Afternoon Cyber Tea with Ann Johnson

Episode: Why Cybersecurity Fails Without Trust
Date: March 3, 2026
Guest: George Finney – Cybersecurity Executive, CISO, Author (“Project Zero Trust,” “Rise of the Machines”)

Episode Overview

In this thoughtful episode, host Ann Johnson explores the crucial role of trust, communication, and human factors in successful cybersecurity leadership with guest George Finney, a renowned CISO and author known for demystifying Zero Trust concepts. Drawing from their experiences in higher education, executive environments, and publishing, Ann and George discuss why traditional approaches often fail, how to make cyber risk resonate with leadership, and why effective security depends less on technical controls and more on people, relationships, and culture.

Key Discussion Points & Insights

1. Security Culture in Open Environments

[01:10]

• Ann highlights universities as “open by default,” facing the same threats as large enterprises.
• George notes that higher education’s foundation in transparency and openness forced him to rethink traditional security assumptions.
• Building relationships and trust with long-tenured stakeholders ensures program longevity; fear tactics don’t work here.
  • Quote:

    “If you burn a bridge, that’s going to impact your program for a long time.” — George Finney [01:44]

2. The Human Side of Cybersecurity

[02:51]

• Ann suggests making cybersecurity “more palatable for the masses” by shifting away from fear.
  • Quote:

    “Cybersecurity is everyone’s job.” — Ann Johnson [02:51]

[03:36]

• George recounts a story where his curt communication almost damaged a crucial relationship, highlighting how people, politics, and silos routinely cause Zero Trust projects to fail.
  • Quote:

    “The common denominator...on why their Zero Trust projects failed was people. It was politics, it was communication, it was silos.” — George Finney [03:36]

3. Effective Communication with Executives

[05:00]

• Ann stresses the importance of moving away from constant crisis messaging (“the boy who cried wolf” problem).
• George shares that dumbing things down isn’t the answer; rather, make complex concepts approachable and relatable.
  • Personal anecdotes (like campus bicycle theft) humanize cybersecurity risk.
  • Reference to Maslow’s hierarchy of needs: Security is a fundamental, universal concern.
  • Quote:

    “It’s not about dumbing it down. I think you need to make it approachable and connect with them.” — George Finney [05:44]

4. Boards, Risk, and New Technology (AI & Cloud Analogy)

[10:15]

• Ann draws parallels between adoption hesitance for cloud and current unease around AI.
• George observes that business leaders see risk as opportunity (“risk equals reward”), so security teams must reframe conversations:
  • Talk about danger where existential risks exist.
  • Boards now expect CISOs to bring solutions and strategic thinking to new tech (AI, cloud).
• George’s restaurant analogy for AI:
  • Data = ingredients, Models = recipes, Tools = kitchen equipment, SaaS AI = “Uber Eats” delivery. Provides relatable structure for governance discussions.
  • Quote:

    “We can’t think about AI like it’s magic. It’s super complicated math...but if you can break it down...that starts to help us have the conversation...” — George Finney [13:20]

Notable Segment:

• AI as restaurant analogy – how roles, boundaries, and risks fit familiar frameworks, resonating with leaders.
  [12:00–15:03]

5. De-Buzzwording Zero Trust for Leaders

[15:52]

• Zero Trust fatigue is real; leaders care about exposure and impact.
• George: Messaging Zero Trust as a strategy (“for preventing or containing breaches by removing unnecessary trust relationships”) lands with leadership because it’s about organizational strategy, not just technical tactics.
  • Involving all departments (HR, legal, audit) in security efforts makes Zero Trust meaningful.
  • Quote:

    “A strategy is really about getting multiple different groups to work together towards the same goal.” — George Finney [17:50] “Security is everybody’s job.” — Ann Johnson [15:52]

6. What Weakens Security Messaging

[18:50]

• George’s “soapbox moment”: The phrase “people are the weakest link” is counterproductive and alienates both executives and staff.
  • Reframes: “People are the only link.”
  • CISOs must see themselves as team coaches or conductors, orchestrating people, process, and technology.
  • Quote:

    “If we could just get rid of all the employees in our company, we’d be great. We’d be totally secure. ...So, man, I think shifting that message...people are the only link.” — George Finney [19:13]

• Ann introduces “digital empathy”: Systems should be resilient and empathetic to humans, not the other way around.

7. Leadership, Lifelong Learning, and Career Growth

[21:40]

• George stresses the importance of seeking out supportive environments, embracing risks outside of one’s comfort zone, and adopting lifelong learning to stay current in cybersecurity.
  • His law degree (earned while working in higher ed) broadened his effectiveness, even if not actively practicing law.

Notable Quotes & Moments

• “The more you can make it appear open, is something that will actually make us more secure.”
  — Ann Johnson [02:51]

• “Man, we don’t talk about [people, politics, communication] enough in security, about how do we break out of just the tactics and really make progress in a much bigger way.”
  — George Finney [03:36]

• “It’s not about dumbing it down. It’s about connection.”
  — George Finney [05:44]

• “We can’t think about AI like it’s magic. ...If you can break it down...that starts to help us have the conversation.”
  — George Finney [13:20]

• “People are the only link.”
  — George Finney [19:13]

• “If your systems are so weak that one human being clicking a bad link causes a wholesale outage, then it’s not a people problem, it’s a systems problem.”
  — Ann Johnson [20:58]

Optimism and Looking Forward

The Future of Cybersecurity & AI

[23:51]

• George shares a story about helping his child use AI (ChatGPT) for a creative project, emphasizing that the power of technology is limited only by our initiative and imagination.
  • Quote:

  “The power that we have today is only limited by our own initiative and imagination. I’m really optimistic that we’re going to be able to unleash an amazing amount of creativity to the world. But it starts with us and aspiring to something higher.” — George Finney [25:18]

• Both George and Ann agree: AI is a hugely beneficial tool—a “toddler” that must be harnessed responsibly.

Segment Timestamps

• [01:10] — Openness in higher education and security leadership
• [03:36] — The role of people, politics, and communication in Zero Trust
• [05:00] — Communicating cyber risk; relatability vs. dumbing down
• [10:15] — Explaining risk, governance, and new technology (AI/Cloud)
• [12:00–15:03] — AI as a restaurant analogy; making complex risk approachable
• [15:52] — Zero Trust for boards and executives
• [18:50] — Messaging pitfalls and people as “the only link”
• [21:40] — Leadership, risk-taking, and lifelong learning
• [23:51] — Optimism for cyber’s future and responsible use of AI

Conclusion

This episode of Afternoon Cyber Tea underscores that cybersecurity fails without trust—both organizational and interpersonal. George Finney’s practical stories, approachable analogies (from campus bikes to AI restaurants), and emphasis on communication resonate at all levels, offering actionable ways to unite people, process, and technology. The future, far from bleak, is bright for organizations that embrace empathy, inclusion, and lifelong learning—where “security is everybody’s job.”