Featured

A Kale Smoothie won’t stop your Cloud Systems from being attacked

I find that the second week of a diet is easier than the first – I’ve always given up by then! The secret to getting fit and losing weight is an uncomfortable truth which, in all honesty, we already know: a permanent shift in lifestyle is going to be needed. Eat less, eat better, and get active. Cyber Security Best Practices are not really much different.

 


If I knew then what I know now – Zero Day Vulnerabilities and the fear of the unknown

Whenever we hear of a new Zero Day threat, trying to work out when Day Zero actually was is always an inexact process. The first the general public knows of it is when patches are released, which means somebody fell victim to the exploit days or weeks before. Sometimes we get more color from whichever researcher first analyzed the threat, but it’s what was going on before Day Zero that’s the real concern. How long has the exploitation of these vulnerabilities been going on? It’s a troubling ‘known unknown’. It leaves us feeling like we are swimming in the ocean knowing there are Great White sharks out of sight below us – it won’t be long before one of them gets hungry!

 

So, what can you do to counteract the threat of something, when you don’t even know what that something looks like?


Before you chew through Compliance, consider nibbling the CIS Controls

Have you heard of the CIS Controls? Even though they’re not part of any specified GRC (Governance, Risk Management, Compliance) mandate, they could actually be used as the foundation for them all.

A light, straightforward hors d’oeuvre before you take on the mega-calorific, piled-high, full-fat platters of the multi-course feast that is a full Compliance standard. Put simply, Compliance is about ensuring your organization operates IT systems in a way that minimizes their vulnerability to cyber-attack. In the unfortunate event that a breach does succeed, Compliance also confirms that you can quickly identify the offense and respond properly. How you achieve this can be complicated. Since every company is different, with varying levels of risk, security measures are also naturally distinct for everyone.