“At its core, the most basic way to measure your effectiveness is to measure the date of vulnerability detection to the date of mitigation. If that number is moving to the right, you are losing the battle. If that number is staying about the same, you are at least treading water. And if it’s moving to the left, you’re doing the right things,’ Chirhart said. ‘But at the end of the day, to move the mark to the left, you need the resources, tools, processes, funding and political support to make time for mitigation.”
Source: Experts debate effects of government cybersecurity executive order