Global Information Security Officer, Nike
How do you manage security in an organization that works with so many far-flung suppliers and other third parties?
If an internal organization is remote from the corporate office, we find someone in that organization to become a security advocate. They know their environment and user community best. They communicate back to centralized security about their needs. If corporate security imposes a new policy or technology, they also can vet and validate that.
With external relationships, there's usually a person who has an account relationship with that supplier or business entity. It's better to work with the account representative first. The account rep knows that entity's business and understands their issues.
You built a "virtual security organization" within Nike comprising 50 to 60 business execs who champion security within their own groups. How?
It's a volunteer organization. It isn't something you can mandate. These are busy people. I take time to build a relationship first. I show that they get something out of the time and commitment, whether they're attending a meeting or just e-mailing feedback on our direction. I try to show them that what we're doing can grow the business and add business value. As long as they feel they're getting something out of it, I think that's the best I can do.
You've said security should help grow the business, but how do you show ROI, for example?
ROI is tough. There's running the business, and then there's growing the business. Running the business involves protecting our infrastructure. But at the end of the day, that's not really going to show value to our business customer.
We look at intellectual property protection as a way to grow the business. It increases your competitive advantage. We also try to reduce time to market from a security perspective. Companies like Nike have fast innovation cycles. Time to market is critical. We can reduce it through identity management or enterprise sign-on solutions that allow people to get more information quickly. Or we can provide secure, integrated portal solutions. We're also looking at taking the cycle time for application development in-house. If we can build security services that are extensible and repeatable, then our application development teams don't have to sweat the security of, say, authentication services. It dramatically reduces their time to produce an application. That in turn reduces development costs and helps get applications out the door faster.
What advice do you have for protecting intellectual property?
At one time, we were thinking mostly about the infrastructure and technology that protect hardware and operating systems and so on. Rarely did we talk about data. We started asking business leaders what information they care about most. What security professionals think is important may not be what business teams think is important. When I talk with product development staff, their main concern is information around new products, new technology and so on. You can prioritize when you understand what they care about. Otherwise, you might take the "peanut butter spread" approach to security. You spread it thin across the enterprise to make sure you've got everything covered. But you may not cover some things enough. Or you may cover other things too much.
You've taken pains to ensure you're not isolated from business group leaders--even physically moving your desk out of the security group. Why is that important?
It's the best way to find the pain points and risk concerns of the business. Then, when I focus on architecture, I know I'm aligning it with business needs. Many security professionals become isolated. We forget whose needs we're meeting. If I'm connected with those people, I can link my architecture to their needs. And I can link business value to my initiatives, which is sometimes tough in security.
As a member of Women in Technology International and an IT veteran, what changes have you seen in women's roles in the security field?
I've read that the number of women in the technology field has decreased over the years. But I'm starting to see more women in information security--the risk side and the privacy side. Many women know those are great areas to leverage both technical skills and communication skills. You can't do that in some IT roles--technical skills are important, but the communication side is less so. In security, we get a chance to leverage other skill sets, plus it's a lot more interesting. It's more challenging, but more mentally stimulating too.