Simply Solving Cyber
This show features an interactive discussion, expert hosts, and guests focused on solving cyber security and privacy challenges in innovative and creative ways. Our goal is for our audience to learn and discover real, tangible, usable ideas that don't require a huge budget to accomplish. Shows like “How It’s Made” have become popular because they explain complicated or largely unknown things in easy terms. This show brings the human element to cyber security and privacy.
Marene Allison's Journey in Cybersecurity and the Power of Mentorship
Unlock the secrets of effective insider risk management with Marene Allison, the former CISO of Johnson & Johnson, as she takes us on a journey through her illustrious career in cybersecurity. From her intriguing transition from military police to managing IT security for the World Cup, Marene shares captivating stories like thwarting a logic bomb attempt at Medco. Her emphasis on prioritizing process over technology offers invaluable insights into tackling insider threats, legacy technology challenges, and strategic loss prevention. Marene's thoughtful approach to cybersecurity underscores the impact of collaboration, highlighting the necessity of engaging with non-IT departments to safeguard critical data assets.
In a conversation rich with wisdom and experience, we also explore the transformative power of mentorship with Cody, an advocate for the "pay it forward" philosophy. By fostering a culture of reciprocity, Cody inspires his mentees to guide others, amplifying the positive effects of mentorship in the cybersecurity field. This episode celebrates the unique skills that military veterans bring to the corporate world, emphasizing their significant contributions to data protection and security strategies. Join us for a thought-provoking dialogue that not only educates but also inspires a new generation of cybersecurity professionals to build a more secure future through collaboration and mentorship.
Speaker 1:Thanks for tuning in to Simply Solving Cyber. My name's Aaron Pritz.
Speaker 2:And I'm Cody Rivers.
Speaker 1:And today we're here with Marene Allison, formerly retired CISO of Johnson & Johnson, active practicing board member and recently started her own consulting firm, Marene Allison Consulting, and I won't steal any more thunder, we'll let her talk about that and her focus. Marene, welcome to the show.
Speaker 3:Well, thank you Aaron, welcome Cody. I'm glad to be here and to be associated with you both. Yeah, you know, I retired almost two years ago. It seems like time has flown and I thought, you know, retirement was going to be a Barcalounger and bonbons, watching old episodes of TV, or Netflix, but here I am. I'm busier than I could ever want to be and doing all sorts of great things. And, you know, throughout my entire career, whether it be on government side or on physical security or IT security, so it's come full circle.
Speaker 1:Glad to be here. Yeah, thanks again for joining. Well, I'll kick off with first question. Tell us your origin story getting into cyber. What can others learn from your path in and give us a little taste of that.
Speaker 3:Yeah, I'm one of those folks that, even though I had an electrical engineering concentration from West Point, I didn't actually start with bits and bytes in computer science. No, I started more on military police and I started in physical security. And when I got out of the Army and FBI I actually started as head of loss prevention for A&P Foods, which was around shrink and loss in a grocery store, and I backed into a little bit of the IT as I went into business continuity for Y2K. And then when I left A&P, I went over to Avaya Telecommunications and though I was physical security, the IT security left and they said, hey, Marene, you have IT security now. And I said, OK, that's cool. And then they go, oh, by the way, and this is February, in June we're going to provide voice over IP, the first production use for the network in the World Cup in Japan and Korea, and you have to run the security operations center. So I jumped in with both feet all at once on a grand stage.
Speaker 1:Very nice. I'm sure you said thank you for the opportunity and booked your tickets to Japan right.
Speaker 3:I did and thank you, whichever airline I went on, because I lost my luggage and I didn't have luggage in Japan and had to go to a store, and I'm a good-sized girl, so it was hard to find Japanese clothes that fit me.
Speaker 1:Well, as a former BCP owner in the prior role did you have a good travel BCP that you enacted.
Speaker 3:I did after that trip. I had always, you know, my luggage had always caught up with me. But after that, everyone who was coming over to support the World Cup, I told them to make sure that in their carry-on they carried, and gave them a full list. So after that, and forevermore, I'm covered.
Speaker 2:Well, that's awesome, Marene. This is a special podcast for me just because of our relationship and our past, and a lot of the reason I wanted to get you on here was just to hear a lot of your stories. You've tackled some really cool things in your career and have very, very interesting and cool stories I think we can all learn from.
Speaker 2:But one thing that we hear a lot of today that Aaron and I have focused on a lot recently is going to be around insider threat and insider risk management. And I like how you said loss prevention earlier on the physical side, because that's also a key thing with DLP programs. I think when they took off early it was credit cards and PCI numbers and then it quickly moved to, like, how do I prevent loss of crown jewels and IP and that kind of stuff. So I really want to hear your take and maybe some cool stories from the front lines over the time where you kind of had some challenging insider risk topics or challenges and how process maybe won the day versus technology.
Speaker 3:Yeah, you know, technology is great if the technology is aligned to actually work so that whatever you put in place works.
Speaker 3:What I would tell you there's a lot of corporations over the years that maybe is not so right.
Speaker 3:They have potentially legacy technology or legacy processes that create a situation so that that brand new technology isn't going to work just as you need it. And early on when I was at a company called Medco, we were looking at the program that was needed to stand up HIPAA, and there weren't a lot of the technologies, or they were so industrial, like logging of access, they were so difficult to manage that they didn't work, or didn't work on a mainframe the way that you needed them to, or you had to do the coding. So we instituted something where the supervisor once a week got to review their employees' code that they had inserted, that was going into the mainframe as part of the change control, to make sure that it was accurate and correct. And a supervisor is looking and going, wait a minute, there's something wrong with this. Why is this going in? And come to find out, someone was trying to put a logic bomb on a mainframe computer that actually housed 65 million Americans' pharmacy benefit history.
Speaker 2:And we said wait a minute, that's not good.
Speaker 3:That's not good. And come to find out, the guy thought he was going to be laid off, because layoffs were happening, and he was never intended to be laid off, but he wanted to make sure his code went in. And so we called in the FBI and did a full investigation. He went to jail for 37 months and then was deported after his prison sentence.
Speaker 1:So sometimes it's the easy stuff. Was the logic bomb intended to destroy his code? Or was it kind of like the movie Office Space where they were shaving the cents off of every dollar to feed an account?
Speaker 3:Classic, no, he wasn't in it for money gain. He was in it for revenge. Yeah, and you know I found this in a lot of instances where people it's just revenge because they think they can and no one's looking. And you know people always want to say big brother is looking. Actually it's big sister.
Speaker 2:Like that. So to think about this, a lot of our clients are looking at now and saying, hey, people we work with, like, where do I start? Either I've got a program that was too big and never got off the ground, I don't have executive support, or I'm just not sure what is good enough. What's some advice that you would say to a practitioner working and saying, how do they approach an insider risk or insider threat program?
Speaker 3:Yeah, you know there's a lot of places to start and you'd be surprised at how many insiders can be in a corporation, and even looking at some areas like, you may have a third party risk. And you say, hey, we're pretty buttoned down on access. But do you have a portion of your company that maybe doesn't go through the procurement process the same way as everybody else? And the one that I have found over the years is the legal department, the lawyers. Lawyers will give full access to the SharePoint for discovery by a third-party firm and you go, well, wait a minute, why do they have full administrative rights to the SharePoint? And so you know you can look in a lot of areas and close a lot of doors when you go through without a lot of, you know, advanced technology.
Speaker 3:Then there's certain technologies that you're going to start bringing in, and you know I've always the DLPs are great, but you have to have a plan with them and what is it you want to do?
Speaker 3:And until you can see that, hey, wait a minute, I have clinical data here and it looks like this and it's tagged, then you can say, wait a minute, where's it going? You know, what's somebody doing with it? And that's where I say, have a plan that's around the business data that you're trying to protect, versus we, as cybersecurity professionals, like, I'm going to protect it all. And I've seen that. I had an internal audit department that wanted me to put in a DLP when I didn't have an intrusion detection system in my company, or we didn't have a proxy, and they wanted me to put in DLP. And I'm like, yeah, no, that's not going to work. And so it's having logic and then having a plan and being able to articulate it, because you're going to ultimately have to report it to senior executives and the board and get the funding for it. So know where you're going.
Speaker 1:Yeah, that's a great point. We've seen a huge reflux or reoccurrence of the topic of information classification, and obviously that's not a new topic. It's not a new concept. You were probably using it in your military days long before, you know, the corporate world even adopted it. But we've really seen, and you mentioned pushing DLP, and I've seen companies try to do it without understanding their crown jewels. But give us your thought on InfoClass and, you know, maybe where you've seen it done right and wrong and, you know, how do companies make a difference if they're trying to protect data.
Speaker 3:Yes. So you know I always like it because you have the regulated data, like HIPAA data or Gramm-Leach-Bliley data, social security numbers. We all know those are things that need to be protected. They're fairly easy because it's constructed data that you can find very easily, but the reality is it goes back to: you are a business, what is driving your revenue stream, and then also the brand behind that revenue stream, and identifying that data and where it is. The reality of today is, will every byte of data be 100% protected and not go anywhere? Yeah, that's not going to happen. So it's really looking at the data sets that are extremely important to you and important to the business.
Speaker 3:And that could be a regulatory importance. You know certainly the HIPAA, the protected health information, but it also can be brand reputation. But when you start trying to protect all data equally everywhere all at once, that's when you start getting into trouble, versus getting it down a line of business for the business outcome.
Speaker 1:Great point. It's a great point.
Speaker 2:Yeah, excellent. So in that same vein, you know, InfoClass, we see a lot of information classification, or what we've shortened as InfoClass, and I think a challenge is, and you are a big proponent of this, is like talk to the business, talk to the business process, because it's in a vacuum. Just to release these distribution controls and classification controls in parallel is the hard part, because a lot of it's training people and teaching people what they handle. So if you're putting these controls and heavy things up front, there's a high chance you're going to break business process and then lose some of those allies that you may have worked hard to create. So any advice on how to create the alignment or the partnerships with the non-IT or non-security function?
Speaker 3:Yeah, go talk to them, it's really easy. Go buy them a cup of tea and I have a little program. People who know me, I call it three cups of tea. And the first time you go and they're not even talking to you, they like talk to the hand.
Speaker 3:The second time you're there, you know, you can start to have a conversation. They think you might be their help desk and they, you know, like, hey, do you know how to do this on the computer? And then by the third time you're talking strategy. What is their important data? How you can work with their senior leaders to be able to identify what their crown jewels are and what's important to their reputation, and then you're golden. I mean, then you're into your business continuity planning and your recovery. You're ready for a tabletop exercise, and once they see the exposure they potentially could have, they're the ones driving you. I mean, there's a lot of business leaders I had to say, wait a minute, we can't do all that this week. Let's look at a plan on how we can get that in to do this, and what are the necessary steps so that you can have the assurity, the availability, the confidentiality of your data.
Speaker 1:Yeah, no, that's a great point. And you had all this tea back in the day. Now the Gen Alpha kids are saying you know, I got the tea here. That means the gossip, the juice. So you had the tea back in the day before. The tea was cool.
Speaker 3:Exactly. Well, it comes from an old parable about you know you make friends after three cups of tea.
Speaker 2:There you go, nice, I like that, I like that. So the CISO role has changed over the past decade and I know we had good conversations on this as well. You're seeing the CISOs, you know, of now, with the SEC rule and breach and everything. So I'm thinking of the CISOs now: if you get a phone call to call Marene fresh out of the military at West Point, so you're fresh out of the military and you're embarking on a career in security, what are a couple tips that you're going to tell yourself that you know now, that maybe at the time you did not know, and some of the things where you bumped your head or said, hey, I wish I would have known this?
Speaker 3:The most important one, and I learned it about 10 years, eight years in at A&P Foods, is collaboration is the way to go. That even if I'm right, and I'm 100% right 100% of the time, if others feel part of the process and help to come up with a solution, it's more adopted, so you get better adoption. I can just say, hey, do this, this is perfect, you'll get great security. But if I get you to tell me the five things you could do, then you own the five things. And it's part of that, being able to work with people to come up with it. And then those other areas: oh, after we get these five in, what about these three? And as you move that adoption up, then people become owners and take pride in the security of their organization and making sure that the privacy data is kept private. They will tell you things, and that's what I would tell myself, is collaborate more.
Speaker 3:I came from the military, right, military police officer, and then I was an FBI agent. I did undercover drug operations, hey, you know what. But the reality is, just like when I, you know, as I told people, as I developed informants in the FBI, just go have a conversation and ask them what's going on, and people will tell you, and then you can work with them to help their situation.
Speaker 1:That's great. Maybe one follow-up, and you mentioned FBI and military police and all of your history. We've had several military veterans on our team and I love especially the newer ones that have come across to the private sector, helping them explore their experiences and pull out of them maybe something of value that they didn't realize translated into the corporate world. And a good example I had was a gentleman that helped deploy troops out of Camp Atterbury and taught the war gaming principles and concepts to some of the officers and, you know, leaders that were going to be deployed, and, you know, quickly my mind went to, you know, tabletops and incident response plan and readiness and the whole, you know, Dwight Eisenhower, it's not about the plan, it's about the planning process. So what have been some of your, you know, probably having some military veterans on your team and being a military veteran, what have been some of your biggest aha moments or surprises of talent from that community that was very applicable in cyber, that maybe wasn't intuitive up front?
Speaker 3:So one of the things is, and it's not just military, but military comes with it, is a sense of duty and mission, right. And I tell folks, when I was 17 and raised my right hand on the plain at West Point and said I would defend against all enemies, foreign and domestic, when I retired from J&J I was doing the exact same mission.
Speaker 3:And when you get people that are tied to mission versus salaries or what their title is, you know, I had people who had to do e-discovery down in Brazil because we had a Brazilian authority that came that wanted data on the 4th of July.
Speaker 3:So it was the soldiers that we had brought in through a military program that, on the 4th of July, because they knew if they could get that data there, we would have employees that would not have to go to the police barracks or the prison or the jail. They knew that if they gave that data. So they gave it their all on that day and it wasn't about, hey, am I getting overtime or whatever. They just did it. We took care of them a little bit later. But it's those things, it's about the mission. You get a cyber hunter that is a military person, they're not going to stop, because it's just like they're in the military and they're looking and they're hunting and they're going to do the forensics till they figure it out, when someone who's just doing it for a job may not have that same drive and mission orientation.
Speaker 1:Great point, yep.
Speaker 2:Totally agree. Well said, well said too. And I think for other listeners, maybe tell us an interesting fact. What would the listeners, if they see Marene Allison, you know, they got the retired Johnson & Johnson CISO for a long time this career, what maybe is not on paper as much? And we don't need to say anything confidential, but maybe a fun fact about you that others wouldn't know generally.
Speaker 3:My husband and I run a 219-acre organic blueberry farm in North Florida, so we have commercial production of organic blueberries, one of the first crops in the United States of blueberries that get shipped out.
Speaker 2:That's excellent.
Speaker 1:You have an adjacent blueberry winery. I know that's popular up in Michigan which is a state of many blueberries.
Speaker 3:No, no, we don't. You know, we're pretty good. At the end of the season we do a U-Pick operation and help the community, and we do something with our veterans in the area to give back. So, yeah, I wish I had, you know, the wherewithal for a blueberry winery. But nope.
Speaker 2:That's awesome. Two of the things I know too, and I think I may have told you this, but Marene is also class of '80 at West Point, the first class of females. So as a very prestigious program, probably a lot of new things that you were faced with and challenges that you overcame there. And then recently she was a 2023 Distinguished Graduate at West Point, so I'll brag a little bit on her there. So very, very proud of Marene there and appreciate her service.
Speaker 3:Well, thank you. Thank you. I'm just going to brag a little on Cody. Cody didn't know that his father and I were classmates, and Cody is so active in trying to grow in the cybersecurity space that he actually approached me because he saw me as a CISO leader and he wanted me to do some career counseling with him. And at some point I was talking to his father and he said, oh yeah, my son, Cody, and I'm like, Cody Rivers is your son?
Speaker 3:And he goes yeah, do you know him? And I said, yeah, I'm going to talk to him next Tuesday, I'm mentoring him and that's one of the things I will tell people is just reach out, because everybody wants to help everybody else.
Speaker 1:That's a great point and you should know as well. Cody does a lot of mentoring himself of others and up and coming talent. So I think you know what goes around comes around and if you're going to take, you should give. That's kind of my philosophy.
Speaker 2:Right, yeah, I tell all my mentees, and the ones listening will hear this too, I say there's never a cost, you know, for mentoring. Only thing is you got to pay it forward. You got to find two more impetus. One thing I say I require of, you know, for mentoring someone is you got to pay it forward and help somebody else.
Speaker 1:Awesome. Well, I think we're about out of time. I really appreciate you coming on the show and have a great rest of the week and weekend.
Speaker 3:Thank you very much, gentlemen. I certainly appreciate it and I wish you the best of luck.
Speaker 2:Thank you.