In the past, the question of the CISO or the IT department as to whether the existing IT security measures are actually effective or have been configured securely could often only be answered by manual security audits that were costly and had to be carried out recurrently. The request from management to present the current operational IT security situation also usually created unease among those responsible for security, because at best there was only a subjective intuition, as there was no time for a well-founded analysis in the day-to-day operational business.
With the continuous monitoring of IT security (Gartner established the term Continous Controls Monitoring for this) by the Security Lighthouse, however, the security status can be checked at any time. The real-time detection of security-relevant misconfigurations, critical vulnerabilities that have not been closed and much more not only highlights security gaps and acute needs for action. Rather, the operational security level becomes a measurable and controllable variable, so that it can also be analysed and actively controlled in the ISMS in the medium and long term according to the company's risk appetite. The determination of compliance is supported with a differentiated, individually adaptable set of rules. At Ampeg, we call this Security Level Management (SLM).
Security Level Management must be clearly distinguished from the more reactive solutions for Security Information and Event Management (SIEM). The focus of these products is to detect possible security incidents retrospectively by correlating centrally collected log data and to support IT operations in troubleshooting. Security Level Management, on the other hand, proactively detects possible deviations from specifications and security gaps (i.e. before a possible security incident), so that the attack surface can be minimised in time and the problem can be tackled at its root with medium- or long-term corrective measures.
Matthias Helmke, Head of Infrastructure at KWS, draws attention to another point: “If auditors want to check our security level, we can offer them an immediate and incredibly concrete way of doing so. We can also prepare reports quickly for specific target groups. All this dramatically simplifies audits.”