This goes not only for hardware and OSes, but for applications and tool sets as well. Procurement costs include not only purchase price and maintenance but future updated versions. The owners of those assets are responsible for keeping them updated.
You might think, "Why update for update's sake?" But that's old, insecure thinking. The latest software and hardware come with the latest security features built in, often turned on by default. The biggest threat to the last version was most likely fixed in the current version, leaving older versions that much juicier for hackers looking to make use of known exploits.
Patch at speed
It's advice so common as to seem cliché: Patch all critical vulnerabilities within a week of the vendor's patch release. Yet most companies have thousands of unpatched critical vulnerabilities. Still, they'll tell you they have patching under control.
If your company takes longer than a week to patch, it's at increased risk of compromise -- not only because you've left the door open, but because your most secure competitors will have already locked theirs.
Officially, you should test patches before applying, but testing is hard and wastes time. To be truly secure, apply your patches and apply them quickly. If you need to, wait a few days to see whether any glitches are reported. But after a short wait, apply, apply, apply.
Critics may claim that applying patches "too fast" will lead to operational issues. Yet, the most successfully secure companies tell me they don't see a lot of issues due to patching. Many say they've never had a downtime event due to a patch in their institutional memory.
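As an added illustration (not code from the article), here is a small Python check that applies the "critical within a week of the vendor's patch release" rule to a constructed patch inventory and flags what is overdue. Asset names and advisory ids are placeholders, and the seven-day SLA is the article's figure.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

CRITICAL_SLA_DAYS = 7  # "within a week of the vendor's patch release"


@dataclass
class PatchRecord:
    asset: str
    advisory: str           # vendor advisory id (placeholder values below)
    severity: str           # e.g. "critical", "high"
    released: date          # date the vendor published the patch
    applied: Optional[date] # date we applied it, or None if still missing


def days_open(rec: PatchRecord, today: date) -> int:
    """Days from vendor release to the day we patched (or to today if unpatched)."""
    return ((rec.applied or today) - rec.released).days


def classify(rec: PatchRecord, today: date, sla: int = CRITICAL_SLA_DAYS) -> str:
    """met / missed for applied patches; pending / overdue for patches still missing."""
    if rec.applied is not None:
        return "met" if days_open(rec, today) <= sla else "missed"
    return "pending" if days_open(rec, today) <= sla else "overdue"


def sla_report(records, today: date, sla: int = CRITICAL_SLA_DAYS) -> dict:
    """Summarise critical-patch SLA compliance; overdue items listed oldest first."""
    critical = [r for r in records if r.severity == "critical"]
    counts = {k: 0 for k in ("met", "missed", "pending", "overdue")}
    for r in critical:
        counts[classify(r, today, sla)] += 1
    overdue = sorted((r for r in critical if classify(r, today, sla) == "overdue"),
                     key=lambda r: r.released)
    return {"critical_total": len(critical), **counts,
            "overdue": [(r.asset, r.advisory, days_open(r, today)) for r in overdue]}


# Constructed sample inventory; advisory ids are placeholders, not real identifiers.
SAMPLE = [
    PatchRecord("web-01", "VENDOR-2024-001", "critical", date(2024, 3, 1), None),
    PatchRecord("web-02", "VENDOR-2024-002", "critical", date(2024, 3, 10), None),
    PatchRecord("db-01", "VENDOR-2024-003", "critical", date(2024, 2, 20), date(2024, 2, 24)),
    PatchRecord("db-02", "VENDOR-2024-003", "critical", date(2024, 2, 20), date(2024, 3, 5)),
    PatchRecord("file-01", "VENDOR-2024-004", "high", date(2024, 1, 1), None),
]

if __name__ == "__main__":
    print(sla_report(SAMPLE, date(2024, 3, 15)))
```

Feeding it the output of a real vulnerability scanner or patch-management export gives a per-asset view of how far the organisation actually is from the one-week target, which is usually very different from what "we have patching under control" suggests.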
Educate, educate, educate
Education is paramount. Unfortunately, most companies view user education as a great place to cut costs, or if they educate, their training is woefully out of date, filled with scenarios that no longer apply or are focused on rare attacks.
Good user education focuses on the threats the company is currently facing or is most likely to face. Education is led by professionals, or even better, it involves co-workers themselves. One of the most effective videos I've seen warned of social engineering attempts by highlighting how some of the most popular and well-liked employees had been tricked. By sharing real-life stories of their fallibility, these co-workers were able to train others in the steps and techniques to prevent becoming a victim. Such a move makes fellow employees less reluctant to report their own potential mistakes.
Security staff also needs up-to-date security training. Each member, each year. Either bring the training to them or allow your staff to attend external training and conferences. This means training not only on the stuff you buy but on the most current threats and techniques as well.