Finding Your Cybersecurity Identity With Habits

George Finney

Chief Security Officer at Southern Methodist University

Learning Objectives

Please join the Chief Security Officer of Southern Methodist University, George Finney, in this executive interview, where he will discuss the 9 different cybersecurity habits and the process to help you and your employees break them.


"There are nine different groupings of habits that we can work on to focus on for behavior change."

George Finney

Transcript

Britt Erler

Hello and welcome to CIO and CISO VISIONS Leadership Virtual Summit hosted on Quartz Network. My name is Britt Erler, QN executive correspondent. Thank you so much for joining us. Today, we will be discussing how to find your cybersecurity identity with habits. Providing insights on this topic, I’d like to welcome our executive speaker George Finney, Chief Security Officer for Southern Methodist University. Welcome, George.


George Finney

Thank you so much for having me, Britt, it’s awesome to be here.


Britt Erler

It is a pleasure to have you here and can’t wait to dive into this topic today. But before we do, so, if you wouldn’t mind giving the audience some context, about your background and your current role with SMU?


George Finney

So I’ve actually been at SMU for a long time. I came to SMU to get my law degree, which is, I know, weird for an IT guy, and also a little unusual for a CISO. But, you know, I have always been in technology. I was kind of inspired by open source software, you know, getting to understand how the business operates, you know, working through contracts, and, you know, compliance. And so security was just a natural fit for me. And to be able to kind of take some of those lessons that I’ve learned from, you know, from business or from the law and translate those back into conversations that can help people, I think, is incredibly valuable. But I also get to teach here at SMU as well. So, you know, it’s kind of a fun job, you know, everything’s new every day. So it’s just like everything else in cybersecurity.


Britt Erler

Of course, cybersecurity and education have seen so many changes in the past year alone, so I can’t even imagine. And you clearly have decades of cybersecurity experience. And I know that you recently decided to publish a book called Well Aware that really dives in and discusses these nine cybersecurity habits that people within an organization should master in order to combat a lot of the security issues that we’re seeing today. What inspired you to write this book?


George Finney

So I actually got the inspiration several years ago when I was working with a leadership coach after I became a CISO. And, you know, of course, I’ve read lots of professional development books over the years, but I was actually talking with him about how he works with other executives to coach them. And I realized that there really wasn’t a resource out there for coaches to use to help improve the security mindset of all the executives they work with. And ultimately, I think security is a leadership issue. And the challenge there is CEOs today are getting fired for not getting cybersecurity right. You know, you hear boards of directors say that cybersecurity is one of their most important things on the roadmap. But when you look at business schools, you know, the top 20 MBA programs in the country don’t even offer a cybersecurity course. So I think that means cybersecurity is going to continue to be an issue for years to come, unless we do something now. And Well Aware, the book, is my attempt to help bridge that gap with business leaders in kind of a non-technical way, to highlight the examples of successful leaders who’ve made a difference in security, rather than just focusing on what people do wrong. So it came out last year, and I was blown away by the response from the business community. I found out that I won Book of the Year by Business Class News. So, thank you. I mean, to be honored by a group of business leaders for the work that I’ve done and have it resonate with them? I think that’s incredible. And you know, of course, I think cybersecurity folks can get a lot out of it as well. But, um, you know, that was really the goal, was to connect, or build a bridge between what our CISOs and security community do with those other business leaders.


Britt Erler

And I think I find it really interesting because as important as cybersecurity has always been, it’s truly been brought to the forefront, especially last year alone now that we’ve become virtual in every single aspect of our lives. So it’s crazy to see how it’s evolved and is continuing to evolve in all these markets across the board. So for you to have the chance to really dive into this topic and help leaders no matter what industry they’re in, and make sure that they’re focusing in the right areas is such an inspiration. So let’s talk about it a little bit more. Talk to me about these nine habits that you identified.


George Finney

Um, so I kind of, you know, I reverse engineered the nine habits. So I started with this gigantic spreadsheet with hundreds of entries for all the cybersecurity advice that I’ve come across over the years. And then I, you know, I started to try and categorize all these different, like, tips or tricks that we give to people into common themes or constellations, if you will, of behaviors. And since we want people to repeat those behaviors, we need to make them happen. It’s something that we all do every day. And I found that ultimately cybersecurity is one habit, I think there are nine different groupings of habits that we can work on to focus on for behavior change. So in the book, I talked about how those different habits actually align with different parts of the brain, and the techniques for behavior change we’ve learned from psychology and neuroscience. So as a part of the book, I actually talked to hundreds of security leaders, CEOs, other executives, as well as experts in psychology and neuroscience to hone that list. But the habits are literacy, skepticism, vigilance, secrecy, culture, diligence, community, mirroring, and deception. So there will be a test at the end. Hopefully, you’ve memorized those that I’m on memorize. But so, you know, we asked our users to take lots of different kinds of security trainings, right, sometimes online, sometimes in person. You know, we send those simulated phishing exercises that people hate. But, you know, I really wanted to know what the most effective training was. And there’s nobody out there that can really afford to do A/B testing, like, you know, one training company versus another to find out which really was the most effective. So, you know, we do that for firewalls and security, we do that for antivirus. But nobody really does it for training.
And I started thinking about what metric, you know, what are we even use to measure that effectiveness of different security trainings, and really, that metric is behavior change. And we know from the psychology research that 40 to 50% of all the behaviors that we do in our lives are based on habits. So that means that the most effective way for training our users has to be based in training our habits. And that’s really where the nine cybersecurity habits came from.


Britt Erler

Now, how have these habits evolved or changed within the last year now that everything’s become virtual, and our kind of day to day schedules and mindsets have evolved? Or have they stayed pretty set in stone?


George Finney

You know, I think they’ve stayed pretty set in stone. You know, they did evolve somewhat as I was kind of, you know, categorizing them. And, you know, I think the goal for the nine habits was really to have, you know, a common thread for me as an individual to approach security from. So, you know, I think the ultimate answer is they shouldn’t change, right? No matter what technology you end up using, whether you’re a CEO, or whether you’re a single mom, or somewhere in between, you know, we ought to have a common approach to training folks in security. And, you know, it’s like teaching a person to fish instead of giving them fish, right, we want to have that roadmap. So they don’t have to keep coming back to us when the next version of Snapchat comes out. And we have to, you know, start over from scratch, right? We want to have that framework in place to help everyone be secure, no matter what they do, whether they’re working from home, or whether they’re back in the office.


Britt Erler

Right, you’ve really created this baseline for cybersecurity for companies, and then they can take it and mold it however they need to based on their company’s needs, which is incredible. And now I know, based on these nine habits, you also created a personality test. Talk to me a little bit about that.


George Finney

Yeah, you know, people love personality tests. You know, so I wanted to look at security in general, not from my perspective as a CISO, or some cybersecurity expert, but I wanted to look at it from the perspective of an individual. So as a person, it doesn’t help me to know about PCI compliance, or the NIST framework. And even more than that, as a CISO, I need to be able to help everyone from the CEO to an administrative assistant to be secure. So before I even get started with doing all those things that I need to do to make myself secure, I need to believe that I’m the kind of person that values security. And we already all have our own unique strengths and values and perspectives when it comes to security. So I wanted to find a way to help highlight those things, to capture what your identity is, but also to jumpstart the process for building those nine habits. So I developed the nine cybersecurity habits. And along the way, I kind of observed that the first four habits were all things that we do internally within ourselves. But the final five habits all involve other people. So you know, the first four habits, right, you think of things like literacy or skepticism, those are internal, right, the final five habits, culture, or community, those all involve other people kind of coordinating together. And we all have our own natural strengths among the different habits. And so what the personality test does is it looks at your biggest internal strength and your biggest external strength. And those two combined manifest themselves in 20 different, what I’m calling, cybersecurity identity archetypes. So personally, I didn’t know this before I took the test, even though I created the archetypes.
But I found that I’m a cybersecurity Explorer, which means that I have high vigilance and high diligence, which kind of makes sense for me, because, you know, again, I’m exploring, right, I’m always trying to find the next new thing, the next pattern, but you might be a cybersecurity believer or an enforcer or rebel. So, you know, folks will be able to go to my website, which is wellawaresecurity.com, to take that test for free. But also, there are a lot of things out there that I’m not good at, because I’m an explorer. So maybe culture or skepticism might not be my strength. So, you know, we all work together in teams. And so these archetypes can help us work together to put the right archetypes together to support our goals. So I asked my own team to take the test. And it was really cool to see the balance between these habits start to take shape, and how each person’s personality fit into the role that they already play on the team. But, you know, certain kinds of industries or projects might call for a team with, you know, more skepticism or more culture, but not necessarily deception. And so, you know, also the goals of the organization might vary, right. So, you might need a leadership team that’s more well balanced among all the habits, rather than focused on one area. I think this can help us work better together, by understanding where each one of us is coming from when it comes to security, and really what we value, and then that starts, I think, with our identities.


Britt Erler

Yeah. And I think it’s really unique, because even though you created this baseline that really can be used by any organization, you also realize that every single employee and person is different. And you made it personal, right? So people can actually work on it themselves internally and externally with their organization, as a team or with whoever else. And I think that’s what’s really going to get people involved and motivated in something like this. And that leads perfectly into my next question. This all sounds incredible, right? These tests, these baselines, but I think the biggest struggle for a lot of companies is, okay, where do I start with implementing this into my organization? How do I get my employees motivated to do this and excited about changing their cybersecurity habits? What are your thoughts on that?


George Finney

So you know, to be successful at behavior change, we have to make it easy. And, you know, I think that’s what gets some people, is people think that security is hard, or it’s scary. And so we need to be able to get rid of the obstacles that prevent people from doing those new behaviors and adopting those new habits. And I think that in security, we’re good at giving advice. So you remember this spreadsheet that I mentioned, but really, what we’re doing is leaving the hard part up to our users, right? They’re the ones that have to take that crazy advice that we’re giving them, and actually figure out how to incorporate those behaviors into their lives. So we say like, okay, don’t write your password down. And everybody’s heard that, right. But I’ve got 100 passwords, some I have to share with family members, I’ve got like, 20 devices that I need to get all those passwords on. So, like, how do I do that? That’s the hard part. It’s easy for me to give that advice. So you know, even if I go get a password vault, I still got to work that new thing in my life. So the approach that I recommend is, you know, similar to, you know, if you’ve heard the advice, that if you want to start running, you should go to sleep in your workout clothes, and maybe have your tennis shoes right by the bed. Right? So that makes the new habit that you’re trying to build easy. And that advice really works for people who want to start working out, in part, because it’s not judgey, right? And so if you don’t do it, there’s no moral failing for you. It’s just very direct and specific advice. So that’s the kind of, like, recipe for success that I wanted to develop when it comes to cybersecurity. And so there’s been a number of, like, really great books out there on habits recently. So obviously, there’s my book, of course, and by the way, if you’re listening to this and you read it, post a review, that really helps out.
But as I was writing the book, I was really influenced by Charles Duhigg’s The Power of Habit. I also read James Clear’s Atomic Habits. There’s a Stanford professor, BJ Fogg, wrote a book called Tiny Habits, which I love. I think that’s actually my favorite of all of them. And they all use different terminology. But they all agree that there’s this mental habit loop that happens in all of us, right. And so the first step in that habit loop is the prompt, that gets you to start the behavior, then there’s the behavior itself. And then there’s a reward that releases endorphins in your brain to remind you that, when you want to do that behavior again, there’s going to be an incentive. And that kind of completes the loop. And so in Fogg’s book, Tiny Habits, he introduces this idea of habit recipes. And so I’ve started using those little habit recipes in my daily life, or when I train my users, to help build those healthy cybersecurity habits into their lives the way they’ve lived them. And also, again, you know, we’re personalizing it, right, if you’ve got the, you know, the personality assessment, the identity, and so you’re really customizing, and not just to an individual, and like their job role, but really to their lives the way they live it. So, you know, that allows us to focus those habits on their particular strengths, based on personality, right. So you know, one of the things that all of the habit experts recommend, again, you want to make it easy when you want to start with low hanging fruit. And so if I identify with, you know, skepticism, for example, that, you know, will just kind of supercharge me and get me started that much faster. So I like to give a concrete example of the habit recipes, right. So, in the habit of deception, whenever my daughter and I, she’s five, right. But when we go to the drive thru, she always, this is her idea, by the way, but she always reminds me to think of a fake name to the person taking our order.
And so there’s this great bomb, like, you know, I’ve got to come up with a new fake name every time, I can’t use the same fake name. But she knows, like, the Starbucks barista doesn’t need to know my real name, or her real name, right. And when they call it out to the restaurant, like, that’s advertising who you are, and, you know, could be used against you. So, you know, the prompt, in this case, is going to the drive thru or getting takeout, the behavior itself is that fake name. And the reward is getting, you know, that fun time to spend with dad or, or maybe eating french fries or whatever. But, you know, the point is that different prompts or different rewards work differently for different people. So you’ve got to find that, you know, sweet spot that works well for all of us. And, you know, again, you may want to focus on different behaviors in your life. Again, find that sweet spot, the low hanging fruit that’s going to get you started the quickest. But each recipe should be personal to you and build on your own natural strengths. So you know, if we’re going to start making security easy, we want to start with the small wins and build up from there.


Britt Erler

From there, absolutely. Now, I have to know, George, what is the best name you’ve ever given at Starbucks? I have to know.


George Finney

You know, I love giving the name Elvis. Um, you know, and nobody calls me out on it. They’re, like, really look like an Elvis. Um, but you know, maybe I do look like an Elvis, I just didn’t know.


Britt Erler

Hey, you know, I can see it. Maybe you’ve got some moves that we don’t know about, George, we never know, we never know.


George Finney

You know, I may have some moves.


Britt Erler

Now, I do want to ask, because obviously, you now know, for lack of a better term, you’ve labeled certain personality traits. You also identified these habits. Once you’ve identified this for a certain person, does your book or does this test provide suggestions as to how to now move forward with that, evolve, and, you know, really make sure that you’re learning and growing within that particular habit?


George Finney

Absolutely. So I’m actually working on a masterclass now, we’re gonna launch it on Udemy. But it goes specifically into the habits, the recipes, there’s a whole workbook that goes along with it to help you kind of, you know, find your low hanging fruit, whatever your strength is, and then build from there. So, you know, I think, again, you know, that what I mean, I think the goal is to create like a cookbook, you know, for lack of a better term, for all the recipes. But yeah, I think collectively, all of us working together to share recipes. You know, the seventh habit is community, right? I think all of us working together will help us get there that much faster.


Britt Erler

Completely agree with you. And, you know, obviously, every company right now, big or small, is kind of in a different place, you know, with the pandemic ending last year. Some companies are able to pivot and go virtual, some it took them a little longer, because they were still kind of in the stone age, in terms of IT. You know, for a lot of upper IT leadership, what are some final pieces of advice that you have for them to make sure that they’re moving their teams and their company in the right direction when it comes to cybersecurity?


George Finney

So the first thing I go back to, you know, through the whole pandemic is empathy. And, you know, I mean, with all of us being so disconnected, you know, some of us, like me, have young kids at home, you know, there are challenges being a parent, you know, there are challenges, you know, being single and trying to date during a pandemic, you know, some folks are having family hardships that, you know, are also challenging, right, so all of us are kind of approaching it, you know, from different perspectives, and just that little effort of looking at it from someone else’s perspective, I think, is what’s gotten a lot of us through, and I think that’s really separated out the great leaders from the ones that you kind of want to get away from. And, you know, I think, you know, taking that approach to security, you know, as we know, you know, this is one of the stats in the book, you know, companies with a poor culture are three times more likely to have been the victim of a data breach. So, you know, we know from the corporate research out there that, you know, companies that have great cultures are more profitable, they’re more productive, you know, they are also more diverse. And at the end of the day, I think they’re more secure, too. So, you know, I think, you know, empathy is a great leadership strategy. You know, and I think if we’re in security, and we’re focused on, you know, again, you know, the negative, on fear, we’re actually out of alignment with a lot of the leadership direction out there that maybe our CEOs and others are moving towards. But if instead we’re focused on empathy, and focused on helping build stronger communities and organizations, then I think we’re all going to be in alignment, and we’re going to work much better with our business executive partners.


Britt Erler

I completely agree. And I can really see how that correlates, you know, empathy, we’ve seen such a rise in the sense of humanity. If you have a credible culture, you know, there’s that much more trust, that much more transparency, and you’re less likely to have, you know, disgruntled employees, you know, or people that don’t want to be there, that aren’t productive, that aren’t keeping your information and the rest of the organization safe. So I can definitely see how that goes hand in hand. And I think that’s some incredible advice for any company, or any department, not just IT, especially moving forward in this virtual world that we’re in. So, George, incredible advice today. I myself will be taking a look at your book. I think it’s so interesting. And I think, you know, for people who aren’t even in the IT space, it’s critical for us to make sure that we are constantly up to date on cybersecurity, because we brought work now into our home. So fantastic advice for companies, organizations and people across the board. Thank you so much for being here. Thank you to everyone who has joined us today as well. I’m sure you will have further questions, not to worry. There is a discussion forum underneath this presentation. Please be safe, be healthy and enjoy the rest of the CIO and CISO VISIONS Leadership Virtual Summit.

