Securing Digital Transformation with Vulnerability Disclosure: A Q&A with John Deere CISO, James Johnson
John Deere’s CISO, James Johnson, and his team are committed to ensuring that the people who depend on John Deere for their livelihood rest easy knowing their information and products are secure. To help fortify security defenses for their customers, dealers, suppliers, and employees, John Deere recently launched a public Vulnerability Disclosure Program (VDP) with HackerOne.
Read on to learn why James and the John Deere security team leverage ethical hackers to help identify security gaps and increase their product and data security.
Q: Tell us who you are and your role at John Deere.
James: I’m James Johnson, John Deere's Chief Information Security Officer. I joined John Deere about seven years ago to lead the security organization and build a security-focused culture.
Q: Tell us a bit about John Deere and why cybersecurity is so important.
James: Integrity, Quality, Commitment, and Innovation are the core values that define John Deere, and cybersecurity is critical to these core values.
There are a lot of people depending on John Deere – from our customers, dealers, and suppliers, to our employees around the world. Cybersecurity is so important because we need to protect our data and systems and avoid business disruption to live up to John Deere’s role to meet the world’s food and infrastructure needs. We need to live up to the promises we have made to our customers, dealers, suppliers, and employees, and that’s something that motivates our security team members every day.
Q: Tell us about the security challenges you faced that led you to HackerOne.
James: At John Deere, like many other companies, we are integrating more technologies, increasing connectivity, and producing more data than ever. This digital evolution has brought on more challenges within cybersecurity, and our teams have risen to the occasion. As we evolved our vulnerability management process, we realized a missing component was an easy way for an external security researcher to report an issue. HackerOne has helped fill that gap, helping us further mature our approach to vulnerability management.
Q: What made you decide to launch a public VDP?
James: We followed the advice from HackerOne, starting with a private program then transitioning to a public program after working out our internal processes. Before taking the program public, it was important that we knew we would be able to respond to the researchers participating in our program in a timely manner and create a good experience for them. Once we were confident in our processes, it was a collaborative discussion between our John Deere team and the HackerOne representatives that made us decide to go public.
Q: How have ethical hackers helped you reduce risk?
James: The speed at which new vulnerabilities can arise is challenging for any company to keep up with. The researchers we have worked with are subject matter experts on these vulnerabilities and have found ways to quickly test and report them. Their skill and talent help us reduce risk because speed matters. We want vulnerabilities to be found and fixed before they can be exploited, and we’ve been able to accomplish this with help from researchers.
Q: How do you leverage insights throughout the software development life cycle?
James: Over the past several years, we have developed a Security by Design program, which has instilled a security mindset within the development community at John Deere. Security by Design combines people, processes, and technologies to create a culture of security throughout the software development life cycle. Security professionals sit on teams with developers to secure code, educate, and share best practices. We are able to learn from our VDP and bring those examples as learning opportunities directly to development teams through the Security by Design program.
Q: What advice would you give to other CISOs planning to start a VDP?
James: Having a VDP is a core component to a robust vulnerability management program. Cultivating a positive relationship with the researcher community is incredibly valuable to your overall security program.
Q: What about advice for program leads planning to start a VDP?
James: Start by benchmarking with other companies and hearing their lessons learned. Make sure your internal teams are ready to handle the submissions from your VDP, will provide a timely response to researchers, and will give them a positive experience with your program.
Q: What will long-term success look like?
James: We are excited to continue to learn from our VDP, and we want to keep maturing the program. We want our program to attract the best researchers and give them a great experience working with our teams. To this end, we are exploring offering bounties in the future.