Multiple breaches, including the massive 2017 data breach at the credit reporting agency Equifax, have been traced back to unpatched vulnerabilities—a 2019 Tripwire study found that 27% of all breaches were caused by unpatched vulnerabilities, while a 2018 Ponemon study put the number at a jaw-dropping 60%.

That shouldn't surprise anyone in the security space: The number of vulnerabilities identified each year has gone up annually for the past several years.

At the same time security teams have been stretched thin as they've been extra busy enabling secure remote work and addressing other pandemic-related needs all while dealing with a staffing crunch. As a result, improving the vulnerability management program is not always a top priority.

Yet veteran security chiefs say they see common mistakes and missteps that can and should be addressed to strengthen these programs. Here are 10 mistakes they say CISOs still frequently make:

1. Failing to get executive backing

The work required for a good vulnerability management program extends well beyond the security team. Risk decisions require executive input, patching takes IT expertise, and scheduled downtime for updates impacts multiple business functions.

Consequently, CISOs need buy-in from multiple players in the organization to do this task well, and they're more likely to get that buy-in when they have support for those efforts from the senior-most leaders within the enterprise, says Michael Gray, CTO of managed services provider Thrive.

On the other hand, CISOs who lack executive-level support for their vulnerability management efforts can be stymied by a lack of clarity on acceptable risk and pushback from IT and business units on scheduling patching and system downtime.

But here's some good news: Gray and others say CISOs are increasingly finding that executive support they need, as cybersecurity has become a board-level concern.
Figures from analyst firm Gartner confirm the trend, with its 2021 directors survey finding that 88% of boards now view cybersecurity as a business risk.

2. Not fostering a sense of shared responsibility

"CISOs shoulder the responsibility or the risk for VM [vulnerability management]: They should not," says Alex Attumalil, CISO for Under Armour.

CISOs don't own the systems or the business functions they support, nor do they have the authority to solely determine whether the organization is comfortable accepting any particular risk.

"We're not authorized to accept risk on behalf of the company. So you must bubble up the information," he says. That requires communicating risk to other enterprise leaders, framing vulnerability management in terms of business risk and "enabling them to be part of the solution. They need to know they're accountable for the vulnerabilities their systems are introducing."

Attumalil says this approach gives enterprise executives beyond the CISO "a stake in the game," a move that builds more support and collaboration when it comes to vulnerability management work such as scheduling system downtime for patching.

3. Using generic risk prioritization

One recent study, conducted by Pulse for security vendor Vulcan Cyber, showed that the vast majority of the 200-plus responding enterprise IT and security executives don't prioritize vulnerabilities based on their organization's own unique risk profiles. More specifically, the study revealed that 86% rely on third-party vulnerability severity data to prioritize vulnerabilities, with 70% also using third-party threat intelligence.

Veteran security leaders warn against that approach, saying it could have CISOs and their teams focusing limited resources on the wrong threats.

Kyle Lai, president and CISO of KLC Consulting, which provides cybersecurity advice and vCISO services for U.S. defense contractors, recommends a different approach.
He says CISOs and their teams must understand the organization's own technology environment and have an up-to-date asset inventory, and they must understand the organization's risk appetite and risk tolerance, so they can identify the biggest threats to their own enterprise and prioritize addressing those.

"They should have a good understanding of how big an impact a particular threat might have; they should know which ones are more serious. They should be prioritizing based on the impact to their own organization," he says.

4. Skimping on training

Lexmark International CISO Bryan Willett recognizes that the skills for patching Linux systems vary from those needed to patch Windows, and those skills differ from those required to execute other tasks within his vulnerability management program.

Moreover, he says, the knowledge his security workers need for vulnerability management is different from the know-how IT workers require to do the patching in the actual systems.

"So I want those teams to get the training they need to take on their responsibilities," he says.

But security leaders say not all organizations are committed to providing the ongoing education that employees need to deliver world-class security and, more specifically, a robust vulnerability management function. Experts say organizations sometimes underestimate the amount of specialization vulnerability management tasks require, or they overlook the need for workers to be trained on the specific systems or tools used within their own enterprise.

"The thing everybody needs to remember is that employees want to do the right thing, but we have to invest in them to be able to do the right thing," Willett adds.

5. Failing to track code

Research from the Linux Foundation shows that a growing number of organizations are using a software bill of materials (SBOM) to better understand all the code they have within their systems.
More specifically, the report indicates that 47% are producing or consuming SBOMs and 78% of organizations expect to produce or consume SBOMs in 2022 (up from 66% in 2021).

Although the figures show an increase in the use of SBOMs, they still indicate that a good number of organizations could be falling short in knowing all the code they have in their IT environment. And that lack of visibility limits their ability to know if they have vulnerabilities that need to be addressed, Lai says.

"You have to know what code and what open source components you have, so when something like Log4J comes out, you know all the places it exists," he says.

6. Postponing upgrades

Although vulnerability management is a never-ending task, it could be built into a more effective program by addressing technical debt, says Joe Nocera, leader of the Cyber & Privacy Innovation Institute at professional services firm PwC.

As Nocera explains: "The more I can retire legacy versions or consolidate on a standard stack, the less I have to manage in terms of vulnerabilities. That's why I think that simplification and consolidation is the best force multiplier you can get."

Nocera acknowledges that retiring legacy systems and addressing technical debt does not, of course, eliminate vulnerabilities.
But getting rid of legacy systems does remove some work, and it can rid the enterprise of systems that are no longer able to be patched—thereby reducing risk.

And by getting rid of those issues, security teams along with their IT counterparts can shift their focus to addressing the remaining priorities—making the program much more effective and impactful, he says.

Despite the benefits of this approach, a good number of organizations haven't made this a priority: The 2022 Endpoint Management and Security Trends Report from Action1 Corp., maker of a remote monitoring and management cloud platform, found that only 34% of respondents plan to focus on "eliminating risky legacy software that they have replaced with cloud alternatives."

7. Ignoring news about emerging threats

The first warnings about new vulnerabilities or emerging threats often come through brief bulletins that lack a lot of details. Despite the limited information that accompanies such early reports, Lai says security teams should not dismiss their importance. In fact, he says, it's critical to track news and headlines from various security sources to know what's on the horizon.

"You want to pay attention to what's coming out. They might not offer any details, but this type of intelligence helps you better prepare," he says. "You can start working or planning."

8. Reacting to every new threat

On the other hand, Erik Nost, a senior analyst at Forrester Research, warns CISOs against reacting to breaking news without first assessing whether and to what degree it could impact their own organizations.

"A lot of CISOs are still learning how to deal with zero days and the vulnerabilities that make news headlines, which is increasing in frequency," he says.
"Sorting through what's news sensationalism and what vulnerabilities are an actual threat to their organization is a challenge, but asking teams to prioritize remediating everything that hits their inbox or the CEO sees in news headlines is not the right approach."

Nost points to a recent analysis from Cornell University showing that APTs (advanced persistent threats) are more likely to exploit known vulnerabilities than zero days. So, Nost says, "CISOs should also take into account threat actors and consider if APTs are likely to target their organizations."

He says security teams should consider active exploits as "a better prioritization factor to consider versus what the media is talking about."

"Teams are pressed for time. If they're playing whack-a-mole on every vulnerability that shows up on Twitter, then they're not actively assessing risk that's specific for their organization, against their acceptable risk appetite, and remediating the vulnerability that is the biggest threat," Nost adds. "And if there is a zero day or vulnerability that makes news headlines, you may still need to take action, so your teams should have procedures on how to assess the threat. Just remember to stick to the established playbook, risk appetite, and threat analysis procedures."

9. Relying on outdated information

The Gartner directors survey not only showed that most boards now view cybersecurity as a risk, it also found that a majority (57%) have increased or expect to increase their risk appetite during the 2021-2022 time period. At the same time, the number of newly identified vulnerabilities found annually continues to grow year over year.
And the typical enterprise's IT environment continuously evolves.

Taken together, these points illustrate the need for CISOs to develop processes to revisit and review their calculus for prioritizing vulnerability mitigations and remediation, experts say.

"Too often companies aren't great about managing the lifecycle of vulnerabilities," Gray says. "It's always growing, it's always changing, and it's something that needs to be constantly paid attention to."

10. Not embedding security into development

Nocera says not enough organizations are embedding security and secure design principles into the development process, leading to a missed opportunity for CISOs and CIOs to together build a more robust vulnerability management program for their organizations.

Bringing security earlier into the development process—or "shifting left"—lets CISOs get ahead of security problems before code gets into production, Nocera says. "So you're not introducing known vulnerabilities into the environment."

Shifting left won't necessarily cut back on the amount of vulnerability management work, Nocera says, but—like eliminating legacy systems and technical debt—it does free up resources so teams can optimize their vulnerability management efforts.
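The prioritization argument of items 3 and 8 (rank by impact on your own assets and by active exploitation, not by third-party severity alone), combined with item 5's point about knowing where a component lives, as an added Python example that is not part of the original article. The asset inventory, the SBOM component lists, the placeholder CVE ids and the scoring weights are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    criticality: int        # 1 (low) .. 5 (crown jewel), from the asset inventory
    internet_facing: bool
    components: dict        # package -> installed version, from the asset's SBOM


@dataclass
class Finding:
    cve: str                # placeholder ids below, not real advisories
    package: str
    affected_versions: set  # versions the advisory lists as vulnerable
    cvss: float             # third-party severity: the generic starting point
    actively_exploited: bool  # e.g. appears in a known-exploited catalogue


def affected_assets(finding, assets):
    """SBOM lookup: every asset whose inventory ships a vulnerable version."""
    return [a for a in assets
            if a.components.get(finding.package) in finding.affected_versions]


def risk_score(finding, asset):
    """Weight generic severity by own exposure and by active exploitation."""
    score = finding.cvss * asset.criticality      # impact on this organisation
    if asset.internet_facing:
        score *= 1.5                              # reachable by outside attackers
    if finding.actively_exploited:
        score *= 2                                # attackers are using it now
    return round(score, 1)


def prioritize(findings, assets):
    """(score, cve, asset) triples, highest organisation-specific risk first."""
    ranked = [(risk_score(f, a), f.cve, a.name)
              for f in findings for a in affected_assets(f, assets)]
    return sorted(ranked, reverse=True)


# Constructed inventory and findings (hypothetical assets, versions and CVE ids).
ASSETS = [
    Asset("payments-api", 5, True, {"log4j-core": "2.14.1", "openssl": "1.1.1k"}),
    Asset("hr-intranet", 2, False, {"log4j-core": "2.14.1"}),
    Asset("build-server", 3, False, {"openssl": "1.1.1k"}),
]
FINDINGS = [
    Finding("CVE-EXAMPLE-0001", "log4j-core", {"2.14.1"}, 10.0, True),
    Finding("CVE-EXAMPLE-0002", "openssl", {"1.1.1k"}, 9.8, False),
]

for score, cve, asset in prioritize(FINDINGS, ASSETS):
    print(f"{score:6.1f}  {cve}  {asset}")
```

Note that the non-exploited openssl finding on the crown-jewel asset outranks the actively exploited log4j finding on the internal intranet host, an ordering a CVSS-only sort would never produce.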