
On today’s episode, George Finney, the CISO of Southern Methodist University, joins us to discuss how cybersecurity is a team sport that depends on openness and collaboration, and to examine how culture can directly impact the likelihood of a future breach.
How a Law Degree Helped George
George Finney is an accomplished CISO with an unusual background: he has a JD. While it’s becoming more common for CISOs to get an MBA, it’s rare for them to have a law degree. He attended night law school while working full time, reading thousands of pages of dry legal cases. George reflects on the process and says it helped push him to a new level of work, made him more efficient, and helped him understand the big picture of “why” with cybersecurity.
George says receiving higher education made him more curious and gave him more of a global understanding of the business. While he doesn’t encourage every CISO to apply to law school, he points out how useful it can be to understand security through another lens than just a technological one. Additionally, higher education degrees help CISOs more with employment opportunities.
Advice for 25-year-old George
George reflects on what advice he would give his younger self. He focuses on how your career is a process; he’s worked corporate jobs, startups, and attended law school. He believes that those different experiences can help prepare someone for a leadership position. He tells his younger self to embrace variety and wishes he had pursued more diversity in his career.
He touches on how he’d tell his younger self that cybersecurity is a team sport, which we delve more into later.
The Healthy Leadership Mindset
Traditionally, there is the idea in cybersecurity that the problem is always people-based, or that certain people are to blame. However, this pervasive attitude discredits employees and doesn’t allow them to rise to the occasion. George speaks on how leadership needs to include mentorship, and needs to want people to succeed, instead of just waiting for them to fail.
Listen to the episode to hear more about the dangers of writing people off as “dumb” instead of taking the time to help them improve.
The CISO that Cried Wolf
George also discusses how the fear of being poorly perceived can impact security. He gives the example of Robert Ebeling, the engineer who tried to warn NASA about the space shuttle Challenger. Unfortunately, he was ignored, as he told his management something NASA didn’t want to hear, and as a result, the astronauts died.
We speak on the nuances of trying to navigate the CISO position, as its purpose is to raise alarm when necessary. We talk about how you don’t want to be the CISO that cried wolf every time there is potential for risk. However, you also don’t want to keep quiet out of fear. Listen on to hear what George has to say on this topic.
Well-Aware: Master the Nine Cybersecurity Habits to Protect your Future
Whether you are a technical or non-technical leader, you can benefit from this book through the lessons you learn in his historical and psychological examples
George wrote the book because he wanted to help CISOs bridge the gap in speaking to other leadership positions within the company
Professional development book for CISOs specifically
Focusing on habits and small challenges that can make a huge difference
Potentially adjusting these habits can help prevent attacks
Listen to the episode to hear more on the nine habits and more about George’s book
Leadership in the Time of COVID
George urges team leaders to have extra compassion in this time. People are now in a seven-month-long stress period, whether with kids at home or worrying about elderly parents. As a leader, it’s important to understand that your team isn’t going to perform as well as they did last year, and to be empathetic.
Phishing
As a result of COVID, phishing is up, perhaps because attackers recognize people are vulnerable in this time. George discusses how he sends out phishing emails to staff in order to test which campaigns are more effective than others. In studying psychological data, he discovered that analytical thinking is much higher in the mornings than in the afternoons, and that users are 10x more likely to click on his simulated phishing messages. Listen to the episode to hear how to incorporate this knowledge into training and how to adjust behavior to avoid this.
Culture
We reflect on how company and national culture can have an impact on culture. The company culture of the never-ending workday, i.e. the expectation to answer emails at any time, even late at night, also feeds into phishing.
In certain nations, questioning is more accepted than in others. This culture on top of corporate culture can influence the likelihood of a future security breach. If people understand that learning and asking questions is safe, they may be less likely to click on a phishing email.
Cybersecurity and the Culture Audit
Diving further into this topic, George looked at the Glassdoor of every company that had a security breach in 2018 and discovered that those with breaches were 3x more likely to have a below-average culture score. This was across industries and included both small and large companies. Listen to the episode to hear more about the impact of culture, and diversity, on a company’s success.
The New CISO
George believes that the key to success is building relationships. To him, being smart isn’t enough. As security is everyone’s job, he believes that people are the solution, so it is essential to treat everyone well.
Links:
Exabeam: Website
New CISO Podcast
George Finney - LinkedIn
Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future