Adopting Zero Trust with Author George Finney
Season Two, Episode Three: Approachable
Catch this episode on YouTube, Apple, Spotify, Amazon, or Google.
Zero Trust as a concept or strategy on the surface appears simple in nature. Heck, it’s only two words. However, when push comes to shove, and it’s time for organizational adoption, Zero Trust impacts every aspect of a business in the form of a digital transformation. Fortunately, for every complexity and question, there is an answer and solution, which is where our latest guest comes into play.
This week on Adopting Zero Trust (AZT), we chat with infosec author, practitioner, and educator George Finney about ways to make ZT more approachable. Finney is the best-selling author of Project Zero Trust, which currently offers the most approachable way to understand John Kindervag's 5-Step methodology for implementing Zero Trust, the four Zero Trust design principles, and how to limit the impact of a breach.
“I think one of the reasons why Zero Trust is so successful is that we synthesize down all of our best practices in security down to two words. We almost made it too simple,” said Finney.
Be sure to check out the not-editor’s note to see how you can get a chance to win a copy of George’s book.
In lieu of our regular editor’s notes, we are running a little giveaway for the next two weeks. Simply drop a comment on AZT, Elliot, or Neal’s LinkedIn post promoting this episode, and we’ll pick two people at random to receive Project Zero Trust. You must be within the U.S., and we’ll send it via Amazon. If you prefer the ebook or audiobook, we can make that happen as well.
Weekly Zero Trust Headlines and News
Most of the content about Zero Trust is opinion-based, but here are some impactful news stories from the past couple of weeks.
A Zero Trust Success Story, Risk Dashboards, and Brands and Politics
Pentagon Rolls Out Updated Cybersecurity Reference Architecture
State CIOs Focus on Cybersecurity and Identity Management in 2023
Thunderdome hits its targets, DISA moves to next phase of zero trust
Zero trust, XDR prominent in Gartner’s Hype Cycle for Endpoint Security
An ounce of prevention is worth a pound of cure
Investing in Zero Trust has long-term payoff
Defense in depth is not a strategy
Making Zero Trust More Approachable
The entirety of season one of AZT was centered around demystifying the concept of Zero Trust and squashing some of the vendor hype. What we quickly discovered is that there are dozens of different definitions and takes, and it has different meanings for every organization. To add to the complexity, when reviewing the key trusted documentation from organizations like CISA, NIST, and Forrester, there is a technical learning curve that comes along with it.
“For Zero Trust to be successful, we have to really make it a lot more approachable, right? It can't just be for us security nerds to get; it’s who needs to do Zero Trust,” said Finney.
When Finney first started to outline Project Zero Trust, he started by honing in on who it was for. There is already plenty of information for practitioners, but what about other positions within an organization that play a critical role?
“Executives, non-technical folks, CFOs or board members, they have to understand Zero Trust. And I think bringing all of that context together, there are so many folks in it that need to understand how to play their role in zero trust.”
If you’ve been with AZT since season one, this should sound familiar, as Maureen Rosado discussed how important building an advisory group within an organization is to ensure Zero Trust is properly adopted.
Economics is in Play
Or, why Zero Trust is not technology, and it doesn’t need to cost an arm and a leg.
Unless you live under a rock (that’s where I usually am), it’s easy to see that the economic situation in the U.S. is a bit stressed. We are seeing technology companies, including cybersecurity vendors, shed anywhere from 5%-20% or more of their staff, trim budgets, and ask teams to do more with fewer resources.
What does this have to do with Zero Trust? Well, it certainly isn’t going to reduce the number of SaaS websites slapping Zero Trust on the cover of their technology, but it does offer a strong argument for doubling down on building a strategy right now.
“I want to be sensitive, particularly now with the economy kind of still in, not limbo, but still struggling. There's a lot of layoffs announced in the last month or so. Folks are still concerned about the economy. We're [cybersecurity executives] worried about budgets, and it feels like security teams are maybe relatively safe these days. But in terms of the adoption of Zero Trust, the reason that we do Zero Trust is that it's a strategy focused on prevention. Prevention as a strategy,” said Finney.
Building on Finney’s comments, it’s also important for us to remember that Zero Trust is not technology, though it certainly plays a role. So when experts like George recommend moving forward with a strategy, it can start with something simple like a risk assessment to determine if users have too much access to information and data, and if you have a solution available to microsegment them.
“Prevention's worth a pound of cure. There have been studies around Zero Trust that show that it's 10 times as cost-effective, or, if you wait until a breach to say it the other way, it's 10 times more expensive. When we're thinking about being responsible stewards of our organization's funds, investing in Zero Trust really does have a long-term payoff.”
This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.
Elliot: Hello and welcome to Adopting Zero Trust, or AZT. I'm Elliot, your co-host alongside Neal, the true, true mouth of our podcast and conversation. Today we're actually going to be able to dig into an area of Zero Trust that we have yet to be able to explore. I think we've referenced this.
In fact, I think it was from Chase. He recommended the focal point of this conversation. But today we have educator, practitioner, thought leader Mr. George Finney, the author of Project Zero Trust. Thank you so much for being here, George. Really appreciate it. And you know, having now read through your book on Project Zero Trust, this is gonna obviously be the top of our list for something that we recommend.
But that said, I'd love to learn a little bit more about your background and what led you to publishing this work.
George Finney: Well, first of all, you guys are so awesome for having me on your show. Thank you so much for bringing me on. I feel a little self-conscious. I actually just shaved off my beard. So I've been out bearded. So, you know, gosh, I am very self-conscious about my baby face here.
No. So, wow. I've done so many different things in security and IT over the years. I started out in telecommunications. I worked on people's fiber optic or DSL lines before they even had fiber. I was a network engineer, was a self-taught Linux admin, ran email servers and DNS servers and PHP all over the place.
And after all of that, just a huge advocate of open source, I thought, I know what I'll do. I'll go be a lawyer. So I got my law degree. That's the reason that I came to Southern Methodist University. I'm still here 20 years later. And I kind of worked my way up from the email room and I'm now the CISO of the university.
But I've gotten to be able to teach while I've been here, which was amazing. I love, you know, getting that energy from new students coming into security. But also one of the things I've been able to do while I've been at SMU is I've written a couple books, and you guys are very familiar with the latest one, Project Zero Trust.
Just such a fun, you know, project to be able to come together. I don't wanna give any spoilers away, but gosh, I'm really excited to talk to y'all.
Elliot: Wonderful. So I will try not to provide too many spoilers; we can focus on the chapter titles, if that maybe helps a little bit. And I apologize, I don't want this to be demeaning, but the best way that I can position it is this is like a cybersecurity, Zero Trust themed fan fiction novel almost, and I mean that in the nicest way possible, because all of the conversations that we had, all the previous episodes, everyone will reference, you know, look at CISA, NIST, and these very dry pieces of material, which are like the core framing of what Zero Trust is. Obviously we chatted with Chase and some other folks that have influenced and shaped it, but there is nothing really available, at least that I've come across, and maybe Neal has, but there's nothing that really.
The groundwork that explains Zero Trust in such a succinct and natural way that would actually occur in reality. So like you are literally walking people through a triggering event for why a certain organization would implement Zero Trust and open the doors. And also just to go off on a tangent, I love the fact that, so again, I'll crack the spoiler a little bit because it's right on the first few pages, but a breach is the triggering event.
But I love that you're creating a scenario where it's an infosec security team. They're not necessarily running around like their heads are cut off like a chicken. But you're creating an atmosphere where good is gonna come out of it. Like it is clearly a strategic push, and there's some, you know, running around outside of that. That said, I think it's a very realistic scenario. There's conversations that we've seen, but it walks you through all these different elements and then it progresses just like the conversations that we've had in these episodes in the past. So that is all to say, I fully appreciate the context and the format you put this in, and I feel like, as far as a business oriented book, this is the kind of thing that, you know, other people in your shoes, the executive level for security roles who don't understand what Zero Trust is, this is exactly what they need. Some of them maybe will create coloring books one day and simplify it. But like, this is such a good resource to really just walk you through, like, a day-to-day system, like the narratives that you clearly had to go through to build this context.
So, my rambling aside, I'd love just your input on, you know, what was the groundwork for you to build this? What influenced, and why did you decide to position it the way that you have?
George Finney: Yeah, so I got this call out of the blue. I'd written several other cybersecurity books. You can see one, I guess, in the background. My book Well Aware won the book of the year award. So, you know, I thought I was done writing books, and, you know, so Wiley calls out of the blue and says, Hey, we want you to write a book on zero.
And I almost said no. Like, I didn't wanna write anymore. I wanted to kind of focus in on some things, but, you know, I thought I'd be nice and helpful and I'm like, Hey, you know, do you guys know John Kindervag? I'll just text him for you. He, you know, he's been talking about writing a book.
You guys could just go do it and work it out. And they're like, yeah, we called John. He's too busy. And I'm texting, you know, like, John, what are you doing? And you know, it turns out he, you know, he was so generous. He's a good friend of mine, and I wasn't gonna write a book on Zero Trust without the blessing of the guy who kind of coined the term.
And so, you know, it just kind of happened over the weekend. You know, they don't tell you this when you write a book, but even when the publisher comes to you and says, we want you to write a book, they still want you to put together like a business plan and like a proposal for, you know, what you're gonna write.
And I'm like, you know, I wanna do something different, right? Because there's a lot of dry technical stuff out there, like you say. And, you know, I was really inspired by this other book, it's called The Phoenix Project. If you're familiar with DevOps, The Phoenix Project is like your Bible.
And it is very similar. It's a story. It's a narrative. There are characters. And, you know, I think one of the big reasons why DevOps as a movement has taken off so much is in part because this book made it approachable. And, you know, Zero Trust has already taken off.
I'm not like adding anything to the narrative here, but to be able to tell a story and to explain it in simple terms. Mm-hmm. I mean, I've been a security practitioner for a long time, and even me going through, like, NIST 800-207. Sorry about that.
Elliot: All good.
George Finney: Even with me as a security practitioner, like looking at NIST, you know, 800-207, I literally just don't know what that means. Right. I'm reading it. You know, I've read it probably, you know, in double digits at least. And it's still really, really hard to get through, right? For Zero Trust to be successful,
we've gotta really make it a lot more approachable, right? It can't just be for us security nerds to get, and right, who needs to do Zero Trust. And this is part of what the publisher asks, right? Who's the audience for a book like this? And my answer is, you know, it's not just, you know, security practitioners, it's people brand new, not just to security, but brand new to IT, right?
They've gotta play a role. You're right. Executives, non-technical folks, CFOs or board members, they have to understand Zero Trust. And I think, you know, bringing all of that context together, there are so many folks in it that need to understand how to do their part, how to play their role in Zero Trust.
And so, you know, one of the things we tried to do was, for each chapter, we have a kind of focus, right? So whether it's physical security or your ERP system or identity or cloud or DevOps or your SOC, all of those, right, you know, have their place. And there's some really specific things you can do to, you know, find and remove the trust relationships you have in all of those digital systems.
But connecting those dots is really important. And you know, I think one of the reasons why Zero Trust is so successful, right? We synthesize down all of our best practices in security down to two words. We almost made it too simple. And so, you know, again, telling that story, right?
Being able to be in someone's shoes and see, yeah, I have that same problem. And to see a way forward to solve that, we've gotta believe we can be successful in security to be successful.
Neal: Yeah, I think there's kind of this wonderful thing I've learned in my career doing presentations in general. Whether it's stuff like this, whether it's producing some kind of security content and then having to go brief on that content. Government, private sector, public sector, doesn't really matter; the moment you can put some kind of personality behind it, and it's not just bullet points, it's obviously a lot more impactful and, to your point, is able to resonate with those who really matter.
But so I think it's a key approach to getting to the masses. I think it's a wonderful approach and I'll be very crystal clear. I didn't read the entirety. Elliot, I know, has probably read it four or five times. I have the book somewhere over here in my stack of stuff, so I have gone through it, I just haven't verbosely gone through it, so I apologize in advance.
But I like the model a lot. It's a lot of things that I think I personally try to drive towards on the presentation layer with any of the webinars that I'm creating for myself or any publications or anything like that up on stage, bullet. Getting to the heart of it and actually putting personality behind it and personifying the actual issues is what's impactful.
Makes it easier to consume by a large degree, for sure.
George Finney: I've got a solution for you, Neal. There is an audiobook. So, you know, you don't have to finish reading, just listen to it while you're, you know, walking the dog or whatever. And it is, by the way, the number one selling book in the world on Zero Trust right now.
So, you know, not to oversell it, but we got one of the actors from The Walking Dead
Neal: Oh, that's cool.
George Finney: to be the narrator of the audiobook. I mean, so you talk about making it approachable, making it interesting, making it cool. Right. You know, having a hook like that, like, oh, well I wasn't gonna read that, but man, you know, let me just check it out because of the Walking Dead guy, I liked him.
Wow, you know, again, making it approachable to someone outside of security. And it's not like, you know, we're the normal, like, spooks and you can't talk to us. Like, you know, I think, yeah, breaking down those barriers is huge when it comes to getting adoption.
Elliot: Totally agree, and hope you don't mind me jumping in on this, but I think the reality is, like, between Neal and I, so he's clearly a tried and true practitioner, he understands this space. I'm, you know, I sit in like the content world. I annoy people like Neal and yourself to basically download information and build it into narratives.
So it's wonderful when technical people and people with your skillset can actually write narratives like this, but this is usually what's missing in the world. So I fully appreciate it because people like myself, who again, do not understand the foundational elements of cybersecurity as a practitioner would.
This is honestly, I am that persona, that's anyone who can really pick up the idea of Zero Trust after reading this. It'll be super clear. It's just abundantly obvious that the narrative helps drive that clarity.
George Finney: Well, and it's so true. I mean, a lot of the content that's out there today, frankly, is written by content writers that aren't necessarily security practitioners or specialists. And, you know, a lot of that marketing content comes from vendors. And, you know, we all know vendors make the world go round, but you know, they necessarily focus their angle on that product.
You know, honestly, like a lot of the conversations I have with other CISOs still today is, well, Zero Trust isn't a tool. Wait, hang on. Wait. I can't just buy this thing and make Zero Trust happen. Oh my gosh. Like, what? What? But really, I mean, I think that that just shows how powerful marketing is and, you know, Zero Trust has become this big thing.
And in a way we've really gotta, I think, some stuff behind all of the hype really. So, you know, hopefully, you know, people can kind of start to see, okay, it's not a tool. So what is it? It's a strategy. There's a methodology, there's a maturity model.
You know, there's philosophy or culture, right? A lot of aspects all come together. And yeah, you know, I think in a way, you know, we've gotta be sensitive to the, you know, there are a lot of new people in security and, you know, necessarily in marketing that, man, we can really help inform the conversation and make, you know, everything that we're doing today in marketing around Zero Trust that much better and more effective and more helpful at getting Zero Trust really well adopted.
Neal: Yeah, I think you hit on a good point. Vendor hype, and that's kind of the impetus of last season, was discussing a lot on pretty much every episode, asking the same question. You know, what is it to you? You know, what is Zero Trust in general? And thankfully, even, you know, we kind of had our first vendor on recently, and even with them in particular, everybody is still, thankfully, for the most part in agreement as a consumer.
It's not a plug and play solution. It's an ideology of an approach and, you know, some people are very clinical, logical and can look at a standard and be like, thank you very, very much. But those are usually not the people who are probably actually trying to get implementation done. They're the people who have been told to do the implementation.
So the next step to get to that buy-in, I think, is a wonderful product like your book in particular to help educate the masses, like Kelly keeps claiming he is in that sense. But educate the people that need an easier approach to the construct. And then when we get to the NIST stuff, you know, or whatever it ends up being, whatever model you wanna apply to it.
Logically speaking, at that point, you know, the techies in the room can go through and read line by line of checkbox things, right. I think to that point, something like this, the approachability of it, was sorely missing. Nobody's really talked about, and now I only hit this at the beginning, nobody's really approached the idea of how do you actually get buy-in from the people who don't truly understand what it is; you can go talk about it all day long.
You can point pictures and URL links to people who say there's Zero Trust, this and that. But until you can adequately explain in an easy to grasp idea, or at least show the scenarios in a story mode sensation, right? You're not gonna find it easy to get buy-in at first, and I think that's why this is impactful to have this resource that you've produced.
It's a good way to get that initial conversation going. Then to get it back down to the tech guys and gals in the room that are gonna actually have to do it, right. Yeah.
George Finney: You know, I've had a lot of conversations both while I was writing the book as well as, you know, after it's come out. It's fascinating to me to hear other CISOs that have gone through their Zero Trust journeys and failed. Right. And there is a common denominator with those stories.
And it all comes back down to politics, to people, to culture. Right. You know, it's, you know, I'm the CISO, but, you know, I've gotta go ask my infrastructure team to go do something. Right? And there's that territoriality barrier, right? I, you know, I think. Oh my gosh.
Ha. You know, approaching it as a tool, you know, is not gonna work in that mode. Right? It's not something that I can just tell my infrastructure team to go do. Instead, right, what we say in the book is Zero Trust is a strategy. And we kind of, okay, well, you know, you're a CISO, what's the strategy about, and, you know, whether you're a general or whether you're, you know, a business owner, right?
We have to have strategies for anything to be successful. But the reason that we have strategies is to get groups of people working together, collaborating in order to, you know, achieve a. Right. And I think that's, you know, what I've been working on for the last several months has been, you know, how do we, you know, I mean, I think the most important part of Zero Trust is actually the people that have to go do it.
And, you know, losing sight of that, you know, thinking about architectures and all of these, you know, abstract concepts, right? Misses the point that it's the humans that have to go actually do, right? And maybe there's automation and maybe, you know, you, but guess who configures that automation.
Guess who configures the devices? Who builds those tools? It's still people. And, you know, again, I think, you know, as a leader we've gotta find ways to break down barriers, to eliminate silos, and Zero Trust is an amazing rallying cry, if you will, for this is how we're gonna do it.
And again, it's simple enough, I think, to get everybody on the same page, but, you know, we've gotta kind of sift through that and make sure, you know, people feel like it's approachable and feel like they can play a role and wanna play a role in a team that they feel welcomed in, right?
That all of those things about team building you've gotta think about in the context of Zero Trust.
Neal: Yeah, and I think you kind of hit at the beginning of that a little bit on some sensitive nuggets. You know, people doing things but not reaching fruition or some kind of stable point to grow. There was, I know I'm not gonna get the right numbers, but Gartner has their own research that they've done around this recently, and some 60, 70, whatever percent of companies have a Zero Trust,
or at least an idea, but more than half of them by Gartner standards have failed or are failing miserably in this effort. And taking into account this and what's really involved in that. You also mentioned some of the approachability, some of the leadership struggles, some of the applicability of getting all hands bought into the idea.
Right. And from my experience, I think to that point, that is what really ends up missing. You know, I kind of poked at the tech guys going line by line because that's really, more often than not, me. But no matter how well I understand it or how well I want to do it, it doesn't do me any good
if the rest of the team's like, whoopty do, I don't understand this, why do I want to invest? Right? Whether that's me getting the other team to try to do work, but they're still only doing it because I'm telling 'em, they're not bought in. Or it's leadership that just gave me a couple hundred grand to try something, but they still don't get the idea.
Right. Buy-in top down, bottom up, whatever way you need to start it. Find a way to do it. And then the approachability factor. If you're not on board in the right structure and don't have the right requirements in play that everybody agrees on, or at least loosely, good luck. You know? Yeah. So approachability is key to that buy-in phase for sure.
George Finney: Absolutely. You know, and I think, you know, I wanna be sensitive, particularly now, right? With the economy kind of still in, not limbo, but still struggling, right? There's a lot of layoffs been announced in the last month or so. You know, folks are still concerned, I think, about the economy.
You know, we're worried about budgets and, you know, it feels like security teams are maybe relatively safe these days. But right, and again, in terms of adoption of Zero Trust, right? The reason that we do Zero Trust is it's, as a strategy, focused on, right, prevention. Prevention as a strategy, you know, an answer.
Prevention's worth a pound of cure. There have been studies around Zero Trust that show that it's 10 times as cost effective. Right. You know, or if you wait until a breach, right, to say it the other way, it's 10 times more expensive. So, you know, when we're thinking about, you know, being responsible stewards of our organization's funds, right?
Investing in Zero Trust really does have long term payoff. And it can, I think, help address some of these other issues that we're seeing with pressures around the economy, right? I think it is maybe the only strategy that we have in the security industry that can achieve that.
Neal: Yeah. So, you keep seeing me look; I'm taking notes so I can remember to come back to certain things. Love tech and, you know, phone things. But that being said, you know, really quick things. Prevention is key, obviously. Definitely. And I think the question being for you, I think we brought this up in the last couple of guests and some other things. Maybe I'm conflating some other stuff I've done recently, but long and short, defense in depth strategy. Do you see, and a quick curiosity question, do you see this as a natural growth curve for that original thing that we've been talking about for over 10 years, defense in depth, security should be an onion, blah, blah, blah, blah, blah.
Do you see this as the next step, or as a key strategic replacement, or a value prop add to the defense in depth mental.
George Finney: Oh, okay. You didn't know you were gonna get me on my soapbox. But I've had this argument about defense in depth, right? So Zero Trust is a strategy. You know, with any strategy, you can have tactics underneath that strategy to help achieve your aims. So, you know, the question comes up, right?
Okay. What is defense in depth? Is it really a strategy or is it a tactic? So I've had this debate with other CISOs and, you know, I think if you do think defense in depth is a strategy, right? You know, a strategy has two things. You have to have a goal and you have to have a plan on how to reach that goal.
So with defense in depth, it gives it away in the name. You know that's the plan, right? The plan is to have layers. The goal for defense in depth is a little murky. But essentially, you know, the goal of defense in depth is to be able to cover failure states of your layers of security, right?
You have to assume that those layers are failing. So the goal of defense in depth, if you will, is not to prevent or contain breaches. The goal of defense in depth is to control failure states in your security controls themselves, and hopefully maybe that, you know, that will address your breaches.
But there's no guarantee. And, you know, the challenge with the onion example and, you know, other people make fun of defense in depth. They call it expense in depth. Right? So in terms of, you know, success for measuring whether your defense in depth strategy, if you wanna call it that, is successful, right,
how do you know? When a, when it is really, really hard to measure? So, you know, as a strategy it's actually a less effective strategy for, you know, preventing or containing breaches because of that bloat. Right? And I think that's one of the criticisms of security, and it's the first question my CIO asked me when he started was, well, how do we know when we're done?
How do we know when we've done? And it's, well, let me do some, you know, touchy-feely, you know, risk calculations and see, you know, how we, or, you know, can we quantify risk? Well, not really. So, you know, you get into those arguments and I think, you know, again, you know, leaders, you know, boards of directors want to invest in security today.
Right. You know, those conversations have gotten really easy when you're talking to the board. It's, hey, we wanna be more effective. How do we do it? It's, what's your strategy? And, you know, again, there's still skepticism around, like, okay, why are we just doing, you know, throwing money at the problem?
How do we actually get successful? And I think that's the difference. You know, you might still have a tactic of defense in depth for any given protect surface that you have, you know, within your overall strategy of Zero Trust. I think it fits in the scheme of things.
I think it's a stretch to think of it as a strategy. And I actually would challenge ourselves to think about all of the other things, the concepts or practices in security that we've passed off as real strategies, because I don't think they actually live up to the metric of being a real strategy.
Right. Are they measurable? You know, do you have a plan and a goal? So, you know, really basic things, but gosh, I, you know, I kind of fall in the line that defense in depth is not actually a.
Neal: Oh, awesome. Well spoken. I think it's kind of a fun take, or a good solid take, on the construct here. So I've heard back and forth and even kind of conceptualized a little bit, like, as a growth phase. First off, I do agree. I think it's more of a tactic than it is a strategy as a whole. Depending on how you apply it, I guess it can, to your point, go both ways, depending on how much money you have, really.
But I guess my military brain takes it up an echelon from what defense in depth means, and the applicability around this for me. And we're never gonna secure the human. Ever, not fully, no matter what we do, but we can secure the things that the human has access to, within reason, especially with a Zero Trust mentality.
So people are always gonna click on things. People are always gonna answer a phone and give a password to something they shouldn't give a password to. But when we started thinking about the approach from a strategy perspective of Zero Trust, then we lock down the things, and that mentality, that they have access to, hopefully.
So I give you a PDF, or you compromise a PDF off my desktop with whatever PII, proprietary data, and if you've got the right applicability around Zero Trust, in theory, just cuz you download it from here to China, you probably shouldn't be able to open it, right? Without some exhaustive measures.
So basic, fundamental nature. And I think taking defense in depth in that same vein, we've always worked on, they always say that OPSEC training is the number one prevention for getting things done on your network. I still agree with that, but it's still, like, one of the last numbers I saw.
It's still some 18, 20% of people either, a, just click through it and don't care, or still click on stuff even after it, right? On the basics. And taking the strategy, defense in depth, having all the expensive things, but then applying some ZTA mentality to it, and understanding the human sucks, but the tech behind the human can help make sure that they don't do stupid things, and when they do do stupid things,
then that output is mitigated to some extent, right? Hopefully. So the control failures, and what happens after I give them my password via Outlook phishing.
George Finney: Ha ha. Yeah. I think the human part of it is a real challenge, right? And that's what we talked about in the book: gosh, we don't trust computers, right? We don't trust packets. And there is an anthropomorphization of computers to just, you know, ah, it's George's packets, it's George's network, it's George's computer.
Let's just let that be the same level of trust that we'd give to the human George, cuz George is a great guy. He writes really great books. You should go out and buy them. But I think, again, as a team, we've gotta rely on one another to do our jobs in that sense.
We trust one another, but we don't trust packets. And I think that is kind of a common thing that humans do: we name our cars. I mean, so, okay, cool. How do we get out of that mode with computers and technology?
Right. I think it's definitely a discipline, right? It's a practice of kind of always following that same north star, if you will, of zero.
Neal: Yeah, I think that's a great point: the internet was originally built on implied trust, that everything's good. Now, you talked about some of the things you've worked on in the day, PHP and other fun stuff, boards, all fun stuff. DNS, we see the big failures in that still daily. Thank you, BGP, but
I think it's kind of a fun application with 2.0 versions and the way things are going, and understanding that there's always someone trying to do something malicious. Always. That's never gonna go away. As long as countries are still butting heads, or as long as someone's upset in their own country, stuff's gonna happen.
Right. And I think for me, the big piece of this is too many people operate, like you kind of alluded to, under the idea that my stuff is my stuff and my stuff is always secure because you know me, or whatever that relationship may be. And working in the security side of the house for as long as I have, I've been both part of trying to consume things as well as being targeted for consumption and espionage stuff.
So it's just kind of how the flow works for me. You write one article about Uyghurs and China, next thing you know, you've got 5,000 spam things trying to get into your box. But it is what it is. So people know me as a person. I'm pretty secure. I have really good standards and methodologies for what I do on a daily basis.
I, for the most part, can spot a lot of the bad things that are in my box, but it doesn't mean I'm always gonna be that good, or it doesn't mean that there's not gonna be some kind of zero-day vulnerability on my box, or whatever I'm working off of, that someone else takes advantage of.
So that implied trust layer of the person and all that stuff. So I think, talking in a circle a little bit, for me that's the big deal: you can't secure the human, even when the human is someone who should be the most secure in the environment based off of their knowledge. It's never truly gonna happen.
But working down at that more tactical, technical level, thinking about what that looks like for me from the bottom up, of what they have access to, where they're doing their work, and what things they have access to. That's what drives me with the Zero Trust mentality. I'm never gonna be 100% secure, but at least I know if I f up and do something ignorant, my documents have a good chance of not being compromised.
George Finney: Well, so my last book was called Well Aware. And it's a very different book than Project Zero Trust. So my elevator pitch is, it's Stephen Covey's Seven Habits for cybersecurity. We called it Well Aware cuz we didn't wanna get sued if we would've called it The Nine Cybersecurity Habits of Highly Effective Security People.
But it's true, right? Even the best security practitioners, even cyber criminals, don't have perfect OPSEC. Right? So the idea with the book, and I've actually created a cyber personality test, so you can check that out on my website, well aware security.com.
But the idea is there are nine cybersecurity habits. And we know from, so I did, like, a super deep dive into psychology and neuroscience for the book. And as it turns out, right, 50% of all of the behaviors that we do every day are based in habits, right? We're essentially on autopilot.
We're not thinking about them at all. And okay, so 50% of our behaviors are habits. That's a really big deal, and we're missing that entirely when we're in conversations about security training or awareness or what. But also, right, we have this expectation that humans are gonna be perfect at everything, right?
That's not gonna happen. Michael Jordan wasn't a perfect basketball player. Okay, so how do we improve? Well, when you work with coaches, any time, leadership coaches or strength trainers or whatever, they will tell you, right, focus on your strengths.
What are your natural gifts? Let's build those up, and build a team around you that can help support you. So that's what the cyber personality test does. It helps you identify your strengths, and from there you can improve, right? So we also know from neuroscience that habits work like a muscle, so they can get tired, right?
When you're stressed out or whatever. But that also means that they can get stronger. So we can. And the fastest way to improve is actually to start building that identity as someone that believes in security, that thinks you can make a difference, and then focus on whatever your natural given gifts are.
So again, not everybody is a skeptic. There's some folks out there that think of themselves as being gullible, and that's okay. You have other. And I think we also come together as a social animal for mutual protection, right?
So bringing together a group that can help represent all of the different nine habits when you're forming a team, when you're kicking off a project, right? Thinking about those things in advance can help, for lack of a better term, lubricate the human interactions, and hopefully we all can collectively be getting better.
And I think that's how we measure our success in security, right? It's not, did we get hacked or not? It's, how did we respond? Did we bury our head in the sand? Or did we think about how to iterate and be constantly improving?
Neal: I think that's also a good reference around the Tribe of Hackers mentality and that flow, personal favorites there. But no, those are good things. Community involvement, collective defense. So I work with a lot of sharing communities today and have for a while. I've been in an ISAC, been part of whatever that sums up for me, but the collective defense mentality, the whole point behind it.
To your point, one of us is not as good as all of us, potentially, as long as we're willing to work together. And I think that is definitely very big and impactful. And then, kind of flipping back to the book a little bit here, the steps that you take in the book and the different mentalities and approach in the book.
I think that's indicative of that thought flow, and how there's echelons and layers of people's approaches to things. And in the same vein, as an intel analyst by trade, I'm never the smartest person in the room. The room is the smartest person, the whole group of people that we can get together to discuss an idea. And knowing that, I need to do this more often, probably, but shut your mouth and let other people talk, and you can learn something as well as maybe help figure out a new way to move the product forward, or the problem forward.
So, for sure.
George Finney: Well, definitely the biggest lesson I learned was being able to work with John Kindervag on the book. Right. So he wrote the foreword and shared basically all of his notes to help kind of inform the case study, essentially, that we wrote. And I think the biggest eye-opener for me was thinking about security for an organization not as a monolithic thing,
but as something where you're focusing on the things that you're trying to protect, right? And what Kindervag calls those are protect surfaces, to contrast with the other thing out there, that's a total lie, which is the attack surface.
So there's a whole category of products out there, right? They're called attack surface management, as though that's something that you can do, or somehow if we can shrink our attack surface, then magically we'll be more secure. And the reality is we can't shrink the attack surface, right?
The attack surface is every device in the world. And instead, right, focusing on those things that you can control, AKA a protect surface, right? Think about that, and think about the controls you wrap around it, right? So that's one of the other things I'd contrast with a defense in depth approach: again, that's more of a monolithic approach.
Like, let's have a lot of layers just floating around and not really knowing where the heart of the onion is, so to speak. So with a protect surface, it's like getting a custom-tailored suit specifically for that one part of the business that you really care about. So letting the business drive you and tell you what's important, whether that's a business impact assessment or something else along those lines.
Right. What's the one system that's gonna cost me a million dollars a minute, for every minute that it's down? Okay, let's focus on that. Now let's wrap custom controls around that. And there are other things, again, physical security. Great thing that I think a lot of CISOs don't necessarily think about, because maybe they don't own it.
Maybe there's corporate security that handles that. Maybe you have commercial real estate agreements, and they handle the security for you for card readers, and maybe you don't have cameras. So again, thinking about those things that are core to your business, that are important to you, those things can vary widely between organizations and industries, right?
So understanding what your business is, who the people are in the business, how you can bring all those things together, man, it's kind of like when you've put on a tailored suit for the first time. You're like, whoa, wow, my butt looks really good in this.
Right. That's how we should feel about security.
Neal: So that's a good analogy. So you're kind of touching base on something that, me being in intel, this is getting into my soapbox area a little bit here. And thank you for using that reference point, cuz I've used that on so many webinars, and since my company now is global, it's really the only term that resonates here in the States, apparently.
So I had to kind of reframe my statements a little bit, but on my soapbox, so to speak, you talk about business risk management, business risk requirements, right? And I wholeheartedly resonate with this mentality, your protect surface versus attack surface. You only have so much money. There's only so many resources as a whole, and too many people either starting up a security endeavor, whether it's physical or digital fraud, whatever those may be,
too many people think that they've gotta secure everything, or they've gotta account for everything, and they don't do a good job of setting requirements on day one. Maybe eventually they come back. So the intel analyst in me harps on this daily, literally, whether it's at my nine to five or offline with the people I help consult with.
And if you don't have requirements, I don't care whether they're intel requirements, whatever they are, there's gotta be some kind of legit paper trail requirements on something, somewhere, to get started spending money. And the best place for me, as intel, is obviously intel requirements, mapping that out.
But me as an intel analyst, personally, I should always be an intermediary between the entire security org, which is my customer base, not just the SOC, but if you've got security something, I should be helping you do something with that. More importantly, getting those requirements from you, turning them into things that I can map out to the strategic side of the house, so those business risk management requirements and everything else like that.
And what you mentioned, I love it. What's gonna cost us the most if it goes down? I don't care how secure you think it is, but that is the thing you need to make sure is secure. That's the thing you need to spend money on, making sure it's secure. And if it goes down, figure out how to bring it back up the quickest.
Right? So we see this in the OT side of the house a lot, because they understand the idea that if I lose a substation, I lose millions of dollars and all this other fun stuff. But if I lose a corporate server with a bunch of spreadsheets on it, it's not as impactful for me getting my clients spinning, whatever that is.
So flip the paradigm around in the IT world: there's not enough focus on the actual protect surface and what that means. Too many people fixate on the larger things that don't matter and spend money where they shouldn't spend money. My thing: requirements. Map it out to the business risk, things that are coming down from the C-suite or whoever owns that responsibility.
Figure out what costs the most, and if it's there or not. And then I think you can start micromanaging it down. You understand what's gonna cost you the most, where you need to protect, and then you can start doing the attack surface mentality on that key aspect. So if it's a larger network of things, a larger server cluster, work your way down and figure out things like MITRE ATT&CK, fingerprints, and stuff like that for all that stuff.
Right? So yeah, for me, my big deal: get the right requirements, get the right money. If you find you can't fill all the requirements that the business leadership says you have to, they better give you more money or sign off on the fact that they can't, and then you're not gonna get fired as a CISO when things get breached, hopefully.
George Finney: Well, I'll cross my fingers. But no, so you jogged my mind a little bit. So if you only read one book this year, obviously read Project Zero Trust. If you read two books this year, I really love Simon Sinek's book, Start With Why. And I mean, again, it's implied in the name.
There's, like, a quick five-minute YouTube video that he does that explains the concept of starting with why, and why that's so powerful. But I've talked to some folks who have been doing Zero Trust implementations, and they'll explain their situation to me, and I'm like, hang on, wait, why are you doing this?
Like, what? What's the business case for connecting this site-to-site VPN with one of your partners? Right. Cool. You should know this, but generally speaking, as an IT administrator, right, they're like, oh, wow. Yeah, I had no idea. My boss just told me to go do it. And I don't know what we're protecting, right?
I don't know if it's for an accounting backend system. I don't know if there's some sort of greater partnership where we should let other traffic through. Right? How do you know all of those things if you haven't started with understanding basic requirements, right?
Start with why, and go from there, right? Let that be your guiding principle. So powerful. But yeah, I've had those conversations for years about, hey, well, what are your requirements for this project? And people will look at me with blank stares. Like, I can't, I don't know.
I can't give that to you. Why do you need to know this? Or, you can't just do a firewall, right? Just get it done. No, no. Wait a minute. There's the whole context of why we wanna do something, in order to do a good job, and I think that's really missing from a lot of the conversations we have.
Neal: No, that's a good reference point. I'm gonna go look at that book personally, see where it goes. And then shameless plug for some other people out there in the intel world: there's some wonderful, good intel groups to look into for doing requirements from an intel perspective. So there's a
conglomerate over in Euro land. That's kind of international, called First. So look at what they're doing, look at how they're doing things, for those who are asking the question about intel requirements and how that plays into the larger thing, like business requirements and all this other fun stuff.
Elliot: Oh man, I just wanted to find an excuse to slide in there. So we were joking around, for my day job, like, trying to build scenarios around continuity planning, inside, like, these outlandish things just to stretch people's imagination. And as soon as you were talking about requirements, I was like, so I guess you wouldn't have an excuse to put in an alien abduction that would take over your team, and, you know, it can't really do that.
But I just love the fact. Yeah, you can absolutely look at situations like here in Charleston. We absolutely have hurricanes, tornadoes, and weather events, which could impact it. But somewhere in the middle of the country, maybe not so much. You don't have to worry about floods and having, like, continuity plans like that.
But you can imagine a hundred different scenarios. And again, just kind of tying it back, having threat intelligence and business plans to correlate to how impactful this is, how reality will actually mix into this, is pretty critical. So again, I just wanted to make an alien abduction sidetrack for absolutely no reason, but otherwise, to agree.
So, pivoting a little bit. A couple of things that I picked up out of this, and I will say, without obvious spoilers, George, you've definitely highlighted quite a few elements that I picked up through this book. One of the things that I think we picked up from a previous conversation, I think with Maureen on another episode, and she focused on business development and building conversations for organizations who are just trying to start adopting Zero Trust. I forget the term, but it's basically a committee. And that's one of these elements that we see throughout this: right out the gate, they're building this small internal group that focuses on building the framework for internal strategy and all that. How critical is something like that to adoption?
And I'll kind of segue back towards some of the other points that Neal had mentioned about adoption.
George Finney: Yeah. So there's a whole chapter dedicated to culture as it relates to Zero Trust, right? So one of the things we did for the book is little stickers that say Project Zero Trust made. And we'll hand them out when I do book signings. But that's actually in the book. We have these teams that were developed around Zero Trust, right?
So you've got the ERP Zero Trust team, or you've got the Identity Zero Trust team. And they create their own stickers for the teams themselves, right? Like, IT guys really love, and girls really love, laptop stickers. And so, okay, cool. Let's identify our small team, our tiger team, that goes out and protects the protect surface, whatever it is, with a sticker.
Let's create that identity. Let's build our mission around that. I think that can really, you know, kind of, you don't have to do stickers, right? Whatever works for your organization, but I think building that momentum is incredibly important, right?
Feeling like you're making progress, having concrete things that you've done, and for identity, right? Everybody says that an identity and access governance group is really important. Especially if you get into larger organizations, right? You may have segmented governance organizations, so you might have your ISAC for security, you might have general IT governance or leadership.
You might have a change advisory board or an architecture review board, right? All of those things, I mean, you have a tendency in organizations to get siloed. And I think bringing that back and having a cross-functional team to break down those silos is incredibly important for your long-term success.
If you have a smaller organization, maybe you don't have 10 different governance groups, maybe you just have one. But again, bring your business stakeholders to that group, right? They've gotta be playing a role at some level.
Elliot: Awesome. Yeah. Sorry, go ahead. I was gonna make fun of your sticker wall before you talk.
Neal: Go ahead. Go
Elliot: All right. So for our folks that actually watch this, most people do actually listen to our episodes. But Neal has this lovely background behind him that says Adopting Zero Trust. And collectively, every episode there are new stickers that show up there.
I sent him a batch of these terrible Zero Trust stickers. So those are kind of appearing. It is a snake biting itself. I don't remember what the background was. Anyways, yeah, I'll just add that out there. Anyways, Neal, off to you.
Neal: No, you're good. It's all good. I think cultural adoption, we talked about buy-in earlier on, right? And on the military side of the house, this is what resonates with me. So, Marine by trade, a bunch of other fun things, contractor and some other stuff post, but every place I've ever been, service-wise, at least in the Marine Corps, and I know some of the other sister services resonate with us a little bit.
We have our hierarchy, right, in the military. For me, I did a lot of work more at the squad level for what I did early on. So when I'd go forward, it was usually at the squad or maybe at the platoon level, so at the very lower echelons of the groupings of things, even down to the smaller group of a fire team.
But the funny part was, at the company level, multiple platoons, multiple squads within a platoon, most of the platoons had their own mascot or their own slogan, their own grouping, right? And we had the leadership teams, just like any corporate entity, you have your branch, your divisions, and so on and so forth, all the way up. And
you get down to those smaller teaming environments where the trusted relationship at the tech side of the house is within that platoon or even squad level, and they build their own logo. They build their own brand, their own mentality, what it means to do the job they're supposed to be doing. The leadership team within that structure, that platoon, brings that mentality up to the company level, or wherever the next echelon may be, and they get to bridge the gap.
And then we have our company identity as a military unit; that's a whole separate thing, right? So, however you wanna do it. But we have logos, we have branding for us in our units that we worked in, all the way down. In some cases, even one of my fire teams, we had our own shirt and our own hoodie and all this other stinking, idiotic stuff that we did.
Cuz it was fun, but it helped us culturally be significant for one another. It helped us grow together and have our brand of who we thought we were and what we were bringing to the table. So I just love that. I love the approach, whether it's a small sticker, whether it's a t-shirt, whether it's a coffee mug that says Zero Trust engineering crew, whatever it may be, that's impactful, and it resonates a lot with people. And people want to be a part of something, whether we admit it or not.
So for those of us who are anti-social, by whatever means that may be, or introverts, there's still a lingering aspect of our psyche that wants to know we did something useful for somebody else. And having something as simple as a sticker, ironically enough, goes a long way for a lot of people for that cultural impact.
So anyway, I thought that was a fun piece to add.
George Finney: Well, thank you guys. This has been so much fun. I totally appreciate the conversation. So yeah, thanks for having me on.
Elliot: All right, so we are towards the end of the hour, so we just want to quickly sum things up and then kind of go off on our way. So real quick, George, where can folks find Project Zero Trust, and where can they learn a little bit more about maybe future books that you're working on?
George Finney: Well, Project Zero Trust is available anywhere fine books are sold. You can get it on Amazon, Barnes and Noble, Target. Also, again, don't sleep on the audiobook. It's really good. So audible.com or amazon.com for the audiobook. So definitely check it out there. Also, visit my website, well aware security.com.
Elliot: Perfect. So thank you so much for that. We're definitely gonna, in the recap notes, we'll point people towards that personality quiz. Personally, I want to check that out. That seems very interesting. And as someone who has now read this book, I can obviously recommend this. I will gladly be putting this out; I'll throw a few out there to our listeners.
George Finney: Overnight.
Elliot: So as we kind of get that out there, just a heads up if you're listening to this: I'll figure out exactly how we do that. But I'll also put out that audiobook too, cuz I gotta figure out which Walking Dead actor that is. I used to like that show, maybe not so much now, but,
Neal: 100th viewer on Spotify. Listener gets a book, and the 2000th listener on Apple.
Elliot: Yeah, there you go. We'll figure out the constraints that I'll put out there. But anyways, George, thank you so much for your time. We really appreciate it. And we'll definitely bring you back in for some future conversations.