author photo
By Bruce Sussman
Thu | Oct 18, 2018 | 5:38 AM PDT

What is the role of the Chief Security Officer within an organization?

We recently interviewed CSO George Finney of Southern Methodist University about the Chief Security Officer's high-level responsibilities.

It became clear during our chat that number one on his list is relationship building:

"The times that I think I've been successful in security are the times when I've built that relationship over months and years and I see that come to fruition during an incident, or I see how they've influenced their department because of a conversation we've had."

Watch our interview from the recent SecureWorld Dallas cybersecurity conference:

Finney describes what a Chief Security Officer role is not about and then flips to what a CSO can do to make an organization better and more secure.

He believes in being a student of an organization's culture and operating security within that culture. If not, he says, a Chief Security Officer and related security team efforts will become less effective.

"As executives we always come up with new strategies for how to accomplish some kind of goal. The same is true with cybersecurity. We are coming up with strategies for how to prevent hacking, but we're kind of ignoring culture. We're largely ignoring the larger picture of our companies and organizations, and I think it has a huge impact on us and is kind of blind spot for us." 

And he says information security must no longer call employees in the rest of the business "the weakest link." Finney says that label lowers the motivation for individuals to take security seriously because it creates a culture of "learned helplessness."

Instead, he says, "Help people believe that change is possible, right, and that this is not a hopeless situation."

And as Chief Security Officer, he is always looking for unexpected opportunities to align with other parts of the organization.

"We partner with our human resources department to be a part of our wellness program. People are already motivated to eat healthy, to exercise, to make the right security behaviors as part of that program where rewards and incentives are built-in already... that kind of gets people engaged."

Finney is a part of the SecureWorld Dallas Advisory Council that helps drive the direction of the annual gathering.