Tune in to this episode of Ask A CISO to learn:
- The research on social engineering for the book Well Aware
- The book that social engineers live by, and the Defenders’ playbook
- Key lessons from a phishing exercise
- How do we effect behavior change with humans?
- Rewards vs punishments in effecting behavioral change
- What is Zero Trust?
- Who or what is the Zero Trust strategy for?
- The very first step of all of Zero Trust
- Getting people to understand their role in Zero Trust
About The Guest: George Finney
George Finney is a Chief Information Security Officer that believes that people are the key to solving our cybersecurity challenges.
George is the bestselling author of several cybersecurity books, including the latest, Project Zero Trust, co-authored with John Kindervag, father of Zero Trust, and the Book of the Year award-winning, Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future.
George was recognized in 2021 as one of the top 100 CISOs in the world by CISOs Connect and has worked in Cybersecurity for over 20 years and has helped startups, global telecommunications firms, and nonprofits improve their security posture.
George also has his own podcast — The Well Aware Security Show.
About The Host: Paul Hadjy
Paul Hadjy is co-founder and CEO of Horangi Cyber Security.
Paul leads a team of cybersecurity specialists who create software to solve challenging cybersecurity problems. Horangi brings world-class solutions to provide clients in the Asian market with the right, actionable data to make critical cybersecurity decisions.
Prior to Horangi, Paul worked at Palantir Technologies, where he was instrumental in expanding Palantir’s footprint in the Asia Pacific.
He worked across Singapore, Korea, and New Zealand to build Palantir's business in both the commercial and government space and grow its regional teams.
He has over a decade of experience and expertise in Anti-Money Laundering, Insider Threats, Cyber Security, Government, and Commercial Banking.
My name is Jeremy Snyder. I'm the founder and CEO of FireTale. I'll be hosting today's episode, and today we've got a real treat for our audience here. We've got a real luminary in the cybersecurity space, George Finney.
George Finney is a Chief Information Security Officer that believes that people are the key to solving our cybersecurity challenges.
George is the best-selling author of several cybersecurity books, including the latest Project Zero Trust, co-authored with John Kindervag, the father of Zero TrustZero Trust, and previously, the Book of the Year, the award-winning Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future. George was recognized in 2001 as one of the top 100 CISOs in the world by CISOs Connect.
George has worked in cybersecurity for over 20 years and has helped startups, global telecommunications firms, and nonprofits improve their security posture.
In addition to all of this, George has his own podcast, The Well Aware Security Show.
I'm not really sure where you find the time, George, but we really do thank you for taking the time to join us today. Thanks so much.
Jeremy, I'm so excited to be here and chat with you.
Thanks so much for having me.
It's a real pleasure and it's really a treat for us to be able to talk to somebody who has the breadth and depth of experience that you have, and there's a bunch that I want to get into with you today, but I guess where I want to kick it off is with your previous book Well Aware, we're gonna come to Zero Trust a little bit later, but Well Aware has been really highly praised for helping business leaders to harness cybersecurity techniques drawn from psychology, neuroscience, history, and economics.
I'm really curious about several things in there, but I guess just to start off with, why were those sciences or those backgrounds the inspiration or how, what was the connection there that led you to tap on, you know, that kind of research?
So, oh my gosh, let me get on my soapbox for a second. We're starting out strong, right?
So, you know, I think that, you know, there's a secret motto that we say in the cybersecurity industry, right? Everybody knows it, and we can all say it all at once, right?
We say that people are the weakest link.
Oh my gosh, we need to stop saying this. Not only is it, like, wrong on its face, you know, people are the largest attack surface for sure. But are they the weakest link?
Well, I actually think they're the only link when it comes to whatever it is we're doing, right?
Humans are the things that, that are working in our organizations. And if we believe that they're the weakest link, then, you know, what we think in our heads is going to create that as our reality. That happens, by the way, so often, in the human experience, psychologists have a name for it.
They call it the Pygmalion effect, right? You know, you're the things you think become reality.
So I kind of started there. Oh my gosh. We're, you know we're trying to think about human beings and cybersecurity. But there's, I mean, there's a century of great psychology that can help inform us. And so really where I got started was, you know, I felt like as a CISO, you know, I talked to these social engineers that had these really great insights about human experience and human behavior and how they exploit it.
And I thought, okay, well, as a CISO, I need to know that just as well as they do, if not better.
Because I've gotta put it into practice every day to help shape and change the way my organization works, the way our culture exists. And, you know, if I do figure that out, I've gotta tell that to other people on how do I do that?
So the way that I did that is I just shamelessly stole Stephen Covey's book idea, you know, so the Seven Habits of Highly Effective People. I'm like, okay, well, I think there are cybersecurity habits and as I started writing the book, I think there are nine cybersecurity habits.
But that's the way that humans also experience that as professional development, right?
So, you know, when you know you're in sales or accounting or, you know, you're a dentist, I don't know. Right? Everybody has this professional development track that they go on and they read these great books about how to do things better.
So I wanted to capture those things, but also convey them back to, in a non-technical way so that people can consume them and have that be a part of their professional development, right?
So we know CEOs are being fired today for not getting cybersecurity right. And, and like going in front of Congress and testifying that, oh, it was the intern's fault!
Wow. You know, if we don't have a resource today for CEOs to change their outlook, man, we're failing as an industry. So Well Aware was my take on how we can start to shift that, and my outreach to the business community.
That's really interesting.
There's a couple things I wanna unpack in that, starting with kind of how did you go about researching, let's say, the social engineers' take on this? Cuz this is one of the things that I've said for a long time.
I've been working in cloud security for the last several years and one of the things I always tell people is, you know, focus on your own security posture first before you go into more advanced things like, let's say, threat intelligence or you know, ML AI, for detection and response on logs, things like that. Cover the basics first because that's where your attacker is gonna go look after first.
And I think, you know, a lot of well-informed cyber programs kind of focus on taking an attacker's view of an organization. And so to your point, if humans are broadly spoken to be this large, let's just call it the larger attack surface, not the weakest link, how did you engage with social engineers to try to learn, you know, on how they approach organizations?
I actually just reached out to a bunch of connections, whether they're local in the community, whether I worked with vendors that, that had social engineers on staff. I've hired social engineers over the years. There's some great ones out there, you know, Rachel Tobac, I think is one of my big influences,
And, you know, when you talk to them, they're gonna start to reference, they all start to reference the same book, right? It's Robert Cialdini's book Influence. And in his book, he talks about he five or six different ways that humans use to influence and change other people's behavior.
And that's, by the way, you know, the, I mean the textbook, that social engineers kind of live by.
And so, gosh, I wanted to know like, okay, you know, how do I take this and turn it into something that's more of a defender's playbook, if you will.
How did defenders over ... And so, you know, I started talking to people like, okay, well you, you know, you go to a car salesman and to buy a new car. How do you defeat their social engineering techniques to trick you into paying more for a car than you don't want to?
And I think when you think about it in terms of, you know, general human experience, right? Then you're, you can take those lessons away, from whatever social engineers are doing, to do things differently.
And, you know, there are, I think people who exemplify those different habits. And so I tried to tell their stories in the book, right? It's not all about George and what George does. It's really trying to help people follow an example, right?
And again, you know, when you look at, you know, the best business books out there, they're really trying to tell stories of how people had to struggle with an issue and how they learned to overcome it, right? Cause those are the lessons you can internalize, and think about changing the way you do things.
And after you had those conversations and you got those learnings from the social engineers, did you find that, you know, your previous assumptions about how to engage with people to talk about cybersecurity were like dramatically off base or just a little off base?
Or I guess, what were some of the key things you picked up?
Well, you know, I think one of the things we do, right, referencing Cialdini's book, Influence, one, you know, theory out there is, well, we can just teach people the five or six steps of influence in order to ... And actually as it turns out, I don't think that's enough.
So, you know, I work at a university. They let me randomly experiment on my employees. And so, you know, I did this voluntary simulated phishing, like, month-long engagement.
So if you signed up, you could win a vacation day or some other prizes, right? So we wanted to make it fun and, you know, an opt-in experience versus the normal simulated phishing where you just like get it and you feel terrible and, and people complain.
But what I did is, you know, so for part of this group that signed up, I pulled them aside and I let them write the simulated phishing messages that I would then send out to the rest of the crew.
So, as I was, like, training them on how to write a simulated phishing message, and of course, I said, well, here's Cialdini's, you know, six principles of influence, like, use these principles as you're writing.
And so we go through the month and it was an awesome experience. But at the end of it, I took a look at the people who learned to write simulated phishing messages, and they were trained on the principles of influence.
And as it turns out, there's no statistical evidence to show that those group, I mean, they clicked on the phishing messages just as often as the control group, right?
So if training them on influence isn't enough, how do we affect behavior change with humans, right? So everybody complains about, you know, security awareness training. Most people are just checking the box. Like, I gotta watch five-minute video.
Well, okay, cool. So, you know, you, probably in the last, like, you know, month or two, seen a Pepsi commercial, right? So 30 seconds. You didn't change your behavior! You didn't stop drinking Coke or whatever. I apologize to any of the Pepsi drinkers out there.
But you get the idea, right?
Watching a short, funny, entertaining video with celebrities is not necessarily gonna change your behavior.
What is gonna change your behavior is creating new habits. Habits are 50% of all of human behavior, right? So whether, you know, it's you're driving to work, you just follow the same path. Whatever it is.
We've gotta effect change on habits.
And it turns out that there's been an incredible amount of research into habits over the last decade. There's James Clear's book, Atomic Habits. There's Charles Duhigg's book, The Power of Habit. My favorite is actually BJ Fogg's book, Tiny Habits.
But all of them kind of agree that there's this three-step habit rule that we use, right? You know, it's the prompt that gets us to do the behavior. There's the behavior itself, and then there's the reward that tricks our brain into releasing endorphins the next time we see that cue to doing the behavior, right?
So it's this loop and as it turns out, right, as humans, we've got the unique ability to decide what those things are and to be intentional about, Okay, if I do this thing, I'm gonna give myself a reward so that I can start to trick my brain into doing things that I want to do versus, you know, just reacting to factors in my environment, right?
That's the power of the human neocortex. That's why it was so important to do that deep dive into psychology, and neuroscience, and human theory. Right? And so, yeah. If you think about this habit process, that's what changes behaviors. That's also how we can measure behavior change to know if we've been successful or not.
And you know, like every antivirus or firewall tool out there, they've got their marketing slides that you know, that say they're the most effective and they've done some sort of, like, testing on that. We don't have that for security training, right? We don't do A/B testing to say, like, actually this is the best course for you cause of these factors or because we've seen this work in other people.
That's where we've gotta be going with security awareness to really make a difference, right? We can't just keep checking the box and letting things stay the way they are.
We've gotta be intentional and really move the needle when it comes to what matters, which is behavior change.
Yeah, and it's such an interesting point because, I mean, along the lines of what you just talked about with security awareness training, what I tend to see from organizations is actually nothing regarding behavior. Simply regarding exercises, and if anything, you know, they follow the security awareness training with some simulated phishing and things like that, that always leads to kind of more punishment and shame, and never leads to reward, and also never really kind of has any focus around trying to change a behavior or to teach a behavior to people within an organization.
It's really interesting. It's almost a perverse set of dynamics there where we know that we as humans respond better to reward. And yet what do we do?
We actually don't put rewards anywhere in the equation.
We focus psychologically on exactly the wrong kind of stimulus and response loop. So it's a really fascinating point to consider.
When you think about your other book Zero Trust, it's a huge buzzword and it's something that's out there all the time. I think every conference I've been to in the last several years, even before the Pandemic, Zero Trust was bubbling up. Nowadays, I would say it's probably the number one, well, maybe Cloud security is up there as well.
But you know, Zero Trust Cloud Security lists two or three others that are kind of front and center right now. I guess just to start things off, where do you think is the core message or the core value that people should think around Zero Trust?
Is it around kind of, you know, network segmentation? Is it around the mindset of assuming that you've been breached? Is it around, you know, kind of starting with a default deny attitude?
How, how do you approach it when you have these conversations with people who really ask you what is Zero Trust?
So, thank you for that.
And you know, gosh, Zero Trust is definitely the biggest buzzword out there right now. And I think the challenge with Zero Trust is just the messaging has gotten muddled over the years, right?
Every marketing, group out there is trying to kind of, like, take their piece of the pie. I think of Zero Trust in terms, the, the, I know this is gonna be really surprising given the conversation so far, I think of it in terms of people.
And you know, there's this tendency with Zero Trust to tend towards cynicism, right?
So don't do anything. Lock everything down. Don't have any humans in your organization. Don't have any computers ...
and you'll be secure.
Which, you know, Okay, cool, we still have businesses to run.
But I, Zero Trust, you know, at its heart is a strategy. It's a strategy for preventing or containing breaches by removing the digital, by removing the trust relationships we have with digital systems. One sentence, right?
That's the definition of Zero Trust.
But as a strategy, right?
What is the strategy for? The strategy is for the human beings and the organization to figure out how to work together well enough to achieve that strategy, right? And so I see Zero Trust as a rallying cry. And the way that, the reason I think that is because today, you know, I mean, 20 years ago, security was, Oh, okay, you could have some success with a security team. They did everything.
Today, everyone's so specialized. So, you know, you've got the firewall team or the network team needs to think about segmentation and architecture. You've got an identity team that's thinking about least privilege. You've got developers that are doing DevOps or DevSecOps. You've got cloud, you know, multi-vendor, kind of multi-cloud options that, you know, sometimes you have visibility, sometimes you don't.
Sometimes it's SaaS sometimes it's, you know, Infrastructure as a Service. Sometimes it's Platform as ... Oh my gosh, you've got the desktop consulting teams that, that are working on people's desktops. You've got trainers that are training people how to use ...
All of those people need to be a part of your Zero Trust program, right? All of them have a role to play when it comes to Zero Trust.
And I think again, as that rallying point, right? Once everyone is kind of pointed in the same direction, right? We're all working towards the same goals. That's how you achieve success as a strategy.
And so, you know, I think it's limiting when we think of Zero Trust in terms of Zero trust network architecture.
Because now we've already narrowed it down and, and we're just thinking about, okay,
It's just the network. Yeah.
Here's Yeah, exactly.
It's not just the network. I think when you look at the NIST standard 800-207, they, they're already bringing in, you know, identity, right? Identity is really the cornerstone of what you need to accomplish.
But man, what about your ERP system and how, how did you figure out, uh oh, like, okay, that's really challenging. And you know, I think one of the things that people forget in John Kindervag's model, the very first step of all of Zero Trust is to understand the business.
And, you know, again, that's missing from the NIST Zero Trust standard, right? You know, you don't necessarily have to understand, you know, how the business works, what the business' risk appetite is, what the industry is, all of those things really matter when it comes to, again, that strategy of getting people all on the same page, working in the same direction.
Yeah, it's a really interesting point, and to your point, I think that is something that people tend to do when they look at, Okay, I'm supposed to do Zero Trust, Least Privilege, Cloud Security, what have you, they look for, kind of, one area where they can implement a solution and call it done, and feel good about it.
And to your point, I do feel like networking is where so much of the conversation has turned around Zero Trust.
But it's interesting, you know, a few episodes back, we had a guest on, James Mckinlay, who was talking about how in his work around incident response and when he goes in, one of the things that ends up happening is they usually have to leave a new cyber program behind for organizations that they've engaged with.
And one of the very first things they do is they talk to them about, Okay, the users that you have within your organization, what applications should they have? Let's actually start by going to maybe the endpoints or going through an MDM, and let's actually put our known good applications on an Allow list and put everything else either on a Deny list or at least on a "Let's ask the question" list.
And so, you know, there's kind of a Zero Trust approach inherent there in the applications. And that can probably also reduce kind of the, it doesn't really reduce the attack surface, but maybe it limits the vectors that are applicable against that attack surface. And that can be a really powerful way to kind of streamline your risk, right?
So I kind of wonder when you think about that getting people aligned is, is kind of a consistent theme that I've heard in several of the things that you've shared with the audience and with me here today.
How do you think about getting people to understand the concept of Zero Trust and their role in it?
So the name of the book is Project Zero Trust. It'll be available on Amazon in a few weeks or, I guess, actually in about a week.
But you know, the reason that I wrote the book as a story, right?
So it's a fictional story about a company that makes standup treadmill desks. And they really did really well in the pandemic and they've gotta go implement Zero Trust before their next product comes out because they've been the victim of a breach. The reason that I wanted to tell it as a story is so that individuals out there, you know, again, everybody in IT has to be able to see themselves in Zero Trust.
So there's characters that you can start to identify with, right? There... My favorite character is actually the network person but the IT trainer, a character, turns out to be one of the most important characters to the story. The main character, you know, this fictional company didn't have a CISO. They only have a CIO and so the fictional character, the main character, Dylan, comes in as a, an IT director of infrastructure but he's put in the role of having to do security now and figure out Zero Trust.
So I think wherever you're coming from, you need to be able to see, you know, a role model, right?
You've gotta have somebody who's walking in your same shoes. And I think that's the way that people like, you know, resonate, right? And I was really inspired by Gene Kim's book, The Phoenix Project.
In part because, right, you see the power of, wow, gosh, I'm just like that guy in the book, or I'm just like that woman in the book. And yeah, it really makes a difference. So, you know, Zero Trust can get so technical, but really when it boils down to values, it boils down to identity and that's what resonates with people. That's what matters to people in their careers. So why not connect with that?
And, you know, you leverage that to help improve the security at an organization. That's what we should be doing.
And I mean, and we should be rewarding people who do play their part in, you know, keeping organizations safe and, and more secure, right?
I guess, you know, just a change of topics for a second here.
I love the artwork behind you, and I always love when our guests have something fun about themselves. I also greatly appreciate that that's an old-school Cylon, you know, that's kind of version 1.0 from the late seventies, right?
So about four or five years ago, I, for some reason, my wife, you know, humors me, and I decided to start doing spray paint, pop-art robots. So we've got like a robot theme for the house.
I've done all the classic robots like, you know, Robbie the Robot, you know, "Danger, Will Robinson!", you know the Jetsons, you know, uh, Rosie the ... Anyway, um, so, you know, this is just like the hobby I'll do like three or four robots a year.
And so the robot behind me, if you're able to see it, is the old-school Cylon from Battle Star Galactica, but I did this thing where he's actually making himself smile. So there's this iconic scene from the latest Joker movie where, you know, Joaquim Phoenix is stretching his smile out painfully so, uh, so much that he actually, like, starts crying.
But you know, he's smiling so there's this like contrast. So the Cylon, like with the spray paint, like I let it, like, drip down a little bit, like a, like a tear. And so it's a, I call it my Smile-on, which is a terrible ...
Oh, very nice.
I'm so sorry, but yeah, but I, it ... again, it's just, you know, I feel like you've gotta have creative outlets in your life, whatever your hobbies are.
Well, it sounds like you've got plenty of them between the book writing and the, he spray paint art and everything. I guess quick question for you on your robots.
Which of your robots do you think is the best and the worst at cybersecurity?
Um, so, you know, yeah, that's a hard question.
Um, I know he's the most popular of all the robots, but I think R2D2 is the best at cyber security, right?
So if you're watching Star Wars, if you're a Star Wars like I am, right?
Who's the best hacker in Star Wars?
It's gotta be R2, right? I mean, you know ...
A hundred percent.
He shred, I mean, he shreds the Empire security and, I don't know if the Empire has much security, frankly, but, you know, I guess he's got all the codes and can get in whenever he wants.
Also, like, you know, the other humans kind of listen to him and do what he tells them a lot of the time. Man. So R2D2, I'm gonna go with R2 as the best.
Probably the worst. You know, again, nobody listens to Robbie the Robot. Um, actually, I'm sorry, it's Robot B9 is the "Danger, Will Robinson!" Robot. Robot B9.
You know, he's saying "Danger, Will Robinson!" all the time. And, man, and they, they don't seem to. Um, you know, you would've thought he would've listened to the first ... anyway. Yeah, that's ...
There you go.
Yeah. They still went off and got lost in space, right? So ...
If only they listened to the robot.
I know. We should all listen to the robots more. They're so much better at security than we are.
Well, George, it's been a real pleasure having you on the show today. I've really enjoyed this conversation and, you know, the themes that we've touched on are valuable things that we should all be thinking about in our own organizations with our Zero Trust initiatives, with engaging with people, and helping them support the organization's goals.
Both business goals and the security goals that enable the business. I think those are crucial things, and let's remember, it's rewards not punishment that work on human psychology, right?
Absolutely. Well, George Finney is the author of the forthcoming book. You wanna give the title again one more time for our audience?
It is called Project Zero Trust, and it's available right now on Amazon, Barnes and Noble, or wherever you find your books.
You heard it from George. Please go out, pre-order, get the book coming up, I think released in just about a week and a half, right?
Yeah, yeah. October 4th.
October 4th. Well, less than a week away.
Fantastic stuff! George, thanks again for taking the time to join us.
That's it for me, Jeremy, and for George Finney for today's episode of the Ask A CISO podcast.
Thanks very much. We'll talk to you next time.