The 90-Day RBVM Rhythm: How High Performers Keep Momentum

Risk Management · RBVM
3/25/2026
Kudelski Security Team

Most vulnerability programmes do not lose momentum in one dramatic moment.

They lose it slowly.

A new critical issue lands. A business priority shifts. A patch cycle slips. A team gets pulled into incident response. The queue grows, the standards blur, and before long, the programme is back where it started: busy, reactive, and hard to measure.

That is why high-performing teams do not rely solely on urgency. They rely on rhythm.

In risk-based vulnerability management, momentum comes from a simple truth: if the programme is not reviewed, adjusted, and tested regularly, it will drift. A 90-day cycle is often the right answer. It is short enough to keep attention. Long enough to deliver real change. And structured enough to show whether exposure is actually falling.

Why Programmes Stall

Most teams do not stall because they lack effort. They stall because the work never settles into a repeatable operating model.

A long list of findings is not the same as a plan. If priorities change every week, if owners are unclear, or if closure does not require evidence, the programme becomes a stream of activity without a clear sense of progress.

That is not a theoretical problem. In 2024, the Change Healthcare cyberattack disrupted claims and pharmacy services across the United States, delaying prescriptions and payments and placing operational strain on teams beyond the security team. AP reported that providers across the country were affected, with delays to paychecks, prescriptions, and hospital discharges.

The lesson is simple. When exposure management lacks discipline, the consequences spread quickly.

Why 90 Days Works

A year is too long to wait for proof that the programme is moving in the right direction. By then, priorities have changed, the environment has shifted, and the organisation is left trying to explain too much at once.

Ninety days forces clarity.

It gives teams a fixed period to choose a small number of improvements, execute them properly, validate outcomes, and show what changed. It creates a natural review point without turning the programme into a constant reset.

This matters because cyber risk does not wait politely for the annual review. Reuters reported in June 2024 that the Synnovis ransomware incident had a significant impact on services at some of London’s busiest hospitals. That kind of disruption makes one thing clear: when exposures turn into incidents, the business feels it immediately.

A 90-day rhythm helps teams stay ahead of that pressure by making improvement continuous rather than occasional.

The Four Parts of the 90-Day Rhythm

The structure does not need to be complex. In most organisations, four stages are enough.

1) Plan

Start the quarter by choosing a small number of moves that will reduce exposure, not just generate activity.

That might mean improving how critical assets are identified. It might mean raising the priority of vulnerabilities known to be exploited in the wild. It might mean tightening service levels for internet-facing systems or improving validation before closure.

The point is to be selective. A strong quarter does not try to fix everything. It picks two or three changes that will improve the rest of the programme.

This is also where the baseline gets set. Choose a small set of measures, such as time at risk for critical services, remediation time for actively exploited issues, validation rate, or exception rate with expiry dates. These give the quarter a clear starting point.

2) Run

This is where most programmes either build momentum or lose it.

Work needs to flow through the systems teams already use. Owners need to know what is expected of them. Priorities need to remain stable enough to allow progress to happen.

A weekly operational check-in is often enough. It does not need to be long. The purpose is to review blockers, confirm priorities still make sense, and keep the queue honest.

This stage matters because the work itself is rarely the only challenge. Handoffs, change windows, ownership gaps, and unclear fix paths can slow everything down. A steady weekly rhythm stops those issues from sitting unresolved for a month.

3) Validate

This is where many programmes overestimate their progress.

Work is only complete when there is evidence that the exposure has dropped. That might be a clean re-scan, a targeted re-test, or confirmation that a compensating control is now in place and working.

Without validation, the quarter can look productive without actually becoming safer. With validation, the programme earns trust because “done” means something real.

4) Show

At the end of the quarter, leadership does not need a wall of charts. It needs a clear answer to three questions.

What changed?
Did exposure go down where it mattered most?
What happens next?

A good quarterly readout is short. It shows the baseline, the current position, the most important improvement, and the next moves for the coming cycle.

That is how momentum becomes visible. Not as a claim, but as a trend.

What High Performers Do Differently

The strongest RBVM teams do not just work harder. They work in a way that compounds.

They keep the queue smaller by adding context to prioritisation. Critical services, internet exposure, and live exploitation signals shape the order of work.

They make ownership explicit. Work does not sit between teams waiting for someone to decide who should act.

They build validation into closure. Progress is not measured by status changes alone.

And they make the quarter mean something. Each cycle has a purpose, a baseline, and an outcome.

This is what separates movement from momentum.

It is also what makes the programme more resilient when disruption hits. Reuters reported that the Synnovis attack led to the postponement of procedures and wider service disruptions. The Financial Times later reported that the costs linked to the incident far exceeded the company’s profits. That is the business case for cadence in one line: if exposure is not being reduced steadily, the cost of drift can become very visible, very quickly.

Common Reasons the Rhythm Breaks Down

Even well-designed programmes can lose their shape. The usual reasons are familiar.

Too much scope. Too many priorities. No clear rules for what moves to the top. Closure without validation. Exceptions that never expire. Reporting that focuses on totals instead of direction.

These are not just process flaws. They are momentum killers.

The answer is usually not more complexity. It’s more clarity.

Reduce the number of quarterly goals. Tighten the definition of done. Use fewer metrics. Keep the weekly review short and practical. Treat the end of the quarter as a checkpoint, not a ceremony.

How to Start

If your programme feels stuck, do not start by redesigning everything.

Start with one quarter.

Pick one clear scope, such as internet-facing critical systems or a small set of crown jewel services. Choose two or three improvements that will change outcomes. Set a baseline. Review progress every week. Validate before closure. Report the trend at the end.

That is enough to create traction.

Over time, that rhythm does more than keep the backlog moving. It improves prioritisation quality, strengthens ownership, and gives leadership something they rarely get from vulnerability management: a clear, repeatable view of progress.

That is what high performers protect. Not just speed, but momentum.

Download the RBVM eBook

If you want a clearer view of what good RBVM looks like, download Podium-Ready RBVM: What Good Looks Like and How to Get There.

It covers the full operating model, a simple benchmark checklist, and a practical 90-day approach to reducing exposure and proving progress.
