CISOs Guide To Compliance & Cyber Hygiene 

Uploaded on 2024-10-14 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

A frequently used reference in the security industry today is that of the overburdened CISO, the security leader plagued by the relentless challenge of ensuring resilience in an age of advanced, persistent threats.

While discussions are typically focused on the latest threat discovery, what is often overlooked is the importance of foundational practices like patch management, active device risk monitoring, and the implementation of more robust policies to protect sensitive data. 
 
The most successful CISOs find ways to expand their influence beyond security operations and, ultimately, share accountability for risk management with others. By focusing on organisational processes and workflows that establish a culture where security is taken seriously by all, the CISO can help its direct teams scale more effectively. In this conversation, Michael shares insights into the challenges organisations face, as well as practical strategies for enhancing security and sleeping soundly.  

Why Are security Processes keeping CISOs Awake? 

There is a long-established narrative of CISOs losing sleep over the continuous and increasingly sophisticated threats their organisations face. However, many CISOs are actually sleeping just fine – or at least the ones who have established the right culture and processes within their organisations!  
 
If you've implemented the right plans and invested in the right tools, you should sleep well, knowing that you've mitigated the critical risks. Emphasising on simply preventing attacks is impractical because the total number of data breaches more than tripled between 2013 and 2022, exposing over three billion personal records, and the situation only worsened in 2023 and 2024.  
 
So, the key concern is not creating a foolproof defence, but rather ensuring the organisation has the right mechanisms to mitigate these risks.  

CISOs need to continually reaffirm their confidence in the tools and solutions they’ve purchased; this same reassessment must be completed throughout the organisation as distributed teams manage their identified risks. 
 
While the infosec team may be focused on the discovery of new attacks and threat vectors, the responsibility for establishing and monitoring compliance with various standards may fall to other groups, like desktop engineering or the mobility team. 

With the regulatory landscape continuously changing, non-compliance can be costly from a financial perspective alone. However, these regulatory requirements often lay the groundwork for establishing proper cyber hygiene, which is perhaps the most effective strategy for preventing threats from impacting the business.  

Is Cyber Hygiene Really A Problem For Most Organisations? 

Organisations really do struggle with the basics of cyber hygiene, most notably effectively monitoring and patching vulnerabilities. The latest IBM report highlights that stolen or compromised credentials are the most common cause of data breaches, often due to cyber criminals who are able to exploit well-established vulnerabilities. 

Many companies fail to get these fundamentals right, partially because of the sheer volume of vulnerabilities that need to be managed across firmware, operating systems, and applications. This is particularly noteworthy on mobile, where nearly 40% of mobile users are operating devices with known vulnerabilities. 
 
Maintaining an up-to-date operating system on each device is perhaps the most impactful practice an organisation can implement. Yet, many struggle to keep up with updates due to fears of conflicts and the need for compatibility testing, which leaves devices vulnerable to known security gaps. 
 
However, patching is just one part of the cyber hygiene puzzle. BYOD (Bring Your Own Device) management is another longstanding issue. Despite being on the agenda for years, it remains poorly understood. Many workplaces now allow a mix of personal and company-issued devices due to equipment availability, licensing costs, and employee preferences. 
 
The flexibility provided by BYOD programmes is great, but organisations are constantly failing to integrate personal devices into existing security frameworks to manage devices without causing additional headaches.  
 
Additionally, there is still an awareness gap regarding compliance control specifications. For instance, many organisations do not realise that Apple devices utilise a different set of controls to achieve compliance. Thus, creating a significant risk, as these devices may not meet the established regulatory or IT requirements.  

How Can CISOs Improve Their Organisation’s Cybersecurity Posture? 

For CISOs, the first area of focus should be to ensure that a clear set of compliance standards is established across the organisation. This is a critical set in establishing a more robust and trustworthy foundation for work. Going "back to basics" means doubling down on essential functions that have consistently proven to make devices more resilient to attack. 
 
The key goal should be to ensure that the entire organisation is part of a well-orchestrated defence-in-depth strategy. CISOs should ensure that the various solutions working across the business resemble the layers of a cake, where each operates as its own risk management, while also acting like a safety net for the previous one. 

Jamf identified that 39% of organisations had at least one device with known vulnerabilities being used in a production environment. Zero-day threats are tough to identify and mitigate, but known vulnerabilities with available patches remain the low-hanging fruit for attackers to exploit.  
 
Mobile Device Management (MDM) solutions can play a crucial role here. These tools can be used to ensure that every device and application used for work receives updates and patches promptly.  
 
MDM solutions can also improve both the overall usability and security of BYOD environments. They separate personal and corporate data on mobile devices into distinct containers, preserving employee privacy while also implementing essential policy controls on corporate data. Organisations can configure access to corporate services, distribute and manage work apps, deploy data loss prevention policies, and more. 

Active monitoring is another critical component in managing risk management initiatives. By monitoring compliance and device risk in real-time, security teams can gain insights into an endpoint’s health and suitability for work. This data enables informed decisions about app safety and data security.  

To sum it up, CISOs can finally get a good night’s sleep by creating a culture that is focused on foundational cybersecurity practices and by encouraging a “back to basics” mindset when it comes to tool selection and operational priorities. 

Ensuring device compliance and consistently maintaining cyber hygiene is critical, especially with the prevalence of known vulnerabilities - and robust device management solutions are potentially the most effective in addressing these challenges. When these practices are in place and operating like a well-oiled machine, CISOs can rest easy, knowing their organisation is resilient against evolving threats. 

Michael Covington is VP of Strategy at Jamf 

Image: Tima Miroshnichenko

You Might Also Read: 

How Poor Password Hygiene Could Unravel Your Business:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

 

 

« A Landmark Ransom Attack On Healthcare
US Congress Hit By Cyber Attack »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Global Secure Solutions (GSS)

Global Secure Solutions (GSS)

Global Secure Solutions is an IT security and risk consulting firm and authorised ISO training partner for the PECB.

Janusnet

Janusnet

Janusnet develops software and solutions for organisations to enforce and manage data security.

Logpoint

Logpoint

Logpoint is a creator of innovative security platforms to empower security teams in accelerating threat detection, investigation and response with a consolidated tech stack.

ASU Online - Information Technology Program

ASU Online - Information Technology Program

The Information Technology program at ASU Online provides you with the expertise to design, select, implement and administer computer-based information solutions.

Sequitur Labs

Sequitur Labs

Sequitur Labs is developing seminal technologies and solutions to secure and manage connected devices of today and in the future.

WetStone Technologies

WetStone Technologies

WetStone develops software solutions that support investigators and analysts engaged in eCrime Investigation, eForensics and incident response activities.

MaskTech

MaskTech

MaskTech supplies highest security embedded chipsets, operating systems and related middleware for electronic identification cards, travel documents and authentication solutions.

National Cyber Security Agency (NACSA) - Malaysia

National Cyber Security Agency (NACSA) - Malaysia

NACSA is the leading government agency in Malaysia responsible for the development and implementation of national cyber security management policie and strategies.

Consortium for Information & Software Quality (CISQ)

Consortium for Information & Software Quality (CISQ)

The mission of CISQ is to develop international standards for software quality and to promote the development and sustainment of secure, reliable, and trustworthy software.

Altipeak Security

Altipeak Security

Altipeak Security provide Safewalk - a flexible and robust authentication platform through which we offer improved security to SMBs, corporates, banks, insurance companies, healthcare and more.

LinkShadow

LinkShadow

LinkShadow is a next-generation cybersecurity solution that provides unparalleled detection of even the most sophisticated threats.

Gatefy

Gatefy

Getfy is a cybersecurity company specialized in artificial intelligence and machine learning. We work to solve challenging issues, especially those involving email security.

Rausch Advisory Services

Rausch Advisory Services

Rausch delivers solutions that address compliance, enterprise risk, information technology and human resource capital.

Axiata Digital Labs

Axiata Digital Labs

Axiata Digital Labs is the technology hub of Axiata Group Berhad Malaysia which is one of the leading groups in telecommunication in Asia.

SecureClaw

SecureClaw

SecureClaw offers specialized cybersecurity consultation, various products, and a range of services to meet your company's business domain needs.

Prophet Security

Prophet Security

Prophet Security empowers organizations to triage, investigate, and respond to alerts with unparalleled speed and accuracy.