Taking a Hack: JPMorgan's Anthony Johnson
Anthony Johnson discusses race, management, and cybersecurity in the capital markets.
Anthony Johnson sits and contemplates the question for a second: In your career, have there been instances where you’ve felt that you were held back or passed over because of your color? He takes a beat, acknowledges that there have been “a couple” of instances, although these moments never paralyzed him or made him bitter.
“I don’t want to say it’s ‘crappy’ but sometimes you just have to work harder and it sucks,” he says. “You need to find those mentors who will help you out. I’ve been blessed in that I’ve had a number of mentors who have helped me to figure things out, but I also think it’s important to figure out how to be passionate about something and to give back. It’s a tough question because when people feel like the deck is stacked against them, you can get into this spiral. The better answer is to find a reason in spite of it: It sucks, but let’s figure this out.”
Nontraditional
To better understand where Johnson is coming from, there are a few things you have to understand about the man. First, he’s the kind of guy who often uses the word “super” to punch up adjectives: that’s super cool; I’m super excited. He watches motivational YouTube videos in the morning to get himself hyped up for the day ahead, which can at times drive his wife, Hillary, crazy. Also, he doesn’t have the typical background of a technology executive working in finance—or any industry, for that matter.
Anthony was born in Seoul to an African-American father and a Korean mother. His father was in the US Army and could speak Korean when he met his mother. The two had Anthony, and when he was a baby, the family moved to Tacoma, Washington. The couple had another child—a daughter—but when Anthony was four, his father left and Anthony hasn’t seen him since.
“We’re starting to see innovation come out of Silicon Valley over the last year or so. But a lot of the stuff we’re wrestling with is still firefighting: passwords, firewalls and access certifications. When you get diversity of thought, you look at problems a little bit differently.”
His mother, Yun, who was from a small village in the Republic of Korea, could only speak broken English. She had to figure out how to make a living in a foreign land without knowing the language. She did so by cobbling together jobs, such as piecing building blinds by hand.
While Johnson credits numerous mentors for his career’s arch, his mother taught him determination, willpower and doing whatever it takes to make ends meet.
“For me, my mother was important. She didn’t speak English and worked minimum-wage jobs and had that grit, so I was able to tap into that whenever I got frustrated,” he says.
The other great influence on him growing up was his grandfather, Tommie Hamilton, the father of Anthony’s dad. After his father left, Tommie remained to serve as a father figure. Tommie was a World War II Army veteran. While he has since passed away, he taught Anthony the value of having a strong work ethic and of not taking things for granted.
Johnson loves his job and the daily challenges it poses, but he also wants to mentor others and teach them the lessons that Yun, Tommie and others have passed on to him. And now that he’s the proud father of a baby girl—Lianna—he also wants to help not just people of color, but also talented women navigate the information security sector.
New Ideas
When you walk into Anthony Johnson’s midtown Manhattan office at the JPMorgan building on Madison Avenue, it’s hard not to notice that there aren’t many chairs in the room. In fact, on this chilly December afternoon, there are, in fact, zero chairs in the room. Yep, he’s the kind of guy who prefers to stand at his high-countertop desk when working. That’s something else you need to know about Johnson to better understand him—he served in the US Air Force and carries himself with that distinctive military air in that he stands erect, makes constant eye contact and delivers a firm handshake.
Johnson is the managing director and business information security officer for JPMorgan’s Corporate and Investment Bank (CIB). He joined the firm one year ago from Fannie Mae, where he was the government-sponsored entity’s global chief information security officer (CISO) in Washington, D.C., for two years. Prior to that, he spent two-and-a-half years as GE Capital’s Treasury CISO.
Every cyber program fundamentally begins with education, which entails trying to get senior leaders to understand vision, direction and make sure everyone is grounded in the same program. But no longer a global head of information security—at JPMorgan, that job belongs to Rohan Amin—Johnson’s remit is dealing with the relevant cyber threats specifically for the firm’s CIB unit, which processes $5 trillion in payments daily.
Johnson is black—so he’s obviously very connected to this issue—but he believes that building diversity throughout the industry will be key to handling new threats.
“When people come from different backgrounds, you get completely different perspectives to a problem that needs to be solved,” Johnson says. “So within cybersecurity today, we really haven’t had a unique idea in maybe 20 years if you really think about it: 20 years ago we were talking about privileged accounts, passwords, knowing where your data is, knowing your systems, patching vulnerabilities and so on, but what is the innovative thinking that we’ve pushed through? Now, we’re starting to see innovation come out of Silicon Valley over the last year or so. But a lot of the stuff we’re wrestling with is still firefighting: passwords, firewalls and access certifications. When you get diversity of thought, you look at problems a little bit differently.”
Risky Business
Johnson wears a three-piece suit Monday through Thursday, and on Fridays—when many others in the building are wearing jeans—he’s the kind of guy who allows himself the comfort of going sans vest…but still wears the suit. He doesn’t care much for eight hours of sleep, because, he reasons, if you can limit yourself to five hours, in nine months you’ll have been an extra month more productive than most in the world.
He believes it’s important to educate people about the hype curve when it comes to cyber. The first cyber-attack a company takes, the board offers up a blank check; more mature organizations understand that it’s not as simple as throwing money at the problem, though cybersecurity comes with its fair share of green. Case in point: JPMorgan spent over $600 million on cyber last year.
JPMorgan—being one of the biggest targets in finance—is well along the maturity curve. But as an industry, Johnson believes that firms need to move beyond just thinking about cyber as a security issue and view it more as a risk-tolerance issue. “In cyber, we keep talking about the return on investment and capital, but why are we thinking like that?” he asks. “We should think of it like fraud—you don’t want fraud, but there’s a certain amount that has to be written off because you know it’s going to happen. Looking at cybersecurity today, you’re not going to stop everything and there’s a certain amount that you have to manage through. As a result, it becomes more of a cyber-risk tolerance discussion; that’s something that organizations have to migrate to. Just like how you have a fraud-risk tolerance or credit-risk tolerance, you should have a cyber-risk tolerance.”
Knee-jerk reactions are commonplace in the financial services industry, especially with something that can leave a firm feeling vulnerable and helpless. That’s where education plays its role. “Cyber is a little bit different than fraud because it can be fully catastrophic to a company, so you have to prepare for those black-swan cases. But you also have to look at normal cyber events and ask, ‘Is this within our tolerance?’ The only way to do that is through consistent engagement,” Johnson says. “After time, it will become a more normalized discussion. This wasn’t on the minds of boards and CEOs five or 10 years ago.”
Cybersecurity is part industry standard, part firm-specific. Consider the scenario at Fannie, a firm that was one of the hardest rocked by the global financial crisis, where budgets were essentially frozen in the wake of the crisis. Then, as the threat of a major hack became increasingly worrying, the frim went from a standstill to a period of heavy investment to bolster its defenses.
At JPMorgan, it’s been more about simplifying cybersecurity. What that means is reducing silos and footprints, and getting rid of systems and permissions that aren’t necessarily going to reduce the likelihood of suffering a major hit. “The model that I used at Fannie Mae for the entire program was: get right, get small and see big. That’s how I explained all cybersecurity to everybody,” Johnson says. “That’s not the exact same model that I’m using here because we’re a little bit different, but there are similar aspects. We have to simplify what we’re doing.”
While education is not a silver bullet to the cybersecurity threats facing banks, there’s also not any one piece of technology that will protect a firm. When it comes to cybersecurity, hackers will always be ahead of the curve. “Most people want security to be like a ninja: You don’t want to see it or be intrusive, but you want to know you’re safe. But we’re not there from a technology perspective yet,” he says.
[Click here to read Anthony’s thoughts on how CISOs need to better understand the business in order to be most effective.]
A Mover
Another thing about Johnson is that he has moved around … a lot. He’s lived for varying degrees of time in Seoul, Tacoma, Colorado, Virginia, Connecticut, DC, and now New York. Whether from his family, from the military or from colleagues in the information security sector, Johnson’s movements have provided him with a well-rounded education that he’s now looking to pass on to others.
Education and mentoring are in the same sphere. While at Fannie Mae, he would work closely with DC public schools. He remembers giving a talk to a classroom of 13-year-olds, discussing how he got his start in technology. There was one black teenager in the room who didn’t appear to be paying much attention. The boy’s teacher walked up to Johnson and said that while it might look like the kid was disinterested, he was in the middle of compiling three programs that would soon be going live in the app store and that the boy could write code in seven different languages. Johnson thought that was cool, but knew that the boy was a rarity.
“I think the problem that we face is that of a pipeline,” he says. “People are self-selecting themselves out, for whatever reason. There aren’t a lot of role models where you can say, ‘That person kind of looks like me.’ That’s not everywhere, but it’s more the exception and not the rule. So that’s something that I’m super passionate about and trying to figure out how I can get involved.”
Like it or not, hackers are becoming more sophisticated and technology is becoming cheaper for them to posses. Effective cybersecurity programs, therefore, are going to require new ideas. Maybe Johnson will help provide those ideas or maybe they will come from someone he mentors. Maybe…just maybe…they will come from his newborn daughter years down the road.
“My sister and my mother never really had the types of opportunities their male counterparts had. It’s also struck home after having a daughter and thinking about what types of opportunities she would have. She should be able to do whatever she wants, but we don’t have that in our ecosystems today,” he says. “So I’m passionate about that. There’s massive underrepresentation of minorities, in general.”
Johnson wants that to change. And he hopes to slowly show the industry why it should want that, as well.
Anthony Johnson Fundamental Data
Name: Anthony Johnson
Age: 35
Hobbies/Interests: Cryptocurrency, sci-fi
Greatest Business Success: “I’ve overseen a lot of cyber projects and initiatives, but I think what I’m most proud of are the number senior cyber leaders that I’ve been able to help develop, mature and grow in the industry.”
Greatest Business Mistake: “The biggest mistake I’ve made was associated with a project a long time ago where I didn’t understand the business value of a process and system we were trying to secure. Without the context of what we were protecting, I failed to really be a part of the solution beyond a check box. That’s when I learned how important it is to understand the business. Be a business leader first then a cyber-security leader.”
Most Influential Mentors: Brett Justice (former Senior NCO in the US Air Force); Grandfather, Tommie Hamilton; YouTube and books (I watch leadership talks, and TED talks on YouTube nearly every day).
Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
To access these options, along with all other subscription benefits, please contact info@waterstechnology.com or view our subscription options here: http://subscriptions.waterstechnology.com/subscribe
You are currently unable to print this content. Please contact info@waterstechnology.com to find out more.
You are currently unable to copy this content. Please contact info@waterstechnology.com to find out more.
Copyright Infopro Digital Limited. All rights reserved.
As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (point 2.4), printing is limited to a single copy.
If you would like to purchase additional rights please email info@waterstechnology.com
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (clause 2.4), an Authorised User may only make one copy of the materials for their own personal use. You must also comply with the restrictions in clause 2.5.
If you would like to purchase additional rights please email info@waterstechnology.com
More on Regulation
Bond tape hopefuls size up commercial risks as FCA finalizes tender
Consolidated tape bidders say the UK regulator is set to imminently publish crucial final details around technical specifications and data licensing arrangements for the finished infrastructure.
The Waters Cooler: A little crime never hurt nobody
Do you guys remember that 2006 Pitchfork review of Shine On by Jet?
Removal of Chevron spells t-r-o-u-b-l-e for the C-A-T
Citadel Securities and the American Securities Association are suing the SEC to limit the Consolidated Audit Trail, and their case may be aided by the removal of a key piece of the agency’s legislative power earlier this year.
BlackRock, BNY see T+1 success in industry collaboration, old frameworks
Industry testing and lessons from the last settlement change from T+3 to T+2 were some of the components that made the May transition run smoothly.
How ‘Bond gadgets’ make tackling data easier for regulators and traders
The IMD Wrap: Everyone loves the hype around AI, especially financial firms. And now, even regulators are getting in on the act. But first... “The name’s Bond; J-AI-mes Bond”
Can the EU and UK reach T+1 together?
Prompted by the North American migration, both jurisdictions are drawing up guidelines for reaching next-day settlement.
Waters Wavelength Ep. 293: Reference Data Drama
Tony and Reb discuss the Financial Data Transparency Act's proposed rules around identifiers and the industry reaction.
Clearing houses fear being classified as DORA third parties
As the 2025 deadline looms, CCP and exchange members are seeking risk information that’s usually deemed confidential.