Secret CSO: Brent Johnson, Bluefin

Name: Brent Johnson

Organisation: Bluefin

Job title: Chief Information Security Officer, CISSP, CISA

Date started current role: March 2020

Location: Atlanta, Georgia

Brent Johnson is the Chief Information Security Officer, CISSP, CISA at Bluefin. He is responsible for managing the point-to-point encryption (P2PE) program and was brought on for his expertise in PCI. Johnson has 12 years of experience in cybersecurity and holds previous PCI certifications (QSA, PA-QSA and P2PE-QSA), and was an approved Visa Security Assessor. He previously worked at Coalfire, GDS Associates and VisionTek.

What was your first job? I obtained a work permit when I was 15 years old so I could start working at Target in Littleton, Colorado – specifically in the Toys and Food Avenue sections.

How did you get involved in cybersecurity? I’ve always loved technology and even though my bachelor’s degree centered around computer science and programming, I started to realise that wasn’t where my passion lay.

Six years after graduating and having gained experience in technology as a systems engineer and managing software implementations, an opportunity presented itself 1,200 miles away in Atlanta at a consulting firm to manage critical infrastructure protection (power grid) standards for clients. Despite not knowing a single person in Atlanta, the job, opportunity to travel and the chance to move to a new city intrigued me, so I took the leap. 

Twelve years later, 10 of which I spent as a consultant in cybersecurity standards (CIP and PCI), it was the best career decision I could have made. Technology and security are fascinating and always evolving, and I’ve had the chance to see the world through client engagements (not to mention, the pay isn’t half bad).

What was your education? Do you hold any certifications? What are they? I graduated with a B.S. in Computer Science from Colorado State University and my current certifications include Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA).

My previous PCI certifications include QSA, PA-QSA and P2PE-QSA, and I was an approved Visa Security Assessor. You can only hold the QSA PCI certifications while working at an approved firm.

Explain your career path. Did you take any detours? If so, discuss. I’m one of those people who never knew exactly what I wanted to do for a career, but I knew I wanted to be around technology. Right after college, I worked as a systems engineer at a medium-sized company and then at a software startup managing software implementations and customer support. After getting my start in software and realising it wasn’t my passion, I transitioned to cybersecurity – first as a consultant – and never looked back.

Was there anyone who has inspired or mentored you in your career? It’s hard to name just one person, but there are a few that come to mind immediately – many of whom I met during my time consulting. I’m a huge advocate for people to try consulting as you get the chance to meet so many people, observe different environments and learn a myriad of approaches to how companies operate. It afforded me the opportunity to learn and observe companies and their employees (good and bad), as well as make connections that have and will continue to shape my career.

What do you feel is the most important aspect of your job? Protection of customer data is the most important aspect of my role as CISO. Privacy and data confidentiality, as well as the associated security processes and controls to meet that goal, are always top-of-mind. 

What metrics or KPIs do you use to measure security effectiveness? No. 1 is breach of customer data. We can’t have a breach, or we’ve clearly missed our security goal.

In addition, we perform multiple third-party assessments each year to measure security controls and processes. Assessors for PCI, SOC and HIPAA, as well as third-party vulnerability and penetration tests, help measure our security effectiveness.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? We’re finding difficulty filling senior-level technology positions. There appears to be a large influx of entry-level applicants, but applicants with advanced security skills have been harder to come by.

Cybersecurity is constantly changing – how do you keep learning? I’m always reading up on trending security technology through websites, blogs and books while looking out for my next certification. The certifications currently on my radar include CISM, CIPP and CMMC.

What conferences are on your must-attend list? You can find me at Defcon and the PCI Conference each year.

What is the best current trend in cybersecurity? The worst? The global push to enforce data protection and privacy standards like the GDPR, CCPA, PIPEDA, LGPD, etc. is the best trend we’re currently seeing in cybersecurity. Fake news and deepfakes are the most concerning trend. With more accessibility to creation tools, along with the proliferation of bots and social media, deepfakes are difficult to stop. 

What's the best career advice you ever received? Be uncomfortable. This may sound strange, but the times I’ve had to push myself outside my comfort zone – moving across the country alone, leading a large client engagement or speaking in front of a large audience – these are the moments that have propelled my career forward the most.

What advice would you give to aspiring security leaders? I’d offer the same advice: push yourself outside your comfort zone. Being uncomfortable has a unique way of forcing preparation and creating opportunities to grow. I’d also recommend keeping your skills as up to date as possible. While this may be difficult based on your available resources, researching new technologies and obtaining certifications are good places to start. In our acronym-saturated field, I’ve always found having a wide breadth of knowledge on current technologies and processes critically important.

What has been your greatest career achievement? It’s easy to say achieving a “C-level” title, but I don’t feel that way. If I were to pick one thing, it would be feeling that I’m at the point where my voice gets heard (not that it’s always correct).

Looking back with 20:20 hindsight, what would you have done differently? I don’t think there’s much I would change as each challenge has served as a stepping-stone to where I’m at today. Having graduated college with a technical degree as the dot com bubble burst, I recall the struggle finding any job related to my field. A stagnant economy tends to limit options, but it’s important to use downtime to stay relevant in technology and build relationships. There’s no one right answer, but I’ve found having technical knowledge and a strong network of people will open many doors.

What is your favourite quote? “If I tell you I’m good, you would probably think I’m boasting. If I tell you I’m no good, you know I’m lying.” – Bruce Lee

What are you reading now? I’m currently reading the All in One Certified Information Security Manager (CISM) Exam Guide.

In my spare time, I like to… Exercise, dine out, and maybe a bit of gambling/poker for good measure.

Most people don't know that I… Grew up as a gymnast and competed nationally.

Ask me to do anything but… You can ask anything. Doesn’t mean I’ll tell…