Culture Eats…Security for Breakfast
Episode 34 • 15th October 2020 • The New CISO • Steve Moore


Shownotes

On today’s episode, George Finney, the CISO of Southern Methodist University, joins us to discuss how cybersecurity is a team sport that depends on openness and collaboration, and examine how culture can directly impact the likelihood of future breach. 

 

How a Law Degree Helped George 

George Finney is an accomplished CISO with an unusual background: he has a JD. While it is becoming more common for CISOs to earn an MBA, it is rare for one to hold a law degree. He attended night law school while working full time, reading thousands of pages of dry legal cases. George reflects on the process and says it pushed him to a new level of work, made him more efficient, and helped him understand the bigger picture of "why" in cybersecurity. 

George says higher education made him more curious and gave him a broader understanding of the business. While he does not encourage every CISO to apply to law school, he points out how useful it is to understand security through a lens other than a purely technological one. Additionally, advanced degrees open up more employment opportunities for CISOs. 

 

Advice for 25-year-old George 

George reflects on what advice he would give his younger self. He focuses on how a career is a process: he has worked corporate jobs and at startups, and attended law school. He believes those different experiences help prepare someone for a leadership position. He tells his younger self to embrace variety, and wishes he had pursued more diversity in his own career. 

He also touches on how he would tell his younger self that cybersecurity is a team sport, a theme we return to later in the episode.

The Healthy Leadership Mindset 

Traditionally, there is an idea in cybersecurity that the problem is always people-based, or that certain people are to blame. This pervasive attitude sells employees short and does not allow them to rise to the occasion. George speaks on how leadership needs to include mentorship, and needs to want people to succeed instead of waiting for them to fail. 

Listen to the episode to hear more about the dangers of writing people off as “dumb” instead of taking the time to help them improve. 

The CISO that Cried Wolf

George also discusses how the fear of being poorly perceived can undermine security. He gives the example of Robert Ebeling, the engineer who tried to warn NASA before the launch of the Space Shuttle Challenger. He was ignored, because he told management something NASA did not want to hear, and as a result the astronauts died. 

We discuss the nuances of navigating the CISO position, whose purpose includes raising the alarm when necessary. You do not want to be the CISO who cries wolf every time there is a potential risk; however, you also do not want to keep quiet out of fear. Listen on to hear what George has to say on this topic. 

Well-Aware: Master the Nine Cybersecurity Habits to Protect your Future 

Whether you are a technical or non-technical leader, you can benefit from this book through the lessons in its historical and psychological examples. George wrote it to help CISOs bridge the gap when speaking to other leaders within the company, and it is a professional development book aimed at CISOs specifically.

The book focuses on habits and small changes that can make a big difference, on the premise that adjusting these habits can help prevent attacks. Listen to the episode to hear more about the nine habits and George's book.

Leadership in the Time of COVID

George urges team leaders to show extra compassion at this time. People are now in a seven-month-long stress period, whether with kids at home or worrying about elderly parents. As a leader, it is important to understand that your team is not going to perform as well as it did last year, and to be empathetic. 

 

Phishing 

As a result of COVID, phishing is up, perhaps because attackers recognize that people are vulnerable at this time. George discusses how he sends simulated phishing emails to staff to test which campaigns are more effective than others. Drawing on psychological research, he found that analytical thinking is much higher in the mornings than in the afternoons, and that users are 10x more likely to click on his simulated phishing messages in the afternoon. Listen to the episode to hear how to incorporate this knowledge into training and how to adjust behavior to avoid it. 
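The time-of-day comparison George describes is easy to reproduce from a phishing-simulation platform's export. The following is an added example, not code from the episode or from SMU's program: it takes per-message send/click records (the records here are constructed, and the field names `user`, `sent_at` and `clicked` are assumptions about the export format), buckets them by send hour, and reports the click rate per bucket and the afternoon-to-morning rate ratio.

```python
"""Click rate of simulated phishing messages by time of day.

Added example. The campaign records are constructed and the record
fields (user, sent_at, clicked) are assumed, not taken from any real
phishing-simulation tool.
"""
from collections import defaultdict
from datetime import datetime

# Constructed campaign log: one entry per simulated message.
# sent_at is the local send time; clicked is whether the lure link was opened.
RECORDS = [
    {"user": u, "sent_at": t, "clicked": c}
    for u, t, c in [
        ("u01", "2020-10-05T08:15", False),
        ("u02", "2020-10-05T08:40", False),
        ("u03", "2020-10-05T09:05", False),
        ("u04", "2020-10-05T09:50", False),
        ("u05", "2020-10-05T10:10", False),
        ("u06", "2020-10-05T10:35", False),
        ("u07", "2020-10-05T11:00", False),
        ("u08", "2020-10-05T11:20", False),
        ("u09", "2020-10-05T11:40", True),
        ("u10", "2020-10-05T11:55", False),
        ("u11", "2020-10-06T13:05", True),
        ("u12", "2020-10-06T13:30", False),
        ("u13", "2020-10-06T14:00", True),
        ("u14", "2020-10-06T14:25", False),
        ("u15", "2020-10-06T14:50", True),
        ("u16", "2020-10-06T15:10", False),
        ("u17", "2020-10-06T15:35", True),
        ("u18", "2020-10-06T16:00", False),
        ("u19", "2020-10-06T16:20", True),
        ("u20", "2020-10-06T16:45", False),
    ]
]


def hour_bucket(sent_at: str) -> str:
    """Map an ISO-8601 local timestamp to a coarse morning/afternoon bucket."""
    hour = datetime.fromisoformat(sent_at).hour
    return "morning" if hour < 12 else "afternoon"


def click_rates(records, bucket=hour_bucket) -> dict:
    """Return {bucket: click_rate}; buckets with no sends are omitted."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    for r in records:
        b = bucket(r["sent_at"])
        sent[b] += 1
        if r["clicked"]:
            clicked[b] += 1
    return {b: clicked[b] / sent[b] for b in sent}


def rate_ratio(rates: dict, numerator: str, denominator: str) -> float:
    """How many times more likely a click is in one bucket than another.

    Returns inf when the denominator bucket had no clicks at all, so a
    zero-click control group does not crash the report.
    """
    if rates[denominator] == 0:
        return float("inf")
    return rates[numerator] / rates[denominator]


if __name__ == "__main__":
    rates = click_rates(RECORDS)
    for b, rate in sorted(rates.items()):
        print(f"{b:>10}: {rate:.0%} click rate")
    print(f"afternoon/morning ratio: {rate_ratio(rates, 'afternoon', 'morning'):.1f}x")
```

The bucketing function is a parameter so the same report can be run per hour, per weekday, or per lure template. When comparing buckets, send the same lure to both groups; if the afternoon group received a more convincing template, the ratio measures the template, not the time of day.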

Culture 

We reflect on how company and national culture shape security culture. A company culture of the never-ending workday, i.e. the expectation to answer emails at any time, even late at night, also feeds phishing success. 

In some national cultures, questioning is more accepted than in others. Layered on top of corporate culture, this can influence the likelihood of a future security breach. If people understand that learning and asking questions is safe, they may be less likely to click on a phishing email. 

Cybersecurity and the Culture Audit 

Diving further into this topic, George looked at the Glassdoor ratings of every company that had a security breach in 2018 and found that those with breaches were 3x more likely to have a below-average culture score. This held across industries and included both small and large companies. Listen to the episode to hear more about the impact of culture, and of diversity, on a company's success. 

 

The New CISO

George believes that the key to success is building relationships. To him, being smart is not enough. Since security is everyone's job, he believes people are the solution, so it is essential to treat everyone well. 

 

Links: 

Exabeam: Website

New CISO Podcast

George Finney - LinkedIn

Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future
