A vulnerability management process defines how to detect, assess, and mitigate or remediate vulnerabilities in a system.
Without a well-defined vulnerability management process, vulnerabilities can go undetected, or be detected but not mitigated or remediated in a timely manner.
There should be a well-defined vulnerability management plan that sets out the processes for scanning, assessing and determining risk, prioritizing mitigations and remediations, and carrying out the mitigation or remediation. This should include regular vulnerability scanning, and monitoring of threat intelligence that is matched against a software inventory to determine whether the organization is exposed. When a vulnerability is detected, the risk associated with it should be determined. This assessment should take into account existing mitigations, what is exposed, the potential cost in dollars, reputation, and relationships, and other factors, in order to prioritize the next steps. Remediation or mitigation plans should then be established, prioritized, and scheduled. If the risk is already mitigated by other factors, or the cost of a breach is below the cost of fixing the vulnerability, it may be acceptable to accept the risk and not remediate it, but this should be a last resort.
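The following is an added example, not part of the original text, showing one way the steps above fit together in code: advisories from a threat-intelligence feed are matched against a software inventory by component and version, each finding is scored using the factors the process names (severity, exposure, existing mitigations), a remediation deadline is assigned by score, and risk acceptance is recommended only as the last resort the text describes. The advisory IDs, component names, versions, cost figures, weights and SLA windows are all constructed assumptions for illustration.

```python
"""Added example (not from the original page): match advisories against a
software inventory and produce a prioritized remediation plan.
All identifiers, versions, costs and weights below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Component:
    name: str
    version: str
    internet_exposed: bool                           # reachable from untrusted networks?
    mitigations: list = field(default_factory=list)  # compensating controls, e.g. ["waf"]


@dataclass
class Advisory:
    advisory_id: str        # placeholder ID, not a real CVE
    component: str
    fixed_in: str           # first version that carries the fix
    severity: float         # 0-10, as the advisory source scores it
    exploited_in_wild: bool


def parse_version(v):
    """Dotted numeric versions only (assumption kept simple for the example)."""
    return tuple(int(p) for p in v.split("."))


def is_affected(component, advisory):
    """Inventory matching: same component, and installed version older than the fix."""
    return (component.name == advisory.component
            and parse_version(component.version) < parse_version(advisory.fixed_in))


def risk_score(component, advisory):
    """Combine severity with exposure and existing mitigations.
    Multipliers are assumptions for illustration, not a standard."""
    score = advisory.severity
    if component.internet_exposed:
        score *= 1.5
    if advisory.exploited_in_wild:
        score *= 1.5
    score *= 0.5 ** len(component.mitigations)  # each compensating control halves the score
    return round(min(score, 10.0), 2)


def sla_days(score):
    """Remediation window by score; the tiers are an assumed policy."""
    if score >= 9:
        return 7
    if score >= 7:
        return 30
    if score >= 4:
        return 90
    return 180


def plan_remediation(inventory, advisories, today, fix_cost, breach_cost):
    """Return findings sorted by descending risk. 'accept' is recommended only when the
    residual score is low (risk mitigated by other factors) AND the expected loss is
    below the fix cost, i.e. risk acceptance stays a last resort."""
    findings = []
    for comp in inventory:
        for adv in advisories:
            if not is_affected(comp, adv):
                continue
            score = risk_score(comp, adv)
            expected_loss = breach_cost.get(comp.name, 0) * score / 10
            accept = score < 4 and expected_loss < fix_cost.get(comp.name, 0)
            findings.append({
                "advisory": adv.advisory_id,
                "component": f"{comp.name} {comp.version}",
                "score": score,
                "action": "accept" if accept else "remediate",
                # for 'accept' this is the date the decision should be reviewed
                "due": (today + timedelta(days=sla_days(score))).isoformat(),
            })
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


# Constructed sample inventory and advisory feed.
INVENTORY = [
    Component("webapp", "2.3.1", internet_exposed=True, mitigations=["waf"]),
    Component("webapp", "2.4.0", internet_exposed=True),      # already on the fixed version
    Component("batchjob", "1.0.0", internet_exposed=False),
]
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "webapp", "2.4.0", severity=9.8, exploited_in_wild=True),
    Advisory("ADV-EXAMPLE-0002", "batchjob", "1.1.0", severity=3.0, exploited_in_wild=False),
]
FIX_COST = {"webapp": 20_000, "batchjob": 50_000}        # assumed engineering cost to patch
BREACH_COST = {"webapp": 500_000, "batchjob": 10_000}    # assumed loss if exploited

if __name__ == "__main__":
    for f in plan_remediation(INVENTORY, ADVISORIES, date(2024, 1, 1), FIX_COST, BREACH_COST):
        print(f)
```

Running the block lists the exposed, actively exploited web component first with a seven-day deadline, and recommends accepting (with a review date) only the low-severity, unexposed batch job whose expected loss is below its fix cost; the component already on the fixed version produces no finding.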