Changes are never easy and smooth. Any kind of change within an organization typically requires extensive planning, scoping, budgeting, and a series of approvals. Implementing a complete vulnerability management program in an organization with no prior security experience can be very challenging. There would be obvious resistance from many of the business units and questions asked against the sustainability of the program. The vulnerability management program can never be successful unless it is deeply induced within the organization's culture. Like any other major change, this could be achieved using two different approaches, as described in the following sections.

The bottom-up approach is where the ground-level staff initiate action to implement the new initiative. Speaking in the context of the vulnerability management program, the action flow in a bottom-up approach would look something similar to the following:

1. A junior team member of the system administrator team identifies some vulnerability in one of the systems
2. He reports it to his supervisor and uses a freeware tool to scan other systems for similar vulnerabilities
3. He consolidates all the vulnerabilities found and reports them to his supervisor
4. The supervisor then reports the vulnerabilities to higher management
5. The higher management is busy with other activities and therefore fails to prioritize the vulnerability remediation
6. The supervisor of the system administrator team tries to fix a few of the vulnerabilities with the help of the limited resources he has
7. A set of systems is still lying vulnerable as no one is much interested in fixing them

What we can notice in the preceding scenario is that all the activities were unplanned and ad hoc. The junior team member was doing a vulnerability assessment on his own initiative without much support from higher management. Such an approach would never succeed in the longer run.

Unlike the bottom-up approach, where the activities are initiated by the ground-level staff, the top-down approach works much better as it is initiated, directed, and governed by the top management. For implementing a vulnerability management program using a top-down approach, the action flow would look like the following:

1. The top management decides to implement a vulnerability management program
2. The management calculates the ROI and checks the feasibility
3. The management then prepares a policy procedure guideline and a standard for the vulnerability management program
4. The management allocates a budget and resources for the implementation and monitoring of the program

5. The mid-management and the ground-level staff then follow the policy and procedure to implement the program
6. The program is monitored and metrics are shared with top management

The top-down approach for implementing a vulnerability management program as stated in the preceding scenario has a much higher probability of success since it's initiated and driven by top management.