The Hardest Part of Vulnerability Management Isn't Finding Vulnerabilities
June 26, 2026
Over the years, I've inherited multiple vulnerability management programs across global organizations. One thing has been consistent every time: finding vulnerabilities has never been the problem.
Today's tools are exceptionally good at identifying missing patches, insecure configurations, exposed services, and software flaws. Most organizations already know they have thousands, sometimes millions of findings. The challenge is deciding what actually matters and getting the business to act.
Early in my career, our success was measured by the number of vulnerabilities remediated and patch compliance percentages. Those metrics looked great on executive dashboards but rarely reflected actual risk reduction. We were spending valuable engineering cycles fixing low-impact findings while critical internet-facing assets waited because they belonged to another business unit or required operational downtime.
That experience fundamentally changed how I approached vulnerability management.
The most mature programs I've led shifted the conversation from vulnerabilities to risk. Instead of asking, "How many critical vulnerabilities remain?" we asked, "Which vulnerabilities create the greatest business exposure today?" Asset criticality, exploitability, internet exposure, compensating controls, and business impact became just as important as the CVSS score. Adopting a risk-based prioritization platform — in my case Vulcan Cyber (Tenable), which I found through Sagetap — helped operationalize that shift.
Equally important was governance. Vulnerability management isn't owned by the security team — it requires partnership with infrastructure, application owners, cloud engineering, and business leadership. Security identifies the risk; the organization collectively reduces it.
Technology continues to improve, and AI will undoubtedly accelerate prioritization. But the organizations that consistently reduce cyber risk aren't the ones with the best scanners. They're the ones that have built accountability, risk-based decision making, and executive ownership into the process.
In my experience, vulnerability management stops being a technical exercise the moment you stop measuring how many vulnerabilities you found and start measuring how much risk you've actually removed.
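The two shifts described above, ranking findings by contextual risk rather than CVSS alone and measuring remediation as risk removed rather than findings closed, are concrete enough to show in code. The script below is an added illustration, not code from this post and not the Vulcan Cyber or Tenable product; the weights, the 1-5 criticality scale and the four sample findings are constructed assumptions chosen to show how a CVSS 9.8 on an isolated, low-value host can rank below a CVSS 7.5 on an internet-facing, business-critical asset with a public exploit.

```python
"""Risk-based prioritization and a risk-removed metric (illustrative only).

Scores each finding by the factors named in the post (asset criticality,
exploitability, internet exposure, compensating controls) alongside its
CVSS base score, ranks the backlog both ways, and reports remediation
as the share of total contextual risk removed. Weights are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss: float                 # CVSS base score, 0.0-10.0
    exploit_available: bool     # public exploit or observed exploitation
    internet_facing: bool       # reachable from the internet
    asset_criticality: int      # assumed scale: 1 (low) .. 5 (business critical)
    compensating_control: bool  # e.g. network isolation or a blocking rule already in place


# Assumed multipliers; a real program would tune these against its own incident data.
EXPOSURE_INTERNAL = 0.5      # internal-only assets carry half the exposure
EXPLOIT_UNKNOWN = 0.6        # no known exploit reduces, but does not erase, the risk
CONTROL_PRESENT = 0.5        # a compensating control halves the residual risk


def risk_score(f: Finding) -> float:
    """Contextual risk on a 0-100 scale (assumed formula, multiplicative factors)."""
    base = f.cvss / 10.0
    criticality = f.asset_criticality / 5.0
    exposure = 1.0 if f.internet_facing else EXPOSURE_INTERNAL
    exploit = 1.0 if f.exploit_available else EXPLOIT_UNKNOWN
    control = CONTROL_PRESENT if f.compensating_control else 1.0
    return round(100 * base * criticality * exposure * exploit * control, 1)


def ranked_ids(findings: list[Finding]) -> list[str]:
    """Finding IDs ordered by contextual risk, highest first."""
    return [f.finding_id for f in sorted(findings, key=risk_score, reverse=True)]


def cvss_ranked_ids(findings: list[Finding]) -> list[str]:
    """Finding IDs ordered by CVSS alone, for comparison with ranked_ids()."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def risk_removed(findings: list[Finding], remediated: set[str]) -> tuple[float, float]:
    """Return (risk points removed, percent of total backlog risk removed)."""
    total = sum(risk_score(f) for f in findings)
    removed = sum(risk_score(f) for f in findings if f.finding_id in remediated)
    return round(removed, 1), round(100 * removed / total, 1)


# Constructed sample backlog (hypothetical assets and findings).
SAMPLE_FINDINGS = [
    Finding("F-1", "lab-build-host", 9.8, False, False, 2, False),
    Finding("F-2", "customer-portal", 7.5, True, True, 5, False),
    Finding("F-3", "payments-api", 9.1, True, True, 5, True),
    Finding("F-4", "marketing-site", 5.3, True, True, 4, False),
]


if __name__ == "__main__":
    print("CVSS-only order:      ", cvss_ranked_ids(SAMPLE_FINDINGS))
    print("Contextual risk order:", ranked_ids(SAMPLE_FINDINGS))
    for f in SAMPLE_FINDINGS:
        print(f"  {f.finding_id} {f.asset:16} cvss={f.cvss:4} risk={risk_score(f)}")
    # Same "1 of 4 closed" by count, very different risk reduction.
    for fixed in ({"F-1"}, {"F-2"}):
        pts, pct = risk_removed(SAMPLE_FINDINGS, fixed)
        print(f"Remediating {sorted(fixed)}: {pts} risk points removed ({pct}% of backlog)")
```

Closing F-1 (the top finding by CVSS) and closing F-2 (the top finding by contextual risk) both count as one of four findings fixed, which is exactly the kind of patch-count metric that looks good on a dashboard; the risk-removed figure separates them.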