Award-winning CISO and bestselling author, George Finney, is perhaps the world's leading authority on security awareness. He joined the CISO Sandbox and talked not only about his nine cybersecurity habits, but his brand new research into developing and applying personality testing to successful cybersecurity training programs.
George Finney is an award-winning CISO and the bestselling author of several cybersecurity books, including the award-winning book, Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future. George was recognized in 2021 as one of the top 100 CISOs in the world by CISOs Connect and has worked in Cybersecurity for over 20 years and has helped startups, global telecommunications firms, and nonprofits improve their security posture.
That’s George’s bio. Well, actually it’s just part of his bio. George’s diverse background in finance, law, and IT shines through his work. So do his interests in 80s cartoons and art. When you talk to George and read his work, you realize you are in the presence of a truly original thinker.
His book, Well Aware, is required reading. Entertaining, informative, and just as elegantly written as it is intelligently conceived, it's what Malcolm Gladwell or the Freakonomics team would write if they took on cybersecurity. Well Aware weaves a tapestry of historical events and scientific research around specific security concepts to advance his theory on cybersecurity habits. The resulting 180 pages of his book go by fast but stay with readers a long time. It changes the way you think about security. And it does so without ever making you feel dumb or afraid of this traditionally fear-infused topic.
Senior Content Marketing Manager, Eliot Baker caught up with George in the CISO Sandbox. They talked not only about the nine cybersecurity habits, but George's brand new research into developing and applying personality testing to successful cybersecurity training programs.
George Finney: The more I learn about security, the more I think people are the most important part. In security we talk about people, processes and technology as though they are three equal slices of a security pie. But really, not to make a Soylent Green reference (70s dystopian movie in which, spoiler!, people are turned into food to support a futuristic perfect society), but the pie is people! It’s 100% people! People are the ones who create and run the technology. People are the ones who follow or don’t follow policy and procedures.
So the more we think about technology, gosh, it’s just another word for a tool. And it’s all about the people using the tools and how we use the tools to achieve our goals. And thinking of security that way, gosh, we have to get the people part of security right.
Hoxhunt: You make a bold statement that even more than 90% of breaches involve the human element, as is commonly reported in the Verizon DBIR. How can 100% of breaches involve the human element?
George Finney: There’s a secret motto in the security industry. We say: “People are the weakest link.” And that is 100% wrong. People aren’t the weakest link. People are the only link. That’s all there is. So how do you focus on changing the way we think about people? From a psychology perspective, if we believe people are the weakest link then we are going to make that our reality.
Flipping that notion, if we can somehow be an optimist and find inspiration and hope, and believe that we can get better, then that’s the missing ingredient for success, which is believing it.
George Finney: We know that 50% of human behavior is based on habits. These are behaviors we perform without thinking about it. At a certain time of day I brush my teeth. As I drive to work I kind of go on autopilot. That autopilot behavior is what we do for most of our lives. We are not going to have a ton of success at changing people’s intentional behavior… I think oftentimes when we give people advice on security, we are asking them to do the hard part. They can take the statement, “OK, never write your password down,” but they’ve got to go figure out how to build that into their lives and incorporate that behavior. Or not!
It's really the habits. It’s those unconscious behaviors. If we can tap those, I think security starts to feel easy.
George Finney: I did a lot of research into people who quit smoking or drinking, or started a healthy workout routine… To do this successfully, I have to believe that I am the type of person who can stop smoking. I have to believe that I am the type of person who wakes up at 5 AM and goes for a run every morning. That’s who I have to see myself as.
And I think that (focusing on) all of the negative aspects that surround security (isn’t helpful). ‘It’s scary.’ We tend to use fear to motivate people to do whatever we are trying to motivate them to do. And instead it shuts them down.
George Finney: With the nine habits, I’ve built a personality test around it. The first four habits are Literacy, Skepticism, Vigilance, and Secrecy. Those are all things you can do inside yourself. I mapped those internal behaviors with the personality test and contrast them against the final five external habits: Culture, Diligence, Community, Mirroring, Deception. All involve working with other people. So your biggest internal strength combined with your biggest external strength makes you the unique personality type that you are when it comes to cybersecurity habits. For me, I’m a cybersecurity explorer. That means I have high vigilance on the internal side and high diligence on the external side.
You can take the personality test on Well Aware Security.
George Finney: I have risk personas, or security personas that I’ve developed. I map out those different personality types in a way that I can build my security awareness program around. I want to focus on people that have sensitive creds; level of access. That might be a server admin, or that might be an executive who has authority to access certain things. I want to craft my awareness around that risk profile…
I have actually mapped my user base at SMU and they fit kind of neatly into really four main categories or personas. You could maybe go deeper and do three different iterations of level of access or three different iterations of uses of technology…
George Finney: I find that you can’t forget about relationships. Relationships are one-on-one. Part of my message, and part of my strategy of focusing on security awareness as a CISO, is because I am building those direct relationships with my head of HR or with department heads that I’m talking to. And I think those relationships are what has allowed my security program to succeed because everyone knows who I am. Everyone feels comfortable and trusts that I’m going to do a good job.
I think our number one job as CISOs is to help educate folks as to the risks that are out there because often the technology that we use hides the fact that email is the number one threat vector.