CISOs Guide To Compliance & Cyber Hygiene 

A frequently used reference in the security industry today is that of the overburdened CISO, the security leader plagued by the relentless challenge of ensuring resilience in an age of advanced, persistent threats.

While discussions are typically focused on the latest threat discovery, what is often overlooked is the importance of foundational practices like patch management, active device risk monitoring, and the implementation of more robust policies to protect sensitive data. 
 
The most successful CISOs find ways to expand their influence beyond security operations and, ultimately, share accountability for risk management with others. By focusing on organisational processes and workflows that establish a culture where security is taken seriously by all, the CISO can help its direct teams scale more effectively. In this conversation, Michael shares insights into the challenges organisations face, as well as practical strategies for enhancing security and sleeping soundly.  

Why Are security Processes keeping CISOs Awake? 

There is a long-established narrative of CISOs losing sleep over the continuous and increasingly sophisticated threats their organisations face. However, many CISOs are actually sleeping just fine – or at least the ones who have established the right culture and processes within their organisations!  
 
If you've implemented the right plans and invested in the right tools, you should sleep well, knowing that you've mitigated the critical risks. Emphasising on simply preventing attacks is impractical because the total number of data breaches more than tripled between 2013 and 2022, exposing over three billion personal records, and the situation only worsened in 2023 and 2024.  
 
So, the key concern is not creating a foolproof defence, but rather ensuring the organisation has the right mechanisms to mitigate these risks.  

CISOs need to continually reaffirm their confidence in the tools and solutions they’ve purchased; this same reassessment must be completed throughout the organisation as distributed teams manage their identified risks. 
 
While the infosec team may be focused on the discovery of new attacks and threat vectors, the responsibility for establishing and monitoring compliance with various standards may fall to other groups, like desktop engineering or the mobility team. 

With the regulatory landscape continuously changing, non-compliance can be costly from a financial perspective alone. However, these regulatory requirements often lay the groundwork for establishing proper cyber hygiene, which is perhaps the most effective strategy for preventing threats from impacting the business.  

Is Cyber Hygiene Really A Problem For Most Organisations? 

Organisations really do struggle with the basics of cyber hygiene, most notably effectively monitoring and patching vulnerabilities. The latest IBM report highlights that stolen or compromised credentials are the most common cause of data breaches, often due to cyber criminals who are able to exploit well-established vulnerabilities. 

Many companies fail to get these fundamentals right, partially because of the sheer volume of vulnerabilities that need to be managed across firmware, operating systems, and applications. This is particularly noteworthy on mobile, where nearly 40% of mobile users are operating devices with known vulnerabilities. 
 
Maintaining an up-to-date operating system on each device is perhaps the most impactful practice an organisation can implement. Yet, many struggle to keep up with updates due to fears of conflicts and the need for compatibility testing, which leaves devices vulnerable to known security gaps. 
 
However, patching is just one part of the cyber hygiene puzzle. BYOD (Bring Your Own Device) management is another longstanding issue. Despite being on the agenda for years, it remains poorly understood. Many workplaces now allow a mix of personal and company-issued devices due to equipment availability, licensing costs, and employee preferences. 
 
The flexibility provided by BYOD programmes is great, but organisations are constantly failing to integrate personal devices into existing security frameworks to manage devices without causing additional headaches.  
 
Additionally, there is still an awareness gap regarding compliance control specifications. For instance, many organisations do not realise that Apple devices utilise a different set of controls to achieve compliance. Thus, creating a significant risk, as these devices may not meet the established regulatory or IT requirements.  

How Can CISOs Improve Their Organisation’s Cybersecurity Posture? 

For CISOs, the first area of focus should be to ensure that a clear set of compliance standards is established across the organisation. This is a critical set in establishing a more robust and trustworthy foundation for work. Going "back to basics" means doubling down on essential functions that have consistently proven to make devices more resilient to attack. 
 
The key goal should be to ensure that the entire organisation is part of a well-orchestrated defence-in-depth strategy. CISOs should ensure that the various solutions working across the business resemble the layers of a cake, where each operates as its own risk management, while also acting like a safety net for the previous one. 

Jamf identified that 39% of organisations had at least one device with known vulnerabilities being used in a production environment. Zero-day threats are tough to identify and mitigate, but known vulnerabilities with available patches remain the low-hanging fruit for attackers to exploit.  
 
Mobile Device Management (MDM) solutions can play a crucial role here. These tools can be used to ensure that every device and application used for work receives updates and patches promptly.  
 
MDM solutions can also improve both the overall usability and security of BYOD environments. They separate personal and corporate data on mobile devices into distinct containers, preserving employee privacy while also implementing essential policy controls on corporate data. Organisations can configure access to corporate services, distribute and manage work apps, deploy data loss prevention policies, and more. 

Active monitoring is another critical component in managing risk management initiatives. By monitoring compliance and device risk in real-time, security teams can gain insights into an endpoint’s health and suitability for work. This data enables informed decisions about app safety and data security.  

To sum it up, CISOs can finally get a good night’s sleep by creating a culture that is focused on foundational cybersecurity practices and by encouraging a “back to basics” mindset when it comes to tool selection and operational priorities. 

Ensuring device compliance and consistently maintaining cyber hygiene is critical, especially with the prevalence of known vulnerabilities - and robust device management solutions are potentially the most effective in addressing these challenges. When these practices are in place and operating like a well-oiled machine, CISOs can rest easy, knowing their organisation is resilient against evolving threats. 

Michael Covington is VP of Strategy at Jamf 

Image: Tima Miroshnichenko

You Might Also Read: 

How Poor Password Hygiene Could Unravel Your Business:


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

 

 

« A Landmark Ransom Attack On Healthcare
US Congress Hit By Cyber Attack »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CERT-IS

CERT-IS

CERT-IS is the national Computer Emergency Response Team for Iceland.

National Association of State Chief Information Officers (NASCIO)

National Association of State Chief Information Officers (NASCIO)

NASCIO's Cybersecurity Committee focuses helps state CIOs to formulate high-level security and data protection policies and technical controls.

SentinelOne

SentinelOne

SentinelOne is a pioneer in delivering autonomous security for the endpoint, datacenter and cloud environments to help organizations secure their assets with speed and simplicity.

FixMeStick

FixMeStick

FixMeStick is a virus removal device, a USB key that removes malware conventional antivirus software often can’t detect.

Truepic

Truepic

Truepic provides technologies that prevent fraud, identity theft, misinformation, and disinformation caused by generative, manipulated, or deepfake digital content.

Cygilant

Cygilant

Cygilant is a SOC2 certified service provider that combines MSSP and Incident Detection and Response (IDR) capabilities managed by global SOCs staffed with trained security engineers.

Securitybulls

Securitybulls

Securitybulls is an information security firm offering an encyclopedic penetration testing & IT security assessment service for your organization.

Project Moore

Project Moore

Project Moore is an Amsterdam law firm specialising in IT-law and privacy.

CybX Security LLC

CybX Security LLC

CybX is the first company of its kind to merge the practice of computer forensics with computer security and information security.

Towerwall

Towerwall

Towerwall offers a comprehensive suite of security services and solutions using best-of-breed tools and information security services.

Network Utilities (NetUtils)

Network Utilities (NetUtils)

Network Utilities provide identity centric network and security solutions to organisations from Telecoms and ISPs to SMEs and large corporates.

CyberNews

CyberNews

Cybernews.com is a research-based online publication that helps people navigate a safe path through their increasingly complex digital lives.

Smoothstack

Smoothstack

Smoothstack is a technology talent incubator whose immersive training program kick starts IT careers and delivers a fresh source of IT talent.

BlastWave

BlastWave

BlastWave’s BlastShield integrates three innovative products into a single solution to help prevent inadvertent and intentional attacks.

Centroid

Centroid

Centroid is a cloud services and technology company that provides Oracle enterprise workload consulting and managed services across Oracle, Azure, Amazon, Google, and private cloud.

PyNet Labs

PyNet Labs

PyNet Labs is a Training Company serving corporates as well as individuals across the world with ever-changing IT and technology training.