
June 29, 2015


Bill Ross

Hmmm. I am not sure if we are using the right nomenclature. I could see managers being burned out by "continual risk assessments", as it implies constant work for them from the "continuous" point of view. What makes more sense is the Risk Management Framework's emphasis on "continuous monitoring". In this case, a significant risk management engine is working 24 x 7 through automation, etc., but it is not invasive as this article implies. I truly believe in the need for an annual end-to-end risk assessment with quarterly updates, combined with a solid continuous monitoring solution.
