What is the biggest missing piece from most companies’ security posture?

765 views1 Upvote6 Comments

VP - Head of Information Technology in Software, 1,001 - 5,000 employees
For me, patch management on the laptop feed is still missing—it's still a glaring problem. How do you do it in a way that doesn't piss the user off? How do you avoid the phone call from the sales guy who tells you, "Hey, my computer rebooted in the middle of a presentation to a client"? 

Laptops are still the biggest surface area to attack in a business, and it's harder than hell to fix. In Maslow's hierarchy of IT, at the bottom is the expectation that things work. Patch management is a part of things working, which is not what gets you any credit or funding. The most basic principle—patchwork systems—is still one of the hardest things to do, and it's broken everywhere. It's a headache and you get no credit even if you fix it. You could make it the best thing in the world and get nothing. 

It's funny that we used to call laptops fixed assets because there's nothing fixed about them. They're all over the world, roaming around constantly. There's thousands of them. If I have to touch a laptop to fix it, I'm screwed because I have thousands of them, and during COVID, they're everywhere. I've been in this business 22 years. There have been server patching companies and containerization, etc., which have made patching a lot easier in terms of Kubernetes and doing things to scale, but the user-facing hardware is still in its infancy. This has been our problem for as long as I can remember and it still doesn't seem solved.
3 2 Replies
Board Member, Former CIO in Software, 10,001+ employees

You've probably got at least 3,000 devices to manage for a small company.

CISO in Software, 51 - 200 employees

What makes it worse is that if Kaseya or Teamviewer were to get hacked, then you're totally screwed.

Senior Director, Technology Solutions and Analytics in Telecommunication, 51 - 200 employees
I'm still waiting for the day when we have an operating system that's like your CRM, for example, like Salesforce—not a desktop as a service, more like a software that's a desktop. When are we going to get to that point? You still have to secure the end point, but why can’t we have this completely automated with patch management, etc., all done from a website perspective or an application so that you don't see any of that? All of that could be completely transparent. Or, if it is something that does cause downtime or friction for the end user, it's often pretty transparent or very short.
CIO in Education, 1,001 - 5,000 employees
Awareness that people are still ultimately the weakest link.
Managing Director in Manufacturing, 51 - 200 employees
Policy, Controls, Audits. 

A policy is on as good as the controls in place to ensure its enforced and a control is only as good as an audit to ensure its working. e.g. A stale user policy may exist saying that users aged out need to be disabled, but is there an automated control taking action? have you reviewed the results of the controls actions?

Content you might like

Avoiding vendor lock-in41%

Competitive Pricing57%

Ease of scaling to workloads45%

Resistance to outages40%

Regulatory compliance12%

Other (share below)4%


1.5k views1 Upvote1 Comment

MBA / Master's Degree73%

CISSP / Comparable Certification26%


6.6k views1 Upvote16 Comments