3072: A CISO's Guide to Mobile Security: Key Strategies from Jamf
Tech Talks Daily, October 30, 2024
24:28, 19.59 MB

In this episode, we tackle a fresh perspective on a common cybersecurity question: What keeps a CISO awake at night?

According to Michael Covington, VP of Strategy at Jamf, the real issue isn't external threats so much as the absence of robust security processes, especially around mobile device management. Covington explains how a well-thought-out strategy lets CISOs rest easy, knowing that the key areas, from cyber hygiene to compliance, are under control.

Our conversation covers three areas that Covington considers essential for keeping mobile device vulnerabilities at bay and for integrating mobile securely into enterprise ecosystems. First, he highlights the often-overlooked importance of cyber hygiene. Jamf's research found that roughly 40% of mobile devices were running with known critical vulnerabilities, a figure that shows how hard organizations find it to keep devices up to date and correctly configured. Covington argues that knowing your assets, setting a baseline (minimum OS version, passcode, encryption on the device) and patching consistently are not just best practices; they are the foundation everything else rests on.

Second, we explore the complexities of compliance, particularly when it comes to mobile devices. Covington points out that many organizations struggle to balance security regulations with the diverse landscape of personal and work devices. He suggests that the right tools can streamline compliance, ensuring that mobile devices align with broader corporate standards without creating unnecessary friction.

Lastly, Covington addresses the evolving nature of BYOD (Bring Your Own Device) policies and the intricacies of managing shared devices. Despite their long-standing presence, these device policies often present challenges, with many organizations lacking effective management strategies. Covington emphasizes the need for layered solutions that integrate into existing security frameworks without overwhelming IT teams or sacrificing the user experience.

Join us as we unpack Jamf's approach to these challenges and discuss the future of mobile security in industries from healthcare to aviation. How can organizations prepare for the next wave of AI-driven data on mobile devices? And what steps can they take now to ensure seamless, secure access for users? Listen in and share your thoughts on the balance between security, compliance, and user enablement in today's mobile-driven world.
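The episode's recurring advice (know your assets, set a platform-appropriate baseline for minimum OS version, passcode and disk encryption, then check device posture at the moment a user reaches a sensitive application rather than only at enrolment) is simple enough to sketch in code. The block below is an added illustration written for this page, not Jamf code and not a Jamf API; the inventory records, the baseline version numbers and the sensitivity tiers are constructed for the example.

```python
"""Device-posture gate: inventory -> baseline -> access decision.

Added illustration of the process discussed in the episode. Not Jamf code and
not a Jamf API; inventory records and baseline versions below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    platform: str         # "ios" or "macos"
    os_version: str       # as reported by the device, e.g. "17.6.1"
    passcode_set: bool    # lock screen / login password enforced
    disk_encrypted: bool  # FileVault on macOS; Data Protection on iOS
    vulnerable_apps: int  # installed apps flagged by an inventory scan


# Baseline per platform. The minimum OS versions are constructed assumptions
# standing in for "the oldest build without known critical vulnerabilities".
BASELINE: Dict[str, Dict[str, object]] = {
    "ios":   {"min_os": "17.6", "require_passcode": True, "require_encryption": True},
    "macos": {"min_os": "14.6", "require_passcode": True, "require_encryption": True},
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'17.10.1' -> (17, 10, 1). Numeric tuples compare correctly where plain
    string comparison would rank '17.10' below '17.6'. Non-digit text such as
    a beta tag is dropped from the component it appears in."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def evaluate(device: Device) -> List[str]:
    """Return every baseline failure for a device; an empty list means compliant."""
    rules = BASELINE[device.platform]
    failures: List[str] = []
    if parse_version(device.os_version) < parse_version(str(rules["min_os"])):
        failures.append(f"os_below_minimum:{device.os_version}<{rules['min_os']}")
    if rules["require_passcode"] and not device.passcode_set:
        failures.append("no_passcode")
    if rules["require_encryption"] and not device.disk_encrypted:
        failures.append("disk_not_encrypted")
    if device.vulnerable_apps > 0:
        failures.append(f"vulnerable_apps:{device.vulnerable_apps}")
    return failures


def access_decision(device: Device, app_sensitivity: str) -> str:
    """Gate access at the application boundary, not only at enrolment.

    'high' sensitivity apps require a fully compliant device. 'low' sensitivity
    apps tolerate vulnerable third-party apps (with a warning) but never a
    missing passcode, missing encryption or an OS below the minimum.
    """
    failures = evaluate(device)
    if not failures:
        return "allow"
    only_app_findings = all(f.startswith("vulnerable_apps") for f in failures)
    if app_sensitivity == "low" and only_app_findings:
        return "allow_with_warning"
    return "deny"


def fleet_report(devices: List[Device]) -> Dict[str, float]:
    """Fleet-level hygiene percentages of the kind quoted in the episode."""
    total = len(devices)
    denom = total or 1  # avoid division by zero on an empty inventory
    os_out_of_date = sum(
        1 for d in devices if any(f.startswith("os_below_minimum") for f in evaluate(d))
    )
    no_lock_screen = sum(1 for d in devices if not d.passcode_set)
    unencrypted = sum(1 for d in devices if not d.disk_encrypted)
    return {
        "total": float(total),
        "pct_os_out_of_date": round(100.0 * os_out_of_date / denom, 1),
        "pct_no_lock_screen": round(100.0 * no_lock_screen / denom, 1),
        "pct_unencrypted": round(100.0 * unencrypted / denom, 1),
    }


# Constructed inventory records, not real devices.
SAMPLE_FLEET: List[Device] = [
    Device("ipad-01",   "ios",   "17.6.1", True,  True,  0),  # compliant
    Device("iphone-02", "ios",   "16.7.2", True,  True,  0),  # OS below baseline
    Device("mac-03",    "macos", "14.6.1", True,  False, 0),  # FileVault off
    Device("iphone-04", "ios",   "17.6",   False, True,  0),  # no lock screen
    Device("mac-05",    "macos", "14.7",   True,  True,  2),  # two vulnerable apps
]

if __name__ == "__main__":
    for d in SAMPLE_FLEET:
        print(d.device_id, evaluate(d), access_decision(d, "high"), access_decision(d, "low"))
    print(fleet_report(SAMPLE_FLEET))
```

The point of the split between `evaluate` and `access_decision` is the one Covington makes: the baseline is a property of the device, but the decision belongs at the application, so the same device can be allowed into a low-sensitivity app and refused a sensitive one. In a real deployment the inventory records would come from the MDM and the minimum OS versions from a vendor advisory feed rather than constants in the file.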

[00:00:04] Have you ever wondered what makes a Chief Information Security Officer sleep well at night, despite the constant threat of cyber attacks?

[00:00:14] Well today we're going to uncover some enlightening perspectives on this topic with my guest Michael Covington, VP of Strategy at Jamf.

[00:00:24] Now Michael brings a refreshing twist to the typical cyber security narrative.

[00:00:29] Instead of focusing on the threats that could disrupt the sleep of CISOs, he highlights how robust security processes and sound strategies ensure a peaceful night's sleep.

[00:00:42] We'll talk about some of the critical areas of cyber hygiene, compliance and the management of BYOD and shared devices, all those usual suspects.

[00:00:51] But also how these components are crucial for maintaining security without sacrificing any sleep for those at the helm.

[00:01:00] So join us today as we explore how shifting focus from fear to foundational security practices can lead to better outcomes for businesses and the guardians of their data.

[00:01:13] But enough from me, let's get Michael onto the podcast now.

[00:01:17] So a massive warm welcome to the show.

[00:01:21] Can you tell everyone listening a little about who you are and what you do?

[00:01:25] Yeah, thanks for having me.

[00:01:26] I am the Vice President of Portfolio Strategy at Jamf.

[00:01:30] We are leaders in Apple device management and security.

[00:01:33] I come from a long tenure in the security industry.

[00:01:36] I started out in academic research and moved on to microprocessor and platform security before taking a little bit of a detour in network and data center protection.

[00:01:45] But I recently started coming back home and I'm back on the endpoint and really looking at where devices meet the edge and really bringing together all the technologies that make this big topic that everybody's discussing these days of zero trust a reality.

[00:02:00] My role is an interesting one.

[00:02:01] I sit in the product orgs.

[00:02:02] I get to spend a lot of time in the markets, spend time with customers and with partners, with thought leaders and practitioners who really have, as you would imagine, a lot of best practices to share.

[00:02:12] And it's a fun place to sit.

[00:02:14] And over the last couple of years, I've had a few people from Jamf on the podcast.

[00:02:18] I'm not sure if they're still there.

[00:02:20] I think it was Jaron Bradley and Lynn Larm, I think it was.

[00:02:25] Are they still there?

[00:02:26] Do you know them at all?

[00:02:27] I appreciate it's a huge company, but do you know those?

[00:02:30] Absolutely.

[00:02:30] Good friends.

[00:02:31] Lynn leads our technology practice and Jaron leads our threat research team.

[00:02:36] And still very active, as you can imagine, within the company.

[00:02:40] Fantastic news.

[00:02:40] One of the reasons I was excited to get you on the podcast today was I read that you said that CISOs who sleep soundly have addressed specific challenges.

[00:02:50] So can you explain how good cyber hygiene plays a role in ensuring mobile device security and why so many organizations still seem to struggle with this aspect, especially in this mobile-first world that we find ourselves in?

[00:03:05] Yeah. And then, you know, maybe just for context, as you can imagine, I've spoken to a lot of CISOs over the years and I just can't help myself from asking the most cliche of questions.

[00:03:15] And the answers that I've received have really been surprising in that many have told me that they sleep just fine.

[00:03:22] Thank you.

[00:03:52] And that the team has an established plan to respond to risk when it's elevated.

[00:03:57] And I think to kind of get right to the heart of your question around device hygiene and mobile, this is all about having a repeatable process in place.

[00:04:07] And mobile is still pretty new.

[00:04:09] We haven't seen a lot of organizations embrace mobile at scale for all of their critical applications yet.

[00:04:18] And I think that's where we're starting to see some struggle. These folks that have been sleeping so well for so long are now starting to look at the world shift, and they're starting to think through how do I adopt these new devices in my environment and make sure that I can continue to manage that risk effectively for the business.

[00:04:34] Yes. And before you came on the podcast, I read a great stat, a worrying stat if anything.

[00:04:39] It's that 40% of mobile users are running devices with known vulnerabilities, which is enough to keep anyone awake at night.

[00:04:47] So how can organizations improve those patching processes and get back to continuously monitoring configurations and enhance security?

[00:04:56] I realize there's so much going on and people are putting out fires, but if you don't sort this stuff out, then it will develop a life of its own and a bigger problem.

[00:05:04] But any advice on this?

[00:05:06] Yeah. And I think it's really important to highlight that this is not a problem that's isolated to mobile.

[00:05:12] The study that we did that really tried to assess the state of the state as it relates to cyber hygiene with organizations around the world.

[00:05:21] We did find that 40% of mobile devices were running with known critical vulnerabilities.

[00:05:27] But if you zoom out just a little bit, we found that 39% of orgs had at least one device, desktop or mobile, with known OS vulnerabilities, and that almost 3% of devices had vulnerable applications.

[00:05:40] And so we always talk about the layered defense approach to start to give organizations a structure for how to think about their security best practice.

[00:05:50] And so this is not just about patching. This is about, like I said, the CISOs who sleep well at night, they get back to basics. And one of the very first steps in risk assessment is know your assets.

[00:06:00] And as I said, mobile has been ignored for so long that most organizations just don't know how many mobile devices they have out there, especially as you start to look at personal devices that have crept into the organization in the form of BYOD, whether it's sanctioned or not.

[00:06:15] I think once you know what those assets are, that's when it's time to start talking about your baselines.

[00:06:21] How do you establish a standard for mobile that is appropriate for mobile so that you can make sure that you've got the right configurations on the device, like a passcode setting?

[00:06:32] You can hold users accountable to ensuring that you have a minimal OS standard in place before they're connecting to your critical applications.

[00:06:40] And let's not forget, like this is not just about knowing the assets and getting that baseline in place.

[00:06:47] You've got to protect the users from active threat and you've got to make sure that the baseline is being met when that protected user starts accessing applications.

[00:06:56] And so this really is about bringing together everything that we know about this mobile device, the user who's at it, their role in the organization, the attributes of the device, the real time assessment of the posture of that device before allowing access to your applications.

[00:07:14] And that's ultimately the piece that ties it all together and ensures that you're not just patching applications in a vacuum or putting security tools in a device to check a box on a checklist.

[00:07:26] It's about making sure that you've got good practices in place and you can ensure they're in place when the most sensitive of information is being accessed by your users.

[00:07:36] And of course, another big headache in any corporate environment is compliance.

[00:07:41] It's a major issue right now, especially when it comes to integrating personal and work devices into existing regulations.

[00:07:49] So again, how can security teams better align those mobile device management strategies with broader compliance requirements?

[00:07:58] Because they are much closer than people might imagine, right?

[00:08:01] You know, compliance is an easy word to say, but I think really unpacking it and understanding what it means.

[00:08:07] There are very few people who have that skill set in organizations today, especially as it relates to these modern devices and especially mobile.

[00:08:15] And I think translating the mandates that are written, we have to remember that regulatory standards are written almost in a legal prose.

[00:08:24] And translating that into control that can be practically implemented on a device, that's challenging.

[00:08:29] And so really where we advise our clients is to take a step back.

[00:08:34] Make sure that you understand the compliance standard that you're trying to align with, whether it's something like the CIS benchmarks or NIST 800, and then find the right guide to help you with that interpretation of that standard for the devices that you're trying to apply it to.

[00:08:52] In my world, I look a lot to the mSCP.

[00:08:56] That's the macOS Security Compliance Project.

[00:08:59] It's an open source effort.

[00:09:01] Anybody can go there and look at it to really get some programmatic guidance on how to apply the security standards that are important to you.

[00:09:12] And that's probably the best advice I could give any security team that's looking to move in this direction on mobile, because the mSCP recently extended beyond the macOS start that they had.

[00:09:23] And they now support taking these standards into the mobile world as well, which I think is so important to help with that translation.

[00:09:28] Something that we've been talking about for well over a decade is bring your own device or BYOD and shared device management.

[00:09:36] Longstanding challenges, but we've evolved so much since the arrival of the smartphone and tablets, etc.

[00:09:42] But now in this world of hybrid working and expectation to work anywhere, as long as there's an internet connection, what are the most common pitfalls that you see organizations facing?

[00:09:54] And how can some of those challenges be effectively addressed?

[00:09:57] Because the genie is officially out of the bottle, isn't it?

[00:10:00] We're not going back.

[00:10:01] Yeah, it sure is.

[00:10:03] You know, I think so many organizations kind of come into the BYOD conversation from a control perspective.

[00:10:09] They want to immediately put policy on a device that they don't own.

[00:10:13] I think it'd be better if they took a step back and maybe started this conversation from a perspective of enablement.

[00:10:21] What is it that the workers need to do to find the applications that are going to make them productive?

[00:10:26] How do they get connected to the network?

[00:10:28] And I think once you've got your head around delivering a good working environment for the user,

[00:10:34] you can start to think about how the controls kind of overlap with that.

[00:10:38] And it's really about making sure that the key applications for work are enabled on that device.

[00:10:45] I feel like the BYOD conversation, we don't acknowledge it, but so many organizations are just allowing BYOD to access contacts and calendar and email.

[00:10:56] That's a bore.

[00:10:57] There's no new productivity that's going to happen through those applications.

[00:11:00] It's the additional data sets and workloads.

[00:11:03] And when you start to think about access to that on a personal device, you have to also factor in what the user wants.

[00:11:11] The user wants privacy.

[00:11:12] The user wants to be able to use their device at work for those key applications and not have to go through a bunch of additional setup steps.

[00:11:19] And so when it comes to best practices around BYOD, it's really partition or container oriented.

[00:11:26] And this is very possible in today's modern mobile devices.

[00:11:31] Carve out a partition on the device for work.

[00:11:33] Don't look at just applications in isolation, but think of all the applications that a user needs for their work and put it into a container.

[00:11:41] And then you can start to layer controls on top of that container that restrict how data flows in and out of it, how the user connects that container to the network and to other places for compute.

[00:11:53] And don't interfere with what the user does on the personal side of the device.

[00:11:58] I think that's where so many organizations go wrong and they leave a sour taste in end users' mouths.

[00:12:03] It's important to respect the privacy, get out of the user's way, and make sure that the data is controlled that's important to the organization.

[00:12:11] And over the years, there's another cliche that we keep hearing about, and that is workers are the weakest link in security.

[00:12:17] I think it's a very lazy thing to say and hopefully something we can finally retire.

[00:12:22] And one of the things that, again, put you on my radar, as you said, is that security processes, rather than the threats themselves,

[00:12:29] are the things that keep CISOs awake at night.

[00:12:31] So can you elaborate on how organizations can develop stronger processes to mitigate risks, especially with the increasing use of mobile devices?

[00:12:41] Yeah, I'll just take it right back to what we were just talking about, establishing those good security baselines.

[00:12:46] You know, we've got a lot of work to do to right the ship and to make it so that we can have fewer than 40% of devices operating with known vulnerabilities in production.

[00:12:55] And, you know, we talked a bit about compliance.

[00:12:58] This isn't just about regulated industries.

[00:13:00] This is about every business, whether it's a small mom and pop shop or a giant enterprise.

[00:13:06] Making sure that the devices are configured well, the best standards.

[00:13:10] This means like when you're using something like a MacBook, set up FileVault.

[00:13:14] Make sure your data is encrypted on the device.

[00:13:16] We found that over a third of Macs don't have that very simple setting set up.

[00:13:21] On mobile, set up a lock screen so that if a user sets it on a counter and someone else picks it up, it's protected.

[00:13:27] We found that 3% of devices worldwide have lock screen disabled.

[00:13:31] These are simple fixes.

[00:13:33] And I think once we can get this under control, then we can start to talk about the real threat.

[00:13:40] And there is an incredible threat out there as it relates to mobile.

[00:13:44] But I think by getting some of these process issues addressed, we're going to make the organizations and the devices themselves more resilient.

[00:13:51] So when that threat does happen, we're going to be able to keep it at bay and keep the business operating.

[00:13:58] And how do you think organizations can better consolidate the management of BYOD and shared devices into maybe existing security stacks without introducing additional complexity?

[00:14:10] Because things can get incredibly complicated very quickly, and that seems to delay the entire process.

[00:14:16] But any tips on how to avoid that complexity?

[00:14:21] Yeah.

[00:14:21] And, you know, I'm going to focus on the word that you used there in the question around consolidation.

[00:14:26] And I think that you absolutely want to treat a BYOD device similar to how you treat a corporate device in that you want visibility of it.

[00:14:36] You want to know that it's accessing your key applications and workloads.

[00:14:40] But you need to keep in mind that as an organization, you don't own that device.

[00:14:45] And your rights on that device in terms of control vary from what you have on a corporate device.

[00:14:52] So think about what your requirements are.

[00:14:54] Requirements for managing risk, both within the applications and the data that you're going to be allowing access to.

[00:15:00] So that way you might be able to say certain applications are okay to use on BYOD.

[00:15:05] Others may not be.

[00:15:07] And similarly to the controls that you establish on those devices.

[00:15:10] You know, so often in security circles, one of the first controls that's put on a device, a corporate-owned device, is an acceptable use policy.

[00:15:18] You want to make sure that you prevent users from going to inappropriate content so that you don't damage the organization's brand, for example.

[00:15:26] You can't use those same kind of controls on a personal device.

[00:15:30] You can't tell a user what is and is not appropriate to do on their endpoint.

[00:15:35] But what you can do is you can tell them how they can treat corporate data.

[00:15:40] So copy and paste rules, making sure that you're controlling the flow of company information as it moves within that device that is belonging to the user.

[00:15:49] There's a lot to do there, but it really falls back to requirements, making sure that you document those and that you are really clear on where that central consolidation is important and where you may be able to diverge a little bit from a standard and do something differently for BYOD.

[00:16:05] Because let's be honest, it's a different type of device and you can't treat them all exactly the same.

[00:16:10] I'm 100% with you.

[00:16:12] And I do think many organizations continue to struggle with defining those clear BYOD policies.

[00:16:20] So again, any other best practices that you've seen that allow organizations to maybe securely manage those personal devices without compromising corporate data?

[00:16:30] I know it's almost a secret recipe that everyone's looking for, but I suspect you've seen both good and bad examples, right?

[00:16:37] Yeah, of course.

[00:16:38] And I think it's important to remember that BYOD at the end of the day is really a benefit for both the employee and the employer.

[00:16:45] The employee gets to carry just a single device around.

[00:16:48] And from a usability perspective, it's so much more convenient to not have to have multiple devices floating around in your bag.

[00:16:55] And for the employer, they get a user who's more connected to data and applications than ever before because it's going to be tied to their hip.

[00:17:03] But too many organizations, I think, treat BYOD like a cost savings exercise.

[00:17:09] They don't have to buy the hardware and so therefore they don't need to invest in the experience and the applications and the policies that are documented for those devices.

[00:17:18] And I think that's where so many go wrong.

[00:17:20] As we've said so many times already just in this conversation, it's about documentation of your requirements, documentation of your policies.

[00:17:28] And so best practices for me, I think, really revolve around, I'd say, three key points.

[00:17:33] First, you've got to respect the user privacy.

[00:17:36] Don't try to restrict what people do on their own devices or when and how they use personal applications.

[00:17:43] Second, you've got to be transparent.

[00:17:45] You've got to educate users on what your policies are so that they know what they can do to avoid tripping over them.

[00:17:53] But also they know what they can do to right the ship should something go sideways on the device, whether it be they're actually attacked and they need to perform some mitigation step or they've made a mistake and they've lost access to a key application as a result.

[00:18:08] You don't want them sitting there scratching their head trying to figure out how do I get back to being productive?

[00:18:13] Because productivity is the ultimate goal here.

[00:18:16] It's not a prevention policy we want in place.

[00:18:19] We want the users connected.

[00:18:20] And the last thing we need to remember, I think, just as it relates to best practices on BYOD, this is about establishing a good user experience just like we want to do on a corporate-owned device.

[00:18:30] And so focusing on the policies that get users quickly into those key applications, allow them to kind of seamlessly move around the device.

[00:18:39] I think many security leaders are going to find that their security policies for BYOD are actually going to lead to a more secure organization, a better user experience, and more productivity if they can get the policies just right.

[00:18:54] So hopefully with a little bit of a reminder that UX makes all the difference, you're going to see some upticks in productivity here down the road.

[00:19:01] And I think we must have broken some kind of record for a tech podcast because it's, what, 20 minutes in and we've not mentioned AI yet.

[00:19:08] But with just a few months left of 2024, the AI smartphone, that is the big talking point at the moment.

[00:19:15] AI is now becoming embedded in our personal and corporate devices.

[00:19:20] And we're a few months away from 2025.

[00:19:22] So if I was to ask you to look into a virtual crystal ball and look ahead into the future, are there any other emerging trends in mobile device security that you think will become more critical for organizations to address?

[00:19:35] And how can they start preparing today as many businesses are planning next year's strategies as well?

[00:19:42] Any advice there?

[00:19:44] You know, I think I've probably already alluded to it.

[00:19:46] But for me, it's the role that mobile devices are playing in a day-to-day organization and the mission-critical capabilities that they're providing.

[00:19:57] So healthcare, for example, really has embraced mobile to transform patient care.

[00:20:03] Aviation industry has also adopted mobile to really lead to more efficient operations, improved passenger experiences.

[00:20:10] And knowledge workers we've talked a lot about here, they have access to so much more information now.

[00:20:15] And all of this is because of the applications that are finally opening up on mobile.

[00:20:21] These devices have access to some of the most sensitive data across the organization.

[00:20:25] And as you start to think about trends like AI and how that actually brings more information and intellectual property down to the device, these things are sitting on an incredibly valuable repository of information.

[00:20:40] And so I think mobile security is going to continue to mature.

[00:20:43] But this is not just about prevention and defensive tooling.

[00:20:46] It's about data gathering and monitoring.

[00:20:49] So I'm excited to see organizations who are exploring zero trust actually focus on mobile enablement in the near term.

[00:20:57] I'm expecting to see more interest in active threat hunting for mobile.

[00:21:02] I think this is going to become an expertise within the security operations center, whether you have it in-house or you outsource that to a managed organization.

[00:21:10] And I'm also really excited to see how we start to use more of the data that we're collecting from these devices to deliver a better user experience and to ultimately ensure that users are being more productive with these tools at the end of the day.

[00:21:25] So for me, it's about better use of data and more application access for workers.

[00:21:31] Fantastic.

[00:21:32] Well, I loved learning so much from you today about mobile security, but it can be a dry topic.

[00:21:37] So I'm going to try and have a little bit of fun with you before we go.

[00:21:40] And a question I always ask my guests is, is there a book that has inspired you or maybe just recommend after reading over the summer holidays or a song that means something to you that we can add to a Spotify playlist?

[00:21:52] I'll let you decide.

[00:21:54] But for everyone listening, what's that one final gift that you'd like to leave everyone with?

[00:21:58] Yeah, I think I'm going to show my age here, but I got to tell you, I'm a big fan of the crowd sing along.

[00:22:04] And so you've got to go with an old standby that everyone knows the words to.

[00:22:08] I'm a big Neil Diamond fan.

[00:22:10] So give me some sweet Caroline to get the voices going and the pub rallied.

[00:22:14] And I think that's going to make me happy at the end of the day.

[00:22:17] So good.

[00:22:18] So good.

[00:22:19] That's all I can say.

[00:22:21] I will get that added straight to our Spotify playlist.

[00:22:24] And it's huge over here in the UK.

[00:22:27] It seems to be sung at every sporting event.

[00:22:29] I'm not sure exactly what caused that or why it's happened, but a great song.

[00:22:33] And of course, for anyone listening just wanting to find out more information about Jamf on the more serious topics we discussed today.

[00:22:39] Where would you like to point everyone there?

[00:22:41] Best place to check us out is jamf.com.

[00:22:44] That's J-A-M-F dot com.

[00:22:46] Excellent.

[00:22:47] Excellent.

[00:22:47] Well, I'll include links to that so everyone can find you.

[00:22:50] And we covered so much today around cyber hygiene, compliance, defining BYOD and shared device policies and everything in between.

[00:23:00] And you even had time to leave us with a great song.

[00:23:02] But more than anything, just thank you for sharing your insights and your time today.

[00:23:06] Thanks again.

[00:23:07] Thank you.

[00:23:08] So as we wrap up today's discussion with Michael, it's clear that the key to a good night's sleep for CISOs isn't just about warding off threats.

[00:23:16] It's more about embracing comprehensive, proactive security strategies that address core issues like cyber hygiene, compliance, BYOD management.

[00:23:27] And I cannot thank Michael enough for taking the time to share how getting these foundationals right not only protects organisations, but also fosters a secure, efficient and resilient digital environment.

[00:23:42] But the big question after that conversation is what steps is your organisation taking to ensure that your security leaders can rest easy?

[00:23:51] And how are you going to tackle some of those problems?

[00:23:54] I'd love to hear your thoughts and experiences in securing mobile and BYOD environments.

[00:23:59] So please share your stories with me and let's keep this conversation going.

[00:24:03] Tech blog writer at Outlook.com.

[00:24:06] LinkedIn, just at Neil C. Hughes.

[00:24:08] Let me know your thoughts.

[00:24:09] Well, I've taken up far too much of your time.

[00:24:12] I'll be back again bright and early tomorrow with another yes, but thank you for listening today.

[00:24:16] Hopefully I will speak with you all again tomorrow.

[00:24:18] Bye for now.