Americas

  • United States

Asia

Oceania

Johnson & Johnson CISO Marene Allison: ‘You can’t sit on today’s technology’

Feature
Jul 15, 20226 mins
Healthcare IndustryIT LeadershipSecurity

The CSO Hall of Fame inductee stresses the importance of having a roadmap that allows you to anticipate what’s coming and pivot quickly.

Marene Allison, CISO, Johnson & Johnson
Credit: Johnson & Johnson

The oath Marene Allison took years ago to defend and protect the United States is the same tenet that now guides her work maintaining cybersecurity at one of the largest pharmaceutical and consumer packaged goods manufacturers in the world.

“It’s like I raise my hand [in an oath] every morning and the mission is to protect and ensure the viability of my company in the cyber world,” says Allison, who has been the CISO at Johnson & Johnson for more than 12 years. “It’s important to understand I’m here to protect this company that is focused on human healthcare. It’s a very, very important mission that I take seriously every single day.”

Allison is accustomed to missions.

She was a member of the first class of women to graduate from the United States Military Academy at West Point, earning her Bachelor of Science degree. Her ties to the august academy have remained strong, becoming a member of the Board of Directors of West Point Women, and a Military Academy Liaison Officer/Congressional Coordinator for the State of New Jersey. And before joining the corporate world, she served as a Special Agent in the FBI, working on undercover drug operations in Newark, N.J. and terrorist bombings in San Diego. 

Securing Johnson & Johnson

For the past dozen years, though, Allison’s focus has been on securing Johnson & Johnson’s worldwide information technology systems and business. It’s a big job. 

The 136-year-old U.S.-based company is a household name, manufacturing and selling ubiquitous products like Tylenol pain medication, Band-Aid adhesive bandages, Listerine, and Aveeno body lotion, along with orthopedic implants and medical devices. However, since the COVID-19 pandemic hit in 2019, the Fortune 100 company garnered global headlines for developing a COVID vaccine that quickly became a critical tool to protect people from the highly contagious and deadly disease. 

Keeping information systems, data, and people safe at a healthcare company has its own challenges. Ensuring those protections when suddenly that company is a focus of the world’s attention, especially when the pandemic is embroiled in a heated political firestorm, becomes exponentially more difficult.

“I think what COVID did was put healthcare in the spotlight,” says Allison. “At J&J we had cyber defenses and data protection already created, so we had resiliency in place that kept us above the fray. You had to understand what was coming at you and have those defenses in place.”

That fits in with Allison’s philosophy that it’s important to look beyond the technology being used today and the issues immediately in front of them. She focuses on looking ahead, not only at the devices and software Johnson & Johnson employees are going to want to use in the future, but at what challenges might be heading toward them. 

“Mature companies with large security organizations are looking at roadmaps all the time. You have to look at what is needed and what is out there and have plans in place to pivot quickly,” she explains. “You can’t sit on today’s technology and not think about what you’ll need for the future. Whether it’s artificial intelligence or machine learning, you have to look ahead—the workforce wants to be able to lean into new technologies.”

Security during the pandemic

That eye-to-the-future helped when Johnson & Johnson’s workers left their offices in droves to work remotely when the pandemic hit. When employees needed to be able to use Zoom to connect and communicate from their living rooms and kitchens, the question was if it was secure enough. It was a question Allison had asked and answered before COVID hit; she had evaluated Zoom before it was critical to the company’s remote work needs. 

“We were digitally ready,” she says. “We look at our technology platforms and assess what needs to happen before we start using them every single day. Security has to be the department of, ‘yes and here’s how.’ When new technologies come out, people say, ‘We’re going to use these things.’ I say, ‘I certainly hope so. They’ll help us in so many ways.’”

Another aspect of security during the time of COVID was protecting employees by educating them about the dangers of oversharing on social media. 

“We looked at the use of social media—how we communicated, what platforms were being used, how much information was being shared,” says Allison. “Because everyone was home and on social media, people had to learn how to be more secure on social media. It was more about making sure they didn’t become targets.”

Creative team building

Staying ahead of tech advancements and enabling employees to safely work from home, while securing Johnson & Johnson’s computer systems and data is an enormous job. But it’s one Allison doesn’t take on alone.

The CISO says one of the things she’s most proud of is the team she’s built around her – the team that keeps all the trains running.

“I think it’s really about creating a team that’s able to handle the risks that are out there today in a very dynamic and very changing cyber world, while helping protect our business so they’re free to operate and to solve the issues of healthcare for humanity,” she says. “It’s creating a team with diversity of thought so they can look at things from all angles and understand the technology, the business, and the threat. The real thing is the talent that’s been created in the organization we have at J&J.”

To build a top-notch cyber security team when there’s a shortage of people trained for tech jobs takes vision.

Allison says she’s had to be creative in the way she looks at people and what they can do. There are a lot of people who may not have started out with a tech degree, for instance, but that doesn’t mean they can’t be a valuable part of her team.

“I believe in investing in people and knowing they can grow,” she says. “I’ve seen police officers who have turned into forensic experts and the head of security operations. The creativity is in believing in people and what they’re capable of…. You can’t say, ‘You went to school for mainframes so you can’t be a cloud expert.’ [They] can. That’s what makes security people so special. They’re always looking to solve problems. If you find someone like that, you seize on the opportunity.”