8th Layer Insights 5.7.24
Ep 45 | 5.7.24

Communicating Complex Topics with Creativity and Passion


Perry Carpenter: Hi, I'm Perry Carpenter and you're listening to "8th Layer Insights". [ Music ] Imagine yourself in a dimly lit room. The soft glow of a computer screen illuminates your face. And in the background of your mind, the familiar refrain from "The X-Files" echoes over and over and over. No, you're not thinking of, "I want to believe," you're thinking of that other line, "Trust no one." Now, in "The X-Files", this sentiment was about shadowy government cabals, but in the world of cyber security, it takes on a new life. Enter Zero Trust, a concept that challenges the very notion of blind faith in digital interactions. This is trust no one, except for just enough to do what needs to be done. Imagine a world where trust is earned with each click, with each login, with each exchange of data. This is a subtle paradigm shift, a departure from the days of unquestioned access or model-after roles or even traditional role-based access control. This is Zero Trust. My guest today is George Finney. George recently released a book called "Project Zero Trust", and what I love about this is that George brought his entire personality and his way of thinking to this book. It's a subject that he was passionate about, but he also brought in his creativity. George is an accomplished CISO and author, and what he does with this book is he combines both of those passions and his passion for creativity in a way that really leaps off the page at you. George does an amazing job at combining technical detail with creativity and fiction writing to build a world and characters and plot lines that allow the concept of Zero Trust not just to be words on a page, but to live and to breathe and to really enter our minds in a way that is hard to capture without storytelling being at work. And so on today's show, "Zero Trust, Creativity, and the Importance of Finding the Best Way to Communicate Complex Ideas". Welcome to "8th Layer Insights". This podcast is a multidisciplinary exploration into the complexities of human nature and how those complexities impact everything from why we think the things that we think, to why we do the things that we do, and how we can all make better decisions every day. This is "8th Layer Insights", Season Five, Episode Five. I'm Perry Carpenter. Welcome back. Let's dive straight into our interview with George Finney.

George Finney: Howdy, y'all. I'm George Finney. I'm the Chief Security Officer for Southern Methodist University here in Dallas, Texas. And I'm also the author of a couple of cybersecurity books, including the award-winning "Well Aware", and my new book, "Project Zero Trust".

Perry Carpenter: So yeah, we talked to you a couple years ago when -- when "Well Aware" came out, and that book was obviously received very well by the community. So much to the point where you were invited back to write another book, which is always a good thing. So I want to dive into "Project Zero Trust" and first of all, ask you the question, what made Zero Trust the topic that you wanted to write your next book about? What, you know, what led to the decision to write the book? What led to the decision of the topic? And then we'll talk about the formatting of the book a little bit later, because that's very special.

George Finney: You know, I actually thought that I was done writing books for a little while, like in the movies, right? Every time I think I'm out, they -- they pulled me back in.

Perry Carpenter: It's not a fun process.

George Finney: You know, it's -- it's a huge, huge commitment. And, you know, I knew -- it took three years to go through the process of creating "Well Aware". So I was a little gun shy, but I got this call out of the blue from the publisher, Wiley & Sons, and, you know, they were the ones that said, Hey, you know, this is really the right time to write a book about Zero Trust. And, you know, again, I owe a lot to my publisher for, you know, kind of opening that door. And, you know, just the creative process I have. I mean, you know, as soon as, you know, we got done with the phone call, it's like something had clicked and I had the vision for what I wanted to do and how I was going to translate that to the audience of IT professionals out there to help make a difference and demystify Zero Trust.

Perry Carpenter: Yeah, so just for specifics, is your editor at Wiley, was that Jim Minatel?

George Finney: Yeah.

Perry Carpenter: Yeah, shout out to Jim, if you're listening, then.

George Finney: Yeah, totally.

Perry Carpenter: Yeah, Jim was my editor of two books and is fantastic to work with, and really is an author advocate as well. So, good to have somebody reach out to you because they realize that you're the person to trust with that topic, for sure.

George Finney: I love Jim and, you know, a sneak preview, but we are working on a sequel to "Project Zero Trust".

Perry Carpenter: Nice.

George Finney: So I'm only really in the outlining stages at this point. We haven't -- haven't started making real progress there, but oh my gosh, it's going to be really cool. I've got, you know, some cool ideas to bring back that we didn't cover in the first book, like -- like artificial intelligence. So, yeah, it's going to be really good.

Perry Carpenter: So for another time for our listeners, I'm actually also in the throes of outlining the next Wiley book that I'm doing right now. And so I definitely feel both the excitement and the pain. The excitement of the opportunity to share and to dive in, to do the research and to try to -- to try to create a meaningful package for that. And then the anxiety and the dread of throwing myself into it for a long time. But why don't we dive into Zero Trust? Because I think that that's a phrase that has been around for a while, started kind of by Forrester, and then has been through a number of permutations as different vendors say that they do that or don't do that, and specific programs say that they do that or don't do that. And then the promoters and the detractors, the promoters that say, Yes, this is a great mindset and a great way of thinking about approaching your program. The tools are kind of less relevant than the mindset. And then there are some people like in the identity management space that say, Wait, isn't this just kind of least privileged and role-based access control, and understanding provisioning of systems, and those kind of things. So can you disambiguate a little bit of that for people who may have heard the term but not have, like, thrown themselves into really understanding what it is?

George Finney: Oh my gosh, Perry. Before I published the book, I was at a roundtable with a group of 15 CISOs, and we all kind of went around the table and gave our different definitions of Zero Trust. And there were actually 16 different definitions.

Perry Carpenter: I believe that.

George Finney: One guy actually changed his vote at the end. And, you know, I think there's been that watering down of the original vision. But the definition we used in the book, "Project Zero Trust", was Zero Trust is a strategy, a strategy for preventing or containing breaches by removing the trust relationships that we have in digital systems. And really, for me, the reason that this resonates is, you know, from my lens as a CISO, I've got to be able to do security and Zero Trust in every aspect of technology. And it's not just identity. It's not just firewalls or -- or antivirus. I think it permeates everything that we do. And for me as a CISO, I think, you know, we have to have a strategy. It helps us articulate how we're doing what we're doing to leadership, to help get them on board and on the same page. You know, we've kind of distilled all of the best practices and security down to, like, two words. That's our elevator pitch. But also I think the reason that it's so important to think of it as a strategy is because the most important part of Zero Trust is the people. And, you know, this goes back to when we were having the early conversations about writing the book. You know, Who's the audience for the book?

Perry Carpenter: Yeah.

George Finney: And it's not just security nerds like -- like us. Everybody in IT has to play a role, and we have to give them a way of seeing themselves in cyber, right, just like the motto for CISA. And I think capturing that as a strategy, right? What is a strategy for? It's for getting everybody on the same page, working in the same direction towards a common goal. And, you know, again, if everybody's kind of moving in their own directions, you know, I'm identity, so I'm doing my own thing and I don't talk to anybody else, oh my gosh, we're going to be set up for failure every time if we're not collaborating. And it's so important to have a cohesive strategy. You know, one of my biggest influences, I got to meet Jocko Willink, he wrote the book "Extreme Ownership". He's also a Navy SEAL.

Perry Carpenter: Right. Right.

George Finney: And so, you know, understanding that idea, right, when he breaks it down, he talks about commander's intent, right? So, you know, you have a general, or, you know, whatever battlefield commander, you have to translate that commander's intent down to every private that's doing their portion of the job. And I think that's what Zero Trust is for everyone in IT.

Perry Carpenter: Yeah. So, if you were to go in kind of as a consultant, and we'll talk about the fact that you have a consultant in the book that is kind of also helping break down the mindset, what would be your first pitch to the project team that's assembled? Like, how do you explain that so that people know their roles and you are cascading that authority down or that responsibility down?

George Finney: You know, this is one of the pieces that I think really kind of opened my mind. So, I got to collaborate with the creator of Zero Trust to write the book. He happens to just live here in Dallas and we've become friends over the years.

Perry Carpenter: That's amazing.

George Finney: So John Kindervag, shout out. He was the guy at Forrester that created Zero Trust. And what I didn't realize, you know, not having done a deep dive into Zero Trust up until that point, was there is a methodology, a repeatable process for doing Zero Trust in every organization. And I'll call myself out on this, right? When I think about, you know, security, well, what do we do? We have tools. And I think about this because of the budget cycle. Okay, I've got approval to move forward and now I'm going to go implement my EDR tool, for example. Okay, I'm going to go push that out everywhere. What -- what Kindervag's method is, you know, the crux of this is the idea of a protect surface. So really, it's flipping this whole marketing notion of an attack surface on its head. Let me wrap my arms around, you know, this thing called a protect surface, right? It's the things that I care about, my crown jewels, or our different services. We're going to contain the blast radius to this protect surface. But when I get people in a room together, I want to have everyone who's involved with protecting that individual protect surface, be it my ERP system or my identity system or any of the other things that you want to protect. And then I focus in on that particular protect surface so that everybody has a seat at the table. We have conversations about how we're protecting that individual surface. And it's not just one tool. It's not just EDR when you're having that conversation. We're building that cohesive strategy to protect this whole protect surface. And I think, you know, again, thinking about it strategically, everybody is on the same page. We know what the goal is. We're all working towards preventing or containing breaches within that protect surface. Then we get onto the other parts of that methodology. It's a five-step methodology. That, again, is iterative so that we continue as that technology evolves, whatever it is. We're growing and adapting the controls around the protect surface so that it's narrowly tailored to the specific needs of the business. It's aligned with the business, but also it's focused, right? So, you know, you wouldn't show up to a job interview, you know, in a suit that doesn't fit you, that's baggy, that, you know, right? We know how we align, you know, to get the business right. That's what the business is doing if it's a one-size-fits-all approach to security. We just did EDR and now we're done, right? Well, no, there's a lot more focus and granularity we need to do to achieve good security.

Perry Carpenter: Yeah, yeah. So, what are the -- you mentioned the five-step methodology. What are the five steps? Is that something you can rattle off -- off the top of your head?

George Finney: Oh my gosh, I didn't know there was going to be a quiz, Perry! No, so the first step is to define your protect surface, whatever that protect surface is.

Perry Carpenter: Yeah.

George Finney: You know, figure out where your current rules are. There's an approach to how you attack the protect surfaces, right? You want to start with -- with something you can wrap your arms around that everybody can learn on before you go straight into the crown jewels. But yeah, after you've practiced, right, then you go to the most important things and craft your Zero Trust journey from there, protect surface by protect surface. For each protect surface, the first thing we want to do before we start getting into controls is to map the transaction flows, how the data is flowing through that protect surface, what servers or services are talking to one another. We really need to deeply understand how data is flowing through that given protect surface, what the dependencies are. Once you've done that, then you can start to think about architecting controls. What controls do you need to protect that protect surface in the right way. And also understanding what resources do you have? I have a relatively small team, being in a university. If you're in banking or healthcare, maybe you've got a much larger team and you've got to -- you can align those controls differently. Then step four is to craft your policy. So, you know, I come from a networking background, so I think of policy in terms of firewall policy. But today, you know, your identity team might be using policy to craft different least-privileged kind of style protections. Your EDR tools will have policy if you have a WAP, right? Everything has policies, so again, if you're all in a room talking about what your policies ought to be, that will help each individual contributor to go to their different tools and make sure that the policy is crafted in the same way that they've all aligned together. And then the final step, the fifth step, is to monitor and maintain. So you need to be getting the logs, you need to make sure your SOC is monitoring, but also, you know, are you doing pen tests? Are you doing tabletop exercises? You need to have the big picture and ensure that you've -- you've done a good enough job when it comes to crafting your controls. And if you've not, then you use this step as the feedback loop to go back to the beginning. Did you define your protect surface correctly? Did you --

Perry Carpenter: Yeah.

George Finney: -- map the controls? Or, oh, okay, there's a change in the software. We've got to make an update, and continue iterating through that process.

Perry Carpenter: So it sounds like a lot of the keys to success with this goes back to some hygiene and some strategy, right? So, initial threat modeling, getting the right people in the room that can think about what your protect surface is or the inverse of your attack surface as well. And then how do you deal with things like application and system inventories so you actually understand where data may even reside so you're not accidentally leaving pockets of systems out there that can't be protected? Do you -- do you feel like in these kind of strategies that are very hygiene-centric, that many organizations, especially ones that are strapped, resource-constrained, tend to throw up their hands a little bit early in the process and say, This isn't something we can do, we just want to buy tools that fix it? Or do you think that people are ready to buckle down and do the hard work of getting things right at the early stages?

George Finney: You know, I think it's definitely something that's a misconception, right? I want people to be able to do Zero Trust wherever they are. It doesn't require that you, you know, get another million dollars in budget to go do X tool. And I think that's -- that is where some folks will throw up their hands and say, Zero Trust is too expensive, I can't afford it. But all of those things that you're probably already doing, if you've done a business impact assessment, for example, you know what your critical applications are. That should feed into how you define protect services. You should have a risk register. You know, if you've done, you know, a privacy assessment, like for GDPR or CCPA, you know, you've probably already done some of the heavy lifting when it comes to mapping --

Perry Carpenter: Yeah.

George Finney: -- your transaction flows, right? So, all of those, you know, compliancy-focused things are really feeding into the process. And you can do Zero Trust with the tools that you have available today. You know, again, we're aligning the resources and the business with your Zero Trust strategy. So, it doesn't have to be that you increase your controls. I talked to one, you know, banking executive in my consulting practice kind of on the side, and her idea was, Oh my gosh, you know, with Zero Trust, we're probably spending, you know, too much. We could probably cut our cybersecurity expenses in half if we more narrowly tailored our controls. And I think that's totally accurate. So, you know, it does take a little bit more strategic thought. And I think this is really the crux of the challenge because, you know, people like me where practitioners are strapped for time.

Perry Carpenter: Yeah.

George Finney: We're so heavily invested in the firefighting mode, we can't take a step back to think strategically about how we, you know, solve for the problem of not having to fight fires anymore. And I think prevention really is possible. If there's one takeaway that I can say is, Oh my gosh, prevention is achievable and let that drive the conversation, right? Of how do we get out of firefighting mode and eliminate whole categories of issue so that we free up the resources we have today to go and be even more effective at maturing our program?

Perry Carpenter: So in the world of security phrases, you hear "Zero Trust" a lot, and then you hear "assume breach" a lot. How do those work together or against each other?

George Finney: Well, you know, Perry, you know I'm in higher ed, and --

Perry Carpenter: Yeah.

George Finney: -- the only way to look at higher ed is we've already been breached. You know, we get free penetration testing from our students.

Perry Carpenter: That's a way to look at it.

George Finney: So, you know, gosh, I think, you know, again, we've talked in our industry for, you know, more than a decade about trying to help folks kind of adopt that hacker's mindset when you're thinking about security, right? I think a lot about, you know, misuse cases, right? So, helping educate, you know, our IT folks not just to think about use cases in terms of project management or Agile, but what are the misuse cases? How could these things go wrong and how do we bake that in from the beginning? And man, you know, assume breach I think is a great way for helping folks understand. We know the dwell times for cybercrime, you know, is typically, you know, nine months or so. Those -- those folks are already in there. We know there's probably a handful of compromised accounts today already. I think that helps jumpstart people's thinking when it comes to having that hacker mindset, to -- to thinking proactively, right? I call it a premortem if you will, right? We're great at doing postmortems after the fact, and figuring out what -- what we did wrong. Why -- why can't we think about a premortem and think about what could go wrong at the beginning of a process or project?

Perry Carpenter: Yeah.

George Finney: And then baking those controls from the beginning, we know that if you, you know, think of it from the beginning, security is going to be much, much less expensive than in the long run. And so, you know, again, coming back to costs, we know an ounce of prevention is worth a pound of cure. That's why Zero Trust is most effective. That's why assume breach, you know, is so pivotal in the Zero Trust conversation. It's why Zero Trust I think is the most efficient way of doing security, right? You're not having to spend 10x the costs on responding to the breach. You're assuming the breach from the beginning, and letting that dictate how you -- how you think about solving the problem.

Perry Carpenter: So one last question, then, on Zero Trust before we move on to the creative process for the book. If you were to say in a nutshell for somebody that may still be struggling with, like, what are the, you know, defining factors of Zero Trust and how does that -- I guess the way I would phrase it is, How is Zero Trust both the same and different from the way that we've been approaching security for a long time? So, what -- what are the commonalities? And then what are the -- if there was a single distinguishing factor that people could go hang their hat on and say, This is why Zero Trust is important for me, what would that be?

George Finney: Gosh, well, when I think about Zero Trust, I think about it as a strategy. And you can deploy all of the same tactics that you've been using for years intelligently based on your strategy of Zero Trust. So, defense in depth. You know, I had an argument with someone about this, so I have to kind of just break it down a little bit.

Perry Carpenter: Sure.

George Finney: I don't think defense in depth is a strategy. And, you know, maybe it depends on, you know, how you define the issue, but I think of defense in depth as a tactic. If you think of it as a strategy, you know, okay, well, What is -- what's the goal of defense in depth? Well, really the goal, if you're thinking about it as a strategy, is to overcome the failure of layers in your security stack. You know, what's the -- what's the process you do to overcome -- to reach your goal of preventing failure of layers? It's to add more layers. I don't think that's strategic thinking as an example because how do you know when you're done? How do you know when you've reached the goal? It's a very hard thing to measure, and that's why, you know, a lot of CEIOs say, Well, Zero Trust is too expensive. We're just spending more tools and we don't have a metric for showing when we're successful. I think of defense in depth as a great tactic for deploying in your Zero Trust strategy when you know the tools or technologies out there aren't really good enough to stop --

Perry Carpenter: Yeah.

George Finney: -- the bad guys, right? Email is a great example. You -- you have to have a lot of layers for email because, for some reason, anybody in the world email everybody in our organizations. Maybe there's a different paradigm we -- we can move to. But until we do, you know, okay, you've got your -- most of the CISOs that I know will use some sort of email tool or appliance, right, to filter your email. A lot of CISOs that I've talked to also have a belt and suspenders approach, right? So we use, you know, Microsoft's antispam tool, but also we've got an API-based tool to layer on over the top of that. We also have human-level things where they can report phishing. Maybe we have banners that we have for external senders to help people distinguish that kind of thing. Maybe we've got, you know, DKIM and SPF to layer it, right? There's a lot of layers that -- that we wrap around email because it is such a massive part of our attack surface.

Perry Carpenter: Yeah.

George Finney: Great tactic that fits naturally under your Zero Trust strategy, because you're looking at, Okay, we're preventing or containing breaches. How do we do that? We're aligning with the business. We know we need to get emails from our -- from our clients or our partners. Okay, how are we wrapping that protect surface? You might treat a protect surface much differently with a different set of tactics. So that's how I think, you know, in terms of all of the different strategies we do. You mentioned threat modeling, right? I think that that aligns really naturally with your strategy overall of Zero Trust.

Perry Carpenter: Great. Now that we've covered, like, what types of information will people get out of the book, let's talk about the packaging of the book. And by that, I mean the packaging of the idea, is not the cover of the book, though the cover is pretty. But I think that most people buy the book for what's on the inside. And on the inside, you've made some interesting creative choices. So walk us through that. And then I think you can point back to some interesting inspiration from a couple books that have come before, but then -- then also you had to do the work to actually put it in that kind of packaging and make that successful. So, give us a little bit of background on what people should expect when they pick it up.

George Finney: Yeah, so, you know, one of the first questions any publisher will ask you is, Who's the audience for a book? And, you know, I wanted to have a much more inclusive view of who the audience ought to be. I think the help desk needs to be engaged with Zero Trust. I think project management, right? So widen the audience was one objective that we needed to have. There are other books out there on Zero Trust that were highly technical deep reference manuals and their very important. I've read them. I think they're all very good resources. But when I think about, you know, the book, I wanted someone brand new to IT to be able to pick up the book. At the same time, I wanted someone who's got 20 years' experience in the industry to be able to get something out of it as well. And so I, you know, I immediately kind of gravitated towards what other folks had done in the past where they tell a story. I think that's much more approachable. So, love Gene Kim's "Phoenix Project", but also other leadership books like, you know, "One Minute Manager". You know, there's a rich tradition of storytelling to help kind of, you know, people, you know, from all different areas, different industries, be able to kind of grasp these highly technical things that we're -- we're doing. And again, I think I mentioned earlier, you know, I want people to be able to see themselves in this Zero Trust journey. So I kind of crafted a story, a narrative.

Perry Carpenter: Yeah.

George Finney: And I really wanted to have some rich characters that, you know, if you're in a specific role in IT, I wanted to have an identity person. I wanted to have a networking person. I wanted to have developers. And so, you know, I got to craft those characters, and, you know, I wanted to be very -- have a very rich, diverse background in those characters, right? So, you know, again, any person from any walk of life should be able to pick this up and say, Okay, yeah, I've, you know, I've done, you know, IT training, and wow, George, I can really see how, you know, I can play a role in this Zero Trust journey. I get it finally. And that, to me, has been the most rewarding part of having written the book, is --

Perry Carpenter: Yeah.

George Finney: -- after the fact, when I talk to folks, you know, I talke to a former military leader who's very high up in strategic command, and he said, Oh my gosh, I wish I had this book five years ago.

Perry Carpenter: Wow, that's great.

George Finney: And again, that just, I -- I mean, that's why you write books like this is to make a difference.

Perry Carpenter: So, you know, as you were doing that, I think you accomplished the goal, right? It not only was in the format, but it was extremely readable. It didn't come off as cheesy, which is, you know, one of the big fears and things like that The characters were rich and diverse. And I think that that was good. In addition to being able to see yourself in the characters, you're like, Oh, I've worked with that person before. And even some of the expressions of their personality, right? So all that was -- was great. You also avoided one of the biggest cardinal sins or problems of trying to bring technical information into a fictional world, which is the dreaded info dump. I don't know how consciously you were trying to navigate that. It's like, Oh, now we need to explain the concept. Let's bring everybody into an auditorium and have a professional explain it for 15 pages and then go back out and they discuss it. You avoided that really, really well. Was that a conscious, intentional type of thing about how you parse the information, or did that come pretty instinctually for you?

George Finney: You know, it was -- it was very much of an intentional choice and process. I don't know if you've read the NIST standard on Zero Trust. It's NIST 800-207. Oh my gosh, I mean, I had to read that probably, you know, 50 times before I was like, Oh, okay, like, I kind of see what you're doing here.

Perry Carpenter: Yeah, that is not on Zero Trust. That's actually a sleep study engagement type of program. Yeah.

George Finney: And, you know, I mean, I did occasionally, like, okay, they're in a room and they have a PowerPoint, but really, there are only five bullets on the PowerPoint.

Perry Carpenter: Right.

George Finney: And, you know, that -- that was the extent to which I kind of wanted to dig that info dump, because, again, it's got to be digestible. Using this kind of case study model, you know, allows you to make it real.

Perry Carpenter: Yeah.

George Finney: Right? And so, you know, the other part of the process that I don't talk about a lot is, I don't know if you know this, but I'm not an expert at everything. And so, you know, even though it was a story, you know, I probably interviewed 20 or 30 people about different elements, aspects of Zero Trust. And I, you know, for some reason, people, like, pick up the phone when I call. But, you know, oh my God, to be able to talk with identity experts and really say, Okay, you know, here -- here are the issues that I'm wrestling with. You know, what -- what do you see out there? What are the common pitfalls that -- that you see organizations running up against? And I wanted to make it real enough. You know, the company as a case study, you know, needed to have, you know, they couldn't be the perfect company, right? They're not going to be a shining example. They couldn't be, you know, totally imperfect, either. And so, you know, there really had to be a lot of salient challenges that the individuals had to overcome. So I think that was the most important part, was helping people understand we're all facing the same challenges, not, Okay, here's the reference architecture or whatever. You know, let's -- let's use Zero Trust to solve some real problems.

Perry Carpenter: After the break, the conclusion of our interview with George Finney. [ Music ] Welcome back. As you're approaching kind of the next phase of this, you said you were in the process of thinking about part two, or episode two or whatever you're going to end up calling it. What are some of the things that worked and some of the things that you didn't work? So if you were to do a postmortem on part one, what did you -- what did you really like? And then, like, what do you want to tweak in part two to, like, even take it to the next level?

George Finney: You know, every writer knows that, you know, writing a sequel, you know, is going to be a real challenge, right? You know, especially for something that's been as successful as this book, people have a lot of expectations. And so, gosh, how do you deliver on that I think is something I worry about a lot. You know, at the same time, as a writer, I do the cardinal sin of writers, and I read all the reviews, and, you know, for good or bad, and, you know, I do take those to heart, right? I think one of the criticisms, but also one of the things people liked the most, was, you know, the takeaway section at each book, at each --

Perry Carpenter: Yeah.

George Finney: -- or at the end of each chapter. And, you know, some people really liked that, but other people thought, Hey, you know what, that really disrupts the flow of the narrative. You know, could you put all of the key takeaways at the end. And --

Perry Carpenter: I'm in the camp of liking it.

George Finney: Yeah.

Perry Carpenter: Like, what does George really want somebody to get out of this chapter? Because, you know, the dialogue and everything else is fun. But what are the main points that I just need to, like, try to remember as I go forward?

George Finney: Yeah. You know, so I think I'll keep that. But I really want to think, you know, hard about how I, you know, make that relevant, that I'm not beating you folks over the head too much with an info dump, like you say. So, you know, gosh, you know, we do kind of a recap at the end. I do have, like, appendices with, you know, resources for folks to go and check out that I found helpful. So, you know, I think, you know, again, in the next book thinking about artificial intelligence, you know, it's so much of a game changer today. And I actually talked to the publisher a few weeks ago just to say, Hey, you know, here's the idea. Is this something y'all are -- and I was like, you know, I want to touch on some things that I've maybe glossed over, you know, like EDR. We didn't really cover EDR in a lot of detail, and how that fits into Zero Trust. But also third-party risk, or mergers and acquisitions I think is something that I'm going to want to take on. And I was thinking, Oh, you know, I'll do a chapter on AI. And oh my gosh, Jim came back and he's like, Dude, don't write a chapter on AI. The whole book is going to be about AI. Do every chapter.

Perry Carpenter: Nice. And oh my gosh. AI is a narrative thread because that's going to be integrated into every part of our life and our systems, yeah.

George Finney: That's exactly it. And, you know, in the first iteration of "Project Zero Trust", you know, it was really the hacker driving the narrative and keeping it moving forward. Again, I think AI isn't going to be, like, the bad guy necessarily, but it is going to definitely be the moving force that gets you to go from chapter to chapter.

Perry Carpenter: Interesting.

George Finney: And there's so many different elements, right? You know, AI is not a monolithic issue. There are lots of very specific ways that organizations will have to treat it. And, you know, there's a lot of great thinking going on right now in the community about how to do Zero Trust and AI specifically. So, again, I'm, you know, leveraging the knowledge of the community to get us there.

Perry Carpenter: Yeah. Well, and I think a focus also, like you mentioned, on third-party risk is crucial at this moment. I mean, we've seen over the past few years that third parties are by and far becoming one of the de facto gateways into an organization. I mean, you've got SolarWinds. Just within the past couple of weeks, we had some major healthcare systems taken down through third-party issues. And that is not going to go away, and everybody has to find a way to trust enough whatever people are critical to them doing their business. And so I think putting rational thinking around that and helping people have a framework of understanding, How do I do Zero Trust and also rely on third parties is going to be really, really big. So the last question then. of the characters that you included in the book, who's your favorite and why?

George Finney: I would say that one of the female characters I think I love really the most.

Perry Carpenter: Yeah.

George Finney: Her name is Harmony. Her nickname, and, you know, I love giving characters nicknames in books, I think it just kind of adds that extra depth of character. But some of the folks on the team call her Money. And you know, like, she's the nerd in the room. You know, she's kind of always the one kind of generating some of the pop culture references.

Perry Carpenter: Yeah.

George Finney: You know, again, that's one of the things that people really love the most about the book was like, Oh my gosh, you did a "Step Brothers" reference, or a "Boondock Saints" reference, you know. And as a total aside, every time when you read the book, when you get a pop culture reference, you can almost take it to the bank that that's a point at which I got writer's block. And so, like, that -- that was my way of, like, overcoming, like, Okay, let's make this fun. Let's make this --

Perry Carpenter: Right.

George Finney: -- interesting. I was -- I was having trouble coming up with names for some of the characters and, you know, her name is actually Harmony Gold is her full name. You only get that once in the book, but that's a reference to the company, the animation studio that made Robotech.

Perry Carpenter: Nice.

George Finney: So, you know, that was really nice. You mentioned the consultant earlier. His name is Aaron Rappaport. So, you know, in working with John Kindervag, he didn't want to be a character in the book, which, Okay, cool. And so, again, writer's block, how do I come up with a name? So Aaron Rappaport is Seth Rogen's character in the movie "The Interview", which in the scheme of cybersecurity movie references, right, that's got to be at the top of your list. So, you know, again, I don't have, like, an official count of how many pop culture references I made in the book. You know, again, it's got to be fun. It's got to be something that really connects with you on an emotional level. And, you know, I mean, whether it's some of the music references I do or, you know, other kind of artistic things, man, it was such a joy to write. Which, you know, again, that's -- that's one of the things that I think people take away is, you know, they get that -- that positive belief that, Oh, my gosh, this is -- this is joyful, right? And I think security, cybersecurity in particular, is, I think it's a noble calling.

Perry Carpenter: Yeah.

George Finney: You know, when you think about Maslow's hierarchy of needs, right, you have to have safety and security as a foundation to reach your highest potential as an individual. And what we're doing in our industry is allowing our organizations, all the people in our organizations and our customers to reach their highest potential, because we're protecting them in such a fundamental way. I just love being a part of this and having that be, you know, the driving force in my career to make a difference in the world.

Perry Carpenter: Absolutely. And I see a potential contest for you to do at some point, which is have everybody that has gone through the first book that's already out there and give you page and reference for the cultural references. And then also tie that to, you know, the origin of that. And then the person that sends you the most of those, the most accurate one, gets either a copy of Part 2 or gets their name used as a character in Part 2.

George Finney: Oh, my gosh. You just blew my mind. Okay. Okay, yeah, well, that's happening.

Perry Carpenter: Nice. Okay, so then last thing I want to ask you, three totally unrelated questions, may not even have any -- well, one of them has to do with cybersecurity for sure. And then the other two are like open game. So, number one, when you think of security misconceptions or myths or legends that are out there, what is one that comes to mind that you would either love to dispel or just makes you smile for some reason.

George Finney: So, we're going to dispel a myth.

Perry Carpenter: Okay.

George Finney: There is an unofficial motto in the cybersecurity industry, and I know you've heard it before, but we say, and this is wrong, but we say that people are the weakest link. I think it's probably more accurate to say that people are the only link. And so certainly people are probably the biggest attack surface. At the same time, you know, we've always thought about security as, you know, people, process, and technology, right?

Perry Carpenter: Yeah.

George Finney: And when you see that in your cert book or whatever, you know, they even have the pie chart, so that it's, like, equal slices of the pie. And I think that's totally bogus. It's 100% people. You know, people are the ones that create the technology --

Perry Carpenter: Yeah.

George Finney: -- that configure the technology, that use the technology, people are the one to create the processes, people are the ones that follow the processes or not. And so, you know, it's 100% people. You know, we know that, you know, when you read the Verizon data breach report, we'll see, you know, 90-some percent of breaches are caused by human error. I think that's wrong. I think it's 100%. And, you know, one of the biggest things that I hear in Zero Trust, and when I get questions is like, Oh, okay, well, I shouldn't trust people, right? And again, this comes back to the book. No, I think to accomplish our mission in security, we have to work with other people. We have to trust the other people on our team to get their jobs done, to play their roles. And, you know, I like to think that people are the only link because that's the only way that we can, you know, even have a hope at being successful. So, that -- that's the myth. I think we should stop saying that altogether.

Perry Carpenter: Wonderful. So then pivoting away from security, but because of your interesting position as a writer and as somebody that has to do research, your browser history has to be pretty interesting. What would be something that you find yourself searching for, reading, that would be very, very difficult or awkward to explain to somebody? Out of context.

George Finney: Gosh. Out of context. I mean, it would be really hard to explain post-quantum encryption to my mom. You know, but also I've gone down so many artificial intelligence rabbit holes that, you know, it's -- that's even a weird thing. Like, I'll say this, I am a massive proponent of ChatGPT. I use it every single day. And, you know, what really hooked me was the mobile app. And when they released, I think they call the feature Whisper, but the, you can just --

Perry Carpenter: The voice, yeah.

George Finney: Yeah, you can just talk to it. You don't even -- you don't have to type anymore.

Perry Carpenter: It's amazing.

George Finney: But it responds back, and they did this in a beautiful way. It doesn't sound like an artificial voice. They figured out, you know, whatever magic they're using, to kind of give it like a really human, warm, in-tone voice. And so I will just, of course I picked kind of a female voice, but I will talk to her for, you know, it's just like having the smartest person in the world at your fingertips. Like, you know, gosh, what did I ask her the other day? For some reason, I just got curious and I was like, Well, how does super glue work? And she's like, Okay, here's -- here's how it works. You know, you expose the oxygen and here's what happens. And, like, Well, how did they discover that? And then she tells me how -- okay, well, how does, you know, chemically, like, where do those chemicals come from? Were they just sitting around? I was like, Okay, cool. And then I'm like, you know, I'm getting older and, you know, my sodium content's kind of high.

Perry Carpenter: Yeah.

George Finney: Like, I'm going to eat this taco for lunch. Hey, you know, how much sodium does this company's tacos have for this specific taco that I just ordered? And oh, I don't have to, like, spend minutes looking for, you know, it's crazy that we've got this, like, at our fingertips now. And, you know, I think the future is I think really bright because that's going to free us up to do that much more and be that much more creative.

Perry Carpenter: So you actually did something amazing there that nobody else has done yet when I asked that question, is you broke out of the browser box and went into what is the next stage of search, right? It's a ChatGPT and AI. So ChatGPT, Perplexity, you know, all those are going to be harboring many weird questions that we ask because we're going to interact with them in a more stream of consciousness type of way. So, I love that. Oh, and then a side note on the voice processing and the text-to-speech back on OpenAI, the thing I think that they did brilliantly is as it's doing processing, you'll hear ums and breaths and restarts. And that is amazing.

George Finney: Again, that is so cool. And it feels just -- we've passed the uncanny valley.

Perry Carpenter: Yeah.

George Finney: But I've actually -- I read literally everything and one of my favorite voice actors, her name is Lake Bell. I mean, she wrote a book about how her process, you know, is to develop voice and I just hear so much of what she does as a voice actor in the way that this, you know, AI is speaking back to us. Like, it blows my mind. It's so cool.

Perry Carpenter: It is one of the most amazing synthetic voice experiences you could have, if not the, you know, chart-topping one right now. It'd be interesting to see how -- how different companies evolve to even take that to the next level. All right, then last question should be pretty easy, or maybe hard, but if you had one book to recommend, doesn't have to be a security book, what is -- what is one book that you think virtually everybody should read?

George Finney: I read probably, you know, 50, 60 books a year and I've got so many recommendations, but I think probably my favorite book of the last decade is called "Venomous Lump Sucker".

Perry Carpenter: I have not heard of that one.

George Finney: "Venomous Lump Sucker". So, it came out last year. It reminds me so much of the way that Douglas Adams writes. It's incredibly humorous, but it's tackling the topic of extinction. You know, the premise is, you know, similar to the way that -- that we handle, you know, carbon credits --

Perry Carpenter: Yeah.

George Finney: -- for global warming. The book postulates that at some point there'll be this concept of extinction credits. So, you know, you wipe out a species, fine, but you had to pay for that in terms of your credits and then there's this whole marketplace for credits. And then, you know, some things happen where they have to go save the species, the venomous lump sucker.

Perry Carpenter: Okay.

George Finney: And it's just this hilarious romp --

Perry Carpenter: Yeah.

George Finney: -- through this kind of, you know, near future-- style world where, oh my gosh.

Perry Carpenter: It's thought-provoking cynicism, yeah.

George Finney: Yeah, and it's so my wheelhouse. But yeah, that was -- that was my favorite book of last year, for sure.

Perry Carpenter: Okay, that's on my list now. All right, is there any last thing that you want to make sure people hear?

George Finney: Just thank you so much, Perry, for having me on. I always love chatting with you. Your podcast, I'm not saying this, you know, facetiously, one of my favorite podcasts.

Perry Carpenter: I appreciate it.

George Finney: I've done my own podcast, and, you know, yours is how I wish mine, you know, could be with production value, but gosh, you know, I would say stay positive. Like, there's so much in our industry, particularly right now, that's scary, that is concerning, that makes me angry. But I think, think of it positively, right? What kind of difference can we make every day? And, you know, again, we are making so much of a difference in the world with what we do. Don't let the bad news out there in the world detract from your belief that you can make a difference.

Perry Carpenter: And with that, thanks so much for listening. And thank you to my guest, George Finney. I've loaded up the show notes with more information about George, his previous book, "Project Zero Trust", and a ton of other relevant links and references to what we covered today. If you haven't yet, please go ahead and subscribe or follow wherever you like to get your podcasts. Oh, and I'd also love it if you'd tell someone else about the show. That really helps us grow. If you want to connect with me, feel free to do so. You can find my contact information at the very bottom of the show notes for this episode. The "8th Layer Insights" logo and main show art were designed by Chris Machowski at Ransomwear.net, that's W-E-A-R, and Mia Rune at MiaRune.com. The "8th Layer Insights" theme song was composed and performed by Marcos Moscat. Until next time, I'm Perry Carpenter, signing off. [ Music ]