It’s always easy to look at a plan, a timeline or a map and see what you want to see. Unfortunately, translating such blueprints into real-world results isn’t always as easy as merely drawing things up as you’d like them to work out.
For decades, enterprises have taken a largely audit based approach to ensuring that their IT security infrastructure was providing them with the necessary level of protection. These static checks were generally infrequent, costly and largely reactive to auditing demands.
As we all know, given the nature of today’s cyber security landscape, such a fixed approach to maintaining IT security protection won’t cut it. Security practitioners need to know state of their cyber defenses in a measurable quantifiable manner. To address this reality, government practitioners began developing a process of constant security validation known as continuous monitoring
The current model for this concept, using automated systems to proactively verify that security systems are in place and aligned correctly to prevent unauthorized access, was implemented at the U.S. Dept. of State roughly five years ago, and the results were significant. State found that by testing defenses constantly it could not only improve protection but also save a lot time and overhead costs previously attributed to other processes that continuous monitoring better informs, such as vulnerability remediation.
The need for organizations of all kinds to maintain a continuous and comprehensive understanding of real-world IT risk and security effectiveness couldn’t be more apparent today. In addition to the rise of more targeted and advanced cyber attacks, the sheer complexity of today’s network security infrastructure and it’s nearly fluid rate of change introduce numerous attack paths and widen existing attack surfaces. Keeping track of the end-to-end network and proactively managing security effectiveness is now a necessity.
But that’s not to say that the mere need for such an approach makes it easy to implement in practical terms. Since its creation, one of the biggest challenges to the adoption of continuous monitoring has been the lack of automated assessment systems capable of streaming and analyzing all the involved data.
However, representative of the nature of demand and timing, RedSeal assessment solutions have matured to the point where organizations can implement continuous monitoring in a more practical, cost-effective and resource-effective way.
As a result of this, beyond the government space, where continuous monitoring is an articulated set of compliance requirements, we see organizations from many different industries adopting the concept. This proves that the need for the continuous assessment capabilities offered by our product, including its many maps and visual expressions of security effectiveness, has never been more ubiquitous or concrete.
One of the industry analyst firms we work closely with, Enterprise Strategy Group, published a report last week, “Security Management and Operations, June 2012“, that provides hard data behind the argument that widespread adoption of continuous monitoring is not simply theoretical.
Per the report results, drawn from a survey of over 300 IT security decision makers:
-Over 40 percent of enterprise organizations that ESG classifies as security process leaders are already testing security on a daily basis
-99 percent of all organizations have some form of process in place to review security effectiveness in some manner
-Of the types of assessments used, analysis of network security controls (over 50 percent) was the most popular form of assessment
-Use of automated systems to analyze issues including vulnerability exposure remains one of the top priorities among security management
We’ve been pioneers and advocates for more proactive network security all along and we’re thrilled to see our solutions now viewed by many others as something organizations cannot live without.
You may still call it by another name such as continuous audit or continuous compliance, but continuous monitoring and the processes it encompasses are unquestionably being adopted and here to stay.
If your organization hasn’t already wrapped its arms around continuous monitoring and how it can help you proactively improve your management of defenses, policy compliance and security posture on an ongoing basis, all while reducing related costs, we can help.
Wouldn’t it be nice to rest assured on a daily basis that your defenses are working, you remain within the scope of compliance demands and most importantly, in a larger sense, that your many efforts are on the right track?