4 Steps for Getting a Handle on Your Organization's Security Posture as a New CISO

By Dor Sarig

You just signed on as CISO. Congratulations. Now you can expect to be deluged with security emergencies and unresolved issues from your predecessor while you're getting to know and building credibility with your team. Meanwhile, cyberattackers are still pounding at the door. All of these immediate pressures are important, but optimizing organization-wide security is why you were hired. Here are four steps that will help you identify security priorities and appropriate remediation steps, so you can begin moving the organization forward as quickly as possible.

1. Take Inventory, Test, and Measure—30 Days

What's already in place at your organization? According to [1], large enterprises report having 30 to 70 security vendors. That can mean having dozens or hundreds of security controls, policies, and management tools. Disconcertingly, the report also notes there is a "veritable epidemic of misconfigured, disconnected, turned off, and non-optimized security tools all over the organization." That's not counting the possibility that an attacker has already breached the organization and compromised controls.

Don't forget to assess gateways and connections to third-party business partners. Supply chain attacks are increasing as attackers seek to exploit weak links in small companies' security practices in order to gain access to the much larger enterprise that the smaller companies serve.

Policy review is critical to ensuring a full understanding of the security environment. It's likely that systems, business processes, policy owners, legal requirements, and other factors have changed during your predecessor's tenure and existing policies no longer align with business needs. Getting your arms around the current security posture means first identifying all vendors, controls, policies, and third-party connections currently in place.

Once you know what is there, assess what is working—and how well—and what isn't. In dynamic threat landscapes with dozens of threat vectors that change constantly, you need specific data about your controls. How broad is coverage? Network only? Network, hosts, and endpoints? How sensitive are controls? Can you successfully defend against attackers' current tactics, techniques, and procedures (TTPs)? Manual and pen testing processes provide insight, but they are time-consuming and costly to conduct on a frequent basis, and they can only deliver a snapshot of security strength at any given time.

Testing frequency and consistency are key to gaining accurate data for evaluation, so rather than relying on periodic manual assessments alone, consider automated tools that correlate findings with real-time threat data.

2. Assess Risk and Identify Gaps—15 Days

Once you have tested and measured the existing security environment, you have data for assessing risk and identifying gaps. Compare your test results with security best practices and risk assessment guidelines [2]. Cybersecurity risk increases with gaps in coverage, lack of specific functionality, or reduced incident response ability. Gaps can occur anywhere:

  • Enterprise perimeter: Gaps that threats exploit to gain entry through email, web browsing (such as drive-by-downloads), and web applications (including retail or online banking websites)
  • Enterprise internal network: Gaps that enable an attacker to compromise endpoints, establish command and control, move laterally to other endpoints or network segments, or exfiltrate data

3. Prioritize and Act—40 Days

With a clear, documented picture of gaps and associated risk, you can turn your findings into an action plan. Each business must decide its own priorities. Depending on your company's overall business goals and available resources, prioritize remediations accordingly. For example, tightening email security can quickly reduce business risk and free valuable IT time for other projects. A web-based business might prioritize upgrading its web application firewall instead of reducing risks associated with outbound web browsing because it's launching a new customer-facing service.
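To make steps 2 and 3 concrete, the following is an added example (not code from the original post or from Cymulate) of turning control test results into a ranked gap list and a remediation plan. It assumes each test produces a blocked/attempted count per control, maps measured coverage to the 1-5 likelihood and impact scales that NIST SP 800-30 uses qualitatively, and picks remediations greedily by risk reduction per unit of effort within an available budget. The vectors follow the perimeter/internal split above; all numbers are constructed for illustration, and the 0.75 coverage threshold, impact values, and effort figures are assumptions an organization would set for itself.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlTest:
    vector: str      # attack vector the control is meant to cover
    layer: str       # "perimeter" or "internal", matching the gap categories above
    control: str     # the control under test
    blocked: int     # test cases the control stopped
    attempted: int   # test cases run against it

    @property
    def coverage(self) -> float:
        return self.blocked / self.attempted if self.attempted else 0.0


# Constructed sample results, as an automated or manual assessment might report them.
SAMPLE_RESULTS = [
    ControlTest("email", "perimeter", "secure email gateway", 18, 20),
    ControlTest("web browsing", "perimeter", "web proxy", 9, 20),
    ControlTest("web application", "perimeter", "WAF", 16, 20),
    ControlTest("endpoint", "internal", "EDR", 14, 20),
    ControlTest("command and control", "internal", "egress filtering", 5, 20),
    ControlTest("lateral movement", "internal", "network segmentation", 10, 20),
    ControlTest("data exfiltration", "internal", "DLP", 7, 20),
]

# Assumed business impact per vector on a 1 (low) to 5 (high) scale.
IMPACT = {
    "email": 3, "web browsing": 3, "web application": 4, "endpoint": 4,
    "command and control": 4, "lateral movement": 5, "data exfiltration": 5,
}

# Assumed remediation effort per control, in person-days.
EFFORT = {
    "secure email gateway": 5, "web proxy": 10, "WAF": 20, "EDR": 15,
    "egress filtering": 5, "network segmentation": 40, "DLP": 30,
}


def likelihood(coverage: float) -> int:
    """Map measured coverage to a 1-5 likelihood: full coverage -> 1, none -> 5."""
    return 1 + round(4 * (1.0 - coverage))


def assess_gaps(tests, impact, threshold: float = 0.75):
    """Return controls whose coverage falls below the threshold, ranked by risk.

    Risk is likelihood * impact; ties are broken by lower coverage first.
    """
    gaps = []
    for t in tests:
        cov = t.coverage
        if cov >= threshold:
            continue  # adequately covered: not a gap at this threshold
        lik = likelihood(cov)
        imp = impact[t.vector]
        gaps.append({
            "vector": t.vector, "layer": t.layer, "control": t.control,
            "coverage": round(cov, 2), "likelihood": lik, "impact": imp,
            "risk": lik * imp,
        })
    gaps.sort(key=lambda g: (-g["risk"], g["coverage"]))
    return gaps


def prioritize(gaps, effort, budget: int):
    """Greedy plan: highest risk reduction per unit of effort first, within budget.

    Returns the ordered list of controls to remediate and the unspent budget.
    """
    ranked = sorted(gaps, key=lambda g: g["risk"] / effort[g["control"]], reverse=True)
    plan, remaining = [], budget
    for g in ranked:
        cost = effort[g["control"]]
        if cost <= remaining:
            plan.append(g["control"])
            remaining -= cost
    return plan, remaining


if __name__ == "__main__":
    found = assess_gaps(SAMPLE_RESULTS, IMPACT)
    for g in found:
        print(f"{g['layer']:9} {g['vector']:20} {g['control']:22} "
              f"coverage={g['coverage']:.2f} risk={g['risk']}")
    plan, left = prioritize(found, EFFORT, budget=50)
    print("remediate first:", plan, "| unspent person-days:", left)
```

On the sample data the exfiltration and command-and-control gaps carry the highest risk, but the plan still puts the cheap egress-filtering fix ahead of the expensive DLP and segmentation projects because it buys more risk reduction per person-day; that is the resource-dependent ordering step 3 describes, and swapping in a different budget or effort table changes the plan without changing the gap list.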

4. Remediate and Repeat—15 Days

Once remediation is complete, adopt a proactive test method to continuously test your environment. Continual testing provides up-to-the-minute status of any, or all, security controls and policies. As attackers change tactics or your attack surface changes, any new vulnerabilities or gaps that might arise don't go unnoticed. Test across all vectors in an ad hoc manner or schedule regular assessments. Gain in-depth visibility into controls for optimizing or replacing them. Conduct pre-purchase testing on new solutions you're considering. By testing products under evaluation, you can avoid disappointing results and products that don't perform as hoped, and potentially save millions of dollars in product and implementation costs.

Get off to a fast start in testing, assessing, and remediating the environment in your new organization. Cymulate represents a completely new way of proactively ensuring your security posture is working as you expect. Fast, easy to deploy, and cloud-based, Cymulate gives you insight in as little as 10 minutes. See a free demo by visiting here.

[1] Utilizing Breach and Attack Simulation Tools to Test and Improve Security, Gartner, May 17, 2018

[2] Guide for Conducting Risk Assessments, NIST Special Publication 800-30, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
