From global cyberthreats to the security echo chamber: 4 questions with Xerox's CISO
Technologists and enterprise strategists have a tendency to silo industries. That means IT and cyberthreats are treated differently across sectors, from healthcare to retail to government.
But a siloed approach to technology does not allow for a full glimpse of what is happening in the current threat landscape, said Dr. Alissa Johnson, VP and chief information security officer at Xerox, in a conversation with CIO Dive. After all, attackers are using the same tools against targets whether their victims are in government or industrial IT.
Johnson previously served as the deputy chief information officer in the office of The White House, before making the jump to the private sector in March 2015 and taking the role as Xerox's CISO in October 2016.
The White House was an "always on" environment, though IT decisions were isolated to the immediate office, Johnson said. But now, at Xerox, Johnson is part of a global company and has to take into consideration international policies, such as GDPR. For her, the scope is different.
The following conversation has been edited and condensed.
What was your role at the White House?
Johnson: I was responsible for White House technology, Camp David and Air Force One ... certain pieces of it.
I'll tell you this, it was an interesting time ... [but] it's very predictive. And what I mean by that is, depending on what the president (Obama) said, you could see, 'oh, nation state is going to now come against us.' If he spoke on gun control, it may be hactivist groups or special interest groups that are now targeting us.
Even [after the] State of the Union, that's like our Super Bowl, we would be able to see different threats based on what his comments were. We could trend it. We could do some predictive analysis on where we thought we were going to get the most activity in that 72-hour period. ...
But [when], you come out of that and plant me into private industry, it's not that predictive. I have no indicators. I have nothing. ... Aside from all of the indicators, aside from the predictiveness, I kind of look at the threats and things I was going against there [and] hackers are using the same tools and the same methods that they were using when I was in the White House. Xerox doesn't have any nuclear secrets, but [hackers are] using the same [tools].
What is it like being at a company as large as Xerox and what are you security priorities?
Johnson: My priorities are more against prevention. So you think about the NIST framework and all of the different layers. My priorities are at the top and at the very bottom: The prevention and then the respond and recover.
I want to prevent things from happening. Then the gooey stuff that's in the inside — the defend, the detect, all of that — the stuff that makes a solid security posture.
But then you want to also put your investments [into] responding and recovering. Because you want to be prepared when something happens. ...
Something is bound to happen. Something is probably already happening in everyone's network. But it is, how you respond to it and then how do you defend against it in the future.
How do you look at a case like Equifax and then augment and pivot your security approach internally at Xerox?
Johnson: Here's the thing, and I'm not going to pick on Equifax, I'm going to pick on all breaches that have happened in the past three years.
If you get down to the basics of what has happened in those breaches ... we've been going towards the shiny object, the shiny widget, the newest innovation ... and have forgotten, we need to patch, we need to sunset legacy systems, we need to make sure that there's proper network segmentation if needed.
There's certain things, key things, that we have left on the table. Even as we continue to help enhance innovation and help secure innovation, we've got to do those things on the foundation that have been taught as the basics. ...
If you look at the failures of WannaCry. Security operations centers knew WannaCry was coming out before it even came out. It was released and bugs were happening in the dark web and other areas months before WannaCry came out.
So there's your red alert. There's your time to say 'oh my goodness, I haven't patched. Let me remember that I've got all of these legacy systems and I've got to patch and I've got to do all of these other things.' But I think sometimes we don't pay attention to the alerts and we have to. That's our responsibility.
How do you communicate these emerging threats outside of the security echo chamber?
Johnson: You can't talk to the geeks about it. To really make an impact, I have to be talking to the C-suite. And the way that I do that is turn all of this [into] terms of profit, growth and revenue.
Security is all good as long as nothing happens. When something happens, it affects profit, growth and revenue. Our conversations have to be turned in that way, which means the [CEO's] job is to be aware of all the profit, growth and revenue that's coming in and out. ...
So I can't talk — and I don't — I don't talk to [Xerox CEO Jeff Jacobson] about 'oh, WannaCry is coming and this is what we're doing.' I raise it up a level and tell him 'hey, we've got some systems that need to be patched, we've got things that need to happen.' ...
CISOs, it's our responsibility to make sure we're having the right conversation at the right level, because we can geek out.
Follow Naomi Eide on Twitter