GOAL OR METRIC: Have "Secure Always 24/7/365" Strategy
RATIONALE: The volume and sophistication of threats are increasing exponentially, meaning there is much greater risk in every part of an IT infrastructure: access, identities, data, remote devices, servers, and the list goes on. The most efficient organizations address security using an "always on" and global approach. This often means dedicating IT staff to this task or, as is most often the case, hiring a firm that specializes in this kind of thing.
POTENTIAL RESULTS: No disruptive security breaches means avoiding uncontrollable costs to fix the problem and nobody gets fired.
An element of this strategy that is overlooked is the same one that comes up when hiring a firm to supply guards for physical security. If the goal is to say that you have bodies to fill the slots for 24 x 7 x 365 instead of well-qualified individuals, then the fact that you have coverage 24 x 7 x 365 will give you a false sense of security.
You must hire 6 full-time employees to cover this at a minimum. You then have 1 primary and 1 alternate for each of the 8-hour shifts. If you do not have alternates, then you go uncovered when the primary is sick or on vacation, etc.