Security controls can be grouped loosely into three broad areas: management, operational, and technical. IT must have a comprehensive, risk-based approach to managing security. This approach must include strong supporting policies, some form of regular scanning for validation, and ongoing control enhancements to fix identified weaknesses. IT must also perform even deeper tests, including full-scale penetration testing, to minimize the false positives and reduce duplicate efforts. The main weapon in IT's unending struggle to stay ahead of the bad guys isn't the hottest new security system.
Source: https://www.darkreading.com/analytics/when-vulnerability-management-meets-compliance

