It's one thing to become the CISO of an organization. When the organization has to deal with significant regulations in the healthcare and financial sectors, it's quite another. And when you're the first CISO the company has had, responsible for setting the security policies that will govern the enterprise and its dealings with the outside world, then you find yourself in a very special situation.
That's the position Dr. Alissa Johnson, CISO of medical-device manufacturer Stryker, found herself in when she took the job in March 2015.
It's not as though Johnson wasn't accustomed to a high-profile position. Previously a CTO with Lockheed Martin in a government-facing division, she dealt with serious issues. And as deputy CIO for the White House, with security organizations reporting into her office, the issues were as serious as they come.
The position with Stryker was different, because everything was happening for the first time. "I am the first CISO because they had a hunger for information security and thought it was the right time to bring in a CISO. It was a new role for the company, which gives me a green field," said Johnson, who explained that establishing the position opened the organization's eyes to new opportunities.
Johnson said that, coming into the position, "I was prepared to be appalled and surprised, and so was the CIO. We were all prepared to be surprised." She anticipated the surprise because there was no baseline for security. No one at the company had a firm grasp on what the situation looked like.
Mysteries in the Network
"Any CISO who says he knows everything about the network is lying," said Johnson, but that didn't mean she was comfortable with a high level of uncertainty. "You have to be in the mindset of chasing the unknown," she said. For Johnson, that chasing included trying to figure out what employees were using, and which vulnerabilities the applications and services brought with them. "There were lots of vulnerabilities, both those we knew about and those we didn't," she said.
"When I came in, I was flabbergasted by the number of cloud services being used," Johnson continued. "I was counting the number of cloud services in my head, and there are things like URL shorteners that I don't think about as cloud services, but I found that the world was much bigger than I thought it would be." The initial "baseline" effort found scores of cloud services and applications in use by the company's 27,000 employees worldwide that weren't on any IT list.
Johnson said that it wasn't merely the number of cloud services, but the nature of those services that gave her pause. "I have teenagers, and I think of myself as pretty savvy, but coming here and getting the number of cloud services, and then finding which ones were high risk -- about 75% -- was eye opening," she said. "I've used a lot of them, but in an enterprise setting that's not where you want your data sitting."
A Gradual Approach to a Win
After getting a handle on the situation, she moved to improve security while gaining the trust and support of management around the company. It wasn't as though she suffered from a lack of options on where to start her efforts. "There was a lot to get done, so I could have thrown a dart at the wall to choose a first step," she said. The point of her dart found "define acceptable cloud services" as its bullseye. Johnson said that they adopted Office 365 as the center of the company's new cloud initiative and began to steer users toward Microsoft's applications and several related services.
"My first purchase was Skyhigh" cloud security software, said Johnson. It was important to Johnson to focus on the way the change was made. "We didn't instantly cut people off from services. I allowed the Skyhigh tool to pop up information when employees went to something we would eventually block," Johnson said. Once the warnings started going up, blocks were put in after a few weeks to allow employees to move data and change routines.
The gradual approach paid dividends throughout the organization. "This was low-hanging fruit. The board saw cloud services being standardized and could support the whole security plan," Johnson said. Board buy-in was critical, but support from the rest of the organization was important, as well. She said total organizational acceptance is key to minimizing the growth of the "shadow IT" that she sees as part of the new normal in enterprise IT. "We've got to look at where [shadow IT] started," she said. "No matter where it started -- infosec or something else -- IT started showing up as the team of 'no.' So people went around and got around the process."
Johnson's approach to minimizing shadow IT is one of being relentlessly positive. "Instead of saying no, you say 'yes, and...' Yes, you can use this, and we'll secure it this way. Yes, you're using this, and it's not approved, so we need to do this instead," she said. "We have to be more in tune with the business. Shadow IT will be here as long as we say no and don't offer alternatives."
Ultimately, Johnson was able to break her strategy into concepts and words that the organization could accept. "I broke it out into three areas: Stop the bleeding, build the muscle, and sustain the health. This is a medical technology company, so these terms resonated with the company," she said.
The other thing that resonated within the company was the understanding that they had to take a new approach to security. "There are so many new threats, and so many new products to protect on the network. I had a board that was hungry for security, and that's the only way this would work," Johnson said. She is an example of a new CISO who has taken a fresh set of eyes to an old set of problems. Stryker seems ready to reap the fruits from the security green field Johnson was given.