In testimony before the Oversight and Investigations Subcommittee of the House Financial Services Committee, Alan Paller of the SANS Institute stressed the importance of continuous monitoring, and also argued that it is the more cost-effective approach.
The great shame is that doing security right can cost less than we spend now to do it wrong. The waste was documented by a Senate oversight committee Chairman, who pointed out that billions are being paid to contractors, at a rate of more than $1,000 per page, for millions of pages of useless reports documenting out-of-date and generally less important security problems.
A much better approach is continuous automated monitoring, which means daily monitoring and correction of vulnerabilities in software and other security flaws. This has already been documented by the Office of Management and Budget as massively more effective than out-of-date reports, but agencies just keep paying their contractors to keep producing paper reports.
Attached below is Mr. Paller’s testimony.