Babysitting. Lately, babysitting has come up regularly at work: babysitting processes, babysitting projects, even babysitting people to make sure they meet their responsibilities. It may seem unglamorous, but it matters a great deal for Continuous Monitoring.
Many of us are old enough to remember when risk management was not the favored paradigm. Several years ago we lived in a risk-avoidance mindset, and it did not work well. We avoided any activity that might introduce risk, and we tried to protect everything. That made security unpopular and expensive, and it made it hard for organizations to accomplish their mission. Part of that mentality was the checklist mindset: once a year (or every three years), we would pull out a checklist to verify that processes were running as intended and our security posture was sound.
An influx of attacks on a variety of systems, including those that support our critical infrastructure, has shifted the tide somewhat. The reality is that cybersecurity practitioners are at "war" with attackers. An adversary needs to find only one way in, while defenders must find and guard against every vulnerability; that asymmetry is why the fight can never be won outright. No organization can be without risk; the goal is to reduce it to a level the organization can accept. A big part of reducing risk is regularly reviewing the security controls and the security posture of the systems being protected.
So we realized we needed a more regular look at security. NIST created the Risk Management Framework (RMF), and we started to look at security in terms of what was really critical to protect, saving organizations money and spending it more effectively. Organizations could meet their mission requirements more efficiently, which is also a win for security personnel, since we would like to stay gainfully employed; if the organization fails, our own livelihood goes with it. We also realized that some of the risk-reduction controls should be "babysat" more often: weekly or monthly, depending on how quickly a control can drift and how much risk it carries, and in many cases certainly more often than once a year.
While this work is unglamorous, and far from the exciting world of cybersecurity we see on television, it is essential to organizational success. Step 6 of the RMF, Monitor (commonly called Continuous Monitoring), is about a continual look at the controls that protect system security. In essence, we have all become babysitters: babysitters for the protections that reduce risk in our systems and devices. Maybe that's a baby worth sitting?