
John Deere hired its first CISO in 2014, and James Johnson has remained in that role at the agricultural equipment company to the present day. Johnson sat down with InformationWeek to talk about how he got started in his career, why working through a nation-state attack was pivotal to his love of security, and how John Deere is building a talent pipeline in the time of the cybersecurity talent gap.
From Network Engineer to Chief Information Security Officer
Johnson began his career as a network engineer at windows and doors company Pella. He loved working in the network space but soon realized that he might grow bored there given enough time.
Derek Benz, a friend of Johnson’s and now CISO of Coca-Cola, suggested looking into security. Johnson went out and got a Certified Information Systems Security Professional (CISSP) certification, which helped him land a job as a pen tester at manufacturing and technology company Honeywell.
During his time at Honeywell, the company was hit by Titan Rain, a series of coordinated cyberattacks carried out by a Chinese APT.

James Johnson, CISO
“Getting an opportunity to see how nation states goal firms and what they’re able to doing, I feel actually made the mission much more necessary to me at that time,” Johnson shares. “If you do have the nation-state assault early in your profession, it’s type of a recreation changer … simply enthusiastic about the worth of the work that you’re doing and why it issues.”
He spent 11 years at Honeywell, steadily working up the ranks to become a CISO overseeing various divisions within the company. And then, a call came from John Deere.
John Deere’s First CISO
That call came at the right time. Johnson had reached a point at Honeywell where his growth would likely be limited for a period of time.
“I used to be pleasantly stunned by the chance,” says Johnson. “I had a terrific connection to John Deere popping out of Iowa, rising up within the farming neighborhood, seeing plenty of that … nice model and a chance to actually construct something that from scratch once more.”
While building a security program as a first-time CISO is an exciting opportunity, it comes with its challenges. When Johnson arrived, he noticed how trusting the culture was at John Deere.
“It’s a terrific worth that John Deere has … they actually attempt to attempt to do the proper factor with integrity, however that’s not the best way the world operates on the digital entrance,” he says.
One of his mentors early in his tenure at John Deere told him that he was going to have to work on shifting the entire company culture as he built his security group.
And he has made strides. When he first got there, everyone was using relatively simple passwords. Yet, the process to change those passwords was cumbersome and time-consuming.
“At the moment, MFA is deployed throughout the corporate. We now have complicated passwords,” he says. “We’re looking for methods to make use of biometrics extra.”
An Evolving Role
His responsibilities in the CISO role have grown over time. When he first joined, he was overseeing IT security and operations. Financial product security, data security and governance: his team has taken on more and more over time.
“We constructed this system from about 32 individuals to … 220 individuals sturdy now in our group,” he says.
Johnson has been with John Deere for more than a decade. Not every CISO or CIO stays with the same company for that long, but Johnson has found that longevity has its benefits. He has built relationships with the board and his C-suite peers.
“It is fairly arduous to get good at one thing in two or three years,” he explains. “You’re there longer. You’ve received the relationships. You’ve received the flexibility to affect issues and actually make an even bigger distinction.”
Today, he’s working alongside John Deere’s leadership to navigate the exciting possibilities and security concerns of AI.
Building a Talent Pipeline
While the possibility of a security incident always looms in a CISO’s mind, Johnson is thinking about talent, too. “We won’t succeed without the proper individuals in our group driving the proper change,” he says.
John Deere is taking several approaches to bringing the right people to his team. First, he looks to other teams for people who are experts, though not necessarily in security. He looks for promising talent and asks, “Can I educate that individual safety?” And the answer to that question in many cases has been “sure.”
“We’ve received people who were once lead engineers on the product facet who now are working our product safety division, and so they have been by no means curious about safety in any respect,” he says.
John Deere also taps cyber talent through its bug bounty program, which has paid out more than $1.5 million since 2022.
Having been a pen tester, Johnson knows how frustrating it can be for someone to discover a vulnerability only for a company to do nothing to fix it. “We now have service-level agreements to get sure vulnerabilities which can be important, excessive, medium, low, fastened inside a sure time frame, and usually, we beat these numbers,” he says.
John Deere also works with Iowa State University to cultivate talent. “We put some providers on campus, a part of their tech heart, which can be providers you most likely would by no means get an opportunity to actually work with or study in faculty,” says Johnson.
He knows it can be difficult to find cloud security experts, for example, so they are helping develop those experts at Iowa State. “We’ve constructed a pipeline of expertise out of Iowa State College as a result of they know our model,” says Johnson.