Lisa Johnson: The Team Builder

To Nike CISO Lisa Johnson, rock-climbing trips with her security staffers are more than a team-building exercise: They are symbols of the way she approaches her life and careerone relationship at a time

It's not unusual to see Nerf darts whizzing across Nike's information security office. And right in the middle of all that flying foam you'll predictably find Lisa Johnson, Nike's charismatic CISO. Johnson, who goes by the nickname "LJ," and her small staff of seven spend a lot of time together both on and off the job. The group has gone rock-climbing, skiing and wine-tasting together. A few brave souls even accompanied Johnson skydiving. To an outsider, this might just look like a group of thrill-seeking oenophiles, but Johnson sees some serious business benefits to the downtime she spends with her team.

"We're not always the most popular people at the party," she acknowledges of security professionals. "Our jobs tend to involve a lot of intensity and stress, and it's important to balance that with a little fun and silliness."

Because of the time the group has spent together, Johnson knows that when the pressure is on, she has a tightly bonded and cohesive team, a group of people who know their boss trusts and respects them.

Braun Tacon, Nike's global security operations manager, has worked for and with Johnson for the past three years. He describes the experience as "rowdy, raucous, ever-challenging and extremely satisfying." The time that she has spent getting to know her team has taught her how to get the best from them. "LJ leads by planting seeds," says Tacon. "Her method of delegation is to come over, describe a problem, then ask your opinion of what could be done. The conversation bounces back and forth, each side feeding off the ideas of the other. She has a knack for making you think that her idea was your own, and she allows you to carry the idea to fruition, never claiming any of your success, but always willing to take her share of the blame if things don't go well."

Relationships with a Purpose

But Johnson's efforts at team-building are not limited to her staff. Building relationships is a skill that comes naturally to her, and she does it with the conscious knowledge that it will make her a more effective CISO. She is currently reaching out to her fellow executives at Nike, encouraging them to take ownership of security within their individual business units. And to help herself in that effort she went back to school for a master's in management so that she could talk to business executives in the terms they feel most comfortable with.

Johnson says she is also always looking for new ways to reach out to her peer security executives in the Pacific Northwest, to glean whatever knowledge she can from their experience and to share what she sees. "I'm always reading, listening and learning," says Johnson, who turns 44 this month. "I don't believe we can ever stop learning, and we must be prepared to change our strategy and the way we see the world."

Johnson's team-focused approach to security is a far cry from her early experience in IT, when she was the team. She started out as the sole computer manager (and later network administrator) for a small engineering firm. In 1993, she moved into the IT group at US Bank, where she was first introduced to security at the bank's operations center. Surrounded by people with security backgrounds, Johnson absorbed as much information as she could. What kinds of controls did they use? What did security people care about? Security seemed to touch every single layer of technology, from the switches and routers to the applications. "I couldn't stay within a single comfort zone," Johnson recalls. "I had to learn a lot about all the various areas of technology." She quickly discovered that the variety of this new discipline was a good match for her own strengths and interests. "That's a trait of mine. I'm always open to new challenges," she says.

In 1998, tired of the merger mania that had overtaken the banking industry and eager for another new challenge, Johnson joined Nike as the senior security architect and engineer. Her new job focused primarily on security architecture and operations. In this role, she sought to integrate security with business strategies and processes while working with legal, audit and risk management executives and promoting security awareness throughout Nike. In 2000, Johnson became global IT security manager for the $12 billion company, responsible for security operations, architecture, project consulting and awareness.

From the start, Nike executives were impressed with Johnson. Ralph Diiorio, Nike's director of global subsidiary IT, was Johnson's manager for the first few years of her Nike career. "LJ is very adaptable to change, and there was a lot of change happening at Nike at that time" in IT security operations, recalls Diiorio. "When she first started, her role was very technically focused, but in the last five years security has become more of an enabling process, there is more of a business focus." One of Johnson's defining characteristics and a secret to her success, according to her peers, is that she is a perpetual student, always trying to learn as much as she can and looking for new ways to improve herself.

In 1997, Johnson went back to school part-time for her master's of management in science and technology at Oregon Health & Science University in Nike's hometown of Beaverton, Ore. "I felt like I needed something that had that blend," she says of the program that mixes business management and technology. "I had to get those fundamentals of finance and strategic planning. We did case studies within a high-tech context that I could apply directly to my role." She also committed herself to learning as much as she could about Nike's business. Johnson became a voracious reader of quarterly reports and started to learn the terminology that she would need to communicate effectively with her peer executives in the other business units. "I started to network outside of my technology teams, and what I found was a different nomenclature and set of priorities that I needed to learn so that I could understand what was important to our business leaders."

Education Dividends

Johnson has put her business education to good use particularly in Nike's intellectual property protection efforts. She drew up a proposal to build partnerships with Nike's China-based footwear design groups, production teams and factory partners that would improve collaboration and production processes and also reduce information leakage. With her proposal she was able to show that enhanced security would have a direct benefit to the company's bottom line. "I hadn't done that before," says Johnson. "The epiphany that I had is, if [security] doesn't help grow the business, then why are we doing it? If we're not providing value to the bottom line, then we're not doing our job."

Johnson also started to network with her security peers outside of Nike. She founded the Portland chapter of the Information Systems Security Association (ISSA) in 2000, and got involved in groups such as the Information Systems Audit and Control Association and Women in Technology International.

Howard Schmidt, former chief security strategist at eBay and at the Department of Homeland Security's Computer Emergency Response Center, recalls meeting Johnson when he was president of ISSA and she was the president of her regional chapter. "When I met her, it was clear that she got it," says Schmidt, referring to the need for security professionals to look beyond technology to the people and processes that form the other legs of the stool.

Schmidt started to work with her, and when he went to the White House to direct the national strategy to secure cyberspace, he began introducing Johnson to national organizations and events due to her expertise. Johnson describes Schmidt as her networking guru, but it is clear that she was a star student and the admiration goes both ways. Several times when Schmidt has been unable to accept a speaking engagement he has recommended Johnson to take his place. "She is a natural person to reach out to because she has the experience and can articulate it," says Schmidt.

To this day, Johnson relies on networking to glean best practices and to exchange strategies with her peers. She played a key role in organizing a recent meeting in Seattle where the top security managers and executives from Nordstrom, Starbucks, Premera and Nike (about 10 to 12 people in total) gathered for a day to discuss common challenges and issues. The meeting was held to talk about projects and current security issues in an intimate setting that fostered a lot of give and take. "The meeting went all day, and then we had a great dinner with more collaboration and storytelling," says Johnson.

Johnson was the driving force behind this event, recalls Barbara Padagas, director of information security for Starbucks. "She called me up and said, I'm taking my engineers on the road!' And that's just one example of how well she uses her network." Padagas praises not only Johnson's networking skills but also her attitude, which enables her to take the advice and experience she gleans from her counterparts and put it into practice. "She doesn't feel that she has the corner on the market for being right," says Padagas. "She'll learn from other people what works well and apply it, and she'll learn what doesn't work and won't do thatshe's got a gift that way." Johnson's willingness to make a road trip to reach out to her peers epitomizes her leadership style in Padagas' view.

As an executive, Johnson is described as driven and outspoken. However, even when the message is potentially unpopular, it's usually well received because she has established herself as a trusted voice in the company. "She is looked to as someone that has a very high level of integrity," says Diiorio. "Her input is never self-serving; it's always what she feels is best for the company."

An Outstretched Hand to Business Leaders

In 2004, Johnson took an uncommon responsibility for the evolution of her role within Nike. She presented the CIO with a proposal for advancing Nike's security program to the next levela focus on business outreach and alignment that would also change her title to CISO. Although the proposal involved uncoupling Johnson from her operational duties for the IT group, the CIO viewed it favorably because it was the logical next step to the global security program Johnson had proposed, launched and successfully enacted two years earlier. "[To reach out to the business units,] it was critical that I not be tied to the daily security operational issues," says Johnson. "I restructured our team so that only strategic planning and awareness functions were on my plate. I also physically moved my office out of the security area so that I would not be tempted to be pulled into the operational issues and daily fires." Next, she began meeting with vice presidents and key business unit leaders to better understand their security concerns. How could security help them? How could it enable market growth or productivity? What did the business units consider to be an acceptable level of risk? From those meetings Johnson was able to generate a new set of directives for the security team.

Johnson believes that influence and marketing skills are critical to a security executive's success. "Ninety-nine percent of the time, we don't have the responsibility or authority to make people do what we want," she says. "We have to influence upwards to get executive support for what we need, and also influence the employee population as a whole to make them understand the value of what we do." Diiorio applauds her for her work in building a "virtual security organization" at Nike with 50 to 60 line-of-business executives who are critical partners to the security team. Johnson needed those executives to champion security within their own groups, and she convinced them by helping them understand that they have "skin in the game," to borrow one of her favorite phrases. "She creates shared vision and shared value very well," Diiorio notes. "She explains the value [of security] to them in terms they understand."

Johnson also emphasizes the importance of people skills in communicating value and marketing a security program to customers. Security executives and IT folk in particular have traditionally been short on those softer skills. She says she's always been a "social person," but continues to practice ways to connect with others. "Building relationships builds mutual trust and grows knowledge," she adds.

"She's articulate and friendly and open," says Padagas. "She makes friends easily, and I gravitated to her right away." Schmidt agrees. "She's someone that you'd like to be friends with, and that gives her the entrée to talk to senior people and junior people and carry the message."

Since Johnson is always looking to take on a new challenge, it's not surprising that she still thinks she has some work to do in the CISO role. One objective that she continues to struggle with is moving security away from the traditional position as the corporate enforcer. "I'm trying to figure out how best to put the steering wheel back in the hands of the people that need to drive. I'd like to move us into more of an advisory role so that instead of telling them how to drive, we can help them to make a turn here and there."

She has also developed a fascination with risk management, noting that there are so many entities within the corporation that are focused on risk that it seems inevitable that these areas should converge under a single risk umbrella. "If I were an executive who had six people coming into my office asking me to be on their risk council, I'd say, Why aren't you talking to that other guy who just came in?"

Copyright © 2005 IDG Communications, Inc.

The 10 most powerful cybersecurity companies