Surveillance is a polarizing topic. Some think that the monitoring of data, behaviour, or online activities is just an everyday element of modern life. From a business perspective, knowledge is power and information is arguably the most valued currency of all. The other side of the debate is that surveillance is indicative of the growing obsession of governments, organisations, and even our bosses(!) to try to control every minute detail of our lives. Some say it is a violation of civil liberties, indicative of a society driven by suspicion and fear.
What is indisputable, however, is that we need to be on constant alert regarding the threat to the security of our organisation. Let’s be clear about this: data is the most valuable asset of any company. It is therefore the most desired by cybercriminals. As I quipped in my last blog post, there are two companies that exist in the world: those that have suffered a security breach, and those that will.
But there is something that can help companies avoid being the next victim: Continuous Monitoring.
The National Institute of Standards and Technology (NIST) in the United States offers a useful definition of Continuous Monitoring:
“Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.”
Here are the 5 essential truths about Continuous Monitoring and how it can strengthen your company:
- Continuous Monitoring is a key component in the risk management process
Continuous Monitoring is a component of the risk management process; it is not the risk management process itself. It’s important for businesses to realise that there is no “one size fits all” approach to Continuous Monitoring or to the implementation of the technologies available. Senior management therefore needs to know its goals and objectives with regard to data security and decide how it will measure success or failure. It is by knowing this that a company will be able to maximise the effectiveness of its continuous security processes, and these approaches will eventually become ingrained in the company culture.
- It’s about strategy not surveillance
What often fogs our understanding of Continuous Monitoring is what it’s NOT about: it’s not about watching everything and knowing everything; rather it’s about verifying compliance. Collecting every last bit of data about everything in and around your company is a waste of time and resources. A sound monitoring strategy will focus on what is needed for internal compliance procedures or external auditing. The point is that Continuous Monitoring is not about a need to know everything, but about being able to produce a detailed picture of the processes involved in the successful operation of your company and to prove the integrity of those practices.
An essential part of compliance, one that is strangely rarely mentioned, is its continuous nature. Periodic assessments are not enough. The key to successful Continuous Monitoring, therefore, is automation. It ensures that a company can keep pace with the ever-accelerating changes in how security breaches happen. Cybercriminals, operating in multinational cyber gangs, are becoming more sophisticated in their strategies to access your data. Automation takes out the potential for human error. It ensures that your company is always one step ahead.
- It is not just about technology – it’s about people
It would be pretty understandable to find ourselves focusing exclusively on the technology, but the people element is also crucial. All those involved in Continuous Monitoring, from senior management to systems administrators, need access to training and educational material about the technologies and the program. Having the right technology will certainly reduce the risk that human error leads to a data breach, but the technology is not there to replace humans altogether. For technology to work successfully it’s vital that the people involved understand how and why it affects the working practices of the company and how they will be required to manage its implementation.
- It is cost-effective
At the end of the day, business is about making money. In this era of austerity, the reality for companies is that budgetary constraints can often mean that investing in security comes low on the list. After all, data breaches are what happen to other companies. Investing in effective Continuous Monitoring means taking the essential step of moving your company from reaction to threat prevention. While there might be an initial outlay, some disruption, and quite possibly a bedding-in process, in the long run taking these necessary steps means making sure your company, your customers, and your employees are safe from the very real threat of someone stealing their data. Investing in software that enables Continuous Monitoring ensures that you save money (and the trust of your customers!) which would certainly be lost in a distressing security breach.