Unpacking Zero Trust in Higher Education
Episode 2


In this episode, host Raghu Nandakumara chats with George Finney, best-selling author and Chief Security Officer at Southern Methodist University, about his experiences with Zero Trust in higher education, the cultural elements of cybersecurity, his new book “Project Zero Trust” and why some Zero Trust projects fail.

Transcript

0:00:03 Raghu Nandakumara: Welcome to The Segment: A Zero Trust Leadership Podcast. I'm your host, Raghu Nandakumara, Head of Industry Solutions at Illumio, the Zero Trust Segmentation Company. Today, I'm joined by George Finney, Chief Security Officer at Southern Methodist University. At SMU, George oversees all aspects of cyber and physical security, finding creative ways to enhance new and existing protections. George is also the bestselling author of several cybersecurity books, including Project Zero Trust and Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future. George is joining us to talk about his experiences with Zero Trust in higher education. Today, we are unpacking the cultural elements of cybersecurity, what Zero Trust isn't and why Zero Trust projects fail. George, it's an absolute pleasure to have you as a guest on our podcast. The first thing I want to ask you is, how does a law graduate go from graduating in law to doing a law internship, to becoming a network engineer, to then becoming the Chief Security Officer at SMU? That's quite a few direction changes.  

0:01:16 George Finney: So I actually, my undergrad was in liberal arts, which meant I studied a lot of philosophy and math, different things, languages. I learned to speak ancient Greek. Really, really awesome experience. And I thought when I got out of college that I was going to go be a stockbroker. I actually interviewed on Wall Street and realized like, "Yeah, I totally wouldn't want to do that." So actually, I got a job at GTE. I started out working on their DSL lines, their department. Became a network engineer from there, and actually I went to a couple of different startups, one in Denver and then another in Dallas. And I've realized I love startups, I love open source, and that was actually the genesis of why I went to law school was, “Hey, there's this thing, the GPO, I really want to get into that.” There's a lot of open source licensing out there. While I was in law school, the GPL version 3 came out, I actually did a directed research around that. And again, I thought I was going to go be like a lawyer, never expected to be at SMU for 20 years, but I got that tap on the shoulder from our CIO and he said, "Hey, we really need a Chief Security Officer." The writing's on the wall, all of the security folks at the time reported into our infrastructure networking department. And I had that background as a sysadmin, one of my startups doing Linux support or whatever in addition to being a network engineer.

0:02:35 George Finney: So I had this crazy background of law, network security and sysadmin, so it made a lot of sense to bundle all that up and we brought the team under me. And gosh, it's just been fun. Being in higher ed, it's like the wild, wild west, so really rewarding and that's what's really enabled me to write some of these books, is just being in this environment that's really thoughtful about the way we do things. And I've been there so long, I've had the chance to grow the whole program and be a part of every facet, whereas if I was at a large organization, I'd be much more specialized. So gosh, it's been such an awesome, incredible journey.

0:03:15 Raghu Nandakumara: Oh, that's fantastic. And I think the loss of Wall Street and the loss of the Bar has been the gain of the InfoSec community. So you talk about your role as a CSO at SMU and about how interesting it is and how varied it is. I just think the role of a chief security officer at an education institute must be so varied and demanding for a number of reasons. Because I was reading some of the blog posts you'd written and you spoke how when you came to talking about enhancing security, I think one of the research fellows fairly high up in the organization said, "Oh, no way, research should be open and free." And your again sort of academic freedom. How do you balance all of these things in your role?

0:04:01 George Finney: So it's interesting. I didn't realize this when I started, of course. Higher ed is really highly regulated. If for example you were at a bank or at a retail shop, you'd have some good guardrails on what you do, whereas in higher ed, we do all of it. We have student loans, that makes us compliance-wise under the same obligations that a bank would have. At the same time, we've got a health center and we've got HIPAA, we do credit card processing, we've got student records, we've got European folks. So dealing with privacy laws and everything, the variety is really challenging. And that's actually what appeals to me, and I think just generally speaking, in the security world, we have to stay on the bleeding edge. We're always having to secure that next new thing. Okay, containers are coming in, how do we do that? How do we just do security in this whole new ball game? And frankly, I get bored really easily. And I think if I were doing the same job for 30, 40, 50 years — no knock on the folks out there that are still doing COBOL programming — but man, I would have gotten way burnt out from doing the same thing that long. I need to keep up with the latest thing, and security is that career that gives that to me.  

0:05:12 Raghu Nandakumara: Completely. I'm fascinated by just new interesting things that security, cybersecurity in all its manifestations throws up. And actually, you described such that, that we often don't think of educational organizations, academic institutions as actually being this... It's almost like a conglomerate of lots of different industries bundled together. So how do you bring all of these various departments that all have different priorities and different challenges, how do you go about establishing a unified security culture?

0:05:48 George Finney: It's really hard. And some people say it's up down, others say it's bottom up, it's both. And the really unique thing about SMU, and I didn't have anything to do with this, it was way before my time. But the thing that most people know about Southern Methodist University is that we got the NCAA death penalty, we're the only university. So back in '88, remember there was the big football scandal where we were paying players before it was cool to pay players? Everybody was doing it right, we're the ones that got caught. Fascinating to be a part of the university 15 years later, and that's not something that George did as the CSO, I inherited that. But thinking, oh my gosh, every decision we make, every new vendor, the way we handle financial decisions, all of it, I think is influenced by that one incident. And lots of organizations have had breaches or smaller incidents, there's that famous saying out there, “never let a good crisis go to waste.” So again, I think those things are the things that stand out in people's memories and that collectively drives culture, and so I wanted to find ways to be proactive instead of reactive.

0:06:56 George Finney: So those are great opportunities, and you can also create those opportunities and you can also build relationships with your leadership team, again, that's something that takes time, but I remember when I rolled out my simulated phishing program — this is eight years ago now — and the first campaign I sent I caught my president and I didn't get yelled at, I didn't get punished. But it is fascinating because I know other CISOs that have launched simulated phishing campaigns that did catch their CEO or whatever, and they don't do simulated phishing campaigns anymore. So you've got to have that trust that everybody's going to work together towards the common goal. And again, when you can align that to the mission of the organization, we need to protect our community, we're here to protect our students who are vulnerable, who are growing and learning, that's magic. Tapping into that to help drive culture is again, something that it's so amazing that we can be a part of that in the security world.

0:07:50 Raghu Nandakumara: And I think just on that last point something that is regularly expressed is that in order to do your job as a security professional, the first thing is that you need to understand the organization that you're protecting, and essentially their value prop and then your own value prop that ties in with this. So can you express how you express your value prop to your board?

0:08:15 George Finney: Yeah, so I don't know if you've ever seen the Charlton Heston movie, Soylent Green. From back in the 1970s, kind of a sci-fi thing.

0:08:23 Raghu Nandakumara: No, I'd love to hear about it.

0:08:24 George Finney: I'm going to spoil the ending, but essentially the world has grown so much, they've run out of food, and so there's this special food, it's called “Soylent Green” that people love and it saved the world, because we can feed everyone now, and it turns out... The famous saying is that Charlton Heston runs out when he figures out what's happening, he's like, “Soylent Green is people!” You're feeding people back to the people, but oh my gosh, in security, security is people. When I have conversations with our board or with our leadership team, I tell stories about humans, what's the human impact to our organization. When I started out doing this, I had a monthly security report, it was all metrics focused, and okay, “How many firewall blocks have we seen” or whatever, it wasn't human. It was just numbers. But okay, cool, what does that mean? When you can tie it back to, “Okay, we had a person who was faced with identity theft, here's the impact to them,” and so I turned it into more article-driven, more story-driven things, and again that changed the audience.

0:09:34 George Finney: I'm going to send this newsletter to everyone at the organization, including students. I'm going to make it publicly accessible to the interwebs or share it on LinkedIn or whatever, and that response again, oh my gosh, that's very different than the traditional way people do security where it's a black box: “I'm going to play my cards close to the chest; I'm not going to talk about things.” In writing some other books that I've written, when I talk to people, people want to help and then they're like, “It has to be off the record because I can't tell these stories. Our PR department doesn't want me to or I've got an NDA or whatever.” And man, if we're not sharing our stories, then the next generation of security people are going to have to learn all of this over from scratch, and we can't do that. We have to stay ahead of the bad guys out there and to again, telling stories as an author they always say, "show, don't tell." And I think there's a lot of telling when we give security advice instead of showing. That's the difference.

0:10:38 Raghu Nandakumara: Absolutely, and I think almost to apply that whole security through obscurity is no security at all. It's the same with stories, if you don't understand the issues that you're here to combat, how can you possibly understand how you're going to secure them or the value of the security that is being built? So everyone here is here to learn about Zero Trust and learn about Zero Trust from you. Alright, so let's start with an easy one. Give me your favorite Zero Trust analogy.

0:11:06 George Finney: Well, I'll give you the worst analogy, and we'll go from there. So what Zero Trust isn't... Obviously, the two words imply like The X-Files, right? That's like the Fox Mulder “Trust No 1,” and that's not what Zero Trust is. So Zero Trust... The analogy... Don't use the analogy X-Files. You actually have to work with other human beings to make Zero Trust happen. Although Zero Trust implies “don't trust,” don't take the cynical approach of, “Okay, gosh, I can't trust anyone,” but what we're doing there is we're substituting cynicism for good judgment. Zero Trust takes analysis, it takes thoughtful exercise of the practice of security to help protect our communities. Probably my favorite analogy is just a jawbreaker. So instead of an M&M, which is the crunchy outside with the soft chewy inside, a jawbreaker is hard all the way through. So in terms of a candy, if you want to do Zero Trust, make your organization a jawbreaker and hopefully the bad guys will break their teeth on the jawbreaker when they try to bite into it.

0:12:17 Raghu Nandakumara: Takes you back to late days of primary school, where you go into these penny stores and fill up your sweet bag with a bunch of jawbreakers and colored little bottles, etcetera, and then wish that you'd be careful with those jawbreakers as your teeth ache from chewing into them. Okay, so I absolutely love the way you described what Zero Trust is, and more importantly what it's not. And definitely the bit about Zero Trust doesn't mean no trust, and it's often something that we hear at conferences, etcetera, almost people saying that I don't want to hear about Zero Trust anymore, and I don't like the term. So, what is a better way to express Zero Trust?

0:12:57 George Finney: The way that I think about Zero Trust, there's a phenomenal book by Stephen Covey, who is actually the son of the Stephen Covey who wrote 7 Habits of Highly Effective People, the son Stephen Covey also wrote a book called Speed of Trust. And in his book, he argues that you have to have both trust and analysis at the same time to have good judgment. So think of a matrix: on the X-axis is trust, it's not a binary thing. Like a spectrum, I either trust or don't, you actually have a Y-axis and the Y-axis is analysis or skepticism or whatever you want to call it, but you have to have both at the same time. If you have low trust and low skepticism, that's kind of gullibility. If you have low trust and high skepticism, you're going to have indecision. You're not going to be able to get anything done. Covey talks about a trust tax on an organization, where if you don't trust any of the human beings around you, you're not going to get anything done or it's going to take a really long time.

0:13:57 Raghu Nandakumara: Yeah, absolutely.

0:13:58 George Finney: Same thing with partners out in your different organizations or outside of your organization. So having both really critical, and I think that understanding fundamentally, of trust is something we don't necessarily talk about a lot in organizations, and frankly, when you get into Zero Trust, the real trick is, how do I spot the trust? When I look at a computer router or firewall server config, what's the trust? How do I go through and get rid of them? That's what Zero Trust is about, it's not about not trusting people, it's about finding those trusts in our digital systems and getting rid of them. We've been doing this for years, whether that's de-perimeterization as a tactic that falls under Zero Trust. Maybe server hardening, just as simple as that removing all the bloatware that comes from whatever OS vendor you have and you only need the things that you need to run. That's really what Zero Trust is all about, it's bringing all of those separate tactics together. Because that's what we were doing. We were implementing tactics all across the board to remove trusts — Zero Trust is the overarching strategy that helps bring us all onto the same page and gets us marching in the same direction.  

0:15:03 Raghu Nandakumara: So without getting too philosophical, what is the meaning of trust in the context of cyber?

0:15:10 George Finney: I think yeah, what is a trust? There are a lot of different folks that talk about trust out there, and I think in terms of a digital system, it's about ease of connection. And that's why we put trusts in, “I'm going to put in a firewall rule to allow me to talk to any server in my data center” (don't do this by the way, this is bad advice). This is what not to do, but that's a trust. Okay, cool. Now, when my computer or my device gets compromised, that's what the bad guys exploit to go and have free rein into an organization, that's what the bad guys exploit in terms of multifactor authentication. I trusted that device for however long you're allowed to set up a trust for. That's a challenge, and we've got to find the right balance, and I don't think there's a trade-off between usability and security, I think that's a myth. But that's the way that a lot of folks think about, well, “my end user is my clients are going to revolt if I don't”... and actually, I think you touched on this in the beginning, when the highest-ranking academic person at my university said, "Don't put a firewall between me and the internet."

0:16:16 George Finney: Okay, what they were saying in the background was, "I don't want to slow down my organization. I want to be able to perform my research without restriction, whatever my research is." And we need to enable that. And I think Zero Trust actually helps us. So at some point our clients or our customers, or at SMU, it's our students, they began to ask, “Why aren't you doing X?” And I think, gosh, if you're signing up for a bank today, and they don't set you up with multifactor authentication, well, hang on, now I'm not going to do business with that bank, so at some point in our history, it became table stakes to have security, and I think for every industry, for every technology, that's the path. They're just figuring out how this stuff works. We're innovating, and we didn't necessarily think about security like, “Oh man, we're going to go out of business if we're not doing security.” And I think the secret sauce of being a CISO today is moving that maturity model over to where you're building in security from day one.

0:17:15 Raghu Nandakumara: So you've talked about things like, I think to quote you, it's like you don't believe that usability, productivity and security are contradictory to each other. You very much believe that those go hand in hand, but then you also, and this is to quote something from your book, you said, “The DevOps folks are all like Ricky Bobby. They just want to go fast.” So as the CSO, how do you provide the security framework to allow the Ricky Bobbys to go fast, but do so safely?

0:17:48 George Finney: I think, again, it comes back to understanding humans. I love the joke of Ricky Bobby actually, I used that with permission from John Kindervag who created Zero Trust. So thank you, John, for that. When I wrote the book, I had the huge benefit of having John Kindervag riding shotgun, being able to bounce ideas off of, but I also went, “I'm not an expert in every domain of security, so I'm not an identity expert necessarily, I'm not a cloud or DevOps expert,” so I tried to find as many experts as I could, and when I sat down with some of the folks who are really great at DevOps, the developers, it's not that they don't want to do security, it's that they're incentivized to... All of their bosses need to get code out the door. Again, that's great, it's really needed for lots of organizations, and actually that's a benefit ... Zoom is a great example. Zoom is a DevOps company, so when — I'm not going to call them a cybercriminal, but a hacker, a former NSA person — disclosed two zero-days, what do they do? They're like, “Cool, we're stopping everything else, and we're going to dedicate all of our DevOps cycles to fixing this.”

0:18:59 George Finney: That's incredible. That's one story of how DevOps enables security. And again, we in the security community have some norms, and I think we like to disclose to a company first and give them some time, I don't think that process was followed in that case, so really, it's hugely unprecedented for an organization to be able to turn around a fix in 24 hours with no prior notice. It's an incredible story, but it just shows you how much security and DevOps can be aligned, and I think we have to be able to come to our partners and work with them and meet them where they are. A lot of what we can do with Zero Trust in the DevOps world, in particular, is to just be a part of their pipeline. They're already doing testing as a part of the pipeline, so let's just add a few tests. Can we check for secrets before the code gets pushed? So thinking about it, instead of trying to secure the code at the end of the pipeline, Zero Trust is really about Problem Management. Let's eliminate whole categories of issues before they become a problem. Let's think about prevention, let's get everyone on the same page and actually that enables CTOs and DevOps folks to not have to go and do those fixes at the end of the cycle; it's just built into the process.

0:20:14 Raghu Nandakumara: So I'm going to quote your book again. I think at the start of the introduction chapter, you say, the most effective means we have available to protect ourselves inside security is prevention, and the most effective strategy for prevention is Zero Trust. And I'm going to challenge you slightly — so bear with me — is that if we think about the whole, the era of perimeter security, so think of, let's say, '90s to 2000s was very much sort of the era of prevention. The bad actors were on the outside, everyone on the inside is trusted, so as long as we shut the front door or you keep that tightly locked we're all good. And then we realize that actually that was failing, they were still getting in, and then there was a focus around detection and response. Okay, let's put all our efforts or majority of our effort into being able to detect, being able to respond, being able to recover, and that kind of became the driving force for I would say the 2010s. And I'm going to say too, that the current era is around containment — assuming that the bad actor is going to get in, we may not be able to detect them.

0:21:22 Raghu Nandakumara: So the focus is around minimizing the impact of that, what are your thoughts on that? On the idea that, Zero Trust is really about containment, more than prevention. What are your thoughts?

0:21:34 George Finney: Technically, the definition we use for Zero Trust is John Kindervag's definition, and we go with that in the book. But the definition of Zero Trust is about as a strategy for preventing or containing breaches. We want to remove the trust in digital systems and ideally will prevent them. Prevention is possible, and I think a lot of folks have maybe given up on that. And one of the tenets of Zero Trust is to assume breach, and we also will attempt containment. So I think it's about both. “An ounce of prevention is worth a pound of cure” is really true in security. They've done studies about this to show, again, getting at the beginning of your code pipeline, much less expensive than having to fix things after the fact. So I argue that Zero Trust is actually the only thing in security today that actually meets the definition of a strategy. So I had an argument with another CISO about whether defense in depth meets the definition of a strategy. I argue that it does not, but when you think about it, a strategy has to have two things. You have to have a goal that you're trying to reach.

0:22:35 George Finney: And you have to have a plan for how to get there. And ideally, with a good strategy, you can measure how far along you are towards achieving that, so when you think about something... Again, I think of defense-in-depth as a tactic, but when you think about defense in depth, “Okay, cool. What's the goal?” I think if you look at the technical definition of defense in depth, the goal is to have multiple layers in order to prevent a failure in one of the layers. So ultimately, if there's a goal for defense-in-depth, it's about dealing with failure, not preventing or containing breaches. With defense-in-depth, you're not actually addressing why a particular layer failed, and a lot of folks will call defense-in-depth “expense-in-depth,” because what do we do? We just add more layers. That's great. Not efficient. But great, and so when you're pitching your board on something that sounds like, “We're just going to add a bunch of layers.” “How do you know when you're done, George? Well, how much money do you need?” Honestly, if JP Morgan can spend a billion dollars a year and still get breached, in my university, if I pursued that same approach, how do you know it's going to be effective? It's not an effective strategy.

0:23:38 George Finney: I think it's more like a tactic. Zero Trust is that strategy to help get all of the teams engaged in the right ways. We can leverage the right tactics and at the right time so that we don't need 50 or 100 tools to accomplish what we can do with three or four.  

0:24:00 Raghu Nandakumara: Of course, I agree with that, but there's a few really interesting things that you said. You spoke about the cost associated with when you're just pursuing a defense in depth approach without really having a strategy around it. Today, particularly with the macro conditions, there is this whole sort of, if ever there was a real pointed focus on ROI, we have that at the moment. So how does following a Zero Trust strategy really deliver not just security benefits, but ROI, cost, operational efficiencies, a simplicity in architectures. How does a Zero Trust strategy deliver these things?  

0:24:40 George Finney: Yeah, so in the book, we used John Kindervag's design methodology for Zero Trust. So there's a five-step process, and really the foundation of that five-step process is this concept of a protect surface. So protect surface is like the opposite of an attack surface, and I understand that Gartner has a whole buzzword like “attack surface management” in their Hype Cycle or Magic Quadrant. Attack surface management is a lie. It's a marketing term that gives you the idea that if only you could shrink your attack surface, then you'll be more secure, and you can't shrink your attack surface. Your attack surface is any device in the world. So when you look at the Peloton or Parler breaches, what do they do? Both organizations had an API to go to mobile phones, one to go to treadmills or exercise bikes or whatever.

0:25:27 George Finney: Well, guess what? The bad guys just reverse engineered that API. There was a blind spot to those organizations. They didn't see or have controls around it to be able to detect anything through the API. And the bad guys exfiltrated all the data helpfully through the API that the company provided. That's attack surface management. If you've got a mobile app, any mobile phone in the world is your attack surface. So instead, in contrast, Zero Trust uses this concept of a “protect surface.” What am I trying to protect, that requires that I have to understand how the business works, that I have to have an inventory, I have to know what my top apps are or where my critical data is. So I'm going to get my arms around that which I'm trying to protect inside a protect surface. And I'm going to have a repeatable process that I follow to protect that.

0:26:09 George Finney: So when I think about deploying tools as a CISO, in the olden times I think, “Okay, I have to deploy firewalls everywhere. I have to deploy EDR everywhere.” Actually, when I think about just a protect surface, I'm going to provide bespoke controls to just that protect surface. So instead of licensing for my whole organization, all of these different tools I'm going to only use the ones that are needed inside that given protect surface. So if I have a protect surface that has an API, for example, I'm going to go to one of those awesome companies that have API security baked in. I'm going to put that in there. If it's web facing, I'm going to have a web application firewall. If it's a device, obviously I need endpoint EDR. I'm going to have a firewall, but I'm going to bake that and have it custom tailored, if you will, to protect that individual protect surface the way that it needs to.

0:26:59 George Finney: Again, I've got multiple protect surfaces, this is the concept of microsegmentation — another tactic that falls under Zero Trust. I'm going to put like assets together. And so I'm going to contain that incident to just that one protect surface. And understand how those other protect surfaces interact and hopefully I've contained that to a single protect surface. That's really the power of this Zero Trust design methodology is really having bespoke controls. And then again, iterating, monitoring, logging everything. Again, another one of the tenets of the design methodology. But having that feedback loop, it's about, “Now that I've got my protect surface, how do I spot the trusts? How do I remove them?” Sometimes that's through proactive architecture. I can think ahead. Sometimes that's through pen tests or tabletop exercises or other things that help me find my own blind spots. And hopefully I'm being proactive and doing that before the bad guys find them for me.

0:27:51 Raghu Nandakumara: I had the pleasure of having a few conversations with John around the concept of the protect surface. Obviously, he constantly stresses that again, and it absolutely makes sense because I think some of the challenges with Zero Trust adoption when organizations say that, “Alright, it's really difficult for us to follow Zero Trust strategy because how am I going to apply it to absolutely everything.” And you say, actually no. You've almost got to flip it on its head and say, “What do I most need to protect and focus on that? Why are we still having this challenge?” Because again, to me it comes as a Zero Trust strategy that to me is common sense, thinking about the protect surface that is common sense. As to where to start. And then as you iterate, you constantly look at that, what is the next thing you move to, but why still the barrier to adoption?

0:28:42 George Finney: Yeah, it's fascinating. I've talked to a lot of CISOs both before and after the book came out, and honestly the common denominator of folks who have launched their Zero Trust initiatives and failed is because of people. It's not the technology, it's not that they didn't have all the tools they needed or whatever — it was about politics. It was about people didn't know what to do. They didn't know where to start. And again, I'm harping on people here, but my gosh, if security, if Zero Trust is just for us security nerds, we're going to fail. Because it's not the security nerds that are having to go out and do all the things. You've got infrastructure teams, you've got DevOps teams, you've got help desk or desktop support folks. So everyone in IT needs to be able to understand Zero Trust.

0:29:30 George Finney: And if I as a CISO can't understand Zero Trust because all of the marketing hype or whatever out there and there's so many competing like things, if I can't understand it, how do I expect a new network engineer to my organization to be able to go and deliver on Zero Trust? Right, oh my gosh. Obviously, the right answer here is now go buy George's book Project Zero Trust available on Amazon and Audible and have them to break down the barriers. Or we can just make it really simple. But again, everybody has to understand Zero Trust in order for our projects around Zero Trust to be successful.

0:30:03 Raghu Nandakumara: Yeah, I agree. And I think what I love about the book, and there's lots to love in it, but what I liked is the validation of the progress, the tabletop exercise that they run. And those of you who haven't read the book yet or listened to it, you'll get the reference when you do. Validation is so important, I think that as security practitioners we don't do enough real validation. So why is this particularly important to show sort of ROI in your sort of Zero Trust program, but also get validation that you are making progress?  

0:30:40 George Finney: Yeah, and again, this is another one of the reasons why Zero Trust projects fail. When I've talked to other CISOs, the average time it takes for a Zero Trust transformation is 3-5 years; depending on where you're starting from, it can vary by a couple of years. But oh my gosh, think about executive turnover and think about CISO turnover and think about the budget cycle. So if you're not showing progress from year to year, well, how do you keep justifying that? How do you continue to get support? As a CISO you ought to be out there developing relationships, building trust, but part of that is breaking Project Zero Trust down into bite-sized chunks. And so in the book we suggested that their journey lasts six months, and that was driven by a new product project release.  

0:31:26 George Finney: And so they had to get it done by a certain date. I think that really aligned well with the business. All the business leaders realized, yeah, we've got this new project or product coming out, we had some security incidents, we want people to be a part and feel comfortable that we are going to deliver good security, good products. If we don't, we think [chuckle] the new product isn't going to compete on the market. And again, that's aligning with the business, that's connecting the dots. That's not saying, "We know we have this new project, product coming out in six months. We'll be done with Zero Trust in five years." No, again, there is a Zero Trust maturity model out there, folks. There's one in the book that is blessed by Kindervag himself. There's also one now from CISA.  

0:32:08 George Finney: And so I'm a part of the Cloud Security Alliance working group on Zero Trust and Kindervag and Chase Cunningham and others are collaborating with CISA to get that document right. But wow, I think collectively we are working together — oh my gosh, the security community is working together! — to have one consistent definition of Zero Trust. Something to start with instead of, “I got to go look at Forrester and Gartner and get behind the paywall” and I hear all these startups throwing Zero Trust products at me. Okay, let's go to a consistent definition that we can all get behind. And talk about, okay, I have a tool that can help you in your Zero Trust journey. Not, I have the tool that is all of your Zero Trust needs all in one. That's what we're really about. And again, we've got to make it simple and bring everybody to the table.  

0:32:52 Raghu Nandakumara: Yeah, absolutely, like the whole sort of thing about being able to almost look at it in six-month blocks at a time. And aligning to a maturity model and being able to say that in six months we want to be here, in 12 months we want to be here, is just such a more digestible way of being able to adopt and also course correct, because otherwise it's kind of, "Fund this five-year program, but don't come and ask us anywhere between now and five years' time what we've been up to."  

0:33:22 George Finney: Again, in two years the company might be using entirely different technology! How do you keep up with that in terms of Zero Trust? Gosh, yeah. You've got to make it a step-by-step approach. So the motto for the fictional company in the book, the company name is March Fit, and their company motto is "every step matters." And every step matters because you have to take one step to enable the step after that. They don't have to be big steps. You don't have to be running, you can walk; baby steps count, and I think that is the approach to Zero Trust. We're always improving step by step. Everybody can come walk with us and make it inclusive. That's really what's going to move.  

0:33:53 Raghu Nandakumara: Yeah. 100%. So just kind of looking forward, let's look into 2023. As a CSO, what are you most worried about?  

0:34:02 George Finney: Gosh, people. I think honestly, there's a lot of burnout that's happened with the pandemic. I think recruiting obviously is the big challenge. I think the great resignation is a huge concern; that battle is being waged in our leadership teams across different organizations. How do we continue to enable security? How do we continue to lift up the organizations and each of our own unique digital transformations? I think we've got to keep investing in people to keep making progress. And if we stop doing that, again, security is always at the bleeding edge. So if we're not dedicated to continuous learning, to lifelong learning, we're eventually going to start to fall behind. And I think when you're overloaded and you're getting burnt out, that's the first thing to go: "I'm going to stop reading, I'm going to stop listening to books on tape" or whatever.  

0:34:47 George Finney: That is going to set us back years. We've got to be welcoming new people to security. I keep hearing people are turned off by security because it's the spooky Fox Mulder types. I want to do something that helps people, and security does help people, but we're turning people away from security because we're not investing in folks; we're putting out job descriptions that are supposed to be entry level but they're requiring 20 years of experience with Zero Trust. Admittedly, like, think about some of the job descriptions that say 20 years' experience with Zero Trust. Guess what? Kindervag invented Zero Trust 12 years ago.  

0:35:26 Raghu Nandakumara: Yeah. Excellent. Exactly.  

0:35:28 George Finney: Anyway, I'll get down from my soapbox.  

0:35:29 Raghu Nandakumara: You are preaching to the converted here. So I completely agree. I almost feel that it's not far off us seeing sort of academic institutions offering undergraduate degrees in Zero Trust. So George, it's been an absolute pleasure to speak to you today. I really enjoyed the conversation and could have gone on forever. Please, everyone, do go and check out George's latest book, Project Zero Trust: A Story About a Strategy for Aligning Security and the Business, on Amazon, or, like me, if you prefer it through your ears rather than through your eyes, go and check it out on Audible. George will be very pleased to know that I'm fairly sure I hold the world record for how quickly that book has been finished. So yeah, I sort of found the time between yesterday and today to just whizz through it. Didn't miss a word, except for the appendix. I have to admit I didn't listen to the appendix. It's fantastic. I feel that today in our conversation I have been the Dylan, or the Luke Skywalker from the story, and you have very much been the Obi-Wan. So, I appreciate the time, George, thank you so much for spending this time with us.  

0:36:32 George Finney: Thank you so much for having me.  

0:36:37 Raghu Nandakumara: Thanks for tuning into this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at illumio.com. You can also connect with us on LinkedIn and Twitter at Illumio. And if you liked today's conversation, you can find our other episodes wherever you get your podcasts. I'm your host, Raghu Nandakumara, and we'll be back soon.