“Build It Right, Then Continuously Monitor” is a strategy promoted in a recent NIST document written by Ronald S. Ross and featured in our IT Downloads library. It sounds so simple, right? But few IT organizations follow this seemingly simple premise; instead, most take a piecemeal approach to creating a framework for managing security risks.
The document, “What Continuous Monitoring Really Means,” is short, at less than two pages, but it packs a lot of valuable information in a small package. For example, it emphasizes the importance of first investing in IT infrastructure before setting up a continuous monitoring process. As Ross puts it, “You can check that broken lock on the front door of your house once a day or every hour, and the lock is still broken. Better to fix the lock first, reinforce the door jamb, and then with the remaining resources, check the lock on an ongoing basis.”
But the document doesn’t just tell you what not to do; it also offers a few recommendations for strengthening your IT infrastructure, which starts with “establishing a sound cybersecurity and risk management governance process.”
Before making the investment in continuous monitoring resources, it would be in your best interest to read this informative piece. Like all NIST documents, it’s geared toward the federal government, but its advice will certainly pertain to a wide swath of organizations, including your own.