For this interview, I'm pleased to welcome Dr. John Johnson, who is the global security strategist and domain architect for John Deere. John has been responsible for architecting solutions that have been critical to maintaining global network security at John Deere since 1999. His projects have involved every aspect of corporate security, from the management of enterprise security systems, to developing standards and policies, and overseeing the security of business acquisitions and divestitures.
Prior to John Deere, he worked at Los Alamos National Laboratory as a staff physicist and network security manager. John has spoken at such industry conferences as Black Hat, RSA Conference and SC Magazine World Congress on various computer security topics. John has developed computer security courses for St. Ambrose University, ITT Tech, Laureate/Walden University and Excelsior College. He is an Advisory Board Member for the University of Advancing Technology and an adjunct faculty member for St. Ambrose University, Eastern Iowa Community Colleges and Excelsior College, having taught more than 30 courses since 2003. John serves on industry boards and advisory councils, and he is an active security blogger.
In the podcast, we discuss John's background as a nuclear physicist turned security professional and why he believes in an "evidence-based" approach to security. John further explains what he means when he says, "Our future relies on our ability to take advantage of opportunities related to social, mobile, big data, analytics, and cloud, and security is the enabler."
The following is a brief excerpt of our interview:
Jeff Williams: So when you say, "evidence-based," tell me a little bit more about what you mean there. My experience is that, especially in the application security world, there really is no evidence-based security. Most applications go live with, at best, a pen test or some static analysis or something, but no real evidence that the properties of that application are what we would like to see in a secure application.
John Johnson: I think evidence can come from many sources. You're correct that often times a company may not have a body of historical evidence on which to base their estimates and their claims for security metrics, for example. An application goes live and I think that you have done your due diligence - performed your due diligence - but until it goes live, you may not have evidence. But I think that we need to look for both qualitative and quantitative data to support our decisions, and I guess that's what I'm getting at. We need to have a rationale, a consistent approach to what we do.
And I think that we should be looking for, as we deploy applications, as we have security projects and services, we should be developing metrics. We should be measuring what it is that we do, both from a performance standpoint and from a risk management standpoint. Is what we're doing having some impact on how we assess the risk, knowing that the risk associated with an application may not be always that tangible? I certainly agree with that.
But there are things that we can measure, and as we learn, as we gain and build some data, then I think we need to improve our models and improve our measurements and our metrics. And we should always be looking at the results. And I think that the results are what should drive us in a particular direction. I like to think of it as making a cake. When I was in high school, I had to make a cake once in a while for bake sales, and I had all the ingredients. In fact, they came in a box, right? I just needed to get eggs and milk and this box and mix things together. But sometimes the results were not what we anticipated. And I think that's a natural thing to occur. Sometimes our cake is a little bit lumpy, and we have to say, "Okay, let's go back and revise our processes, maybe use the appropriate tools." Maybe I tried to mix it by hand instead of using a mixer. And we look at the results. And I think that we need to have that cycle, and that's sort of what I refer to, I think, as "evidence-based security."
Jeff Williams: Yeah, I love the cake analogy. I did a talk a few years ago at an ISSA conference about this, and my thoughts on it were that there are a ton of different ways to make great cakes, everything from a big factory, like a Tastykake kind of factory, all the way to like a high-end boutique wedding cake art kind of kitchen. And it seems very strange to me that the way that we measure - at least in application security - the way we measure organizations is by comparing them to each other, when really, they could be wildly different and still producing fantastic cake.
John Johnson: Yeah, I agree with you. We may be measuring along the same dimensions, as we build our spider graph and sort of look for what our level of maturity is, assess what tools and processes we need. But it really is based on your organization, your organizational objectives, your regulatory environment, your risk appetite. And so for some companies - I happen to be working for a manufacturing company - we may have a little different approach than a large financial institution, right?
Jeff Williams: Sure.
John Johnson: And so we might like a little bit more home-style cake, whereas a financial institution, they might be moving so fast, all they have time to eat is Twinkies. I don't know.
Jeff Williams: Interesting. So you had a recent presentation you did on security metrics, and you said, "Our future relies on our ability to take advantage of opportunities related to social, mobile, big data, analytics, and cloud, and security is the enabler." Let's focus on big data, and how does that security become an enabler for big data?
John Johnson: Well, I know that in my experience, the legal and compliance folks are going to be very reluctant to put sensitive company data, PII customer data, classified data in the cloud. There is an inherent lack of trust there in moving beyond our data center. And so I think that security has the knowledge and the ability to architect solutions that are perhaps innovative, taking into account the real risk that needs to be managed. It's our job to assess that risk, to present the options, and oftentimes, the legal team, the business owner, the data owner, they may not be aware of all the options that are out there. And so I think that we have a responsibility to have very technical experts and to have the ability to facilitate conversations, bring the right experts that aren't on our team to the table to architect solutions.
And we also have a leadership role that I think the CSO needs to be able to really take that technical information and metrics and present that, communicate that in a way to executives that's very understandable. And I think that the CSO has to really step up and take a leadership role to lead the security team and to develop good governance and metrics and to be able to demonstrate that security can be run like a business, in that we can be efficient, we can have an effect on the bottom line. If we're not there, and if we're not doing our jobs the way that we should be, I think that the business may be slow to move into a new market, may fail to take on some new opportunity, because they feel that the risk is too great, and so I see security - a mature security organization - as being an enabler, because we can help to develop solutions that will have an impact on the bottom line.
It really takes leadership, because we don't often come from a place where we have our capabilities matured to the level that we need them to be as proactive and to anticipate where the business is going next. We really need to be on the top of our game if we really want to enable the business the way that I feel we need to, and with the threats accelerating and becoming more sophisticated, and with the business opportunities as technology advances coming faster and faster, we just don't have that luxury of taking years to develop solutions or living with the status quo, or else the roulette wheel is going to come around and our company is going to be in the Wall Street Journal, when we don't want that.
Jeff Williams: I couldn't agree more. I've always viewed security as an enabler, and it's so frustrating when people throw out those old aphorisms like "Which is more important, security or usability?" I see that as a false dichotomy. I think you're exactly right, that security can be a huge enabler in the new economy. And you look at companies like Apple, who are really taking advantage of this. Their new Apple Pay, I think, is going to be a big deal. I think they're going to change that. And the reason that it's going to be successful is because of security, not despite it.
John Johnson: Sure. I think that the Apple Pay is a great example of an innovative and secure solution that meets the demands of today's consumer. And it's not that our solutions are always perfect. And that's why we don't just push out a solution and then forget about it. We have to continue to measure and take feedback and always be in a continuous improvement loop. But I think that we live in a day and age where so much of what we do involves technology and the internet and being interconnected to this internet of things, right?
Jeff Williams: Yep.
John Johnson: Our personal data is in the cloud. I just got a new iPad, and I was in New York City. I wasn't anywhere near my computer. But I was able to just click "restore from the iCloud" and my iPad brought over all of my data and my preferences. And I mean that's great, and that's very convenient. It's also a little scary, being a security professional. So we've got a real tough job cut out for us.
Jeff Williams: Absolutely. Let me ask you a little bit about application security and vulnerability management. What are some of the key metrics that you think companies ought to be tracking?
John Johnson: Well, I think we need to be comprehensive in knowing that we are, at least at a basic level, and I think that network vulnerability management or dynamic assessments of web applications is sort of a baseline. It's sort of a minimum bar that we should all be striving for. And so I think that maybe the first metric that I'd look at is "What percentage of systems or websites are we actually assessing?"
Jeff Williams: Right, so a portfolio coverage metric?
John Johnson: Yeah. I think it's very common, in a large, complex organization like I'm familiar with, to have new applications added to the portfolio that you're not aware of, or to even have new address spaces added to your data center, or to have applications that spin up in the cloud at a hosted service, and you might not be aware of them. So knowing that you're at least out there aware of and attempting to establish a baseline with all that you have out there, and especially what you have exposed to the internet.
To listen to the rest of my interview with John, click here.