Continuous assurance vital in cybersecurity landscape

Continuous identification and prioritisation of vulnerabilities emphasised for effective defence.

Continuous assurance in cybersecurity is becoming increasingly vital because the threat landscape requires a proactive and continuous approach to remain secure, according to Scott Flower, co-founder and director of CI-ISAC.

"The reason it's so important is that the actual threat landscape is changing all of the time," Flower said. He noted that without a continuous assurance program focused on vulnerability identification, organisations are perpetually at risk, constantly "chasing their tails" in an attempt to stay ahead of attackers. 

Traditional penetration testing, when conducted sporadically, fails to offer sufficient protection. "If you've got just pen testing as a once-off activity, the threat actors don't stop between the pen tests," Flower explained. Continuous vulnerability testing and searching, therefore, are key components of a positive, proactive security posture.

When asked about the possibility of optimising testing practices without compromising security, Flower was sceptical about finding a perfect balance. "The mix will change depending on the threat landscape and also the types of products and services technology that your actual business is using," he stated. 

Budget considerations play a critical role in maintaining a continuous assurance strategy. Ensuring that budgets align with the most efficient and effective outcomes is essential, as is the integration of threat intelligence into vulnerability management. 

"Being threat-led... making sure that the prioritisation of the remediation of those vulnerabilities is done in an evidence-based way based on the threat that you're facing," Flower emphasised.

In terms of cost optimisation, cybersecurity leaders continually face pressure to minimise expenses while maximising security effectiveness. Flower advises that decision-making around cybersecurity investments should be informed and threat-led to avoid wasting resources on irrelevant or low-priority risks.

"Your decision-making process around what technologies, what vulnerability assessment, and process you are using for vulnerability management as well, should be threat-led and informed," he said.
