A Hacker’s Vision

How Joey Johnson’s background influences the way the Premise Health CISO handles his role today

Joey Johnson, Premise Health

Joey Johnson has a knack for pursuing his passions. Right now, the chief information security officer for Premise Health is most passionate about employing security fundamentals with a hacker’s vision in order to keep the company’s systems safe.

Johnson’s first passion, however, was anthropology, a subject he pursued in college until his now-wife helped him realize that career paths in the field were limited. So, he started looking elsewhere.

“I had a friend in IT sales who was making $80,000 a year,” Johnson recalls. “I thought that was spectacular, so I started studying computer networking.”

His timing couldn’t have been better. In the late 1990s, many companies and organizations were just beginning to understand the importance of IT security. At the outset of his technology career, Johnson landed an internship with the Metropolitan Washington Airport Authority in 2000, and the experience left quite an impression. A colleague at the time also introduced Johnson to the idea of hacking as a means to solve and prevent security breaches.

“He showed me that a hack is just an interesting solution to a challenging problem,” Johnson says. “At the time, there was no such thing as ethical hacking or that being a career path. It was still this mysterious world of people up to no good.”

Johnson admired that hacking made him look at network security challenges from different perspectives. It was like solving a fascinating puzzle. The more he did it, and the more he met other IT professionals doing the same thing, the more he enjoyed it.

“This whole world of fascinating people and characters with a unique way of perceiving the world opened up to me,” he says. “In a way, it really appealed to my anthropology roots. I appreciate different cultures and diverse ways of perceiving the world.”

Before joining Premise Health in 2010, Johnson served as chief security officer for the US Department of Commerce, Office of Computer Services. He now has almost two decades of experience in cybersecurity that includes leadership roles in both the public and private sectors. In February 2017, the Nashville Technology Council named Johnson its CISO of the Year. A month later, he was separately named the 2017 Southeast US Security Executive of the Year by the Technology Executives Network.

A hacker’s vision has helped Johnson succeed just as much as a willingness to go against the grain. He doesn’t think of himself as a maverick in the world of IT, though.

“When you’re the one walking in your own shoes, you don’t necessarily think you’re doing anything different,” he says. “You’re just doing things the way you do them. I’m always looking for ways to reach goals in the most efficient way possible.”

That can get lost in a vast corporate culture, where IT personnel often keep doing things the way they’ve always been done. Johnson doesn’t believe in that.

“I’m always taking opinions and thoughts from other people, but I never was afraid to go down a path that seemed different just because it was different,” he says.

Johnson explains the idea with a metaphor of a door that has eight locks on it. Asking how to get past those eight locks is the wrong question. A better idea is looking around the room for other ways out, like that open window on the other side of the room.

Johnson’s value to Premise isn’t only his ability to see challenges from different perspectives, though. He also has an ability to articulate his methods in nontechnical terms to leadership so that everyone can understand what he’s doing. That’s a rare quality in the IT world, and it presents a challenge to him now as a hiring manager.

“There’s a massive shortage in cybersecurity skill,” Johnson explains. “People are not at the right level for those jobs, but they’re being put in those roles anyway. The work has to get done, but there are not enough people currently in the market to do it.”

This challenge is recognized throughout the industry, but Johnson tries to address the problem from a different perspective. “We keep hearing that we have a cybersecurity talent deficit,” he says. “We don’t. What we have is a skill deficit. The talent is out there.We just have to be more creative in identifying it and drawing it out. As a society, we’ve taken this approach in finding new ways to get to elusive pockets of oil reserves. We should be using similar tactics to draw the raw talent out from places beyond the job boards. The white male saturation of the cybersecurity market is embarrassing. We need diversity, not just gender and racial diversity, but also diversity of thought and perspective. That’s what being successful in this field is all about.”

Another challenge Johnson and other IT executives face is the flood of security solutions in the marketplace.

“We’ve actually reached a tipping put of diminishing returns,” Johnson says. “Companies are throwing these solutions at problems, and what they should be doing is focusing on the fundamentals.”

The Equifax data breach last September, for instance, came at the expense of the company failing to deploy a patch. These aren’t always easy fixes. Systems patches take IT teams a lot of time and effort, but it’s fundamental work that doesn’t cost companies the price of new security solutions.

“A lot of the solutions out there are great,” Johnson says, “but if you don’t know the right requirements for the tools you need, then you won’t get what you need at the end of it.”

Johnson has also shown his expertise in prioritizing risk. Again, he uses a metaphor to explain his outlook.

“The Great Wall of China is massive, but when you get out to the far reaches of the Gobi Desert, it’s crumbling,” Johnson says. “You can only protect so much. Is all of it worth wrapping a wall around? You need to know which assets are most valuable to you, and you need to know those assets intimately to protect them.”

Johnson’s skills will only get more valuable as the importance of CISOs becomes more apparent. The role used to be behind the scenes, but now it’s front and center in many companies, including Premise Health.

“Corporate boards want to hear where the IT organization is at because they know something can go bump loudly in the night, and the company can collapse over it,” he says.

Fortunately for Premise Health, its CISO has a knack for vigilance, both night and day.

Photo:


As the leading provider of healthcare security operations solutions, Syncurity congratulates Joey Johnson and the Premise Health team on the well-deserved recognition of their efforts. Syncurity is proud to continue working with Joey and the Premise Health team to reduce cyber risk and drive efficiencies across their security operations processes.