We put together a scorecard, a security-metrics scorecard. It includes tracking the percentage of our systems that are under management. The way we define that is basically from a central location, the number of systems that I can view and observe their current risk and security status within a 48-hour period.
Other metrics include the percentage of critical or high vulnerabilities per every host. We are also looking at the number of successful malware infections and the number of computers that we have to reimage because of that. That number should really go down.
Those are our outcomes-based measures. We have other input-based measure we are looking at, too. They include number of hours per staff activity. The idea is the more we get things under control, the less time our staff should be spending on reactive-type issues. We should have a much less running around, putting out fires in the day.
The other thing is mean time to resolve an incident. We are looking for that to go down significantly as well.