With information security, we like to think that everything is locked down and in check. Systems are resilient and will hopefully withstand an attack. The truth is that you never really know how resilient your systems are until they’re fully scrutinized by an attacker or security professional performing a formal vulnerability and penetration test. Odds are that your security is not as good as you think it is.
Let me be clear: I don't envy anyone in charge of keeping software up-to-date in a business environment. I shudder at the thought. That said, missing operating system patches for Windows, Mac OS, and Linux, along with updates needed for third-party software such as Adobe Reader and Java, contribute to what could be the majority of malware infections, incidents, and complete breaches. I see many people attempt to address software patching using free tools from Microsoft, but this is an area where you definitely get what you pay for. Furthermore, IT and security teams often place the burden of software patching on users, and that's a bad idea.
It seems that one of the biggest requests for security expertise these days is in the area of policy development. That's fine, but you don't want to exert too much energy on this. Why? Well, most people don't read security policies, or even know about them. Furthermore, business processes and the desire for instant gratification will dictate whether people follow the policies.
I have been consulting on and writing about incident response plans for years, and it's still uncommon to see a business with a formal incident response plan. There's often a disaster recovery and/or business continuity plan, but rarely anything that addresses external hacking attempts, denial of service attacks, malware outbreaks, and insider abuse. Visualize a pilot without a flight plan. Or a surgeon without the proper training to deal with an unplanned emergency in the middle of a medical procedure. Sure, bad things can still happen, but I can assure you that foresight, training, and detailed planning were done in advance of those situations. That hardly ever seems to be the case in IT. There's no excuse not to have an incident response plan that outlines the essentials: who, what, when, how, why, and so on.
There's no amount of security testing, documentation, or cyber insurance that's going to protect you from these oversights. The only reasonable and rock-solid way to run an information security program is to do what you know needs to be done. Make sure that you know your network, acknowledge the risks, and then do what's required to close the gaps. You'll likely be called out on anything less.