How Stryker's First-Ever CISO Reined In Cloud Chaos - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IT Leadership // Security & Risk Strategy
08:06 AM

How Stryker's First-Ever CISO Reined In Cloud Chaos

From her post as deputy CIO of The White House to being named the first-ever CISO at Stryker, a medical device manufacturer, Alissa Johnson is no stranger to challenges. Here's a look at how she reined in an environment loaded with cloud applications and shadow IT.

8 Secret Habits Of Successful CIOs
8 Secret Habits Of Successful CIOs
(Click image for larger view and slideshow.)

It's one thing to become the CISO of an organization. When the organization has to deal with significant regulations in the healthcare and financial sectors, it's quite another. And when you're the first CISO the company has had, responsible for setting the security policies that will govern the enterprise and its dealings with the outside world, then you find yourself in a very special situation.

That's the position Dr. Alissa Johnson, CISO of medical-device manufacturer Stryker, found herself in when she took the job in March 2015.

It's not as though Johnson wasn't accustomed to a high-profile position. Previously a CTO with Lockheed-Martin in a government-facing division, she dealt with serious issues. And as deputy CIO for the White House, with security organizations reporting into her office, the issues were as serious as they come.

The position with Stryker was different, because everything was happening for the first time. "I am the first CISO because they had a hunger for information security and thought it was the right time to bring in a CISO. It was a new role for the company, which gives me a green field," said Johnson, who explained that establishing the position opened the organization's eyes to new opportunities.

Create a culture where technology advances truly empower your business. Attend the Leadership Track at Interop Las Vegas, May 2-6. Register now!


Johnson said that, coming into the position, "I was prepared to be appalled and surprised, and so was the CIO. We were all prepared to be surprised." She anticipated the surprise because there was no baseline for security. No one at the company had a firm grasp on what the situation looked like.

Mysteries in the Network

"Any CISO who says he knows everything about the network is lying," said Johnson, but that didn't mean she was comfortable with a high level of uncertainty. "You have to be in the mindset of chasing the unknown," she said. For Johnson, that chasing included trying to figure out what employees were using, and which vulnerabilities the applications and services brought with them. "There were lots of vulnerabilities, both those we knew about and those we didn't," she said.

Dr. Alissa Johnson

(Image: Stryker)

Dr. Alissa Johnson

(Image: Stryker)

"When I came in, I was flabbergasted by the number of cloud services being used," Johnson continued. "I was counting the number of cloud services in my head, and there are things like URL shorteners that I don't think about as cloud services, but I found that the world was much bigger than I thought it would be." The initial "baseline" effort found scores of cloud services and applications in use by the company's 27,000 employees worldwide that weren't on any IT list.

Johnson said that it wasn't merely the number of cloud services, but the nature of those services that gave her pause. "I have teenagers, and I think of myself as pretty savvy, but coming here and getting the number of cloud services, and then finding which ones were high risk -- about 75% -- was eye opening," she said. "I've used a lot of them, but in an enterprise setting that's not where you want your data sitting."

A Gradual Approach to a Win

After getting a handle on the situation, she moved to improve security while gaining the trust and support of management around the company. It wasn't as though she suffered from a lack of options on where to start her efforts. "There was a lot to get done, so I could have thrown a dart at the wall to choose a first step," she said. The point of her dart found "define acceptable cloud services" as its bullseye. Johnson said that they adopted Office 365 as the center of the company's new cloud initiative and began to steer users toward Microsoft's applications and several related services.

"My first purchase was Skyhigh" cloud security software, said Johnson. It was important to Johnson to focus on the way the change was made. "We didn't instantly cut people off from services. I allowed the Skyhigh tool to pop up information when employees went to something we would eventually block," Johnson said. Once the warnings started going up, blocks were put in after a few weeks to allow employees to move data and change routines.

The gradual approach paid dividends throughout the organization. "This was low-hanging fruit. The board saw cloud services being standardized and could support the whole security plan," Johnson said. Board buy-in was critical, but support from the rest of the organization was important, as well. She said total organizational acceptance is key to minimizing the growth of the "shadow IT" that she sees as part of the new normal in enterprise IT. "We've got to look at where [shadow IT] started," she said. "No matter where it started -- infosec or something else -- IT started showing up as the team of 'no.' So people went around and got around the process."

Positive Change

Johnson's approach to minimizing shadow IT is one of being relentlessly positive. "Instead of saying no, you say 'yes, and...' Yes, you can use this, and we'll secure it this way. Yes you're using this, and it's not approved so we need to do this instead," she said. "We have to be more in tune with the business. Shadow IT will be here as long as we say no and don't offer alternatives."

Ultimately, Johnson was able to break her strategy into concepts and words that the organization could accept. "I broke it out into three areas: Stop the bleeding, build the muscle, and sustain the health. This is a medical technology company, so these terms resonated with the company," she said.

The other thing that resonated within the company was the understanding that they had to take a new approach to security. "There are so many new threats, and so many new products to protect on the network. I had a board that was hungry for security, and that's the only way this would work," Johnson said. She is an example of a new CISO who has taken a fresh set of eyes to an old set of problems. Stryker seems ready to reap the fruits from the security green field Johnson was given.

Rising stars wanted. Are you an IT professional under age 30 who's making a major contribution to the field? Do you know someone who fits that description? Submit your entry now for InformationWeek's Pearl Award. Full details and a submission form can be found here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
3/8/2016 | 9:55:13 AM
Top down approach
Protecting the organization and its data resources requires the complete support of the executive management team with the top business technology leader as a fully functioning member of this group with control and influence over business technology spend regardless of the department or group doing the spending.  It can't be done by an IT manger several levels down in the organization reporting to the head of accounting which is still the organization structure at the majority of corporations.  Otherwise shadow IT results in extreme exposure, risk, and potentially high losses.  Few non-technology executives understand these consequences particularly by the revenue generating areas that seem to always be getting "their" way right or wrongly.
10 Trends Accelerating Edge Computing
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/8/2020
Is Cloud Migration a Path to Carbon Footprint Reduction?
Joao-Pierre S. Ruth, Senior Writer,  10/5/2020
IT Spending, Priorities, Projects: What's Ahead in 2021
Jessica Davis, Senior Editor, Enterprise Apps,  10/2/2020
White Papers
Register for InformationWeek Newsletters
Current Issue
[Special Report] Edge Computing: An IT Platform for the New Enterprise
Edge computing is poised to make a major splash within the next generation of corporate IT architectures. Here's what you need to know!
Flash Poll