Question: Congratulations on your huge week 2 score, and securing Manager of the Week honors. How are you liking the CISO Phish Bowl series so far?
George: I love the CISO Phish Bowl – it’s been awesome getting to know other CISOs out there in a totally different setting!
Q: As one of the true thought leaders in the field of cybersecurity awareness, you've always got a lot going on when rolling into October Cybersecurity Awareness Month. It's kind of like your Super Bowl season. But this year, extra congratulations are in order with the upcoming publication of your new book, Project Zero Trust. Do you have any general security tips or specific tips on zero trust you'd like share?
George: My security tip is that you should drop what you’re doing buy a copy of Project Zero Trust for everyone on your team. All the hype out there around Zero Trust has clouded the simplicity of the idea behind Zero Trust. Project Zero Trust makes the ideas behind Zero Trust approachable to everyone in IT, not just security professionals.
Q: What is your top cybersecurity football analogy thus far into the CISO Phish Bowl season?
George: My fantasy football analogy to cyber is that most draft strategies focus on getting big name wide receivers, running backs, and quarterbacks. We have a tendency to focus on the “sexy” parts of our team…like who we will draft #1 overall. There’s always a lot of competition for these players, but when it comes down to it, once you get past the elite players, there’s not a lot of difference in terms of production between the medium tier players you might have picked up in the middle of your draft.
To go deep into your fantasy playoffs, sure you need depth, but it’s more important to have a complete team.
In fantasy football, there are only a handful of Tight Ends, Defenses, and Kickers that can consistently contribute double digit points to your team. You might have already picked up a good Tight End, but most people wait until the last rounds of a draft to get a defense and a kicker. Once you get into the season, those positions that were an afterthought often come back to bite you. Just like the afterthoughts in cybersecurity!
In Cybersecurity, there are lots of highly effective options when it comes to the main security technologies like firewalls or antivirus. But to have a complete security program you also need to invest in tools and processes that support the basics of security like scanning and patching. It may take years and millions of dollars to implement a solid Identity and Access Management program, but you also need to carve out time drilling your incident response and business continuity plans. Your security job postings might require CISSPs, but are you providing enough ongoing/hands on security training to your technical teams to keep up their skills and are you just checking the box when it comes to security awareness?
Learn more about George Finney and his thought leadership on building meaningful cybersecurity culture and awareness