Are you Measuring Continuing Risk?


Regular readers may remember that we bought a new house last year. You’ll be pleased to learn that as recommended, I ran a short-term (48-hour) radon test in the basement.

Radon, in case you missed that day in middle school science class, is a colorless, odorless, tasteless, and radioactive gas – a health hazard. And while it is often “the single largest contributor to an individual’s background radiation,” the level of exposure differs by location, depending on the geology beneath the house.

I ran the test, mailed it off to the testing center, and waited for the results. The levels came back “safe!” Awesome.

Well, maybe. 

Because last month, while showing some folks around the new house, my friend Marco said, “Rob, you should get one of those continuous radon monitors.”

It’s a good point. My home office is in the basement, my wife and I work out there, and my kids play down there all the time. 

This time, thanks to an Airthings Home Radon Detector, the results were not so favorable. Our basement often reached the “sort of unsafe” level and occasionally spiked into the “run for your lives” level. So we brought in a radon mitigation firm, and the levels have been falling.

Was my initial radon test broken or defective? Probably not. It’s just that a one-time test is a snapshot in time – a picture of how things look right now. Radon levels swing with the weather, the season, and how the house is being ventilated, so a 48-hour reading, even an accurate one, is not great at assessing the continuing risk to the Black Family.

And continuing risk, rather than a quick peek, is a much better predictor of what might go wrong in the future.


One-Time Tests Vs. Continuous Monitoring

In the cybersecurity world, the distinction between one-time and continuous testing is well illustrated by comparing a SOC 2 Type 1 report with a SOC 2 Type 2 report.

In short, SOC 2 Type 1 is a point-in-time evaluation: the auditor checks that the company’s controls are suitably designed and in place as of a single date. SOC 2 Type 2, by contrast, covers a review period, usually 6 – 12 months, and the auditor samples evidence from across that window to confirm the controls actually operated the whole time. A control that was switched on the week before the audit looks fine in a Type 1; in a Type 2 it shows up as an exception for every month it was missing.

Not surprisingly, customers and would-be customers who want evidence of a great security program are going to expect (and sometimes demand!) a SOC 2 Type 2 report from their vendors, and to ask for a fresh one every year, because even a Type 2 only speaks to the period it covers. They want to see a well-designed cybersecurity program that is executed and maintained consistently.
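To make the snapshot-versus-period distinction concrete, here is an added example (not from the original post, and not any product’s or auditor’s code) that evaluates a constructed series of readings two ways: the way a one-time test does, by looking at the value in force at a single moment, and the way continuous monitoring does, by looking at the whole period. The readings and the 4.0 action level are made-up values; read them as a radon monitor’s pCi/L or as the count of exposed services an automated scan found on each run. Note that the time-weighted mean of this series also sits under the action level, which is exactly why the period view reports peak and excursion length rather than a single average.

```python
"""Snapshot vs. continuous assessment of a risk reading.

Added example, not code from the original post. The readings and the
action level below are constructed; treat them as periodic results of an
automated check (a radon monitor's pCi/L, or the number of hosts an
external scan found with an exposed admin port).
"""
from datetime import datetime, timedelta

# Constructed readings: (timestamp, value). A reading is assumed to hold
# until the next one arrives, so spacing may be irregular.
READINGS = [
    (datetime(2023, 3, 1, 9), 1.0),
    (datetime(2023, 3, 2, 9), 1.2),
    (datetime(2023, 3, 3, 9), 6.5),  # an excursion a one-time test can miss
    (datetime(2023, 3, 4, 9), 7.1),
    (datetime(2023, 3, 5, 9), 1.1),
    (datetime(2023, 3, 6, 9), 0.9),
    (datetime(2023, 3, 7, 9), 5.2),
    (datetime(2023, 3, 8, 9), 1.0),
]
ACTION_LEVEL = 4.0  # hypothetical threshold above which we act


def snapshot(readings, when_iso):
    """One-time test: the reading in force at `when_iso` and whether it passes.

    Returns (value, passed). Mirrors a 48-hour test kit or a Type 1 audit:
    it can only speak to the moment it was taken.
    """
    when = datetime.fromisoformat(when_iso)
    current = None
    for ts, value in readings:
        if ts > when:
            break
        current = value
    if current is None:
        raise ValueError("no reading on or before %s" % when_iso)
    return current, current <= ACTION_LEVEL


def continuous(readings, action_level=ACTION_LEVEL):
    """Whole-period assessment, as a continuous monitor or a Type 2 audit sees it.

    Each reading is weighted by how long it held. The final reading has no
    following sample, so it contributes no duration. Returns the time-weighted
    mean, the peak, the fraction of the period above the action level, and
    the longest single excursion above it (in days).
    """
    if len(readings) < 2:
        raise ValueError("need at least two readings to form a period")
    total = timedelta()
    above = timedelta()
    weighted_sum = 0.0
    longest = timedelta()
    run = timedelta()
    for (ts, value), (next_ts, _) in zip(readings, readings[1:]):
        held = next_ts - ts
        total += held
        weighted_sum += value * held.total_seconds()
        if value > action_level:
            above += held
            run += held
            longest = max(longest, run)
        else:
            run = timedelta()  # excursion ended; start counting afresh
    return {
        "time_weighted_mean": weighted_sum / total.total_seconds(),
        "peak": max(value for _, value in readings),
        "fraction_above": above / total,
        "longest_excursion_days": longest / timedelta(days=1),
    }


if __name__ == "__main__":
    # The snapshot taken on day 2 says "safe"; the period view disagrees.
    print("snapshot 2023-03-02T12:00:", snapshot(READINGS, "2023-03-02T12:00"))
    print("continuous:", continuous(READINGS))
```

Run it as-is and the day-2 snapshot passes while the period view reports a peak of 7.1, three of seven days above the action level, and a two-day excursion. Swapping in real monitor exports or scan results only requires feeding `continuous()` a list of (timestamp, value) pairs in order.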

How Often Is Often Enough?

As for how often the various processes and systems within your organization need to be monitored, it depends on a number of interrelated factors.

For example, a penetration test, in which a trained human spends a week (or more) attempting to find their way into your network, is very worthwhile. But it’s also expensive and potentially disruptive to your daily operations. Even if you could afford it, you wouldn’t want this happening continuously. What you can run continuously is the automated vulnerability scanning a good tester starts from; it won’t chain findings together the way a human does, but it will notice a newly exposed service the week it appears rather than at next year’s test.

Smoke alarms in your office, on the other hand? Those need to be functioning at all times.

Things to consider in determining monitoring type and frequency… 

Can it be automated?

Humans are a scarce resource. If the task of monitoring requires the time and attention of a person, you’ll need to make some prioritization decisions based on cost. But if automation is possible (e.g., anti-virus protection, endpoint detection and response), and it doesn’t negatively affect performance, you may as well do it continuously. Automation still needs an owner, though: a continuous monitor whose alerts nobody reads is just a one-time test with a bigger log.

What is the rate of change?

If you make a lot of changes to your software, it may be worth doing multiple penetration tests in a single year – each software change has potentially opened up a new vulnerability. Or maybe you made a recent acquisition, suggesting the need for a number of one-time assessments until the newly acquired business becomes acclimated to your processes and standards.

What is the optimal frequency?

You don’t run fire drills every day. They are important, but they are also disruptive. The same thinking applies for things like phishing tests which would quickly exhaust your staff if done all the time.

The goal is to balance the severity of the potential problem with the cost and effort of guarding against it. 


It’s All About Trade-Offs

Occasionally a new client will tell us, during onboarding, that they did some sort of assessment many months ago – a phishing test, penetration test, disaster recovery test – and they now assume the box is checked and they are “all set.”

If only. 

The systems and processes within your organization – not to mention the threats against it from the outside – are never static. Your decisions regarding what to monitor, to what degree, and at what frequency, will always require a trade-off between the risk involved and the associated cost in people, time, and resources.

One more thing. If you are a basement dweller like me, take Marco’s advice to heart and get yourself a continuous radon monitor! 


Rob Black
Rob founded Fractional CISO in 2017 and has helped dozens of mid-size SaaS and technology companies improve their security posture as a vCISO. He consults, speaks, and writes on IoT and security. Rob has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. He received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP).

