In today’s cyber landscape, threats evolve faster than most organizations’ ability to respond. From zero-day exploits to Ransomware as a Service, attackers do not waste time. But inside many companies, vulnerability management (VM) still moves at a crawl.
Investments in tools and strategies continue to rise – but so do unresolved vulnerabilities, because what is broken is not the detection, it is the follow-through.
Vulnerability Management (VM) should be at the heart of every cyber defense strategy. The stakes are high: the average cost of a data breach has now surged to €4.46 million globally, according to the IBM Cost of a Data Breach Report 2024.
Regulatory pressure is only intensifying, driven by the EU’s NIS2 Directive, the Cybersecurity Act, CRA, DSA, GDPR, HIPAA, and PCI DSS. Robust VM is no longer optional – it is foundational.
Yet even with expert consultancies engaged and leading tools in place, organizations still struggle. Why? Because great advice cannot fix a broken culture, unclear ownership, or a lack of accountability.
Vulnerability management is a business imperative – not just compliance
VM is not just about ticking regulatory boxes – it is a business-critical capability:
- Downtime costs – IT downtime costs about €8,300 per minute. VM helps prevent disruptions before they escalate.
- Avoiding fines – Non-compliance with GDPR and others can cost up to €10 million or 2% of global turnover.
- Reputation and trust – 65% of consumers lose trust after a breach (Ponemon Institute). VM protects both data and brand.
Attackers move fast – often within hours of vulnerability discovery (CrowdStrike). With complex legacy environments and shadow IT growing, traditional scans just aren’t enough. The shift to continuous, real-time VM is now essential.
How legacy systems derail your VM efforts
Legacy systems are often the most vulnerable and least prioritized. Teams assume that they will be retired ‘soon’, but delays keep them alive – and risky.
What initially starts as temporary becomes long-term exposure. The result:
- SLA breaches mount.
- Confidence in VM reporting drops.
- Known vulnerabilities remain unresolved.
Unpatched, untracked, and unmanaged, legacy systems silently increase the organization’s risk profile.
Solution: Treat legacy systems as active risks, not future retirements. Build realistic de-risking roadmaps, ensure executive ownership, and resist the urge to defer action. Establish clear deadlines and accountability for phasing out or isolating these systems.
Organizational misalignment kills progress
The legacy system problem we explored earlier is often a symptom of a deeper issue: organizational misalignment.
Consider a typical example:
- Security teams run scans.
- Infrastructure teams patch.
- Application teams ‘own’ the systems.
But no one owns the end-to-end risk, so nothing moves.
Fragmented responsibility turns known vulnerabilities into long-term liabilities. Risk data is generated – but rarely actioned. Security goals are outpaced by business priorities.
Solution: Shift to a shared accountability model. Appoint end-to-end owners. Tie remediation timelines to business KPIs. Ensure that leadership sees the risk – and the delay.
From strategy to action: bridging the gap
Even with expert guidance, many organizations still struggle to bridge the gap between planning and execution. Why?
We saw this firsthand at a financial services client:
They had the tools. They had the strategy. They had external support. Still, VM progress stalled.
Here is what we observed:
- Siloed teams created remediation bottlenecks.
- No one had the authority to drive cross-team decisions.
- Security priorities were routinely deprioritized.
- Legacy processes blocked agility.
- Exception requests buried the real problems.
The result? A cycle of delay and frustration. Vulnerabilities were identified but never fixed. Year after year, the backlog grew – and so did the risk.
And they are not alone. According to Gartner (2023), 43% of security leaders cite fragmented ownership as a top reason why their vulnerability management efforts fail – even in well-funded programs.
The issue isn’t tooling or budget – it is internal structure and culture. Some organizations embed VM in their DNA. Others stay stuck in delay loops.
Real-world breaches prove the point
The cost of inaction is no longer theoretical:
- Ivanti Connect Secure VPN vulnerability (February 2025): Delayed recognition and patching of a critical vulnerability led to exploitation.
- Change Healthcare ransomware attack (2024): Ransomware disrupted services nationwide. Root causes? Fragmented vendor access and identity management.
These incidents underscore a critical truth: Tools alone will not solve the problem. Without clear ownership and strategy, even well-known flaws turn into full-blown crises.
Why VM strategies fail
Strong frameworks fail when culture is not ready for change.
Leaders often overestimate execution capability. Strategic roadmaps sit idle, and operating models remain on paper.
We have seen this pattern repeatedly at KPMG: the true blockers are not technical – they are cultural:
- Misaligned priorities
- Internal politics
- Resistance to change
Sometimes, the solution is focus – cutting noise and prioritizing what matters. Other times, it is about real transformation: new roles, new governance, new behaviours.
Detection isn’t the issue – execution is
Solution: Focus on translating strategy into execution. Work with advisors who understand both the tech and the politics. Break through the blockers.
How KPMG helps you break through
KPMG’s approach goes beyond tooling and templates. We help you tackle the internal dynamics that stall progress:
- Engaging all levels – Aligning exec sponsors and ops teams for long-term success.
- Mapping maturity – Setting realistic baselines and fit-for-purpose models.
- Strategic planning – Ensuring VM is properly scoped, budgeted, and aligned with business goals.
- Cross-functional integration – Bridging Security, IT, and Business for shared ownership.
- Tracking progress – Measuring remediation to show real impact.
We have helped global clients shift from scanning to solving. Let us help you do the same.
Final thoughts
Effective VM is not about more tools or assessments – it is about leadership, ownership, clarity, and follow-through.
Until strategy becomes execution, your business remains exposed.
To close the gap, VM must be embedded in your operating culture – with shared accountability and continuous improvement.
Move from knowing the problem – to fixing it.
Let’s talk
What is really blocking your VM program? Assess your VM processes today. Identify the blockers. Build a culture that owns remediation – not just reporting.