What do teachers and cybersecurity experts have in common? Probably not much unless it’s a computer science course. But when it comes to the concept of an assessment, the IT professionals could learn a few things by hitting the books… the education theory books, that is.
Developing an ironclad cybersecurity program for an organization or enterprise can’t rely on a purely reactive approach. Nor is an occasional assessment sufficient to combat relentless adversaries. A mentality of continuous assessment is critical for protecting complex IT systems and data.
The concept of continuous assessment is not just about finding vulnerabilities in your cyber defenses, it’s been a movement in educational theory as well. And understanding the term from the educational perspective can add value to your cybersecurity program.
In educational theory, continuous assessment is defined as ongoing formative appraisal of student learning. Assessing students continuously stands in contrast to the historical practice of summative, high-stakes, end-of-term assessment. Driven by technological developments and demand for real-time knowledge of student progress, continuous assessment aims to quantify actual knowledge and skill rather than how well a student can cram for an exam.
According to a blog on Toppr, an educational testing company, “This method [continuous assessment] is comprehensive, cumulative, diagnostic, formative, guidance-oriented and systematic in nature.” This description definitely sounds like what one should be aiming for in a robust cybersecurity program as well.
A methodical, diagnostic approach that comprehensively and systematically evaluates a defense program to identify and address vulnerabilities has a clear advantage over the alternative. It requires shifting goals and mindsets, just as a teacher or professor has to strategically move away from one giant final exam to assessing student learning in creative and ongoing ways throughout the term.
While the transition to a new way of thinking about your program and about the daily work of dealing with vulnerabilities can be a mindset shift, the rewards are clear.
Defining some more terms related to assessment from education theory will help explain why occasional assessment isn’t cutting it in education or cybersecurity. Summative assessments happen at the end of learning and are used for grading; formative assessments happen periodically throughout the learning process and are used to track progress and provide feedback.
In cybersecurity, these two assessment models can be loosely equated to high-stakes, periodic engagements to assess security and to a continuous assessment mindset. You could also consider a summative assessment to be a real-world attack, where your defenses are actually being tested by a nefarious adversary. That is too late for low-stakes adjustments: you are either prepared or you aren’t. Formative assessments, on the other hand, can be equated to ongoing assessment and management of your cybersecurity posture—a constant cycle of assessing and addressing vulnerabilities.
The value of a formative approach is clear: continuous low-stakes checks, with the opportunity to address issues as they are found, will provide a stronger overall security posture than occasional outside engagements or audits or, worse yet, discovering your vulnerabilities because you’ve experienced a successful breach of your defenses.
Moving toward a continuous assessment mindset means thinking about why you perform the assessment and matching your goals to a better “how” of doing assessment. Summative assessments, in the form of unwanted attacks by nefarious actors, will certainly happen at some point. Formative—or continuous—assessments will not only help you do well on that kind of high-stakes exam when it comes but will also measure your actual preparedness—because you haven’t been cramming, you’ve been learning and mastering the knowledge all along.
One criticism of the continuous assessment model in education is that it is stressful for students. Opponents claim that students don’t do as well when they feel like the instructor or the integrated technology is always checking their knowledge. In other words, they don’t like being constantly watched during their trial and error learning process.
While this idea of continuous assessment acting as Big Brother may be a negative in a classroom setting, it is a huge advantage in a cybersecurity program. If you think of the student in this scenario as a nefarious actor trying to access your organization’s data, what could be better than a security program that is constantly watching for attempted breaches?
Adopting a continuous assessment mindset means your cybersecurity program is using personnel and technology in tandem to monitor, identify, and address vulnerabilities all the time. Because you’ve put systems in place to have a real-time view of your security posture, large, devastating attacks are less likely to happen. You are applying continuous pressure on bad actors with a proactive, offensive approach rather than a purely defensive stance.
Platforms and tools that help with monitoring and tracking are key here. Automated anomaly detection programs that provide a broad view of possible issues, with each anomaly fed into a risk calculation tool, can make implementing a continuous assessment mentality possible.
While educational theory can provide a helpful framework and terminology for thinking about assessment, cybersecurity experts have also been exploring the issue and creating new models.
The first one to consider is CARTA: continuous adaptive risk and trust assessment. Put forth by Gartner, the CARTA philosophy calls for evaluation of all aspects of a security program on an ongoing basis. It advocates active evaluation not only of your own security program but also of your tools, platforms, and vendors, to create a comprehensive view of the whole security ecosystem. The CARTA model demonstrates that by taking an adaptive approach, you can better allocate limited resources and take advantage of opportunities, because you have a broad view and the tools in place to monitor changes.
Another concept, known as ConMon, Continuous Control Monitoring (CCM), or just Continuous Monitoring (CM), is explained in an Infosec Resources blog. Just like it sounds, CM is another name for the philosophy that having a constant, real-time view of security posture is necessary to mitigate risks in the ever-changing threat climate.
While not a model, per se, Beryllium InfoSec Collaborative touts the importance of always being prepared, even citing their work with an outside expert to apply educationally based models of preparedness to business and InfoSec issues. Sound familiar?
All these organizations agree that occasional audits of cybersecurity defenses aren’t nearly enough. If you aren’t moving to a continuous assessment mindset, your program—and organization—are operating under old-school thinking that isn’t giving you an accurate picture of your security posture.
It’s time to take a lesson from the teachers and evaluate your processes, partners, and tools to create a system that provides a real-time view of security posture where you can continuously identify and mitigate risks.