No one argues with the need for continuous monitoring. A snapshot of your security posture from 12 months ago is useless, if not dangerous, as it might offer a false sense of security. A continuously updated view of your security posture is essential. Likewise, as discussed in a recent blog post, continuous response and remediation are also essential in order to maximize the benefits of continuous monitoring. What good is it to simply know you have problems? You must also have an efficient way to respond and remediate problems as they are identified. Continuous response and remediation is most certainly the next step in the continuous continuum.
However, the notion of continuous must not be limited to just technology. As seen in most of the hacks we read about each week, people are often responsible for breakdowns in security that allow the hacks to occur. Specifically, social engineering and phishing are common attack vectors.
These days there are so many security risks that everyone needs useful, current information to protect themselves and the company. Beyond phishing and social engineering awareness and updates, employees must also be made aware of, and reminded of, a myriad of company policies around cloud computing, BYOD, acceptable internet use, use of P2P services, protection of PII, telecommuting… the list goes on!
It's not good enough to have employees simply attest to volumes of security policies each year. It's too much to read, too much to remember, and too much time passes between reminders (re-attestation). Some policies may not even be relevant to all employees. But more importantly, things change rapidly. People must be made aware of important changes as they occur (new phishing techniques, updated PII mandates, etc.).
Each person in your company is like a port in your firewall. That is, each individual allows information to flow in and out of the company. Like the ports in your firewall, people must be programmed (or trained) to operate properly. Unlike technology, people sometimes forget. That's why it's important to constantly remind people of their responsibilities. These reminders might be prioritized, based on risk. They might also be event driven, such as when new or revised PII mandates are released, or there are increased reports of suspected social engineering attacks.
With this in mind, organizations must find ways to provide training and awareness content to all users in an ongoing manner: continuous security training and awareness. This will require that training be:
More tailored to individual user needs;
Easy for users to digest and remember;
Accessible from anywhere at any time; and
Minimal in its time impact on users.
Certainly this is no small feat, but I think, with some creativity, it's achievable. Continuous is for people too.