Device and software vulnerabilities pose an increasing risk to modern security. However, patch management is an infamously difficult (and downright Sisyphean) task for IT and security teams, who face an ever-growing list of CVEs to remediate. The task was hard enough in the days of on-premises environments, but a modern distributed workforce also has to contend with the users, devices, and applications that exist outside the purview of traditional security tooling such as MDM. With the number of CVEs and the sprawl of shadow IT both growing, patch management has become more urgent and more daunting than ever. IT and security teams need to adopt zero trust methods so that only healthy, patched devices can reach critical systems. With the help of SaaS management and employee self-remediation, teams can further improve the efficacy of, and support for, their company-wide patch management programs.

French philosopher Albert Camus famously said, "one must imagine Sisyphus happy."

With all respect to Camus, though, he probably never imagined Sisyphus working on patch management. Any IT or security worker who has ever wrestled with the ever-growing list of Common Vulnerabilities and Exposures (CVEs) knows that remediating vulnerabilities can be difficult, never-ending, and often thankless.

It's also vitally necessary. The 2025 Verizon Data Breach Investigations Report (DBIR) found that exploitation of vulnerabilities was the initial access vector in 20% of breaches, a share that has grown steadily over the past few years.

It's not hard to understand why vulnerability exploits are on the rise. Patch management was difficult enough in the days of corporate networks and fully managed fleets. Today's distributed workforce has to contend with app and device sprawl, and many of these shadow IT applications and employee personal devices are entirely unmanaged by IT. Every unmanaged device could be hosting unpatched, vulnerable software; the LastPass breach is an infamous example, since it started from a vulnerable third-party app on an employee's personal computer.

As employees use more unmanaged devices, those devices host more unmanaged apps, and those apps might carry any number of unpatched vulnerabilities. It's a tangled web of risk that keeps sprawling further beyond our reach. And yet, teams keep grinding away at patch management, using tools that clearly aren't up to the task, and falling farther and farther behind.

This approach is unsustainable, ineffective, and downright exhausting. In fact, the patch management process is what needs an update the most, particularly if we want it to reflect the modern reality of BYOD and SaaS sprawl.

IT and security teams can't afford to keep playing "patch management whack-a-mole," smacking down whatever vulnerabilities happen to pop up. We need a proactive approach that finds risks before they have a chance to rear their ugly heads. That means:

  1. Establish oversight of every employee and contractor device, including BYOD.
  2. Discover every work-related SaaS app in use across the company.
  3. Invest in automated systems that continuously monitor devices and SaaS apps for vulnerabilities.
  4. Block devices with known vulnerabilities from accessing company resources until the problem has been fixed.

1Password Device Trust is one example of a zero trust solution that blocks a device from authenticating to company SaaS apps unless the device is known and secure. No device, managed or unmanaged, can authenticate until it passes a set of device posture checks, including running patched operating system and application software.

1Password Device Trust works hand-in-hand with Trelica by 1Password, which discovers the managed and unmanaged SaaS applications in use across a company and reports each app's risk profile and patch status.

Device Trust also offloads some of the work of patch management from IT and security teams to end users: when a check fails, the user is shown what is wrong and guided through installing the update themselves, and the device stays blocked until the fix is in place.

These examples illustrate how we can update our patch management practices to accommodate the realities of distributed teams.
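The following is an added worked example of steps 3 and 4 above together with the user-facing remediation just described; it is illustrative code written for this article, not 1Password's or Trelica's implementation. The minimum-version policy, the enrolled-device list, the device records, and the 24-hour freshness window are all constructed assumptions. It shows the shape of a posture gate a practitioner would want: default deny, unknown devices refused outright, a stale inventory failing closed rather than open, and every failed check surfaced to the user so they can self-remediate.

```python
"""Posture-gated sign-in: refuse a device access to company SaaS until it is
enrolled, recently inventoried, and running patched software.

Added example for this article, not any vendor's code. The policy table,
device list, versions and timestamps below are constructed."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical policy: software name -> lowest version considered patched.
# In practice this is fed from a vulnerability feed or app inventory.
MIN_VERSIONS = {
    "macOS": "14.7.2",
    "Google Chrome": "131.0.6778.85",
    "Plex Media Server": "1.41.0",
}

# Constructed set of enrolled devices (managed or BYOD); anything else is unknown.
KNOWN_DEVICES = {"mbp-0421", "win-0317", "byod-9001"}

# A posture report older than this cannot vouch for the device's patch state.
MAX_REPORT_AGE = timedelta(hours=24)


@dataclass
class Device:
    device_id: str
    user: str
    software: dict        # installed software name -> version string
    reported_at: datetime  # when the device agent last sent its inventory


@dataclass
class Decision:
    allow: bool
    findings: list = field(default_factory=list)


def parse_version(v: str) -> tuple:
    """'1.41.0.9057-abc' -> (1, 41, 0, 9057); non-numeric build tags are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1. Zero-pads so that '14.7' compares equal to '14.7.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def evaluate(device: Device, now: datetime, policy=MIN_VERSIONS) -> Decision:
    """Default-deny posture check; every failure is recorded for the user."""
    findings = []

    if device.device_id not in KNOWN_DEVICES:
        findings.append("device is not enrolled")
        return Decision(False, findings)  # nothing it reports can be trusted

    if now - device.reported_at > MAX_REPORT_AGE:
        findings.append("posture report is older than 24h")  # fail closed

    for name, minimum in policy.items():
        installed = device.software.get(name)
        if installed is None:
            continue  # not installed: nothing to patch
        if compare_versions(installed, minimum) < 0:
            findings.append(f"{name} {installed} is below required {minimum}")

    return Decision(allow=not findings, findings=findings)


def remediation_message(device: Device, decision: Decision) -> str:
    """Text shown at sign-in so the end user can fix the problem themselves."""
    if decision.allow:
        return f"{device.device_id}: all checks passed, sign-in allowed."
    steps = "\n".join(f"  - {f}" for f in decision.findings)
    return (f"{device.device_id}: sign-in blocked until the following are fixed:\n"
            f"{steps}\nUpdate the listed software, then try signing in again.")


# Constructed sample devices evaluated at a fixed point in time.
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
PATCHED = {"macOS": "14.7.2", "Google Chrome": "131.0.6778.85"}
PATCHED_LAPTOP = Device("mbp-0421", "alice", PATCHED, NOW - timedelta(hours=2))
OLD_PLEX_LAPTOP = Device("byod-9001", "bob",
                         {**PATCHED, "Plex Media Server": "1.19.3"},
                         NOW - timedelta(hours=2))
STALE_LAPTOP = Device("win-0317", "carol", PATCHED, NOW - timedelta(hours=48))
UNKNOWN_LAPTOP = Device("mbp-9999", "dave", PATCHED, NOW - timedelta(hours=1))

if __name__ == "__main__":
    for dev in (PATCHED_LAPTOP, OLD_PLEX_LAPTOP, STALE_LAPTOP, UNKNOWN_LAPTOP):
        print(remediation_message(dev, evaluate(dev, NOW)))
```

Two design choices matter here. The version comparison is numeric and zero-padded because string comparison gets "131.0" versus "9.1" wrong, and the freshness check exists because an agent that stopped reporting is indistinguishable from an attacker who uninstalled it; both cases must deny.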

It's time for IT and security teams to step away from the boulder and ask themselves a question: Is there a better way to push this rock up this hill?

About the Author: Jason Meller is a vice president of product at 1Password, the founder of Kolide, and the author of "honest.security." Jason began his security and product career at GE's elite computer incident response team. From there, he moved to Mandiant, quickly working his way up to becoming the chief security strategist in 2015. He later founded and served as the CEO of Kolide until its acquisition by 1Password in 2024.

This article is a contributed piece from one of our valued partners.