Continuous Monitoring and the Cloud DHS's John Streufert Discusses Continuous Monitoring Evolution
Continuous Monitoring and the Cloud
As enterprises move more applications to the cloud, continuous monitoring will play a greater role in assuring the software is patched in a timely manner, says John Streufert, DHS director of federal network resilience.

"As we move toward more virtual environments, we will try to automate the patching, and have it go on seamlessly in the background," Streufert says in an interview with Information Security Media Group. "We are seeing a trend ... where those who run cloud-based environments are taking advantage of automated patching and provisioning of their various servers, desktops or session instances. Everything seems to be heading toward trying to get into the position to improve the mean time between patching, reducing that to the lowest possible amount."

Streufert is arguably the federal government's foremost practitioner in implementing continuous monitoring, having won accolades for deploying a successful continuous monitoring program at the State Department, a job that led to his current post at DHS, guiding other federal agencies in initiating continuous monitoring programs.

In the interview, Streufert discusses:

  • How continuous monitoring could move beyond compliance to address other needs;
  • The difference between continuous monitoring and constant monitoring;
  • How continuous monitoring will evolve as a vital information security tool over the next five years.

Before joining DHS last year, Streufert headed the State Department's implementation of continuous monitoring of its worldwide information networks, significantly reducing material weaknesses in State's IT systems. By employing a scoring mechanism known as the Risk Scoring Program he helped devise, the amount of risk to State's IT systems was reduced by 90 percent in one year.

Streufert joined the State Department in 2008 as deputy chief information officer and chief information security officer. Before then, he served in technical management roles for the Agency for International Development, where he began implementing some of the practices adopted at State; the Federal Crop Insurance Corp.; Naval Shipyards and the Naval Sea Systems Command. In 2004, Streufert received the Distinguished Presidential Rank award, and in 2005 he attained the highest IT security score of the federal government as assessed by Congress.

Around the Network