John Deere hired its first CISO in 2014, and James Johnson has remained in that role at the agricultural equipment company to this day. Johnson sat down with InformationWeek to talk about how he got started in his career, why working through a nation-state attack was pivotal to his love of security, and how John Deere is building a talent pipeline in the time of the cybersecurity talent gap.
From Network Engineer to Chief Information Security Officer
Johnson started his career as a network engineer at windows and doors company Pella. He loved working in the network space but soon realized that he might grow bored there given enough time.
Derek Benz, a friend of Johnson’s and now CISO of Coca-Cola, suggested looking into security. Johnson went out and got a Certified Information Systems Security Professional (CISSP) certification, which helped him land a job as a pen tester at manufacturing and technology company Honeywell.
During his time at Honeywell, the company was hit by Titan Rain, a series of coordinated cyberattacks carried out by a Chinese APT.
James Johnson, CISO
“Getting a chance to see how nation states target companies and what they’re capable of doing, I think really made the mission even more important to me at that point,” Johnson shares. “When you do have the nation-state attack early in your career, it’s kind of a game changer … just thinking about the value of the work that you’re doing and why it matters.”
He spent 11 years at Honeywell, steadily working up the ranks to become a CISO overseeing various divisions within the company. And then, a call came from John Deere.
John Deere’s First CISO
That call came at the right time. Johnson had reached a point at Honeywell where his growth would likely be limited for a period of time.
“I was pleasantly surprised by the opportunity,” says Johnson. “I had a great connection to John Deere coming out of Iowa, growing up in the farming community, seeing a lot of that … great brand and an opportunity to really build something from scratch again.”
While building a security program as a first-time CISO is an exciting opportunity, it comes with its challenges. When Johnson arrived, he noticed how trusting the culture was at John Deere.
“It’s a great value that John Deere has … they really try to do the right thing with integrity, but that’s not the way the world operates on the digital front,” he says.
One of his mentors early on in his tenure at John Deere told him that he was going to have to work on shifting the entire company culture as he built his security team.
And he has made strides. When he first got there, everyone was using relatively simple passwords. Yet, the process to change those passwords was cumbersome and time-consuming.
“Today, MFA is deployed across the company. We have complex passwords,” he says. “We’re looking for ways to use biometrics more.”
An Evolving Role
His responsibilities in the CISO role have grown over time. When he first joined, he was overseeing IT security and operations. Financial product security, data security and governance; his team has taken on more and more over time.
“We built the program from about 32 people to … 220 people strong now in our organization,” he says.
Johnson has been with John Deere for more than a decade. Not every CISO or CIO stays with the same company for that long, but Johnson has found that longevity has its benefits. He has built relationships with the board and his C-suite peers.
“It’s pretty hard to get good at something in two or three years,” he explains. “You’re there longer. You’ve got the relationships. You’ve got the ability to influence things and really make a bigger difference.”
Today, he’s working alongside John Deere’s leadership to navigate the exciting possibilities and security concerns of AI.
Building a Talent Pipeline
While the possibility of a security incident always looms in a CISO’s mind, Johnson is thinking about talent, too. “We will not succeed without the right people in our organization driving the right change,” he says.
John Deere is taking several approaches to bringing the right people to his team. First, he looks to other teams for people who are experts and not necessarily in security. He looks for promising talent and asks, “Can I teach that person security?” And the answer to that question in many cases has been “yes.”
“We’ve got folks who used to be lead engineers on the product side who now are running our product security division, and they were never interested in security at all,” he says.
John Deere also uses cyber talent through its bug bounty program, which has paid out more than $1.5 million since 2022.
Having been a pen tester, Johnson knows how frustrating it can be for someone to discover a vulnerability only for a company to do nothing to fix it. “We have service-level agreements to get certain vulnerabilities that are critical, high, medium, low, fixed within a certain period of time, and typically, we beat those numbers,” he says.
John Deere also works with Iowa State University to cultivate talent. “We put some companies on campus, part of their tech center, that are companies you probably would never get a chance to really work with or study in college,” says Johnson.
He knows it can be difficult to find cloud security experts, for example, so they are helping develop these experts at Iowa State. “We’ve built a pipeline of talent out of Iowa State University because they know our brand,” says Johnson.