CISOs Guide To Compliance & Cyber Hygiene 

Uploaded on 2024-10-14 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

A frequently used reference in the security industry today is that of the overburdened CISO, the security leader plagued by the relentless challenge of ensuring resilience in an age of advanced, persistent threats.

While discussions are typically focused on the latest threat discovery, what is often overlooked is the importance of foundational practices like patch management, active device risk monitoring, and the implementation of more robust policies to protect sensitive data. 
 
The most successful CISOs find ways to expand their influence beyond security operations and, ultimately, share accountability for risk management with others. By focusing on organisational processes and workflows that establish a culture where security is taken seriously by all, the CISO can help its direct teams scale more effectively. In this conversation, Michael shares insights into the challenges organisations face, as well as practical strategies for enhancing security and sleeping soundly.  

Why Are security Processes keeping CISOs Awake? 

There is a long-established narrative of CISOs losing sleep over the continuous and increasingly sophisticated threats their organisations face. However, many CISOs are actually sleeping just fine – or at least the ones who have established the right culture and processes within their organisations!  
 
If you've implemented the right plans and invested in the right tools, you should sleep well, knowing that you've mitigated the critical risks. Emphasising on simply preventing attacks is impractical because the total number of data breaches more than tripled between 2013 and 2022, exposing over three billion personal records, and the situation only worsened in 2023 and 2024.  
 
So, the key concern is not creating a foolproof defence, but rather ensuring the organisation has the right mechanisms to mitigate these risks.  

CISOs need to continually reaffirm their confidence in the tools and solutions they’ve purchased; this same reassessment must be completed throughout the organisation as distributed teams manage their identified risks. 
 
While the infosec team may be focused on the discovery of new attacks and threat vectors, the responsibility for establishing and monitoring compliance with various standards may fall to other groups, like desktop engineering or the mobility team. 

With the regulatory landscape continuously changing, non-compliance can be costly from a financial perspective alone. However, these regulatory requirements often lay the groundwork for establishing proper cyber hygiene, which is perhaps the most effective strategy for preventing threats from impacting the business.  

Is Cyber Hygiene Really A Problem For Most Organisations? 

Organisations really do struggle with the basics of cyber hygiene, most notably effectively monitoring and patching vulnerabilities. The latest IBM report highlights that stolen or compromised credentials are the most common cause of data breaches, often due to cyber criminals who are able to exploit well-established vulnerabilities. 

Many companies fail to get these fundamentals right, partially because of the sheer volume of vulnerabilities that need to be managed across firmware, operating systems, and applications. This is particularly noteworthy on mobile, where nearly 40% of mobile users are operating devices with known vulnerabilities. 
 
Maintaining an up-to-date operating system on each device is perhaps the most impactful practice an organisation can implement. Yet, many struggle to keep up with updates due to fears of conflicts and the need for compatibility testing, which leaves devices vulnerable to known security gaps. 
 
However, patching is just one part of the cyber hygiene puzzle. BYOD (Bring Your Own Device) management is another longstanding issue. Despite being on the agenda for years, it remains poorly understood. Many workplaces now allow a mix of personal and company-issued devices due to equipment availability, licensing costs, and employee preferences. 
 
The flexibility provided by BYOD programmes is great, but organisations are constantly failing to integrate personal devices into existing security frameworks to manage devices without causing additional headaches.  
 
Additionally, there is still an awareness gap regarding compliance control specifications. For instance, many organisations do not realise that Apple devices utilise a different set of controls to achieve compliance. Thus, creating a significant risk, as these devices may not meet the established regulatory or IT requirements.  

How Can CISOs Improve Their Organisation’s Cybersecurity Posture? 

For CISOs, the first area of focus should be to ensure that a clear set of compliance standards is established across the organisation. This is a critical set in establishing a more robust and trustworthy foundation for work. Going "back to basics" means doubling down on essential functions that have consistently proven to make devices more resilient to attack. 
 
The key goal should be to ensure that the entire organisation is part of a well-orchestrated defence-in-depth strategy. CISOs should ensure that the various solutions working across the business resemble the layers of a cake, where each operates as its own risk management, while also acting like a safety net for the previous one. 

Jamf identified that 39% of organisations had at least one device with known vulnerabilities being used in a production environment. Zero-day threats are tough to identify and mitigate, but known vulnerabilities with available patches remain the low-hanging fruit for attackers to exploit.  
 
Mobile Device Management (MDM) solutions can play a crucial role here. These tools can be used to ensure that every device and application used for work receives updates and patches promptly.  
 
MDM solutions can also improve both the overall usability and security of BYOD environments. They separate personal and corporate data on mobile devices into distinct containers, preserving employee privacy while also implementing essential policy controls on corporate data. Organisations can configure access to corporate services, distribute and manage work apps, deploy data loss prevention policies, and more. 

Active monitoring is another critical component in managing risk management initiatives. By monitoring compliance and device risk in real-time, security teams can gain insights into an endpoint’s health and suitability for work. This data enables informed decisions about app safety and data security.  

To sum it up, CISOs can finally get a good night’s sleep by creating a culture that is focused on foundational cybersecurity practices and by encouraging a “back to basics” mindset when it comes to tool selection and operational priorities. 

Ensuring device compliance and consistently maintaining cyber hygiene is critical, especially with the prevalence of known vulnerabilities - and robust device management solutions are potentially the most effective in addressing these challenges. When these practices are in place and operating like a well-oiled machine, CISOs can rest easy, knowing their organisation is resilient against evolving threats. 

Michael Covington is VP of Strategy at Jamf 

Image: Tima Miroshnichenko

You Might Also Read: 

How Poor Password Hygiene Could Unravel Your Business:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

 

 

« A Landmark Ransom Attack On Healthcare
US Congress Hit By Cyber Attack »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Sophos

Sophos

Sophos is a worldwide leader in next-generation cybersecurity, protecting more than 400,000 organizations of all sizes in more than 150 countries from today’s most advanced cyberthreats.

Radisys

Radisys

Radisys offers software, products, integrated systems, and professional services for communication service providers and telecom solution vendors.

ADF Solutions

ADF Solutions

ADF Solutions is a leading provider of digital forensic and media storage exploitation tools.

Repository of Industrial Security Incidents (RISI)

Repository of Industrial Security Incidents (RISI)

RISI is a database of cyber security incidents that have (or could have) affected process control, industrial automation or SCADA systems.

ESL Bangladesh

ESL Bangladesh

ESL is the Largest IT Infrastructure & Telecom Service Provider in Bangladesh.

Elysium Analytics

Elysium Analytics

Elysium Cognitive Security Analytics delivers the latest and most flexible security system to reduce cost and complexity while providing unmatched scalability.

Syber Technology

Syber Technology

Syber Technology is an IT project implementer empowering IT systems of Small to Medium Enterprises in the Middle East.

spriteCloud

spriteCloud

spriteCloud is an independent software testing, test automation and cybersecurity services provider.

PolySwarm

PolySwarm

PolySwarm is a crowdsourced threat intelligence marketplace that provides a more effective way to detect, analyze and respond to the latest threats.

ThreatNG Security

ThreatNG Security

ThreatNG is redefining external attack surface management (EASM) and digital risk protection with a platform of unmatched breadth, depth, and capabilities in thwarting technical and business threats.

IDVerse

IDVerse

IDVerse is focused on making user verification effortless through technology. We build intelligent tools that protect users from identity fraud while enabling a seamless user experience.

Bearer

Bearer

Bearer helps modern teams ship trustworthy products with the help of our code security solution built for security, privacy and engineering teams.

Vault Cloud

Vault Cloud

Vault Cloud, Australia's National Cloud, is an Australian owned and operated company specialising in secure, sovereign, hyperscale cloud infrastructure.

Gleam Cloud Security Solutions (GCSS)

Gleam Cloud Security Solutions (GCSS)

GCSS Security is an information security firm providing cyber security protection with a highly skilled and experienced team focused on technology that creates best-in-class customer experiences.

Sherweb

Sherweb

Sherweb are a marketplace of leading cloud solutions and value-added services delivered by a team of passionate experts invested in MSP growth.

Digital & Intelligence Service (DIS)

Digital & Intelligence Service (DIS)

DIS is the fourth Service of the SAF, here to defend and dominate in the digital domain, and achieve peace and security for our land.