Cultivating Cybersecurity at John Deere

Moving the world forward comes with its own set of risks. 

That’s why John Deere formed the Cyber Security Defense Center to continuously help defend the company’s systems, products and infrastructure from external threats and cyberattacks. According to Group Engineering Manager Jason Beneke, who leads the initiative, the creation of the center was a significant milestone in the company’s cybersecurity efforts. 

“We needed to move from secure to resilient,” Beneke said. “To be able to do that, we started with building a team of talented, intelligent engineers and analysts who understood the landscape of threats and who work with partners and industry peers to share intel and best practices. It’s foundational that we use industry-leading technologies to monitor and remediate threats.”

Of course, building a center of this magnitude is no simple feat, requiring a culture that fosters a focus on building knowledge and skills. Megan Wheelock, who serves as business information security officer of John Deere Financial and director of enterprise governance risk and compliance, believes the company’s cybersecurity work is most suitable for individuals with a hunger to learn. 

“Our adversaries are only getting faster, better and stronger,” she said. “We must be invested in lifelong learning in order to remain vigilant.”

“Our adversaries are only getting faster, better and stronger. We must be invested in lifelong learning in order to remain vigilant.”

This education begins internally through the company’s security training and awareness team, which informs employees about key security concepts and trends, giving them the knowledge they need to defend against cyberattacks. 

“We have an internal saying, ‘You are the shield,’ and it signifies to employees that each one of us has a shared responsibility to help protect our company from cyberattacks,” said Director of IT Internal Audit Lynn Bestold. “We use this saying in all of our security training and communications, and it’s an important reminder for all of us to stay vigilant.”

Empowerment lies at the heart of John Deere’s cybersecurity efforts, driving the organization’s commitment to safeguarding its operations, from its people to its products. For Chief Information Security Officer James Johnson, this focus echoes an overarching aim to weave cyberdefenses into the fabric of the organization. 

“We’re building security into the DNA of John Deere, because we understand that security is a core component of the high-quality products and services our customers depend on,” he said.   

Security by Design

What’s an effective way to embed security into the backbone of John Deere’s technology? Add it to the code while it’s still being written. 

There are many products that make up John Deere’s technology suite, from websites and mobile apps to infrastructure and embedded systems. The company’s Security by Design program strives to instill a security mindset among product developers throughout the organization. 

The program combines people, processes and technologies to create a culture of security throughout the product development lifecycle, with security professionals sitting on development teams to secure code, educate and share best practices. By leveraging code-scanning technologies, program members can find potential vulnerabilities in software code while it is still being written, enabling the team to address them proactively. 

According to Director and Deputy CISO Carl Kubalsky, Security by Design aims to make security second nature in product development and is an ongoing initiative that will help the company keep up with ongoing industrywide changes. 

“Threat and technology landscapes are constantly changing,” he said. “We’re focused on continuous learning, innovation and improvement to ensure ongoing success in defending customer value unlocked by John Deere’s technology stack.”

“We’re focused on continuous learning, innovation and improvement to ensure ongoing success in defending customer value unlocked by John Deere’s technology stack.”

The heart of these efforts lies in the company’s Cyber Security Defense Center, a global team tasked with understanding the ever-evolving cybersecurity threat landscape and putting measures in place to protect the organization’s systems and data. Beneke explained that the team protects the perimeter of Deere systems, searching for clues of malicious activity. Team members also develop detailed playbooks for use in incident response and monitor ongoing threats in other industries, using that information to help protect the organization.

“The team shows up every day ready to use a combination of their skills and knowledge, along with our telemetry and technologies to protect Deere and defend against potential cyberattacks,” Beneke said. “You won’t find a team of more fierce protectors of Deere systems.”

To further strengthen the company’s cyber defenses, Beneke noted, the Cyber Security Defense Center recently switched vendors who manage the organization’s security, information and event management, which performs event log correlation to find malicious activity; a decision that has proven to be highly beneficial. 

“Our new partnership has brought some real positives and wins to the team,” he said. “We’re able to look more broadly across our cyber landscape for malicious activity.”

A Culture of Security

If cybersecurity is a “shared responsibility” at John Deere, then the company’s security training and awareness team is the force that unites team members in this effort. 

The team educates employees in various ways, such as through cybersecurity training, phishing simulations and phishing prevention training. In addition to being informed about critical potential incidents, including fraudulent emails and phishing through text messages, team members are offered industry examples and guidance on how to report suspicious situations to the company’s Cyber Security Defense Center.

“We hear great feedback from employees on how our training has helped them not fall prey to scams both at work and in their personal lives, and this reinforces our mission and keeps us motivated to think of new ways to engage and educate employees about cybersecurity,” Bestold said. 

“We hear great feedback from employees on how our training has helped them not fall prey to scams both at work and in their personal lives.”

By embedding a focus on cyber education into the employee experience, the company aims to cultivate a culture of security that extends beyond its dedicated cybersecurity teams. Beneke explained that, to do this, the company hands out “challenge coins” to individuals and teams who help support the organization’s security initiatives, deeming them “guardians of our digital realm.” 

But this is simply one way in which the company fosters cybersecurity fervor. According to Wheelock, the organization hosts global security hackathons throughout the year, which give participants the chance to demonstrate their work to the wider company and impact broader technological endeavors. 

“These are incredible opportunities for teams and individuals to research new skill sets and tools and put them into practice,” she said. “Many projects have seen their way into production solutions.”

At John Deere, cybersecurity is a true community effort, offering team members the chance to stretch their skills, think outside the box and leave their own mark on the company. In Johnson’s mind, it’s an ongoing undertaking that highlights the organization’s commitment to continuously improving its security, attracting the best talent and embracing the latest technologies. 

“Creating a security-focused culture doesn’t happen overnight,” he said. “We’ve established a strong foundation, and we’re committed to keep building.”