Cybersecurity leaders today face an increasingly difficult balancing act. They must protect organisations from fast-moving threats while enabling innovation, supporting customers and navigating regulatory fragmentation. Meanwhile, preparing for an AI-driven future that is evolving at what Precisely CISO Marcus Johnston describes as “non-human speed”.
For Marcus, the answer lies not in fear-driven security programs or restrictive governance models. It’s about building trust, reducing complexity and creating scalable operational frameworks that allow innovation to flourish safely.
As Chief Information Security Officer at Precisely, Marcus oversees a federated security model. It is designed to embed accountability across the organisation while maintaining central governance and operational oversight. Since joining the company following the acquisition of Infogix in 2021, he has helped transform a nascent security capability. It is now a mature, scalable program focused on compliance, operational resilience and AI readiness.
His approach is shaped by decades of experience across consulting, internet-era technology companies, SaaS transformation and cybersecurity leadership. As well as an unlikely influence from his time working as an EMT during college.
“In an emergency situation, what’s the most important focus?” he says. “Triage to find the priority and assess the scene.”
That philosophy now underpins how Precisely approaches cybersecurity in an era where AI-powered threats, rapidly evolving vulnerabilities and geopolitical uncertainty are redefining the risk landscape.
Building Cybersecurity Through Shared Responsibility
Marcus describes Precisely’s information security structure as a federated model, similar in philosophy to those used by Microsoft and AWS. The global CISO office operates as a governance function aligned closely with the principles of the NIST Cybersecurity Framework 2.0, while ownership of assets and controls is distributed across business units and functions.
“We’re responsible ultimately for the governance and the performance of that,” he explains, “as well as operationally some of the governance around performance of the security operations centre, the attestation compliance, the policy and standards framework.”
The model reflects Marcus’ belief that cybersecurity cannot operate as a siloed function disconnected from business operations. Instead, InfoSec must work to help the organisation innovate safely while communicating risk clearly to stakeholders, customers and partners.
“The way I view the role of InfoSec is as a trusted partner advisor in the goals of the company to innovate, to introduce new technology, new platforms, to constantly be on the watch for changes in the threat environment,” he says.
Reducing Complexity to Increase Security
When Marcus arrived at Precisely, the company was navigating significant transformation following multiple mergers and acquisitions. The security program, while operationally strong in certain areas, remained immature in terms of standardisation and governance.
“Our guiding first principle has been that the reduction of complexity leads to an increase in security,” he says.
That principle became foundational as the company integrated disparate systems, products and processes inherited through acquisition activity.
“Where we can, we’re trying to reduce needless complexity in order to get a better grasp and have less distractions, less exceptions, less noise in the environments so we can focus on what’s really important and what’s emergent.”