Cyber breaches are causing business executives all across organizations to take note. CISOs are getting questions from senior management, the Board of Directors, auditors, regulators, business leaders, and IT personnel. Responding to these questions often consumes far too many resources and distracts the security organization from their primary mission: actually ensuring security and compliance!\nRapid response to questions requires near real-time security posture data\nTypically, they just want to know: How secure are we? What are our risks? What are our exposures? Are we exposed to this particular vulnerability in the news?\nWith data in so many places, responding to these questions is much more challenging than one might think. Higher level trend and summary data can only be produced when all of the underlying detailed data is centralized and normalized. Without it, just determining how many servers might be vulnerable to a new exploit can take broad organizational cooperation and significant manual effort. Or if a particular vulnerability exists, knowing what the remediation status is across all impacted systems can be elusive. The bottom line is the CISO needs to have detailed near real-time security posture data, even if the request is general in nature.\nConsecutive scanning is not good enough\nSo where do you start? The foundation for effective security metrics is the maintenance of a current inventory of IT assets, both hardware and software. (e.g. servers, workstations, mobile devices, network, storage, virtual, and cloud infrastructure, etc.). Based on the IT asset inventory results, the security organization should know how each asset is configured. Configuration settings are critical to knowing which controls are in place or not in place, and to determining an organization\u2019s baseline security posture.\nEven more important, a security organization needs to know what vulnerabilities exist and whether there are known exploits for those vulnerabilities, and to track patching status by asset type and asset criticality. The notion of scanning assets for configuration errors and vulnerabilities every three months or even monthly is no longer sufficient in today\u2019s cyber security environment. Even starting one scan when the one before it completes is not enough. Some vendors call this \u201ccontinuous scanning\u201d but it is really just \u201cconsecutive scanning.\u201d That can leave an exploitable vulnerability or misconfiguration active for hours or days\u2014an eternity when the typical breach happens in seconds or minutes!\nTruly continuous network monitoring is a requirement today\nEvery security organization needs to see everything all the time; to know all IT assets that exist, to know how they are configured, to know which assets are vulnerable and actually exploitable, and to monitor the entire IT environment for new IT assets and unusual activity. This is only possible with truly continuous network monitoring. To learn more about what truly \u201ccontinuous network monitoring\u201d is, read this eBook by Steve Piper: The Definitive Guide to Continuous Network Monitoring.