Last week I started a mini-series on automating audits.
This week - how can monitoring help us understand what executives and IT administrators need from audits?
Monitoring - Executive Needs
During my early career, I was fortunate to work with exceptional engineers.
Each had detailed knowledge of their field, and together we built extraordinary technical networks and IT infrastructures.
I knew that. The team knew that.
One day - the boss came around the corner and said - "We need to add in some monitoring."
"Why? It works..."
After some back and forth, the boss had his way, and monitoring was implemented.
A few days later, a shiny, expensive plasma TV was rolled into the office space. A place to display the monitoring dashboard.
At the time - I admit - my eyes rolled.
A needless extravagance. A vanity project that made no sense and did nothing to improve the administration of any of the infrastructures.
I didn't realise that the plasma TV wasn't for the team.
It wasn't even for the boss.
Every so often, we would get executives and partners to come to visit. They received a briefing about the latest activities, and then… they all stood up and walked over to the shiny plasma TV...
"And this is how we do it."
"Oh… I get it now."
The whole point was to allow executives and partners to understand how we did what we did.
A visual representation of "this is how..."
Visually Impressive But Vapid
I have always found monitoring dashboards to be visually impressive but vapid.
They have an abundance of data - shown in pretty, small graphs.
But when a situation bites - dashboards don't provide information.
IT administrators immediately turn to their terminals to query and better understand what is actually happening.
Visual storytelling is critical.
The rise of TikTok, social media in general, and streaming services show that - for many - visuals are more potent than simple words.
But visual storytelling...
- Isn't always true
- Isn't always meaningful
- Doesn't have depth
- Doesn't scale...
Perhaps that's the greatest issue with monitoring - it doesn't scale.
The graphs on the dashboard can be neatly arranged if there are only a few systems to monitor.
But if there are hundreds - or thousands of systems - at best, the graphs are aggregate views.
Or - at worst - a less than 1% sample of reality.
"Tell me what's wrong - so it can be fixed."
"Tell me what's wrong - so it can be fixed." is the mindset at the heart of how we think about continuous auditing.
One's ability to continuously comply with security requirements and avoid configuration drift is eminently achievable for technicians on a daily basis. But, the fixed nature of an annual audit checkbox or report - so executives "Get it now..." - is equally important.
A "continuous" vs "point-in-time" security audit isn't a simple, exclusive, binary choice. Instead, they meet two different needs - one for technicians and one for executives.
Most importantly, continuous security audits can always provide executives with a point-in-time view of security compliance. But the opposite can't be said.