After a dominating 194-point performance in Week 2 of the Fantasy Football Season, the CISO Phish Bowl Manager of the Week goes to George Finney, the CSO for SMU in Dallas, Texas. George is the author of the upcoming Project Zero Trust, a novel--yes, a novel--on the concept of zero trust. His previous book, Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future, is one of the best books I've read in popular science and technology. We are thrilled to have George in the Phish Bowl Thought Leadership Series, and he delivers some great insights in this article. George is a CSO who believes that people are the key to solving our cybersecurity challenges. As a part of his passion for education, George has taught cybersecurity at Southern Methodist University and is the author of several cybersecurity books. Finney is an attorney and is a Certified Information Privacy Professional as well as a Certified Information Security Systems Professional and has spoken on cybersecurity topics across the country.
Question: Congratulations on your huge week 2 score, and securing Manager of the Week honors. How are you liking the CISO Phish Bowl series so far?
George: I love the CISO Phish Bowl – it’s been awesome getting to know other CISOs out there in a totally different setting!
Q: As one of the true thought leaders in the field of cybersecurity awareness, you've always got a lot going on when rolling into October Cybersecurity Awareness Month. It's kind of like your Super Bowl season. But this year, extra congratulations are in order with the upcoming publication of your new book, Project Zero Trust. Do you have any general security tips or specific tips on zero trust you'd like to share?
George: My security tip is that you should drop what you’re doing and buy a copy of Project Zero Trust for everyone on your team. All the hype out there around Zero Trust has clouded the simplicity of the idea behind Zero Trust. Project Zero Trust makes the ideas behind Zero Trust approachable to everyone in IT, not just security professionals.
Q: What is your top cybersecurity football analogy thus far into the CISO Phish Bowl season?
George: My fantasy football analogy to cyber is that most draft strategies focus on getting big name wide receivers, running backs, and quarterbacks. We have a tendency to focus on the “sexy” parts of our team…like who we will draft #1 overall. There’s always a lot of competition for these players, but when it comes down to it, once you get past the elite players, there’s not a lot of difference in terms of production between the medium tier players you might have picked up in the middle of your draft.
To go deep into your fantasy playoffs, sure you need depth, but it’s more important to have a complete team.
In fantasy football, there are only a handful of Tight Ends, Defenses, and Kickers that can consistently contribute double digit points to your team. You might have already picked up a good Tight End, but most people wait until the last rounds of a draft to get a defense and a kicker. Once you get into the season, those positions that were an afterthought often come back to bite you. Just like the afterthoughts in cybersecurity!
In cybersecurity, there are lots of highly effective options when it comes to the main security technologies like firewalls or antivirus. But to have a complete security program you also need to invest in tools and processes that support the basics of security like scanning and patching. It may take years and millions of dollars to implement a solid Identity and Access Management program, but you also need to carve out time drilling your incident response and business continuity plans. Your security job postings might require CISSPs, but are you providing enough ongoing/hands-on security training to your technical teams to keep up their skills, and are you just checking the box when it comes to security awareness?