Continuous Control Monitoring: The Missing Link in Security Visibility
By Avraham Cohen, CISO Advisor
In today’s threat landscape, “we think we have this control” is no longer good enough.
Controls are either working or they aren’t, and if you're a CISO trying to defend your organization in real time, relying on outdated spreadsheets, static audits, or periodic attestation won’t cut it.
This is where Continuous Control Monitoring (CCM) comes in.
Do you need any help? Contact me directly at avraham.cohen@sdosecurity.com.
What is CCM — and Why Should CISOs Care?
Continuous Control Monitoring automatically and continuously validates that security controls are present, correctly configured, and operating effectively across your environment.
Think of it as near-real-time assurance for your security architecture, with clear, measurable evidence that the basics (and beyond) are in place.
To make CCM actionable, however, each control must be expressed as something a system can evaluate: a defined evidence source (an IdP export, the CMDB, the patch tool, the SIEM), a metric computed over that evidence, a direction (is a higher or a lower percentage better?), and a threshold that turns the number into pass or fail. Missing evidence should surface as its own state rather than being reported as 0% or 100%.
You also need to group those controls meaningfully, and that is where the Cyber Defense Matrix comes into play.
Organizing CCM With the Cyber Defense Matrix
The Cyber Defense Matrix (Sounil Yu) plots the five asset classes (Devices, Applications, Networks, Data, Users) against the five NIST CSF functions; the list below uses the asset-class axis, abbreviated in the table, with "All" for controls that span every class. Note that the rows mix coverage metrics, where a higher percentage is better (MFA enabled, SIEM-monitored), with exposure metrics, where lower is better (inactive users, RDP open), so the target direction has to be set per row.
Control (metric) | Mapped CDM Category | Risk Level |
What is the % of "End of Life" assets in use? | Users, Devices | High |
What is the % of "End of Support" assets in use? | Users, Devices | High |
What is the % of "End of Security Support" assets in use? | Users, Devices | High |
What is the % of production deployments (last 90 days) with a linked backlog item or incident, for in-house development/configuration? | Apps, Network | Medium |
What is the % of production deployments (last 90 days) where all code changes in the release were peer reviewed and approved? | Apps, Network | High |
What is the % of repositories where "Everyone with access to the repository has write access" is enabled for the main branch? | Apps, Network | High |
What is the % of repositories where "Deleting this branch is not allowed" is disabled for the main branch? | Apps, Network | Medium |
What is the % of repositories where "Rewriting branch history is not allowed" is disabled for the main branch? | Apps, Network | Medium |
What is the % of repositories where "Check for at least two approvals from default reviewers" is enforced for the main branch? | Apps, Network | High |
What is the % of repositories where "Reset requested changes when the source branch is modified" is disabled for the main branch? | Apps, Network | Medium |
What is the % of servers without outbound monitoring? | Devices, Apps, Network | High |
What is the % of internet-facing resources without DDoS protection? | Apps | Medium |
What is the % of instances that are accessible from the internet? | Devices, Apps, Network | High |
What is the % of applications with more than two administrators? | Users | Medium |
What is the % of users inactive for more than 30 days? | Users | High |
What is the % of external users with high-privilege access? | Users | High |
What is the % of users with MFA enabled? | Users | High |
What is the % of high-privileged users required to use MFA? | Users | High |
What is the % of users with MFA enabled that use phishing-resistant MFA? | Users | High |
What is the % of users required to use MFA? | Users | High |
What is the % of users with access to key vaults? | Users | High |
What is the % of users with access to the PAM solution? | Users | High |
What is the % of sensitive business applications with local user accounts? | Users | High |
What is the % of users who have not rotated their password in the last 90 days? | Users | High |
What is the % of business applications not using SSO? | Users | High |
What is the % of business applications not enforcing strong password complexity? | Users | High |
What is the % of non-personal (service) accounts? | Users | Medium |
What is the % of non-personal accounts with high-privilege access? | Users | Medium |
What is the % of non-personal accounts with multiple roles? | Users | Medium |
What is the % of non-personal account requests without a documented justification? | Users | Medium |
What is the % of employee accounts not present in the HR system? | Users | High |
What is the % of cloud subscriptions not deployed across multiple zones/regions? | Apps | Medium |
What is the % of servers that require a patch? | Devices, Apps, Network | Medium |
What is the % of servers with an overdue pending patch? | Devices, Apps, Network | High |
What is the % of external connections without a web application firewall? | Devices, Apps, Network | High |
What is the % of firewalls running in blocking (not monitor-only) mode? | Devices, Apps, Network | High |
What is the % of servers with the RDP port open? | Devices, Apps, Network | High |
What is the % of servers with the SSH port open? | Devices, Apps, Network | High |
What is the % of managed devices without an EDR solution? | Devices, Apps, Network | Medium |
What is the % of devices not enrolled in device management? | Devices, Apps, Network | High |
What is the % of managed devices without disk encryption? | Devices, Apps, Network | High |
What is the % of managed devices without removable-media blocking enabled? | Devices, Apps, Network | High |
What is the % of managed devices with outdated operating systems? | Devices, Apps, Network | High |
What is the % of managed devices with pending security patches? | Devices, Apps, Network | High |
What is the % of managed devices with known vulnerabilities? | Devices, Apps, Network | Medium |
What is the % of managed devices without a host firewall enabled? | Devices, Apps, Network | High |
What is the % of managed devices whose users hold local admin rights? | Devices, Apps, Network | High |
What is the % of unmanaged devices that can connect to the network (physical/wireless/VPN)? | Devices, Apps, Network | High |
What is the % of remote sessions not behind a VPN? | Devices, Apps, Network | Medium |
What is the % of employees who had phishing awareness training in the last 12 months? | Users, Devices | High |
What is the % of employees who had password security training in the last 12 months? | Users, Devices | High |
What is the % of employees who had social engineering training in the last 12 months? | Users, Devices | High |
What is the % of employees who had safe web browsing training in the last 12 months? | Users, Devices | Medium |
What is the % of employees who had mobile device security training in the last 12 months? | Users, Devices | Medium |
What is the % of employees who had ransomware awareness training in the last 12 months? | Users, Devices | Medium |
What is the % of employees who had incident reporting training in the last 12 months? | Users, Devices | Low |
What is the % of employees who had insider threat training in the last 12 months? | Users, Devices | Medium |
What is the % of engineers who had secure coding training in the last 12 months? | Users, Devices | High |
What is the % of servers monitored by a SIEM solution? | All | Medium |
What is the % of alerts in the last 90 days rated critical/high? | All | Medium |
What is the % of servers scanned by a vulnerability scanner? | Devices, Apps, Network | High |
What is the % of servers not scanned in the last 7 days? | Devices, Apps, Network | High |
What is the % of vulnerabilities not remediated within the defined SLA? | Devices, Apps, Network | High |
What is the % of internet-facing resources with a high-profile vulnerability? | Devices, Apps, Network | High |
What is the % of repositories with secrets found in the application source code? | Devices, Apps, Network | High |
What is the % of cloud subscriptions without a CIS benchmark assessment? | Devices, Apps, Network | High |
What is the % of cloud subscriptions with less than 80% CIS benchmark compliance? | Devices, Apps, Network | Critical |
What is the % of VPN login logs sent to the SIEM? | All | High |
What is the % of applications using a secrets vault for secret management? | Devices, Apps, Network | Medium |
What is the % of critical business systems with a verified backup in place? | Apps | Medium |
What is the % of corporate accounts monitored for credential leaks on the dark web? | Apps | High |
What is the % of sensitive data access limited to approved individuals? | Data | High |
What is the % of sensitive data stores with access logging enabled? | Data | High |
What is the % of managed devices sending logs to the SIEM? | All | High |
What is the % of devices with at least one non-default compliance policy assigned? | Devices, Apps, Network | Medium |
What is the % of email systems with anti-spam and anti-phishing controls enabled? | Devices, Apps, Network | Medium |
What is the % of inbound emails scanned for malware in attachments and links? | Devices, Apps, Network | Medium |
What is the % of email domains correctly configured with SPF, DKIM, and DMARC? | Devices, Apps, Network | Medium |
What is the % of high-risk accounts protected by a PAM solution? | Users | High |
What is the % of systems with immutable backups enabled and tested? | Apps | High |
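The table is only useful once each row is something a pipeline can compute on a schedule. The block below is an added example, not code from the article or from any product: it encodes a handful of the rows above as controls with an evidence source, a direction and a threshold, evaluates them over constructed sample data (the users, servers, devices and data stores, their field names, and every threshold are invented for illustration), treats an empty evidence feed as "no evidence" rather than a silent 0% or 100%, and rolls the results up per Cyber Defense Matrix asset class.

```python
"""Added example, not code from the original article: a minimal CCM evaluator
that computes a few of the metrics from the table above over constructed
sample evidence and rolls the results up per Cyber Defense Matrix category.
All records, field names and thresholds are invented for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable

TODAY = date(2024, 6, 1)  # fixed "now" so the results are reproducible

# Constructed evidence, shaped like an IdP export, a CMDB/patch-tool export,
# an endpoint-management feed and a data-inventory export.
EVIDENCE = {
    "users": [
        {"id": "alice", "mfa": "fido2", "last_login": TODAY - timedelta(days=3), "privileged": True},
        {"id": "bob", "mfa": "sms", "last_login": TODAY - timedelta(days=45), "privileged": False},
        {"id": "carol", "mfa": None, "last_login": TODAY - timedelta(days=10), "privileged": True},
        {"id": "dave", "mfa": "totp", "last_login": TODAY - timedelta(days=1), "privileged": False},
    ],
    "servers": [
        {"host": "web-01", "patch_due": TODAY - timedelta(days=5), "patched": False, "last_scan": TODAY - timedelta(days=2)},
        {"host": "db-01", "patch_due": TODAY + timedelta(days=10), "patched": False, "last_scan": TODAY - timedelta(days=1)},
        {"host": "app-01", "patch_due": None, "patched": True, "last_scan": TODAY - timedelta(days=3)},
    ],
    "devices": [],  # no endpoint-management feed connected yet: deliberately empty
    "datastores": [
        {"name": "crm-db", "sensitive": True, "access_logging": True},
        {"name": "hr-files", "sensitive": True, "access_logging": True},
        {"name": "wiki", "sensitive": False, "access_logging": False},
    ],
}

PHISHING_RESISTANT = {"fido2", "passkey", "certificate"}


@dataclass(frozen=True)
class Control:
    name: str
    cdm: tuple[str, ...]                 # Cyber Defense Matrix asset classes
    risk: str                            # risk level from the table
    source: str                          # key into EVIDENCE
    population: Callable[[dict], bool]   # records the metric is computed over
    numerator: Callable[[dict], bool]    # records that satisfy the condition
    higher_is_better: bool               # direction: 100% MFA is good, 100% inactive is bad
    threshold: float                     # pass/fail boundary, in percent


CONTROLS = [
    Control("% of users with MFA enabled", ("Users",), "High", "users",
            lambda u: True, lambda u: u["mfa"] is not None, True, 100.0),
    Control("% of users with MFA enabled that use phishing-resistant MFA", ("Users",), "High", "users",
            lambda u: u["mfa"] is not None, lambda u: u["mfa"] in PHISHING_RESISTANT, True, 90.0),
    Control("% of inactive users for more than 30 days", ("Users",), "High", "users",
            lambda u: True, lambda u: (TODAY - u["last_login"]).days > 30, False, 5.0),
    Control("% of servers that have an overdue pending patch", ("Devices", "Apps", "Network"), "High", "servers",
            lambda s: True,
            lambda s: s["patch_due"] is not None and s["patch_due"] < TODAY and not s["patched"], False, 0.0),
    Control("% of servers not scanned in the last 7 days", ("Devices", "Apps", "Network"), "High", "servers",
            lambda s: True, lambda s: (TODAY - s["last_scan"]).days > 7, False, 0.0),
    Control("% of managed devices without disk encryption", ("Devices", "Apps", "Network"), "High", "devices",
            lambda d: True, lambda d: not d.get("disk_encrypted", False), False, 0.0),
    Control("% of sensitive data stores with access logging enabled", ("Data",), "High", "datastores",
            lambda d: d["sensitive"], lambda d: d["access_logging"], True, 100.0),
]


def percent(records: list[dict], control: Control):
    """Metric as a percentage, or None when the population is empty: an empty
    feed is missing evidence and must surface as its own state."""
    pop = [r for r in records if control.population(r)]
    if not pop:
        return None
    hits = sum(1 for r in pop if control.numerator(r))
    return round(100.0 * hits / len(pop), 1)


def status(value, control: Control) -> str:
    if value is None:
        return "NO_EVIDENCE"
    ok = value >= control.threshold if control.higher_is_better else value <= control.threshold
    return "PASS" if ok else "FAIL"


def evaluate(controls=CONTROLS, evidence=EVIDENCE) -> dict:
    """Run every control against its evidence feed: name -> (value, status)."""
    results = {}
    for c in controls:
        value = percent(evidence[c.source], c)
        results[c.name] = (value, status(value, c))
    return results


def rollup_by_cdm(results: dict, controls=CONTROLS) -> dict:
    """Worst status per CDM asset class, the view a CISO would show a board."""
    rank = {"PASS": 0, "NO_EVIDENCE": 1, "FAIL": 2}
    by_name = {c.name: c for c in controls}
    worst: dict = {}
    for name, (_, st) in results.items():
        for cat in by_name[name].cdm:
            worst[cat] = max(worst.get(cat, "PASS"), st, key=rank.__getitem__)
    return worst


if __name__ == "__main__":
    res = evaluate()
    for name, (value, st) in res.items():
        print(f"{st:12} {'n/a' if value is None else f'{value}%':>7}  {name}")
    print(rollup_by_cdm(res))
```

Two design points carry over to a real deployment: the direction and threshold live with the control definition, not in the dashboard, so every consumer of the number reads it the same way; and the empty "devices" feed comes back as NO_EVIDENCE, which is the state a broken connector should produce instead of a reassuring 0% of unencrypted devices.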
Final Words for the CISO
As a CISO, your mandate isn't just to deploy controls, it's to ensure they work continuously everywhere.
CCM bridges the gap between security intention and execution, and when structured through the Cyber Defense Matrix, you gain:
Clear visibility across functions and assets
A way to prioritize based on real risk and control gaps
A living maturity model you can explain to your board
You don’t need perfection, but you do need evidence.
Security isn’t static, and your assurance model shouldn’t be either.