George Finney is an award-winning CISO and the bestselling author of several cybersecurity books, including the award-winning book, Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future. George was recognized in 2021 as one of the top 100 CISOs in the world by CISOs Connect and has worked in Cybersecurity for over 20 years and has helped startups, global telecommunications firms, and nonprofits improve their security posture.
That’s George’s bio. Well, actually it’s just part of his bio. George’s diverse background in finance, law, and IT shines through his work. So do his interests in 80s cartoons and art. When you talk to George and read his work, you realize you are in the presence of a truly original thinker.
His book, Well Aware, is required reading. Entertaining, informative, and just as elegantly written as it is intelligently conceived, it's what Malcom Gladwell or the Freakonomics team would write if they took on cybersecurity. Well Aware weaves a tapestry of historical events and scientific research around specific security concepts to advance his theory on cybersecurity habits. The resulting 180 pages of his book goes by fast but stays with readers a long time. It changes the way you think about security. And it does so without ever making you feel dumb or afraid of this traditionally fear-infused topic.
Senior Content Marketing Manager, Eliot Baker caught up with George in the CISO Sandbox. They talked not only about the nine cybersecurity habits, but George's brand new research into developing and applying personality testing to successful cybersecurity training programs.
What’s the most important part of security?
George Finney: The more I learn about security, the more I think people are the most important part. In security we talk about people, processes and technology as though they are three equal slices of a security pie. But really, not to make a Soylent Green reference (70s dystopian movie in which, spoiler!, people are turned into food to support a futuristic perfect society), but the pie is people! It’s 100% people! People are the ones who creat andrun the technology. People are the ones who follow or don’t follow policy and procedures.
So the more we think about technology, gosh, it’s just another word for a tool. And it’s all about the people using the tools and how we use the tools to achieve our goals. And thinking of security that way, gosh, we have to get the people part of security right.
How can 100% of breaches involve the human element ?
Hoxhunt: You make a bold statement that even more than 90% of breaches involve the human element, as is commonly reported in the Verizon DBIR. How can 100% of breaches involve the human element ?
George Finney: There’s a secret motto in the security industry. We say: “People are the weakest link.” And that is 100% wrong. People aren’t the weakest link. People are the only link. That’s all there is. So how do you focus on changing the way we think about people? From a psychology perspective, if we believe people are the weakest link then we are going to make that our reality.
Flipping that notion, if we can somehow be an optimist and find inspiration and hope, and believe that we can get better, then that’s the missing ingredient for success, which is believing it.
What do habits have to do with security?
George Finney: We know that 50% of human behavior is based on habits. These are behaviors we perform without thinking about it. At a certain time of day I brush my teeth. As I drive to work I kind of go on autopilot. That autopilot bheavior is what we do for most of our lives. We are not going to have a ton of success at changing people’s intentional behavior. .. I think oftentimes when we give people advice on security, we are asking them to do the hard part. They can take the statement, “OK, never write your password down,” but they’ve got to go figure out how to build that into their lives and incorporate that behavior. Or not!
It's really the habits. It’s those unconscious behaviors. If we can tap those, I think security starts to feel easy.
Is building habits about tearing people down or building them up?
George Finney: I did a lot of research into people who quite smoking or drinking, or started a healthy workout routine. … To do this successfully, I have to believe that I am the type of person who can stop smoking. I have to believe that I am the type of person who wakes up at 5 AM and goes for a run every morning. That’s who I have to see myself as.
And I think that (focusing on) all of the negative aspects that surround security (isn’t helpful). ‘It’s scary.’ We tend to use fear to motivate people to do whatever we are trying to motivate them to do. And instead it shuts them down.
How does personality factor into building up cybersecurity habits?
George Finney: With the nine habits, I’ve built a personality test around it. The first four habits are Literacy, Skepticism Vigilance, and Secrecy. Those are all things you can do inside yourself. I mapped those internal behaviors with the personality test and contast them against the final five external habits: Culture, Diligence, Community, Mirroring, Deception. All involve working with other people. So your biggest internal strength combined with your biggest external strength makes you the unique personality type that you are when it comes to cybersecurity habits. For me, I’m a cybersecurity explorer. That means I have high vigilance on the internal side and high diligence on the external side.
You can take the personality test on Well Aware Security.
How do you build a risk-based approach to a security program around personality types?
George Finney: I have risk personas, or security personas that I’ve developed. I map out those different personality types in a way that I can build my security awareness program around. I want to focus on people that have sensitive creds; level of access. That might be a server admin, or that might be an executive who has authority to access certain things. I want to craft my awareness around that risk profile…
I have actually mapped my user base at SMU and they fit kind of neatly into really four main categories or personas. You could maybe go deeper and do three different iterations of level of access or three different iterations of uses of technology. ..
What’s the secret to executing an effective awareness program?
George Finney: I find that you can’t forget about relationships. Relationships are one-on-one. Part of my message, and part of my strategy of focusing on security awareness as a CISO, is because I am building those direct relationships with my head of HR or with department heads that I’m talking to. And I think those relationships are what has allowed my security program to succeed because everyone knows who I am. Everyone feels comfortable and trusts that I’m going to do a good job.
I think our number one job as CISOs is to help educate folks as to the risks that are out there because often the technology that we use hides the fact that email is the number one threat vector.
You can find out more about George’s work at Well Aware Security, George’s company whose motto is: The solution to cybersecurity is not technology. The solution is people.
Order his book, Well Aware, from Amazon.
Read more expert interviews
- Dan Lohrmann: Cyber Mayday and leadership & incident response
- Barak Engel: From Virtual CISO To The Security Hippie
- Interview: Virtual CISO, Barak Engel, Part II
- Webinar With Garrett Cook and Michael Barone From G2
- Mastering the Management of Cybersecurity Risk, with David X Martin
- CISO: From Business Blocker Nerd To Rockstar Enabler
- Key Takeaways From Hoxhunt Webinar with Dr. Rebecca Wynn
- Key Takeaways: The Security Leader's Communication Playbook
- Women in Cybersecurity: It’s time to get more diverse
- Webinar with Kevin DeLange, CISO at IGT
- Ten key learnings from the webinar with IGT CISO Kevin DeLange
- Prof. Shoemaker: Integrating Cybersecurity & The C-Suite
- Prof. Dr. Andreas Heinemann: The Corporate Phishing Threat