
One of the most dangerous risks organizations face isn’t insecure code; it’s a broken process.
Earlier this year, Verizon reported that vulnerability exploitation had overtaken phishing as the number-two intrusion point after credential abuse. With AI, the pace and severity of exploits are only increasing. Google Cloud and Mandiant recently noted that AI is allowing adversaries to “identify, chain, and weaponize weaknesses faster than traditional vulnerability management programs were designed to respond.” The direction is clear, and the cost — in breach expenses, disruption and declining customer trust — continues to climb.
What’s frustrating is that many of these breaches are preventable. The patches and tools for remediation exist. What’s broken is the process. Organizations have structured responsibility for identifying and remediating vulnerabilities across siloed teams with misaligned incentives. Until we fix that, the numbers will keep moving in the wrong direction.
The standard process is that security teams find vulnerabilities and IT teams patch them. But those teams report to different leaders and are measured on different outcomes. Nobody owns the gap between discovery and remediation, so nobody is accountable for closing it.
Change the owner
The security industry has long talked about closing the gap between security and IT, but incremental improvements aren’t enough. There needs to be a clearer division of ownership. IT should own the entire patch management lifecycle — not just the deployment of patches, but the identification and prioritization of what needs to be patched. That means giving IT the budget and tooling to do that work and measuring them on the outcomes.
This isn’t about sidelining the security team. Security’s role in vulnerability management remains essential: validating remediation, setting policy, managing the broader risk picture. But the operational work of identifying and prioritizing patches shouldn’t wait for a monthly security report. The CISO should still set the policy: which vulnerability types are critical, what the remediation SLAs are, and what constitutes acceptable risk. They also retain an auditing role over IT’s performance. What changes is who does the operational work. Security sets the rules, and IT executes against them and is measured accordingly.
We should also change the focus of what is measured. Most security programs track total vulnerabilities found, a metric that reflects security team activity but says little about risk reduction. The metric that matters is mean time to remediation, because in a world of five-day exploit windows, speed is the main variable we can control. If IT owns the patch, IT should own that KPI.
CISOs should still be accountable for risk and security strategy, but not for a remediation gap they don’t control.
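To make the KPI concrete, here is an added example (not from the original article) of how the split described above can be measured: security sets the per-severity remediation SLAs, IT's tracker supplies the discovery and remediation dates, and the report shows mean time to remediation per severity plus the open findings already past their SLA. The SLA values and vulnerability records are constructed for illustration.

```python
from datetime import datetime
from statistics import mean

# Remediation SLAs by severity, in days. This is the policy security owns
# (hypothetical values, constructed for the example).
SLA_DAYS = {"critical": 5, "high": 14, "medium": 30}

# Constructed records as IT's tracker might export them:
# (id, severity, discovered, remediated-or-None), dates as ISO strings.
RECORDS = [
    ("V-1", "critical", "2024-03-01", "2024-03-04"),
    ("V-2", "critical", "2024-03-02", "2024-03-12"),
    ("V-3", "high",     "2024-03-01", "2024-03-10"),
    ("V-4", "medium",   "2024-02-01", None),
    ("V-5", "critical", "2024-03-10", None),
]

def _days(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).days

def mttr_by_severity(records):
    """Mean time to remediation (days) per severity, over closed findings only."""
    closed = {}
    for _, sev, found, fixed in records:
        if fixed is not None:
            closed.setdefault(sev, []).append(_days(found, fixed))
    return {sev: mean(days) for sev, days in closed.items()}

def sla_report(records, sla_days, as_of):
    """Count closed findings inside/outside their SLA and list open findings
    already past SLA as of `as_of`: the discovery-to-remediation gap nobody owns."""
    within = breached = 0
    overdue_open = []
    for vid, sev, found, fixed in records:
        limit = sla_days[sev]
        if fixed is None:
            if _days(found, as_of) > limit:
                overdue_open.append(vid)
        elif _days(found, fixed) <= limit:
            within += 1
        else:
            breached += 1
    return {"within_sla": within, "breached": breached, "overdue_open": overdue_open}

if __name__ == "__main__":
    print(mttr_by_severity(RECORDS))
    print(sla_report(RECORDS, SLA_DAYS, "2024-03-15"))
```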
Where AI fits in
This structural shift is particularly timely because of AI. Until now, IT teams haven’t had the bandwidth to become security experts or the time to track which vulnerabilities pose the greatest risk and which to act on first. With the rise of AI, that expertise is embedded in the tooling.
Modern patch management platforms can ingest vulnerability feeds, cross-reference them against a specific environment, and prioritize a queue. Continuous scanning replaces periodic reporting, and intelligent prioritization puts the highest-risk patches at the top of the queue automatically. Patch confidence scoring helps IT assess deployment risk before acting, reducing the hesitation that often delays patching in production environments.
The result is that IT teams can stay ahead of the vulnerability curve proactively, rather than reacting to a security handoff. When security comes in to validate, the operational work is already underway, shortening the window of exposure that attackers currently exploit.
The organizational chart is the vulnerability
The conversation in most boardrooms right now is about AI strategy and risk mitigation. Restructuring responsibilities between IT and security doesn’t demote the role of CISOs; it recognizes what they control. Security owns strategy, risk, and the broader vulnerability management function. IT owns the patch with the budget, tooling, and KPIs to match. The organizations that close the exploit gap won’t necessarily be the ones with the biggest security budgets. They’ll be the ones that fixed the process.
