases, you see that there has been exposure and hacking of data that has been linked back to China. But that data never makes it to the street or onto the dark web. So what is being done with that data because it’s not technically disruptive, at least not yet?
- On the other hand, certain viruses are designed and unleashed to cause mass destruction
- Investigators do see things in the environment that makes them question things and environmental clues can provide breaks in hacking cases.
What percentage of cyber attacks are for financial gain? — (15:15)
- Most of the criminal element of cyber is based on finding data for money, and not necessarily even for extortion. Data, in general, is just being monetized.
- 90% of email that comes into Johnson & Johnson is stripped off and filtered out because it’s mostly phishing and malware.
- “Today, sophisticated technologies are what makes me excited to be a CISO. We get to work with end users, design new systems, …and I have a huge cloud and machine learning infrastructure to look at data and find the needle in the haystack. So When the invisible man comes in to try to steal my data, I man never see him come in, but I can see the impressions on the carpet. We can identify them, surround them, and then prevent them from moving and taking any data.”
- Marene has been able to combine all the experience from the military, the FBI, electrical engineering and I’ve been able to find the perfect job.
What does information security look like at Johnson & Johnson? — (18:15)
- Johnson & Johnson is a global company with a high risk profile.
- “I enjoy making things simple and keeping things simple. …It’s about the diversity of thought and including everyone’s thoughts into the conversation.”
- The J&J credo is about coming up with solutions that are good for our customers, doctors, patients and all who use the products. The business of J&J is all about solving some of the most important and hardest medical problems in the world and to do that the systems have to be secure.
Growing responsibilities of CIOs and CTOs and what it means to blend information security and IT — (20:20)
- Information security has one foot in IT, one foot in the business and one foot in governance. It’s a three-legged operation.
- The reality is that the mission is to protect the company and the business data of customers. That could mean being at odds with IT or with the business. Ultimately it comes down to business risk.
- Everyone always wants perfect security, but perfect security may not be what’s needed. As long as the data is protected, even if it’s in an experiment, then you’re doing the right thing.
The best way to give everyone a seat at the table — (23:30)
- “ It gets down to diversity and inclusion and realizing who are the stakeholders needed to make the right decision. If you only have sales and marketing people, you’ll make a sales and marketing decision. If you only have IT people, you make an IT decision. You need a blend.”
- There isn’t a one-size-fits-all solution when it comes to the responsibilities of CIOs, CTOs, CISOs, etc.
- CIOs and CISOs can transfer skills and experience from one industry to the next.
- Marene learned from experience location security versus cybersecurity and more.
- How do you move a million dollars in cash? That was a problem Marene had to solve when she was working in a different industry. There are different tech and security needs depending on the business you’re in.
- You have to understand the business your in and the needs that go with it and it has to be part of the business strategy.
Integrating technology into the company — (27:00)
- Integrating technology has to be a big part of the business strategy.
- You have to look at what are you purchasing — technology, intellectual capital, molecule, etc — and then make sure you don’t lose sight of that. Then you need to strategize around those purchases.
- “When it comes down to the special sauce of what makes a company a company, it’s up to the business to realize what needs to happen.”
- There are many more options today and bringing acquisitions into a company can be easier. Using the cloud makes it 10 times easier than it ever was in the past.
Looking at innovation internally — (29:45)
- “We do everything everywhere. J&J has innovation centers around the world.”
- The innovation centers help grow the industry itself, not just the company. There are smart R&D folks working on innovative technologies in-house. From the IT side, many of the technologies that are the latest and greatest can be used, but with things like an outside cloud, J&J would rather use a bigger, specific internal cloud.
- “AI might be out on the street, but it’s not where I want it to be yet for use in primetime.”
- “We can get lost in shiny objects in IT. But at the end of the day if you’re not doing IT 101 — if you’re not patching and fixing minor problems— those oversights end up being as much a vulnerability as not having the latest and greatest tech to utilize.”
How AI must mature before implementation can happen — (33:35)
- “ If you look at the maturity curve it’s at a 0.5 and we need it to be at a 6 on the maturity scale, especially depending on what you’re utilizing it for. In healthcare, we need to be sure. It has to be exact.”
- “AI sounds so good, it sounds sexy, but it’s a marketing term at this point. But when will we get real, true intelligence, and what intelligence are we going to use and trust?”
- Any time you do data science you have to do the curation of the data, you have to make sure you are curating the right data to you have to make sure it’s accurate.
- There can be unconscious bias when curating based on who is programming the curation.
- “I trust the data more than I trust the programmer.”
- Things like data ethics, which we haven’t even touched the surface of yet, eventually will be taught at universities in the future.
The emphasis on customer experience, is it good or bad? — (37:10)
- There are pros and cons to everything. Customer experience and customer intimacy are phrases that have been out there for a while. But you have to think about when is Amazon creepy and why does it keep following me when I go to other places or other sites? There have to be opt-outs, but then what happens to data sets when you opt out?
- It’ll be interesting to see what changes need to happen in terms of click data and private data.
Marene’s experience at West Point and as a woman in the armed forces — (42:15)
- Grew up in Massachusetts and was told women could not go to military academies. Her plan was to do ROTC at MIT when the academies opened up to women.
- Marene never applied for West Point, she applied for the Air Force Academy. But Margaret Heckler, who served in the United States House of Representatives, gave Marene her principal nomination to West Point and Marene accepted and went to West Point sight unseen.
- Took electrical engineering at West Point, graduated and got the very last position in her class for Military Police. The Military Police was the only branch in the army where Marene could do almost all the same jobs as a man so she was excited to be looked at as an equal.
- Got out and went to the FBI and eventually moved to the East coast and worked as an undercover drug agent.
- Was approached by A&P Foods, which was looking for a female in law enforcement with a security background and was a West Point grad to run their security.
- “If you’re locked into the idea that you are a thing and you’re not anything else, you will always be that thing. I always kept myself open to other options. I never would have thought of myself as fearless, but I am fearless.”
- Ran network security at the World Cup. Providing security on a world stage like that and having to deal with the South Korean government and other agencies and intercultural relationships allowed Marene to grow and move in the security space.
- “What I tell people is that if you have a sponsor, listen to them and follow their advice. There will be sponsors for you, recognize them and don’t discount their advice.”
- “If you believe you can do it, you have a chance of doing it. If you believe you can’t you’ll never get it done.”
Lightning Round — (49:55)
- Waze is her favorite app.
- She and her husband own a 182-acre organic blueberry farm in north Florida. “We’re the largest producer of organic blueberries in Madison County, FL.”
- Best advice: “Talk with your peers. Find a friend, someone you can chat with and talk with them at will.”