Soulful CXO Podcast

Bridging the Gap Between Technical Risk and Business Risk | A Conversation with Joey Johnson | The Soulful CXO Podcast with Dr. Rebecca Wynn

Episode Summary

In this episode, we sit down with Joey Johnson, Chief Information Security Officer at Premise Health. Joey shares his unconventional path from archaeology and the restaurant industry to cybersecurity leadership. He emphasizes the importance of building strong relationships, understanding business risk appetite, and communicating with empathy. Learn how aligning security initiatives with business goals can drive better outcomes and foster organizational trust.

Episode Notes

Guest: Joey Johnson, CISO, Premise Health

LinkedIn: https://www.linkedin.com/in/joey-johnson-6453999

Host: Dr. Rebecca Wynn

On ITSPmagazine  👉  https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/rebecca-wynn

________________________________


Episode Description

In this episode of Soulful CXO, host Dr. Rebecca Wynn welcomes Joey Johnson, CISO at Premise Health, who brings a unique background in archaeology and hospitality to cybersecurity leadership. Joey discusses how strong internal relationships and understanding business risk tolerance are essential for aligning security with organizational strategy. He shares how storytelling, not just metrics, resonates with boards, and why listening is one of the most powerful tools in a leader’s toolkit. As healthcare and tech rapidly evolve, Joey offers a grounded, human-centered approach to managing risk and enabling innovation.

________________________________

Resources

Diverse Experiences: The Key to Stronger Security Leadership: https://www.linkedin.com/pulse/diverse-experiences-key-stronger-security-leadership-dr-rebecca-ouvvc

Lead with Authenticity: Embrace Your True Self: https://www.linkedin.com/pulse/lead-authenticity-embrace-your-true-self-wynn-soulful-cxo-563rc

Sustaining a Feedback Culture: Advanced Techniques and Real-Life Examples: https://medium.com/@soulfulcxo/sustaining-a-feedback-culture-advanced-techniques-and-real-life-examples-d5030c3e2c8e
________________________________

Support:

Buy Me a Coffee: https://www.buymeacoffee.com/soulfulcxo

________________________________

For more podcast stories from The Soulful CXO Podcast With Rebecca Wynn: https://www.itspmagazine.com/the-soulful-cxo-podcast

ITSPMagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine


Episode Transcription

Dr. Rebecca Wynn: [00:00:00] Welcome to the Soulful CXO. I'm your host, Dr. Rebecca Wynn. We are pleased to have with us today Joey Johnson, the award-winning Chief Information Security Officer at Premise Health, a provider of large employer-sponsored health and wellness centers for employees.

Before joining Premise Health, he was Chief Security Officer for the United States Department of Commerce, Office of Computer Services. Other cybersecurity experience included leadership roles in both public and private sectors, focusing on organizations in the federal government, information technology, healthcare and transportation industries.

Joey, my friend, welcome to the show. 

Joey Johnson: Thank you very much, Rebecca. I think it could be summed up to say I stayed pretty busy. 

Dr. Rebecca Wynn: You sure do. And you travel quite a bit too. Your background is super fascinating because I can't think of another CISO in our field who started out in archeology.

Can you walk us through that story?

Joey Johnson: Sure. I think, going way back to when I was 18, [00:01:00] 19 and just out of school, honestly my passion was really around anthropology and archeology, just the people sciences.

I think from the time I was as little as I can remember, I found an old box of National Geographic magazines outside that someone was getting rid of. It had 50 of them in it, and it was like I had found treasure. Ever since then I was hooked on it and really interested in different cultures and philosophies and all the historical cultures that brought 'em together.

And so I just always grew up with the bent towards it, and it was always just really interesting to me. I met my lovely bride when I was 19, and she said, So what are you gonna do with anthropology? Exactly. And I said, I don't know. I had a friend who at the time was in sales for Microsoft, and I said maybe I'll give that a shot. I was never really a person who wanted to go into sales, but I just turned it into something I studied in school. I found out that I was really interested in technology, and I was really interested in the security side of it, so it went from there.

But I will tell you that I think, as I look back, the lessons I learned from that school of study, [00:02:00] working in restaurants and dealing with people, are actually some of the greatest lessons I've taken with me into my leadership today.

Dr. Rebecca Wynn: Can you share some of those lessons that you think have transferred into your leadership? 

Joey Johnson: Yeah, absolutely. Everybody knows, and those who've worked in restaurants certainly know, the customer's always right.

But one unique thing that I think is different, and maybe even controversial, in my security outlook: typically security leaders are really focused on risk reduction, which is great. It's our job, but I look at it from a business leader perspective of understanding what the business risk appetite is.

And as crazy as it sounds, those were lessons that I learned when working in restaurants. You'd have people that would come in and they were upset. They didn't even come there to have a good time. They showed up and they're like, I've had a bad day, I'm gonna make you have a bad day.

You had to learn how to defuse those situations, right? You had to learn how to spend more time listening than talking and really understanding where someone was coming from. And I made it my personal mission, when I had someone who came in that was so frustrated, I was like, I wanna make sure that they have a good time when they leave here.

I wanna make sure that we find a way to be creative and solve their problem and [00:03:00] make sure that they have the good time they came here for. It sounds like an odd analogy, but the corollary is in business, specifically in security leadership, you're dealing with very high stakes. Security issues go straight to the top very quickly and people get panicked very quickly.

And so you are having to manage multiple different things, right? You have to manage a leadership audience who understand these are high-stakes games. You have to manage a technical team who could be running in different directions, and you have to calm that audience down and walk them through it.

You're having to deal with legal audiences who are saying, Hey, what's going on? Where are we? Customers you have to keep happy. So there's really this massive sort of people skills, soft skills side to the thing that I think is really critically important, to just be able to get out of the technology.

And at the end of the day, you're working with people.

Dr. Rebecca Wynn: You mentioned tying into the risk appetite of the organization, but a lot of companies, when you ask them, what's your enterprise risk management, what is your risk appetite? They haven't had it defined or well defined. How do you recommend that we navigate that?

Joey Johnson: I think everything starts with relationships, doesn't it? I've been the [00:04:00] CISO at this organization for 14 years now. I joined Premise Health when I was the only security person. We've grown 10 to 15 times in that time.

Now I've got a team that's almost 50 people. Through that whole time, it was really building relationships and listening to the other leaders: Hey, what are you guys dealing with? What are you working on? What's hard for you? What's challenging? I found that there's always a security underpinning that can contribute and help the business in pretty much every vertical.

But when you look at it, what I found in talking with other leaders is, the world that we live in, it's moving really fast. Every one of us knows, you go to any conference, every year there's new acronyms that are getting thrown out by Gartner or whoever, and sometimes we laugh, but we know it's moving really quick and it's hard enough for us to keep up with it.

For a non-technical audience, this is a completely foreign language. You really have to change that message. But what I found was that those leaders do understand risk. Even if they don't have their risk appetite defined, they inherently know what it is and their level of comfort.

They understand execution risk, they understand financial risk, they understand market perception [00:05:00] risk. They understand all of these risk elements. What they don't always understand really well is the cyber world and where the security risk is. What I have found is, where you're trying to close the risk appetite gap, the challenging thing is they know there's this big scary monster called cyber and the cyber threats, but they don't understand where to allocate resources to it in the best way to get the best.

It seems like there's 500 things that they can apply resources to, and so how do they get that bang for the buck and make sure they're making the right investments?

Dr. Rebecca Wynn: One of the things that I know is always a bigger challenge is when we're trying to present that to the executives or the leadership board. Have you found the secret sauce, the holy grail, an effective way to try and present those to the board or to the executives?

Joey Johnson: I think we've found an effective mechanism in our world, but also, sitting on the other side of the table when I'm on boards and advising them, I actually think it's not a one-size-fits-all thing. Every board is different. We know right now, looking at SEC outcomes, that there's really this push to get that cyber presence directly [00:06:00] on boards, but not all of them have 'em.

So it really depends upon who is the board? What is their personality? What is their outlook? What is their risk appetite? How well do they understand what's happening? Usually at the board level, I have found, it's a narrative.

I'm fortunate enough that I meet with my board fairly regularly, formally and informally, with different members of those groups. I have found that they don't really care as much about specific metrics. What they care about is the narrative and the trajectory of the business and what the direction of the business is and where it could introduce risk.

For example, we started having conversations to say, I can manage all these metrics over here with my executive team, but at the end of the day, if we were not a software development company and we now want to look at making acquisitions of companies that are, because strategically that benefits us, you need to understand there are subsequent investments we're gonna need to make to implement a secure SDLC, to make sure we can develop software end to end, release it appropriately and have all the security controls in place. We're gonna have to protect our source code. We're gonna have to protect how we build secure code. We're gonna have to worry about open source [00:07:00] security issues.

Those were the kind of things they understood: okay, I understand that there's an ancillary additive cost and level of work and effort to do this. It drove a conversation to say, Hey, the thing is that we can scale things pretty well. If you want to buy one software company, you're gonna need to make the same investment as you do if you wanna buy 10.

But if we make those investments, you can then go buy 10 and not have to do this over and over. Because what I found was a lot of times the concern was that the cost to do this thing securely seemed disproportionate to this investment that we wanna make. And on a one-to-one basis that's true.

It could be. Our job is to make sure that we build a safe hotel for all the people. If you put one person in it, or 10,000 people, we still need to build the same safe hotel with the same supplies. So that was part of it. The other thing that I've found is really understanding, as a security leader, what your relationship is with your own internal executive audience.

The one thing that you don't wanna do is throw the rest of your executive team under the bus, or make it look like, hey, I have either an adversarial relationship with [00:08:00] them or I don't have an audience with them, and put things that create more consternation and tension within your organization.

You really need that alignment with your own executive leaders, to say, Hey, what is the narrative you guys are presenting? Cuz if you're coming in cold with a security story without the context of everything else they're hearing, it's probably gonna fall on deaf ears or they're not gonna know what to do with it.

But if you can say, Hey, what's the narrative you're presenting? What are the things you're asking the board to make a decision on, weigh in, opine on? And align the message to that. That tends to be very helpful.

Dr. Rebecca Wynn: I know I've witnessed it myself personally, and I've known other peers where we just have maybe one or two executives that will not listen. They will not have ears to listen at all. Have you run into that, and if you have, have you been successful in overcoming it? I know the people I've talked to, we haven't been so successful, so do you have any words around how to be successful with people who maybe don't innately want to listen to security, or maybe you just have a personality clash with?

Joey Johnson: Yeah. I think it can be all those things, right? There's a reason that I've stayed with this organization for so long. Everyone rallies around and respects the [00:09:00] security mission. But in past lives, that was not the case.

We had people that just, it was a nuisance. It didn't matter what I said. It was unimportant. They were gonna do the minimum they had to do, and do it begrudgingly. It's like anything, right? If there's an audience you're not going to win over, focus your attention elsewhere.

As security folks, we're not gonna run out of things to do. You can get inertia behind enough other initiatives that eventually you can circle back around to them and pull them in. But if you're spending all your time swimming upstream, you're not gonna get a bunch of other stuff done.

That gave me time to be creative. I would still try to keep the relationship open with those leaders, even if I knew they were against the security mission, to understand what they're working on, what their challenges are.

And I found that over time we would find ways to launch security initiatives that could actually benefit them, right? So if it was my chief medical officer that was super annoyed about all this stuff, cuz MFA is a big pain and they don't want us in their clinical engineering team messing with their medical devices, we could come back the other way and say, Hey, by the way, I'm not sure if you guys are interested in adopting this, some other business units are, but we found ways to really streamline [00:10:00] logins through SSO and through some other things.

Here's what that could look like for some of your clinicians. That was a different approach: instead of saying, Hey, I'm coming with a hammer, saying, Hey, I'm coming with some things that I think can really be beneficial, and I'm curious if you're interested. That did tend to change the conversation again.

Rebecca, it's kinda like going back to the restaurant analogy, right? How do I get you to a better place? What are the things that I can do to influence the outcome the way that I want it? And it's not always gonna be successful, but it doesn't mean that you abandon it.

Dr. Rebecca Wynn: One of the things I've seen is, like when you said multifactor authentication, we're just gonna flip it on for everybody and we're not gonna look to see how they might be impacted with applications they need and things along those lines. Is that what you see too?

Is it us not understanding the business enough that it's all in or nothing and we will not do it gradually? Do you find that holistically as being an issue on our part?

Joey Johnson: I totally agree. It's hard. It requires discipline for us as security leaders. We see things that are on fire and really need to be addressed.

There's an urgency behind that. That's a balance we have to have, right? We need that sort of outlook and urgency to be effective, to [00:11:00] protect our organizations. But at the same time, if you do that recklessly, you're gonna not build advocates, right? And in an MFA rollout, you could disrupt workforce operations that are critical.

You could cause a deluge on your help desk support team. And every time you do one of those, you're gonna lose confidence with all those other organizational departments that are gonna say, this person's gonna go off recklessly and do whatever they wanna do, and I'm not gonna get on board unless I have some kind of stake in it, or unless I have some kind of influence on the outcome.

The path to failure is paved with good intent, right? So you can be well intended to try to get something rolled out, but you're not building advocates in the organization. And I actually feel like it's the old saying: make sure you reserve a little dry powder.

You wanna build up enough organizational confidence that when you do need to hit that nuclear button and say something's wrong and I need to shut something down right now, you have that organizational belief. You've established a track record of being responsible and understanding the business operations.

Listen first, act later. When you do need to do that, you have the leverage too.

Dr. Rebecca Wynn: We do see a lot of CISOs, I'd say, really reevaluating their [00:12:00] position as CISOs, cuz some companies out there might not be supporting you; maybe it's just the wrong company. But now as we look at more emerging technologies, and we see our avenues of attack go up exponentially, how do you see that being dealt with in healthcare holistically? Because healthcare is one of those ones where you're trying to get out of legacy systems, and dealing with all the emerging technologies just took off on steroids.

Joey Johnson: Yeah. It's a great question. The first thing I would say is, you have to look at healthcare as different verticals.

The operating maturity of biomed and pharma is at a far higher level. The operating maturity of sort of the insurance side of the equation on the healthcare side, payers, is at a far higher level, and then you look to some of the provider entities, and that's where it's lagged.

And a lot of it is because you have hospital groups that have grown by acquisition, and security has been a side function through the acquisitions. They're trying to manage multiple different technology stacks and operating principles and all of that. A lot of different cultures in the organization.

It is hard. But even outside of healthcare, one of the questions that I've been asked by my executive team and even the [00:13:00] board is, Hey, what keeps you up at night? That old question. Is it ransomware?

Everybody's scared of ransomware. And I said that's actually when it terrifies us the most. I'm not saying it's not a threat that's imminent, but we have playbooks for it. We've gone through it. We've seen it, we've responded to it. We have it worked out how the teams get in a room and deal with all of that.

We've got our backup strategies and we have all the things that we need to say, Hey, we've looked at this, and we think we have a plan around it. What concerns me more is exactly what you just said, right? The business problem is the rate at which the business is adopting new technology.

So everybody thinks about the adversarial threat, but really sometimes from a security perspective we're our own worst enemy, because if you think about every new technology that comes into the business, there's usually a business owner who wanted this for some purpose.

Hopefully there's some kind of technology owner that helps shepherd it and manage it, and whether they live inside the technology department or out of it, there's some kind of technology owner of it, but you very rarely have a specific security owner of it. And so what happens is the security team, you know, they have to understand whatever this new technology is and the underpinnings of it that make it come together.

What's the glue and [00:14:00] tape that's holding it together, right? Or the APIs, and what kind of scripting is happening there, and what is all that doing? And then they have to understand where could the weaknesses be and what do we have to look out for there? A lot of times they have to learn some kind of ancillary security tooling to do whatever enforcement needs to happen. That's a lot to ask of a small team, and whether they're successful or not, we're still held accountable for that. That's a hard enough challenge in a static environment, but no environments are static. In an ideal world, our defense-in-depth architecture will be just as dynamic as the threats presented.

But none of us live in an ideal world. AI and gen AI specifically are like jet fuel to that equation. Even if my CFO said, here's 50 million, go hire all the people you need.

That's not even easy to execute against, right? Cuz it's not out there. You gotta find that talent, build that talent, look in unique places to get the talent and build it up. It's complex. I'm not gonna say that's a simple problem.

Dr. Rebecca Wynn: And like you said, you gotta work on getting that buy-in where you're not the solo person. But if you can have eight or nine departments or executives who will also back you with that [00:15:00] vision, that at least takes some of the burden off of you. I think that'd be really welcome today for a lot of CISOs.

Our time, unfortunately, has flown by. Joey, thanks so much.

Joey Johnson: All right. Thanks so much Rebecca.