
Book Review: How to Build Security with Strong Architecture

Struggling to keep up with today’s cyber security challenges? Read more on how CISOs or CSOs can develop a modern plan for cyber security.


Michael S. Oberlaender, author of C(I)SO – And Now What?: How to Successfully Build Security by Design


 Figure A: Security Architecture Based on TOGAF. Graphic provided by Michael Oberlaender 


 Figure B: The Structured Solutions Approach. Graphic provided by Michael Oberlaender 

September 1, 2013

Are you (and your enterprise) struggling to keep up with the pace of today’s cyber security challenges? You aren’t alone, but you aren’t without resources.

Michael S. Oberlaender has worked in executive security roles (CSO/CISO) in both the U.S. and EU (Germany) and in IT for more than 20 years. Most recently, he has been serving as Chief Security Officer for Kabel Deutschland AG, the largest European cable network provider, after working as Chief Information Security Officer for FMC Technologies Inc., a leading oil field services and engineering company in Houston, Texas.

Oberlaender’s new book, C(I)SO – And Now What?: How to Successfully Build Security by Design, covers a new CISO or CSO’s initial phases in the job, including setting expectations, base-lining, gap analysis, building capabilities and variances in organizational charts. For more advanced enterprise security leaders, the book leads you to define security architecture, addressing secure development processes, application security and security policy levels.

Additional topics include awareness programs, asset management, conducting audits, risk management, strategy development, ROI, developing trust relationships, incident response, forensics and crisis management.

The following is an excerpt from C(I)SO – And Now What?, provided by Michael Oberlaender.

 

Chapter 12: Security Architecture

The next item to tackle is the overall security architecture – and this includes several things. But let me first state the disclaimer that of course it is imperative that the correct governance and policies are in place and that technology can’t replace those things. But, it is also clear that however sophisticated, no paper document or process design will block an attack in the meantime until you have both the supporting policies and the enforcing technologies set up. It is therefore – as a reality check if you want – necessary to take care of the very basic things, to have the long standing “perimeter” (this is the “outer wall” so to speak, the common (logical) border line around your company’s infrastructure and network, the “first line of defense”) in place, and a few other common necessities such as antivirus filters, intrusion prevention, secure browsers and a SIEM (Security Information and Event Management) system as well. Here is why:

No matter what kind of business you have, no matter how sophisticated your processes and products are – your company most certainly will have a network using TCP/IP, it will exchange files with 3rd parties (inside and outside the perimeter), and it most likely will use the security-prone MS Windows products (at least at the user client side). So you don’t need to wait for any time-costing BIA or security audit (both are nevertheless indispensable though!), it is a matter of fact that you need “a” firewall (for the perimeter, I explain the “a” later), an AV solution, an IPS (prevention, not detection), and a secure browser as today’s most used interaction tool with the outside (and inside) world. Finally, the SIEM solution will provide you with the needed visibility into your network, and it will (if configured and managed properly) help you to discover unwanted traffic (or behavior) and to develop the awareness and later the strategy of what needs to be addressed and why.

So what I am telling you here is that you should not do it strictly “by the books” and wait for the BIA and other great analysis work to be done, but instead insist on having “a :=” state of the art firewall solution in place, and should you not have one, get one now! What do I consider as such? Well, I personally like the Palo Alto Networks solution, as I have done my research and real world test with that – it is a great improvement in comparison to the old world’s Checkboings, Jupyters and Cislos (and the like). The PAN device has been completely newly developed (from scratch) with the shortcomings of the traditional firewalls in mind, and the product is performing its role very well. When I predicted this already a couple of years ago, few seemed to listen – but Palo Alto Networks' growth and success over the last years speaks for itself, and I can only re-iterate my previous comments.

Talking about firewalls, I want to make it very clear once and for all: a network switch or router is a network switch or router and is NOT TO BE USED as a firewall, regardless of what the vendors will tell you. Keep this in mind, and make sure this is understood by any network administrator in your company. Make sure that the security tools are not in fact operated by network folks but instead by security folks reporting to you and not vice versa.

That doesn’t mean that you cannot, in addition, use a TCP/IP filter on your router or a “personal firewall” on your endpoint device – but those cannot be your single points of failure, as you will need the “in-depth” perimeter firewalls nevertheless. An additional benefit of the PAN solution is its integration of the IPS and a couple of other filters (even malcode:=“malicious code”, this is all kinds of code with a malicious purpose against you) as well, so you can simplify and consolidate some of the most necessary security functions in this choke point. Make sure though that you have its logs reported into your SIEM solution to get the security cockpit/dashboard informed about their blockings and effectiveness.

In case your company uses outdated browsers on the client-side, make sure these also get upgraded as soon as time allows. This will ensure that the most used (and therefore most attacked) interface to the Internet (and intranet, but the first one is where most of the attacks are coming from) is secured as much as possible – this will “strengthen” (to some extent) your perimeter approach. It can also have the nice side-effect to increase productivity in your company, depending on your browser usage and business type. With one of my previous employers I helped them to save ~$6.5 million per year just by upgrading the browser and increasing productivity/speed of their call center agents (see also chapter 21 “Building ROIs”). Not a bad thing to build your credibility at the C-level.

Once you have the most basic security technologies in place, and meanwhile hopefully your BIA and process analysis done, you should now have an idea what additional risks and areas of concern are out there in your realm. So you then need to develop a security architecture that addresses these findings per design. A few suggestions are:

  • A network separation (i.e. a separate administration network), a separate development (and test) network from production,
  • A multi-tier security in-depth approach (each layer of the TCP/IP model needs to have at least one security mechanism in place – see also chapter 20 “Strategy Development” and Figure 19: Security Stack),
  • A hardened operating system,
  • A compartmentalized virtualization environment,
  • Secured collaboration tools,
  • And certain security tools at the client side readily available, such as providing usable encryption (confidentiality), hash controls (integrity) and backups (availability).

There is certainly more than this, but it really depends on your specific situation and environment, and the BIA should help you to develop your business case for that. A good idea is to use the TOGAF reference model to define your overall enterprise (security) architecture and build in security from the ground level (see Figure A: [Security] Architecture Based On TOGAF) and covered by adequate and accompanying policies.

You can find out more about this book or purchase a copy at www.amazon.com or www.createspace.com   
