Leading the Drive to Continuous Monitoring
Senator, Federal CIO, State Department CISO Cited for Leadership
Continuous monitoring isn't just a promise as a means to more effectively assure the security of IT systems - especially as a replacement for the check-box compliance approach followed under the Federal Information Security Management Act - it's becoming a fact, thanks in large measure to three government leaders.
The SANS Institute Tuesday honored three government champions of continuous monitoring - Sen. Tom Carper, Federal Chief Information Officer Vivek Kundra and State Department Chief Information Security Officer John Streufert - with its 2010 National Cybersecurity Leadership Award for significantly improving the effectiveness of the nation's IT security.
SANS, a not-for-profit IT security education and research organization, cited the three leaders for uncovering more than $300 million each year in wasted federal spending on ineffective certification and accreditation reporting and developing and demonstrating an alternative approach called continuous monitoring that provides more effective security for federal systems at lower costs. According to SANS, Carper, Kundra and Streufert also played critical roles in changing federal policy to ensure that government agencies can rapidly implement the improvements.
For the past several congresses, Carper has introduced legislation to codify continuous monitoring, and though his bills have yet to be enacted, they have helped shape the government's move to require agencies to adopt continuous monitoring, as evidenced by a memorandum Kundra issued in April directing agencies to do just that. But the real star is Streufert, who implemented continuous monitoring and other automated measures at the State Department before any edict emanated from the Capitol or White House.
How effective is Streufert's leadership on continuous monitoring? Here's how SANS Institute Research Director Alan Paller explained it to Congress in June, in discussing Operation Aurora, the computer attack first disclosed by Google early this year:
"State can tell, within a day, which systems have and have not been patched. When State's CISO learned of the critical problem posed by the Aurora vulnerability, he didn't have to send an e-mail. He raised the vulnerability's risk factor (the value used to determine agency risk scores). Every office saw immediately that their security score had fallen and their bosses also saw the fall. Within six days, 85 percent of all vulnerable systems (servers and PCs) in all embassies and in all State Department offices around the world had been patched and were safe from attacks. That's six days, not weeks or months. No e-mails had to be sent; the scoring risk system did all the work. A clear example of why daily continuous monitoring is so important: it causes rapid risk reduction with low overhead."
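The mechanism Paller describes - a per-vulnerability risk factor, an office-level score derived from whatever is still unpatched, and a daily view of which systems remain exposed - can be modelled in a few dozen lines. The following is an added example written for this article; it is not code from the State Department's system or from SANS, and the office names, host names, vulnerability ids ("AURORA-LIKE", "OLD-SSH"), risk factors and the "100 minus summed risk" score presentation are all constructed assumptions chosen to illustrate how raising one factor moves every office's score at once.

```python
"""Toy model of a daily risk-scoring dashboard (constructed example).

All inventory data, vulnerability ids and risk factors below are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    office: str
    # vulnerability id -> True once patched, False while still exposed
    findings: dict = field(default_factory=dict)


def build_sample_inventory():
    """Constructed inventory: two offices, four hosts, two hypothetical findings."""
    return [
        Host("web-1", "Embassy A", {"AURORA-LIKE": False, "OLD-SSH": False}),
        Host("pc-7", "Embassy A", {"AURORA-LIKE": False}),
        Host("pc-2", "Embassy B", {"AURORA-LIKE": False}),
        Host("db-1", "Embassy B", {}),
    ]


def office_risk(hosts, factors):
    """Sum the risk factor of every still-exposed finding, per office (higher = worse)."""
    risk = {}
    for h in hosts:
        risk.setdefault(h.office, 0.0)  # offices with nothing exposed still appear
        risk[h.office] += sum(factors.get(v, 0.0) for v, patched in h.findings.items() if not patched)
    return risk


def security_scores(hosts, factors, ceiling=100.0):
    """Assumed presentation: each office starts at `ceiling` and loses its summed risk."""
    return {office: max(0.0, ceiling - r) for office, r in office_risk(hosts, factors).items()}


def raise_risk_factor(factors, vuln, new_factor):
    """Return a new factor table; one change here re-scores every office on the next run."""
    updated = dict(factors)
    updated[vuln] = new_factor
    return updated


def exposed_hosts(hosts, vuln):
    """Which systems have not been patched for `vuln` (the 'within a day' question)."""
    return [h.name for h in hosts if h.findings.get(vuln) is False]


def patch(hosts, host_name, vuln):
    """Record that a scanner has confirmed `vuln` fixed on `host_name`."""
    for h in hosts:
        if h.name == host_name and vuln in h.findings:
            h.findings[vuln] = True


def patched_fraction(hosts, vuln):
    """Share of the hosts that ever had `vuln` which are now patched (0.0 when none had it)."""
    affected = [h for h in hosts if vuln in h.findings]
    if not affected:
        return 0.0
    return sum(1 for h in affected if h.findings[vuln]) / len(affected)


if __name__ == "__main__":
    hosts = build_sample_inventory()
    factors = {"AURORA-LIKE": 1.0, "OLD-SSH": 4.0}
    print("day 0 ", security_scores(hosts, factors))
    factors = raise_risk_factor(factors, "AURORA-LIKE", 30.0)  # CISO escalates one factor
    print("day 1 ", security_scores(hosts, factors), exposed_hosts(hosts, "AURORA-LIKE"))
    patch(hosts, "pc-7", "AURORA-LIKE")
    patch(hosts, "pc-2", "AURORA-LIKE")
    print("day 6 ", security_scores(hosts, factors), f"{patched_fraction(hosts, 'AURORA-LIKE'):.0%} patched")
```

The point the model makes concrete is that the only action taken centrally is `raise_risk_factor`; the drop in every office's score, the list of exposed hosts and the patched percentage all fall out of the next scoring run rather than from an e-mail campaign.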
And, Streufert told me that beyond security, continuous monitoring makes good business sense:
"We were in search of strategies that would offer a higher return on investment for time and money we spent on security, just as our CIO asked us to do."
A job well done, and an honor well deserved.