Analyze the Attack Surface Before Taking a CISO Job
December 29, 2020
Post by Jeremiah Grossman
I once had a conversation with a Chief Financial Officer (CFO) who said whenever they join a new company, they never know what they’ll find lurking in the financials until well after their first day. They said it’s a little nerve-wracking to be unclear about the level of accuracy in the financial reports, internal spending control discipline, accounting or equity rule violations, contractual obligations, illegal activity, and more that they may be walking into. It makes sense, since it’s not likely that the company will be willing, or even able, to share highly sensitive information with an applicant. So, in many ways, a CFO takes their chances with a new company and assumes they’ll uncover things that will need to be cleaned up. Their stories seemed to mirror what a Chief Information Security Officer (CISO) faces when they consider joining a new company as well. They’re largely blind to the issues going in.
When a CISO arrives on their first day to receive their RFID badge and login credentials, it’s not uncommon for it to take weeks, perhaps months, before they feel like they have their arms around the environment they’re responsible for protecting. In the meantime, they’ll assign tasks to learn what assets are where, connected to what, where [sensitive] data is located, the state of patch and configuration management, what software and which versions are installed, who is hosting in what data centers, and so on. When an incident could happen at any time, that’s a long time to wait before learning what exactly they’ve signed up for and gotten themselves into. Sure, the interviews with the CEO, CTO, CFO, CRO, CIO, and EIEIO may shed some light on what the business needs or what it is at risk from, but probably not much. That’s what the CISO is for, after all.
I think we can do better. These days there’s no reason why, prior to interviewing for a CISO position, someone shouldn’t be able to obtain and proactively analyze a company’s attack surface map. This attack surface map should, at the very least, include all the Internet-accessible assets owned by the company, including all domain names, hostnames, IP ranges, and associated metadata about each and every asset – be they web servers, name servers, mail servers, VPN gateways, IoT devices, and more, in whatever country and data center they reside. I mean, if it’s a large enterprise or a high-profile target, adversaries are performing reconnaissance every single day anyway. We should be on equal footing.
From the attack surface map, a would-be CISO would have a far better sense of the overall size of the environment, the degree of IT hygiene, diversity of software and technology across the ecosystem, regulatory requirements, third-party vendor relationships, and perhaps even be able to identify some unknown exposures prior to meeting with the executive team. Consider it a form of due diligence research performed on the company in addition to understanding their core business.
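To make the due-diligence view above concrete, here is an added example (not Bit Discovery's code or the post's own) that takes an already-collected attack surface map and derives the signals the post lists: environment size, hygiene, software diversity, countries, and third-party hosting. The company, hostnames, IPs, versions and the end-of-life table are all constructed for illustration; the script analyzes an inventory you already have and performs no reconnaissance itself.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    """One row of an attack surface map, with the metadata the post calls for."""
    hostname: str
    ip: str
    kind: str        # web, dns, mail, vpn, iot, ...
    software: str    # product observed on the asset
    version: str
    country: str
    hosting: str     # who runs the data center: "self" or a vendor name

# Constructed sample map for a hypothetical "example.org" (RFC 5737 documentation IPs).
SAMPLE_MAP = [
    Asset("www.example.org", "198.51.100.10", "web", "nginx", "1.18.0", "US", "self"),
    Asset("shop.example.org", "203.0.113.5", "web", "Apache", "2.2.34", "DE", "VendorCloud"),
    Asset("ns1.example.org", "198.51.100.53", "dns", "BIND", "9.16.1", "US", "self"),
    Asset("mail.example.org", "198.51.100.25", "mail", "Postfix", "3.5.6", "US", "self"),
    Asset("vpn.example.org", "203.0.113.20", "vpn", "OpenVPN", "2.4.9", "SG", "VendorCloud"),
    Asset("cam-lobby.example.org", "203.0.113.77", "iot", "CamFirmware", "1.0", "SG", "VendorCloud"),
]

# Constructed "minimum supported major.minor" table used purely as a hygiene signal
# (an assumption for the example, not a statement about real product support).
MIN_SUPPORTED = {"Apache": "2.4", "BIND": "9.16", "OpenVPN": "2.5"}

def _older_than(version: str, floor: str) -> bool:
    """Compare only major.minor so patch-level strings do not break the check."""
    parse = lambda v: tuple(int(p) for p in v.split(".")[:2])
    return parse(version) < parse(floor)

def summarize(assets):
    """Turn an attack surface map into the pre-interview due-diligence view."""
    stale = [a for a in assets
             if a.software in MIN_SUPPORTED and _older_than(a.version, MIN_SUPPORTED[a.software])]
    third_party = [a for a in assets if a.hosting != "self"]
    return {
        "size": len(assets),
        "by_kind": dict(Counter(a.kind for a in assets)),
        "software_diversity": len({a.software for a in assets}),
        "countries": sorted({a.country for a in assets}),
        "third_party_vendors": sorted({a.hosting for a in third_party}),
        "third_party_share": round(len(third_party) / len(assets), 2) if assets else 0.0,
        "stale_software": sorted(a.hostname for a in stale),   # hygiene signal
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_MAP).items():
        print(f"{key}: {value}")
```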
As a long-time CEO and CTO, I’ve personally interviewed hundreds, maybe a thousand or more people for all kinds of positions over the years. Nothing sends a stronger positive signal than when a person shows up to any interview knowledgeable about the company, is able to tell me something I didn’t know, and can point out exactly where they can provide immediate value. Ask any hiring manager, they’ll tell you the same thing. What then would the world be like if CISO applicants (outsiders) arrived knowing more about the company’s attack surface than the insiders, could point to potentially unknown areas of risk, and offer up a plan to address it? I tell you what it would be – impressive.
The problem is a company may not have an up-to-date attack surface map at the ready to share, as most don’t. So, here’s what I’d like to do. To help CISOs out and improve the interview process, if you’re considering joining a new company, reach out. Bit Discovery will provide you with an attack surface map of the company, free of charge, and you’re even welcome to share it with them if you’d like. As you might expect, there will be some amount of vetting of incoming requests. Still, we’d like to serve as many CISOs as we’re able.
Email: firstname.lastname@example.org with your name / LinkedIn profile and the company. We’ll handle the rest.