Webinar Recording: CISO George Finney

Posted by Dave Winter
August 27, 2021

Share Article

On Thursday, August 26, we are honored to host the CISO of Southern Methodist University, George Finney, as part of our monthly Breaking Security Awareness Webinar Series.

George and our CEO Ashley Rose engaged in a lively discussion regarding how a CISO can keep their training programs engaging and build continual engagement & application of the material to keep your organization protected from cybersecurity breaches. A full video of of the conversation can be viewed below, you can also read the entire transcript posted below in this blog post.

Webinar_GeorgeFinney_SMU_26AUG21

 

During the webinar, we received 4 additional questions that we didn't have time to answer. Here are those queries and responses.

If you had an unlimited security awareness budget, what would you spend it on?

Invest in a program that empowers your team by making them the solution, not the problem. A great way to start is to plan an effective Cybersecurity Awareness Month program that not only educates your team but entertains, engages, and fires them up with interactive team building activities around security awareness training with Living Security. 

Take a look at our Cybersecurity Awareness Month package here. We have a simple, ready-to-go Cybersecurity Awareness month package to help you set up and execute a successful month. Plus, you’ll gain access to our customer success team to help you plan it out to be as effective as possible.

Dr. Eric Haseltine, Former Director of Research for the NSA, says that if you design an unreasonable system, people will behave unreasonably. How do we prevent our security awareness training programs from becoming unreasonable (a roadblock, a time sink, a nuisance, etc.)?

Develop a security training program that is based on behavioral science, which accounts for the fact that people learn best when they are engaged via participation in a group, motivation from teammates, and an educational environment that is broken up into smaller segments to account for attention spans & focus.  

Also, incorporate both intrinsic and extrinsic motivators to help your organization move through your training program successfully. As the University of Michigan’s Center for Academic Innovation notes “while tapping into intrinsic motivation may have a longer lasting and more meaningful impact, it’s not always a luxury we can rely on. The extrinsic motivators we have access to are often better at encouraging students to do something they may not obviously see value in.”  

In the case of security awareness training, you may not find many individuals are intrinsically motivated to engage in security awareness training, however you can use extrinsic motivators like public appreciation of individuals or groups with high participation/training scores, a leaderboard where your organization can win prizes, and fun training sessions your team can do interactively with a group to encourage individuals to work together and not let their teammates down. All of these extrinsic motivators are incorporated into Living Security security awareness training programs. A great place to start is our cyber escape room, you can book a free demo here.

You spoke to this a bit, but we have a question about how do you actually engage faculty? They often think they already know everything in regards to cybersecurity and have no interest in participating.

Thankfully, the extrinsic motivators outlined above work well with faculty as well. The key is to personalize the rewards to your particular audience. In the case of SMU faculty, we’ve found that offering extra vacation days can be an effective way to keep them engaged with our training. However, every institution is different, and it’s important to find out what types of rewards work best for your faculty.

Does your approach meet any compliance requirements ?

Absolutely, Living Security security awareness training programs meet compliance requirements, but meeting those requirements is an extremely low bar. Our programs are built based on feedback from our Fortune 100 clients. We use this feedback to ensure that not only the training programs check the compliance box, but the information conveyed is retained for a long period of time based on highly interactive, engaging, and fun training.

Here is the full transcript of the webinar:

Brandyn Hampton: All right. Good afternoon, everyone. I'm Brandyn Hampton, the event marketing manager here at Living Security. Welcome to our Breaking Security Awareness webinar number five, the CSO perspective. Today, we're going to be talking to George Finney, Chief Security Officer for SMU and Ashley Rose, our CEO and co-founder of Living Security. Ashley will be talking to George about all of the things from his perspective today. And I will introduce Ashley now. 

Ashley is the CEO and co-founder of Living Security. She's passionate about helping companies build a positive security culture with their organizations. An adoptable problem-solver, Ashley's thoughtful and transparent and [inaudible 00:00:44] running the company and working with clients with a singular goal: reduce risk by making people a security asset instead of a liability. Welcome Ashley, and Ashley will introduce George. 

Ashley Rose: Thanks so much for having me here, Brandyn. Thank you so much for everybody who has joined us on the webinar today. I saw some people from pretty far away and so,it maybe late your time, we appreciate you guys staying up. I'm really excited to be here today with George Finney. We just spent the last 20 minutes preparing for the webinar and kind of going through the questions, but we are not a couple of sidetracks. So I think you guys are going to be in for some fun conversation and maybe talking a little bit about security personalities, because he's got a pretty awesome quiz out there that we'll put out later. 

But first, let me just do a quick introduction. George Finney is the Chief Information Security Officer that believes that people are the key to solving cybersecurity challenges. You and I have that in common, George. George is the bestselling author of several cybersecurity books, including the award-winning book, Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future. George was recognized in 2021 as one of the top 100 CSOs in the world of CSOs connect and has worked in cybersecurity for over 20 years. He also helps startups, global telecommunication firms and nonprofits improve their security posture. Thank you so much for joining us George.

George Finney: Thank you so much for having me. It's an honor to be here.

A: Awesome. Well, I've been looking forward to this conversation for quite some time. We also did get to record a podcast for your podcast a little while back, and I just felt like the conversation wasn't over. We had so much more to discuss and I wanted to hear from your perspective hence, the CSO perspective today.

So I wanted to dive into a couple of questions and we'll see where this leads us. We'll also be taking questions in the chat. So if any of you guys have questions for George or myself that you want us to talk about, please pop them in there. But we'll start. One of the things I love about the way you described your role as a CSO is that you call yourself a bridge builder. And at Living Security, we always tell our customers that the only way to really try lasting change and to secure an enterprise is to get every single team member on board. So tell me a little bit about how you go about doing that as a CSO.

G: So, I think, the time that we live in now, we're in a pandemic it's gotten even harder to be a bridge builder, I think. But we've got to find ways to connect with people and I think it starts with empathy. So particularly with when we were beginning the pandemic and still today as kids are going back to school, and families are struggling with different issues, gosh, I mean, it all comes back to how much do you care? And, I mean, I've said about trying to build personal relationships with everyone. I mean, and it's impossible to do with everyone in an organization, but going to lunch, just calling people, checking in with them, being open, we've had morning coffee kind of things with our IT group, I've helped sponsor different folks to go through various trainings that aren't in my department or even in IT but I want to help build them up so that they can understand privacy where they can understand security.

I think the impact for them, again, it's always personal. So the way that I try and frame it, and this is how I also ended up writing a book about it, is I think security, no matter what career you're in, you might be in sales, you might be a dentist or an accountant, but I think security is going to be critical to everyone's career as we move forward. And I think we know that CEOs are being fired today for not getting security right. And I think if your aspiration one day is to be a CEO or a CFO, or any higher level position, we are going to need to know about security. And I think, gosh, that's an amazing position for us to be in security because we can help educate them. We can help demystify some of the scary things out there that people are worried about. And whether it's talking about ransomware or whether it's talking about protecting our kids online, there's so many ways for us to help people as individuals. And I think that's the first step at learning to be a bridge builder. And I think that's going to help us be that much more effective in our security programs when people know us, that they trust us and they're willing to work with us on things because they get something out of it too.

A: Yeah, I absolutely agree. And it, actually, one of the things you said made me think back to that security personality quiz that I just took right before the call. And one of the questions said when you're doing your job, if something comes up, how do you respond to that? Do you want somebody else to take care of it and go back to focusing on your job or is it something that you dive into? And I think so many times I hear from employees, companies that we work with when we were back, when they were onsite training, we heard a lot of like, well that's the security team's job, it's not mine. [inaudible 00:06:14]. And so like, oh, there's somebody to help me with that or IT should know what to do. And so I think to your point of being that bridge builder, one of the outcomes we're looking to drive and I'd be curious, you talked about relationships, but how do we help everyone to take a personal responsibility for security and to be an active contributor part of the security team? I think that's one challenge. And then, so what messaging or tactics have worked? And then how do you scale that out? Like you said, I mean, if we’re in large organizations, we can't go to coffee with everyone. So I know before we jump through our list of questions, I'd love to hear your thoughts on those two items.

G: Again, I think it's so true that security is everyone's job. And that's the way that I approach my team at SMU. When I say my team, I just don't mean the folks that are direct reports to me. I think of all 2,500 faculty and staff that play a role here. And so I mean, we were joking earlier, like I'd love to have little bracelets made up for everyone that says what would George Finney do? And in a way I think that personal touch, it's not necessarily that there's a division of labor and they can always say George is just going to go do it. I want them to channel their inner George Finney's and help think about, okay, this is the way I ought to be thinking about things. And this is who I ought to be when I'm at the office. 

So in terms of scale it's a huge challenge. And I think, gosh it’s easy to say that I'm just too busy, I'm in meetings, I'm working on something, I've got a presentation to give, I'm under a deadline. All of those things are true. But we also know that George can't make all of the decisions for everyone at the university, and nobody wanted me to do that anyway. So we've got to find that balance of figuring out okay, I know when they pick up the phone and call George if there's some kind of incident. But I've got to help them prepare so that they're educated enough to make the right decisions and to know when they need help or when they've got enough information to make the call themselves.

A: Yeah. That makes a lot of sense. And so I think going down that track, one of the challenges that I've heard from our customers and we work with people every day trying to solve for this is okay, I'm going to work on relationships. I'm going to go have a coffee, I'm going to go make bracelets, I'm going to make maybe a mascot for the security team. We have all these great and creative ideas, and I love it. I think it's been awesome. But then oftentimes we're left wondering, did we actually make an impact? Are people actually joining my security team? Do they feel they're powered to be part of the security organization or your extended team as a champion? And of course CSOs like yourself wear so many hats, and one of those has to be that sort of data analyst. And so I would be curious, how do you most accurately measure security behavior to determine whether you're actually making change? Are you moving the needle and getting people to buy into security?

G: So totally. And I think there's a lot of security awareness training out there. And some of them give you the option of measuring, doing the test before they take the training and then during the test after and I think that's teaching to the test. And it's measuring knowledge, which is maybe easier to measure. And the question is right on. All right, how do we measure behavior change? And so I mean, things like simulated phishing start to get at that because they're starting to measure what you would actually do in a real life situation. And I think we ought to do more of that. I love the idea of a tabletop exercise. And I think typically we focus tabletop exercises on executives or its staff. But I'd love to see us broaden that and have it be more experiential so that we can take a step back and have a no consequences environment where people are free to make mistakes and learn from them. 

But we also need to get to know them. And I think we'll probably talk about habits in a second. But we know that 50% of all human behavior is based on habits. And so when we're thinking about behavior change, a lot of the things that we're doing that aren't habits, we're using our critical thinking skills, we're solving problems, we're diving into coming up with creative solutions for our respective businesses. I think that the normal parts of our brain are totally consumed. And I think the way that we can really make a difference is by changing people's habits. And there's so much there, but in terms of seeing yourself as someone who values security, and then they can play a role in security, that identity is really where I want to start. Because if they don't believe that they can have an impact in security, then they're not going to. They're not going to think that it's their job, they're going to think it's George's job. 

However, I've had to shift my gears a little bit because we have a secret motto in security. We say that people are the weakest link. We've tricked ourselves into believing that the people around us can't make a difference. And if we believe that, then they're going to. So I think we need to shift gears a little bit. And once we start to believe that other people can play a role then we can help them build that identity and empower them to make change on their own.

A: Yeah. I mean, those are really good points. And something came to mind when you were talking about what security is typically known, or basically the bias maybe that we have as security professionals. But it's almost like we have to break down the barriers first and then build the bridge. Because a lot of our team members, our employees, and then maybe even ourselves are coming into this new organization, a new culture that we're trying to build, and they already have a lot of junk there. So we have to overcome the junk, break down the barrier and then work to build that bridge and that will help inform that positive culture. Is that where you're going with that?

G: That's exactly right. So in writing the book, I spent the last three years doing a deep dive into psychology and neuroscience. And one of the fascinating things that I found is when you train to be a psychologist or a counselor, they have this theory that as a counselor, they have to not make any judgements over the person. Whatever their baggage may be, whatever issues they may have, if they start judging their clients, they're not going to have a good experience, they're not going to be able to change outcomes. And so we have to have that same... the psychologists, they call it unconditional positive regard. And we have to have that same view of all of our constituents.

So I was at a conference back when we were still having in-person conferences and I heard a couple of people discussing someone who had clicked on a phishing link and the first thing they said was they should be fired. And I think that overlooks all of the human reasons why maybe they would have done that. And I think again, it has to be a different conversation about helping people. And certainly we need to hold people accountable when they're negligent and when they aren't doing their jobs right, but at the same time, we have to treat them like human beings and understand where they're [inaudible 00:14:40]

A: Absolutely, we need to think about security as a partner, I think is what we're going for. So I love that. So back on the track to metrics, because you talked about these nine habits. So my assumption would be that those are the metrics that you'd be measuring, you'd want to be measuring. Are we moving the needle across these nine habits? And so in your latest book, Well Aware, do you actually go into detail of what those nine habits are and that every person needs to master them in order to combat cyber security problems? So I'd love for you to talk today and go a little bit deeper into each of those, and then why they're all important.

G: Yeah. So I'll just start by saying I think, I have my own biases and how I view security but everybody's got a role to play. And understanding that different people have their different strengths means that we see the world in different ways. And sometimes I think that can feel like conflict. But really it takes all of our different perspectives working together to see the whole picture. And so I have this story where when I first started writing the book, I tried to reverse engineer all of the different tips and tricks that we give to people and put them in their categories. And that's really the genesis of the nine habits, but it starts with literacy and then skepticism, vigilance, secrecy and then culture diligence, community, mirroring and deception.

So the first four habits are all things that you do internally to yourself and then the final five are all things that you do with other people. But you need to do both. And so I have this theory that probably introverts are better at the internal habits and maybe extroverts are better at the external ones. But again, it takes all of us bringing our own unique strengths to the table to help us improve. And so really the first question I usually get when I talk about the nine habits and Well Aware is, okay, nine habits is a lot to start with, which one do I start with first? Is it literacy? Is there another one? 

And again, I think we ought to make security easy for people. And the way to make it easy is defined your unique strengths and to focus on those strengths first. So when I worked with executive coaches or leadership coaches over the years, and the best ones, they don't focus on your weaknesses to fix those, like you're broken, they focus on your unique strengths because that's what makes you incredibly valuable to your organization. So focusing on those and developing them really is what can take your security to the next level. And guess what, it's also easy because you feel like you value those things, you want to do them, and I think you can start to build from there.

A: Yeah. I think I like that a lot, and I've done the same. I've worked with some coaches and I think we do need to lean into our strengths and then there's also a balance of figuring out, okay, well, what do I really need to work on and how do I dig deeper? So I'd love to get your perspective on that. You mentioned literacy and some of these other ones. Can you give some examples of actual behaviors or things that we'd be looking to track or think about ourselves, like some of the quick areas that we could start in assessing, okay, am I doing well here or am I not?

G: Yeah. So I love the community habit. I think community is really the most important of all of the nine habits. So we come together as social animals as a form of protection. And I think we've evolved over time to reinforce that. So really it's about a community. And I think no matter what your strengths are, if you bring together a team of other folks that have other strengths, then you can have a really well-balanced organization. And so the example in security of that information security advisory councils, inside organizations or outside, you've got the Rem-ISAC here in higher ed, but you've also got FS-ISAC. Those are examples of great communities that add so much value. We know the bad guys collaborate and talk to each other. But if we do that together we get that much better.

Another great example for deception, for that as a habit, we teach our employees to lie when they're answering password challenge questions. We know password challenge questions aren't necessarily as well protected as maybe other parts like your password and easy to guess what your hometown is or what your mother's maiden name is. And so if you lie and have that as your habit, whenever you create a new account, and they're asking for your password challenge questions, as a habit, you want to develop that and that can influence other parts of your environment as well. And if the bad guys can't trust the answers you're giving them they're going to move on down the road.

A: Yeah. I was thinking about password management usage, and I love my password manager. And this is not a plug for password managers, but I do like this helps me keep all my passwords secure and safe and different. And just thinking about it, we almost need a password challenge question manager. Because at some point I'm going to lose track of all the different security questions I’ve had to answer, and I'm going to lose track of which security answers apply to which site.. So I don't know, you can't write sticky notes, so we got to put them somewhere. So maybe in those password managers.

G: I'm going to call my friends at LastPass and Dashlane and see if they can help us out.

A: Yeah. A little side project there. Awesome. So last night I we're here in Austin, Texas. We brought together about 16 different people from the cybersecurity community. So thinking about your habit around being in community and learning and sharing, I'll tell you, I think a lot of them came because we had a fantastic dinner planned at Jeffrey's. And if anybody's in Austin, Texas, check out Jeffrey's, an amazing prime rib and amazing appetizers. But it makes me think about incentives. And we know that one of the best ways to get fully on board with security initiatives and to really develop those positive habits is by offering incentives, whether it's dinner or coffee, or maybe it's a bracelet, what would George Finney do? But what are the best incentives that you've seen, or that you've used that have actually affected change with behavior?

G: So, again I think I love rewards and incentives. So we know from neuroscience there's a habit price. So if you're forming a new habit, if there's the cue that gets you to do the habit, there's the habit itself, the behavior and maybe we want to change behaviors or just reinforce the good ones that we already have, but the final step in the habit loop is the reward. And different things work for different people and I think you've got to work with your community to understand what the right ones are for different people. Some might be monetary, some might be something else. Maybe winning a new TV might get some folks excited. Others, I don't watch that much TV, so maybe that's not a great incentive for me. 

But by far Ashley, to actually answer your question, the most effective incentive that I've offered are free vacation days. So a couple of times a year, I'll call up our head of HR and say, "Hey, I'm doing this new security thing. I want to offer a reward." And she's like, "Okay, dude. How many vacation days are you asking for?" And honestly, for wellness programs, generally speaking, if you participate in them, you can win some sort of prize or get a free vacation day. So organizations are already doing that with HR. HR should be pretty willing to work with you. So if you can't get free vacation days, just magically appear out of the air, I think it's also possible to partner with your HR groups and maybe get credit in your security training for their overall wellness program. Again wellness programs are awesome because they're already tricking people into eating healthy or exercising or the things that have a benefit and the benefit to the organization, lower insurance premiums, fewer sick days, I think it's the same benefit for security training.

A: Yeah. Yeah. I love that. We've kind of seen a mix across our customer base. So if we see PTO days, I think that's a great one. One of the things that I've seen [inaudible 00:24:05] companies have used, and I think it's brilliant. They have something like this, they should, but it's like, it's all about partnering again. Tap into one of those programs that already exists. And sometimes they have those swag stores or things that you can combine points on. And just, I mean, to your point earlier, how do we make things easy? How do we reduce friction? Let's get security tapped into what's already there within the business. We don't need to create all of our own things, our own incentive program. If there's something that's already running, it's already working. So I think that makes a lot of sense. 

So we obviously talked a lot about security awareness training at Living Security. And the reasons really that why we founded the company to even get away, that traditional cybersecurity learning programs simply don't work. So what do we see as the future of training? What do you see as the future of training and really the importance of it for data security?

G: So a couple of thoughts there, I really think a lot of the "innovation" around security training has been, well we'll make the videos funny. And I mean, maybe the outcome of that is the people don't complain as much because it's not as painful to watch. And that's fine. But I have an older you know user population here at SMU. A lot of our faculty are maybe 50 plus. So having a funny video might work for a younger audience, but is it the same kind of humor that an older audience would work for? I really think we've gone a lot too online to scale the number of users that our security awareness training programs can support, but I really like the idea of making it more custom, I guess. And I think again, knowing our user populations better, getting to know them. And if our awareness training allows them to get us to know them better, I guess, I think having a more custom tailored approach to each individual and what works for them, what incentives work for them what their strengths are, knowing all those things about them I think will help us custom tailor that program to help them get better faster.

A: Yeah. I like that, about kind of relevancy and tailoring your program to your audience and then even to the individual. So I'm curious, given your security personality quiz, have you had all of your students and faculty go through that so that you can understand who they are and how to bucket them into groups before we can really tailor and target training?

G: Yeah. So I started small here. And it's interesting, and I do these other training programs whether it's like StrengthsQuest or DISC, there's a lot of personality assessments. But I think I've done them on a group by group basis so I want to take a whole team and then show it to the whole group after they've taken the test where everyone else shows up. And does that group makeup really align with what your goals are for your team or your organization? So for a security operations team, maybe they need to have a team that's heavily focused on folks who have to have vigilance, because they're always on the lookout for bad things. Maybe that group, if they're really great at deception, that's cool. But maybe we can find some projects where those kinds of habits are more valued. Or maybe you need more of a balance on your team because of the things you work on. So I like to, again, do smaller groups and focus on, hey, does this align with what you guys are trying to work through. And having those conversations again, I love the team building aspect of it. Because teams if you know what your teammates strengths are, you can go to them when you need help if those aren't your strengths and vice versa.

A: Yeah. Maybe another reason is social learning and putting people on teams and doing some of the team-based exercises. It's another by-product right, another product of that. Not just the learning components, but building strengths across the teams, building community, giving you somebody to go to when you need help or have questions and really scaling the effects of the security team. 

So we have some questions in the chat, but before we jump over there I'd love to understand what are your biggest concerns right now when you look at the state of cybersecurity? And obviously there's a new attack every day, every hour sometimes. And then maybe you can speak a little bit more specifically about threats to the educational higher ed, educational institutions and university networks from ransomware and other cyber threats. Love to understand what are those real-time policies and tactics that you're focused on right now to combat this?

G: Yeah. So in higher ed, gosh, the last year and a half has been a big challenge for obvious reasons. Some campuses have moved to more online learning. Lots of folks are working from home. But some folks have to come into campus to be here for onsite support reasons. So yeah I think we've seen in the last year that probably half of universities last year were hit by ransomware, which has a huge impact. We know enrollments at some colleges are down, so financially we can't necessarily afford to make the critical investments that we need to keep making a difference. Higher ed has traditionally been thought of as a soft target. 

I think we have really focused on things like two factor authentication and other modern EDR tools. So from a technology approach, you have to have some basic blocking and tackling in place. And it just takes a lot longer in higher education organizations to do some of those things. So the fun example I give, we had a lot of pushback over deploying two factor authentication to students because faculty were really concerned when they are sitting down to take a test in class, that the students would say, "Ah, my cell phone battery died and I can't take the test." So I think the lesson there more globally is as we think about security technologies, we really have to be thinking about the user experience. And we have to partner with the experts, and in our case faculty members to really hear what their concerns are and try and find good ways to both increase security, as well as improve the outcomes for the business, which for us are our learning outcomes or our research outcomes.

We don't want to stand in the way of the university getting that next grant to do an amazing thing and so how do we... I think the challenge for us is to have security. It's so scary in the media, there's all this ransomware and stuff, but how do we transform security into a business enabler? How do we make that a competitive difference that lets us get more grants to keep doing more and more research? I think that's where our focus on security needs to be, as more of an enabler.

A: I love that. Yeah. Security is a partner or a business partner and enabler mapping to business outcomes. So a lot of the hot topics, I think, that are going around our industry right now and even taking that step further, what you said, security has a competitive advantage because we know that for falling for cyber attacks, for getting breached, there's obviously tons of reputational damage. And as you're thinking about all different things that you might be going for, whether that's grants or a funding round for us as a security startup, there's a lot of negative business impact that can come from not being secure at the foundation.

Our second big takeaway, throughout our conversation today, was making it easy. How do we reduce friction for our users? How do we get them to buy-in? How do we help them and really empower them to be secure? So yeah, the security by design and making sure that the user experience, or UX is involved in some of the decisions that we're making in things that we're rolling out. Those are really, really good points and great takeaways. I think we're... Time to pause and get some community questions. So Brandyn, what do we have going on in the chat today? 

B: So first question, the biggest challenge is to measure the direct relationship of the effectiveness of cybersecurity awareness, mediums programs. Besides phishing simulation training, and then testing, what else do others do with real numbers to show they're making a difference? Ashley, you may want to speak to this as well. 

A: Yeah, absolutely. I think we kind of go back and forth, and I obviously want to hear George's perspective on this as well. So a lot of things are tied together. So for us as an organization, this is something we're actively helping people to move beyond to help mature their program, because as George mentioned in his talk, phishing simulations are a great place to start. They're indicative of potential behaviors. But what we really want to help organizations move to are what are those actual behaviors that are occurring within our environment? And this comes from a lot of partnerships within the security organization, connections, integrations, whether that'll be into your web, that your email, your endpoint, and really first identifying what are the behaviors that we need to change? Where are we most at risk as an organization? Start from the outcomes that we're hoping to drive and then move back. Where's that data live? How do I get access to it? Sometimes we can get spreadsheet downloads, or maybe we do have a direct API connection. And then working to say, hey, here's where we're at, here's where our baseline is. Let's implement some sort of, whether it's training or policy control, or we're going to have a conversation, we're going to drive incentives, we're to do something, we're to take an action, and then we need to measure the output and the ROI. 

So I think it's going to be different for organizations. And I'd love to hear what George's opinion is here and also how those map to habits, which was brought to my question earlier. What are those behaviors and habits that we should really be diving into, we should be measuring outside of phishing?

G: For us, again, we're very focused on data science. We've got a data science program here at SMU that's a great master's degree, if I can plug my master's in data science, but the fascinating thing that's come out of some of these programs is yeah, we get a lot more data. So we're very focused on student outcomes, for example, in terms of behavior. So being able to take all of our data around student engagement and define students at risk so that we can make sure that they don't drop out because they feel disengaged from their community, I think we can do the same things with security awareness. And again, it takes measuring those things. So for two factor authentication, seeing how frequently people use it is interesting but also understanding things like, well, are they using the remember me feature or are they jumping in every day? How do they understand the value of two-factor. Do they think it's an impediment to their getting their work done or do they think it's an enabler? And knowing where they're at, gosh, or why aren't we doing more surveys to ask those perception questions from our populations? I think those are awesome. 

Seeing one point a few years ago, we ran a report on how many jailbroken smartphones that we had. And okay, I think as we've come across things like that, we can go back to our quarterly security newsletter that we do and have articles that are relevant to those populations that help educate, okay, well, maybe this ought to be our next step, and this is what's... And so it's not just, hey, ransomware is in the news, let's do another article about that. It's well, how is our population interacting with technology? And where do we need to nudge them in the right directions to get that next step along the way accomplished, and break down barriers and to make people feel like this is something that they do value.

A: Yeah. I mean, just kind of wrap that point up, and I love the examples that you gave. You started and said, what do we need from a business perspective? What are the outcomes that we're looking to drive, or what risks do we face as a business? Okay, what behaviors would lead to those risks or would stop us from accomplishing a business outcome, for instance you said you implemented multi factor authentication. So we're doing that to obviously protect our applications and protect our sensitive data. So I'm assuming one of the measures of success is adoption of multifactor, to your point. And so we might say, okay, that's a behavior that we're looking to measure a change, well, now let's set up our systems, let's figure out where that data lives, let's set up accountability so they can track that over time, develop a baseline, and then take action. Is it an email campaign? George is getting on a webcast to the entire community and talking about why it's important to download the multi-factor authentication, why it's important to use it? How does this affect the person? And then taking off that temperature, taking that assessment afterwards. So we did this email campaign, 30 days later, were we able to move the needle? Did people download? Are they used? 

I think another one is back to phishing again, maybe not just the click rates. We know we all are trying to get our click rates down, but how much faster is your incident response team, able to actually respond when you can reduce your report rate? And so that's another core metric that we're seeing across the community right now. It's how we need to tap into our ITSM systems. And we're looking at report time when the first phishing email hits the inbox, how long does it take for the security team to be made aware? And that can be mapped to all types of business outcomes, obviously times [inaudible 00:39:29] in response and data cleanup and how fast the attackers can move across our systems in our environment. And so, again, you have to look at the furthest point away, like what's the business outcome, what's the business goal we're looking to achieve and then work back to those metrics that we're tracking. But no, great question.

G: Can I just say, I mean, I think we know that, I don't know, what's the last Verizon Data Breach Report? It probably says 98% of all breaches are because of people. But we really only put 2%, 3% of our budgets toward people, toward educating them, toward building data lakes, or data science repositories, and doing those kinds of things. And man, I mean, I think if we know the problem is the human parts, we definitely need to be investing in that area specifically. My personal view, we always talk about people, processes, and technology but we're myopically focused on technology as the solution to everything. Man, I think we really need to change that perception. Because it's people who create the technology, it's people who configure the technology, it's people who write the processes and follow the processes. So it's not like three equal slices of a pie, it's really all people. Not to sound like Soylent Green, right? But I think man, there's so much more that we could be doing but it really has to go beyond just the standard 30 minutes with some  security expert, I think somebody in the chat mentioned, Kevin Mitnick. No, let's not do that. Let's have more regular check-ins. Let's build more connections and more relationships and help people understand the risks we're facing.

A: Absolutely. And I know we didn't have a ton of time for questions. I think George and I could go all day, so what we'll probably do is I know Brandyn will take note of all the questions that were in the chat. George, you and I can go back and forth and maybe answer them and we can post a blog post to the site and then just get it out to people on the webinar to make sure we get all their great questions answered. I did want to... Yes, let's remind everyone and give another [inaudible 00:41:50] for George's Cyber Personality Test. I think that's a great opportunity. It's really fun and engaging. It's probably something that you could maybe even use across your teams. So we will share the link in the chat and do follow ups. 

Another big opportunity that we have coming up, and honestly, this is where a lot of companies get started is October is Cybersecurity Awareness Month. For a lot of organizations, it's sort of the one time that they get those extra resources. So maybe it's 2% of the budget, but a big part of that is maybe geared towards something that's let's just start over. Let's do a differentiated approach. Let's really raise awareness, get people excited. You can think about it as like an injection into your security programmers [inaudible 00:42:34], security awareness program. And so splitting security highs an entire cybersecurity awareness [inaudible 00:42:39] package. We're also offering some free content, free marketing materials, entire resource guide. So if you're looking to inject fun and gamification and culture into your program, we would love to send that out. So I know my team will follow up here on emails and just get some of that content out. George, any last words to wrap us up? Any takeaways?

G: Did you want to reveal live on air what your cyber personality was?

A: Oh, I can do that live on air. So I am, if you guys go through it, I am a Cybersecurity Scientist. And I'm not going to spoil all the goodness of what that means. You're going to have to go through the personality [inaudible 00:43:21] by yourself and then read George's book to figure it out. But I was surprised, but then when I read in depth what it actually meant, I was like, yes. This is absolutely my internal and external approach to cybersecurity. So I love that.

G: Cool.

A: Now George tell the team here because I did it, what are you? 

G: So I am a Cybersecurity Explorer, which... I built the test. I created it. I didn't know what personality I was going to end up with until I took the test myself. And again, it makes total sense, not just because I'm a Trekkie and I have that Explorer mindset, but being high diligence and high vigilance I mean, totally fits my personality to T. So definitely for folks who were on the call, oh my gosh, definitely need your help. I'd love to be able to answer the question. For a CSO, what are the top two or three personality types or a security ops person or CEOs or whatever. So eventually I'll have that research out there and I'll post it publicly on my website or on LinkedIn. So follow me. Wherever you interact on social I'm at @WellAwareSecure on Twitter, but feel free to connect with me on LinkedIn.

A: Awesome. Thank you so much for coming, George. It was great to [inaudible 00:44:46] with you today. We'll be in touch soon.

G: Thanks so much, Ashley.

B: Thanks everybody for joining us today. This recording will be available via email to everyone who registered and also on our resources tab on our website, livingsecurity.com. And we will also be raffling off five of George's books to two lucky winners. And join us again next month. We do this every month where we talk about really important security issues facing us today. So thank you everybody for joining us. Thank you to our guests, George, and Ashley. Everybody have a great day.

 

 

Subscribe to Learn How to Prevent Cybersecurity Breaches

Additional Reading