Johnson & Johnson CISO Marene Allison Talks About How the NTSC Keeps Her Informed About National Cybersecurity Policy

Marene Allison, Vice President and Chief Information Security Officer for Johnson & Johnson, has responsibility for protecting the company’s information technology systems and business data worldwide. This includes ensuring that the J&J information security posture supports business growth objectives, protects public trust in the J&J brand, and meets legal/regulatory requirements. She is a member of the company’s Regulatory Compliance Council and regularly reports to the Johnson & Johnson Board of Directors on cybersecurity risk. Before joining the corporate world, Allison served as a Special Agent in the FBI working on undercover drug operations in Newark, New Jersey, and terrorist bombings in San Diego. She holds a Bachelor of Science degree from the United States Military Academy at West Point and was part of the first class to include women.

As a member of the NTSC’s Board of Directors, Allison notes that the organization’s value stems from its ability to distill complex legislative information down to the essentials—giving CISOs actionable information about national cybersecurity policy while providing them a unified voice in Washington, D.C. In this short Q&A, Allison discusses why she joined the NTSC, why its mission is so important, and why other CISOs need to get involved.

Why did you join the NTSC?

I joined because of the value it adds to my role as CISO and the force multiplier it creates for the CISO community. It’s impossible today for a CISO in the United States, or anywhere in the world, to understand the multitude of international, federal, state, and local laws descending on data and technology security. And while I use the term “security,” a lot of the impact in our industry also originates from privacy laws that affect IT and security. The NTSC provides me with knowledge and understanding about national cybersecurity policy from a security perspective instead of just an attorney’s perspective. Through the NTSC, I also gain visibility into what’s going on in the CISO space and what other CISOs think is most important right now.

Why is the NTSC’s mission so important?

The NTSC’s mission is important because 50 states and the federal government don’t always agree on what “good” national cybersecurity policy looks like—including definitions and how laws and regulations are applied to CISOs. Not all legislators or their staff may have the experience or opportunity to really understand a CISO’s perspective on the use of technology. Instead, there may be a focus on “hot button” projects and not topics that drive impact for consumers, patients, and businesses. It’s the role of the NTSC and CISOs to help policymakers fully understand the security and technology ramifications of laws and regulations on different industries and businesses.

Also, the NTSC helps CISOs understand some of the implications of proposed laws and regulations. The NTSC is able to distill complex legislative and regulatory information down to important items, rally industry behind those items, and come up with a resolution path instead of individual CISOs doing it themselves.

What are a few examples of ways that you’ve personally benefited from participating in the NTSC?

The NTSC’s work around IoT has complemented the important work I’ve done with the Aspen Institute. In healthcare, our medical devices could be described as Internet of Healthcare Things. The NTSC is helping to ensure that national policy doesn’t become too broad-based. Using the example of IoT, while many requirements can be included about IoT, there are distinct differences between healthcare IoT and general IoT requirements. For example, when a medical device is implanted in a patient, you potentially have a need for updates to be more controlled and personalized rather than automatic. The NTSC has helped frame the understanding of legislators and lawmakers with regard to IoT legislation and enabled the FDA to manage the cybersecurity of medical devices.

For CISOs currently not participating in the NTSC, why do they need to get involved? What are they missing?

CISOs need to focus on their company’s priority items and specific initiatives related to their companies. The NTSC speaks the language of CISOs, providing insightful perspectives on national cybersecurity policy so that we are informed and able to ensure security in our organizations.

Plus, Patrick Gaul is wonderful. His energy, expertise, and ability to bring people together around national cybersecurity policy are just awesome. We’re lucky to have him as our Executive Director. Believe me, I wasn’t looking to join another CISO group of any type. But the NTSC happens to be a group that provides a lot of value to me.