Vulnerability Management has been a disaster for the last 20 years in IT. It's IT's problem, it's security's problem, but in the end everyone suffers when we do it poorly. While there has been a glut of tools for finding vulnerabilities, that's only the very top of the iceberg. The entire lifecycle (identification, triage, mitigation, and reporting) is broken and needs to be rethought for modern IT and risk thinking. This talk addresses each stage of the Vulnerability Management lifecycle and draws upon 20+ years of experience advising, building, and operating vulnerability management programs across various market verticals and organization types to draw conclusions and suggest ways to address, if not outright fix, some of the badly broken parts. If you're still scanning, dumping to a spreadsheet, emailing people, and hoping things get fixed, you need to listen to this talk.