A
You're listening to the Cyberwire Network, powered by N2K. Welcome to Afternoon Cyber Tea, where we explore the intersection of innovation and cybersecurity. I'm your host, Ann Johnson. From the front lines of digital defense to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews, and captivating stories to stay one step ahead. This week on Afternoon Cyber Tea, I am joined by George Finney. George is a cybersecurity executive, CISO, and author known for his practical, leadership-focused approach to zero trust and enterprise security transformation. Among his books are Project Zero Trust and Rise of the Machines, which both help articulate complicated frameworks in a simple and practical way. Welcome to Afternoon Cyber Tea, George.
B
Thanks so much for having me. I hope it's okay. I only got coffee, not tea.
A
That's fine, that works. It's morning my time, so anything with caffeine is helpful. It's great that you joined me today. You've obviously led security in environments where openness, trust and autonomy aren't just values. They're foundational to the institution itself. And universities themselves are fascinating environments from a security perspective. They are designed to be open by default. They're open to ideas, to collaboration, to research. And yet universities face the same threat pressures as many large enterprises. So how does all of that reality shape the way you think about security leadership?
B
I think that commitment within higher education to transparency and openness, I think helped change a little bit of the way that I think about security. I think we take some things in security for granted, and I've had to kind of shift the way I approach things just to challenge some of the accepted notions that we've had. For me, that's really resonated with my leadership. You know, when I'm talking to my general counsel, our auditors, or my CFO, I think they appreciate seeing the full picture on why we're doing things. And, you know, just using the standard fear, uncertainty and doubt, I mean, it was pretty clear that was never going to work. So, you know, I think instead building those relationships and trust, particularly over time. I mean, higher education is a little unusual in that our leaders tend to stay for a lot longer than in other industries. So, I mean, if you burn a bridge, that's going to impact your program for a long time. So that has been influential in the way that I think about cybersecurity culture, and hopefully that's a good thing.
A
I think so, definitely. I will be candid with you. I haven't completely read your books, but knowing you were going to be a guest, I did a little bit of research on them just to understand them. And I think that when you take that philosophy and your approach, it's something that will make cybersecurity better for the masses, or more palatable for the masses. People are afraid of it. Right. So that fear of cybersecurity, the more that you can actually make it appear open, is something that will actually make us more secure. I keep saying that we won't need cybersecurity departments anymore because cybersecurity is everyone's job. Right. We'll need some expertise, but cybersecurity should be everyone's job. And the more we do that and the more you advocate for that, I think is a great thing. And Zero Trust certainly lends to all of that.
B
I think you're spot on. Folks are scared enough about cybersecurity. I mean, they see it in the headlines every day. I had to reach out to one of my department heads. This is several years ago. You know, there was a vulnerability. It was an issue, and we needed their help in fixing some things. You know, just the tone of your voice matters. I was very curt, shall we say? You know, we needed to get this done. And I think I was anticipating some pushback. And so I took a tone that, had I not already had a relationship with the person, you know, she pulled me aside after we had fixed everything in the incident, and she was just like, hey, so, you know, I noticed this was a different George that I was hearing. And, you know, had we not known each other, that might have become a barrier for us working together moving forward. And when you think about really important things like Zero Trust, after having written the book and toured all over the world, you know, talking to security leaders about it, the common denominator that I've heard from other CISOs on why their Zero Trust projects failed was people. It was politics, it was communication, it was silos. And, man, we don't talk about that enough in security, about how do we break out of just the tactics and really make progress in a much bigger way. And I think all of that comes back to people and relationships.
A
Yeah, and communication. Right. I worked with a CISO at one point in my career that, as a child, I read this book in school called The Boy Who Cried Wolf, and then suddenly everyone stopped listening to the boy. And I worked with a CISO once that everything was a crisis, right? And at some point, the executives just started tuning out because they were like, okay, everything can't be a crisis. Right? It's just they just stopped listening to that person. So how do you explain cyber risk to boards and executives? When they're hearing a lot of noise, they're hearing a lot about risk. The answer isn't more control, but it's better communication. It's better judgment. It's better accountability. How do you land those messages in a way that people are listening to you, and they're not just tuning you out because they were like, oh, it's just another problem?
B
You know, I love this question. You so often hear folks talk about, you know, just basic things like stop using jargon and acronyms. But I think what people hear when they hear that advice is you've got to dumb it down. And I got into a bit of a debate with one of my CISO peers at a large organization a few years ago, and, you know, they were basically saying their board is stupid. And I'm like, do you really believe that? And I think when you work with executives, leaders, or boards, they are very talented. Right? These are very intelligent people to have gotten where they are. I don't think the answer is to dumb things down. I think you need to make it approachable and connect with them. One of my board members was, I don't want to name the name, but everyone has seen him on TV at some point. And I was giving a presentation about physical security. And we at a university ran what we call a bait bike program. So one of the most common things that gets stolen off of college campuses are bicycles. So our PD had a bicycle with a GPS in it, and they would all get a text anytime, you know, the bicycle moved, and they would all kind of descend on the area. And, you know, our bike theft problem went way, way down. But I'm talking to a billionaire, right? That is a household name. And this resonated with him so much because when he was in college, his bicycle was stolen. So when you can connect that back, whatever people's backgrounds are, I mean, security matters to people. It's a part of who we are. I mean, it's a part of Maslow's hierarchy of needs, as the foundation of who we are as people and how we set ourselves up for success and how we set our organizations up for success. People get that we need security. And I think, you know, making it not just relatable, but making it approachable. Right. And that's what I've done with the books. And I think that's the most special thing that I've gotten from writing Project Zero Trust and Rise of the Machines, is that it's a story. And when I talk to folks, whether they're brand new to technology or whether they've been in security for 30 years, they get something out of it. And it's because I've made it approachable that I can go into the super technical deep dives and connect those dots. I think that's probably what got this. Last year, Project Zero Trust was inducted into the Cybersecurity Canon Hall of Fame. And I think that's why that message kind of connected with so many different people. I made it approachable.
A
I miss, by the way, the Cybersecurity Canon Hall of Fame. I used to be on that group. And then I had to tell Rick, I just don't have the time to read and review all the books. It was such a wonderful group. And by the way, I use the Maslow reference a lot, so it's lovely to hear you say it seriously, because it's like, folks, shelter and safety are priorities one and two, right? So you can't get to anything else unless people feel safe. And cybersecurity is a really good way to emotionally connect to that conversation. And to your point, if you can, with my family who are not cybersecurity professionals, I connect a lot of the reason we have locks and cameras and alarms on the house now. Think about defense in depth with cybersecurity. If you can make the connections human, you don't have to dumb it down. You just make the connections the same as what people encounter in their everyday life. And it helps. It really helps connect. So it's lovely to hear you talk like that. Can we talk a little bit about risk and governance and boards? So the one thing about boards is no matter what type of organization you're in, boards are focused to a certain extent, a large extent, on risk. And when new technologies emerge, everything from, I was talking last night to a friend about the emergence of AI versus the emergence of cloud. In the middle of a sort of boring football game, we got into a technology discussion because there wasn't a whole lot happening on the field. And one of the comments or observations I made was that people are not always early adopters. And with AI, there are certainly some good use cases. And I remember the days of cloud, right? There are a lot of people that were like, oh, it's way too much risk to trust somebody else with my infrastructure, regardless of what the cost savings is. And then governance and risk lag that adoption.
So can you talk just a little bit about how you talk to boards about governance, how you talk about risk, and particularly in terms of newer technology and how they should be thinking about it, so they're confident asking the right questions?
B
I love that parallel with cloud, right? AI is really along the same journey. So with cloud, right, a lot of the security community was doing exactly what you said, right? We were saying, don't do it, it's not secure, we're not ready, et cetera. And I think when you talk to a business leader, anybody who's gone through an MBA program has been taught something very specific. They all think this way. They understand that risk equals reward. When we talk about risk, like, oh, there's risk in moving to the cloud, your CEO or your board member is thinking, I got you. Yeah, let's do that risk, because we're going to make some money out of this. And I think we've got to have a different way of talking about things, right? So with cloud, it did take years for the technology on the security side to be able to go and address some of those gaps, right? The visibility that we lost from a security perspective was no joke, right? Losing that visibility, like, hampered our capabilities in a lot of ways. With AI, again, the conversations that folks are having with ChatGPT, man, it's really hard to get logs out of ChatGPT. It's not necessarily intended as an enterprise product. Some of the challenges with Copilot, you need to be able to assure your leadership, your executive team, that you're protecting your data. Do we have a good data governance program before we roll AI in? And does the AI get access to different things? What does it. Oh, my gosh. So I've started talking about it in a slightly different way because I don't want folks to key in on the risk-reward kind of thing. I talk about danger, right? There are some things, not everything in AI, but there are some things that are an existential threat to the organization. And we've got to find a way to talk about those and connect with folks to change their narrative. There are some differences with the AI versus cloud kind of parallel. I think, more so than ever, security teams, CISOs, have a seat at the table.
We're now talking to leaders about AI where we maybe weren't even included in the conversation, like, 15 years ago. So that's really good news. So Project Zero Trust and Rise of the Machines tell a story, right? It's a fictional company with characters. It's kind of a case study in doing Zero Trust. And then Rise of the Machines is, you know, the same company. They now have to respond to AI and figure out how to apply zero trust to all of these different LLMs or what have you that are out there. And what I kind of realized coming into it was the problem today is that it's like the old sci-fi saying, right? Any sufficiently advanced technology is basically magic for people. We can't think about AI like it's magic. It's super complicated math that hardly anybody understands, including me. But I think if you can break it down into something maybe more understandable or approachable again, that starts to help us have the conversation about how we can use it, how we can leverage it without the danger aspect or element. So I use an analogy for understanding AI in Rise of the Machines. And essentially you already know how AI works because it works like a restaurant. Data are the ingredients, right? When it comes in the back, your models essentially are recipes. You might come up with your own brand new recipe or you might use someone else's. That's just like the frontier models versus maybe some of the small language models that are more curated. There are tools, right? You might have a fancy pizza oven in your restaurant that you imported from Italy, or you might just have a fryer if you're a hole-in-the-wall burger joint. But depending on the tools you have, that kind of dictates the kind of restaurant you're going to be. And generally speaking, you like to keep the customers out of the kitchen, and there needs to be infrastructure to separate that out.
You know, there's guardrails, but there are AI firewalls now that you need to understand how to operate. And most of us aren't actually even operating a restaurant. We're doing like Uber Eats and getting our AI delivered to us through SaaS applications or embedded in our existing tools. So thinking about that big picture, right, we know the bad guys are attacking the restaurants. They're stealing the ingredients, they're stealing the recipes, they're manipulating the tools or Yelp reviews or whatever to get us to change the way we're doing things. Or. Oh my gosh, this is such a great analogy. Now I can think about, well, I just need to integrate these AI things into my existing security stack and figure out how to address the underlying lack of visibility. That's the fundamental issue, parallel with cloud, because if we don't see it, we can't secure it. And oh my gosh, that has just really revolutionized my conversations with the leaders that I work with in my organization.
A
I think that's fantastic because again, you've broken it down, I hate to say it, into ingredients that they understand. Silly pun intended, but the old expression, how do you eat an elephant? One bite at a time. It's the same thing with all of this technology. And it makes it, again, you're speaking in a language they can understand. Instead of talking about all the things we talk about, like detonation chambers and all those lovely things that terrify people about cybersecurity. Let's talk about Zero Trust then in more depth. But Zero Trust, unfortunately, has become a buzzword and there's a little bit of exhaustion around it. However, if you again take it to the level that a board or executives understand, they care about their exposure, they care about the impact. How have you seen security leaders successfully message Zero Trust to explain cyber risk in a way that resonates beyond just the security team or the technical teams?
B
I would say besides helping me launch an award-winning book, I think it helped me get my current job. I think that message resonated so much because I was able to articulate security in a way that maybe executives hadn't heard about it before. Zero trust, the definition I use. And I collaborated with the gentleman that created Zero Trust to write the book, John Kindervag. He just happens to be a friend of mine. He lives just a couple miles away from me here in Dallas. But Zero Trust is a strategy. It's a strategy for preventing or containing breaches, and we remove the trust relationships that we have in digital systems to effectuate that. We know from studying the bad guys that trust is the thing that they exploit to get into different systems. But when I talk to a leader, with a CEO or a board member, and I talk about strategy, how am I going to be successful at this job that I do that they don't necessarily really fully understand. They do understand strategy. They understand, to be successful in any part of the organization I'm in, that you need a strategy for success. How am I going to get there? How am I going to measure those things? Okay, those are all things that we can start to talk about, but that gets us out of the down-in-the-weeds tactics conversation about I need this new tool, that's another budget ask to go address this risk that maybe is real or we don't really know what it's going to look like in a few years, it's going to evolve. So instead, if I can reframe the conversation, here's how we're going to go about doing the things. This is the goal, preventing breaches. This is the path to get there. I can connect everything back to that. And even more than that, a strategy is really about getting multiple different groups to work together towards the same goal. And, man, if I can create a cohesive cyber program that not just includes security and IT, but I can involve my accounting group in that, I can involve legal in it, right? HR, right.
All these groups already do security in some way today. Whether it's HR doing background checks, whether it's audit preventing fraud, or whether it's accounts payable not falling victim to business email compromise, or identifying suspicious activity. All these things are already security functions. They're not on my team, but they're a part of my team. Because, like you said earlier, security is everybody's job. That you want to bring in a strategic leader who can get all the things working together in concert, that's really transformative when you're becoming a cybersecurity leader. I think the other folks that are talking about tools and tactics and threat intel and other. Well, that's not something that's actually going to resonate as much with leaders inside different organizations.
A
Makes perfect sense. Can we talk then just a little bit? We've talked about what works. Now let's talk just a little bit about what you hear from your fellow peer security leaders, that they actually unintentionally weaken their message when they're talking to executive audiences or they're talking to boards?
B
This is my favorite question, and I'm going to get up on my soapbox. I haven't been up on my soapbox yet, but I don't know if you know this. We have a secret motto in the cybersecurity industry. Like, everybody says it, like it's gospel. What do we say? We say people are the weakest link. What are we doing when we're telling that to other people? We are undercutting our own message.
A
We're offending them, too.
B
When you talk to any CEO, right, what do they say the organization's biggest asset is? They say the people, right? They can't get the job done without people to get it there. And so if you come at them saying, man, if we could just get rid of all the employees in our company, we'd be great. We'd be totally secure. Well, that's true. We could also unplug all the technology in our organization and we'd be perfectly. We're not going to do that. So, man, I think shifting that message, and I like to say people are the only link, right? Because it's not just, you know, technology, right. It's people using the technology. It's not just process. It's people following the processes. And so when you can connect all of that together and talk differently about security, I think that does resonate. I definitely have seen that in my own career. I've seen that with some of the folks I work with. I think the role of the CISO itself is evolving away from being the technical person that is down in the weeds. So five or ten years from now, I think that that evolution is going to continue. I think that's where we're going is really having the CISO be more of a conductor, conducting all of the things in the organization. I think of myself more like a coach. I do things like a coach. I drill folks, I train them, I put them in the right roles to be successful. And at the end of the day, the team is the one that plays the game. You know, I'm just maybe calling the plays. But, yeah, I think you can have different elements and have them come together to be successful. So, anyway, I think that, to me, is one of the biggest issues: getting away from that mindset that people are the weakest link or people are the problem, and finding a different way to frame that.
A
Yeah, it's actually awful to articulate it that way. We talk a lot about digital empathy, which is one of the concepts in cyber, that, you know, if your systems are so weak that one human being clicking a bad link causes a wholesale outage, then it's not a people problem, it's a systems problem. And that's how we try it. The systems need to be empathetic to the humans that are using them, and they need to be resilient to the humans that are using them. So I've been trying to get that messaging out. It's great to hear you say it, too, because "humans are the weakest link" is actually reasonably offensive to people, and it doesn't make them want to work with the security organization, certainly. So looking back on your career, what's one insight about leadership or risk or anything that you wish you had understood earlier?
B
Gosh, I've just been so lucky to have had some influential leaders in my career that have helped me kind of become who I am today and to challenge that. And I think culture is so important when it comes to organizations. And, man, I'm an introvert. Talking to people is draining. I can do it. Obviously, I write books and I go on podcasts and give speeches, but it's a challenge. And I think you've got to build that culture that's supportive of folks so that they can reach their full potential. But, you know, really seeing that and believing it takes that experience that really, I think, shaped a lot of who I am. And, you know, I think I was always relatively driven. But being able to take risks in your career is also really important. So, you know, doing different things that maybe are outside of your comfort zone, and in many ways, in security, we have to be dedicated to lifelong learning because we're having to secure the tech that's right on the bleeding edge, whether it's AI or whatever the next new thing is. So for me, that's been one thing, like, oh, my gosh, how do I stay current? I can teach classes, that helps, writing books as a part of my own professional development. But kind of embracing that has, I think, changed the game. But again, it was about that early culture that I had here in higher education that was really supportive. Well, one of the reasons I moved over to higher education was so I could get a law degree. And I'm a lawyer today, but I don't practice. But I think embracing that and feeling like it's something you can go do and it's something that you'll get benefit out of even if you don't practice law, I think thinking about that is huge. And especially in security, we really do have to understand all of the things about an organization. And, you know, it just takes a lot of time and dedication to get there.
A
Well, George, we're just about wrapping up. And every time we wrap up Afternoon Cyber Tea, we like to wrap up with a bit of optimism, because despite all the issues and challenges we have, I am always optimistic about the future of cyber, because I know for everything you see in the news, there's thousands of things that have been blocked by cyber professionals or detected. So tell me what you're optimistic about with cyber today and the future of cyber.
B
I don't want this to be an anti-AI conversation. So I just want to say I love AI. I use it every day. I have a kid at home and she came and asked me, hey, dad, can I use ChatGPT on this project that I'm going to work on for school? It was like, extra credit. She didn't have to do it, but of course she came to me the day before, like most kids do, right? And I was like, no, you can use ChatGPT, but we're going to spend the same amount of time that you would have if you would have just done this by yourself. So, I mean, we probably spent four or five hours on it. But at the end of the project, she wrote a choose-your-own-adventure story. And it was. The assignment was like four pages. It ended up being a 16-page choose-your-own-adventure story with full illustrations. And at the end of it, I mean, it was a good five hours. But I was like, I would have been proud to have written this as a senior in high school. And we produced it together. She was in the third grade at the time. So I would say I love AI, but I think it's up to us to challenge ourselves to do even more. I look at kids going into college today, and you could take a business course for one semester and completely stand up a business, not just with a business plan, maybe, as you might have 10 years ago, but you would be able to build a product and a website and a marketing plan. And the power that we have today is only limited by our own initiative and imagination. And I think I'm really optimistic that we're going to be able to unleash an amazing amount of creativity to the world. But it starts with us and aspiring to something higher. So that's what I get optimistic about.
A
I completely agree with you. AI is a great tool, but it is one of the tools, and we have to treat it like that. It is another tool. It's a very powerful tool in ours. So the funny thing, you're talking about your child. I have a daughter who's out of college now, and we were literally having a conversation the other day about the fact that she doesn't write in cursive. She went to Catholic school, so she certainly learned to write in cursive, but she doesn't write in cursive. But the other thing is, she cannot read time on an analog clock. And I never even realized that until recently, because she's never had to. She's never had to read time on an analog clock. She's like, I don't know what that says. And I'm like, I've told you over the years. She said, yeah, I tuned it out because I've always had some type of access to a digital clock. I'm like, wow, is that a skill we're going to really miss? Right? I don't know. Things change. We don't use an abacus much, you know what I'm saying? So I don't know if an analog clock is a skill we're going to need in the future. But I do know that AI is a very powerful tool, but it does have to be harnessed. I think the best quote I had was from our deputy CISO for AI, who told me AI is a toddler. He said as long as you remember that AI is a toddler and you have to harness the power of it, you're going to be very successful with it. He said it'll grow and become, but you just have to learn how to use it well. George, thank you so much. This has been a wonderful conversation. I appreciate you joining me and hope you have a great rest of your day.
B
Thank you so much for having me.
A
And to our listeners, thank you so much for joining us on Afternoon Cyber Tea, and join us next time. We asked George to join Afternoon Cyber Tea because he is a subject matter expert. He also has a very human approach to cybersecurity and makes it really practical for any audience, so you're not always communicating in technical terms. It was really a pleasure to have him on. Very engaging, and I was just thrilled.
Episode: Why Cybersecurity Fails Without Trust
Date: March 3, 2026
Guest: George Finney – Cybersecurity Executive, CISO, Author (“Project Zero Trust,” “Rise of the Machines”)
In this thoughtful episode, host Ann Johnson explores the crucial role of trust, communication, and human factors in successful cybersecurity leadership with guest George Finney, a renowned CISO and author known for demystifying Zero Trust concepts. Drawing from their experiences in higher education, executive environments, and publishing, Ann and George discuss why traditional approaches often fail, how to make cyber risk resonate with leadership, and why effective security depends less on technical controls and more on people, relationships, and culture.
Key quotes:
“If you burn a bridge, that’s going to impact your program for a long time.” — George Finney [01:44]
“Cybersecurity is everyone’s job.” — Ann Johnson [02:51]
“The more you can make it appear open, is something that will actually make us more secure.” — Ann Johnson [02:51]
“The common denominator...on why their Zero Trust projects failed was people. It was politics, it was communication, it was silos.” — George Finney [03:36]
“Man, we don’t talk about [people, politics, communication] enough in security, about how do we break out of just the tactics and really make progress in a much bigger way.” — George Finney [03:36]
“It’s not about dumbing it down. I think you need to make it approachable and connect with them.” — George Finney [05:44]
“We can’t think about AI like it’s magic. It’s super complicated math...but if you can break it down...that starts to help us have the conversation...” — George Finney [13:20]
“Security is everybody’s job.” — Ann Johnson [15:52]
“A strategy is really about getting multiple different groups to work together towards the same goal.” — George Finney [17:50]
“If we could just get rid of all the employees in our company, we’d be great. We’d be totally secure. ...So, man, I think shifting that message...people are the only link.” — George Finney [19:13]
“If your systems are so weak that one human being clicking a bad link causes a wholesale outage, then it’s not a people problem, it’s a systems problem.” — Ann Johnson [20:58]
“The power that we have today is only limited by our own initiative and imagination. I’m really optimistic that we’re going to be able to unleash an amazing amount of creativity to the world. But it starts with us and aspiring to something higher.” — George Finney [25:18]
This episode of Afternoon Cyber Tea underscores that cybersecurity fails without trust—both organizational and interpersonal. George Finney’s practical stories, approachable analogies (from campus bikes to AI restaurants), and emphasis on communication resonate at all levels, offering actionable ways to unite people, process, and technology. The future, far from bleak, is bright for organizations that embrace empathy, inclusion, and lifelong learning—where “security is everybody’s job.”