From: GovInfoSecurity.com
Cultural Shift is a Necessity for Organizations
It will be a few years until many organizations reach a level of maturity with continuous monitoring. Getting there will take organization-wide acceptance, says George Schu of Booz Allen Hamilton.
“They need to adapt to a new way of doing things,” Schu says in an interview with Information Security Media Group [transcript below]. “Implicit in the success of doing this well is a kind of cultural acceptance of the new process, perhaps some organizational change and training.”
It’s not all about the technology. “It’s certainly the people dimension and understanding what needs to be done to get people to accept it and make this go successfully,” says Schu, a senior vice president at the business advisory firm.
Continuous monitoring is becoming an integral part of cybersecurity, says Schu, highlighting how it’s being packaged in relationship with the risk management framework developed by the National Institute of Standards and Technology. “Security really needs to be looked at through the prism of risk to the enterprise,” he says.
In the interview, Schu:
- Explains the difference between continuous and constant monitoring;
- Discusses the potential savings continuous monitoring should offer organizations;
- Addresses how businesses can learn from the federal government’s implementation of continuous monitoring.
Schu is responsible for Booz Allen’s cybersecurity, identity and risk management, cloud security and program compliance business in government and industry.
Before joining Booz Allen in 2007, Schu held management posts at Verisign and Oracle. Retired from the U.S. Navy, Schu served as commanding officer of Corry Station, a technical training base in Pensacola, Fla., and led the training of members of all services and foreign students in cybersecurity, electronic warfare and cryptology.
Continuous Monitoring
ERIC CHABROW: Some people think of continuous monitoring as constant monitoring, which it isn’t. Please define continuous monitoring.
GEORGE SCHU: You’re right. There are a lot of different ideas about it. If you follow the NIST definition, they define it as maintaining ongoing awareness of information security, vulnerabilities and threats to support organization risk management decisions. That’s the definition that NIST has put forth of continuous monitoring and that’s Special Publication 800-137.
CHABROW: How well are government agencies doing in implementing continuous monitoring?