
An Interview with Marene Allison, Former Global CISO at Johnson & Johnson: From West Point Pioneer to Global CISO

In this session, hear from Marene Allison, former Global CISO at Johnson & Johnson, who was responsible for protecting the company's information technology systems and business data worldwide.

Johnson & Johnson's former CISO Marene Allison shares how her groundbreaking military career shaped her approach to cybersecurity leadership, revealing why resilience and diverse teams have become essential in today's threat landscape.

Session Summary

In this thought-provoking conversation from RSA Conference with Bishop Fox's Tom Eston and Allan Cecil, former Johnson & Johnson CISO Marene Allison reflects on her pioneering career journey and the evolution of cybersecurity leadership. Allison begins by introducing herself as a "recovering CISO," whose career has spanned the Army, FBI, and corporate security leadership, most recently concluding a 12-year tenure as CISO at Johnson & Johnson. When asked about her experience as part of West Point's first class of women—a group she still maintains close connections with—Allison shares how repeatedly hearing "women can't do this" throughout her military career instilled a determination summarized by her response: "watch me, we can do this."

The conversation shifts to Allison's leadership of Johnson & Johnson's security program during the company's COVID-19 vaccine development, a period that put the healthcare giant "on the world stage" and dramatically elevated its threat profile. She reveals that during this critical time, her military background and engineering expertise proved invaluable in navigating unprecedented challenges. Allison describes how the healthcare industry experienced three consecutive years of 30% increases in ransomware attacks from 2020-2022, alongside a surge in DDoS attacks targeting healthcare organizations. Her response exemplifies the importance of public-private collaboration—her first call was to then-CISA Director Chris Krebs, leveraging their pre-existing relationship to coordinate protection efforts within Operation Warp Speed.

Throughout the interview, Allison emphasizes how the evolving threat landscape has fundamentally transformed security leadership. She marks the 2017 NotPetya attack as a pivotal moment that shifted the CISO's role from building "higher walls and deeper moats" to focusing on organizational resilience—acknowledging that determined nation-state actors with substantial resources will eventually breach defenses. This perspective informs her current advisory work, where she helps security technology vendors understand how their solutions fit into broader ecosystem needs rather than functioning as standalone tools. Allison concludes with powerful insights on diversity, noting that effective security teams require not just technical specialists but also professionals with backgrounds in audit, communications, and marketing—drawing an analogy to a "quiver" of diverse arrows that leaders can deploy strategically to achieve superior outcomes.

Key Takeaways

  1. Military experience provides essential security leadership foundations - Allison's West Point training and military service instilled a determination to overcome challenges and the ability to respond effectively during crisis situations.
  2. Public-private partnerships are crucial during security crises - When J&J began developing COVID vaccines, immediate collaboration with government agencies became essential to protect critical healthcare infrastructure.
  3. The healthcare sector faces escalating targeted attacks - Healthcare organizations experienced three consecutive years of 30% increases in ransomware attacks from 2020-2022, alongside rising DDoS attacks.
  4. NotPetya marked a fundamental shift in CISO thinking - The 2017 destructive malware attack transformed security leadership from focusing primarily on prevention to emphasizing organizational resilience.
  5. Diversity extends beyond demographics to experience domains - Effective security teams need more than technical specialists—they require professionals with backgrounds in audit, communications, and marketing.
  6. Security technology value depends on ecosystem integration - Vendors should focus less on standalone capabilities and more on how their solutions complement existing security architectures and frameworks.
  7. Relationships remain security's most valuable currency - The ability to "pick up the phone" during a crisis, as Allison did with Chris Krebs, often proves more valuable than any technical control.
