Are you (and your enterprise) struggling to keep up with the pace of today’s cyber security challenges? You aren’t alone, but you aren’t without resources.

Michael S. Oberlaender has worked in executive security roles (CSO/CISO) in both the U.S. and EU (Germany) and in IT for more than 20 years. Most recently, he has been serving as Chief Security Officer for Kabel Deutschland AG, the largest European cable network provider, after working as Chief Information Security Officer for FMC Technologies Inc., a leading oil field services and engineering company in Houston, Texas.

Oberlaender’s new book, C(I)SO – And Now What?: How to Successfully Build Security by Design, covers a new CISO or CSO’s initial phases in the job, including setting expectations, base-lining, gap analysis, building capabilities and variances in organizational charts. For more advanced enterprise security leaders, the book leads you to define security architecture, addressing secure development processes, application security and security policy levels.

Additional topics include awareness programs, asset management, conducting audits, risk management, strategy development, ROI, developing trust relationships, incident response, forensics and crisis management.

The following is an excerpt from C(I)SO – And Now What?, provided by Michael Oberlaender.


Chapter 12: Security Architecture

The next item to tackle is the overall security architecture – and this includes several things. But let me first state the disclaimer that of course it is imperative that the correct governance and policies are in place and that technology can’t replace those things. But, it is also clear that however sophisticated, no paper document or process design will block an attack in the meantime until you have both the supporting policies and the enforcing technologies set up. It is therefore – as a reality check if you want – necessary to take care of the very basic things, to have the long standing “perimeter” (this is the “outer wall” so to speak, the common (logical) border line around your company’s infrastructure and network, the “first line of defense”) in place, and a few other common necessities such as antivirus filters, intrusion prevention, secure browsers and a SIEM (Security Information and Event Management) system as well. Here is why:

No matter what kind of business you have, no matter how sophisticated your processes and products are – your company most certainly will have a network using TCP/IP, it will exchange files with 3rd parties (inside and outside the perimeter), and it most likely will use the security-prone MS Windows products (at least at the user client side). So you don’t need to wait for any time-costing BIA or security audit (both are nevertheless indispensable though!), it is a matter of fact that you need “a” firewall (for the perimeter, I explain the “a” later), an AV solution, an IPS (prevention, not detection), and a secure browser as today’s most used interaction tool with the outside (and inside) world. Finally, the SIEM solution will provide you with the needed visibility into your network, and it will (if configured and managed properly) help you to discover unwanted traffic (or behavior) and to develop the awareness and later the strategy of what needs to be addressed and why.

So what I am telling you here is that you should not do it strictly “by the books” and wait for the BIA and other great analysis work to be done, but instead insist on having “a :=” state of the art firewall solution in place, and should you not have one, get one now! What do I consider as such? Well, I personally like the Palo Alto Networks solution, as I have done my research and real world test with that – it is a great improvement in comparison to the old world’s Checkboings, Jupyters and Cislos (and the like). The PAN device has been completely newly developed (from scratch) with the shortcomings of the traditional firewalls in mind, and the product is performing its role very well. When I predicted this already a couple of years ago, few seemed to listen – but Palo Alto Networks' growth and success over the last years speaks for itself, and I can only re-iterate my previous comments .

Talking about firewalls, I want to make it very clear once and for all: a network switch or router is a network switch or router and is NOT TO BE USED as a firewall, regardless of what the vendors will tell you. Keep this in mind, and make sure this is understood by any network administrator in your company. Make sure that the security tools are not in fact operated by network folks but instead by security folks reporting to you and not vice versa.

That doesn’t mean that you cannot, in addition, use a TCP/IP filter on your router or a “personal firewall” on your endpoint device – but those cannot be your single points of failures, as you will need the “in-depth” perimeter firewalls nevertheless. An additional benefit of the PAN solution is its integration of the IPS and a couple of other filters (even malcode:=”malicious code”, this is all kinds of code with a malicious purpose against you) as well, so you can simplify and consolidate some of the most necessary security functions in this choke point. Make sure though that you have its logs reported into your SIEM solution to get the security cockpit/dashboard informed about their blockings and effectiveness.

In case your company uses outdated browsers on the client-side, make sure these also get upgraded as soon as time allows. This will ensure that the most used (and therefore most attacked) interface to the Internet (and intranet, but the first one is where most of the attacks are coming from) is secured as much as possible – this will “strengthen” (to some extent) your perimeter approach. It can also have the nice side-effect to increase productivity in your company, depending on your browser usage and business type. With one of my previous employers I helped them to save ~$6.5 million per year just by upgrading the browser and increasing productivity/speed of their call center agents (see also chapter 21 “Building ROIs”). Not a bad thing to build your creditability at the C-level.

Once you have the most basic security technologies in place, and meanwhile hopefully your BIA and process analysis done, you should now have an idea what additional risks and areas of concern are out there in your realm. So you then need to develop a security architecture that addresses these findings per design. A few suggestions are:

  • A network separation (i.e. a separate administration network), a separate development (and test) network from production,
  • A multi-tier security in-depth approach (each layer of the TCP/IP model needs to have at least one security mechanism in place – see also chapter 20 “Strategy Development” and Figure 19: Security Stack),
  • A hardened operating system,
  • A compartmentalized virtualization environment,
  • Secured collaboration tools,
  • And certain security tools at the client side readily available, such as providing usable encryption (confidentiality), hash controls (integrity) and backups (availability).

There is certainly more than this, but it really depends on your specific situation and environment, and the BIA should help you to develop your business case for that. A good idea is to use the TOGAF reference model to define your overall enterprise (security) architecture and build in security from the ground level (see Figure A: [Security] Architecture Based On TOGAF) and covered by adequate and accompanying policies.

You can find out more about this book or purchase a copy at or