Expanse’s New CISO in Residence, Anthony Johnson: What You Need to Know

Expanse CISO in Residence Anthony Johnson.

Expanse is happy to welcome our new CISO in residence, Anthony Johnson! Anthony is a Managing Partner at Delve Risk, where he leads a practice focused on driving technology and risk management transformation on behalf of its clients. He brings extensive technical and executive leadership experience and will serve as a technology advisor and CISO in Residence to Expanse. Our CMO, Sherry Lowe, recently sat down with Anthony to talk about his background, what brought him to Expanse, security in 2020, and more.

Sherry: What brought you to Expanse?

Anthony: I met Tim and the Expanse team while I was on the buy side. When I saw the technology offered by Expanse and started getting into what Expanse is and what it can actually do, joining the Expanse Team was a no-brainer for me. What really draws me to Expanse is the applicability of the technology and how it can be used in a rapid manner for an organization to reduce risk. Something I always look for and value are the people I work with. At Expanse, the character of the team, the quality of the product, and the direction the company is heading are really what brought me to want to work with the company.

Sherry: What perspective do you bring to the vendor side?

Anthony: A lot of solution providers, particularly the more advanced technology solution providers like Expanse, don’t always have an available feedback cycle with buy-side executives. They’re working to craft a message and go-to-market strategy without necessarily being able to have all the data that other counterparts and other marketing organizations have. From my experience as CISO at JP Morgan to GE and leading massive teams to a lot of the advisory work that I’ve done, I am able to provide buy-side insight and perspective. I’ve pushed teams to think through operations before taking next steps and making decisions.

Sherry: How do you see the role of a CISO changing?

Anthony: It’s going to change fairly dramatically. Security leaders have had to validate their existence for a very long time. Today, CISOs are a must-have, and need to change the way they approach security and shift strategy from defending their position to paving the way, becoming thought leaders and innovators of some sort. Today, security leaders need to be much closer to the business, understand the directional value of assets while still being able to advocate for the right tools, technology and processes and flows in business. Additionally, with more regulations being put into place such as GDPR and CCPA, security leaders need to be aware of the regulatory impacts, making sure to not only make the right decisions to appease regulators but also do right by their consumers.

Sherry: What aspects of an organization can benefit from a complete asset inventory?

Anthony: It’s fundamentally a game-changer. Being able to understand your entire ecosystem is important for a couple of reasons. I like to use a different example for this, namely zombie movies. In a zombie movie, you run into a house and you’re setting up booby traps all around the house. To do so successfully, you have to know where all the doors and windows are. And if you don’t, you’re probably going to have a bad night, right? It’s going to be important for you to say, “Hey, these are the entry points and exit points of this thing that we’re protecting.” One of the things I love about Expanse is you really get that visibility of saying, “Hey, these are all the doors and here are the windows. Hey, by the way, we keep seeing somebody peek through that door. Did you know someone was breaking into your house right under your nose? We can help you fix that.”

The aspect of complete visibility is similar and very powerful because it enables you to make different decisions. A lot of security organizations will say that they monitor every aspect of the network, but security teams will invest time, money and resources to monitor things that probably aren’t needed on the high priority scale. Full visibility into the asset inventory enables you to apply resources and protection mechanisms where they are needed for most impact.

Sherry: What are some struggles that occur when an organization moves to the cloud?

Anthony: Part of it is making sure that everyone is clear on what the definition of complete is. Without a complete asset inventory, you don’t know what may be left behind or which parts are still struggling. Even more so when an organization acquires or merges with another organization that is in the cloud, making it more difficult to know what parts of that organization are vulnerable or open to bad actors. That’s where comprehensive visibility and solutions like Expanse provide an organization with the ability to know what was left behind and what areas in their network are still exposed.

Sherry: What are the front-burner threats for organizations?

Anthony: One of the largest threats for an organization is the security team not understanding the business of the organization. If that is the case, they’re going to make risk decisions that don’t actually relate to the overall business of the company. In short, they will make the business go slower than it needs to, because of a lack of understanding.

Sherry: Should there be a Sarbanes–Oxley Act for security?

Anthony: There should be some sort of a requirement or minimum standards for service providers that are supporting and providing services to the broader masses. For example, for small to medium businesses that can’t keep up with the complexity of threats, there should be some aspect of legislation or model such as a utility service or the government taking over a certain aspect of security to aid them with the complexity of threats.

Sherry: What is your proudest professional moment?

Anthony: A very proud moment was when I worked with a junior associate who, when I came into the organization, I was told needed to go. The org told me, “This is someone who is not salvageable, you need to find an exit path for her.” Instead, I spent time with her and helped her develop a plan and define what success was, together. I realized that she had a good skill set but she was in the wrong role. Through coaching and mentoring, we put her on a project management path. She is now a successful program manager.

Sherry: What do you like to do outside of work?

Anthony: Outside of work, I am a PC gamer. I’ve had a group of friends for around 13 years that meet up and play different PC games. Beyond that, I really enjoy tinkering with every aspect of technology. I actually spent a couple of years programming drones before they became commercialized. However, my real R&R is PC gaming.