Recently, for the SSE Forum we were excited to talk to George Finney as part of our ‘Breaking Down Zero Trust’ series. We discussed how he started his journey in IT and security, why you need to consider the human side to run a security program, his thoughts on Zero Trust, and his new book Project Zero Trust.
IT and security can be stressful places to work. The stakes are high and information on the best way forward tends to be hard to find and isn't always shared. We are trying to change this. Sharing makes us all better.
George is the CSO for Southern Methodist University, where he has worked for almost 20 years. When George was in college he thought he was going to be a stockbroker and even interviewed on Wall Street, but realised that wasn't the journey for him. He then started to work with computers and that led to the world of security. He worked in networking and as a sysadmin, bouncing around a few startups, before going to law school and qualifying as a lawyer.
He said he loves working at a university because of its great quality of life and because it offered him the opportunity to write a few books as well as teach, give back, and share the experiences he has gathered throughout his career. He believes one of the things we need to do is set the next generation of cyber security professionals up for success. We don't want them to relearn all the same lessons we did. He always wanted to be a writer, so being able to combine that with a career in cyber has been amazing.
George doesn't believe people need a degree in IT or cyber to make it in these areas. He has stopped asking for this in his job descriptions. He believes curiosity and passion are the core things that will make people successful in these areas. Find out what you are curious about. Is it pentesting, is it networking, what makes you tick? He believes curiosity will pay off in your career, especially in security, because we are always on the bleeding edge. Things will change significantly over the next 5-10 years. We have to embrace lifelong learning, as there are always new attacks coming and we always have to secure the bleeding edge.
Another piece of advice he offers is that the key to success in your career will be your soft skills. Being able to interact with people is going to be key. You will need to be able to communicate with people, be collaborative, and have conversations about risk. It doesn't need to be "my way or we will get hacked".
Building relationships and building your network is key to learning more than you can learn on your own. There are places to go to meet other people and connect. Things like LinkedIn didn't exist back in the day, so embracing them is going to help you if they are used carefully and with focus. Work on your people skills. George said he identifies as an introvert even though he sounds outgoing.
In his previous book, Well Aware, George wrote about his observation that 50% of human behavior is based on habit. George broke security down into 9 unique habits. The accompanying personality test helps you identify your own strengths when it comes to cyber security habits. Working in IT with some of his peers, George has caught himself saying "they don't get security" and "it's hard to work with this person", but taking the personality approach has helped him understand that people simply have different approaches. In Maslow's hierarchy of needs, safety and security are part of the foundation of our human experience, and we can't reach our full potential unless we have met that need for safety and security.
The personality test helps you know who you are and what your identity is. This is a great place to start. Feedback from technical folks has been that this really helps people collaborate across teams. Not everyone is doing 100% of the job. People have different habits. Some are more detail-oriented and do things like documentation and white papers, whilst others are on the lookout for new threats. Not everyone is technical. If your work aligns with your values then long-term career burnout is less likely. Just because you are good at something doesn't mean you want to do it forever.
When it comes to cyber, some people feel intimidated by it. Maybe it is because security is technical and they are not. We need to break down that fear and help people find an identity when it comes to security, even in non-technical roles. This has led George to work on training material that helps people build habits.
When asked what Zero Trust means to him, George responded with "I hate that question". George said the question makes it sound like people can have their own opinion, but John Kindervag had a specific vision when he coined the term Zero Trust. George got to work with John on his book Project Zero Trust; they collaborated on how to tell the story, and John shared all of his notes and background. George took his inspiration for the book's format from The Phoenix Project.
In the book, a fictional company gets breached and decides to implement Zero Trust afterwards. George commented that John's definition is very simple. Zero Trust is a strategy, and the strategy is to prevent and contain breaches. We do that by removing trust relationships in our different computer systems. The way we do that can differ widely, but the strategy is still the same. George feels that the reason Zero Trust is so appealing to leadership (such as boards or the president) is that the only way to have success is to have a strategy.
George feels that there is no other well-defined strategy in cyber security. Defense in depth? Cool. Good concept. But not a strategy. A strategy has two parts: a goal and a way to get there. There is no way to measure whether you have achieved defense in depth.
Helping people understand what it really means to have trust in a digital system and how to spot and remove it really takes time, focus, and energy from human beings. It takes all of them working together. In the story, he brings together a team of people as he believes everyone in IT has a part to play in zero trust. Everyone needs to move in the same direction. Zero Trust is that rallying cry. You need to build a team and develop that habit and practice doing that work every day.
Everyone knows that in IT there are many ways to deliver a project but did you just do the minimum to finish the project? There are lots of competing interests. Everyone needs to be aligned to be able to focus on what's important and deliver that.
Security is a process. Organizations are always evolving, we are always upgrading, people are coming and going, and the business sometimes pivots to new markets. Security is a living, breathing thing. Can we ever reach zero? Even at a point in time? George didn't believe it could be measured to that degree. But you can reach the goal of preventing and containing breaches without getting to zero percent.
You have to align security with the business. Some businesses have a significantly higher risk appetite than others. When you align security with the business, sometimes they say they can't fund all the initiatives and give you all the resources you need to get to zero. We think an acceptable risk tolerance is slightly higher than that. Different organisations will have different answers, and it's always an evolution. We should press as hard as we can to get to zero with whatever resources we have.
When asked where you should start your Zero Trust journey, George said he didn't have a super sexy answer. He mentioned the quote from Socrates, "know thyself". You have to start with your inventory, your risk register, and your business impact assessment. He felt these were all prerequisites for your Zero Trust journey. You can't protect stuff when you don't know what is there.
To have a really good Zero Trust initiative you need to start with understanding yourself. John uses the concept of protect surfaces, so you need to know what yours are before you can get started. You have to know the business. You have to understand how the company makes its money and what the risks associated with that are.
George believes that building trust from the business is critical to having them engaged. This starts on the first day of your job. A lot of organisations will push fear to get a budget. This is the underlying dirty truth behind the security industry but George said he tries not to do that. The unvarnished truth is key. Speak truth to power. This is a fine line to walk but when he approaches a new proposal or new program he builds a business case.
A business case is something that organizations and business leaders understand; it's not just asking for another half million dollars to do X. They have confidence then. They know and trust that you have done your homework and research. Don't treat them like they are dumb. Get data to support proposals. Don't ask for the moon. Understanding what is reasonable is very important. We don't have to spend six figures on a commercial tool if a free tool exists that meets the need.
George commented that it takes time to build trust, and he was concerned about reports that say the average tenure of a CISO is now 2 years. That is really just one budget cycle. That's a big challenge for us collectively, because delivering on things sometimes takes a lot of time. Statistics show that most people are not effective for almost a year; gaining traction takes around 2 years, and the real benefits come in years 2-4.
When asked who would be in his Avengers of Zero Trust team, George said the first thing you need to do is bring in the network/firewall person. These people are core to the team. The second element he feels underpins Zero Trust is identity, so you will need someone from that arena. Identity ties into the whole of the business.
Next, you need a project manager. This project manager does not need to be super technical but they need to help make sure the project moves smoothly and that security is baked into the project process. Then there is a trainer. All of the individuals in the organization need to be trained. Security should be included in all training programs.
You will also need the DevOps folks. They need good security baked in. Then you need desktop support and help desk support involved in the team. These people will also need a seat at the table. This is your A team. The battle is difficult, and you need a large team to fight it.