The Segment: A Zero Trust Leadership Podcast

Unpacking Zero Trust in Higher Education with George Finney, Chief Security Officer (CSO) at Southern Methodist University and Author of Bestselling Book Project Zero Trust

Episode Summary

In this episode, host Raghu Nandakumara chats with George Finney, best-selling author and Chief Security Officer at Southern Methodist University, about his experiences with Zero Trust in higher education, the cultural elements of cybersecurity, his new book “Project Zero Trust” and why some Zero Trust projects fail.

--------

“That understanding fundamentally of trust is something we don't necessarily talk about a lot in organizations. When you get into Zero Trust, the real trick is how do I spot the trusts? When I look at a computer, router, firewall, server config — what's the trust? How do I go through and get rid of them?

That's what Zero Trust is about. It's not about not trusting people. It's about finding those trusts in our digital systems and getting rid of them.” - George Finney

--------

Time Stamps

* (5:40) Establishing a unified security culture

* (11:10) What Zero Trust isn’t: “Don’t take the cynical approach”  

* (16:50) The secret sauce to being a CSO today is building in security from day 1 

* (24:00) Understanding your “protect surface” to maximize ROI 

* (28:30) The reason some Zero Trust projects fail isn’t because of tools - it’s people

--------

Sponsor

Assume breach, minimize impact, increase resilience ROI, and save millions in downtime costs — with Illumio, the Zero Trust Segmentation company. 

Learn more at illumio.com/

--------

Links

Connect with George on LinkedIn

Check out George's best-selling book "Project Zero Trust"

Episode Transcription

0:00:03 Raghu Nandakumara: Welcome to The Segment: A Zero Trust Leadership Podcast. I'm your host, Raghu Nandakumara, Head of Industry Solutions at Illumio, the Zero Trust Segmentation company. Today, I'm joined by George Finney, Chief Security Officer at Southern Methodist University. At SMU, George oversees all aspects of cyber and physical security, finding creative ways to enhance new and existing protections. George is also the bestselling author of several cybersecurity books, including Project Zero Trust and Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future. George is joining us to talk about his experiences with Zero Trust in higher education. Today, we are unpacking the cultural elements of cybersecurity, what Zero Trust isn't and why Zero Trust projects fail. George, it's an absolute pleasure to have you as the guest on our podcast. The first thing I wanna ask you is, how does a law graduate go from graduating in law to doing a law internship, to becoming a network engineer, to then becoming the Chief Security Officer at SMU? That's quite a few direction changes.

0:01:16 George Finney: So I actually, my undergrad was in liberal arts, which meant I studied a lot of philosophy and math, different things, languages, I learned to speak ancient Greek. Really, really awesome experience. And I thought when I got out of college that I was gonna go be a stockbroker. I actually interviewed on Wall Street and realized like, "Yeah, I totally wouldn't wanna do that." So actually, I got a job at GTE, so started out working on their DSL lines, their department. Became a network engineer from there, and actually I went to a couple of different startups, one in Denver and then another in Dallas. And I've realized I love startups, I love open source, and that was actually the genesis of why I went to law school was, hey, there's this thing, the GPL, I really wanna get into that, there's a lot of open source licensing out there. While I was in law school, the GPL version 3 came out, I actually did a directed research around that. And again, I thought I was gonna go be like a lawyer, never expected to be at SMU for 20 years, but I got that tap on the shoulder from our CIO and said, "Hey, we really need a Chief Security Officer." The writing's on the wall, all of the security folks at the time reported into our infrastructure networking department. And I had that background as a sysadmin, one of my startups doing Linux support or whatever in addition to being a network engineer.

0:02:35 George Finney: So I had this crazy background of law, network security and sysadmin, so it made a lot of sense to bundle all that up and we brought the team under me. And gosh, it's just been fun. Being in higher ed, it's like the wild, wild west, so really rewarding and that's what's really enabled me to write some of these books, is just being in this environment that's really thoughtful about the way we do things. And I've been there so long, I've had the chance to grow the whole program and be a part of every facet, whereas if I was at a large organization, I'd be much more specialized. So gosh, it's been such an awesome, incredible journey.

0:03:15 Raghu Nandakumara: Oh, that's fantastic. And I think the loss of Wall Street and the loss of the Bar has been the gain of the InfoSec community. So you talk about your role as a CSO at SMU and about how interesting it is and how varied it is. I just think the role of a chief security officer at an education institute must be so varied and demanding for a number of reasons. Because I was reading some of the blog posts you'd written and you spoke about how, when you came to talking about enhancing security, I think one of the research fellows fairly high up in the organization said, "Oh, no way, research should be open and free." And again, there's academic freedom. How do you balance all of these things in your role?

0:04:01 George Finney: So it's interesting. I didn't realize this when I started, of course. Higher ed is really highly regulated. If for example you were at a bank or at a retail shop, you'd have some good guardrails on what you do, whereas in higher ed, we do all of it. We have student loans, that makes us compliance-wise under the same obligations that a bank would have. At the same time, we've got a health center and we've got HIPAA, we do credit card processing, we've got student records, we've got European folks we do. So dealing with privacy laws and everything, the variety is really challenging. And that's actually what appeals to me, and I think just generally speaking, in the security world, we have to stay on the bleeding edge. We're always having to secure that next new thing. Okay, containers are coming in, how do we do that? How do we just do security in this whole new ball game? And frankly, I get bored really easily. And I think if I were doing the same job for 30, 40, 50 years, no knock on the folks out there that are still doing COBOL programming, but man, I would have gotten way burnt out from doing the same thing that long. I need to keep up with the latest thing, and security is that career that gives that to me.

0:05:12 Raghu Nandakumara: Completely. I'm fascinated by just the new interesting things that security, cybersecurity in all its manifestations, throws up. And actually, you described such that, that we often don't think of educational organizations, academic institutions as actually being this... It's almost like a conglomerate of lots of different industries bundled together. So how do you bring all of these various departments that all have different priorities and different challenges, how do you go about establishing a unified security culture?

0:05:48 George Finney: It's really hard. And some people say it's top down, others say it's bottom up, it's both. And the really unique thing about SMU, and I didn't have anything to do with this, it was way before my time. But the thing that most people know about Southern Methodist University is that we got the NCAA death penalty, we're the only university. So back in '88, remember there was the big football scandal where we were paying players before it was cool to pay players? Everybody was doing it, right, we're the ones that got caught. Fascinating to be a part of the university 15 years later, and that's not something that George did as the CISO, I inherited that. But thinking, oh my gosh, every decision we make, every new vendor, the way we handle financial decisions, all of it, I think is influenced by that one incident. And lots of organizations have had breaches or smaller incidents, there's that famous saying out there, never let a good crisis go to waste. So again, I think those things are the things that stand out in people's memories and that collectively drives culture, and so I wanted to find ways to be proactive instead of reactive.

0:06:56 George Finney: So those are great opportunities, and you can also create those opportunities and you can also build relationships with your leadership team, again, that's something that takes time, but I remember when I rolled out my simulated phishing program, this is eight years ago now, and the first campaign I sent I caught my president and I didn't get yelled at, I didn't get punished. But it is fascinating because I know other CISOs that have launched simulated phishing campaigns that did catch their CEO or whatever, and they don't do simulated phishing campaigns anymore, so you've gotta have that trust that everybody's gonna work together towards the common goal. And again, when you can align that to the mission of the organization, we need to protect our community, we're here to protect our students who are vulnerable, who are growing and learning, that's magic, tapping into that to help drive culture is again, something that it's so amazing that we can be a part of that in the security world.

0:07:50 Raghu Nandakumara: And I think just on that last point, something that is regularly expressed is that in order to do your job as a security professional, the first thing is that you need to understand the organization that you're protecting, and essentially their value prop and then your own value prop that ties in with this. So can you express how you express your value prop to your board?

0:08:15 George Finney: Yeah, so I don't know if you've ever seen the Charlton Heston movie, Soylent Green, back in the 1970s, kind of a sci-fi thing.

0:08:23 Raghu Nandakumara: No, I'd love to hear about it.

0:08:24 George Finney: I'm gonna spoil the ending, but essentially the world has grown so much, they've run out of food, and so there's this special food, it's called soylent green that people love and it saved the world, 'cause we can feed everyone now, and it turns out... The famous saying Charlton Heston runs out when he figures out what's happening, he's like... Soylent green is people... You're feeding people back to the people, but oh my gosh, in security, security is people, it's not the technology to... When I have conversations with our board or with our leadership team, I tell stories about humans, what's the human impact to our organization. When I started out doing this, I had a security... A monthly security report, it was all like metrics focused, and okay, we gotta, how many firewall blocks have we seen or whatever, it wasn't human. It's just numbers. It's huge numbers, but okay, cool, what does that mean? When you can tie it back to, okay, we had a person who was faced with identity theft, here's the impact to them, and so I turned it into more article-driven, more story-driven things, and again that changed the audience from just being really concerned about...

0:09:34 George Finney: I don't want people to share the metrics, this is really just something for executives to... I'm gonna send this newsletter to everyone at the organization, including students. I'm gonna make it publicly accessible to the interwebs or share it on LinkedIn or whatever, and that response again, oh my gosh, that's very different than the traditional way people do security where it's a black box, I'm gonna play my cards close to the vest, I'm not gonna talk about things, and that's what I saw with... In writing some other books that I've written, when I talk to people, people want to help and then they're like, it has to be off the record, 'cause I can't tell these stories, our PR department doesn't want me to or I've got an NDA or whatever. And man, if we're not sharing our stories then the next generation of security people are gonna have to learn all of this over from scratch, and we can't do that, we have to stay ahead of the bad guys out there and to again, telling stories as an author they always say, "show don't tell." And I think there's a lot of telling when we give security advice instead of show. That's the difference.

0:10:38 Raghu Nandakumara: Absolutely, and I think almost to apply that whole security through obscurity is no security at all. It's the same with stories, if you don't understand the issues that you're here to combat, how can you possibly understand how you're gonna secure them or the value of the security that is being built. So everyone here is here to learn about Zero Trust and learn about Zero Trust from you. Alright, so let's start with an easy one. Give me your favorite Zero Trust analogy.

0:11:06 George Finney: Oh man, gosh. And I think... Well, I'll give you the worst analogy and we'll go from there. So what Zero Trust isn't... Obviously, the two words imply like The X-Files, right? That's like the Fox Mulder "Trust No One," and that's not what Zero Trust is. So Zero Trust... The analogy... Don't use the X-Files analogy. You actually have to work with other human beings to make Zero Trust happen. Although Zero Trust implies don't trust, don't take the cynical approach of, okay, gosh, I can't trust anyone, but what we're doing there is we're substituting cynicism for good judgment. Zero Trust takes analysis, it takes thoughtful exercise of the practice of security to help protect our communities. Gosh, probably my favorite analogy is just a Jawbreaker. So instead of an M&M, which is the crunchy outside with the soft chewy inside, a Jawbreaker is hard all the way through. So in terms of a candy, if you wanna do Zero Trust, make your organization a Jawbreaker and hopefully the bad guys will break their teeth on the Jawbreaker when they try to bite into it.

0:12:17 Raghu Nandakumara: Takes you back to late days of primary school, where you go into these penny stores and fill up your sweet bag with a bunch of Jawbreakers and colored little bottles, etcetera, and then wish that you'd been careful with those Jawbreakers as your teeth ache from chewing into them. Okay, so I absolutely love the way you described what Zero Trust is, and more importantly what it's not. And definitely the bit about Zero Trust doesn't mean no trust, and it's often something that we hear at conferences, etcetera, almost people saying that I don't wanna hear about Zero Trust anymore, and I don't like the term, so what is a better way to express Zero Trust?

0:12:57 George Finney: The way that I think about Zero Trust, there's a phenomenal book by Stephen Covey, who is actually the son of the Stephen Covey who wrote 7 Habits of Highly Effective People, the son Stephen Covey also wrote a book called Speed of Trust. And in his book, he argues that you have to have both trust and analysis at the same time to have good judgment. So think of a matrix, on the X-axis is trust, it's not a binary thing. Like a spectrum, I either trust or don't, you actually have a Y-axis and the Y-axis is analysis or skepticism or whatever you wanna call it, but you have to have both at the same time, if you have low trust and low skepticism, that's kind of gullibility, if you have low trust and high skepticism, you're gonna have indecision. You're not gonna be able to get anything done. Covey talks about a trust tax on an organization, where if you don't trust any of the human beings around you, you're not gonna get anything done or it's gonna take a really long time.

0:13:57 Raghu Nandakumara: Yeah, absolutely.

0:13:58 George Finney: Same thing with partners out in your different organizations or outside of your organization. So having both is really critical, and I think that understanding fundamentally of trust is something we don't necessarily talk about a lot in organizations, and frankly, when you get into Zero Trust, the real trick is, how do I spot the trusts? When I look at a computer, router, or firewall server config, what's the trust? How do I go through and get rid of them? That's what Zero Trust is about, it's not about not trusting people, it's about finding those trusts in our digital systems and getting rid of them. We've been doing this for years, whether that's deperimeterization, which is a tactic that falls under Zero Trust. Maybe server hardening, just as simple as that, removing all the bloatware that comes from whatever OS vendor you have and you only need the things that you need to run, that's really what Zero Trust is all about, it's bringing all of those separate tactics... 'Cause that's what we were doing. We were implementing tactics all across the board to remove trusts, Zero Trust is the overarching strategy that helps bring us all onto the same page and gets us marching in the same direction.

0:15:03 Raghu Nandakumara: So without getting too philosophical, what is the meaning of trust in the context of cyber?

0:15:10 George Finney: I think yeah, what is a trust? There's a lot of different folks that talk about trust out there, and I think in terms of a digital system, it's about ease of connection. And that's why we put trusts in, I'm gonna put in a firewall rule to allow me to talk to any server in my data center, don't do this by the way, this is bad influence. This is what not to do, but that's a trust. Okay, cool. Now, when my computer or my device gets compromised, that's what the bad guys exploit to go and have free rein into an organization, that's what the bad guys exploit in terms of multi-factor authentication, I trusted that device for however long you're allowed to set up a trust for. That's a challenge, and we've gotta find the right balance, and I don't think there's a trade-off between usability and security, I think that's a myth. But that's the way that a lot of folks think about it, well, my end users, my clients are gonna revolt if I don't... And actually, I think you touched on this in the beginning, when the highest ranking academic person at my university said, "don't put a firewall between me and the internet."

0:16:16 George Finney: Okay, what they were saying in the background was, "I don't wanna slow down my organization, I wanna be able to perform my research without restriction, whatever my research is." And we need to enable that. And I think Zero Trust actually helps us, so at some point our clients or our customers, or at SMU which is our students, they began starting to ask, why aren't you doing X? And I think, gosh, if you're signing up for a bank today and they don't set you up with multi-factor authentication, well, hang on, now I'm not gonna do business with that bank, so at some point in our history, it became table stakes to have security, and I think for every industry, for every technology that's the path, they're just figuring out how this stuff works, we're innovating and we didn't necessarily think about security like, oh man, we're gonna go out of business if we're not doing security, and I think the secret sauce of being a CISO today is moving that maturity model over to where you're building in security from day one.

0:17:15 Raghu Nandakumara: So you've talked about things like, I think to quote you, it's like you don't believe that usability, productivity and security are contradictory to each other, you very much believe that those go hand in hand, but and then you also... And this is to quote something from your book, you said the DevOps folks are all like Ricky Bobby, they just wanna go fast. So as the CSO, how do you provide the security framework to allow the Ricky Bobbys to go fast, but do so safely?

0:17:48 George Finney: I think, again, it comes back to understanding humans. I love the joke of Ricky Bobby, actually I use that with permission from John Kindervag who created Zero Trust. So thank you, John, for that. So when I wrote the book, I had the huge benefit of having John Kindervag riding shotgun, being able to bounce ideas off of, but I also went, I'm not an expert in every domain of security, so I'm not an identity expert necessarily, I'm not a cloud or DevSecOps expert, so I tried to find as many experts as I could, and when I sat down with some of the folks who are really great at DevOps, the developers, it's not that they don't wanna do security, it's that they're incentivized to... All of their bosses need to get code out the door, again, that's great, it's really needed for lots of organizations, and actually that's a benefit so... Zoom is a great example. Zoom is a DevOps company, so when, I'm not gonna call them a cybercriminal, a hacker, a former NSA person disclosed two zero-days, but what do they do? They're like, cool, we're stopping everything else, and we're going to dedicate all of our DevOps cycles to fixing this.

0:18:59 George Finney: That's incredible. That's one story of how DevOps enables security. And again, we in the security community have some norms, and I think we like to disclose to a company first and give them some time, I don't think that process was followed in that case, so really, it's hugely unprecedented for an organization to be able to turn around a fix in 24 hours with no prior notice, it's an incredible story, but it just shows you how much security and DevOps can be aligned, and I think we have to be able to come to our partners and work with them and meet them where they are. A lot of what we can do with Zero Trust in the DevOps world in particular is to just be a part of their pipeline, they're already doing testing as a part of the pipeline, so let's... Let's just add a few tests. Can we check for secrets before the code gets pushed, so thinking about it instead of trying to secure the code at the end of the pipeline, Zero Trust is really about problem management, let's eliminate whole categories of issues before they become a problem. Let's think about prevention, let's get everyone on the same page and actually that enables CTOs and DevOps folks to not have to go and do those fixes at the end of the cycle, it's just built into the process.

0:20:14 Raghu Nandakumara: So I'm gonna quote your book again, I think at the start of the introduction chapter, you say, the most effective means we have available to protect ourselves inside security is prevention, and the most effective strategy for prevention is Zero Trust. And I'm gonna challenge you slightly, so bear with me, is that if we think about the whole, the era of perimeter security, so think of, let's say, '90s, 2000s, it was very much sort of the era of prevention, the bad actors were on the outside, everyone on the inside is trusted, so as long as we shut the front door or you keep that tightly locked, we're all good. And then we have to sort of, then we realize that actually that was failing, they were still getting in, and then it was a focus around sort of detection and response. Okay, let's put all our efforts or the majority of our effort in being able to detect, being able to respond, being able to recover, and that kind of became the driving, I would say, 2010s. And I'm gonna say too, that the current era is around containment, assuming that the bad actor is gonna get in, we may not be able to detect them.

0:21:22 Raghu Nandakumara: So the focus is around minimizing the impact of that, what are your thoughts on that, so it's not a... Zero Trust is really about containment, more than prevention. What are your thoughts?

0:21:34 George Finney: Technically, the definition we use for Zero Trust, it is John Kindervag's definition, and we go with that in the book, but the definition is Zero Trust is a strategy for preventing or containing breaches, we wanna remove the trust in digital systems and ideally we'll prevent them, and prevention is possible, and I think a lot of folks have maybe given up on that, and one of the tenets of Zero Trust is to assume breach and we also will attempt containment. So I think it's about both, an ounce of prevention is worth a pound of cure is really true in security, they've done studies about this to show, again, getting at the beginning of your code pipeline is much less expensive than having to fix things after the fact. So I argue that Zero Trust is actually the only thing in security today that actually meets the definition of a strategy. Great, so I had an argument with another CISO about whether defense in depth meets the definition of a strategy, I argue that it does not, but when you think about it, a strategy has to have two things, you have to have a goal that you're trying to reach.

0:22:35 George Finney: And you have to have a plan for how to get there, and ideally with a good strategy, you can measure how far along you are towards achieving that, so when you think about something... Again, I think of defense in depth as a tactic, but when you think about defense in depth, okay, cool. What's the goal? I think if you look at the technical definition of defense in depth, actually the goal is to have multiple layers in order to prevent a failure in one of the layers, so ultimately, if there's a goal for defense in depth it's about dealing with failure, not preventing or containing breaches. With defense in depth you're not actually addressing why a particular layer failed, and a lot of folks will call defense in depth "expense in depth," because what do we do? We just add more layers, that's great. Not efficient. Great, and so when you're pitching your board on something that sounds like, we're just gonna add a bunch of layers. How do you know when you're done, George? Well, how much money do you need? Honestly, if JP Morgan can spend a billion dollars a year and get breached, in my University, I pursued that same approach.

0:23:38 George Finney: How do you know it's gonna be effective? It's not an effective strategy. I think it's more like a tactic, Zero Trust is that strategy to help get all of the teams engaged in the right ways, we can leverage the right tactics at the right time so that we're not having tools that we don't need, 50 or 100 tools to accomplish what we can do with three or four.

0:24:00 Raghu Nandakumara: Of course, I agree with that, [chuckle] but there's a few really interesting things that you said, you spoke about the cost associated with when you're just pursuing a defense in depth approach without really having a strategy around it. Today, particularly with the macro conditions, there is this whole sort of, if ever there was a real pointed focus on ROI, we have that at the moment. So how does... Following a Zero Trust strategy really deliver not just security benefits, but ROI, cost, operational efficiencies, a simplicity in architectures. How does a Zero Trust strategy deliver these things?

0:24:40 George Finney: Yeah, so in the book, we used John Kindervag's design methodology for Zero Trust, so there's a five-step process, and really the foundation of that five-step process is this concept of a protect surface. So protect surface is like the opposite of an attack surface, and I understand that Gartner has a whole buzzword like attack surface management in the Hype Cycle or magic quadrant, attack surface management is a lot. It's a marketing term that gives you the idea that if only you could shrink your attack surface, then you'll be more secure, and you can't shrink your attack surface, your attack surface is any device in the world. So when you look at the Peloton or Parler breaches, what do they do, both organizations had an API, one to go to mobile phones, one to go to treadmills or exercise bikes or whatever.

0:25:27 George Finney: Well, guess what? The bad guys just reverse engineered that API. There was a blind spot to those organizations. They didn't see or have controls around it to be able to detect anything through the API. And the bad guys exfiltrated all the data, helpfully through the API that the company provided. That's attack surface management, if you've got a mobile app, any mobile phone in the world is your attack surface. So in contrast, Zero Trust uses this concept of a protect surface. What am I trying to protect, that requires that I have to understand how the business works, that I have to have an inventory, I have to know what my top apps are or where my critical data is. So I'm gonna get my arms around that which I'm trying to protect inside a protect surface. And I'm gonna have a repeatable process that I follow to protect that.

0:26:09 George Finney: So when I think about deploying tools as a CISO, in the olden times I think, okay, I gotta deploy firewalls everywhere. I've gotta deploy EDR everywhere. Actually, when I think about just a protect surface, I'm gonna provide bespoke controls to just that protect surface. So instead of licensing for my whole organization all of these different tools, I'm gonna only use the ones that are needed inside that given protect surface. So if I have a protect surface that has an API, for example, I'm gonna go to one of those awesome companies that have API security baked in. I'm gonna put that in there. If it's web facing, I'm gonna have a web application firewall. If it's a device, obviously I need endpoint EDR, I'm gonna have a firewall, but I'm gonna bake that in and have it custom tailored, if you will, to protect that individual protect surface the way that it needs to.

0:26:59 George Finney: And okay, if that gets... Again, I've got multiple protect surfaces, this is the concept of microsegmentation, another tactic that falls under Zero Trust. I'm gonna put like assets together. And so I'm gonna contain that incident to just that one protect surface. And understand how those other protect surfaces interact and hopefully I've contained that to a single protect surface. That's really the power of this Zero Trust design methodology, is really having bespoke controls. And then again, iterating, monitoring, logging everything. Again, another one of the tenets of the design methodology. But having that feedback loop, again, it's about, okay, now that I've got my protect surface, how do I spot the trusts? How do I remove them? Sometimes that's through proactive architecture. I can think ahead. Sometimes that's through pen tests or tabletop exercises or other things that help me find my own blind spots. And hopefully I'm being proactive and doing that before the bad guys find them for me.

0:27:51 Raghu Nandakumara: I've had the pleasure of sort of having a few conversations with John, and that sort of the concept of the protect surface. Obviously that's, he constantly stresses that again, and I think again, and it absolutely makes sense because I think some of the challenges with Zero Trust adoption when organizations say that, alright, it's really difficult for us to follow a Zero Trust strategy because how am I gonna apply it to absolutely everything. And you say, actually no, you've almost gotta flip it on its head and say, what do I most need to protect and focus on that? Why are we still having this challenge? Because again, to me it comes as a Zero Trust strategy that to me is common sense, thinking about the protect surface, that is common sense. As to where to start. And then as you iterate, you constantly look at that, what is the next thing you move to, but why is there still the barrier to adoption?

0:28:42 George Finney: Yeah, it's fascinating. I've talked to a lot of CISOs both before and after the book came out and honestly the common denominator of folks who have launched their Zero Trust initiatives and failed is because people. It's not the technology, it's not that they didn't have all the tools they needed or whatever it was about politics. It was about people didn't know what to do. They didn't know where to start. And again, I'm harping on people here, but my gosh, if security, if Zero Trust is just for us security nerds, we're gonna fail. 'Cause it's not the security nerds that are having to go out and do all the things. You've got infrastructure teams, you've got DevOps teams, you've got help desk or desktop support folks. So everyone in IT needs to be able to understand Zero Trust.

0:29:30 George Finney: And if I as a CISO can't understand Zero Trust 'cause all of the marketing hype or whatever out there and there's so many competing like things, if I can't understand it, how do I expect a new network engineer to my organization to be able to go and deliver on Zero Trust? Oh my gosh. Obviously, the right answer here is now go buy George's book Project Zero Trust available on Amazon and Audible and have them [chuckle] to break down the barriers. Or we can just make it really simple. But again, everybody has to understand Zero Trust in order for our projects around Zero Trust to be successful.

0:30:03 Raghu Nandakumara: Yeah, I agree. And I think what I love about the book and there's that, lots to love in it, but what I liked is that sort of the validation of the progress, the tabletop exercise. That they run and those of you who haven't read the book yet or listened to it, you'll get the reference when you do. Sort of how does that, 'cause validation is so important, I think that as security practitioners we don't do enough real validation. So why is this particularly important to show sort of or a why in your sort of Zero Trust program, but also in short get validation that you are making progress?

0:30:40 George Finney: Yeah, and again, this is another one of the reasons why Zero Trust projects fail. When I've talked to other CISOs, the average time it takes for a Zero Trust transformation is 3-5 years depending on where you're starting from, it can vary by a couple of years, but oh my gosh, think about executive turnover and think about CISO turnover and think about the budget cycle. So if you're not showing progress from year to year, well how do you keep justifying that? How do you, continue to get support as a CISO you ought to be out there developing relationships, building trust, but part of that is breaking Project Zero Trust down into bite-size chunks. And so in the book we suggested that their journey lasts six months and that was driven by a new product project release.

0:31:26 George Finney: And so they had to get it done by a certain day. I think that really aligned well with the business. All the business leaders realized, yeah, we got this new project or product coming out, we had some security incidents, we want people to be a part and feel comfortable that we are gonna deliver good security, good products. If we don't, we think [chuckle] the new product isn't gonna compete on the market. And again, that's aligning with the business, that's connecting the dots. That's not saying, we got we know we have this new project, product coming out in six months. We'll be done with Zero Trust in five years. No, that's, again, there is a Zero Trust maturity model out there folks. There's one in a book that is blessed by Kindervag himself. There's also one now from CISA.

0:32:08 George Finney: And so I'm a part of the Cloud Security Alliance working group on Zero Trust and Kindervag and Chase Cunningham and others are collaborating with CISA to get that document right. But wow, I think collectively we are working together, oh my gosh, the security community is working together to have one consistent definition of Zero Trust. Something to start with instead of, I gotta go look at Forrester and Gartner and get behind the paywall and I hear all these startups throwing Zero Trust products at me. Okay, let's go to a consistent definition that we can all get behind. And talk about, okay, I have a tool that can help you in your Zero Trust journey. Not, I have the tool that is all of your Zero Trust needs all in one. That's what we're really about. And again, we've gotta make it simple and bring everybody to the table.

0:32:52 Raghu Nandakumara: Yeah. I think I... Absolutely like the whole sort of thing about being able to almost look at it in sort of six months blocks at a time. And align to a maturity model and being able to say that in six months we wanna be here in 12 months, we wanna be here, is just such a more digestible way of being able to adopt and also course correct because otherwise it's kind of fund this five year program, but don't come and ask us anywhere between now and five years' time what we've been up to.

0:33:22 George Finney: Again, in two years the company might be using entirely different technology. How do you keep up with that in terms of Zero Trust? Gosh, yeah. You've gotta make it a step by step approach. So the motto for the fictional company in the book, so the company name is March Fit, and their company motto is every step matters and every step matters because you have to take one step to enable the step after that. They don't have to be big steps. You don't have to be running, you can walk, baby steps count and yeah, I think that approach to Zero Trust. We're always improving step by step. Everybody can come walk with us and make it inclusive. That's what we're, that's really what's gonna move.

0:33:53 Raghu Nandakumara: Yeah. 100%. So just kind of looking forward, let's looking into 2023 as a CSO, what are you most worried about?

0:34:02 George Finney: Gosh, people, I think honestly, there's a lot of burnout that's happened with the pandemic. I think recruiting obviously is the big challenge. I think the great resignation is a huge concern that battle is being waged in our leadership teams across different organizations. How do we continue to enable security? How do we continue to lift up the organizations and our, each of our own unique digital transformations? I think we've gotta keep investing in people to keep making progress. And if we stop doing that again, security is always at the bleeding edge. So if we're not dedicated to continuous learning, the lifelong learning, we're eventually gonna start to fall behind. And I think when you're overloaded and you're getting burnt out, that's the first thing to go is, I'm gonna stop reading, I'm gonna stop listening to books on tape or whatever.

0:34:47 George Finney: However it is you get your education man that is gonna set us back years. We've gotta be welcoming new people to security. I keep hearing people are turned off by security 'cause it's the spooky Fox Mulder types and I wanna do something that helps people and security does help people, but if we're turning people away from security because we're, again, we're not investing in folks, we're putting out job descriptions that are supposed to be entry level, but they're requiring 20 years of experience [laughter] and Zero Trust, admittedly like, think about some of the job descriptions that say 20 years experience with Zero Trust. Guess what, Kindervag invented Zero Trust 12 years ago.

0:35:26 Raghu Nandakumara: Yeah. Excellent. Exactly. 

0:35:28 George Finney: Anyway, I'll get down from my soapbox.

0:35:29 Raghu Nandakumara: You are preaching to the converted here. So [laughter] I completely agree. I think I almost feel that it's, that it's not far off us seeing sort of academic institutions offering undergraduate degrees in Zero Trust. So George, it's been an absolute pleasure to speak to you today. Just really enjoyed the conversation and could have gone on forever. Please everyone do go and check out George's latest book Project Zero Trust story about a strategy for aligning security in the business on Amazon or like me if you prefer it through your ears rather than through your eyes, go and check it out on Audible. George will be very pleased to know that I'm fairly sure that I hold the world record for how quickly that book is finished. So yeah, I sort of found the time between yesterday and today to just whizz through it. Didn't miss a word except for the appendix. I have to admit I didn't listen to the appendix. It's fantastic. I feel that today in our conversation I have been the Dylan or the Luke Skywalker from the story and you have very much been the Obi-Wan, so I appreciate the time George, thank you so much for spending this time with us.

0:36:32 George Finney: Thank you so much for having me. 

[music] 

0:36:37 Raghu Nandakumara: Thanks for tuning into this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at illumio.com. You could also connect with us on LinkedIn and Twitter at Illumio. And if you liked today's conversation, you can find our other episodes wherever you get your podcasts. I'm your host, Raghu Nandakumara, and we'll be back soon.