George Finney is the Chief Security Officer and Director of Digital Interests for Southern Methodist University in Dallas, Texas. He is working to transform IT security and compliance at the University by streamlining technology controls, increasing regulatory awareness, overseeing the IT contracts process, and implementing a vendor management program, as well as advocating for open source software and processes.
He has written a number of papers and presentations on information security and software licensing. He maintains a number of industry credentials, including the CISSP and CIPP. He received his Juris Doctorate at SMU's Dedman School of Law and is a licensed attorney.
We caught up with George and asked him to share from his knowledge and experiences.
SW: What do you think would get more people to fill the employment gaps in security?
GF: We need to remember that we’re competing with other really cool jobs out there, so we should start by getting kids interested in cybersecurity earlier. We need to make cybersecurity as exciting as being on a sports team or being on the debate team. I think we’re doing a great job, but we need to keep extending our reach to more people. I saw the CEO of the Girl Scouts speak recently, where she announced they will be offering cybersecurity merit badges. There are some high schools that participate in capture the flag style events. The more people we can reach, the better our security will be in the future. Even if they don’t pursue cybersecurity as a career, they can still have a huge impact on the cybersecurity of their future employers.
SW: If you had to choose, what’s the one security practice people can adopt that would have the greatest impact?
GF: We need to be able to create ways of incentivizing security inside our companies. One of the biggest single threat vectors for every company is their people. The better our industry becomes in terms of technology or architecture, the less cost effective it will become for hackers to use social engineering to get what they want. Security is more like a behavior than a skill, and the best way to change a behavior is to incentivize adopting alternative behaviors. What if we gave employees extra vacation time for meeting certain security goals? What if we offered a bounty program for finding holes in our security? What if we offered bonuses for not getting breached?
SW: When you are not making the world a safer place, what do you do in your downtime?
GF: Writing books on cybersecurity! I published my first cybersecurity book, “No More Magic Wands,” last year. Rather than write a technical reference manual or a compliance guide, I decided to write something that anyone could pick up and have fun reading while they learn about cybersecurity. I was inspired by other leadership and management books out there, such as “The Seven Habits” or “Who Moved My Cheese,” and I realized that this was the perfect way to help get business leaders more involved in cybersecurity. I’m currently working on the sequel and keeping up with my weekly blog, www.strongestelement.com.