CISOs Guide To Compliance & Cyber Hygiene 

Uploaded on 2024-10-14 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

A frequently used reference in the security industry today is that of the overburdened CISO, the security leader plagued by the relentless challenge of ensuring resilience in an age of advanced, persistent threats.

While discussions are typically focused on the latest threat discovery, what is often overlooked is the importance of foundational practices like patch management, active device risk monitoring, and the implementation of more robust policies to protect sensitive data. 
 
The most successful CISOs find ways to expand their influence beyond security operations and, ultimately, share accountability for risk management with others. By focusing on organisational processes and workflows that establish a culture where security is taken seriously by all, the CISO can help its direct teams scale more effectively. In this conversation, Michael shares insights into the challenges organisations face, as well as practical strategies for enhancing security and sleeping soundly.  

Why Are security Processes keeping CISOs Awake? 

There is a long-established narrative of CISOs losing sleep over the continuous and increasingly sophisticated threats their organisations face. However, many CISOs are actually sleeping just fine – or at least the ones who have established the right culture and processes within their organisations!  
 
If you've implemented the right plans and invested in the right tools, you should sleep well, knowing that you've mitigated the critical risks. Emphasising on simply preventing attacks is impractical because the total number of data breaches more than tripled between 2013 and 2022, exposing over three billion personal records, and the situation only worsened in 2023 and 2024.  
 
So, the key concern is not creating a foolproof defence, but rather ensuring the organisation has the right mechanisms to mitigate these risks.  

CISOs need to continually reaffirm their confidence in the tools and solutions they’ve purchased; this same reassessment must be completed throughout the organisation as distributed teams manage their identified risks. 
 
While the infosec team may be focused on the discovery of new attacks and threat vectors, the responsibility for establishing and monitoring compliance with various standards may fall to other groups, like desktop engineering or the mobility team. 

With the regulatory landscape continuously changing, non-compliance can be costly from a financial perspective alone. However, these regulatory requirements often lay the groundwork for establishing proper cyber hygiene, which is perhaps the most effective strategy for preventing threats from impacting the business.  

Is Cyber Hygiene Really A Problem For Most Organisations? 

Organisations really do struggle with the basics of cyber hygiene, most notably effectively monitoring and patching vulnerabilities. The latest IBM report highlights that stolen or compromised credentials are the most common cause of data breaches, often due to cyber criminals who are able to exploit well-established vulnerabilities. 

Many companies fail to get these fundamentals right, partially because of the sheer volume of vulnerabilities that need to be managed across firmware, operating systems, and applications. This is particularly noteworthy on mobile, where nearly 40% of mobile users are operating devices with known vulnerabilities. 
 
Maintaining an up-to-date operating system on each device is perhaps the most impactful practice an organisation can implement. Yet, many struggle to keep up with updates due to fears of conflicts and the need for compatibility testing, which leaves devices vulnerable to known security gaps. 
 
However, patching is just one part of the cyber hygiene puzzle. BYOD (Bring Your Own Device) management is another longstanding issue. Despite being on the agenda for years, it remains poorly understood. Many workplaces now allow a mix of personal and company-issued devices due to equipment availability, licensing costs, and employee preferences. 
 
The flexibility provided by BYOD programmes is great, but organisations are constantly failing to integrate personal devices into existing security frameworks to manage devices without causing additional headaches.  
 
Additionally, there is still an awareness gap regarding compliance control specifications. For instance, many organisations do not realise that Apple devices utilise a different set of controls to achieve compliance. Thus, creating a significant risk, as these devices may not meet the established regulatory or IT requirements.  

How Can CISOs Improve Their Organisation’s Cybersecurity Posture? 

For CISOs, the first area of focus should be to ensure that a clear set of compliance standards is established across the organisation. This is a critical set in establishing a more robust and trustworthy foundation for work. Going "back to basics" means doubling down on essential functions that have consistently proven to make devices more resilient to attack. 
 
The key goal should be to ensure that the entire organisation is part of a well-orchestrated defence-in-depth strategy. CISOs should ensure that the various solutions working across the business resemble the layers of a cake, where each operates as its own risk management, while also acting like a safety net for the previous one. 

Jamf identified that 39% of organisations had at least one device with known vulnerabilities being used in a production environment. Zero-day threats are tough to identify and mitigate, but known vulnerabilities with available patches remain the low-hanging fruit for attackers to exploit.  
 
Mobile Device Management (MDM) solutions can play a crucial role here. These tools can be used to ensure that every device and application used for work receives updates and patches promptly.  
 
MDM solutions can also improve both the overall usability and security of BYOD environments. They separate personal and corporate data on mobile devices into distinct containers, preserving employee privacy while also implementing essential policy controls on corporate data. Organisations can configure access to corporate services, distribute and manage work apps, deploy data loss prevention policies, and more. 

Active monitoring is another critical component in managing risk management initiatives. By monitoring compliance and device risk in real-time, security teams can gain insights into an endpoint’s health and suitability for work. This data enables informed decisions about app safety and data security.  

To sum it up, CISOs can finally get a good night’s sleep by creating a culture that is focused on foundational cybersecurity practices and by encouraging a “back to basics” mindset when it comes to tool selection and operational priorities. 

Ensuring device compliance and consistently maintaining cyber hygiene is critical, especially with the prevalence of known vulnerabilities - and robust device management solutions are potentially the most effective in addressing these challenges. When these practices are in place and operating like a well-oiled machine, CISOs can rest easy, knowing their organisation is resilient against evolving threats. 

Michael Covington is VP of Strategy at Jamf 

Image: Tima Miroshnichenko

You Might Also Read: 

How Poor Password Hygiene Could Unravel Your Business:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

 

 

« A Landmark Ransom Attack On Healthcare
US Congress Hit By Cyber Attack »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Prosperon Networks

Prosperon Networks

Prosperon Networks support SMB to Enterprise networks through the provisioning of network monitoring software, customisation, consultancy and installation.

Clearpath Solutions Group

Clearpath Solutions Group

Clearpath Solutions Group expertise covers virtualization and data storage technologies, networking, security and cloud computing.

Center for a New American Security (CNAS)

Center for a New American Security (CNAS)

CNAS is the nation's leading research institution focused on defense and national security policy. Cyber security issues are an intrinsic element of the national security debate.

ADF Solutions

ADF Solutions

ADF Solutions is a leading provider of digital forensic and media storage exploitation tools.

Capita

Capita

Capita is a consulting, digital services and software business, providing end-to-end enterprise IT services and solutions focused around digital transformation and innovation.

Deductive Labs

Deductive Labs

Deductive Labs consulting services help customers with their technology, security and automation challenges.

Professional Insurance Agents (PIA)

Professional Insurance Agents (PIA)

Professional Insurance Agents (PIA) offer commercial insurance services including Cyber Liability insurance.

Akheros

Akheros

Akheros develops cybersecurity learning algorithms which anticipate, detect and prevent offensive and incongruous behaviors of M2M interactions.

Cybersecurity & Infrastructure Security Agency (CISA)

Cybersecurity & Infrastructure Security Agency (CISA)

CISA leads the national effort to defend critical infrastructure against the threats of today and to secure against the evolving risks of tomorrow.

Ravelin Technology

Ravelin Technology

Ravelin prevents chargebacks, fraud, and account takeover. Machine learning and human insight combine for highly accurate fraud detection and prevention.

Verodin

Verodin

Verodin is a business platform that provides organizations with the evidence needed to measure, manage and improve their cybersecurity effectiveness.

Munich Re

Munich Re

Munich Re is a leading global provider of reinsurance, primary insurance and insurance-related risk solutions including Cyber.

PSafe

PSafe

PSafe is a leading provider of mobile privacy, security, and performance apps. We deliver innovative products that protect your freedom to safely connect, share, play, express and explore online.

Drawbridge

Drawbridge

Drawbridge is a premier provider of cybersecurity software and solutions to the alternative investment industry.

Abu Dhabi Gov Digital

Abu Dhabi Gov Digital

Gov Digital (formerly Abu Dhabi Digital Authority - ADDA) enable, support and deliver a digital government that is proactive, personalised, collaborative and secure.

Boldend

Boldend

Boldend offers leading-edge offensive and defensive cybersecurity solutions that empower government and commercial organizations to stay resilient in an evolving threat landscape.