{"id":211444,"date":"2025-06-11T04:01:00","date_gmt":"2025-06-11T04:19:15","guid":{"rendered":"https:\/\/www.cyberark.com\/podcasts\/ep-9-jjs-former-ciso-on-trust-identity-and-the-future-of-cybersecurity\/"},"modified":"2026-04-07T13:37:16","modified_gmt":"2026-04-07T17:37:16","slug":"ep-9-jjs-former-ciso-on-trust-identity-and-the-future-of-cybersecurity","status":"publish","type":"podcast","link":"https:\/\/www.cyberark.com\/it\/podcasts\/ep-9-jjs-former-ciso-on-trust-identity-and-the-future-of-cybersecurity\/","title":{"rendered":"EP 9 &#8211; J&amp;J\u2019s former CISO on trust, identity, and the future of cybersecurity"},"content":{"rendered":"<p>In this episode of <em>Security Matters<\/em>, host David Puner sits down with Marene Allison, former Chief Information Security Officer (CISO) of Johnson &amp; Johnson, for a candid and wide-ranging conversation on trust, identity, and leadership in cybersecurity. From securing global vaccine supply chains during the COVID-19 pandemic to navigating the rise of AI and machine identities, Marene shares hard-earned insights from her decades-long career in national security and the private sector.<\/p>\n<p>They explore what it means to be a mission-driven CISO, how to build trust from the boardroom to the front lines, and why identity has always been the true perimeter. Marene also reflects on her post-CISO chapter and the evolving role of cybersecurity leaders in a rapidly evolving threat landscape.<\/p>\n<div class=\"transcript\" style=\"white-space:pre-line\">David Puner: You are listening to the Security Matters podcast. I&#8217;m David Puner, a senior editorial manager at CyberArk, the global leader in identity security.<\/p>\n<p>Let&#8217;s take a quick trip back to 2020 when the global race to develop a COVID-19 vaccine was on. And the groundwork for distributing it around the world was already underway. 
While scientists worked in labs, cyber criminals and nation states lurked in the shadows, threatening to disrupt progress. At Johnson &amp; Johnson, the stakes were enormous.<\/p>\n<p>Delays didn&#8217;t just mean downtime. They could impact lives. Hospitals, regulators, third-party manufacturers, and global supply chains all had to be secured. Fast. Leading that charge was Marene Allison. Today on Security Matters, Marene joins us to reflect on her extraordinary career\u2014from West Point to the FBI to nearly 13 years as CSO at J&amp;J, a Fortune 50 company with more than 138,000 employees worldwide.<\/p>\n<p>We unpack identity, innovation, trust, and what it means to lead in moments of crisis, whether it&#8217;s a zero-day exploit or a vaccine rollout. Oh, and if you&#8217;ve picked up a pint of organic blueberries lately, you might have already sampled a sweet side of Marene\u2019s post-CSO pivot. Let&#8217;s dig in.<\/p>\n<p>David Puner: Marene Allison, retired CISO, Johnson &amp; Johnson, thanks so much for coming on to Security Matters. Really appreciate having you here.<\/p>\n<p>Marene Allison: David, thank you for having me. It&#8217;s great to be here.<\/p>\n<p>David Puner: Thanks so much. Let&#8217;s get right to it. You&#8217;ve had an extraordinary journey from West Point to the FBI to leading cybersecurity at one of the world&#8217;s largest healthcare companies, and you&#8217;re also our first guest that we know of who&#8217;s a member of the Florida Blueberry Growers Association, which we&#8217;ll probably try to get to later on. What inspired you to pursue a career in security?<\/p>\n<p>Marene Allison: I was at West Point and I was looking at the branches and I had taken electrical engineering as my engineering sequencer, and it&#8217;s already a lot of engineering\u201421 credit hours a semester for a couple of years. 
Maybe my class rank wasn&#8217;t high enough to get into either engineering or into aviation or into Signal Corps, which is a precursor to computers. And so I decided that the branch that had the best opportunities for women and men at the time that I liked, I decided to go military police. And that&#8217;s the story of how I could get here.<\/p>\n<p>David Puner: In the military police, what kind of things were you doing at that time that helped to foster that career in cybersecurity later on?<\/p>\n<p>Marene Allison: Probably the best part of it was understanding how to manage an organization\u2014the leadership skills that you get as a second lieutenant. The skills then were road controls, convoys, security for major events, kind of the white glove MP, and then fighting in the woods, like infantry. I don&#8217;t think that many of those skills, other than the leadership skills that you learn with a group of 30 and then 20 people, would really translate into cyber other than it was national security and securing our nation.<\/p>\n<p>David Puner: I should mention that at West Point, you were in the first class that included women. At the time, did you realize that this was a momentous thing or was it something that just happened to be happenstance?<\/p>\n<p>Marene Allison: I didn&#8217;t realize the magnitude of it at the time. I think by the time as a senior\u2014or firstie, as we are called, the cadets that are there even today\u2014all they&#8217;re looking for is to graduate. Can I make it through and graduate? And it wasn&#8217;t until years later that I realized, wow, this was pretty interesting. Because you have to realize in 1974, women couldn&#8217;t get a credit card by themselves. Women weren&#8217;t allowed to have families in the military. And even when we joined West Point up to 1978, we were part of the Women&#8217;s Army Corps. We were not part of the regular army. 
It wasn&#8217;t until years later that I realized that, wow, this was really the changing of what women could do\u2014serving in national security, serving in the military, and even serving in law enforcement because it wasn&#8217;t until the early seventies with Title IX and law enforcement changes.<\/p>\n<p>David Puner: Fast forward a few years and cybersecurity world. Let&#8217;s talk about being a CISO and level setting here at the beginning. Overall perspective: what does it mean to be a mission-driven CISO in today&#8217;s environment?<\/p>\n<p>Marene Allison: That is a huge thing to unpack, but it&#8217;s having an understanding of what your company does and what they&#8217;re producing. It also is understanding the principles that are needed in cybersecurity to defend and protect the company that you&#8217;re a part of, and also to understand where you fit in national security. Are you a critical infrastructure company? What do you produce? What is its importance to the nation?<\/p>\n<p>David Puner: You spent almost 13 years at Johnson &amp; Johnson, retiring in 2023. What was your biggest cybersecurity challenge during your time as CISO at J&amp;J?<\/p>\n<p>Marene Allison: There&#8217;s a couple of ways to look at this. One is the technical challenge of bringing a large company around the world as they&#8217;re consolidating their IT and bringing their cybersecurity game up. That was certainly a challenge, not one that you can&#8217;t do, and certainly I had the support of my CEO, my CIO, as well as the board of directors to get that done. Challenge overall was helping Johnson &amp; Johnson in securing its systems and its production facilities to bring the COVID vaccine to the table in less than 13 months.<\/p>\n<p>David Puner: What were the primary underlying challenges with that, other than the obvious?<\/p>\n<p>Marene Allison: All your third parties that help you create a drug, China and Russia and Iran all trying to stop you from not getting it done. 
In reality, a mission-driven CISO understands what their company does, how it works and operates, and in pharmaceuticals where it takes 10 to 12 years to get most regular drugs to market, to do a vaccine that quickly accelerated and to make sure that the team was aware of what was going on\u2014working with all the different departments that maybe you had a relationship with in the past, but all of a sudden they were front and center. And then understanding all the third parties that you have to deal with between the manufacturer of product to the regulatory agencies\u2014whether it be the FDA or the European Medical Association\u2014and then the delivery of vaccine throughout the United States and working with the federal government to ensure what was going on in this space so that we didn&#8217;t have any issues throughout the whole process.<\/p>\n<p>David Puner: At that point, you&#8217;re about a decade into your tenure there at Johnson &amp; Johnson. So understanding what a company does and how it does it\u2014I would presume you probably knew it pretty well at that point. How long with an organization like that did it take to really truly understand it inside and out?<\/p>\n<p>Marene Allison: Johnson &amp; Johnson being so large and at the time was three different divisions\u2014not only did you have the pharmaceutical, but you also had a consumer division that was spun off as a company called Kenvue, which was all your over-the-counter type products and Tylenol, and then you had medical devices. I think if I was there another 20 years, I&#8217;d almost get to know everything they did and how they did it. As a CISO, every time you&#8217;re looking at a new line of business and having conversations, what I learned is you have to understand the nuances of the business and the environment that they&#8217;re in. So medical devices in Asia is different than medical devices in the United States. Part of it is making sure that you&#8217;re open and understanding. 
There\u2019s the cybersecurity piece, but then it&#8217;s: how is my business? How do they need this? And how is that delivered so that they&#8217;re most effective and that it works for them and they accept the solution that needs to come in place.<\/p>\n<p>David Puner: Going back in general to the CISO role, how have you seen the CISO role change over the last few years, especially in large complex organizations?<\/p>\n<p>Marene Allison: I think the biggest change was when CISOs started going to board of directors and what their role was there. It was seen as a position that was much different in the past, and I\u2019ll say the CISO was kind of like the head of physical security where you had a C role, but it wasn\u2019t of the magnitude of the other C-suite executives: Chief Operating Officer, Chief Financial Officer. As we changed into reporting to the board and we saw the impact of ransomware on companies and being able to bring down hospitals, what you saw was that CISO role start to evolve into a true C-suite position.<\/p>\n<p>David Puner: So then getting more into the nitty-gritty of it, with the explosion of cloud services and AI, identity has become the new perimeter.<\/p>\n<p>Marene Allison: Oh, identity was always the perimeter, Dave.<\/p>\n<p>David Puner: I&#8217;m glad you pointed that out.<\/p>\n<p>Marene Allison: It\u2019s just that zero trust\u2014people thought, hey, we\u2019ll keep it to the side, and now everybody&#8217;s bringing it up. It&#8217;s always been the fundamental: who touches your data, why are they touching it, how much access do they have, and where can they send that data? That\u2019s always been the security problem.<\/p>\n<p>David Puner: Thanks for coming on to Security Matters. It\u2019s been a great interview. Appreciate it. 
How should CISOs be thinking about identity security today and identity, for that matter?<\/p>\n<p>Marene Allison: You have to look at it as more than some of what I&#8217;ll call the easier places to secure, detect, and protect in the network. Not that it\u2019s an easy thing to do, especially with advanced malware coming at you or zero days, but it\u2019s much easier than truly understanding the entire identity structure. If we go back\u2014having IDs and passwords and having applications that have been developed\u2014many times that identity structure was put into the applications. Today, in all the applications it\u2019s going to externalize, there\u2019s going to be APIs, there\u2019s going to be extensions. You are not going to have it inside that application like you do in some of the more legacy applications. In a corporation, you have everything from CFO or finance people that have built little small apps or widgets that they\u2019re using that have identity structures, to bots\u2014the Blue Prism type\u2014where somebody, a third party, may have set something up and you have to understand all the areas that the data is, what\u2019s being accessed by, what it\u2019s being accessed by. And it\u2019s not an easy proposition. In the old days when there were apps and mainframes and RACF, it was relatively a two-dimensional problem versus today where we\u2019re seeing three and four dimensions of identity.<\/p>\n<p>David Puner: So then in a regulated industry like healthcare\u2014we\u2019ve talked about data a couple times and I\u2019m sure it\u2019s going to come up a few more times\u2014but how do identity and identity security factor particularly into healthcare cybersecurity, in the context potentially of data and whatever else you can think of?<\/p>\n<p>Marene Allison: Probably the best thing that happened in healthcare was HIPAA, which was around protected health information around patients. 
That at least set the foundation in healthcare that we needed to understand data and where data was and who was accessing it. As you look into something like pharmaceuticals, where you also have de-identified clinical data, and you\u2019ll have proprietary data around molecules, understanding where all that data is and how it\u2019s accessed and where it goes\u2014especially as we move in. I mean, the cloud wasn\u2019t most difficult in that you had to figure out where is it going and what kind of systems is it residing on and who could potentially have access to it. But as we go into AI, and it opens up huge data sets, it can be an explosion of your data going outside your network, and people aren\u2019t aware of it, and it\u2019s potentially more dangerous in healthcare with people\u2019s data. But also in financials. I was talking to a group of CEOs this past week and one of the things\u2014they were small companies, a couple of M&amp;A companies, a couple of financial investment companies. The idea they love ChatGPT and using ChatGPT. And I said, yeah, use it, but know what you\u2019re connecting to because as soon as you start opening it up to databases, it\u2019s going to take all your data out. And is it data you want out or is it your client data? And if it is your client data, it will become a brand problem more than a security problem. But it\u2019ll ultimately be solved by cybersecurity people.<\/p>\n<p>David Puner: So then while on the subject of AI, how is AI transforming both offense and defense in cybersecurity?<\/p>\n<p>Marene Allison: There\u2019s no way a CISO today couldn\u2019t be using products that have AI embedded in it\u2014whether it\u2019s stated as AI, it\u2019s at least machine learning. Because there is no way, when you have billions and billions of events a day, that there\u2019s going to be analysts that are going to be sitting there and looking at it and seeing the correlation. 
When you can do that all through machine learning and then ultimately that machine learning will bring you to AI, and most of the technology that\u2019s out there, that\u2019s the advanced technology, has AI built into it to help it to understand what\u2019s going on and present potential incidents or events.<\/p>\n<p>David Puner: Bad actors\u2014<\/p>\n<p>Marene Allison: AI is my friend. It\u2019s your friend. But it also\u2014and I look at it, you know, I\u2019ve been around a week or two there, David\u2014so I look at it when voice over IP was coming out. You remember those days?<\/p>\n<p>David Puner: Mm-hmm.<\/p>\n<p>Marene Allison: And it was, oh my God, we\u2019re not going to be able to know where a 911 call came from. Oh, this is bad. We should block it. We shouldn\u2019t use it. Can you imagine? We wouldn\u2019t be having this call today without voice over IP.<\/p>\n<p>David Puner: Right.<\/p>\n<p>Marene Allison: I mean, there\u2019s good and bad and we have to utilize it for good versus evil. Now the evil will be evil and we\u2019ll have to then have controls put in place so evil doesn\u2019t happen.<\/p>\n<p>David Puner: Is it always going to be good trying to catch up with evil though, or is it not necessarily that equation?<\/p>\n<p>Marene Allison: Well, it depends upon if you consider innovation evil.<\/p>\n<p>David Puner: Okay.<\/p>\n<p>Marene Allison: I consider innovation like we have to be there. That\u2019s the only way cyber is going to stay ahead of the curve. Innovation will create issues that will have to be solved, but without that innovation, we\u2019re not going to get to the next place.<\/p>\n<p>David Puner: Really interesting. I like the way you put that.<\/p>\n<p>Marene Allison: And so it\u2019s easy to say AI or cloud or voice over IP are evil. 
But it\u2019s part of the innovation that we deal with every day, and so there\u2019ll be people that are CISOs that get to defend their companies because a new innovation came out, but there\u2019ll also be people in those innovations that are creating the solutions so that we can operate securely.<\/p>\n<p>David Puner: Does the rise of AI make the CISO job easier or harder?<\/p>\n<p>Marene Allison: Both.<\/p>\n<p>David Puner: Okay. How?<\/p>\n<p>Marene Allison: I can look back to the day of RACF and mainframes or steel piping stuff between\u2014you know, when I was at A&amp;P our mainframe was in Maryland and our corporate headquarters were in New Jersey. And yeah, steel piped it all the way through, but I got green bar reports out of it, David. They weren\u2019t very\u2014you know, I had five different districts with 35,000 different SKUs, and they were all different. Frito-Lays in one place was salami in another place. And so those days are gone, right? It\u2019s all about data. We all have smartwatches on that are monitoring our data, looking at AFib, looking at what our heart rate is, did I get my walk in, did I sleep right? All that data potentially could be used for harm or it could be used for good.<\/p>\n<p>David Puner: Mm-hmm.<\/p>\n<p>Marene Allison: So I\u2019m going on the good side.<\/p>\n<p>David Puner: I currently have 910 steps today, so probably not ideal data.<\/p>\n<p>Marene Allison: Oh, come on now.<\/p>\n<p>David Puner: Nor\u2019easter out there. I gotta do something about that after this interview, that\u2019s for sure. Let\u2019s go to machine identities for a little bit here.<\/p>\n<p>Marene Allison: Aha, my friend.<\/p>\n<p>David Puner: Yes. All right. So what are the biggest blind spots organizations have when it comes to securing machine identities?<\/p>\n<p>Marene Allison: Machine identities tend to be the purview of the infrastructure department and not the cybersecurity department. That\u2019ll be the biggest blind spot. 
And that also\u2014even people identities traditionally have been more infrastructure than with the CISO. And so understanding the full stack of identity and the identity around the data and where it goes becomes an extremely important part of the CISO\u2019s purview, even if they don\u2019t own it.<\/p>\n<p>David Puner: How do they wrap their heads around that? How do they get control around that? We just recently put out our identity security landscape study that found machine identities outnumber human identities now by more than 80 to one. The previous study had it somewhere around 45 to one, and that was just about a year or so ago. So obviously an exploding number of machine identities. How do we keep up?<\/p>\n<p>Marene Allison: Well, we use technologies like CyberArk and Venafi. That\u2019s how we do it. I wouldn\u2019t even say this is one of those, \u201cHey, you can do this alone. You can build it yourself.\u201d No. Just buy. Venafi itself\u2014I\u2019ve known them for years and used them in the companies that I\u2019ve been with for years. You have to be able to manage that. And if you want a way to see how unmanaged it is, just look at how many certs expire in an organization.<\/p>\n<p>David Puner: Mm-hmm.<\/p>\n<p>Marene Allison: And who manages that? The CISO always gets yelled at because the cert expired. But rarely do they have the ownership of managing all the certs and making sure the identities\u2014the handshakes\u2014are right.<\/p>\n<p>David Puner: Venafi now, of course, part of CyberArk, acquired last year. Let\u2019s move on to trust. Trust is a word we hear a lot in security. What does it take to build and maintain trust with stakeholders from the boardroom to the front lines?<\/p>\n<p>Marene Allison: I don\u2019t think I\u2019ve had a problem with trust with any of the organizations that I\u2019ve worked with or the stakeholders I\u2019ve worked with. 
It\u2019s because I come in wanting to learn about their business and what they\u2019re looking for versus giving them a list of, \u201cHey, this is what you must know and you must do this.\u201d I find having tabletop exercises with executives and then three weeks later the exact subject of the tabletop exercise occurs brings a lot of trust with people. And to be able to be honest: \u201cHey, we know this. No, I don\u2019t know if this is going to happen, but this is the potentiality of it.\u201d Cyber starts becoming a risk just like any of the other business risks\u2014not trying to elevate it into something larger than it is, but also making sure the importance of it stays relevant. I know the board presentations\u2014I had a CIO, Stuart McGuigan, who always said, \u201cMarene, just throw in a little engineering so they know how smart you are.\u201d And we\u2019d always just put a little bit in. But most of the time, the presentation was to give them words that they understood, in what things meant, so that they understood the attacks that were coming, where they were coming from, how the landscape changed, what we were doing to secure ourselves, and what things we were looking at. I think being open and honest, even when you don\u2019t know the full answer, is always the best policy.<\/p>\n<p>David Puner: And then what about trust when it comes to patient trust in healthcare? And I guess that would probably factor in with data.<\/p>\n<p>Marene Allison: HIPAA was very prescriptive around what you were going to do with the data. What I found was HIPAA was a very good way to build a program around patient data. And so if you secured it in those manners\u2014now, of course, what we originally did in what, 2002 to 2005, is much different today\u2014but the reality is, the best thing about patient data is knowing where you have it and who has access to it, and being able to show that and be able to monitor it is the best way to create trust. 
Don\u2019t lose their data.<\/p>\n<p>David Puner: Mm-hmm.<\/p>\n<p>Marene Allison: That sounds kind of simple, but don\u2019t let people access it who shouldn\u2019t, and don\u2019t lose it, and you get trust.<\/p>\n<p>David Puner: Okay, thank you. We\u2019ve already touched upon innovation a bit, but how do you balance innovation with governance and compliance, especially in regulated industries as a CISO?<\/p>\n<p>Marene Allison: I love the IT guys that are always trying to fidget with something and come up with something new. And what I\u2019ve found in most of the healthcare organizations that I\u2019ve worked with\u2014the ability to create a sandbox where people can play and create the technologies that they\u2019re trying to develop. The one thing that most IT people will try to use: \u201cOh, well, we have a database. Let\u2019s use this database.\u201d And that\u2019s real data.<\/p>\n<p>David Puner: Mm-hmm.<\/p>\n<p>Marene Allison: And the answer is, no. We can\u2019t do that. Let\u2019s de-identify it. Let\u2019s do something and then set up the parameters. The other thing that we saw, and especially as a company like Johnson &amp; Johnson is trying to move to the cloud, is trying to change what the standards were for, say, the regulations or our regulatory environment and have equal. So in the olden days, it might be show physical evidence of log data. And then when you go to the physical evidence of log data, it would be truckloads and truckloads coming from Google or Amazon, which is not feasible. So it\u2019s also helping the regulatory and translate into what is going to be required around the new technology. The other is never say no. Let\u2019s say, let\u2019s look at it and see what it has. Do you remember before smartphones were out and we had a Blackberry? We all had a BES server onboard and it was secure and we were running that thing and it was costing us to run it because we had to have people do it. 
And then they came out with: \u201cHey, we could do it outside the company.\u201d Companies like IronPort came out. Well, it was easy. The tech people liked it: \u201cYeah, this is gonna be\u2014it\u2019s in the cloud. This will be great.\u201d But working with the security teams, being able to say, \u201cOh, wait a minute, right? As it transitions here, the data\u2019s\u2014the passwords aren\u2019t encrypted. If somebody puts a sniffer right there, everything\u2019s gonna go out.\u201d So let\u2019s talk with these companies and see what we can do and where their roadmap is, and working with companies with their roadmaps to see where it\u2019s gonna meet the corporate standards for security. And then having them move there. And a lot of that is a lot of extra work, but it also secured the company and helped us move very quickly to smartphones.<\/p>\n<p>David Puner: So many things that you have to be prepared for as a CISO. You have to be prepared for the unknown. How can CISOs prepare for the unknown, and how can they best position themselves to anticipate and respond to evolving threats?<\/p>\n<p>Marene Allison: As a CISO, I did not have my hand a lot into the venture capital world or any of the PE of what was going on. I had my security architect do that so that I could make financial decisions on the technologies based on what was provided to me versus personal relationships. You have to have a group of people in your organization that are looking at the new technologies out there. My security architect and I, we always used to love RSA. We always did the back row. Right? Not the front row, not the big booth, but the back row. Who\u2019s back there and what are they coming out with? Looked at GRC software for probably 10 years before they hit the floor and they\u2019re off running. Having the meetings with the small companies. As we went to the cloud, there wasn\u2019t a Wiz or a Dazz out there to help us, that you could just bring them in. 
We were using small companies to figure out: how do we get the best in breed for what we\u2019re doing, and then how do we secure it in another way till that technology is going to get there? Knowing where your tech people are headed helps tremendously. Knowing where your business wants to go helps tremendously. And bringing those together like a big Rubik\u2019s Cube of, okay, do I need the best right now? No. Maybe I don\u2019t need what the Army needs, but I need something over here that\u2019s going to protect us till we get to here. And maybe I can encrypt data at rest or encrypt data at use, which will get me over the hump until something else changes.<\/p>\n<p>David Puner: What do you miss most about being in that CISO seat, and what do you miss least?<\/p>\n<p>Marene Allison: I miss my team. I had about 600 people around the world. I loved visiting them. I loved working with them. I loved hearing their ideas, their points of view. They taught me so much. I don\u2019t miss sitting there awake 20 hours a day looking at stuff around the world as the vaccine is being created and wondering, \u201cIs that that goes bump in the night? Is that\u2014is that going to be the next DDoS attack? What\u2019s going to happen? Are we defended enough?\u201d I do not miss the operational part of it. And from the time I graduated from West Point at 21 until I retired\u2014a little over 40 something years of operational work\u2014I\u2019m happy to ride my horses and pick blueberries.<\/p>\n<p>David Puner: Yeah, I mean, that\u2019s a lot of stress. Were there any kind of tricks or routines that you had in order to be able to manage that stress?<\/p>\n<p>Marene Allison: For a long time, it was running and doing other things. I\u2019m one of those\u2014I find if I\u2019m doing something that completely engages me. So like if you\u2019re downhill skiing\u2014right\u2014you\u2019re doing double black diamonds. 
If you think about work for even a millisecond, you are down.<\/p>\n<p>David Puner: Yep. Absolutely. Been there.<\/p>\n<p>Marene Allison: So doing those types of activities, and same thing with my horses. If you\u2019re riding a horse and you\u2019re jumping or you\u2019re out in the woods galloping, if you think about anything else, you\u2019re on the ground. So I\u2019ve learned: stay off the ground and relax your mind, and your body will come with it.<\/p>\n<p>David Puner: That\u2019s really great. I want to get back to the blueberries in a moment, but first, mentioning the team and missing the team\u2014as far as organizations go and organizational culture\u2014how can organizations create a culture that attracts and retains top cyber talent?<\/p>\n<p>Marene Allison: You have to look at what you have and then grow a team that\u2019s going to meet the organization that you\u2019re with. And there\u2019ll be some organizations that will have, you know, I have 100 people, I\u2019m going to have 100 engineers. But what I found was I needed people with all different types of skills. Having an engineer do your security awareness and education program\u2014not the best use of their time. Good people, they probably can do it at, you know, a B level. But let\u2019s bring somebody in that has a gift of gab and can have the conversations and works with the business and get an A-plus person in front of them they\u2019re going to listen to. Does the person have to have all the skills of the security engineer? No. You have a security engineer, and they talk to each other, and they can help each other grow in their organizations. I took someone that was a police officer in Ohio and he ran my physical security for me when I worked at Medco, one of our C2 dispensing plants out in Ohio. And I sent him to cyber forensics course. 
He tells me today\u2014and he is now the CEO of his own company that does cyber recruiting\u2014he told me that he didn\u2019t even barely know how to turn on a computer. And then he became a cyber forensics guy and now has pivoted over to understanding cyber talent to hire it and develop it. And so it\u2019s taking these jewels and listening, and I would bring my five or six top captains in and many times we would all disagree. And I told them: vote, vote. We were going to do it democratically, except I had 1,000 votes.<\/p>\n<p>David Puner: Yeah.<\/p>\n<p>Marene Allison: And they still laugh at that, where ultimately I was in charge and I was going to be responsible, so I would have to make the decision. But we\u2019d make it with everybody\u2019s input. And I\u2019d have the deep technical, I\u2019d have the people, the BISOs, the business, I\u2019d have my application security people\u2014we\u2019d all sit there and figure out what is going on before we made a decision.<\/p>\n<p>David Puner: So that\u2019s really interesting that you\u2019ve got all different types of talent and it\u2019s not necessarily one skill set or background that makes for somebody who would be a great cybersecurity practitioner. But then as far as cybersecurity leadership goes\u2014CISOs\u2014what qualities do you look for in the next generation of cybersecurity leadership?<\/p>\n<p>Marene Allison: Today we are lucky because the colleges and universities are actually teaching cybersecurity. I had FORTRAN programming. Not Python. But what I would say is today we have people that are learning in the universities, which will allow them to come in with a breadth of knowledge and understanding that maybe wasn\u2019t there 40 years ago. 
But they will also have to understand people because ultimately it will be their people that will\u2014they\u2019ll be the ones that say, \u201cHey, I\u2019m looking at this AI and this real-world database, and I think I\u2019ve found a problem.\u201d It is on the backs of people. And that\u2019s where I say the leaders are going to have to have that one foot in the technical side, one foot in the people management side, and the other foot\u2014I think I\u2019m using a Yogi Berra-ism there\u2014and the other foot in understanding the business you\u2019re in.<\/p>\n<p>David Puner: Really interesting. So then going from your previous career as a CISO now into retirement, from the looks of things and what the internet is telling me, you\u2019re not exactly taking it easy. You\u2019ve got a lot going on, including the blueberry farming, which sounds very low tech, but I\u2019m sure there\u2019s a lot of tech involved in it. What are you up to these days? And I definitely want to know all about the blueberry farming.<\/p>\n<p>Marene Allison: Retirement is something I think people in the seventies did.<\/p>\n<p>David Puner: Mm-hmm.<\/p>\n<p>Marene Allison: Which included a Barcalounger. But I think today, most of the people I know who are\u2014and I\u2019ll say that\u2019s when you could say, \u201cI\u2019m a former CISO.\u201d Right? I\u2019ve reinvented myself. I really should have been a cowgirl.<\/p>\n<p>David Puner: Okay.<\/p>\n<p>Marene Allison: So through some mentors\u2014mentees of mine\u2014I now have four horses. Every morning I\u2019m out there, out in the barn.<\/p>\n<p>David Puner: And this is in Florida, Northern Florida?<\/p>\n<p>Marene Allison: This is in North Florida. Barn time is just absolutely fabulous to clear your mind and to think of things and to also de-stress\u2014completely de-stress\u2014because you know when you\u2019re moving with a 1,000-pound horse, again, it\u2019s like skiing. 
If you don\u2019t watch what you\u2019re doing, you\u2019re going to be under it.<\/p>\n<p>David Puner: Mm-hmm.<\/p>\n<p>Marene Allison: So you have to be there. And before I get to the blueberries, I would tell you I\u2019m still doing things like this podcast. I\u2019m still working with VC, small companies and also working with PE firms looking at new technologies. I\u2019m kind of a geek at heart and I didn\u2019t really do it as a CISO because I didn\u2019t want to sway decisions on things that my tech people needed to make a decision on. So I\u2019m enjoying myself. And then who knew? I fell into the identity space working with companies like SPHERE and CyberArk and Venafi and ForgeRock, and there are just all sorts of companies that I found fascinating. And then I started talking to a number of women CEOs. Now I have met a couple of these women and am working with them to help them understand how to sell to CISOs, what space they need to go into. I heard or read something recently that right now there\u2019s about $2.7 billion in the identity space, and over the next five years it\u2019s supposed to grow to 6.6. So if anybody thinks identity is not important, seeing those numbers grow like that is certainly going to show how important identity is. And there\u2019s a lot of women CEOs in that space, which I enjoy working with. And then I\u2019m also on the board of the Association of Graduates at West Point. I truly believe in giving back to the organizations that helped grow you and help set you up for success. And I\u2019m president of the group for the West Point Women, which represents the 6,500 women West Point graduates. So I\u2019ve given back\u2014check that box.<\/p>\n<p>David Puner: Yeah. Remarkable.<\/p>\n<p>Marene Allison: But the most important one is my husband and I own an organic blueberry farm of 219 acres in North Florida. 
My husband worked in the FBI as a chief bomb technician for World Trade Center I and II, and to be able to then reinvent ourselves. And it\u2019s not about the blueberries as much as can I learn something completely new that I\u2019m not an expert at and then become good at it. And so we\u2019re now one of the largest organic blueberry producers in North Florida.<\/p>\n<p>David Puner: Can I get my hands on some of these blueberries up here at my local grocery store, or how do I get my hands on those?<\/p>\n<p>Marene Allison: They\u2019re through Michigan Blueberry Growers Association and the Naturipe label. And if you pull up the little clamshell and if you see 1493\u2014the year after Columbus\u2014that\u2019s our farm. You have gotten the mother lode of berries.<\/p>\n<p>David Puner: Marene Allison, I can say with confidence: we have to have you back on again soon. Really fascinating. Really great to speak with you. Thanks so much for coming on to Security Matters. Really enjoyed it.<\/p>\n<p>Marene Allison: David, thank you so much to you and the team for having me. I love CyberArk\u2014always have\u2014and have loved working in the identity space. So thank you for having me.<\/p>\n<p>David Puner: All right, there you have it. Thanks for listening to Security Matters. If you like this episode, please follow us wherever you do your podcast thing so you can catch new episodes as they drop. And if you feel so inclined, please leave us a review. We\u2019d appreciate it very much\u2014and so will the algorithmic winds. What else? Drop us a line with questions, comments, and if you\u2019re a cybersecurity professional and you have an idea for an episode, drop us a line. Our email address is securitymatterspodcast (all one word) @ cyberark.com. 
We hope to see you next time.<\/p><\/div>\n","protected":false},"featured_media":213765,"template":"","class_list":["post-211444","podcast","type-podcast","status-publish","has-post-thumbnail","hentry"],"acf":[]}