Master These 9 Habits to Combat Cybersecurity Issues

George Finney

Chief Security Officer at Southern Methodist University

Cyber risks are consistently touted as one of the biggest challenges to an organization, yet even the top business schools in the nation lack courses in cybersecurity.

Quartz Network Executive Correspondent Britt Erler sat down with George Finney, Chief Security Officer at Southern Methodist University (SMU) to share the top cybersecurity habits that will help your organization combat the majority of today’s security issues.

George explains the nine habits that must be mastered, including:

  1. Literacy
  2. Skepticism
  3. Vigilance
  4. Secrecy
  5. Culture
  6. Diligence
  7. Community
  8. Mirroring
  9. Deception

Quartz Network: Can you share a bit about your background and your current role with SMU?

George Finney: I’ve actually been at SMU for a long time. I came to SMU to get my law degree, which I know is weird for an IT guy and also a little unusual for a CISO. But I have always been in technology. I was inspired by open source software and getting to understand how the business operates, working through contracts and compliance. Security was just a natural fit for me.

To be able to take some of those lessons that I’ve learned from business or from the law and translate those back into conversations that can help people is incredibly valuable.

I also get to teach here at SMU as well. It’s a fun job and everything’s new every day. It’s just like everything else in cybersecurity.

Quartz Network: You recently decided to publish a book called, “Well Aware” that really dives in and discusses these nine cybersecurity habits that people within an organization should master in order to combat a lot of the security issues that we’re seeing today. What inspired you to write this book?

George Finney: I actually got the inspiration several years ago when I was working with a leadership coach after I became a CISO. And, of course, I’ve read lots of professional development books over the years, but I was actually talking with him about how he works with other executives to coach them. And I realized that there really wasn’t a resource out there for coaches to use to help improve the security mindset of all the executives they work with. And ultimately, I think security is a leadership issue.

The challenge there is CEOs today are getting fired for not getting cybersecurity right. You hear board of directors say that cybersecurity is one of their most important things on the roadmap. But when you look at business schools, the top 20 MBA programs in the country don’t even offer a cybersecurity course. So I think that means cybersecurity is going to continue to be an issue for years to come, unless we do something now.

And “Well Aware” is my attempt to help bridge that gap with business leaders in a non-technical way. To highlight the examples of successful leaders who’ve made a difference in security, rather than just focusing on what people do wrong.

It released and I was blown away by the response from the business community. I found out that I won Book of the Year by Business Class News. To be honored by a group of business leaders for the work that I’ve done and have it resonate with them? I think that’s incredible.

Cybersecurity folks can get a lot out of it as well. That was really the goal, to build a bridge between what our CISOs and security community do with those other business leaders.

Quartz Network: Can you explain the nine habits that you identified?

George Finney: I kind of reverse engineered the nine habits. I started with this gigantic spreadsheet with hundreds of entries for all the cybersecurity advice that I’ve come across over the years. And then I started to try and categorize all these different tips or tricks that we give to people in the common themes or constellations, if you will, of behaviors.

And since we want people to repeat those behaviors, we need to make them happen. It’s something that we all do every day. I found that ultimately cybersecurity is one habit. I think there are nine different groupings of habits that we can focus on for behavior change.

So in the book, I talked about how those different habits actually align with different parts of the brain, and the techniques for behavior change we’ve learned from psychology and neuroscience. So as a part of the book, I actually talked to hundreds of security leaders, CEOs, other executives, as well as experts in psychology and neuroscience to hone that list.

The habits are literacy, skepticism, vigilance, secrecy, culture, diligence, community, mirroring, and deception. So we asked our users to take many different kinds of security trainings, sometimes online and sometimes in person. We sent those simulated phishing exercises that people hate. But, I really wanted to know what the most effective training was. And there’s nobody out there that can really afford to do A/B testing of one training company versus another to find out, which really was the most effective.

We do that for firewalls and security and we do that for antivirus. But nobody really does it for training. And I started thinking about what metric we are even using to measure the effectiveness of different security trainings. And that metric is behavior change.

We know from psychology research that 40 to 50% of all the behaviors that we do in our lives are based on habits. So that means that the most effective way for training our users has to be based in training our habits. And that’s really where the nine cybersecurity habits came from.

Quartz Network: Have these habits evolved or changed within the last year now that everything’s become virtual or have they stayed set in stone?

George Finney: I think they’ve stayed pretty set in stone. They did evolve somewhat as I was categorizing them. The goal for the nine habits was really to have a common thread for me as an individual to approach security from.

So I think the ultimate answer is they shouldn’t change, right? No matter what technology you end up using, whether you’re a CEO, or whether you’re a single mom, or somewhere in between, we ought to have a common approach to training folks in security. It’s like teaching a person to fish instead of giving them fish. We want to have that roadmap so they don’t have to keep coming back to us when the next version of Snapchat comes out and we have to start over from scratch. We want to have that framework in place to help everyone be secure, no matter what they do. Whether they’re working from home or they’re back in the office.

Quartz Network: Based on these nine habits, you also created a personality test. What is that about?

George Finney: People love personality tests, so I wanted to look at security in general. Not from my perspective as a CISO, or some cybersecurity expert, but I wanted to look at it from the perspective of an individual.

So as a person, it doesn’t help me to know about PCI compliance or the NIST framework. And even more than that, as a CISO, I need to be able to help everyone be secure from the CEO to an administrative assistant. Before I even get started doing all those things that I need to do to make myself secure, I need to believe that I’m the kind of person that values security.

We already all have our own unique strengths and values and perspectives when it comes to security. So, I wanted to find a way to help highlight those things. To capture what your identity is, but also to jumpstart the process for building those nine habits. So, I developed the nine cybersecurity habits.

Along the way, I observed that the first four habits were all things that we do internally within ourselves. But the final five habits all involve other people.

So, the first four habits you think of things like literacy or skepticism. Those are internal. The final five habits, culture, or community, those all involve other people kind of coordinating together. And we all have our own natural strengths among the different habits.

So what the personality test does is it looks at your biggest internal strength and your biggest external strength. And those two combined manifest in 20 different cybersecurity identity archetypes. Personally, I didn’t know this before I took the test, even though I created the archetypes.

But I found that I’m a Cybersecurity Explorer, which means that I have high vigilance and high diligence, which kind of makes sense for me, because, again, I’m exploring. I’m always trying to find the next new thing, the next pattern. But you might be a Cybersecurity Believer or an Enforcer or Rebel.

So, folks will be able to go to my website to take that test for free. But also, there are a lot of things out there that I’m not good at, because I’m an explorer. So maybe culture or skepticism might not be my strength. We all work together in teams and these archetypes can help us put the right archetypes together to support our goals.

So I asked my own team to take the test. And it was really cool to see the balance between these habits that start to take shape and how each person’s personality fit into the role that they already play on the team.

Certain kinds of industries or projects might call for a team with more skepticism or more culture, but not necessarily deception. Also the goals of the organization might vary. So, you might need a leadership team that’s more well balanced among all the habits, rather than focused on one area. I think this can help us work better together, by understanding where each one of us is coming from in regards to security, and really what we value. That starts with our identities.

Quartz Network: How do you get employees motivated to do this and excited about changing their cybersecurity habits?

George Finney: To be successful at behavior change, we have to make it easy. That’s what gets some people to think that security is hard, or it’s scary. So we need to be able to get rid of the obstacles that prevent people from doing those new behaviors and adopting those new habits.

In security, we’re good at giving advice. But really, what we’re doing is leaving the hard part up to our users. They’re the ones that have to take that crazy advice that we’re giving them, and actually figure out how to incorporate those behaviors into their lives.

We say, okay, don’t write your password down. And everybody’s heard that. But I have 100 passwords, some I have to share with family members. I have 20 devices that I need to get all those passwords on. So, how do I do that? That’s the hard part.

It’s easy for me to give that advice. Even if I go get a password vault, I still have to work that new thing into my life. The approach that I recommend is similar to this advice: If you want to start running, you should go to sleep in your workout clothes and have your tennis shoes right by the bed. That makes the new habit that you’re trying to build easy.

That advice really works for people who want to start working out, in part, because it’s not judgey. If you don’t do it, there’s no moral failing for you. It’s just very direct and specific advice. That’s the kind of recipe for success that I wanted to develop when it comes to cybersecurity.

As I was writing the book, I was really influenced by Charles Duhigg’s “The Power of Habit” and I also read James Clear’s “Atomic Habits”. There’s a Stanford professor, BJ Fogg, who wrote a book called “Tiny Habits” which I love. That’s actually my favorite of all of them.

They all use different terminology but agree there’s this mental habit loop that happens in all of us. The first step in that habit loop is the prompt. That gets you to start the behavior and then there’s the behavior itself.

Then there’s a reward that releases endorphins in your brain to remind you that when you want to do that behavior again, there’s going to be an incentive. And that kind of completes the loop.

So in Fogg’s book, “Tiny Habits”, he introduces this idea of habit recipes. I’ve started using those little habit recipes in my daily life or when I train my users to help build those healthy cybersecurity habits into their lives the way they’ve lived them.

Again, we’re personalizing it so that allows us to focus those habits on their particular strengths, based on personality. One of the things that all of the habit experts recommend is that you want to make it easy and you want to start with low hanging fruit.

If I identify with skepticism, for example, that will supercharge me and get me started that much faster. I like to give a concrete example of the habit recipes. So, in the habit of deception, whenever my 5-year-old daughter and I go to the drive thru, and this is her idea, but she always reminds me to give a fake name to the person taking our order. So there’s this great bond and I have to come up with a new fake name every time.

So, the prompt, in this case, is going to the drive thru or getting takeout. The behavior is that fake name. And the reward is getting that fun time to spend with dad, or maybe eating french fries. But the point is that different prompts or different rewards work differently for different people. So you’ve got to find that sweet spot that works well for all of us.

You may want to focus on different behaviors in your life. Again, find that sweet spot, the low hanging fruit that’s going to get you started the quickest. But each recipe should be personal to you and build on your own natural strengths. So if we’re going to start making security easy, we want to start with the small wins and build up from there.

Quartz Network: Does your book or does this test provide suggestions as to how to move forward and really make sure that you’re learning and growing within that particular habit?

George Finney: Absolutely. I created a masterclass on Udemy that goes specifically into the habits and the recipes. There’s a whole workbook that goes along with it to help you find your low hanging fruit, whatever your strength is, and then build from there. I think all of us working together will help us get there that much faster.

Quartz Network: What final advice do you have for IT leaders to make sure they’re moving their teams and their company in the right direction when it comes to cybersecurity?

George Finney: The first thing I go back to, through the whole pandemic, is empathy, with all of us being so disconnected. There are challenges of being a parent, or of being single and trying to date during a pandemic. Some folks are having family hardships that are also challenging.

So all of us are approaching it from different perspectives. But it’s that effort of looking at it from someone else’s perspective that has helped a lot of us through it.

I think that has really separated out the great leaders from the ones that you want to get away from. Taking that approach to security – and this is one of the stats in the book – has shown companies with a poor culture are three times more likely to have been the victim of a data breach. So, we know from the corporate research out there that companies that have great cultures are more profitable. They’re more productive and they are also more diverse. At the end of the day, I think they’re more secure, too.

So empathy is a great leadership strategy. If we’re in security and we’re focused on the negative, on fear, we’re actually out of alignment with a lot of the leadership direction out there that our CEOs and others are moving towards. But if instead we’re focused on empathy, and focused on helping build stronger communities and organizations, I think we’re all going to be in alignment and we’re going to work much better with our business executive partners.
