Cyber Leaders of the World: Marc Johnson, CISO at Impact Advisors

Please tell us a bit about yourself, your background, and your journey of becoming a CISO at Impact Advisors

I have been in IT for quite some time. I started in infrastructure solving for the risk of availability which logically led to Disaster Recovery and then into Business Continuity. I led a tremendous team of advisors at Symantec focused on transforming customers’ risk postures. I used that experience to expand a boutique information security consultancy beyond a Symantec-only service provider. 

An opportunity availed itself to further enable customer risk mitigation through program development and automation with various toolsets on a larger scale with a large reseller.  It was challenging yet exhilarating to see a customer goal and make it a reality. I then had the opportunity to be a turnaround agent at a recently spun-off Symantec business which saw immense revenue gains while delivering the first Disaster Recovery as a Service to the market.

I stood up a consultancy of my own and for many years advised executives as a virtual CISO until I was presented with another opportunity in a late-stage SaaS startup. I took on the responsibility initially as the CIO which quickly led to taking over as the CISO and COO. 

After leading the organization into a venture capital buyout, I was given the opportunity to drive similar progress within Impact Advisors. As a leader in healthcare management consulting, Impact Advisors was a logical place for me to further expand upon my experience as a CISO.

What drew you into working in the Healthcare industry for Impact Advisors and what does your current role entail?

I was looking for a challenge but wanted a firm that was recognized in an industry for its leadership and expertise. Impact Advisors stood out, having been recognized among the top healthcare consulting organizations in the market as judged by KLAS for over 16 years. Impact Advisors also has the culture I was looking for. Many organizations claim and can produce documentation of a positive culture when the truth behind the curtain is entirely different.

My current role at Impact Advisors is assisting our customers in maturing their Information Security programs. I am often “on loan” to customers as a virtual CISO while I also maintain ownership of our internal security program. To be clear, the program is the construct that establishes controls and enables the people to execute. I then use technology to automate the program.

How do you prioritize cyber risks within your organization and what factors do you consider when making these decisions?

The easiest and most direct way I prioritize cyber risk is by using a risk register. The more complex answer is multifaceted. Where and when possible, I derive risk posture from an Information Classification exercise (data grouped into records that create value for the organization). This is not data classification (bits, bytes, & types of files). 

I correlate this knowledge with the risk qualification and quantification weighed against the mission of the organization. Not every organization has the same focus or risk appetite even considering direct competitors in the same market. Each organization is unique and that needs to be built into the risk management equation within the Information Security program as part of IT Service Assurance. Boards of Directors are also unique. What is valuable to one Board is not to another.

What do you see as the biggest cyber and risk trends in your industry, and how is your organization preparing to address these trends?

Of course, there are multiple trends that are too numerous to mention here, so I will keep it short by only mentioning a couple:

  1. Organizations will look for partners to team up with to fend off the malfeasance of bad actors.
    • The sum of the whole is greater than the individual parts, and partners must work together to help protect each other.
      • Vendors will fade as true partnerships between ‘manufacturers’ and customers become more prevalent.
      • Partners are accountable to each other.
    • Outsourcing will continue to rise to overcome the lack of expertise and people.
  2. Managing third parties will become one of the key elements for every organization’s IT Service Assurance Program
    • Third parties have become vulnerabilities that can blindside organizations (Solarwinds, Log4j, etc.)
    • API vulnerabilities will become a huge point of emphasis for larger segments of every vertical.

Impact Advisors has developed a program to help clients manage third parties which is inclusive of existing relationships as well as those that are in the infancy stage. 

Vetting an organization (IT vendor or not) before a purchase decision is made is the single most misunderstood but key process. This process is not a ‘no’ gate. It is a point of emphasis in the purchasing decision process that outlines the level of risk with any one entity. If the business is willing to accept the risk, then so be it. 

Nonetheless, it may come with certain requirements such as the development of multi-factor logins in a specified time frame, the attainment of SOC 2 attestation, or the purchase of an ancillary product to facilitate the stated risk level of the information contained in the solution, as an example.

On a more personal note, if you weren’t doing what you do today, what would you be doing?

I would probably be an artist of some sort. I was afforded the opportunity to do many things during my school years. My mantra was to be involved in as many things as possible. I played three sports, sang in four competitive choirs, had six different roles in various theater productions, etc. Albeit I knew computers were my jam. I leverage this background to engage with people and in my presentations. I still enjoy performing and entertaining.

Skip to content