Patch management has long been a major pain point for IT and security teams alike. This problem has only intensified with the growing use of Bring Your Own Device (BYOD) policies and the proliferation of Software as a Service (SaaS). Now, with organizations having to adapt to a largely permanent distributed workforce, the old way of approaching software vulnerabilities has grown insufficient. We are overdue for an extraordinary change in our nationwide patch management strategy. This change is enormously important in light of the explosion of unmanaged devices and the growing tide of Common Vulnerabilities and Exposures (CVEs).
In the past, patch management was challenging even within the relatively insular bounds of corporate networks and entirely managed device fleets. Then the rise of personal devices and cloud-based applications made things even more complicated. According to the 2025 Verizon Data Breach Investigations Report (DBIR), 20% of all successful breaches originated from exploiting vulnerabilities. This statistic highlights just how important strong patch management strategies are in our current landscape.
Today’s workforce operates in an ecosystem overwhelmed by app and device sprawl. Almost all employees use Shadow IT applications and personal devices that go completely unmonitored and unmanaged by IT teams. This is a significant danger, since unpatched software often results in a critical security crisis. The notorious LastPass hack is an urgent reminder of the need for patching. It originated from an unpatched application on an employee’s home computer, highlighting the catastrophic dangers of overlooking patch management.
As we work to protect these more critical systems, IT and security teams can no longer avoid embracing zero trust methodologies. One outstanding solution to this is 1Password Device Trust, which prevents unrecognized devices from authenticating to company SaaS apps. This strategy minimizes the chances of a vulnerability being exploited by ensuring that only secure, compliant, and up-to-date devices can obtain access.
Jason Meller, Vice President of Product at 1Password and founder of Kolide, emphasizes the importance of adapting existing patch management processes to meet current demands. Ever since Kolide’s acquisition in 2024, Meller has been an outspoken proponent of zero trust strategies. McCarthy thinks such strategies are foundational to security teams’ ability to gain deep visibility into device and software vulnerabilities.
Patch management is arguably the area of cyber hygiene that needs the most heavy lifting. IT and security teams are overwhelmed with an impossible list of CVEs to address. They must adapt, develop new strategies, and roll out dynamic solutions to meet the needs of a 21st-century workplace. To effect this change, organizations can no longer rely on outdated methods that would have been effective in an earlier time.
As Albert Camus wrote, “One must imagine Sisyphus happy.” This concept strikes a chord with all you patch managers out there. Patching and fixing vulnerabilities isn’t something that can be marked off like a checkbox. It’s an ongoing process. Yet this challenge is fundamental to creating a safe, secure digital environment.