Black Hat Executive Summit | July 22, 2015
John D. Johnson, Global Security Architect, John Deere

Dr. John Johnson

John D. Johnson, Global Security Architect, John Deere, has been architecting solutions that have been critical to maintaining global network security at John Deere since 1999. He’s also been a leading voice for change in the security industry to address the evolving risks brought on by new technologies like mobile, cloud, and IoT. As a member of the Black Hat CISO Summit Advisory Board, John is providing expert guidance on the program to better address the most pressing concerns of CISOs. We spoke with John about his vision for improved enterprise security and a preview of the all-star panel he’ll be moderating at the summit, called “The CISO in 2016: How Leading Organizations Will Leverage Technology and Information to Gain a Competitive Advantage and Grow.”

Brian Gillooly, Co-Host, Black Hat CISO Summit: What are some of the key issues that your panel – “The CISO in 2016” – will be addressing at the Black Hat CISO Summit?

John D. Johnson, Global Security Architect, John Deere: The panel will be discussing how the CISO must evolve to cope with the rapidly changing threat landscape, and business adoption of new technologies such as cloud and mobile. The skillset of today's security leader needs to mature and expand, and we will explore just what skills the successful CISO will need.

Gillooly: You speak with a lot of your security chief peers – what seems to be the biggest concern you hear about?

Johnson: How difficult it is to keep up with new threats while the security organization remains a part of the IT budget and is subject to significant resource constraints. The capabilities necessary to defend against – and detect and respond to – new threats need to be built out, and it takes an aligned and prioritized strategic security plan to do that. It also takes leadership on the part of the CISO to sell that vision and make it happen.

Gillooly: Many people see security as a defense mechanism and in some cases an obstacle; you’ve referred to security as “an enabler.” What do you mean by that?

Johnson: Security should be more than a cost center; more than just blocking and tackling. The panel will discuss how a risk-based approach can allow the CISO to prioritize resources to focus on the greatest risks and ones that matter most to the business. Knowing the direction the business wants to go, security can be an enabler by providing solutions that will better manage risk and enable the business to leverage new technologies to gain a competitive advantage.

Gillooly: What is your current feeling about metrics for effective cybersecurity – are we properly using metrics, do you feel they’re effective, and what more can we do?

Johnson: A good approach to metrics will ensure that the security program is aligned and operating effectively and efficiently. Demonstrating that the CISO can run security like a business, sensitive to resource constraints, can help to elevate the status of the security organization with executives. Once you have a prioritized security strategy, metrics will tell you if you are getting the intended value out of your security investments. If something isn't working, resources should be shifted and your strategy should change. The panel will illustrate how metrics are often poorly implemented and suggest how to develop more meaningful and impactful metrics.

Gillooly: Poorly developed software is becoming a huge security concern. As more companies ramp up software development cycles to meet business needs – think DevOps – how should security executives pivot to address this phenomenon?

Johnson: Legacy systems were often developed without much consideration for security, which is why we see so many applications on the Internet that still have common vulnerabilities like SQL Injection. Purchased systems are often hard to patch, or they contain unsupported open source code. Even new Web and mobile applications are often developed with no security development lifecycle in mind. There need to be standards on how applications are developed. In particular, more companies are moving data and applications to cloud hosting such as Amazon. In this kind of environment, many of the standard enterprise development and security tools are lacking. It becomes crucial to develop a SecOps capability to leverage native and third-party security tools to manage and safeguard these systems. For all the benefits of adopting new technologies, like cloud and mobile, the associated risks must be addressed, and we must not let security be thrown under the speeding bus.

Gillooly: What are the two or three primary things you think attendees of the Black Hat CISO Summit need to walk away with?

Johnson: The panel will provide a roadmap for the 2016 CISO: First, what skills will evolving threats and business change require from the 2016 CISO? Secondly, how can risk management and metrics help the 2016 CISO run security to more efficiently and effectively deliver value to stakeholders? And finally, why will it take leadership for the 2016 CISO to effectively market security and mature capabilities to better support business strategy, build a culture of security, and elevate the role of security in the organization?