Mergers and acquisitions create challenges for CISOs, including allocating resources to meet the information security needs of newly united companies, says Joey Johnson, CISO of Premise Health.
Premise Health, which provides on-site health services for employers, was formed as a result of the merger of Take Care Employer Solutions - a former subsidiary of Walgreen Co. - and CHS Health Services. Johnson had previously held the CISO role at CHS, while information security at Take Care Employer had been handled primarily by its parent company prior to the merger, he explains in an interview with Information Security Media Group.
Information security functions at Take Care Employer Services "stayed with the mother company" even after the merger, he says. And that became one of Johnson's biggest problems after the merger was completed.
"We had to bring together two companies that had gotten a lot larger, without complementary supporting resources for information security" coming from Take Care Employer Services, he says. "Given the constraints today in the industry for good security talent, identifying the specific talent we were going to need, and then lining that up and putting it into place, was a real challenge."
Also, combining the two companies changed the overall security demands, requirements and needs of the merged entity, he adds. "Having to cover that gap [in defining the information security needs of the acquired Take Care Employer Services] while trying to find resources was a real challenge."
"Every M&A transaction is going to be different," he says. "But one of the things to be cognizant of is what is the role of the security function in the [combined organization] you're going into." For instance, infosec leaders should consider whether privacy requirements are a function of the CISO and his or her team, he suggests. "Also, does [the infosec role] contain other areas around compliance, or is there a separate function for that? I think it's very important to consider all the potential areas of responsibility that will fall under the security shop to ensure a smooth transaction."
In the interview, Johnson also discusses:
- How the skillset and experience requirements for the CISO job are evolving;
- Advice for information security professionals who aspire to become CISOs;
- Why information security staffing has consistently been the biggest challenge that he's had to tackle during his tenure as a CISO.
Johnson has more than 15 years of cybersecurity experience. As the CISO of Premise Health, he leads all organizational efforts related to cybersecurity, IT and security compliance and policy development, as well as security audit and vendor risk management. Previously, Johnson held technical and program leadership roles in the public and private sectors. He formerly served as chief security officer for the U.S. Department of Commerce - Office of Computer Services, and held various security and network architecture roles leading the design and implementation of complex enterprise networks for airports, hospitals, universities and federal agencies.