CISOs Guide To Compliance & Cyber Hygiene 

Uploaded on 2024-10-14 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

A frequently used reference in the security industry today is that of the overburdened CISO, the security leader plagued by the relentless challenge of ensuring resilience in an age of advanced, persistent threats.

While discussions are typically focused on the latest threat discovery, what is often overlooked is the importance of foundational practices like patch management, active device risk monitoring, and the implementation of more robust policies to protect sensitive data. 
 
The most successful CISOs find ways to expand their influence beyond security operations and, ultimately, share accountability for risk management with others. By focusing on organisational processes and workflows that establish a culture where security is taken seriously by all, the CISO can help its direct teams scale more effectively. In this conversation, Michael shares insights into the challenges organisations face, as well as practical strategies for enhancing security and sleeping soundly.  

Why Are security Processes keeping CISOs Awake? 

There is a long-established narrative of CISOs losing sleep over the continuous and increasingly sophisticated threats their organisations face. However, many CISOs are actually sleeping just fine – or at least the ones who have established the right culture and processes within their organisations!  
 
If you've implemented the right plans and invested in the right tools, you should sleep well, knowing that you've mitigated the critical risks. Emphasising on simply preventing attacks is impractical because the total number of data breaches more than tripled between 2013 and 2022, exposing over three billion personal records, and the situation only worsened in 2023 and 2024.  
 
So, the key concern is not creating a foolproof defence, but rather ensuring the organisation has the right mechanisms to mitigate these risks.  

CISOs need to continually reaffirm their confidence in the tools and solutions they’ve purchased; this same reassessment must be completed throughout the organisation as distributed teams manage their identified risks. 
 
While the infosec team may be focused on the discovery of new attacks and threat vectors, the responsibility for establishing and monitoring compliance with various standards may fall to other groups, like desktop engineering or the mobility team. 

With the regulatory landscape continuously changing, non-compliance can be costly from a financial perspective alone. However, these regulatory requirements often lay the groundwork for establishing proper cyber hygiene, which is perhaps the most effective strategy for preventing threats from impacting the business.  

Is Cyber Hygiene Really A Problem For Most Organisations? 

Organisations really do struggle with the basics of cyber hygiene, most notably effectively monitoring and patching vulnerabilities. The latest IBM report highlights that stolen or compromised credentials are the most common cause of data breaches, often due to cyber criminals who are able to exploit well-established vulnerabilities. 

Many companies fail to get these fundamentals right, partially because of the sheer volume of vulnerabilities that need to be managed across firmware, operating systems, and applications. This is particularly noteworthy on mobile, where nearly 40% of mobile users are operating devices with known vulnerabilities. 
 
Maintaining an up-to-date operating system on each device is perhaps the most impactful practice an organisation can implement. Yet, many struggle to keep up with updates due to fears of conflicts and the need for compatibility testing, which leaves devices vulnerable to known security gaps. 
 
However, patching is just one part of the cyber hygiene puzzle. BYOD (Bring Your Own Device) management is another longstanding issue. Despite being on the agenda for years, it remains poorly understood. Many workplaces now allow a mix of personal and company-issued devices due to equipment availability, licensing costs, and employee preferences. 
 
The flexibility provided by BYOD programmes is great, but organisations are constantly failing to integrate personal devices into existing security frameworks to manage devices without causing additional headaches.  
 
Additionally, there is still an awareness gap regarding compliance control specifications. For instance, many organisations do not realise that Apple devices utilise a different set of controls to achieve compliance. Thus, creating a significant risk, as these devices may not meet the established regulatory or IT requirements.  

How Can CISOs Improve Their Organisation’s Cybersecurity Posture? 

For CISOs, the first area of focus should be to ensure that a clear set of compliance standards is established across the organisation. This is a critical set in establishing a more robust and trustworthy foundation for work. Going "back to basics" means doubling down on essential functions that have consistently proven to make devices more resilient to attack. 
 
The key goal should be to ensure that the entire organisation is part of a well-orchestrated defence-in-depth strategy. CISOs should ensure that the various solutions working across the business resemble the layers of a cake, where each operates as its own risk management, while also acting like a safety net for the previous one. 

Jamf identified that 39% of organisations had at least one device with known vulnerabilities being used in a production environment. Zero-day threats are tough to identify and mitigate, but known vulnerabilities with available patches remain the low-hanging fruit for attackers to exploit.  
 
Mobile Device Management (MDM) solutions can play a crucial role here. These tools can be used to ensure that every device and application used for work receives updates and patches promptly.  
 
MDM solutions can also improve both the overall usability and security of BYOD environments. They separate personal and corporate data on mobile devices into distinct containers, preserving employee privacy while also implementing essential policy controls on corporate data. Organisations can configure access to corporate services, distribute and manage work apps, deploy data loss prevention policies, and more. 

Active monitoring is another critical component in managing risk management initiatives. By monitoring compliance and device risk in real-time, security teams can gain insights into an endpoint’s health and suitability for work. This data enables informed decisions about app safety and data security.  

To sum it up, CISOs can finally get a good night’s sleep by creating a culture that is focused on foundational cybersecurity practices and by encouraging a “back to basics” mindset when it comes to tool selection and operational priorities. 

Ensuring device compliance and consistently maintaining cyber hygiene is critical, especially with the prevalence of known vulnerabilities - and robust device management solutions are potentially the most effective in addressing these challenges. When these practices are in place and operating like a well-oiled machine, CISOs can rest easy, knowing their organisation is resilient against evolving threats. 

Michael Covington is VP of Strategy at Jamf 

Image: Tima Miroshnichenko

You Might Also Read: 

How Poor Password Hygiene Could Unravel Your Business:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

 

 

« A Landmark Ransom Attack On Healthcare
US Congress Hit By Cyber Attack »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

CloudEndure

CloudEndure

CloudEndure offers Disaster Recovery and Continuous Replication for the Cloud.

Hack Miami

Hack Miami

HackMiami is the premier resource in South Florida for highly skilled hackers that specialize in vulnerability analysis, penetration testing, digital forensics, and all manner of IT security.

F5 Networks

F5 Networks

F5 products ensure that network applications are always secure and perform the way they should—anywhere, any time, and on any device.

Stratogent

Stratogent

Stratogent does IT and Cybersecurity operations. We specialize in high-touch and high-change IT environments, especially in the biotech and pharma industry verticals.

TokenOne

TokenOne

TokenOne is a Cyber Security software company that makes it easy to replace passwords, tokens and other forms of authentication with a more secure solution.

Inky Technology Corp

Inky Technology Corp

Inky® Phish Fence is an email protection gateway that uses sophisticated AI, machine learning and computer vision algorithms to block deep sea phishing attacks that get through every other system.

Expel

Expel

Expel provide transparent managed security services, 24x7 detection, response and resilience.

Kaspersky Industrial CyberSecurity (KICS)

Kaspersky Industrial CyberSecurity (KICS)

Kaspersky addresses all the cybersecurity needs of industrial organizations in its Kaspersky Industrial CyberSecurity (KICS) portfolio.

Traced

Traced

At Traced, our aim is to redefine mobile cyber security to provide the best possible protection to everyone against breaches of privacy and security.

Immuta

Immuta

Immuta empowers data engineering and operations teams to automate data governance, security, access control & privacy protection.

Celcom

Celcom

Celcom is the oldest mobile telecommunications provider in Malaysia, providing solutions and services to consumers and businesses.

Information Services Group (ISG)

Information Services Group (ISG)

As a leading global research and advisory firm, ISG partners with our clients to determine a future vision, lead rapid change and realize the value of your digital investments at scale.

UK Cyber Cluster Collaboration (UKC3)

UK Cyber Cluster Collaboration (UKC3)

UKC3 has been launched to support Cyber Clusters and encourage greater collaboration across regions and nations of the UK.

NexGen Cyber

NexGen Cyber

NexGen Cyber helps customers in commercial SMB markets with IT security, security integration, service management, outsourced service transition, and transformative security solutions.

CypherEye

CypherEye

CypherEye is a next generation trust platform that advances the current state of Multi-factor Authentication (MFA) to enable highly secure, private and auditable cyber-transactions.

Tamnoon

Tamnoon

Tamnoon is the Managed Cloud Detection and Response platform that helps you turn CNAPP and CSPM alerts into action and fortify your cloud security posture.