When George Finney was studying law at Southern Methodist University, a private university in metropolitan Dallas with 11,649 students (undergrad and graduate), his supervisor made him a “deal of a lifetime,” he says. Finney had some network engineering experience, but he really wanted to get his law degree to do patent law. “It turns out that life is always interesting,” he says. “While I was studying law, I helped the only cybersecurity engineer who was on staff, and it wasn’t a full-time role. After I finished law school, my former supervisor in IT security named me the head of the SMU Cybersecurity program, as CSO. While I’m not practicing law per se, I do believe that I am doing some type of law work, as I’m exposed daily to SOC or PCI compliance in addition to networking, system administration and cybersecurity technology. My law degree gives me the background and knowledge about what I need legally to do if there is a cyber incident, specifically the steps that I need to take.”

In his role, Finney reports to the SMU CIO but has access to the SMU Board of Directors. “That’s where the CSO role continues to move,” he says. “As CSOs, we have to be able to communicate to about risk exposure and not specific technologies. I have to speak about potential compliance issues. Ten years ago, my role focused on technology, but today’s CSOs are trying to be partners to the business.”

On his team are four full-time staff members for cybersecurity and two team members for physical security. He also has several outsourced providers to fill in gaps on services such as penetration testing and staffing the security operations center. “My team is fairly small compared to some of my corporate friends,” Finney says. “But I also take a different view in that everyone [on campus] is a security employee, all working to keep everyone safe, and I like to think of myself as a coach  to set up the playbook right, whether it’s an incident response plan or other program.”

Finney likes the constituency that he and his team serve, which includes students, faculty and visitors to the university. “The joy of working at a university is that we get to be on campus and see our customers every day.  We also play a part in educating them to be digital citizens,” he says. “Students all will eventually leave campus and find their own careers, but while they are with us, we want to not just protect their personal information, we also are hopefully setting them up to be digitally secure for the rest of their lives. I think it’s a great mission, and I’m really excited to be a part of it.”

Part of that lifelong lesson, he says, is being proactive and teaching that to students and faculty, as well. “Part of my mission is to teach others and my team to be proactive and not reactive. It’s been a long process to get there: it’s required funding and its required support. We are not there yet but we are on the cusp of turning the corner.”

Finney is a proponent of removing barriers that may prohibit the next generation of cybersecurity leaders. “With most job postings, there’s a high barrier of entry. We are requiring industry-specific experience, and we should not be doing that,” he explains. “For example, with the banking industry, which is one of the biggest employers of cybersecurity, they require five or 10 years of banking experience, which eliminates many qualified candidates. Also, many employers require a candidate to have Splunk training. That’s a great product and knowledge to have, but is that training valuable to us long-term? We need to remove barriers to find qualified candidates. I can provide specific training once the candidate is on the job. When I recently filled a position, I removed many barriers, and I received 10 times as many qualified candidates.”

“Collectively as CSOs and leaders in the community, we need to commit to educating our employees and future leaders to close the [cybersecurity] skills gap,” Finney continues. “There aren’t enough college graduates to fill cybersecurity jobs. One way is to look internally at candidates who have the skill sets and to train them.”

In his free time, Finney is a published writer. His book, No More Magic Wands: Transformative Cybersecurity Change for Everyone, discusses a story that’s common with businesses today: a security breach and how to address security problems. It offers advice that can assist cybersecurity professionals in influencing good practices within their organization.  “Writing has been my passion and my mission to shepherd in the next generation of security awareness training,” he says.  

Critical Issues

1. Active Shooter
2. Data Security
3. Rogue Insider Threats