November 5, 2024 23 mins

Unlock the secrets of effective insider risk management with Marene Allison, the former CISO of Johnson & Johnson, as she takes us on a journey through her illustrious career in cybersecurity. From her intriguing transition from military police to managing IT security for the World Cup, Marene shares captivating stories like thwarting a logic bomb attempt at Medco. Her emphasis on prioritizing process over technology offers invaluable insights into tackling insider threats, legacy technology challenges, and strategic loss prevention. Marene's thoughtful approach to cybersecurity underscores the impact of collaboration, highlighting the necessity of engaging with non-IT departments to safeguard critical data assets.

In a conversation rich with wisdom and experience, we also explore the transformative power of mentorship with Cody, an advocate for the "pay it forward" philosophy. By fostering a culture of reciprocity, Cody inspires his mentees to guide others, amplifying the positive effects of mentorship in the cybersecurity field. This episode celebrates the unique skills that military veterans bring to the corporate world, emphasizing their significant contributions to data protection and security strategies. Join us for a thought-provoking dialogue that not only educates but also inspires a new generation of cybersecurity professionals to build a more secure future through collaboration and mentorship.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:04):
Thanks for tuning in to Simply Solving Cyber.
My name's Aaron Pritz.

Speaker 2 (00:07):
And I'm Cody Rivers.

Speaker 1 (00:09):
And today we're here with Marene Allison, formerly retired CISO of Johnson & Johnson, active practicing board member and recently started her own consulting firm, Marene Allison Consulting, and I won't steal any more thunder, we'll let her talk about that and her focus.
Marene, welcome to the show.

Speaker 3 (00:28):
Well, thank you Aaron. Welcome Cody.
I'm glad to be here and to be associated with you both.
Yeah, you know, I retired almost two years ago.
It seems like time has flown and I thought, you know, retirement was going to be a Barcalounger and bonbons, watching old episodes of TV, but here I am.

(00:50):
Or Netflix, but here I am.
I'm busier than I could ever want to be and doing all sorts of great things.
And, you know, throughout my entire career, whether it be on government side or on physical

(01:11):
security or IT security, so it's come full circle.

Speaker 1 (01:13):
Glad to be here.
Yeah, thanks again for joining.
Well, I'll kick off with first question.
Tell us your origin story getting into cyber.
What can others learn from your path in and give us a little taste of that.

Speaker 3 (01:27):
Yeah, I'm one of those folks that, even though I had electrical engineering concentration from West Point, I didn't actually start with bits and bytes in computer science.
No, I started more on military police and I started in physical security.
And when I got out of the army and FBI I actually started on

(01:52):
head of loss prevention for A&P Foods, which was around shrink and loss in a grocery store, and I backed into a little bit of the IT as I went into business continuity for Y2K.
And then when I left A&P, I went over to Avaya Telecommunications and though I was physical security, the IT

(02:16):
security left and they said, hey, Marene, you have IT security now.
And I said, OK, that's cool.
And then they go. And oh, by the way, and this is February, in June we're going to provide voice over IP, the first production used for the network in the World Cup in Japan and Korea, and you have to run the security operations center.

(02:38):
So I jumped in with both feet all at once on a grand stage.

Speaker 1 (02:46):
Very nice.
I'm sure you said thank you for the opportunity and booked your tickets to Japan right.

Speaker 3 (02:51):
I did and thank you, whichever airline I went on, because I lost my luggage and I didn't have luggage in Japan and had to go to a store, and I'm a good-sized girl, so it was hard to find Japanese clothes that fit me.

Speaker 1 (03:08):
Well, as a former BCP owner in the prior role did you have a good travel BCP that you enacted.

Speaker 3 (03:15):
I did after that trip.
I had always, you know, my luggage had always caught up with me.
But after that, everyone who was coming over to support the World Cup, I told them to make sure that in their carry-on they carried, and gave them a full list.
So after that, and forevermore, I'm covered.

Speaker 2 (03:37):
Well, that's awesome, Marene, this is a special podcast for me just because our relationship and our past and a lot of the reason I wanted to get you on here was just to hear a lot of your stories and you've tackled some really cool things in your career and have a very, very interesting and cool stories I think we can all learn from.
But one thing that we hear a lot of today that Aaron and I focused on a lot recently are going to be around like insider

(04:02):
threat and insider risk management.
It's. It's and I like how you said loss prevention earlier on the physical side, because that's also a key thing with DLP programs.
I think when they took off early it was credit cards and PCI numbers and then it quickly moved to like how do I prevent like crown jewels and IP and that kind of stuff, and so

(04:23):
really want to hear your take and maybe some cool stories from the front lines and over the time where you kind of had some challenging insider risk topics or challenges and how process maybe won the day versus technology.

Speaker 3 (04:37):
Yeah, you know, technology is great if the technology is aligned to actually work so that whatever you put in place works.
What I would tell you there's a lot of corporations over the years that maybe is not so right.

(04:59):
They have potentially legacy technology or legacy processes that create so that that brand new technology isn't going to work just as you need it.
And early on when I was at a company called Medco, we were looking at the program that was needed to stand up HIPAA, and there weren't a lot of the technologies or they were so

(05:21):
industrial, like logging of access, they were so difficult to manage that they didn't work or didn't work on a mainframe the way that you needed them to do, or you had to do the coding.
So we instituted something which was the supervisor once a week got to review their employee's code that they had

(05:43):
inserted. That was going into the mainframe as part of the change control to make sure that it was accurate and correct.
And supervisors looking and going wait a minute, there's something wrong with this.
Why is this going in?
And come to find out it was someone was trying to put a

(06:03):
logic bomb on a mainframe computer that actually housed 65 million Americans' pharmacy benefit history.

Speaker 2 (06:16):
And we said wait a minute, that's not good.

Speaker 3 (06:18):
That's not good.
And come to find out, the guy thought he was going to be laid off, because layoffs were happening, and he was never intended to be laid off, but he let. He wanted to make sure his code went and so we called in the FBI and did a full investigation.

(06:38):
He went to jail for 37 months and then was deported after his prison sentence.

Speaker 1 (06:46):
So sometimes it's the easy stuff.
Was the logic bomb intended to destroy his code?
Or was it kind of like the movie Office Space where they were shaving the cents off of every dollar to feed an account?

Speaker 3 (07:02):
Classic, no, he wasn't in it for money gain.
He was in it for revenge.
Yeah, and you know I found this in a lot of instances where people it's just revenge because they think they can and no one's looking.
And you know people always want to say big brother is looking.
Actually it's big sister.

Speaker 2 (07:23):
Like that.
So to think about this, a lot of our clients are looking at now and say, hey, people we work with like where do I start?
Either I've got a program that's it was too big and never got off the ground, I don't have executive support, or I'm just not sure what is good enough, what, what's some advice that you would say as to a practitioner working and saying

(07:43):
how do they approach insider risk or insider threat program?

Speaker 3 (07:46):
Yeah, you know there's a lot of places to start and you'd be surprised at how many insiders can be in a corporation and even looking at some areas like you may have a third party risk.
And you say, hey, we're pretty buttoned down on access.
But do you have a portion of your company that maybe doesn't

(08:08):
go through the procurement process the same way as everybody else?
And the one that I have found over the years is the legal department, the lawyers.
Lawyers will give full access to the SharePoint for discovery by a third-party firm and you go well, wait a minute, why do they have full administrative rights to the SharePoint?

(08:30):
And so you know you can look in a lot of areas and close a lot of doors when you go through without a lot of you know advanced technology.
Then there's certain technologies that you're going to start bringing in, and you know I've always the DLPs are

(08:52):
great, but you have to have a plan with them and what is it you want to do?
And until you can see that, hey, wait a minute, I have clinical data here and it looks like this and it's tagged, then you can say wait a minute, where's it going?
You know what's somebody doing with it.

(09:13):
And that's where I say is have a plan. That's around the business data that you're trying to protect versus we, as cybersecurity professionals, like I'm going to protect it all.
And I got to you and I've seen that I had an internal audit department that wanted me to put in a DLP when I didn't have an

(09:33):
intrusion detection system in my company or we didn't have a proxy.
We didn't have a proxy and they wanted me to put in DLP.
And I'm like, yeah, no, that's not going to work.
And so it's having logic and then having a plan and being able to articulate it, because you're going to ultimately have to report it to senior executives and the board and the

(09:54):
funding for it.
So know where you're going.

Speaker 1 (09:57):
Yeah that's a great point.
We've seen a huge reflux or reoccurrence of the topic of information classification and obviously that's not a new topic.
It's not a new concept.
You were probably using it in your military days long before you know the corporate world even adopted it.
But we've really seen and you mentioned pushing DLP and I've

(10:21):
seen companies try to do it without understanding their crown jewels.
But give us your thought on InfoClass and you know maybe where you've seen it done right and wrong and you know how do companies make a difference if they're trying to protect data.

Speaker 3 (10:35):
Yes.
So you know I always like it because you know you have the regulated data, like HIPAA data or Gramm-Leach-Bliley data, social security number.
We all know are things that need to be protected.
They're fairly easy because it's constructed data that you

(10:58):
can find very easy, but the reality is it goes back to. You are a business, what is driving your revenue stream and then also the brand behind that revenue stream and identifying that data and where it is.
The reality of today is will every byte of data be 100%

(11:24):
protected and not go anywhere?
Yeah, that's not going to happen.
So it's really looking at the data sets that are extremely important to you and important to the business.
And that could be a regulatory importance.
You know certainly the HIPAA, the protected health information, but it also can be brand reputation.

(11:45):
But when you start trying to protect all data equally everywhere all at once, that's when you start getting into trouble, versus getting it down a line of business for the business outcome.

Speaker 1 (12:00):
Great point.
It's a great point.

Speaker 2 (12:02):
Yeah, excellent.
So in that same vein you know InfoClass we see a lot of information classification or what we've shortened as InfoClass, and I think a challenge is and you are a big proponent of this is like talk to the business, talk to the business process, because it's in a vacuum.
Just to release these distribution controls and

(12:24):
classification controls in parallel is the hard part, because a lot of it's training people and teaching people what they handle.
So if you're putting these controls and heavy things up front, there's a high chance you're going to break business process and then lose some of those allies that you may not have worked hard to create.
So any advice on how to create the alignment or the

(12:46):
partnerships with the non-IT or non-security function?

Speaker 3 (12:52):
Yeah, go talk to them, it's really easy.
Go buy them a cup of tea and I have a little program. People who know me, I call it three cups of tea.
And the first time you go and they're not even talking to you, they like talk to the hand.
The second time you're there, you know you can start to have a conversation.
They think you might be their help desk and they, you know,

(13:13):
like, hey, do you know how to do this on the computer?
And then by the third time you're, you're talking strategy, what is? What is their important data?
How you can work with their senior leaders to be able to identify what their crown jewels are and what's important to their reputation, and then you're golden.
I mean, then you're into your business continuity planning and

(13:36):
your recovery.
You're ready for a tabletop exercise and once they see the exposure they potentially could have, they're the ones they're driving you.
I mean there's a lot of business leaders I had to say, wait a minute, we can't do all that this week.
Let's look at a plan on how we can get that in to do this and what are the necessary steps so that you can have the assurity,

(14:00):
the availability, the confidentiality of your data.

Speaker 1 (14:04):
Yeah, no, that's a great point.
And you had all this tea back in the day.
Now the Gen Alpha kids are saying you know, I got the tea here.
That means the gossip, the juice.
So you had the tea back in the day before the tea was cool.

Speaker 3 (14:18):
Exactly.
Well, it comes from an old parable about you know you make friends after three cups of tea.

Speaker 2 (14:27):
There you go, nice, I like that, I like that.
So the CISO role has changed over the past decade and I know we had good conversations on this as well.
You're saying the CISOs you know of now, with the SEC rule and breach and everything.
So I'm thinking of the CISOs now if you get a phone call to call Marene fresh out of military at West Point so you're

(14:49):
fresh out of military and you're embarking on a career in security what are a couple tips that you're going to tell yourself that you know now, that maybe at the time you did not know, and some of the things where you bumped your head or said, hey, I wish I would have known this.

Speaker 3 (15:06):
The most important one and I learned it about 10 years, eight years in at A&P Foods collaboration is the way to go, that even if I'm right and I'm 100% right 100% of the time if others feel part of the process and help to come up with

(15:29):
a solution that it's more adopted so you get better adoption, I can just say, hey, do this, this is perfect, you'll get great security.
But if I get you to tell me the five things you could do, then you own the five things.

(15:49):
And it's part of that being able to work with people to come up with it.
And then those other areas oh, after we get these five in, what about these three?
And as you move that adoption up, then people become owner and

(16:10):
their pride of the security of their organization and making sure that the privacy data is kept private.
They will tell you things and that's what I would tell myself is collaborate more.

Speaker 2 (16:26):
I came from the military, right, military police officer and then I was an FBI agent.

Speaker 3 (16:31):
I did undercover drug operations, hey, you know what.
But the reality is just like when I you know, as I told people, as I developed informants in the FBI, just go have a conversation and ask them what's going on, and people will tell you, and then you can work with them to help their situation.

Speaker 1 (16:52):
That's great.
Maybe one follow-up and you mentioned FBI and military police and all of your history.
We've had several military veterans on our team and I love especially the newer ones that have come across to the private sector, helping them explore their experiences and pull out of them maybe something of value that they didn't realize it

(17:15):
translated into the corporate world.
And a good example I had was a gentleman that helped deploy troops out of Camp Atterbury and taught the war gaming principles, concepts to some of the officers and you know leaders that were going to be being deployed and you know, quickly my mind went to. You know tabletops and incident response plan and readiness and

(17:38):
the whole. You know Dwight Eisenhower, it's not about the plan, it's about the planning process.
So what have been some of your? You know, probably having some military veterans on your team and being a military veteran, what have been some of your biggest aha moments or surprises of talent from that community that was very applicable in cyber, that maybe it wasn't

(18:02):
intuitive up front.

Speaker 3 (18:04):
So one of the things is and it's not just military, but military comes with it is a sense of duty and mission, right, and I tell folks, when I was 17 and raised my right hand on the Plain at West Point and said I would defend against all enemies, foreign and domestic, when I retired from J&J I was doing the

(18:28):
exact same mission.
And when you get people that are tied to mission versus salaries or what their title is, you know, I had people who had to do e-discovery down in Brazil because we had a Brazilian authority that came that wanted data on the 4th of July.

(18:51):
So it was the soldiers that we had brought in through a military program that on the 4th of July, because they knew if they could get that data there, we would have employees that would not have to go and go to the police barracks or the

(19:12):
prison or the jail.
They knew if they gave that data.
So they gave it their all on that day and it wasn't about hey, am I getting overtime or whatever.
They just did it.
We took care of them a little bit later.
But it's those things, it's about the mission.
You get a cyber hunter that is a military person.

(19:35):
They're not going to stop, because it's just like they're in the military and they're looking and they're hunting and they're going to do the forensics till they figure it out when someone who's just doing it for a job may not have that same drive and mission orientation.

Speaker 1 (19:54):
Great point, yep.

Speaker 2 (19:55):
Totally agree.
Well said, well said too.
And I think for other listeners. Maybe tell us an interesting fact.
What would the listeners if they see Marene Allison? You know they got the retired Johnson & Johnson CISO for a long time this career.

Speaker 3 (20:13):
what maybe is not on paper as much and we don't need to say any confidential, but maybe a fun fact about you and that others wouldn't know generally, my husband and I run a 219-acre organic blueberry farm in North Florida so we have

(20:34):
commercial production of organic blueberries, one of the first crops in the United States of blueberries that get shipped out.

Speaker 2 (20:43):
That's excellent.

Speaker 1 (20:44):
You have an adjacent blueberry winery.
I know that's popular up in Michigan which is a state of many blueberries.

Speaker 3 (20:51):
No, no, we don't.
You know, we're pretty good.
At the end of the season we do a U-Pick operation and help the community and we do something with our veterans in the area to give back.
So, yeah, I wish I had you know the wherewithal for a blueberry winery.
But nope, just in some sense that, but no, that's

(21:12):
awesome.

Speaker 2 (21:19):
Two of the things I know too, and I think I may have told you this, but Marene is also a class of 80 at West Point, the first class of females.
So as a very prestigious program, probably a lot of new things that you were faced with and challenges that you overcame there.
And then recently it was a 2023 distinguished graduate at West Point, so I'll brag a little bit on her there.
So very, very proud of Marene there and appreciate her service.

Speaker 3 (21:39):
Well, thank you.
Thank you.
I'm just going to brag a little on Cody.
Cody didn't know that his father and I were classmates and Cody is so active in trying to grow in the cybersecurity space that he actually approached me because he saw me as a CISO leader and he wanted me to do some career counseling with him.

(22:01):
And at some point I was talking to his father and he said oh yeah, my son, Cody and I'm like Cody Rivers is your son.
And he goes yeah, do you know him?
And I said, yeah, I'm going to talk to him next Tuesday, I'm mentoring him and that's one of the things I will tell people is

(22:22):
just reach out, because everybody wants to help everybody else.

Speaker 1 (22:27):
That's a great point and you should know as well.
Cody does a lot of mentoring himself of others and up and coming talent.
So I think you know what goes around comes around and if you're going to take, you should give.
That's kind of my philosophy.

Speaker 2 (22:39):
Right yeah, I tell all my, all my mentees and the ones listening will hear this too.
I say there's never a cost for you know for mentoring.
Only thing is you got to pay it forward.
You got to find two more impetus.
One thing I say I require of you know for a mentor someone is you got to pay it forward and help somebody else.

Speaker 1 (22:57):
Awesome.
Well, I think we're about out of time.
I really appreciate you coming on the show and have a great rest of the week and weekend.

Speaker 3 (23:05):
Thank you very much, gentlemen.
I certainly appreciate it and I wish you the best of luck.

Speaker 2 (23:12):
Thank you.