Continuous Monitoring: Reaching Maturity

Cultural Shift is a Necessity for Organizations

January 14, 2013
It will be a few years until many organizations reach a level of maturity with continuous monitoring. Getting there will take organizationwide acceptance, says George Schu of Booz Allen Hamilton.

"They need to adapt to a new way of doing things," Schu says in an interview with Information Security Media Group [transcript below]. "Implicit in the success of doing this well is a kind of cultural acceptance of the new process, perhaps some organizational change and training."

It's not all about the technology. "It's certainly the people dimension and understanding what needs to be done to get people to accept it and make this go successfully," says Schu, a senior vice president at the business advisory firm.

Continuous monitoring is becoming an integral part of cybersecurity, says Schu, highlighting how it's being packaged in relationship with the risk management framework developed by the National Institute of Standards and Technology. "Security really needs to be looked at through the prism of risk to the enterprise," he says.

In the interview, Schu:

  • Explains the difference between continuous and constant monitoring;
  • Discusses the potential savings continuous monitoring should offer organizations;
  • Addresses how businesses can learn from the federal government's implementation of continuous monitoring.

Schu is responsible for Booz Allen's cybersecurity, identity and risk management, cloud security and program compliance business in government and industry.

Before joining Booz Allen in 2007, Schu held management posts at Verisign and Oracle. Retired from the U.S. Navy, Schu served as commanding officer of Corry Station, a technical training base in Pensacola, Fla., and led the training of members of all services and foreign students in cybersecurity, electronic warfare and cryptology.

Continuous Monitoring

ERIC CHABROW: Some people think of continuous monitoring as constant monitoring, which it isn't. Please define continuous monitoring.

GEORGE SCHU: You're right. There are a lot of different ideas about it. If you follow the NIST definition, they define it as maintaining ongoing awareness of information security, vulnerabilities and threats to support organization risk management decisions. That's the definition that NIST has put forth of continuous monitoring and that's Special Publication 800-137.

CHABROW: How well are government agencies doing in implementing continuous monitoring?

SCHU: We haven't really kicked off a formal program yet. There are some agencies that have begun doing it, but there needs to be a more formal effort where everybody is operating from the same set of rules and set of tools, not that everybody needs the same tools. There will be a number of vendors that will be producing tools to do continuous monitoring, but they need to follow guidance that NIST puts out and DHS puts out. We're doing it in a very spotty way right now because it's right at the beginning of the continuous monitoring era.

CHABROW: If I understand, OMB is requiring all agencies to do continuous monitoring. Is that correct?

SCHU: That's right.

Challenges Facing Organizations

CHABROW: What are the challenges that are facing organizations? Why is it so difficult for them to implement this?

SCHU: The tools themselves are new. There isn't a governmentwide contract available to agencies to have this done. Now, agencies can go to providers on their own contracts, but DHS is trying to kick off a governmentwide effort by issuing a governmentwide contract through FEDSIM, which is a GSA office, to have one vehicle that's available to all of the government that will have competed and qualified tools and service providers available to the government on that contract.

CHABROW: Is this expensive?

Follow Jeffrey Roman on Twitter: @gen_sec
