Creating a Continuous Monitoring Culture
Facing Similar Challenges as Those Posed by ERP Systems
It will be a few years until many organizations reach a level of maturity with continuous monitoring. Getting there will take organizationwide acceptance, says George Schu of Booz Allen Hamilton.
"They need to adapt to a new way of doing things," Schu says in an interview with Information Security Media Group [transcript below]. "Implicit in the success of doing this well is a kind of cultural acceptance of the new process, perhaps some organizational change and training."
It's not all about the technology. "It's certainly the people dimension and understanding what needs to be done to get people to accept it and make this go successfully," says Schu, a senior vice president at the business advisory firm.
Continuous monitoring is becoming an integral part of cybersecurity, says Schu, highlighting how it's being packaged in relationship with the risk management framework developed by the National Institute of Standards and Technology. "Security really needs to be looked at through the prism of risk to the enterprise," he says.
In the interview, Schu:
- Explains the difference between continuous and constant monitoring;
- Discusses the potential savings continuous monitoring should offer organizations;
- Addresses how businesses can learn from the federal government's implementation of continuous monitoring.
Schu is responsible for Booz Allen's cybersecurity, identity and risk management, cloud security and program compliance business in government and industry.
Before joining Booz Allen in 2007, Schu held management posts at Verisign and Oracle. Retired from the U.S. Navy, Schu served as commanding officer of Corry Station, a technical training base in Pensacola, Fla., and led the training of members of all services and foreign students in cybersecurity, electronic warfare and cryptology.
ERIC CHABROW: Some people think of continuous monitoring as constant monitoring, which it isn't. Please define continuous monitoring.
GEORGE SCHU: You're right. There are a lot of different ideas about it. If you follow the NIST definition, they define it as maintaining ongoing awareness of information security, vulnerabilities and threats to support organization risk management decisions. That's the definition that NIST has put forth of continuous monitoring and that's Special Publication 800-137.
CHABROW: How well are government agencies doing in implementing continuous monitoring?
SCHU: We haven't really kicked off a formal program yet. There are some agencies that have begun doing it, but there needs to be a more formal effort where everybody is operating from the same set of rules and set of tools, not that everybody needs the same tools. There will be a number of vendors that will be producing tools to do continuous monitoring, but they need to follow guidance that NIST puts out and DHS puts out. We're doing it in a very spotty way right now because it's right at the beginning of the continuous monitoring era.
CHABROW: If I understand, OMB is requiring all agencies to do continuous monitoring. Is that correct?
SCHU: That's right.
Challenges Facing Organizations
CHABROW: What are the challenges that are facing organizations? Why is it so difficult for them to implement this?
SCHU: The tools themselves are new. There isn't a governmentwide contract available to agencies to have this done. Now, agencies can go to providers on their own contracts, but DHS is trying to kick off a governmentwide effort by issuing a governmentwide contract through FEDSIM, which is a GSA office, to have one vehicle that's available to all of the government that will have competed and qualified tools and service providers available to the government on that contract.
CHABROW: Is this expensive?
SCHU: I think that's in the category of the unknown right now. The ideal is that this will be more affordable, but more importantly, more effective, than the process that this will supersede, which was called Certification and Accreditation. We did C&A right after the FISMA Act was past in 2002. C&As were required for all federal systems, but in time security managers of agencies felt that C&As were not enough because they were on a snapshot in time of the security status of a system. That's the background for why we came up with something called continuous monitoring. The ideal would be that continuous monitoring would be more price-efficient than C&As. You will be getting a better result from doing continuous monitoring than what you were getting out of Certification and Accreditation. To say whether it's cheaper then C&As, I don't think we know yet. To answer your question fully, we can only do that once we get continuous monitoring throughout the government.
Broader Cybersecurity Approach
CHABROW: How does continuous monitoring fit into a broader approach to cybersecurity?
SCHU: That's a good way to think about this. It's going to be a very important part of cybersecurity. There's no silver bullet and certainly continuous monitoring is not a silver bullet. What's interesting about continuous monitoring is the way it's being packaged in relationship to the risk management framework that was developed by NIST. Security really needs to be looked at through the prism of risk to the enterprise.
Continuous monitoring will certainly improve the risk assessment of the enterprise, but the security ecosystem has many other parts to it. We will continue to do awareness services to agencies, like we're getting from U.S. CERT and other national cyber centers like NCIJTF and other national cyber centers, providing the indications and warning threats and attacks that are about to happen, or analysis of attacks that have happened. It's all part of the bigger cyber ecosystem that needs to be working in a harmonious way so that agencies are secure.
Continuous Monitoring in Other Sectors
CHABROW: When you talk about continuous monitoring in government, how are other sectors dealing with continuous monitoring?
SCHU: The government is ahead of what we're seeing in other sectors. Once continuous monitoring is implemented and tested in the government, it's something that would be appropriate for the critical infrastructure operators in the private sector. If it's not there yet in the tools, the services for continuous monitoring are still being developed and haven't really been fully implemented any place. I see that happening in the private sector after the first wave in the government.
CHABROW: When you talk about the first wave in the government, how long do you think that will take until it gets to a certain level of maturity that's being effective?
SCHU: I would say three to five years, based on other processes that we have seen rolled out, what it takes to have a successful rollout and what it takes to shake out the bugs and have an implementation that's fully functioning and satisfying the requirement of the process.
CHABROW: Are there certain skills an organization needs to have on-board to successfully implement continuous monitoring?
SCHU: There's definitely the classic cybersecurity skills. Network security engineers are needed. Analysis skills are needed so that you understand what the continuous monitoring is telling you about what's going on in your networks. I think it's many of the skills that we have developed over the years around cybersecurity, but it's applying those skills in new ways and using new tools to do the continuous monitoring.
CHABROW: What are the biggest challenges organizations face in implementing continuous monitoring, and how can they be met?
SCHU: An analogue to continuous monitoring is any big change that a new system introduces to an organization: a new system, a new way of doing things, a new process to the enterprise. A good analogue to that would be the implementation of an ERM system, an enterprise resource management system. That's often a tough thing on an organization because people inherently resist any new process. They like the way they've been doing things all along and they need to adapt to a new way of doing things. Implicit in the success of doing this well is a kind of cultural acceptance of the new process, perhaps some organizational change and training, so it's not just all about technology. It's certainly the people dimension and understanding what needs to be done to get people to accept it and make this go successfully.