John Johnson doesn’t mince words when he addresses what works and what doesn’t in the security industry.
“If this is how you view security architecture,” one post on his blog begins, “you are doomed to failure.” Below this, a picture of a Swiss army knife, fully unfolded in all its spiky, useful glory, illustrates his point. “Tools alone cannot keep up with threats,” he continues, “or solve all of our problems.”
Education in technology security is important to Johnson, who works as an adjunct professor at three colleges and is active in several professional organizations. His work as the global security strategist at John Deere helps him stay in the know about the latest security threats and developments in the technology sector, which he can pass on to the students and young professionals he mentors.
Johnson started at John Deere fifteen years ago, and since then, the pace of threats and the sophistication of attacks have increased, though he adds that the manufacturing industry isn’t targeted as much as other businesses. Still, John Deere collects data that serves as a tempting target for pirates. Equipment and customer data and analytics are growing within the company’s model and, Johnson notes, could eventually become as important as, or more important than, the machinery John Deere is known for. Because of this, Johnson says it is absolutely crucial for businesses to treat security as a key partner in the business structure. As technology continues to evolve, security departments can’t afford to become stagnant; embedded systems, applications, and a growing reliance on cloud computing force security experts to stay flexible.
The necessity of a continuing education is nothing new for security professionals. An individual starting out in cybersecurity tends to have specific knowledge in one area, such as application security or pen testing, Johnson says. “When you hire somebody, say, a programmer, they don’t know twenty different languages. They know one or two,” he explains. “They focused on one thing in college.”
Any individual who wants to advance has to become more of a generalist and needs to learn good business practices as well as security and computing tactics. Employees who studied business rather than engineering or computer science, on the other hand, may have a broader mind-set, but even they tend to have expertise in one area. For Johnson, the method to develop a deeper, long-term understanding of the industry in an employee is through mentorship by management. This is one of the reasons he values education so highly and spends so much of his time working with students and young professionals. But he admits that even this approach has limits. “You can train a person on technical issues,” he notes, “but you can’t train someone to be ethical.”
When Johnson began working in security in the mid-nineties, the practice was fairly new, and he had to motivate himself to learn what was necessary to thrive. He now instills that drive in his students but acknowledges that staying up to date on security risks can’t come just from a traditional education. “We need to do more than rely just on college degree programs,” he insists. “We need to be willing to look at people who are smart, curious, and sincerely interested in a cybersecurity career. There are some very capable, self-taught candidates out there that we should not overlook.”
It’s important for the next generation of cybersecurity professionals to be self-motivated and understand that they will continue learning throughout their professional lives. Technology is constantly changing, and security employees in every industry have to learn to stay ahead of criminals and new threats. Mind-set and attitude are crucial in this line of work. “For the most part, we can train them to use security tools if they have the right mind-set,” says Johnson, who insists that after finding these individuals, it is the business’s responsibility to build trust and expertise. “They need to know that we are here to help them grow and advance in their career, and we need to help them build both technical skills and soft skills necessary for senior cybersecurity roles.”