I don’t disagree per se with anything Anup is saying; however, upon reading this I was concerned. I think that people who have been doing this a long time have a clear understanding, but I believe the target audience of Piss-Ohs (Paper CISOs) needs more detailed guidance.

Myth 1: We can patch our way to security

Even with the full understanding that you can’t patch your way to security, you are in fact negligent if you are not pursuing a target state of everything in your org patched on a regular approved cycle, including emergency patching for critical s , with all of your legacy issues managed from a risk perspective. By that I mean leadership is fully aware of the risk and has either chosen to accept it or to look at alternate solutions going forward. From my perspective, legacy solutions should be run in a virtual sandbox environment such as ThinApp, to allow the end user desktop to be fully patched. Some people have also gone the VDI route with varied success rat
My random musings about IT Security whenever I have time to think