Alissa Johnson is a rarity among technology executives: She has said no to a President of the United States.
“I have said no to certain things,” over her term as deputy CIO for the White House during the Obama administration, she admits with a laugh.
And in her current job as vice-president and CISO of Xerox Corp., she has said no to the executives of that multi-billion corporation.
It’s part of the job that any CIO or CISO has to do, she said in an interview Thursday. The trick is knowing how to do it in a way that you’re not known as “the CISO of No” to the entire organization.
“There are times when you have to say ‘This is not the best idea.’ You’ve got to be OK with saying that. And I think you’re more valued as a leader when you can say no and give a really good reason why not.
“I can’t be the one to stall innovation. I’ve got to be the one that says, ‘You can do that, but these are the ramifications, or, These are the ways we need to mitigate the risk.’ That’s an easy discussion to have with our CEO, with our CTO.” But, not she admits, with a President, especially one like Obama who wanted to live a (relatively) normal life.
Johnson was interviewed on a wide range of issues, from her introduction to technology after being hired by the National Security Agency to the role of a CISO.
Born in Albany, Ga., she was recruited by the NSA in 1996 after graduating with a degree in mathematics from Savanna State University. No, she was not a spook, but developed cryptographic algorithms, which led to being involved in software implementations.
“It was a good experience, great background, great entry into a lot of the things you can do with math and technology and computer science.”
Later she earned a Master of Science in telecommunications and computer networks from George Washington University, and a PhD in information technology management from Capella University. After working for the government she held positions in the private sector before working for the White House.
Albany is what she calls a very small town (its 2010 population was 77,500), the kind of place she says where folks assume a mathematician must be a teacher. “It was so interesting to me to do something else, something that was very valuable … and serving the country.” The city is also small enough that it’s a big deal when a former resident works in the White House, and comes home for a spell.
She says Albany is also part of who she is. “I don’t just bring a female perspective, or a minority perspective” to a job, she stresses. “I’m bringing a cultural diversity in thought perspective as well.”
As expected, being a woman in technology hasn’t been easy. “I constantly find myself being the only one in a meeting, I constantly find myself being the only one at a lot of executive-level meetings. I have, at a company I worked at before, been the only one there.
“I’m kind of desensitized to it” she adds, “because I’ve been doing this so long. I still notice it, definitely, but it doesn’t really bother me at a meeting … It’s not as scary as people may think it is.”
It’s helped that she’s outgoing. “I’m a really aggressive personality that loves to stand out, that loves to constantly contribute — whether I should or not. If I have something to say I’m going to say it,” she laughs. “There’s a lot of passion I have in this area, so it’s an easy transition for me.”
Women don’t have to be one of the guys to succeed, either, she says. “I actually think there are certain attributes that women have – and there’s some studies that have said this, too –that make them very effective in technology fields. We over-process, sometimes our emotions and gut will lead us in a direction. Let me tell you, there’s nothing wrong with that … and so I don’t think she has to be macho. I think you have to be who you are.” But, she adds, women should find ways to bring energy and passion into the workplace.
Still, she ducks when asked about her reaction to the controversial memo on women written by a (now former) Google engineer who said that women have “a stronger interest in people rather than things” and that they “prefer jobs in social or artistic areas.”
“I’m going to stay away from that,” she replied, “because I would be giving a personal opinion and I don’t want that to be portrayed as Xerox’s position.” But she did say organizations should not only consider diversity in gender but also in thought and in leadership. “Sometimes that is brought in through different genders, sometimes through different cultures, sometimes through different ethnicity. Diversity is not just a gender discussion.”
The security incident that most worried her recently is the outbreak of the WannaCry ransomware. “WannaCry alarmed me because I could no believe something that happened on this massive scale that really could have been prevented with basic security practices,” she says. Then, she adds, that alarm changed to resignation when she realized a lack of basic security practices was the cause.
Sometimes, she believes, infosec pros are mesmerized by a “shiny widget” and ‘look at this new great thing’ and sometimes forget about basic obligations such as patching and testing. “The warning for WannaCry came out in March,” she complains. “We can’t continue to be surprised when the adversary is continually hitting holes that should have been patched.”
Some CISOs at larger enterprises might object, it was pointed out, arguing they need time to test patches in their complex environments. True enough, she concedes. But there are still ways to test the impact of patches through modeling software. And if it costs too much to replace a legacy system at least isolate it – unplug it from the Internet or install a firewall, she says.
The worst mistake CISOs make is creating a governance structure that matches the organization’s culture, Johnson says. “Sometimes we fall into a trap of making decisions based on how our culture will accept cyber security: ‘I can’t implement multifactor authentication or digital rights management. That’s going to be difficult for my company.’
“A lot of times you’ve got to turn that around and make the culture understand what is needed for good security governance. It’s not the other way around. That shift changes how you do your security investment, your risk appetite.”
The way CISOs can be persuasive in the C-suite is to talk there in business terms, explaining how technology enables business, she maintains – which, she adds, is the lesson CIOs learned. “When I talk to the CEO of Xerox [NYSE: XRX] about cyber security (it’s about) what our risks are, how those risks will impact our growth, will impact our innovation – those are things he cares about … We have to translate our technology language into business language – profits, growth, revenues, and risk.”
The last time she (politely) said no to Xerox chiefs was in May. She wouldn’t detail the issue, but said “my advice and recommendations were taken seriously. They were outlined in a very strategic way where they would understand the strategic repercussions and the direction of how it would affect Xerox strategically, and they accepted that direction.”
“I like to use this phrase: Technology is an enabler, cyber security is a differentiator.” Show the C-suite cyber security makes your organization valued with customers will make it an easier an easier conversation.
Certainly better than saying no.