
In a recent benchmark study conducted by the Ponemon Institute on The State of Risk-based Security Management, we asked 1,320 IT security, operations and risk management professionals in the US and UK about their attitudes towards security and risk management.


We recently compared the data from public versus private sector and found some very interesting results. For example, in the public sector, 55% of the respondents agree that risk management creates a culture of informed choice compared to 48% in the private sector.

Another area where the government sector shows higher maturity than the commercial space is in the belief that risk-based security methods help security professionals align the security mission with business objectives: 65% vs. 60% in the private sector.


Although this seems to indicate that the government respondents are more effective than the commercial sector respondents, that’s not necessarily the case. The public sector seems to score lower when it comes to communicating effectively.

Seventy percent of the government respondents admit that communications occur at too low a level vs. 62% for the private sector. In terms of how often this communication occurs, 46% of the public sector only communicates with senior executives when there is an actual incident vs. 41% for the private sector.

Introducing Continuous Monitoring, Diagnostics and Mitigation

Continuous monitoring is the last of the six steps in the NIST Risk Management Framework (Categorize, Select, Implement, Assess, Authorize, Monitor; NIST Special Publication 800-37), and NIST Special Publication 800-137 describes how to build an Information Security Continuous Monitoring program around it. The goal of Continuous Monitoring is not just to deploy security controls but to keep an ongoing watch over them, so that a change in the environment that weakens or removes a control is detected and addressed rather than discovered after an incident.

A good paper by SANS that explains the benefits of continuous monitoring can be found here.

Continuous monitoring as practiced had some shortcomings, though, so the Federal government created programs, notably the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program, to help strengthen cyber security and fortify Federal and other government networks.

The goal of Continuous Diagnostics and Mitigation is to provide the technical administrators with the capabilities to observe network anomalies and problems, identify vulnerabilities and the risks they pose, and determine and implement the most appropriate fix.
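The two ideas above (keep a continuous watch over deployed controls, and turn observed gaps into a prioritized fix list) fit in a small monitoring cycle. The following is an added illustration written for this post; it is not code from the original article, from NIST SP 800-137, or from the DHS CDM program or Tripwire. Every asset name, control name, impact score, exposure multiplier and observed value in it is constructed.

```python
"""Continuous-monitoring drift check: compare each asset's authorized control
baseline with the state the latest scan observed, then rank every gap by risk
so the highest-risk fix is made first.

Added example for this post, not code from NIST, DHS, CDM or Tripwire.
All assets, controls, scores and observed values below are constructed.
"""
from dataclasses import dataclass
from hashlib import sha256
from typing import Dict, List, Tuple

# Per control: (expected value, impact 1-5 if the control is absent or wrong).
ControlBaseline = Dict[str, Tuple[str, int]]

# Constructed baseline: what each asset looked like when it was authorized.
BASELINE: Dict[str, ControlBaseline] = {
    "web-01": {
        "sshd:PasswordAuthentication": ("no", 4),
        "nginx:ssl_protocols": ("TLSv1.2", 3),
        "patch_baseline": ("2013-09", 5),
        # File-integrity control: hash of the approved sudoers content.
        "file:/etc/sudoers": (sha256(b"root ALL=(ALL) ALL\n").hexdigest(), 5),
    },
    "db-01": {
        "sshd:PasswordAuthentication": ("no", 4),
        "postgres:listen_addresses": ("localhost", 4),
        "patch_baseline": ("2013-09", 5),
    },
}

# Exposure multiplier (constructed): the same failed control matters more on an
# internet-facing host than on an internal one.
EXPOSURE = {"web-01": 2, "db-01": 1}

# Constructed scan results from the current monitoring cycle.
OBSERVED: Dict[str, Dict[str, str]] = {
    "web-01": {
        "sshd:PasswordAuthentication": "yes",   # drift: someone re-enabled it
        "nginx:ssl_protocols": "TLSv1.2",
        "patch_baseline": "2013-09",
        "file:/etc/sudoers": sha256(           # drift: an extra sudoers line
            b"root ALL=(ALL) ALL\nwww-data ALL=(ALL) NOPASSWD: ALL\n"
        ).hexdigest(),
        "cron:/etc/cron.d/backup": "present",   # not in the baseline at all
    },
    "db-01": {
        "sshd:PasswordAuthentication": "no",
        "patch_baseline": "2013-07",            # drift: behind the baseline
        # postgres:listen_addresses was not reported by the scanner
    },
}


@dataclass(frozen=True)
class Finding:
    asset: str
    control: str
    kind: str       # "drift", "unverified" or "unexpected"
    expected: str
    observed: str
    risk: int       # impact * exposure; 0 for informational findings


def check_asset(asset: str, baseline: ControlBaseline,
                observed: Dict[str, str]) -> List[Finding]:
    """Diff one asset's baseline against what was observed on it."""
    exposure = EXPOSURE.get(asset, 1)
    findings: List[Finding] = []
    for control, (expected, impact) in baseline.items():
        if control not in observed:
            # A control we cannot verify is treated as failed, not as passing.
            findings.append(Finding(asset, control, "unverified", expected,
                                    "<not reported>", impact * exposure))
        elif observed[control] != expected:
            findings.append(Finding(asset, control, "drift", expected,
                                    observed[control], impact * exposure))
    for control, value in observed.items():
        if control not in baseline:
            # New, unauthorized state: informational until someone rates it.
            findings.append(Finding(asset, control, "unexpected",
                                    "<not in baseline>", value, 0))
    return findings


def monitoring_cycle(baseline: Dict[str, ControlBaseline],
                     observed: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Run one cycle over every authorized asset; highest risk first."""
    findings: List[Finding] = []
    for asset, controls in baseline.items():
        # An asset missing from the scan entirely yields all-unverified findings.
        findings.extend(check_asset(asset, controls, observed.get(asset, {})))
    return sorted(findings, key=lambda f: (-f.risk, f.asset, f.control))


if __name__ == "__main__":
    for f in monitoring_cycle(BASELINE, OBSERVED):
        print(f"risk={f.risk:<3} {f.asset:<7} {f.kind:<10} {f.control}: "
              f"expected {f.expected[:12]!r}, observed {f.observed[:12]!r}")
```

Two design choices carry the point of the section. A control the scanner could not report is scored as failed rather than silently skipped, because "no data" is exactly the condition in which a control has most likely been removed; and an item that appears on a host but not in its baseline is recorded even though it has no risk score yet, so the next cycle's baseline can be updated or the change rolled back. Running the cycle on a fully compliant observation returns an empty list, which is the steady state the program is trying to hold.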

In the following video, leading security specialists discuss how Continuous Diagnostics and Mitigation goes to the heart of what NIST means by Continuous Monitoring.

Included in the discussion are:

  • Michael Chertoff, former Secretary of Homeland Security and current Chairman of The Chertoff Group
  • Mark Weatherford, former DHS Deputy Undersecretary for Cybersecurity and current Principal at The Chertoff Group
  • Jane Holl Lute, former DHS Deputy Secretary and current President and CEO of the Council on Cyber Security
  • Keren Cummins, Tripwire’s Director of Federal Solutions
  • John Klein, Tripwire’s Director of Federal Sales



If you’re interested in learning more about how continuous monitoring, diagnostics and mitigation can help your organization, you can register to attend the upcoming Chertoff Group Security Series session “A Shift in Security: What Does Continuous Monitoring Mean for Reducing Enterprise Risk?” It will be held on Oct 29th in DC.

Hasta Pronto!





P.S. Have you met John Powers, supernatural CISO?


Title image courtesy of ShutterStock