John Deere hired its first CISO in 2014, and James Johnson has remained in that position at the agricultural equipment company to the present day. Johnson sat down with InformationWeek to talk about how he got started in his career, why working through a nation-state attack was pivotal to his love of security, and how John Deere is building a talent pipeline in the time of the cybersecurity talent gap.
From Network Engineer to Chief Information Security Officer
Johnson began his career as a network engineer at windows and doors company Pella. He loved working in the network space but soon realized that he might grow bored there given enough time.
Derek Benz, a friend of Johnson’s and now CISO of Coca-Cola, suggested looking into security. Johnson went out and got a Certified Information Systems Security Professional (CISSP) certification, which helped him land a job as a pen tester at manufacturing and technology company Honeywell.
During his time at Honeywell, the company was hit by Titan Rain, a series of coordinated cyberattacks carried out by a Chinese APT.
“Getting an opportunity to see how nation states goal corporations and what they’re able to doing, I believe actually made the mission much more necessary to me at that time,” Johnson shares. “Once you do have the nation-state assault early in your profession, it’s sort of a recreation changer … simply eager about the worth of the work that you simply’re doing and why it issues.”
He spent 11 years at Honeywell, steadily working up the ranks to become a CISO overseeing various divisions across the company. And then, a call came from John Deere.
John Deere’s First CISO
That call came at the right time. Johnson had reached a point at Honeywell where his growth would likely be limited for a period of time.
“I used to be pleasantly shocked by the chance,” says Johnson. “I had a fantastic connection to John Deere popping out of Iowa, rising up within the farming neighborhood, seeing loads of that … nice model and a chance to actually construct one thing that from scratch once more.”
While building a security program as a first-time CISO is an exciting opportunity, it comes with its challenges. When Johnson arrived, he noticed how trusting the culture was at John Deere.
“It’s a fantastic worth that John Deere has … they actually attempt to attempt to do the correct factor with integrity, however that’s not the way in which the world operates on the digital entrance,” he says.
One of his mentors early in his tenure at John Deere told him that he was going to have to work on shifting the entire company culture as he built his security team.
And he has made strides. When he first got there, everyone was using relatively simple passwords. Yet the process to change those passwords was cumbersome and time-consuming.
“Immediately, MFA is deployed throughout the corporate. We now have advanced passwords,” he says. “We’re looking for methods to make use of biometrics extra.”
An Evolving Role
His responsibilities in the CISO role have grown over time. When he first joined, he was overseeing IT security and operations. Financial product security, data security, and governance: his team has taken on more and more over time.
“We constructed this system from about 32 individuals to … 220 individuals sturdy now in our group,” he says.
Johnson has been with John Deere for more than a decade. Not every CISO or CIO stays with the same company for that long, but Johnson has found that longevity has its benefits. He has built relationships with the board and his C-suite peers.
“It is fairly onerous to get good at one thing in two or three years,” he explains. “You’re there longer. You’ve bought the relationships. You’ve bought the flexibility to affect issues and actually make an even bigger distinction.”
Today, he is working alongside John Deere’s leadership to navigate the exciting possibilities and security concerns of AI.
Building a Talent Pipeline
While the possibility of a security incident always looms in a CISO’s mind, Johnson is thinking about talent, too. “We won’t succeed without the correct individuals in our group driving the correct change,” he says.
John Deere is taking several approaches to bringing the right people to his team. First, he looks to other teams for people who are experts and not necessarily in security. He looks for promising talent and asks, “Can I train that individual safety?” And the answer to that question in many cases has been “sure.”
“We’ve bought people who were lead engineers on the product aspect who now are operating our product safety division, and so they had been by no means all for safety in any respect,” he says.
John Deere also taps cyber talent through its bug bounty program, which has paid out more than $1.5 million since 2022.
Having been a pen tester, Johnson knows how frustrating it can be for someone to discover a vulnerability only for a company to do nothing to fix it. “We now have service-level agreements to get sure vulnerabilities which might be crucial, excessive, medium, low, fastened inside a sure time period, and most often, we beat these numbers,” he says.
John Deere also works with Iowa State College to cultivate talent. “We put some companies on campus, a part of their tech middle, which might be companies you most likely would by no means get an opportunity to actually work with or study in faculty,” says Johnson.
He knows it will be difficult to find cloud security experts, for example, so they are helping develop those experts at Iowa State. “We’ve constructed a pipeline of expertise out of Iowa State College as a result of they know our model,” says Johnson.
