How a vulnerability management program can help identify cyber risks