Hybrid working has rapidly evolved from a makeshift measure to a mainstream practice. Over half (58%) of Americans now say they have the opportunity to work from home at least one day a week, according to McKinsey. But there are challenges. It’s harder to keep track of devices across highly distributed networks and cloud environments. Many go unpatched or misconfigured, expanding the attack surface in the process.
I recently sat down with CIO’s Barbara Call to outline the challenges CIOs face and why cyber hygiene is a foundational discipline.
In the dark
It’s a tough time for CIOs, whether they’re managing public or private sector networks. Remote workers might want to log in from anywhere on any device today. How do you know if that user is who they say they are? Or if they’re using a properly patched and configured endpoint? As the IT environment expands in this way, it becomes more important than ever to gain complete visibility into these endpoints. And as policies and procedures evolve accordingly, it’s vital to get corporate governance in order.
The stakes couldn’t be higher. Ransomware, data breaches and a tidal wave of financial and reputational risk threaten to submerge IT leaders. But in many cases, organizations are struggling to find the cybersecurity talent they need to help. The challenge is exacerbated by disjointed, siloed tooling, which worsens visibility gaps and makes cyber hygiene little more than a pipe dream. Toolsets must be standardized and consolidated — and designed to shine a light on these visibility gaps via real-time, actionable data. Anything less will leave IT operations, security and incident response teams in the dark.
Putting it into practice
Having spent three decades as a public sector C-level IT exec, I’ve worked first-hand to solve these challenges. As CIO of San Joaquin County in California, I developed a three-year transformation plan across the organization. It began with asset visibility and management and focused on continuous vulnerability scanning and remediation and security incident management, to manage risk on an ongoing basis. Also, key was creating a common security posture to facilitate improved communication between the C-suite.
Part of this standardization was about consolidating our IT and security tools, down from 20 to around six. The resulting improvements in visibility and control not only enhanced cyber risk management efforts but also drove cost savings by highlighting unused software licenses that could be dispensed with.
It all starts with cyber hygiene
So, where should CIOs start? Good corporate governance really is key — putting that framework in place to make effective cybersecurity decisions. A single pane of glass solution to manage security across the organization will make this far easier — as well as real-time monitoring for comprehensive endpoint visibility and the control to remediate when something is not quite right.
With this infrastructure in place, CIOs can finally start to enhance their cyber hygiene, focusing on:
- Asset discovery for enhanced security awareness and software reclamation
- Vulnerability identification to minimize the attack surface
- Configuration consistency to reduce anomalies and cyber risk
- Patch efficiency across all platforms to leave no gaps for the bad guys to exploit
- Management of license utilization so only authenticated users have access
- Finding and fixing incidents at speed to mitigate risk
- Continual measurement and management of risk to meet insurance requirements
Cyber hygiene really is the foundation for effective security and system management. By using this as their North Star, CIOs can chart a course to becoming a low-risk organization.
You can learn more about laying that foundation in our eBook The Ultimate Guide to Cyber Hygiene.