Organizations that need to comply with regulatory requirements are well aware of the time spent preparing material and getting "ready" for the auditors. This usually makes the organization aware of its risk and security level at least once a year. All the other companies, without these external regulatory requirements, may do some penetration testing perhaps once a year and a security audit every couple of years. But what happens in between?
Security is not a destination. It's an ongoing journey that needs continual improvement and constant evaluation. Corrective actions and controls should be handled continuously, and so should the monitoring of the individual and overall risk level of all information systems in the organization. Why don't more organizations realize that?
There are numerous ways to get there, but an easy way is to start using a tool for it. Continuous monitoring is about scanning your systems for vulnerabilities or changes that could impact security, and reporting on the findings in real time. Why wouldn't you want to know about the risks that have just shown up?
Be secure, compliant and aware – all the time! Start monitoring continuously!
// Hans Graah-Hagelbäck