The structure and composition of an IT or compliance organization can have a significant impact on the effectiveness of vulnerability management (VM). It is important to understand the relationship between the business stakeholders and the managers of underlying IT assets. It is this relationship that should reflect the adage that IT exists to support the business. If you can get the support of the business, then IT will be driven to support a VM program and comply with supporting policy. To put it more simply, VM must be a business priority. Otherwise, it is not worth doing.