Dr. Alissa Johnson, CSIO of Xerox and Former Deputy CIO at the White House, "We Need to Always be Raising Our Security Baseline"

The cybersecurity industry is one of the most evolving technologies today, and Dr. Alissa Johnson says one of the most important things that we–as a whole–need to do is continually raise the security baseline in order to prevent cyberattacks.
Johnson–who is also widely known as Dr. Jay–has been serving as the chief information security officer at Xerox (NYSE:XRX) since the fall of 2016. Prior to that, she told the Investing News Network (INN) that she spent three years working as the Deputy CIO at the White House under the Obama administration, she was responsible for internal technology at the White House, and even some of the Camp David and Air Force One technologies. After leaving the White House, Dr. Jay spent some time at Stryker (NYSE:SYK) before joining Xerox.
In our interview, Dr. Jay said that in order to be successful in preventing cyberattacks, it’s important to remember the basics.

“Security is not just the responsibility of the security team, but as we’re learning and realising–especially with all the spear phishing attacks–security is everyone’s responsibility,” she said.
Other highlights of the conversation include what businesses need to do differently in order to prevent insider attacks, what companies should be doing differently to prevent severe attacks, if businesses should be taking cyberattacks more seriously, what the role of her department is at Xerox, and her thoughts on blockchain technology being used in approaching cybersecurity moving forward.
Below is the transcript of our conversation. It has been edited for clarity and brevity.
INN: To provide a bit of background, can you speak a little bit about your role and responsibilities as deputy CIO under the Obama administration, and how you’ve transitioned into your role at Xerox?
Dr. Jay: As the deputy CIO, I was responsible for internal White House technology and that included technology at Camp David and Air Force One. All of the inner workings, the technology that the President holds under … the President of the United States. The President has two hats. One is Commander-in-Chief, and that is the commander of all military forces on the military side, and then there’s the president of all the US citizens. So the deputy CIO holds that role.
When I left the White House, I left before my term was up. I was due to leave at the same time the President left. As appointees, we can be kind of fluid, so I was there at the White House for three years. I left and went to medical technology, Stryker, and then left there and came over to Xerox as the company was splitting and became the CISO of Xerox.
INN: The first half of 2017, we’ve seen an increase in cyberattacks–both the amount of units compromised and the severity of attacks–what has made it so easy, so to speak, for these kinds of attacks, like WannaCry to happen?
Dr. Jay: When I look at WannaCry, I see a lot of synergy between WannaCry and a lot of the attacks in 2016. We kind of forget some of the basics. Technology is so evolutionary. It’s always evolving, there’s always new and great things coming out, and a lot of the time we forget the basics.
WannaCry came out, but from the security side–security professionals–we knew about it well before it came enough. Enough time had passed, and enough time to be prepared, and sometimes we need to remember the basics in order to be successful.
INN: What kind of basics do you mean?
Dr. Jay: I’m talking about patching. A lot of patch levels were not consistent with best practices which allowed a lot of [the] WannaCry [attacks] to happen. There are some upgrades. There are a lot of places where we allow the culture to dictate the governance. And what I mean by that, we may say ‘oh my goodness, this culture is not going to accept multi… authentication,’ or is not going to do well with changing their passwords every six months, or every three months, or whatever the system has directed, or said what the best practice is for that industry.
Well, take that and say, ‘well our culture is not accepting of that, let’s loosen it a little bit of it.’ We have to instead say what is the best governance for our industry, for our company and then teach the culture to be accepting of that. Educate the culture to be accepting of that.
When you do it the other way around, you make compromises. Sometimes they aren’t the best compromises. If you do it with a government directing, then you’re really thinking … risk appetite, what the … profile is. All of those things come first and then you educate the culture to make sure everyone knows.
Security is not just the responsibility of the security team, but as we’re learning and realising–especially with all the spear phishing attacks–security is everyone’s responsibility.
Those are some of the basic things. Even on our printers and print offerings, we recommend and really work with our partners and our customers to tell them, ‘what ports are open on the printer, those ports should be closed, those ones don’t have information coming through them.’ People should remember to look at their configurations to see if they’re still applicable from when you first set it up. Things like that that need some diligence.

INN: A lot of cyberattacks happen internally as well. What should businesses be doing differently to prevent insider attacks?
Dr. J: There has to be more education. This goes really to my comment that the government feeds the culture. It really goes into that mindset. Spear phishing attacks and different types of security campaigns to prepare our culture isn’t enough. There are some areas where we may think ‘oh that’s too much information, this is not a tech company, or this is not a security company, we may be feeding the culture too much information.’ But what we really come to realise is, even when they get home these practices that we’re teaching and invoking should translate into things that they’re doing at home as well. A lot of people have computers at home.
INN: With the severity attacks that we’ve seen in 2017, a new bar has been set to defend cybercrimes. What should companies be doing to match the severity so that those things don’t happen?
Dr. Jay: We need to always be raising our security baseline. That’s one of the things that we … do at Xerox by looking at our product offering, and even from an information services and how we handle our own infrastructure. We look at the baseline and say, ‘okay, next year we need to be adding more security. There should be more layers continuously being added.’
What that does is, that counters the new hacker tools, the new methods that they’re using. We are increasing the baseline slowly but surely every year. At some point, we’ll get this gap closer and closer and close in, and the gap will be smaller and smaller and smaller.
INN: In Canada, it’s estimated that roughly half of Canadian businesses were victims of cybercrimes in 2016. In June and July of this year, malware infections were in the 60,000 range. Should businesses be taking cybersecurity more seriously?
Dr. Jay: I think the savviness of hacker attacks is built around our inherent trust that we have. We as human beings trust to a fault sometimes. So that’s how spear phishing happens. They throw it out just like the actual sport. They throw the spear out into the water, hoping to get one. All you need is one, and that’s all it takes. It’s on our inherent trust, we don’t ask first, we trust first and then we ask questions later.
INN: At Xerox, can you speak a little bit more about what your department does to help organizations protect themselves against cybercrimes?
Dr. J: We partner a lot. One of our main focuses is our external partnerships. As I think about cybersecurity in the future, we really have to focus on external partnerships. When you’re getting a Xerox device or buying one of our document technology offerings, you’re not just buying a printer, you’re getting an external partner–a long lasting partner–because that’s the only way we’re going to make this work. Security, we have to continue to tweak, and fine-tune and adjust. Dropping it off and walking away doesn’t allow that relationship to happen.
So we focus a lot on our partnerships, we focus a lot on our channel partners who also sell as well on our behalf and making sure they know there’s always us to reach back to. When I say we bring our partnerships, we have a long-lasting partnership with McAfee. McAfee has added various layers of security within our print devices. When you get Xerox, not only are you getting Xerox, but you’re getting Xerox and McAfee. If there’s issues, we have all of these different layers that we bring to the table to help solidify what that looks like.
When you think about the Internet-of-things, it’s really about integration as well. You’re trying to integrate not only with the system, but it’s got to integrate with security, platform. It’s got to talk and send analytical information as well. We’ve got an analytics engine in our printers. We want that to feed into whatever you need.
When I talk about partnerships, it’s all of those different levels.
INN: Does that apply when there’s an attack on a Xerox device? Is that when those partnerships come into play?
Dr. Jay: The partnerships come into play. When something happens to our device … it’s really about protection of the brand as well and making sure the brand stays in a good light. We continue to maintain that high level of assurance that when we deliver, we’re delivering for long term.
INN: A lot of cyberattacks are asking for ransomware like a cryptocurrency such as bitcoin to retrieve stolen information. As a result, blockchain technology is becoming more popular in approaching cybersecurity. What are your thoughts on this trend moving forward?
Dr. Jay: I think it’s definitely the new direction and we aren’t at place–and when I say we I mean those on the right side of the law–we have not evolved quickly enough to address, so that’s why I really talk about continuing to raise our baseline, because we hear the buzz. We hear that happening, we hear ransomware going to bitcoin and things like that, but we on this side haven’t really dealt with it and packaged it enough to say, ‘this is how we want to deal with it.’ We’re still trying to remediate legacy issues, figure out why we’ve got Windows and these devices on the manufacturing floor. It’s things like that that kind of hold s back from continuing to look forward.
While we continue to look forward–and I say we as technologists–tend to look forward and sometimes forget ‘these are the basic things I need to continue to do while I look at bitcoin.
What we are lacking in all areas is information sharing. When you think about it from the hacker side, that’s what the dark web is all about. The dark web is about information sharing. A hacker doesn’t even have to write his own code. He can say, ‘I want this, I want this, and I want that.’
We on this side, we’re sometimes afraid to share vulnerabilities that we have in our system with another company for fear that it may get leaked … and it hinders us in a way. We’re trying to protect ourselves, but we have to think about this a little differently in how we want to protect ourselves, and the right ways to protect ourselves.
Don’t forget to follow us @INN_Technology for real-time news updates!
Securities Disclosure: I, Jocelyn Aspa, hold no direct investment interest in any company mentioned in this article.
The Investing News Network does not guarantee the accuracy or thoroughness of the information reported in the interviews it conducts. The opinions expressed in these interviews do not reflect the opinions of the Investing News Network and do not constitute investment advice. All readers are encouraged to perform their own due diligence.