In a Zero Trust model, you have to always assume a breach. This is a model that everyone needs to be aware of because everyone wants to know that they are being protected, especially in school. Parents want to know that their children are in a safe environment. This is what the Chief Information Security Officer at SMU, George Finney is tasked with daily.
Join Matthew Stephenson as he talks to George Finney about his career as a CISO and how cybersecurity in a higher education environment feels. George also talks about his newest book about cybersecurity called Project Zero Trust: A Story about a Strategy for Aligning Security and the Business. Learn more about Zero Trust security and how it keeps people safe. Discover how George deals with the continuing evolution of technology and cybercrime and how he keeps everyone in his team up to date. Start upgrading your security today!
Listen to the podcast here
George Finney: Zero Trusts Given
Welcome to the show brought to you by Elevate Security. For some of you that may be new to the show, you may know me from pm73media or perhaps The InSecurity Podcast once upon a time, where I may have done something awesome with our guests or a lot of other security events around the world over the years. The key thing is here on the show, we are bringing you all of the top experts in the industry for a chat about anything that’s either cool or horrifying about keeping our world secure. Speaking of that, I’ve had some fun with this guest before. He’s super cool. We are excited to welcome George Finney to the show.
George is the Chief Security Officer at Southern Methodist University, a senior fellow at CyberTheory, and an author. His book is called Project Zero Trust: A Story about a Strategy for Security and the Business. Another best seller on Amazon is Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future, and previously, No More Magic Wands: Transformative Cybersecurity Change for Everyone. He has a Master’s degree in Computer Science from the University of Texas at Dallas and a Juris Doctorate from SMU. For those of you who don’t know what that is, it’s the law equivalent of a PhD. He also had his first art exhibit with his original paintings.
Dr. Finney, welcome to the show.
What’s up? That’s the best intro I’ve ever gotten. I’m like, “Who is he introducing?”
For the last time you were at one of my shows, but we had to add to that a new book, the art exhibit, and all kinds of cool stuff.
It’s so awesome to be here. I’m so excited to jump into it again.
I can’t believe that you even have the time because school is back in session. You are a CSO at a university with over 12,000 students and 1,100 faculty and staff. If we were to put this in a sports analogy, I assume that all of the summer is preseason as you’re getting ready for this and the season has started. Let me ask. Is this a dream job or a nightmare?
It is both. I’ve been here for nineteen years. In a lot of ways, it is a dream job. Not every job would allow you to be able to get the time to go write a book or teach. Not every employee is super supportive of their employees in that way, and SMU is. The nightmares aren’t that often, but you gotta keep on your toes. In any job in security, you’re going to have challenges and weird stuff come up. You get better because of those things. That’s how you keep going. It’s not that you want those things to happen, but it keeps life interesting.
To a degree, you grew up inside SMU. You have this massive responsibility of protecting the students and the faculty surrounding everything that is going on. Is that a different perspective compared to you being hired from somewhere else?
First, I did grow up at SMU. I’m here. I’m from Dallas. I remember coming to the campus to see one of my favorite Beatnik poets read poetry in the ‘90s.
There were Beatniks in the ‘90s? Were there black turtlenecks in the ‘90s?
They were Beatniks from the ‘60s that were doing new book tours. SMU has been forever a staple. To be able to work here is amazing. When I told my mom, “I’ve got an interview at SMU,” she was like, “My son has achieved something in his life.” It’s such a cool place to be. I was pretty young when I started here. The culture has formed. If I had jumped to be at another startup, a security vendor, or in some corporate job, I would be a different person after these several years. I would look at it differently.
For the ponies, when they play, it gets into your blood, whereas if you were coming in and you’re new, it is just another job to you. It is maybe a stepping stone. You’re jumping in and you don’t know. I have this interview question that I always ask. I ask people, “Why do you want to work at SMU?” This is the most important question I ask. If they answer, “I want to continue growing in my career,” that’s cool, but if there is a, “I want to be here specifically,” that changes your culture. That changes everything about your organization.
Being a part of SMU can really change your culture.
That’s interesting because SMU is woven into the fabric of Dallas. Dallas is woven into the fabric of Texas. You mentioned rooting for the ponies. I’ve tried hard not to make an Eric Dickerson or Craig James reference, but here we are, so I have to. When you are building your team as the leader of the information security organization, how much does that answer matter? You might have somebody who is a total rockstar.
Technically, the talent is amazing, but their answer may be, “It’s a great opportunity for me. It’s an interesting sock,” as opposed to someone who feels SMU and its relevance to the community, city, and state. How is that, culturally, a way that you want to assemble your team? You’re probably around 20,000 people that you are charged with keeping safe and secure.
On game day, we could get 50,000 or 60,000 people on the campus connected to Wi-Fi, using our different systems, or doing streams. It’s such a big part of the community. Everybody knows. In Dallas, for sure, it is like, “I know SMU. I’ve been there. I took a class there one time. I had a friend who went there,” or, “I had a family member who went there.”
It’s not necessarily a strategy that works for everybody, but the average tenure of someone on my team is 15 to 20 years. It’s not something that you could build overnight if you even wanted to. Having a long-term history, everybody knows you. In terms of the trust, they know who George is. Everybody knows the name. You see me in meetings. If there’s an issue, they’re going to ask. They’re going to reach out. That long-term visibility is incredible. It is not something that you get everywhere. It’s special. That’s part of why it’s a dream job. I’ve built a team over decades and we like working with each other. How crazy is that?
I hear the stories about what Millennials are like. We all want that. Most of us have had that beaten out of us over the last couple of years. You can never have it. You take care of your people. You invest in them. That’s what SMU is about. That’s the reason that, selfishly, I came here. I wanted to have SMU pay for my law degree, and they waived the cushion.
That speaks a lot about you as a leader, as you have been able to build a team over the years. You’ve been able to stay here and your team stays here. Given your role as a CSO at a large university with 12,000 students and over 1,000 faculty and staff at all of the other things that we’re talking about, that is utter chaos. With the idea that we have been talking about on the show, with the thread being insider threats, witting or unwitting, there is so much for you to deal with. I got five sub-questions on this. Give me a moment as I try to sort out how we start.
I’ll start out with a story. I forget which one it was. It was Nimda or one of those. We were dealing with that infection on campus. You talk about chaos. At the time in 2003, we’ve got 2,000 or 3,000 kids living in our residence halls. We had hubs back then. We hadn’t made the switch yet to switches. When one kid would get infected with whatever self-propagating worm, the entire campus went down. The inbound of bandwidth being consumed was incredible.
Picture, if you will, network engineers running from room to room, unplugging the connection. They’re like, “Is that it? Let’s try this next one. The lights are flashing faster.” We take dorm by dorm down to see, “We’ll isolate it to a floor, but we’ve got five infections going.” It’s crazy. We’ve gotten better since then. In the world of zero trust, we say, “Assume breach.”
In the world of zero trust, assume breach.
It’s weird. We’ll get vendors sometimes that come in. They’re like, “You guys encouraged us to tell you all the bad news.” I was like, “I expected there to be bad news. I would be disappointed if I paid you that and you didn’t find something.” I get the impression that maybe at other organizations, some people don’t assume breach. I have to in higher ed because it is chaos. Maybe you think you’re in control at corporation X, or maybe you aren’t and you’ve got that false sense of security.
I am of an age. I was post-college when Napster, file sharing, and Kazaa all became the rage, but there are still things like BitTorrent, user groups, and those types of things. Given the student population you have and their access to high-speed internet, is that a wrinkle that matters, or am I a criminal pirate and that’s not part of the scene?
I have my feelings on free and open-source software. I’m a huge advocate that ideas should be free. Let’s start there. Since I’m put in charge, I’m effectively “big brother” for a bunch of cool college kids that the man’s got to keep them down. Congress passed a law back in the late 2000s.
They were like, “You can’t steal copyrighted material on the internet.”
We have been going through DMCA requests for years. A lot of universities had to have full-time staff to respond to DMCA requests.
An actual full-time position for DMCA?
Yeah, especially for the larger schools that have a lot of students and residents on their networks. Ours was much lower. We don’t have quite that number of students. Not as many live on campus, but it was a struggle. You would get in and it disrupts your whole day. It is the security team’s job. For us, at least, it was because we had the access to go look at the logs.
We went through the process of validating whether the DMCA request was legitimate. We were like, “Was there traffic at the time? Did it look like it matched?” We did that before we would even consider implicating a student and having some response for them, which wasn’t always disciplinary. Sometimes, we just made them watch the stupid five-minute Don’t Steal DVDs video.
Having that inside access, we want to make sure that they’re not doing bad things. Some of the later file-sharing software was just malware. We wanted to help educate students to do what they were going to do safely. Eventually, when we put our next-gen firewall in, all of the DMCA notices stopped for us. That’s happened with a lot of other universities. Eventually, it trailed off. Those kinds of things can shape a program.
Sometimes, you can create friction with your user populations that maybe you don’t want to have. You’re put in the position of having to navigate those waters. I jokingly introduce myself as the big brother to faculty sometimes. They don’t necessarily appreciate my humor, but the idea is like, “We’re trying not to do that. We realize we want to protect your privacy. We also realize you’re never going to believe that we’re protecting your privacy, but we’re trying.” There is a lot of chaos.
We worry sometimes whether some of our foreign or national students coming in are spies. They got hired as a graduate assistant and then they’re an employee of the university. What vetting happened before that even got to where I can know? If the Chinese government wanted that to happen, it would happen. It’s not that I’m saying we know that or can vow or disavow whether that has ever happened.
I am going to let you talk your way into or out of that one. You mentioned open-source software for file sharing. I got to give a shout-out to BonziBuddy and the purple gorilla that I’m sure was the bane of your existence early on. With people coming in internationally, I’m sure that they were properly vetted in order to be hired, but all of these different things, what does that do to your team’s approach to insider threats? The line that I’ve heard from Donald Rumsfeld, but apparently, it’s much older than that is that we don’t know what we don’t know. How much can you anticipate, and how much do you have to read and react to every day, you wake up and be like, “What do we have?”
This is where zero trust started to help me. John’s original paper was coming out as I was promoted to CSO. We realize we only have so much we can control. We were like, “What are we going to do?” We’re focusing on those controls and making silos, if that’s the right word. John’s term is protect service. You’re locking down those parts of the network. You’re trying to move students, so they’re as separate as possible, which is impossible given they’ve got free access to all of your buildings and whatnot. It’s a challenge.
One of the cool things we were doing when I first started was we had this network access control solution. Before all of the ones we used, there was an open source that came from the University of Connecticut. It was magical. I had spent all these years becoming a network engineer learning how to basic operate a network. I then come in and we’re using this software that’s doing art poisoning attacks against users. It acts as a method of quarantining them in your NAC to force them to register before they’re moved to a clean network.
By doing NAC, we are able to find your users and isolate them. We were way early on doing it with bubble gum and duct tape. We started to think, “We’ve got to prevent as much as we can. We’ve got to find ways to create at least pockets of security in an otherwise chaotic environment.” That has evolved into, “Here’s how we do these other things. Here’s what guides the philosophy or strategy of our program.”
Is being a CSO at a large university the hardest version of being a CSO? Would you rather be the CSO of NORAD as opposed to the idea of how many variables you have to take into consideration every day?
I like the university environment in a lot of ways. Everybody will say the big difference with universities after you get over the weird politics is the pace. It’s a lot slower pace than in a corporate environment.
Being a CISO in a university environment is much slower than in a corporate environment.
That surprises me. I would think that it would be faster knowing that you’ve got a constant churn of new students and new things, but it’s slower.
It is less money. Maybe that’s the reason. There is also lower staffing. We’ve been able to slowly migrate over time, and people are accepting of that. A lot of the customer-facing stuff and the student experience, we keep that. With all the backend stuff, it is like, “Does that need to be upgraded for ten years now?” It varies.
In a corporate environment, particularly if you’re a publicly traded company that you’ve got all those regulations, it is weird because, in higher ed, you have those same regulations. We’ve got healthcare data. We’ve got financial data. From a compliance perspective, we’re at the intersection of a lot of different compliance reasoning. I don’t know. I haven’t worked in another industry. I like higher ed. It has been a rewarding thing for me. Who knows what’s next? It’s been fun so far.
You have a new book coming that we referenced at the beginning, where you chose to illustrate zero trust in a fictional setting. People who are not in this industry don’t even know what zero trust is. Why take that route?
I was inspired first by Gene Kim’s book, The Phoenix Project. If you know what DevOps is, The Phoenix Project is like the Bible for that. It tells a story. There have been lots of great books like this, like The One Minute Manager. It also tells a story. The idea is to make the concepts you’re throwing at people approachable. I’m not going to pull my punches. This is a technical book with lots of depth in a lot of different areas, but I wanted something that someone brand new could come in and understand what zero trust is. They need to understand zero trust. Your CIOs or infrastructure folks need to know what zero is. It’s not just something that’s for security nerds.
If we’re being honest, most security professionals probably work in the top 3% of companies in the world. 99% of businesses out there are small businesses. They can’t afford to have dedicated security teams. They need to do zero trust, too. Boards of directors and executives need to understand zero trust. The way to do that is I told a story about a fictional company. They’re ransomed and they decide to implement zero trust before their next big product comes out in order to ensure that the future of their company is protected.
It’s such a fun story. People will get into it because they like the characters. You build a team with zero trust. It can’t just be one person doing zero trust. It’s got to be all of the departments working together for the common good. I would love it if somebody out there were to catalog all of the pop culture references that I put into the book. I didn’t do that myself.
It sounds like an episode of a show someone might be interested in.
There’s a lot there. I’ve got some pretty deep cuts that you have to be weird like me to get some of those references.
Is this required reading in the syllabus for all incoming freshmen at SMU?
Once this episode drops and it is rocketing up the charts on both New York Times and the Amazon list, you’ll be like, “We need to get this in there.” Is zero trust something that you either need to or want to communicate to the student body or is that too esoteric for them because that’s more inside baseball from a security perspective?
At the end of the day, whether they’re students, your bank clients, or what have you, everybody’s customers want to know they’re protected. I don’t know that the term zero trust is going to resonate with everybody off the street. It probably never will. I was in our library. We have a Starbucks in our library, which is amazing in itself. I was hanging out in the Starbucks in the library. They happened to have an admissions tour going through the campus. They remodeled the place, so it was gorgeous. This was a popular stop because kids like going to Starbucks. They don’t want to have to walk all the way off campus.
I love that you were quietly sitting there, having coffee, and doing work, and then over here is someone explaining how safe and secure SMU is. There was a little part of you that wanted to raise your hand and be like, “I did that. That’s my team. We keep your children safe. You’re welcome.”
I thought about it.
Leaning into that outside of zero trust, I cannot pound this point enough. You have a massive responsibility. There is a huge campus. You have this very diverse culture that you have to protect. For your team, what is your biggest security concern? I hate the question, “What keep you up at night?” It’s more interesting when it is like, “What do you think about first when you wake up in the morning?” You could forget about the first thing when you wake up in the morning. You wake up and you have this thought. You get in the car and you have this thought. Every fifteen minutes, there’s another one coming in.
It seems like technology changes in waves. We’re in the midst of one of those tech refresh cycles that happen to catch us off guard a little bit because of some other upgrades that started happening. We need to make some upgrades on the security side to match that. That is going to force us to rethink the way we do antivirus, our centralized logging, and network detection.
In a way, we’re thinking about our program from an objective perspective. We’re like, “With technology the way it is today, not the way it was five years ago when we were making some of these other decisions, what would we do now if we’re starting from scratch?” We’re not necessarily starting everything from scratch. That’s a good exercise to go through. I’m not going to be married to one vendor forever.
Other companies out there and startups have innovated and maybe, in some cases, out-innovated organizations. You can’t absorb too much churn because you’ve got a team that has invested a lot of time in learning how to run existing tools. You’ve got to be able to challenge yourself and be willing to get out ahead of the curve. It’s like Alice in Wonderland. You always have to run to stay in the same place. Whether it’s your technology life cycle, managing change or new initiatives, or acquiring new third parties, we’ve done all of that in a higher ed environment.
We got all of the same things in higher ed that you’ve got in other larger organizations in a weird mélange. We’re an ISP for a large number of human beings. We have five different sporting and event venues. We look more like a city in some cases because we occupy a couple of square miles of real estate. We’ve got underground infrastructure and generators. We’ve got it all. It’s little pockets of everything.
I do physical security, for example, whereas another CSO might not have to understand physical security or take that on. There’s so much to do. The footprint of everything you have to protect is a lot to wrap your head around, especially if you come into it from some other segment where you didn’t have to have most of that.
We could do five episodes on that answer alone, parsing each one of them out into separate topics for that particular show. I love that physical security is part of your purview. We’ve had several guests in your role where some do have physical and some don’t. To some, they want it as part of their team and some specifically want it separate from their team.
We also had the legendary Freaky Clown on. He is a physical pen tester who’s been breaking into banks for many years and has never been caught. Please check that episode out anywhere that you get your show. When you meet with your peers outside of higher ed, what is the exchange like? With everything that you laid out, it is the fact that you have to do so many different things as opposed to someone who, in their particular vertical, the role allows them to specialize. Your team has to diversify. How do you learn from each other and take the benefits from each of your particular milieus?
I personally learned a lot from taking on physical security. There are practices in the physical security world that we can operationalize in cyber in an interesting way, like the way that they interoperate because of UL listings and things. Cyber tech doesn’t necessarily play nice in those same ways. At the same time, cyber innovation is at a much more rapid pace than the physical security world.
Cyber innovates at a much more rapid pace than the physical security world.
People still have mag stripes on their ID cards, and those were invented many years ago. There’s no encryption on there. What are we doing? If you have learned card readers, you’re not necessarily thinking about the encryption of keys. When you bring those two together, that’s helpful also. On the cyber side, if you’ve got a SIM or a security operations center and you’re seeing two-factor requests, it’s gotten difficult to know what location data is real or not anymore.
Those impossible travel alerts that we were getting for a while aren’t as reliable as they used to be. If someone swipes their ID card on a badge reader in one of your buildings, that’s probably a high degree of likelihood that they’re with that card. If you’re seeing two-factor requests from another country and you’re seeing them log in from a VPN or whatever locally, there are some questions that need to get answered.
Having that complete layer of visibility into all of the security is beneficial. There are lots of reasons why a CSO might not have physical security under its purview, but there ought to be a partnership between those two areas, even if they’re not directly under the same leadership. We’ve got so much to learn from one another.
We’re doing a hard pivot. You had the first exhibit of your original paintings. I don’t know if most of our audience considers a CISO as someone who’s going to be putting brush to canvas and doing some fun, interesting stuff. Why do that? What does George say?“Do you know what I need to do? I need to get this painting of Optimus Prime out of my head. I need to get it in front of people. We have to go.”
Technically, I don’t flip brush to canvas. I shoot the paint directly on the canvas with a spray paint can.
How did I miss that? You’re a graffiti artist. What’s your tag name?
I don’t have a tag name.
When I go to Dallas and I go look at buildings, I need to see what I’m looking for. Let’s crowdsource that. To the audience, please, you could reach us @Hello_Elevate for suggestions for George Finney’s tag name as his graffiti artist career unfolds.
For some reason, it’s lost to the mysteries of time. I have no idea why I started this thing. I wanted more art in my life. I’ve seen people do spray paint art. I watched a boatload of YouTube videos on it. I was like, “I can do this. This seems fun. What would I do?” I wanted something that I could pull off in stencils and figure out how to lay all that stuff out. I thought, “Let’s do Optimus Prime. I love a good Transformer.” I’ve got a Transformer collection if you can see me.
Dear audience, know that over one shoulder is an original Finney painting of Optimus Prime. Over another shoulder is a Voltron movie poster. Directly behind his head are a couple of what I am sure are very limited edition Transformers.
I’ve got three Voltrons. I’ve Jetfire, which is one of my favorite Transformers. I love robots. That’s one of my things. For some reason, my wife lets me keep hanging these up in the house, so I kept doing it. I got too many and my wife was like, “If you want to keep painting, you got to do something with some of these.” I’m like, “All right.”
There was a security conference. I know the guys that run it, so I’m like, “Can we do a silent auction? I could sell some of these off. We could use the proceeds to go to pay for cybersecurity scholarships at the local community college.” They were like, “Heck yeah. Let’s all do that.” We raised $1,500 for the Collin County Community College scholarship fund, which is awesome.
I haven’t told you this part yet. There’s a CEO of a security company who was at the show. He saw the painting. He was like, “You have to come to do our logo.” I flew out to San Francisco. They filmed me doing it in front of the San Francisco Bridge. They were filming it in 4k and slowmo. One of the things I love doing is dual wield spray paint cans. Those are two different colors to blend as I’m spraying.
Imagine that in close-up, 4k, and in slowmo. That will drop in the next couple of weeks. They made a video marketing thing for them. I can’t wait to see that. I started out watching YouTube videos and somebody paid me to do one for them. I’m so lucky. I love where you started. SMU is pretty much a dream job. I get to have this thing that I don’t know that I would’ve ever thought of or got to if I went another route.
Dear friends, CSO of SMU and ambidextrous spray paint artist, George Finney. We could go for three more hours on this. I want you to come back because we got a lot more to talk about. I would like to ask you about the influence that animation and science fiction has had on your approach to security. Unfortunately, we don’t have time, so we are going to shift into the leadership corner. We’ve already talked about one of the things you’re doing when you’re not doing this, but as far as the rest of it, what’s on your playlist? Are you reading anything? Are there magazines on the coffee table, bathroom, or car that you read at red lights? What’s going on?
I was in Austin for a speaking event for small businesses. It was cool. I have to shout out this. This book was written in ’66. I’m coming across it. It is Babel-17. It’s a great read. It is by Samuel Delany. It was not a long read. I wish it would be rewritten. Why don’t they do book reboots? They do movie reboots all the time.
This book was so good, but it should have been three times as long. It was some of the most interesting sci-fi concepts that I’ve ever come across. The main character is a warrior poetess. It is so fascinating. I don’t even want to describe it because it’s so good. You got to go into it. One of my goals is to teach myself how to edit a film. It’s basic. Don’t be impressed by this because I suck at it. I’m a Trekkie. One of the greatest episodes of Star Trek of all time is called Inner Light. I don’t know if you’re Trekkie enough to know.
Inner Light is the episode of Next Generation, where Picard gets sucked into an ancient civilization that sent out a satellite. He lives a whole separate life as this alternate character in that 1,000-year-old dead civilization so they can pass on some remnant of what their culture is like. It is a phenomenal episode. Patrick Stewart, the actor, was also in the original Dune movie.
That’s right. He had hair, but he had more hair.
I’m recutting an episode of Star Trek to put the scenes from Dune into those flashbacks. I’m going to call it Inner Doom. It’s going to be magical. If you want a bootleg copy, we’re going to figure out the Star Trek fan net as it used to be back in the ‘90s when people were sending bootleg VHS tapes.
With all due respect to every guest who has been on the show leading up to this, you don’t have crap on George Finney. That’s amazing. We got to call it right there. Give out shameless plugs. Where can they find you? What’s going on? Tell us good things about what you’re doing at SMU. Where should we go?
My website is WellAwareSecurity.com. My last book was called Well Aware, so it is Well Aware Security. In the book, I shamelessly stole Stephen Covey’s Seven Habits. There are Nine Cybersecurity Habits on the website. As if that wasn’t enough, you can take my free Cybersecurity Personality assessment on my website. Based on the nine habits, it will tell you what your cyber personality is. The idea was I wanted to help people develop an identity around security. Security seems so scary, technical, and unapproachable. We need to make it more approachable for everyone.
I want to help you find your identity in security. That helps us collaborate better together as teams, even if we’re a mix of technical and non-technical people. Everybody’s got to work together to get security. We need lots of different perspectives, not just our own, whether it’s skepticism, vigilance, or whatever your natural gift is. I should mention the book Well Aware. I would love for you to read it. If you can’t afford to buy a copy, that’s cool because you can also go to my website, WellAwareSecurity.com, and download the eBook for free. We made that for folks because we want to keep getting that message out there.
I don’t even have the words. I am sorry, dear audience, that this is an audio thing only because I was holding up my copy of Well Aware, waving it at George. He then held up his copy because he has to wave it back. It’s good. I love that you said that it’s what you’re doing. That is unbelievable. We’ve got a lot more things to talk about. I want to dig deeply into the notion of zero trust and how fiction can be used as a storytelling device for this. Will you come back?
Absolutely. I’d be happy to come back again.
Once the ponies are in the college football tournament, that will be the thing. Thank you for taking the time. It is unbelievable, all of the things that you were doing and still have time to do the other things that you were doing. We appreciate you coming to join us on the show.
Thank you so much for having me.
That is it for this episode. For more information on all that is good in the world of cybersecurity, make sure that you check us out. You can find us on LinkedIn, Facebook, and the mothership, ElevateSecurity.com. You can find me @PackMatt73 across all of the socials. As far as the show goes, wherever you go, that’s where we are. Whether it’s Audible, Spotify, Apple, Gaana, or any of those cool things, that’s where we’re going to be. That’s where you can find cool people like George.
I’ll tell you this. He goes on other shows, too. He’s fun and interesting out there. Please, go follow George on all the cool stuff. As far as we go, all we ask is you subscribe, rate, and review. You’ll never miss all the great folks who are coming in to talk about all the things that keep you safe. Until then, we will see you next time.
- LinkedIn – Elevate Security
- Facebook – Elevate Security
- Southern Methodist University
- Project Zero Trust: A Story about a Strategy for Security and the Business
- Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future
- No More Magic Wands: Transformative Cybersecurity Change for Everyone
- The Phoenix Project
- The One Minute Manager
- Well Aware
- Cybersecurity Personality – Well Aware Security
- Twitter – Matt Stephenson
About George Finney
George Finney is a Chief Information Security Officer that believes that people are the key to solving our cybersecurity challenges. George is the bestselling author of several cybersecurity books, including the award-winning book, Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future. George was recognized in 2021 as one of the top 100 CISOs in the world by CISOs Connect and has worked in Cybersecurity for over 20 years and has helped startups, global telecommunications firms, and nonprofits improve their security posture.