Advanced targeted threats are continuing to evolve and at the same time trends like cloud and Bring Your Own Device are driving faster and faster change to IT systems. Occasional penetration tests, annual audits and quarterly vulnerability scans are no longer even close to sufficient to protect the business. Not only is more continuous monitoring necessary to maintain a due diligence level of security, it is increasingly a requirement of compliance regimes such as the Payment Card Industry, FISMA and others. However, continuous monitoring only increases security if the right things are monitored and if the monitoring is used to drive continuous improvement in security defenses. As the old saying goes; \You can't manage it if you can't measure it, but just measuring it doesn't manage it, either." Choosing the most effective security controls to monitor is key, and the Critical Security Controls initiative is proving to be a force multiplier for organizations looking to implement effective, efficient continuous management processes. Come hear SANS experts Tony Sager and John Pescatore detail the status and future of the Critical Security Controls and describe strategies and What Works in using the controls as the basis for a Continuous Monitoring program. ""