The Chief Information Security Officer (CISO) has outlined a five-year plan for the company that includes the following:
• Implement an application security program.
• Reduce the click rate on phishing simulations from 73% to 8%.
• Deploy EDR to all workstations and servers.
• Ensure all systems are sending logs to the SIEM.
• Reduce the percentage of systems with vulnerabilities from 89% to 5%.
Which of the following would BEST aid the CISO in determining whether these goals are obtainable?