Most critical infrastructure organizations do audit the security of their strategic IT vendors but they do so on an informal and inconsistent basis. They also base their audit process on point-in-time paper-based audit forms (typically issued on an annual basis) rather than any type of real-time analysis. This means that once a vendor actually “passes” a security audit, critical infrastructure organizations have no visibility into their cybersecurity status for a year’s time. This ain’t exactly continuous monitoring.
