Friday, May 30, 2025

John Deere’s CISO Is Always Thinking About Cyber Talent


John Deere hired its first CISO in 2014, and James Johnson has remained in that role at the agricultural equipment company to this day. Johnson sat down with InformationWeek to talk about how he got started in his career, why working through a nation-state attack was pivotal to his love of security, and how John Deere is building a talent pipeline in the time of the cybersecurity skills gap.

From Network Engineer to Chief Information Security Officer 

Johnson started his career as a network engineer at windows and doors company Pella. He loved working in the network space but soon realized that he might grow bored there given enough time.  

Derek Benz, a friend of Johnson’s and now CISO of Coca-Cola, suggested looking into security. Johnson went out and got a Certified Information Systems Security Professional (CISSP) certification, which helped him land a job as a pen tester at manufacturing and technology company Honeywell.  

During his time at Honeywell, the company was hit by Titan Rain, a series of coordinated cyberattacks carried out by a Chinese APT.  


“Getting a chance to see how nation states target companies and what they’re capable of doing, I think really made the mission even more important to me at that point,” Johnson shares. “When you do have the nation-state attack early on your career, it’s kind of a game changer … just thinking about the value of the work that you’re doing and why it matters.” 


He spent 11 years at Honeywell, steadily working up the ranks to become a CISO overseeing various divisions within the company. And then, a call came from John Deere.  

John Deere’s First CISO 

That call came at the right time. Johnson had reached a point at Honeywell where his growth would likely be limited for a period of time.  

“I was pleasantly surprised by the opportunity,” says Johnson. “I had a great connection to John Deere coming out of Iowa, growing up in the farming community, seeing a lot of that … great brand and an opportunity to really build something that from scratch again.” 

While building a security program as a first-time CISO is an exciting opportunity, it comes with its challenges. When Johnson arrived, he noticed how trusting the culture was at John Deere. 

“It’s a great value that John Deere has … they really try to strive to do the right thing with integrity, but that’s not the way the world operates on the digital front,” he says. 

One of his mentors early on in his tenure at John Deere told him that he was going to have to work on shifting the entire company culture as he built his security organization.


And he has made strides. When he first got there, everyone was using relatively simple passwords. Yet, the process to change those passwords was cumbersome and time-consuming.  

“Today, MFA is deployed across the company. We have complex passwords,” he says. “We’re trying to find ways to use biometrics more.” 

An Evolving Role 

His responsibilities in the CISO role have grown over time. When he first joined, he was overseeing IT security and operations. Since then, his team has taken on more and more: financial product security, data security, and governance.

“We built the program from about 32 people to … 220 people strong now in our organization,” he says.  

Johnson has been with John Deere for more than a decade. Not every CISO or CIO sticks with the same company for that long, but Johnson has found that longevity has its benefits. He has built relationships with the board and his C-suite peers.

“It’s pretty hard to get good at something in two or three years,” he explains. “You’re there longer. You’ve got the relationships. You’ve got the ability to influence things and really make a bigger difference.” 

Today, he is working alongside John Deere’s leadership to navigate the thrilling possibilities and security concerns of AI.  


Building a Talent Pipeline 

While the possibility of a security incident always looms in a CISO’s mind, Johnson is thinking about talent, too. “We will not succeed without the right people in our organization driving the right change,” he says.  

John Deere is taking multiple approaches to bringing the right people to his team. First, he looks to other teams for people who are experts, though not necessarily in security. He looks for promising talent and asks, “Can I teach that person security?” And the answer to that question in many cases has been “yes.”

“We’ve got folks who used to be lead engineers on the product side who now are running our product security department, and they were never interested in security at all,” he says. 

John Deere also makes use of cyber talent through its bug bounty program, which has paid out more than $1.5 million since 2022.  

Having been a pen tester, Johnson knows how frustrating it can be for someone to discover a vulnerability only for a company to do nothing to fix it. “We have service-level agreements to get certain vulnerabilities that are critical, high, medium, low, fixed within a certain period of time, and in most cases, we beat those numbers,” he says.  

John Deere also works with Iowa State University to cultivate talent. “We put some services on campus, part of their tech center, that are services you probably would never get a chance to really work with or learn in college,” says Johnson.  

He knows it would be difficult to find cloud security experts, for example, so they are helping develop those experts at Iowa State. “We’ve built a pipeline of talent out of Iowa State University because they know our brand,” says Johnson.  


