
From sleepless nights to security bliss


Michael Covington at Jamf describes the priorities that successful CISOs are focused on

 

"What’s keeping a CISO up at night?" is a common theme in cybersecurity discussions. CISOs have a lot to be worried about, from the surge in threats to protecting their company’s networks from constant attacks. A look at the current state of the cyber threat landscape is surely enough to give any CISO a sleepless night.   

 

While much attention is given to new threat discoveries, savvy security leaders know that a return to basics may provide a greater return on investment, whether mastering overlooked fundamentals like patch management, or implementing proactive risk monitoring programmes. 

 

The most successful CISOs find a way to extend their role beyond just managing security tools and practices. They aim to cultivate a culture where every team, not just the security department, understands and prioritises risk management. 

 

By embedding security into organisational processes and workflows, CISOs ensure that all departments are aligned in protecting the organisation’s assets, thereby strengthening the overall security posture, and helping the security team itself to scale more effectively.

 

The essentials of cyber cleanliness  

A key reason some CISOs sleep soundly is because they cultivate a culture where cyber hygiene is a shared responsibility throughout the organisation. By ensuring that all teams understand and prioritise the maintenance of well-protected systems, CISOs can more effectively mitigate risks. 

 

Good cyber hygiene involves the regular application of updates to critical systems, strong password management, and the use of multi-factor authentication to safeguard sensitive data. A poor level of cyber hygiene is the reason for most breaches, as organisations hand opportunities to threat actors through fundamental security failings. IBM reported that stolen or compromised credentials, often resulting from unpatched vulnerabilities, are the most common cause of data breaches.

 

These issues frequently arise when end users fail to update their software, leaving systems vulnerable to exploitation. Despite awareness of these risks, many organisations neglect regular updates and patches, which leads to widespread vulnerabilities, especially in mobile, where 40% of users operate a production device with known vulnerabilities.

 

Addressing vulnerabilities isn’t the only part of cyber hygiene that needs to be rectified. Poor management of multi-factor authentication and outdated password policies also contribute to bad cyber cleanliness. 

 

Ignoring these issues can potentially lead to data breaches, ransom demands, and irreparable damage to customer trust. A weak password can be just the opening that cybercriminals need to unravel a company’s security framework. 

 

Unfortunately, there is no one-and-done solution to these issues. The CISOs who have addressed cyber hygiene concerns effectively are those who implement a defence-in-depth strategy. This approach involves deploying multiple layers of security measures to protect against threats, ensuring comprehensive protection.

 

Each layer is designed to address specific attack vectors or gaps, so if one security layer fails, another can intercept the threat. This multi-layered approach significantly reduces the risk of a breach, providing a robust defence system that makes it much harder for attackers to exploit vulnerabilities.

 

Automated updates and monitoring are vital, but aligning all teams on risk management is the key. Adhering to security standards across all devices is essential for maintaining strong cyber hygiene. 

 

Navigating compliance with ease  

The other key issue is that organisations consistently fail to integrate personal devices into their existing security frameworks in a way that manages those devices without creating additional stress. Within many organisations, an awareness gap still exists around compliance control specifications. 

 

For example, many organisations are unaware that Apple devices use a distinct set of controls to achieve compliance. This lack of understanding creates a significant risk, as these devices may fail to meet established regulatory or IT requirements. In some organisations, this disconnect may even result in user choice being restricted or in bad end user experiences.

 

To address this problem, CISOs need a clear set of compliance standards that are established across the entire organisation. By setting these standards, businesses can better align their mobile device management practices with regulatory requirements, reducing risks and enhancing overall security. 

 

When standards are well-defined, organisations have a solid framework to guide their compliance efforts effectively. Some widely recognised frameworks that help organisations meet security and regulatory standards are CIS Benchmarks, NIST guidelines, and ISO 27001.

 

The entire organisation needs to be part of a well-orchestrated defence-in-depth strategy. This is where Mobile Device Management (MDM) solutions also play a crucial role. 

 

These tools ensure devices are secure, up-to-date, and compliant with regulatory standards, even in complex environments with mixed-use devices. More importantly, MDM solutions can improve both the overall usability and security of Bring Your Own Device (BYOD) environments.

 

Mastering the BYOD balance  

BYOD has been a key topic in corporate discussions for years, yet many organisations still struggle with its implementation and management. 

 

According to Jamf’s survey, 49% of enterprises across Europe lack a formal BYOD policy, leaving them with no visibility or control over personal devices accessing corporate resources. This lack of control poses risks such as data leakage, software vulnerabilities, shadow IT, and even physical loss of devices, endangering sensitive company data.

 

MDM tools help CISOs and their security teams manage access to corporate services, control app distribution, and implement data loss prevention measures. They also ensure that all devices and applications are promptly updated with the latest patches and help separate corporate data from personal data, preserving privacy while enforcing security policies.

 

Active monitoring complements MDM by providing real-time insights into device compliance and risk levels. This enables IT and security teams to assess an endpoint’s health and make informed decisions about app safety and data security, ensuring all devices adhere to the organisation’s security standards. 
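The kind of assessment described here, and the cyber hygiene checks (patch currency, MFA) discussed earlier in the article, as an added example that is not part of the article and not code from any Jamf product: a small Python evaluator that compares a constructed device inventory against a hypothetical compliance baseline (minimum OS version per platform, maximum patch age, MFA enrolment, disk encryption, MDM enrolment) and assigns each endpoint a risk level. The baseline values, device names and dates are all constructed for illustration.

```python
"""Added example: evaluate endpoint health against a compliance baseline.

Not Jamf code. The baseline and the device records below are constructed
for illustration; a real deployment would pull both from an MDM inventory
and a policy derived from a framework such as a CIS Benchmark.
"""
from dataclasses import dataclass
from datetime import date

HIGH = "high"
MEDIUM = "medium"
COMPLIANT = "compliant"

# Hypothetical baseline (not taken from any real framework).
BASELINE = {
    "min_os": {"macOS": (14, 4), "iOS": (17, 4)},  # minimum supported version
    "max_patch_age_days": 30,                       # patches older than this are stale
    "require_mfa": True,
    "require_disk_encryption": True,
}

# Constructed "today" for the report so results are reproducible.
REPORT_DATE = date(2024, 6, 10)


@dataclass
class Device:
    name: str
    platform: str
    os_version: str       # dotted string as reported by the device, e.g. "14.3.1"
    last_patched: date
    mfa_enrolled: bool
    disk_encrypted: bool
    managed: bool         # enrolled in MDM; unmanaged devices give no visibility


def parse_version(version: str) -> tuple:
    """Turn '14.3.1' into (14, 3, 1) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def evaluate(device: Device, baseline: dict, today: date) -> list:
    """Return a list of (severity, message) findings for one device."""
    findings = []
    if not device.managed:
        findings.append((HIGH, "not enrolled in MDM: no visibility or control"))

    min_os = baseline["min_os"].get(device.platform)
    if min_os is None:
        findings.append((MEDIUM, f"no baseline defined for platform {device.platform}"))
    elif parse_version(device.os_version) < min_os:
        wanted = ".".join(str(n) for n in min_os)
        findings.append((HIGH, f"OS {device.os_version} below minimum {wanted}"))

    patch_age = (today - device.last_patched).days
    if patch_age > baseline["max_patch_age_days"]:
        findings.append((MEDIUM, f"last patched {patch_age} days ago"))

    if baseline["require_mfa"] and not device.mfa_enrolled:
        findings.append((HIGH, "MFA not enrolled"))
    if baseline["require_disk_encryption"] and not device.disk_encrypted:
        findings.append((HIGH, "disk not encrypted"))
    return findings


def risk_level(findings: list) -> str:
    """Collapse findings to a single level: worst severity wins."""
    if not findings:
        return COMPLIANT
    return HIGH if any(sev == HIGH for sev, _ in findings) else MEDIUM


def compliance_report(devices: list, baseline: dict, today: date) -> dict:
    """Map device name -> (risk level, findings) for the whole inventory."""
    report = {}
    for device in devices:
        findings = evaluate(device, baseline, today)
        report[device.name] = (risk_level(findings), findings)
    return report


# Constructed inventory: names, versions and dates are invented.
SAMPLE_DEVICES = [
    Device("mbp-finance-01", "macOS", "14.3.1", date(2024, 5, 1), True, True, True),
    Device("iphone-sales-07", "iOS", "17.5", date(2024, 6, 1), False, True, True),
    Device("ipad-byod-03", "iOS", "17.5", date(2024, 6, 5), True, True, False),
    Device("mbp-hr-04", "macOS", "14.5", date(2024, 4, 20), True, True, True),
    Device("mbp-eng-12", "macOS", "14.5", date(2024, 6, 8), True, True, True),
]

if __name__ == "__main__":
    for name, (level, findings) in compliance_report(SAMPLE_DEVICES, BASELINE, REPORT_DATE).items():
        print(f"{name}: {level}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Version strings are compared as integer tuples rather than as text, which matters for the checks the article calls out: a text comparison would rank "14.10" below "14.4". Unmanaged devices are flagged as high risk on their own, because without MDM enrolment none of the other attributes can be trusted.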

 

Overall, CISOs should focus on creating a culture centred on foundational cybersecurity practices and on encouraging a “back to basics” mindset when it comes to tool selection and operational priorities.

 

How are CISOs sleeping fine?

Rather than succumbing to fear of abstract threats, CISOs who sleep soundly are well-prepared and have a strong focus on core areas, particularly:  

  1. Strong cyber hygiene
  2. Comprehensive compliance measures
  3. Effective BYOD management.  

By doing so, they build a resilient security posture that allows them to sleep soundly, confident in their organisation’s ability to withstand evolving threats. Ultimately, it’s not just about defending against cyber threats but also about building a security framework that promotes peace of mind.  

 


 

Michael Covington is VP of Strategy at Jamf 

 

Main image courtesy of iStockPhoto.com and Deepak Sethi
