Security organizations must rethink their vulnerability management programs. They need to monitor complex, dynamic computing environments, and respond in minutes or hours when issues are discovered—not days or weeks. They need to address weaknesses in people as well as technology. Also, security professionals must be able to think like attackers in order to understand which vulnerabilities pose the greatest risks to the enterprise.