By Jie Zhang, VP Analyst at Gartner
The adoption of new technologies and growth of digital businesses are contributing to the expansion of threat landscape, creating a need for more controls. Increased attack surfaces due to cloud adoption and new digital business are making security assurance tasks even more arduous, error-prone and incomplete than before.
Organizations of various sizes and in different industries often face resource limitations due to their security and IT operational teams being occupied with manual testing and reporting on controls. To address this issue, leaders in security and risk management must adopt technology such as continuous control monitoring (CCM) that automates the monitoring of cybersecurity controls’ effectiveness and aids in gathering relevant information in almost real time.
How CCM Tools Benefit an Organization?
CCM tools provide SRM leaders and relevant IT operational teams with a variety of capabilities that allow for the automation of CCM, reducing the need for manual effort. These tools support activities throughout the control management life cycle, such as gathering data from various sources, testing the effectiveness of controls, reporting results, notifying stakeholders, and even initiating corrective actions in cases of ineffective controls or anomalies.
Additionally, the automation provided by these tools allows SRM leaders and IT operational teams to obtain almost real-time insights into the effectiveness of controls. This, in turn, improves situational awareness when monitoring security posture and detecting compliance gaps.
There are numerous other benefits that organizations can derive from CCM, including:
- Streamlining control testing and reducing audit management costs. SRM leaders and IT operational teams no longer have to rush to gather evidence and evaluate controls immediately before audits when evidence of key control activities is collected automatically according to designated standards and policies.
- By introducing checks and balances, organizations can ensure that controls and gaps are actively managed.
- Reduction in the cost of independent external audits by sharing evidence and avoiding the assessments typically performed by consulting firms.
- By using preconfigured dashboards and reporting features, the human error associated with ad hoc data exports, copying and pasting, and hunting for files is reduced.
- Reduced remediation costs, since control deficiencies are identified and fixed before they escalate.
- A better understanding of the organization’s security and compliance posture for senior leaders.
An organization must determine its security compliance requirements, based on frameworks, regulations, and industry standards, as well as internal policies, before rolling out a CCM implementation.
As a next step, organizations should define the scope of connecting systems and applications to a CCM tool. The selected systems and applications need to be clearly documented and agreed upon. Assess the scope of the project, determine the requirements, including automation, your organization’s readiness, the user roles that could benefit from CCM capabilities, and the budget. This task involves, among other things, checking whether the IT asset tracking is consistent, inventorying and cataloguing security controls (the percentage of technical controls versus nontechnical controls) and checking the frequency of security control testing and compliance reporting. Calculating how many controls and assets the security and IT operational teams must manage and the cost of existing management capabilities is essential.
Furthermore, organizations must then evaluate CCM vendors and their tools against the requirements. Additionally, identify the data sources available in the security management portfolio and whether they can be used as sources for CCM. Data sources are crucial for successful deployment of CCM solutions.
Ultimately, companies should configure their selected CCM tool to meet the necessary requirements and utilize any gap analysis features to enhance monitoring capabilities. This includes establishing alerts and priorities, integrating them into response procedures, and ensuring recipients are informed. Testing should also be conducted to verify proper implementation. In addition, personnel training and pilot programs should be conducted in the production environment. As the final step, implementing the CCM tool should be followed by ongoing monitoring of its performance, coverage, and process integration to continually improve settings and automate compliance reporting effectively.