Project Zero Trust by George Finney - A Book Review
Posted on September 10, 2025 • 5 minutes • 882 words
The Book and the Author
The book tells a fictional story about a security director who has just started at a company that suffered an incident. The story shows how to implement Zero Trust with John Kindervag's 5-Step Methodology. For readers with a technical background, it helps to understand how security is managed within a business: information technology, and its cybersecurity branch, exist to support the core business functions.
The author, George Finney, is the CISO of The University of Texas System. He has more than 2 years of professional experience in the industry and holds a CISSP from ISC2. He published the book on October 4, 2022, and it's available on Amazon.
If you’re looking for a more engaging book about Zero Trust and its meaning for businesses, I recommend George Finney’s award-winning book.
These are the citations that I want to highlight.
Citations from the book
Then, in 1983, an NSA computer scientist and cryptographer named Robert H. Morris testified before Congress, warning of network threats via a new phenomenon called “the computer virus.” In one of the great cosmic ironies of the computer age, his son Robert Tappan Morris created arguably the first computer worm, the eponymous Morris worm, in 1988. (p.9)
…they had printed out all of their critical documentation on paper to ensure that it would be available even if their computers were offline. (p.27)
Don’t use the words ‘least privilege.’ Say, ‘Aaron, do you need that access to that data to do your job?’ I’ll bet most times the answer is no. (p.32)
“I think we’ve all seen admin privileges given out to directors or executives as a status symbol instead of as a core part of their jobs,” (p.32)
In practice, the attack surface for a global organization with users working remotely could encompass the whole world. Rather than focusing on your “attack surface,” which is huge and hard for you to control, the Zero Trust design methodology focuses on what you can control: protect surfaces. (p.42)
When someone swipes their card, their picture pops up on the video screen so the guard can verify that it really is the person in the video. (p.52)
They have a process for incident response when they see an issue happening. It’s good that they are able to reboot them, but with Zero Trust, we need to get to the root cause of an issue to proactively prevent the problem from happening again,” (p.53)
We need to make sure we aren’t running the container over a TCP socket. It needs to run as a Unix socket. (p.120)
All API calls should be logged for at least a year, similar to how other logs are stored for investigative purposes. (p.125)
Contract provisions should require vendors to have cyber insurance, particularly since two-thirds of all breaches are caused by vendors. Vendors should be required to pay the costs of notifying victims. (p.125)
For all significant technology contracts, IT, security, and legal should review the terms of the agreement and approve them before it is signed. These teams must be able to say “no” to a vendor if their security has significant red flags. And you should be able to get out of a contract if the vendor experiences a breach. (p.125)
Pygmalion effect. Our beliefs about people influence our actions; our actions impact what other people believe about themselves; and their actions reinforce our beliefs. The most important part of being successful at something is believing that it’s possible.” (p.137)
Fifty percent of all human behaviors are based on habits. To have a chance at improving our security outcomes, we need to make critical security behaviors into a habit. (p.141)
Research from David Centola and his colleagues at the University of Pennsylvania indicates that to create long-term sustainable change, we only need twenty-five percent of a group to adopt new behaviors for the group as a whole to change their collective behaviors. (p.141)
We have seen some clever exfiltration techniques over the years,” Peter said. “Just taking over the flashing LED on a computer can be used to download data at about 4Kbps. The drone needs to be less than one hundred feet from the LED. (p.155)
Like most things in cybersecurity, the model for how to conduct a successful tabletop exercise can be found in a NIST Standard. For tabletop exercises, the NIST Special Publication is 800-84. (p.157)
A tabletop exercise can help make IT teams more efficient during a real event. (p.158)
Experts call this phenomenon the fog of war. Our brains will naturally start to connect the dots to draw conclusions, but often we don't have all the information we need to create a clear picture. The best way to combat the fog of war is to communicate, ask questions, be transparent, but most of all, don't stick with your conclusions when you receive new information. (p.159)
…it’s important to benchmark your Zero Trust journey and measure your maturity over time. (p.162)
The NSA actually had some pen testers attempt to get into different networks, but when they told them they were using deception technologies, the red teams started to doubt their own tools and questioned whether the targets they were finding that had weaknesses were actually decoys. This effect persisted even when the NSA wasn’t actually using deception.” (p.165)
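The citation from p.120 about not running "over a TCP socket" is, in practice, a check on how the Docker Engine API is exposed: dockerd listens on the local Unix socket unix:///var/run/docker.sock by default, and a tcp:// entry in the `hosts` list of /etc/docker/daemon.json (or a -H flag) opens the same root-equivalent API to the network. The following audit script is an added example, not code from the book or from the review; it assumes that reading of the excerpt, and the two daemon.json documents it inspects are constructed samples.

```python
"""Audit a Docker daemon.json `hosts` list for API listeners exposed over TCP.

Added example. Assumption: the p.120 excerpt refers to the Docker Engine API
socket. Both sample configurations below are constructed for illustration.
"""
import json
from typing import Dict, List

# dockerd's default listener when `hosts` is not set at all.
DEFAULT_UNIX_SOCKET = "unix:///var/run/docker.sock"

# Constructed sample: the weak setting, API exposed on every interface over
# plain TCP next to the Unix socket.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "log-driver": "json-file",
})

# Constructed sample: the corrected setting, Unix socket only.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock"],
    "log-driver": "json-file",
})


def parse_hosts(daemon_json: str) -> List[str]:
    """Return the listener URIs from a daemon.json document.

    An absent `hosts` key means dockerd uses only the default Unix socket.
    """
    config = json.loads(daemon_json)
    hosts = config.get("hosts", [DEFAULT_UNIX_SOCKET])
    if isinstance(hosts, str):
        hosts = [hosts]
    return [str(h) for h in hosts]


def audit_hosts(hosts: List[str], tls_verify: bool = False) -> Dict[str, List[str]]:
    """Classify each listener as 'ok' or a 'finding'.

    Unix sockets (and fd:// / npipe://, whose address is fixed outside this
    file) are acceptable. Any tcp:// listener is a finding: without TLS client
    authentication, anyone who can reach the port controls the host; even with
    --tlsverify the exposure is wider than a file-permission-guarded socket.
    """
    result: Dict[str, List[str]] = {"ok": [], "findings": []}
    for uri in hosts:
        scheme, _, rest = uri.partition("://")
        if scheme in ("unix", "fd", "npipe"):
            result["ok"].append(uri)
            continue
        if scheme != "tcp":
            result["findings"].append(f"{uri}: unrecognised listener scheme")
            continue
        # Host part of host:port; handles bracketed IPv6 and an empty host.
        bind_host = rest.rsplit(":", 1)[0] if ":" in rest else rest
        if bind_host in ("", "0.0.0.0", "[::]"):
            where = "every network interface"
        elif bind_host in ("127.0.0.1", "localhost", "[::1]"):
            where = "the loopback interface"
        else:
            where = f"interface {bind_host}"
        if tls_verify:
            result["findings"].append(
                f"{uri}: API exposed over TCP on {where} (TLS client auth on); "
                "prefer the Unix socket unless remote access is required")
        else:
            result["findings"].append(
                f"{uri}: API exposed over TCP on {where} with no TLS client auth; "
                "anyone who can reach the port controls the host")
    return result


def is_unix_socket_only(daemon_json: str, tls_verify: bool = False) -> bool:
    """True when the configuration produces no findings."""
    return not audit_hosts(parse_hosts(daemon_json), tls_verify)["findings"]


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        report = audit_hosts(parse_hosts(doc))
        print(f"{label}: ok={report['ok']}")
        for finding in report["findings"]:
            print(f"  FINDING {finding}")
```

On a real host, replace the embedded samples with the contents of /etc/docker/daemon.json and, where the daemon is started with -H flags instead, the listener list from the dockerd command line; a systemd-managed daemon may also take its socket from docker.socket, which the fd:// entry reflects.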