Strong Security Starts with Continuous Monitoring

Get the facts and figures surrounding this best practice.

Continuous monitoring has captured followers in state and local government. Here are some statistics surrounding implementation and perspectives from those who practice it.


"We use continuous monitoring, reporting and alerting for our critical applications at various layers, from presentation to database, as well as for disk memory and CPU utilization. By also incorporating user monitoring, performance anomalies can be detected and resolved prior to customer impact."

— Dan Lohrmann, Chief Security Officer, Michigan


"It used to be acceptable to do security scans two or three times a year, but with advanced persistent threats and recent vulnerabilities, continuous monitoring is crucial. Security is no longer about what you know — it’s about what you don’t know."

— Kurt Plowman, Chief Technology Officer, Staunton, Va.


"Building an effective continuous monitoring strategy involves more than implementing tools that run 24x7 across our environment; it involves a deep understanding of risk, compliance drivers, situational awareness and having the right analytics in place to make the best decisions possible."

— John Matelski, CIO, Gwinnett County, Ga.

By the Numbers

Percentage of organizations that are continuously monitoring systems

SOURCE: “The State of Risk-Based Security Management: United States” (Ponemon Institute, 2012)

10 years

Age of the Federal Information Security Management Act (FISMA) that spawned the practice of continuous monitoring

SOURCE: The E-Government Act of 2002

Percentage of state and local government officials who have adopted cybersecurity control frameworks or methodologies

SOURCE: “The National Preparedness Report” (Federal Emergency Management Agency, 2012)

Estimated number of victims whose health and personal data were hacked from a Utah state website

SOURCE: “Data Breach Expands to Include More Victims” (Utah Department of Health, April 9, 2012)

36 to 72 hours

The frequency at which all PC and server configurations are checked at the U.S. State Department, a leader in continuous monitoring

SOURCE: “FISMA 2.0: Continuous Monitoring” — Case Study Update (State Department, Feb. 14, 2011)

Want to learn more about continuous monitoring? Look up our white paper at

Jul 18 2012