To most effectively manage vulnerabilities, you need to think like the attacker: how would you go about doing damage, exfiltrating valuable information and making money? What are the key assets in your network that you would target? How would you get to these assets?