Jamf Security Lounge: Defensive Strategies Unleashed — Chess Mastery and Goalkeeping in the Life of a CISO

In this episode of Jamf Security Lounge, host Aaron Webb, Senior Product Marketing Manager, Security, is joined by Jamf’s CISO Aaron Kiemele to discuss the complexities that go into being a CISO.

August 2 2023 by Hannah Hamilton

CISO roles and responsibilities

To begin, Kiemele talks about a CISO’s responsibility to have an outcome of security for the business and to “bend the curve” toward better behaviors and attitudes for business success. He and his team aim to grow security skills throughout the company by being a facilitator for security best practices, keeping in mind that there is no “finish line” for security. A part of this accomplishment is staying up to date with the latest threats and trends in the market. Kiemele lists a few types of resources to stay abreast of the constantly changing security landscape: books; conference sessions from Black Hat, RSA or DEF CON; podcasts like Darknet Diaries or the Mac Admins Podcast; and more.

Making a cybersecurity strategy

Webb and Kiemele dive into cybersecurity strategies and frameworks. Kiemele recommends starting out by picking a trusted framework like ISO 27001, SOC 2, UK Cyber Essentials or a more general framework like NIST CSF, and breaking it down into smaller, digestible problems you can tackle. Webb recommends tools that organizations can use to aid in their framework implementation. When addressing regulatory compliance and data protection, Kiemele recommends diligently researching the obligations your company has and aiming for the controls listed in your chosen framework.

A part of a successful cybersecurity strategy involves enabling business operations and fostering a culture of security awareness. Kiemele reminds us that “security is part of the business, not apart from it,” and that it’s a business enablement function that supports business goals while reducing risk to a manageable level. Kiemele and Webb discuss how to strike this delicate balance.

To create a security-aware culture, Kiemele emphasizes the importance of transparent and open communication with other departments. Kiemele and his team work to manage risk while continually evaluating how it affects other goals, based on feedback from other groups in the organization. He also encourages us to consider the people in the company as an asset, not just a risk.

Webb and Kiemele also discuss AI and ML, and how both bad actors and cybersecurity professionals can use them to their advantage. Watch or listen to the session for more information.

End user privacy and security

When your organization uses Apple devices, you have to approach a security policy knowing that users tend to have admin rights on their device and are more likely to update to the latest OS. Kiemele mentions the institutional advantage of having Apple devices in the enterprise, citing that it’s easier to secure the devices with fewer tools and to understand the failure conditions. While users do have local admin privileges, because apps are vetted on the App Store, it’s less likely that users install malicious apps. Webb and Kiemele examine the differences in securing Apple vs. Windows devices — check out the session to learn more!

They also discuss user privacy. Users turn to shadow devices when they feel their privacy is being violated. While in the past organizations may have harvested personal data, this practice is outdated, says Kiemele. IT already has to process heaps of information; personal information doesn’t help identify problems with the device, so there’s no reason to collect it.

Words of wisdom

Kiemele offers advice for CISOs or people wanting to get into the cybersecurity world. This advice includes:

  • Where to start if you’re a new CISO
  • How your background affects your ability to be a cybersecurity professional
  • How to build security skills
  • How to build networking and public speaking skills

The session closes with Kiemele’s top 3 tips to mitigate risks:

  1. Decide what your treasures are and prioritize what needs to be protected the most.
  2. Don’t be the “department of no” — support the business, educate and advocate for security, and pick your battles when you do need to say no.
  3. Blame is pointless. Run with mistakes and take the lessons you learn to move forward.

Watch the webinar for a closer look at the life of a CISO.
