Lance Bellers - Fotolia
Published: 01 Nov 2017
Xerox CISO Alissa Johnson, known as Dr. Jay, is the former deputy CIO of the Executive Office of the President, where she managed cloud services, virtualization and other IT initiatives during the Obama administration, from 2012 to 2015. Her nickname sprang from her years of education: She holds a doctorate in information technology management, a Master of Science in telecommunications and computer networks, and a Bachelor of Science in mathematics. She is also a National Security Agency-certified cryptologic engineer. She transitioned to the role of CISO immediately after leaving the White House.
In March 2015, Johnson became the first CISO at Fortune 500 medical equipment maker Stryker Corp., where she is credited with reining in out-of-control shadow IT practices. She joined document services provider Xerox in the role of CISO in 2016, with a wealth of private and public sector experience. Earlier in her career, she served as associate vice president for enterprise solutions at Catapult Technology, where she managed government contracts. She also worked in the defense industry as deputy CTO at Lockheed Martin, senior network engineer at Northrop Grumman and at the Department of Defense as a cryptologic mathematician.
Information Security magazine spoke with Johnson about her decision to become a CISO, challenges in the private sector and the role of federal government in cybersecurity.
Your early IT career was not focused on security. What attracted you to this field?
Alissa Johnson: I am a person who classifies herself as very nosy and intrigued by everything. I try to figure things out, and I don't follow the path of the status quo. It is a mixture of traits. What led me directly to being a CISO was serving as deputy CIO at the White House. I was looking to leave and thinking about the next step in my career, which I hoped would be a CIO position. However, an executive recruiter recommended focusing on the role of CISO.
What was the state of cyber awareness and preparation at the White House when you arrived?
Johnson: The White House is essentially a startup every four or eight years when a new president comes in. The technology and initiatives are based on what the new administration wants. There was a good amount of preparation done when we inherited the White House from the Bush administration. However, we were met with desktop systems and floppy drives, so we needed to modernize both from a tech perspective and from a security perspective. And, of course, the new president wanted a BlackBerry and access at all times so he could be in touch with the American people. It was a challenge to do that without risking security.
What was the big takeaway from your role as deputy CIO at the White House, either directly related to cybersecurity or in general?
Johnson: One is that there are a lot of instances where we allowed the culture to drive the security governance, and, a lot of the time, we found ourselves behind the adversary. You have to let security governance drive things -- for example, with multifactor authentication. There may be a better way of doing that, but when we let the culture in a company or agency drive security governance or innovation, that's a problem.
The second thing that I learned was that there really isn't a lot of difference between there and here. ... Xerox has no nuclear secrets, but hackers are still attacking us and trying to get data using the same tools and technology. What they want to get is different, but how they get it is the same. All organizations have unique aspects, but when you peel it back and look at the way the attackers come in, [it] is largely the same.
What are your biggest concerns at Xerox, and how are you addressing them?
Johnson: We are putting our energy into being proactive. It sounds simple, but lots of cybersecurity operations put a lot of investment into being reactive. They plan how they will respond when something happens. That is good in terms of the [National Institute of Standards and Technology Cybersecurity] Framework. Detect and respond are at the start. However, I want to focus on prevention.
Could you discuss any specific cyberthreat or attack you have had to respond to at Xerox?
Johnson: We haven't had any real red-alert situations, but the top of mind for us is the security of the internet of things. We are known as the document company, but our products are in hospitals, government agencies and the financial sector, and we have to make sure we are not inadvertently providing a conduit for attacks into customer networks or perhaps letting outsiders see what is being printed.
At Xerox, we want to make sure that the products we introduce into other environments integrate well and don't need lots of bells and whistles to help prevent attacks.
How is that being accomplished?
Johnson: It is through providing notification and through ease of integration and the whitelisting technologies embedded through our partnership with McAfee. That helps prevent attacks and provides notification if something looks fishy or unfamiliar.
Do you play a direct part in that in your role of CISO?
Johnson: Yes, I do. We look at it as all part of our responsibility to protect the brand. We have a product security group that is heavily looking at advancements in security, but the role of CISO is the layer that speaks and advises on that. Those things are super important, especially as we think about where future investments should be.
What do you see on the future horizon for cybersecurity?
Johnson: It is not just one future; there are different kinds of breaches and evolving concerns around privacy as well as growing regulations. Any one of those things can change the future of cyber, which is why I think the future leads to [artificial intelligence] and machine learning. I am thinking especially about allowing systems with AI to take actions on my behalf.
We already do that in a sense when we set firewall and network policies now that we are in the era of data analytics engines that can tell us so much about the data. What's missing is they don't do anything about it. That is where I believe we have to let the process play out so the smart engine can analyze data, tell you about it and take the logical step of doing something about it.
With the economy heating up, are you finding it difficult to attract and retain the people you need? And does this vary much by location?
Johnson: Yes. We have a big contingent in Rochester, N.Y., and our headquarters is in Norwalk, Conn. I sort of ripped the Band-Aid off and said that we can no longer simply decide that a team has to be in one location or another. The cybersecurity shortage is so bad that we can't afford to be localized. Like the cognitive computing discussion, this is another way to close the skill gap.
What do you see as the role of the federal government in cybersecurity, and how is that evolving in the current administration?
Alissa JohnsonVice president and CISO at Xerox
Johnson: There are many changes in cybersecurity, even without the new administration making policies and bringing in new ideas. I think it is the responsibility of all of us, federal and private sector, to do more information sharing. When I was in the White House, we tended to think we needed to keep information closely held. There can be some good reasons for that -- but the adversary doesn't care. They are sharing [information] widely in that community; on the dark web, the amount of information sharing is exponentially greater.
We are afraid that someone will mention an exposure, so we are fearful of sharing. We do have ISACs [Information Sharing and Analysis Centers] and coalitions that help, but we still protect [information] to an extent that really makes it hard to attack the problem effectively.
CISO role leads to opportunities for change
Should you invest in a CISO training program?
Challenges faced by the D.C.'s first CISO