How Stryker's First-Ever CISO Reined In Cloud Chaos

From her post as deputy CIO of The White House to being named the first-ever CISO at Stryker, a medical device manufacturer, Alissa Johnson is no stranger to challenges. Here's a look at how she reined in an environment loaded with cloud applications and shadow IT.

Curtis Franklin Jr., Senior Editor at Dark Reading

March 7, 2016

6 Min Read
<p align="left">Dr. Alissa Johnson</p>

8 Secret Habits Of Successful CIOs

8 Secret Habits Of Successful CIOs

8 Secret Habits Of Successful CIOs (Click image for larger view and slideshow.)

It's one thing to become the CISO of an organization. When the organization has to deal with significant regulations in the healthcare and financial sectors, it's quite another. And when you're the first CISO the company has had, responsible for setting the security policies that will govern the enterprise and its dealings with the outside world, then you find yourself in a very special situation.

That's the position Dr. Alissa Johnson, CISO of medical-device manufacturer Stryker, found herself in when she took the job in March 2015.

It's not as though Johnson wasn't accustomed to a high-profile position. Previously a CTO with Lockheed-Martin in a government-facing division, she dealt with serious issues. And as deputy CIO for the White House, with security organizations reporting into her office, the issues were as serious as they come.

The position with Stryker was different, because everything was happening for the first time. "I am the first CISO because they had a hunger for information security and thought it was the right time to bring in a CISO. It was a new role for the company, which gives me a green field," said Johnson, who explained that establishing the position opened the organization's eyes to new opportunities.

Create a culture where technology advances truly empower your business. Attend the Leadership Track at Interop Las Vegas, May 2-6. Register now!


Johnson said that, coming into the position, "I was prepared to be appalled and surprised, and so was the CIO. We were all prepared to be surprised." She anticipated the surprise because there was no baseline for security. No one at the company had a firm grasp on what the situation looked like.

Mysteries in the Network

"Any CISO who says he knows everything about the network is lying," said Johnson, but that didn't mean she was comfortable with a high level of uncertainty. "You have to be in the mindset of chasing the unknown," she said. For Johnson, that chasing included trying to figure out what employees were using, and which vulnerabilities the applications and services brought with them. "There were lots of vulnerabilities, both those we knew about and those we didn't," she said.

"When I came in, I was flabbergasted by the number of cloud services being used," Johnson continued. "I was counting the number of cloud services in my head, and there are things like URL shorteners that I don't think about as cloud services, but I found that the world was much bigger than I thought it would be." The initial "baseline" effort found scores of cloud services and applications in use by the company's 27,000 employees worldwide that weren't on any IT list.

Johnson said that it wasn't merely the number of cloud services, but the nature of those services that gave her pause. "I have teenagers, and I think of myself as pretty savvy, but coming here and getting the number of cloud services, and then finding which ones were high risk -- about 75% -- was eye opening," she said. "I've used a lot of them, but in an enterprise setting that's not where you want your data sitting."

A Gradual Approach to a Win

After getting a handle on the situation, she moved to improve security while gaining the trust and support of management around the company. It wasn't as though she suffered from a lack of options on where to start her efforts. "There was a lot to get done, so I could have thrown a dart at the wall to choose a first step," she said. The point of her dart found "define acceptable cloud services" as its bullseye. Johnson said that they adopted Office 365 as the center of the company's new cloud initiative and began to steer users toward Microsoft's applications and several related services.

"My first purchase was Skyhigh" cloud security software, said Johnson. It was important to Johnson to focus on the way the change was made. "We didn't instantly cut people off from services. I allowed the Skyhigh tool to pop up information when employees went to something we would eventually block," Johnson said. Once the warnings started going up, blocks were put in after a few weeks to allow employees to move data and change routines.

The gradual approach paid dividends throughout the organization. "This was low-hanging fruit. The board saw cloud services being standardized and could support the whole security plan," Johnson said. Board buy-in was critical, but support from the rest of the organization was important, as well. She said total organizational acceptance is key to minimizing the growth of the "shadow IT" that she sees as part of the new normal in enterprise IT. "We've got to look at where [shadow IT] started," she said. "No matter where it started -- infosec or something else -- IT started showing up as the team of 'no.' So people went around and got around the process."

Positive Change

Johnson's approach to minimizing shadow IT is one of being relentlessly positive. "Instead of saying no, you say 'yes, and...' Yes, you can use this, and we'll secure it this way. Yes you're using this, and it's not approved so we need to do this instead," she said. "We have to be more in tune with the business. Shadow IT will be here as long as we say no and don't offer alternatives."

Ultimately, Johnson was able to break her strategy into concepts and words that the organization could accept. "I broke it out into three areas: Stop the bleeding, build the muscle, and sustain the health. This is a medical technology company, so these terms resonated with the company," she said.

The other thing that resonated within the company was the understanding that they had to take a new approach to security. "There are so many new threats, and so many new products to protect on the network. I had a board that was hungry for security, and that's the only way this would work," Johnson said. She is an example of a new CISO who has taken a fresh set of eyes to an old set of problems. Stryker seems ready to reap the fruits from the security green field Johnson was given.

Rising stars wanted. Are you an IT professional under age 30 who's making a major contribution to the field? Do you know someone who fits that description? Submit your entry now for InformationWeek's Pearl Award. Full details and a submission form can be found here.

About the Author(s)

Curtis Franklin Jr.

Senior Editor at Dark Reading

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and other conferences.

Previously he was editor of Light Reading's Security Now and executive editor, technology, at InformationWeek where he was also executive producer of InformationWeek's online radio and podcast episodes.

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has contributed to a number of technology-industry publications including Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most popular book, The Absolute Beginner's Guide to Podcasting, with co-author George Colombo, was published by Que Books. His most recent book, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, with co-author Brian Chee, was released in April 2010. His next book, Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, is scheduled for release in the Fall of 2018.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in amateur radio (KG4GWA), scuba diving, stand-up paddleboarding, and is a certified Florida Master Naturalist.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights