Lots of organizations have a vulnerability management program. After all, compliance standards such as ISO 27001 require it. So, we can all rest assured that deploying SIMs and sticking an official sounding title on a former network engineer should take care of that little checkmark, right? Well, of course not. Many organizations go through the expense of establishing a formal vulnerability management program, considering it a cost of doing business. What if you could have a vulnerability management program that actually is effective *and* saves money?! This presentation describes how to plan and tune your vulnerability management program to maximize the return on your investment. Carole Fennelly is an information security professional with over 25 years of hands-on experience in the information security field. She is the author of numerous articles for IT World, SunWorld and Information Security Magazine, as well as a frequent speaker at the Black Hat Briefings. Ms. Fennelly is presently the Director of Content and Documentation for Tenable Network Security.