Why Deere paid hackers $1.5 million to detect vulnerabilities and keep the agriculture-equipment maker safe


What keeps James Johnson up at night is the fear of a “one-to-many” attack: a bad actor uncovering a single system vulnerability at Deere & Co. and, in the nightmare scenario, using it to take control of the company’s network of farming machinery.

Though no such dire event has occurred, if it did, this type of hacking event would erode the hard-earned trust that Deere has cultivated over a 188-year history. “Our customers trust us a lot,” says Johnson, chief information security officer at Deere since 2014. “Our executives are laser focused on making sure we do the right things with data, as well as our equipment.”

To keep the manufacturer safe, Johnson deploys various strategies, including “continuous attack surface management,” which constantly monitors a company’s digital footprint, and “pen testing,” a staged cyberattack intended to uncover security vulnerabilities in a computer system before a real attacker does.

But Johnson is also quick to laud a bug bounty program that he established in 2022. The initiative has united Deere with HackerOne, a cybersecurity company that vets security researchers, who are then authorized to examine Deere’s applications and network. When these researchers spot vulnerabilities before any bad actors are able to, they are entitled to compensation from Deere. Payouts vary on a sliding scale based on the potential severity and risk of the security issue.

Over the past three years, Deere has paid more than $1.5 million to the external researchers it works with to keep the company safe. Around 85 ethical hackers work with Deere as part of the program, and Johnson predicts that number will rise to 150 by the end of 2025.

The hackers report their findings to Deere’s internal team of cybersecurity researchers, who then assess each potential vulnerability. “Once we can validate it and get it fixed, they actually help us test it to make sure it’s fixed,” says Johnson. 

Because a company is constantly changing, including in how it handles data, Johnson says that new information is always at risk of being exposed. One example he shared was a directory of names and phone numbers that wasn’t intended to be made public. The researchers found it and flagged it to Deere, which was able to protect the information before a malicious individual could find it. “They found it very quickly and we were able to get it resolved,” says Johnson.

Another area of focus for Johnson is promoting stronger cybersecurity skills at the collegiate level, which can bolster in-house expertise at Deere once those grads are ready to enter the workforce. “One of the hardest things we do in security is to find talent,” he says.

Deere hosts an annual “CyberTractor Challenge,” which began as a company initiative but has grown so popular that it is now an agriculture-focused cybersecurity event that has brought in peers including CNH Industrial and AGCO Corporation. The week-long program, now run as a nonprofit, brings college students to Iowa State University, where they learn about tractor operating systems. They also attempt to hack into the equipment and then discuss how to keep the machines secure from those attacks.

Deere also hires Iowa State students to work part time for the company and learn how to keep cloud environments like Amazon Web Services and Google secure.

“Frankly, most college programs can’t keep up with technology and how fast it’s moving,” Johnson says. Many of those students in that part-time program later become interns or full-time employees at Deere.

With Deere employing nearly 76,000 people, Johnson aims to make cybersecurity accessible to the broader workforce through a mix of phishing tests sent to employees to assess their ability to identify scams, annual training certification courses, and a digital security newsletter that’s distributed companywide each month. Other initiatives include a recent guest lecture from former New York Times cybersecurity reporter Nicole Perlroth and the launch of a CISO awards program to honor top security practices developed by Deere dealerships, factories, engineering teams, and suppliers.

HackerOne and offensive security services provider Bishop Fox are among the vendors that Deere leans on, but Johnson says he doesn’t spend too much time directly talking to vendors. He empowers his team to manage those relationships on Deere’s behalf. He says he’s witnessed a lot of consolidation in the cybersecurity industry, but expects that AI will be an even greater disrupter.

Recently, Deere has been using agentic artificial intelligence solutions to help determine whether a phishing email reported by an employee is in fact malicious and then proactively delete the messages deemed harmful from all company inboxes. Before AI, Deere had a goal of completing that assessment process within four hours. AI has trimmed that response time to under 20 minutes.

When asked to assess his cybersecurity efforts, Johnson has a simple barometer to gauge success. 

“We’ve not been on the front page of any newspapers,” he says. “That feels pretty good.”

John Kell


This story was originally featured on Fortune.com
