The Red Team / Pentest Team just handed our CISO a report that says the network is a 'Shooting Gallery'. Sure, we test, just like everyone else. We use internal or 3rd party pentest / red teams to evaluate our security controls and policies in an effort to reduce the risk exposure, and the results are always the same. This discussion will shine the light on one of the often overlooked critical processes in a mature vulnerability management program: looking past individual findings to discover root causes and address the true systemic problems that make the enterprise network a perennial shooting gallery.