DON'T shortchange remediation. Surprisingly, organizations will perform vulnerability scans, or hire someone to conduct a scan, get a report and then not follow through. They may cherry-pick one or two critical items and neglect the rest. The result is that the organization has spent time and money without doing much for its security.
"Some organizations stop at detection as an end point," says Chenxi Wang, a principal Forrester analyst. "That tells you where you are, but doesn't do much for your risk posture."