EP 9 – J&J’s former CISO on trust, identity, and the future of cybersecurity

David Puner: You are listening to the Security Matters podcast. I’m David Puner, a senior editorial manager at CyberArk, the global leader in identity security.

Let’s take a quick trip back to 2020 when the global race to develop a COVID-19 vaccine was on. And the groundwork for distributing it around the world was already underway. While scientists worked in labs, cyber criminals and nation states lurked in the shadows, threatening to disrupt progress. At Johnson & Johnson, the stakes were enormous.

Delays didn’t just mean downtime. They could impact lives. Hospitals, regulators, third-party manufacturers, and global supply chains all had to be secured. Fast. Leading that charge was Marene Allison. Today on Security Matters, Marene joins us to reflect on her extraordinary career—from West Point to the FBI to nearly 13 years as CSO at J&J, a Fortune 50 company with more than 138,000 employees worldwide.

We unpack identity, innovation, trust, and what it means to lead in moments of crisis, whether it’s a zero-day exploit or a vaccine rollout. Oh, and if you’ve picked up a pint of organic blueberries lately, you might have already sampled a sweet side of Marene’s post-CSO pivot. Let’s dig in.

David Puner: Marene Allison, retired CISO, Johnson & Johnson, thanks so much for coming on to Security Matters. Really appreciate having you here.

Marene Allison: David, thank you for having me. It’s great to be here.

David Puner: Thanks so much. Let’s get right to it. You’ve had an extraordinary journey from West Point to the FBI to leading cybersecurity at one of the world’s largest healthcare companies, and you’re also our first guest that we know of who’s a member of the Florida Blueberry Growers Association, which we’ll probably try to get to later on. What inspired you to pursue a career in security?

Marene Allison: I was at West Point and I was looking at the branches and I had taken electrical engineering as my engineering sequencer, and it’s already a lot of engineering—21 credit hours a semester for a couple of years. Maybe my class rank wasn’t high enough to get into either engineering or into aviation or into Signal Corps, which is a precursor to computers. And so I decided that the branch that had the best opportunities for women and men at the time that I liked, I decided to go military police. And that’s the story of how I could get here.

David Puner: In the military police, what kind of things were you doing at that time that helped to foster that career in cybersecurity later on?

Marene Allison: Probably the best part of it was understanding how to manage an organization—the leadership skills that you get as a second lieutenant. The skills then were road controls, convoys, security for major events, kind of the white glove MP, and then fighting in the woods, like infantry. I don’t think that many of those skills, other than the leadership skills that you learn with a group of 30 and then 20 people, would really translate into cyber other than it was national security and securing our nation.

David Puner: I should mention that at West Point, you were in the first class that included women. At the time, did you realize that this was a momentous thing or was it something that just happened to be happenstance?

Marene Allison: I didn’t realize the magnitude of it at the time. I think by the time as a senior—or firstie, as we are called, the cadets that are there even today—all they’re looking for is to graduate. Can I make it through and graduate? And it wasn’t until years later that I realized, wow, this was pretty interesting. Because you have to realize in 1974, women couldn’t get a credit card by themselves. Women weren’t allowed to have families in the military. And even when we joined West Point up to 1978, we were part of the Women’s Army Corps. We were not part of the regular army. It wasn’t until years later that I realized that, wow, this was really the changing of what women could do—serving in national security, serving in the military, and even serving in law enforcement because it wasn’t until the early seventies with Title IX and law enforcement changes.

David Puner: Fast forward a few years and cybersecurity world. Let’s talk about being a CISO and level setting here at the beginning. Overall perspective: what does it mean to be a mission-driven CISO in today’s environment?

Marene Allison: That is a huge thing to unpack, but it’s having an understanding of what your company does and what they’re producing. It also is understanding the principles that are needed in cybersecurity to defend and protect the company that you’re a part of, and also to understand where you fit in national security. Are you a critical infrastructure company? What do you produce? What is its importance to the nation?

David Puner: You spent almost 13 years at Johnson & Johnson, retiring in 2023. What was your biggest cybersecurity challenge during your time as CISO at J&J?

Marene Allison: There’s a couple of ways to look at this. One is the technical challenge of bringing a large company around the world as they’re consolidating their IT and bringing their cybersecurity game up. That was certainly a challenge, not one that you can’t do, and certainly I had the support of my CEO, my CIO, as well as the board of directors to get that done. Challenge overall was helping Johnson & Johnson in securing its systems and its production facilities to bring the COVID vaccine to the table in less than 13 months.

David Puner: What were the primary underlying challenges with that, other than the obvious?

Marene Allison: All your third parties that help you create a drug, China and Russia and Iran all trying to stop you from not getting it done. In reality, a mission-driven CISO understands what their company does, how it works and operates, and in pharmaceuticals where it takes 10 to 12 years to get most regular drugs to market, to do a vaccine that quickly accelerated and to make sure that the team was aware of what was going on—working with all the different departments that maybe you had a relationship with in the past, but all of a sudden they were front and center. And then understanding all the third parties that you have to deal with between the manufacturer of product to the regulatory agencies—whether it be the FDA or the European Medical Association—and then the delivery of vaccine throughout the United States and working with the federal government to ensure what was going on in this space so that we didn’t have any issues throughout the whole process.

David Puner: At that point, you’re about a decade into your tenure there at Johnson & Johnson. So understanding what a company does and how it does it—I would presume you probably knew it pretty well at that point. How long with an organization like that did it take to really truly understand it inside and out?

Marene Allison: Johnson & Johnson being so large and at the time was three different divisions—not only did you have the pharmaceutical, but you also had a consumer division that was spun off as a company called Kenvue, which was all your over-the-counter type products and Tylenol, and then you had medical devices. I think if I was there another 20 years, I’d almost get to know everything they did and how they did it. As a CISO, every time you’re looking at a new line of business and having conversations, what I learned is you have to understand the nuances of the business and the environment that they’re in. So medical devices in Asia is different than medical devices in the United States. Part of it is making sure that you’re open and understanding. There’s the cybersecurity piece, but then it’s: how is my business? How do they need this? And how is that delivered so that they’re most effective and that it works for them and they accept the solution that needs to come in place.

David Puner: Going back in general to the CISO role, how have you seen the CISO role change over the last few years, especially in large complex organizations?

Marene Allison: I think the biggest change was when CISOs started going to board of directors and what their role was there. It was seen as a position that was much different in the past, and I’ll say the CISO was kind of like the head of physical security where you had a C role, but it wasn’t of the magnitude of the other C-suite executives: Chief Operating Officer, Chief Financial Officer. As we changed into reporting to the board and we saw the impact of ransomware on companies and being able to bring down hospitals, what you saw was that CISO role start to evolve into a true C-suite position.

David Puner: So then getting more into the nitty-gritty of it, with the explosion of cloud services and AI, identity has become the new perimeter.

Marene Allison: Oh, identity was always the perimeter, Dave.

David Puner: I’m glad you pointed that out.

Marene Allison: It’s just that zero trust—people thought, hey, we’ll keep it to the side, and now everybody’s bringing it up. It’s always been the fundamental: who touches your data, why are they touching it, how much access do they have, and where can they send that data? That’s always been the security problem.

David Puner: Thanks for coming on to Security Matters. It’s been a great interview. Appreciate it. How should CISOs be thinking about identity security today and identity, for that matter?

Marene Allison: You have to look at it as more than some of what I’ll call the easier places to secure, detect, and protect in the network. Not that it’s an easy thing to do, especially with advanced malware coming at you or zero days, but it’s much easier than truly understanding the entire identity structure. If we go back—having IDs and passwords and having applications that have been developed—many times that identity structure was put into the applications. Today, in all the applications it’s going to externalize, there’s going to be APIs, there’s going to be extensions. You are not going to have it inside that application like you do in some of the more legacy applications. In a corporation, you have everything from CFO or finance people that have built little small apps or widgets that they’re using that have identity structures, to bots—the Blue Prism type—where somebody, a third party, may have set something up and you have to understand all the areas that the data is, what’s being accessed by, what it’s being accessed by. And it’s not an easy proposition. In the old days when there were apps and mainframes and rack F, it was relatively a two-dimensional problem versus today where we’re seeing three and four dimensions of identity.

David Puner: So then in a regulated industry like healthcare—we’ve talked about data a couple times and I’m sure it’s going to come up a few more times—but how do identity and identity security factor particularly into healthcare cybersecurity, in the context potentially of data and whatever else you can think of?

Marene Allison: Probably the best thing that happened in healthcare was HIPAA, which was around protected health information around patients. That at least set the foundation in healthcare that we needed to understand data and where data was and who was accessing it. As you look into something like pharmaceuticals, where you also have de-identified clinical data, and you’ll have proprietary data around molecules, understanding where all that data is and how it’s accessed and where it goes—especially as we move in. I mean, the cloud wasn’t most difficult in that you had to figure out where is it going and what kind of systems is it residing on and who could potentially have access to it. But as we go into AI, and it opens up huge data sets, it can be an explosion of your data going outside your network, and people aren’t aware of it, and it’s potentially more dangerous in healthcare with people’s data. But also in financials. I was talking to a group of CEOs this past week and one of the things—they were small companies, a couple of M&A companies, a couple of financial investment companies. The idea they love ChatGPT and using ChatGPT. And I said, yeah, use it, but know what you’re connecting to because as soon as you start opening it up to databases, it’s going to take all your data out. And is it data you want out or is it your client data? And if it is your client data, it will become a brand problem more than a security problem. But it’ll ultimately be solved by cybersecurity people.

David Puner: So then while on the subject of AI, how is AI transforming both offense and defense in cybersecurity?

Marene Allison: There’s no way a CISO today couldn’t be using products that have AI embedded in it—whether it’s stated as AI, it’s at least machine learning. Because there is no way, when you have billions and billions of events a day, that there’s going to be analysts that are going to be sitting there and looking at it and seeing the correlation. When you can do that all through machine learning and then ultimately that machine learning will bring you to AI, and most of the technology that’s out there, that’s the advanced technology, has AI built into it to help it to understand what’s going on and present potential incidents or events.

David Puner: Bad actors—

Marene Allison: AI is my friend. It’s your friend. But it also—and I look at it, you know, I’ve been around a week or two there, David—so I look at it when voice over IP was coming out. You remember those days?

David Puner: Mm-hmm.

Marene Allison: And it was, oh my God, we’re not going to be able to know where a 911 call came from. Oh, this is bad. We should block it. We shouldn’t use it. Can you imagine? We wouldn’t be having this call today without voice over IP.

David Puner: Right.

Marene Allison: I mean, there’s good and bad and we have to utilize it for good versus evil. Now the evil will be evil and we’ll have to then have controls put in place so evil doesn’t happen.

David Puner: Is it always going to be good trying to catch up with evil though, or is it not necessarily that equation?

Marene Allison: Well, it depends upon if you consider innovation evil.

David Puner: Okay.

Marene Allison: I consider innovation like we have to be there. That’s the only way cyber is going to stay ahead of the curve. Innovation will create issues that will have to be solved, but without that innovation, we’re not going to get to the next place.

David Puner: Really interesting. I like the way you put that.

Marene Allison: And so it’s easy to say AI or cloud or voice over IP are evil. But it’s part of the innovation that we deal with every day, and so there’ll be people that are CISOs that get to defend their companies because a new innovation came out, but there’ll also be people in those innovations that are creating the solutions so that we can operate securely.

David Puner: Does the rise of AI make the CISO job easier or harder?

Marene Allison: Both.

David Puner: Okay. How?

Marene Allison: I can look back to the day of rack F and mainframes or steel piping stuff between—you know, when I was at A&P our mainframe was in Maryland and our corporate headquarters were in New Jersey. And yeah, steel piped it all the way through, but I got green bar reports out of it, David. They weren’t very—you know, I had five different districts with 35,000 different SKUs, and they were all different. Frito-Lays in one place was salami in another place. And so those days are gone, right? It’s all about data. We all have smartwatches on that are monitoring our data, looking at AFib, looking at what our heart rate is, did I get my walk in, did I sleep right? All that data potentially could be used for harm or it could be used for good.

David Puner: Mm-hmm.

Marene Allison: So I’m going on the good side.

David Puner: I currently have 910 steps today, so probably not ideal data.

Marene Allison: Oh, come on now.

David Puner: Nor’easter out there. I gotta do something about that after this interview, that’s for sure. Let’s go to machine identities for a little bit here.

Marene Allison: Aha, my friend.

David Puner: Yes. All right. So what are the biggest blind spots organizations have when it comes to securing machine identities?

Marene Allison: Machine identities tend to be the purview of the infrastructure department and not the cybersecurity department. That’ll be the biggest blind spot. And that also—even people identities traditionally have been more infrastructure than with the CISO. And so understanding the full stack of identity and the identity around the data and where it goes becomes an extremely important part of the CISO’s purview, even if they don’t own it.

David Puner: How do they wrap their heads around that? How do they get control around that? We just recently put out our identity security landscape study that found machine identities outnumber human identities now by more than 80 to one. The previous study had it somewhere around 45 to one, and that was just about a year or so ago. So obviously an exploding number of machine identities. How do we keep up?

Marene Allison: Well, we use technologies like CyberArk and Venafi. That’s how we do it. I wouldn’t even say this is one of those, “Hey, you can do this alone. You can build it yourself.” No. Just buy. Venafi itself—I’ve known them for years and used them in the companies that I’ve been with for years. You have to be able to manage that. And if you want a way to see how unmanaged it is, just look at how many certs expire in an organization.

David Puner: Mm-hmm.

Marene Allison: And who manages that? The CISO always gets yelled at because the cert expired. But rarely do they have the ownership of managing all the certs and making sure the identities—the handshakes—are right.

David Puner: Venafi now, of course, part of CyberArk, acquired last year. Let’s move on to trust. Trust is a word we hear a lot in security. What does it take to build and maintain trust with stakeholders from the boardroom to the front lines?

Marene Allison: I don’t think I’ve had a problem with trust with any of the organizations that I’ve worked with or the stakeholders I’ve worked with. It’s because I come in wanting to learn about their business and what they’re looking for versus giving them a list of, “Hey, this is what you must know and you must do this.” I find having tabletop exercises with executives and then three weeks later the exact subject of the tabletop exercise occurs brings a lot of trust with people. And to be able to be honest: “Hey, we know this. No, I don’t know if this is going to happen, but this is the potentiality of it.” Cyber starts becoming a risk just like any of the other business risks—not trying to elevate it into something larger than it is, but also making sure the importance of it stays relevant. I know the board presentations—I had a CIO, Stuart McGuigan, who always said, “Marene, just throw in a little engineering so they know how smart you are.” And we’d always just put a little bit in. But most of the time, the presentation was to give them words that they understood, in what things meant, so that they understood the attacks that were coming, where they were coming from, how the landscape changed, what we were doing to secure ourselves, and what things we were looking at. I think being open and honest, even when you don’t know the full answer, is always the best policy.

David Puner: And then what about trust when it comes to patient trust in healthcare? And I guess that would probably factor in with data.

Marene Allison: HIPAA was very prescriptive around what you were going to do with the data. What I found was HIPAA was a very good way to build a program around patient data. And so if you secured it in those manners—now, of course, what we originally did in what, 2002 to 2005, is much different today—but the reality is, the best thing about patient data is knowing where you have it and who has access to it, and being able to show that and be able to monitor it is the best way to create trust. Don’t lose their data.

David Puner: Mm-hmm.

Marene Allison: That sounds kind of simple, but don’t let people access it who shouldn’t, and don’t lose it, and you get trust.

David Puner: Okay, thank you. We’ve already touched upon innovation a bit, but how do you balance innovation with governance and compliance, especially in regulated industries as a CISO?

Marene Allison: I love the IT guys that are always trying to fidget with something and come up with something new. And what I’ve found in most of the healthcare organizations that I’ve worked with—the ability to create a sandbox where people can play and create the technologies that they’re trying to develop. The one thing that most IT people will try to use: “Oh, well, we have a database. Let’s use this database.” And that’s real data.

David Puner: Mm-hmm.

Marene Allison: And the answer is, no. We can’t do that. Let’s de-identify it. Let’s do something and then set up the parameters. The other thing that we saw, and especially as a company like Johnson & Johnson is trying to move to the cloud, is trying to change what the standards were for, say, the regulations or our regulatory environment and have equal. So in the olden days, it might be show physical evidence of log data. And then when you go to the physical evidence of log data, it would be truckloads and truckloads coming from Google or Amazon, which is not feasible. So it’s also helping the regulatory and translate into what is going to be required around the new technology. The other is never say no. Let’s say, let’s look at it and see what it has. Do you remember before smartphones were out and we had a Blackberry? We all had a BES server onboard and it was secure and we were running that thing and it was costing us to run it because we had to have people do it. And then they came out with: “Hey, we could do it outside the company.” Companies like IronPort came out. Well, it was easy. The tech people liked it: “Yeah, this is gonna be—it’s in the cloud. This will be great.” But working with the security teams, being able to say, “Oh, wait a minute, right? As it transitions here, the data’s—the passwords aren’t encrypted. If somebody puts a sniffer right there, everything’s gonna go out.” So let’s talk with these companies and see what we can do and where their roadmap is, and working with companies with their roadmaps to see where it’s gonna meet the corporate standards for security. And then having them move there. And a lot of that is a lot of extra work, but it also secured the company and helped us move very quickly to smartphones.

David Puner: So many things that you have to be prepared for as a CISO. You have to be prepared for the unknown. How can CISOs prepare for the unknown, and how can they best position themselves to anticipate and respond to evolving threats?

Marene Allison: As a CISO, I did not have my hand a lot into the venture capital world or any of the PE of what was going on. I had my security architect do that so that I could make financial decisions on the technologies based on what was provided to me versus personal relationships. You have to have a group of people in your organization that are looking at the new technologies out there. My security architect and I, we always used to love RSA. We always did the back row. Right? Not the front row, not the big booth, but the back row. Who’s back there and what are they coming out with? Looked at GRC software for probably 10 years before they hit the floor and they’re off running. Having the meetings with the small companies. As we went to the cloud, there wasn’t a Wiz or a Dazz out there to help us, that you could just bring them in. We were using small companies to figure out: how do we get the best in breed for what we’re doing, and then how do we secure it in another way till that technology is going to get there? Knowing where your tech people are headed helps tremendously. Knowing where your business wants to go helps tremendously. And bringing those together like a big Rubik’s Cube of, okay, do I need the best right now? No. Maybe I don’t need what the Army needs, but I need something over here that’s going to protect us till we get to here. And maybe I can encrypt data at rest or encrypt data at use, which will get me over the hump until something else changes.

David Puner: What do you miss most about being in that CISO seat, and what do you miss least?

Marene Allison: I miss my team. I had about 600 people around the world. I loved visiting them. I loved working with them. I loved hearing their ideas, their points of view. They taught me so much. I don’t miss sitting there awake 20 hours a day looking at stuff around the world as the vaccine is being created and wondering, “Is that that goes bump in the night? Is that—is that going to be the next DDoS attack? What’s going to happen? Are we defended enough?” I do not miss the operational part of it. And from the time I graduated from West Point at 21 until I retired—a little over 40 something years of operational work—I’m happy to ride my horses and pick blueberries.

David Puner: Yeah, I mean, that’s a lot of stress. Were there any kind of tricks or routines that you had in order to be able to manage that stress?

Marene Allison: For a long time, it was running and doing other things. I’m one of those—I find if I’m doing something that completely engages me. So like if you’re downhill skiing—right—you’re doing double black diamonds. If you think about work for even a millisecond, you are down.

David Puner: Yep. Absolutely. Been there.

Marene Allison: So doing those types of activities, and same thing with my horses. If you’re riding a horse and you’re jumping or you’re out in the woods galloping, if you think about anything else, you’re on the ground. So I’ve learned: stay off the ground and relax your mind, and your body will come with it.

David Puner: That’s really great. I want to get back to the blueberries in a moment, but first, mentioning the team and missing the team—as far as organizations go and organizational culture—how can organizations create a culture that attracts and retains top cyber talent?

Marene Allison: You have to look at what you have and then grow a team that’s going to meet the organization that you’re with. And there’ll be some organizations that will have, you know, I have 100 people, I’m going to have 100 engineers. But what I found was I needed people with all different types of skills. Having an engineer do your security awareness and education program—not the best use of their time. Good people, they probably can do it at, you know, a B level. But let’s bring somebody in that has a gift of gab and can have the conversations and works with the business and get an A-plus person in front of them they’re going to listen to. Does the person have to have all the skills of the security engineer? No. You have a security engineer, and they talk to each other, and they can help each other grow in their organizations. I took someone that was a police officer in Ohio and he ran my physical security for me when I worked at Medco, one of our C2 dispensing plants out in Ohio. And I sent him to cyber forensics course. He tells me today—and he is now the CEO of his own company that does cyber recruiting—he told me that he didn’t even barely know how to turn on a computer. And then he became a cyber forensics guy and now has pivoted over to understanding cyber talent to hire it and develop it. And so it’s taking these jewels and listening, and I would bring my five or six top captains in and many times we would all disagree. And I told them: vote, vote. We were going to do it democratically, except I had 1,000 votes.

David Puner: Yeah.

Marene Allison: And they still laugh at that, where ultimately I was in charge and I was going to be responsible, so I would have to make the decision. But we’d make it with everybody’s input. And I’d have the deep technical, I’d have the people, the BISOs, the business, I’d have my application security people—we’d all sit there and figure out what is going on before we made a decision.

David Puner: So that’s really interesting that you’ve got all different types of talent and it’s not necessarily one skill set or background that makes for somebody who would be a great cybersecurity practitioner. But then as far as cybersecurity leadership goes—CISOs—what qualities do you look for in the next generation of cybersecurity leadership?

Marene Allison: Today we are lucky because the colleges and universities are actually teaching cybersecurity. I had FORTRAN programming. Not Python. But what I would say is today we have people that are learning in the universities, which will allow them to come in with a breadth of knowledge and understanding that maybe wasn’t there 40 years ago. But they will also have to understand people because ultimately it will be their people that will—they’ll be the ones that say, “Hey, I’m looking at this AI and this real-world database, and I think I’ve found a problem.” It is on the backs of people. And that’s where I say the leaders are going to have to have that one foot in the technical side, one foot in the people management side, and the other foot—I think I’m using a Yogi Berra-ism there—and the other foot in understanding the business you’re in.

David Puner: Really interesting. So then going from your previous career as a CISO now into retirement, from the looks of things and what the internet is telling me, you’re not exactly taking it easy. You’ve got a lot going on, including the blueberry farming, which sounds very low tech, but I’m sure there’s a lot of tech involved in it. What are you up to these days? And I definitely want to know all about the blueberry farming.

Marene Allison: Retirement is something I think people in the seventies did.

David Puner: Mm-hmm.

Marene Allison: Which included a Barcalounger. But I think today, most of the people I know who are—and I’ll say that’s when you could say, “I’m a former CISO.” Right? I’ve reinvented myself. I really should have been a cowgirl.

David Puner: Okay.

Marene Allison: So through some mentors—mentorees of mine—I now have four horses. Every morning I’m out there, out in the barn.

David Puner: And this is in Florida, Northern Florida?

Marene Allison: This is in North Florida. Barn time is just absolutely fabulous to clear your mind and to think of things and to also de-stress—completely de-stress—because you know when you’re moving with a 1,000-pound horse, again, it’s like skiing. If you don’t watch what you’re doing, you’re going to be under it.

David Puner: Mm-hmm.

Marene Allison: So you have to be there. And before I get to the blueberries, I would tell you I’m still doing things like this podcast. I’m still working with VC, small companies and also working with PE firms looking at new technologies. I’m kind of a geek at heart and I didn’t really do it as a CISO because I didn’t want to sway decisions on things that my tech people needed to make a decision on. So I’m enjoying myself. And then who knew? I fell into the identity space working with companies like SPHERE and CyberArk and Venafi and ForgeRock, and there are just all sorts of companies that I found fascinating. And then I started talking to a number of women CEOs. Now I have met a couple of these women and am working with them to help them understand how to sell to CISOs, what space they need to go into. I heard or read something recently that right now there’s about $2.7 billion in the identity space, and over the next five years it’s supposed to grow to 6.6. So if anybody thinks identity is not important, seeing those numbers grow like that is certainly going to show how important identity is. And there’s a lot of women CEOs in that space, which I enjoy working with. And then I’m also on the board of the Association of Graduates at West Point. I truly believe in giving back to the organizations that helped grow you and help set you up for success. And I’m president of the group for the West Point Women, which represents the 6,500 women West Point graduates. So I’ve given back—check that box.

David Puner: Yeah. Remarkable.

Marene Allison: But the most important one is my husband and I own an organic blueberry farm of 219 acres in North Florida. My husband worked in the FBI as a chief bomb technician for World Trade Center I and II, and to be able to then reinvent ourselves. And it’s not about the blueberries as much as can I learn something completely new that I’m not an expert at and then become good at it. And so we’re now one of the largest organic blueberry producers in North Florida.

David Puner: Can I get my hands on some of these blueberries up here at my local grocery store, or how do I get my hands on those?

Marene Allison: They’re through Michigan Blueberry Growers Association and the Naturipe label. And if you pull up the little clamshell and if you see 1493—the year after Columbus—that’s our farm. You have gotten the mother lode of berries.

David Puner: Marene Allison, I can say with confidence: we have to have you back on again soon. Really fascinating. Really great to speak with you. Thanks so much for coming on to Security Matters. Really enjoyed it.

Marene Allison: David, thank you so much to you and the team for having me. I love CyberArk—always have—and have loved working in the identity space. So thank you for having me.

David Puner: All right, there you have it. Thanks for listening to Security Matters. If you like this episode, please follow us wherever you do your podcast thing so you can catch new episodes as they drop. And if you feel so inclined, please leave us a review. We’d appreciate it very much—and so will the algorithmic winds. What else? Drop us a line with questions, comments, and if you’re a cybersecurity professional and you have an idea for an episode, drop us a line. Our email address is securitymatterspodcast (all one word) @ cyberark.com. We hope to see you next time.