Also, make sure that credentials for authenticated scanning are tightly secured, either through the vendor's own technology or a good privileged identity management vault product.
Vulnerability management as a service can save money on capital expenditure, management overhead and headcount.
In addition, consider bringing in consultants or service providers, at least periodically, to complement your internal scanning. Using a disinterested outsider protects against any in-house biases or self-protecting omissions from reports.
DO insist on usable reporting. This applies at a number of levels. At the highest levels, of course, you want trending and overall status reports for management. At a security level, the vulnerability management tool should provide information on the severity of the flaw, based on standards such as the Common Vulnerabilities and Exposures (CVE) list or the Common Vulnerability Scoring System (CVSS), and weighted by the value the organization places on the asset. The reporting should tell you what is vulnerable, how it is vulnerable and how high the risk is. Operational reports for those charged with remediation should be straightforward and task-oriented.
Patching and configuration change is usually going to be performed by network operations personnel and systems administrators. They are not security professionals, so the report and instructions should be described in terms of patches and configuration changes, not vulnerabilities.
Audit reports should clearly demonstrate that the vulnerability or configuration error was detected, the risk was assessed, a ticket was opened, the ticket was closed after the issue was remediated, and the remediation was validated by a final scan.
Finally, the reports should be able to repurpose the same data for different uses: reports for different parts of the organization and types of audience, reports for different sets of regulations, and so on.
"In the old days you ran a new scan for every report," says Gary Davis, senior group manager for risk and compliance at McAfee, "but what you want is a scan-once-report-many model that disassociates scanning from reporting."
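One way to structure the scan-once-report-many model described above, as an added example in Python that is not from the article or from any vendor's product: a single set of findings (constructed sample data with placeholder identifiers, and an assumed asset-value table) yields a management summary, an asset-weighted operational task list phrased as patches and configuration changes, and an audit view of each finding's lifecycle.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical): relative value of each asset, used to weight CVSS scores.
ASSET_VALUE = {"db-prod-01": 3.0, "web-prod-02": 2.0, "dev-box-07": 1.0}

# Assumed remediation lifecycle, in order; an audit report should show every stage was reached.
STAGES = ["detected", "ticketed", "closed", "validated"]


@dataclass
class Finding:
    finding_id: str  # placeholder identifier, not a real CVE number
    host: str
    cvss: float      # CVSS base score as reported by the scanner, 0.0 to 10.0
    fix: str         # remediation phrased as a patch or configuration change for ops staff
    status: str      # one of STAGES


# One scan's findings (constructed); every report below is derived from this same list.
FINDINGS = [
    Finding("F-1", "db-prod-01", 9.8, "apply vendor database patch", "ticketed"),
    Finding("F-2", "web-prod-02", 7.5, "disable TLS 1.0 in web server config", "validated"),
    Finding("F-3", "dev-box-07", 9.1, "apply OS kernel update", "detected"),
    Finding("F-4", "web-prod-02", 5.3, "remove default admin account", "closed"),
]


def weighted_risk(f: Finding) -> float:
    """CVSS base score weighted by the value the organization places on the asset."""
    return round(f.cvss * ASSET_VALUE.get(f.host, 1.0), 1)


def management_summary(findings):
    """Status view for management: totals, unresolved count and the highest outstanding weighted risk."""
    unresolved = [f for f in findings if f.status != "validated"]
    return {"total": len(findings), "unresolved": len(unresolved),
            "top_risk": max((weighted_risk(f) for f in unresolved), default=0.0)}


def operational_report(findings):
    """Task list for sysadmins: host and fix only, highest weighted risk first, finished work omitted."""
    todo = [f for f in findings if f.status in ("detected", "ticketed")]
    todo.sort(key=weighted_risk, reverse=True)
    return [(f.host, f.fix) for f in todo]


def audit_trail(findings):
    """Audit view: the lifecycle stages each finding has passed through so far."""
    return {f.finding_id: STAGES[: STAGES.index(f.status) + 1] for f in findings}
```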