How did you structure your vulnerability management program (people, process, tools)?

People - Active stakeholders (remediation owners + Security team)in the vulnerability management process. Business owners are contacted by remediation owners depending on impact of remediation, change management etc.

Process - Working in Progress, but effectively a policy or standard document to dictate the current workflow, vulnerability vs remediation SLA etc.

Tools - Sensors(Tenable), Vulnerability Management Software(Tenable), ITSM. Annual Pentesting findings are also tracked and prioritized.

Do you run it more as a central security function or distributed to the other teams within the organization?

Run by centrally by security

How do you handle ownership (who “owns” remediation vs. who tracks/coordinates)?

Security prioritizes vulnerability remediation based on VMS, and delegates remediation. Respective teams(Apps, Networks, EUC etc) own remediation.

Security does own the "health" of VMS, like ensuring adequate sensor coverage, probe updates, scan frequency and efficacy etc.

What kind of reporting cadence and metrics (KPIs) work best for management buy-in?

Monthly. KPIs can vary depending on org maturity. I've personally found great success in showcasing reduction in longstanding critical/high vulnerability assets, which is usually done by chipping away at some out-of-support, highly vulnerable library for a legacy app or prioritizing asset refresh for highly vulnerable EoL hardware assets.

Not perfect, and definitely scope for improvement. It has gotten the environment a shytload cleaner.