Q&A with Dr. Alissa Johnson, Chief Information Security Officer, Xerox
By Canadian Security
Dr. Alissa Johnson, or “Dr. Jay” to her colleagues, can rightly claim a diverse career in security.
She served as Deputy Chief Information Officer for the White House during the President Obama administration and has since moved her skillset to the private sector. Now, as Xerox’s CISO, she fulfills several functions, collaborating with divisions within the document and IT company, as well as protecting the organization as a whole and working with clients.
Dr. Jay spoke to Canadian Security about wearing different security hats in a multi-tiered organization and how government and industry share many of the same pain points. An edited version of that conversation follows.
Canadian Security: How do you fit into the Xerox organization?
Alissa Johnson: I am the chief information security officer, the “speaker of the house” for security for Xerox: the security of information services, and that includes applications, data, processes and infrastructure. Product security as well, as an advisor and making sure we have the right security baseline in our products and making sure we elevate our baseline every year, as well as doing the right things for our customers and protecting their data. I wear two hats… One is the vice-president of global security services and the other hat is CISO, which gives me more breadth and responsibility.
CS: How do you juggle those roles on an ongoing basis?
AJ: There’s a lot of collaboration. Even when you have a CISO who is not speaking in terms of products, you have to have some synergy between the two. When I think about product [security] versus internal security, I am protecting an infrastructure, but also I am putting pieces in place in other people’s infrastructure. I have to make sure I’m not only doing the right thing for Xerox, I’m making sure that our integration is seamless. I’m a consumer of the goods and I’m a producer of the goods. I know what my pain points are.
CS: Do you collaborate with other security professionals in the organization?
AJ: I work with a physical security team and I share various security services so we can leverage each other’s wealth of knowledge. There is no “CSO” — I am the overall point person for security.
CS: With all the public breaches and large companies affected, does the problem become insurmountable?
AJ: Someone asked me, “Are we going to get used to being breached? Will we become desensitized?” But I think as the Internet of Things rolls out, it’s not just a big company that got breached, now this really affects [the individual]… “You mean my [home security camera] got breached and now a hacker could be watching me?” People will start thinking about the Internet of Things from their own perspective.
CS: How does your public sector security experience relate to what you’re doing now on the private sector side?
AJ: We’re not holding nuclear secrets at Xerox, but what I’ve found is that the tools hackers are using to get into the White House are the same tools that they’re using with Xerox. That’s what the Dark Web is for.
The “beauty” of the Dark Web is the information sharing that happens. Hackers don’t say, “I’ve got to do all of this coding…” What they do is search the Dark Web and say, “I want a piece of code that does this, a piece that does this, etc.” They will either find it for free or pay $2.99 for it. That’s the benefit of the Dark Web.
When you come over to our side, the right side of the law, the information sharing isn’t the same. We are so fearful, even sharing between government agency and government agency, private sector to private sector, industry to industry. We are so protective of what we share.
That level of protection, I think, hinders us from closing the gap sometimes between the right side of the law and the wrong side of the law. When I think about my experience being in public sector and private sector and how we’re all really trying to fight the same fight — that is the gap.