Stepping into a new position is always difficult. This can be especially true when jumping into a CISO position. Whether you were internally promoted or brought in externally, settling into such a critical role can be quite daunting. This article will provide actionable advice to enable you to secure your network as effectively as possible. The approach we will use is inspired by martial philosophy. It is common to draw parallels between the corporate world and military operations, but no position mirrors an military officer as closely as the CISO role.

You are directly responsible for leading the fight against real-life attackers in a way none of your C-suite peers do. Thus, it is crucial to adopt a martial mindset. In The Art of War, Sun Tzu said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”  Below, you will find advice that will help you win the daily battle for your infrastructure.

Step One: Understand the lay of the land

When you come to a new organization, you must develop a detailed understanding of your infrastructure. It will be useful to ask yourself the following questions:

What is on the network?

What sort of devices and resources do you have?  Get familiar with how many and what types of servers, firewalls, client devices, domain controllers, and more you have. What are their logical and physical locations? Review and update your network topology. Also, understand what is hosted, both internally and externally. What web pages, file shares, and other services are in your network?

How does data flow in and out of the network?

Where are your data ingress and egress points? Find out which resources are externally available and accessible via the internet. Where does data coming in and out of your network go through? Identify your external gateway. Is there a DMZ? Determine where traffic comes in from the DMZ. Get an idea, of which resources are in the DMZ and which are in your internal network.

What does the baseline look like?

What types and quantities of traffic are considered normal? Find out what is common and see if any factors could cause a non-malicious deviation from the baseline. Perhaps your organization allows remote work on the last Friday of the month, which may cause an increase in remote traffic and increase the utilization of certain protocols and services. Understanding this will help to weed out false positives and make your detection strategies more fine-tuned.

Where are your weak spots?

Identify your sensitive infrastructure. What resources on the network are critical for operations? Which resources, if compromised, would result in a severe breach of confidentiality, integrity, or availability? Read articles from penetration testers and ethical hackers to understand what hackers would probably target and why. Doing so allows you to develop a more effective plan to secure your network.

Who is on your team?

Get to know your team. Understand their skills, ambitions, personalities, traits, and qualities. An effective leader reads their team and assigns them roles and responsibilities they will thrive in. Delegating responsibilities will decentralize power in your team, leading to improved effectiveness and anti-fragility. Your people are your greatest asset.

Step Two: Assess and implement security controls

Now that you understand your city, you need to get familiar with your defenses.

What controls are already in place?

Get an understanding of what security controls and policies are already in place. Read up on company security policies and any information passed down from the previous CISO. Speak with your security engineers to better understand what defenses are already in place.

Which controls need to be added or updated?

Based on what you and your team know about the network, determine what controls need to be updated or added. Review prior security audits and vulnerability scans. Identify any open holes in your network that your security team is already aware of and fix them.

How do you know your controls are good enough to stop malicious actors?

Your team fixed the holes they already knew about, but that still leaves two questions. How do I know my controls fixed the issue, and how do I discover the unknown holes in my security? You must test your security. This should be done with internal security audits, vulnerability scanning, and reputable 3^rd party penetration testing.

Step Three: Test your security controls

Validate that your defenses are as good as you think they are. Will they hold up to the enemy? See the attacker’s perspective to take your defense to the next level.

Security Audits

Perform regularly scheduled security audits. Depending on the type of data your team handles, you may fall under different regulatory requirements and will need to audit accordingly.

Vulnerability Scanning

Conduct vulnerability scanning using tools such as Nessus, Qualys, and more. Vulnerability scans are meant to identify low-hanging fruit, so your team can quickly remediate easy-to-fix issues normally resolved by a simple update or patch. Correcting these easy-to-fix security flaws will improve your overall security posture.

Penetration Testing

The most comprehensive way to test your security is to have a penetration test. Penetration testers mimic the tactics, techniques, and procedures of malicious actors. Sometimes called ethical hackers, they attack your network in a controlled, non-destructive way. Their goal is to find and exploit vulnerabilities, flaws in business logic, and other misconfigurations. Much of what they do cannot be replicated by a vulnerability scanner and requires a manual approach. They will help you find flaws in your network, provide remediation guidance, and give you key insight into the minds of hackers.

Armed With Knowledge

Using a penetration tester to understand and protect you from the approach of malicious hackers, brings us full circle to Sun Tzu’s quote, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” If you follow each of the steps in this article, you will gain a profound awareness of your security posture and an attacker’s perspective. This knowledge arms you with insight and capability as you lead your organization to victory in the daily battle against malicious actors.