
June 29, 2015


Bill Ross

Hmmm. I am not sure we are using the right nomenclature. I could see managers being burned out by "continual risk assessments", as it implies constant work for them from the "continuous" point of view. What makes more sense is the Risk Management Framework's emphasis on "continuous monitoring". In this case, a significant risk management engine is working 24 x 7 through automation, etc., but it is not invasive as this article implies. I truly believe in the need for an annual end-to-end risk assessment with quarterly updates, combined with a solid continuous monitoring solution.
