Initial phase

Imagine that you have just been assigned as the systems owner and application owner for a business unit in your organization. You want to do the right thing and ensure that the systems and applications you are in charge of are properly secured. The security team has just handed you a report for the 15 servers you are responsible for, and it lists over 500 items to be addressed. A week goes by and you have fixed about 100 vulnerabilities; then another report arrives for the same 15 servers with another 50 items to be addressed. That is two steps closer to being done and one step back with the new vulnerabilities. As time goes by, additional servers and applications are commissioned and a few are decommissioned. Vulnerabilities now come at you in a steady stream of reports. Automated patching and scheduling help, but it is a never-ending cycle of fixing things as they arrive.

This is the initial phase of reporting, and it is information overload with no prioritization for remediation. The vulnerabilities being reported are simply items to be addressed, with no meaning attached beyond the fact that they need to be fixed. Again, by reporting on everything, you are really reporting on nothing.

As a systems owner, I want information to come down to me in a way that lets me understand why I am patching in the first place. That starts with identifying and classifying the applications and systems by their impact to the business, from highest to lowest.
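To make the classification concrete, here is an added example (not code from the book) that weights each reported finding by the business-impact tier of the asset it sits on and by whether the asset is exposed to the internet. The host names, tiers, check names and scores are constructed for illustration; in practice the tiers come from the classification exercise the text describes, and the scanner output would be parsed from the real report.

```python
"""Risk-based prioritization of a vulnerability report (added example, not from the book)."""
from dataclasses import dataclass

# Hypothetical business-impact tiers for the systems this owner is responsible for.
# These names and tiers are constructed; real ones come from the classification
# exercise described in the text.
ASSET_IMPACT = {
    "billing-db-01": 3,   # high impact: revenue-critical
    "web-portal-02": 3,   # high impact: customer-facing
    "intranet-wiki": 2,   # medium impact
    "dev-jenkins": 1,     # low impact: non-production
}


@dataclass(frozen=True)
class Finding:
    asset: str
    plugin: str          # scanner check name (constructed)
    cvss: float          # base score, 0.0 to 10.0
    internet_facing: bool


def priority(f: Finding, impact: dict = ASSET_IMPACT) -> float:
    """Weight raw severity by business impact and exposure.

    An asset missing from the classification gets the highest tier: an
    unclassified system is exactly the gap that classification is meant to
    close, so its findings must not be buried.
    """
    tier = impact.get(f.asset, 3)
    exposure = 1.5 if f.internet_facing else 1.0
    return round(f.cvss * tier * exposure, 1)


def prioritize(findings: list[Finding], impact: dict = ASSET_IMPACT) -> list[tuple[float, Finding]]:
    """Return (score, finding) pairs ordered from highest to lowest priority."""
    scored = [(priority(f, impact), f) for f in findings]
    return sorted(scored, key=lambda s: (-s[0], s[1].asset, s[1].plugin))


# Constructed sample of what a scanner report might list for these hosts.
SAMPLE_REPORT = [
    Finding("dev-jenkins", "Outdated OpenSSH", 9.8, False),
    Finding("billing-db-01", "Missing DB patch", 7.5, False),
    Finding("web-portal-02", "TLS 1.0 enabled", 6.0, True),
    Finding("intranet-wiki", "XSS in search", 6.1, False),
    Finding("unknown-host-7", "Default credentials", 8.0, False),
]

if __name__ == "__main__":
    for score, f in prioritize(SAMPLE_REPORT):
        print(f"{score:5.1f}  {f.asset:16} {f.plugin}")
```

Run as-is, the CVSS 9.8 finding on the non-production build server drops to the bottom of the list, while a medium-severity TLS issue on the customer-facing portal and a default-credential finding on an unclassified host rise to the top. That reordering is the "why am I patching this" that a raw list of 500 items never conveys.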
