Below you will find pages that utilize the taxonomy term “Security”
The Vulnerability Management Backlog Every Organization Has and Nobody Talks About
Vulnerability management programs have a dirty secret that annual security assessments and compliance audits politely decline to examine: the remediation backlog. Organizations that have deployed vulnerability scanners — Tenable, Qualys, Rapid7 — know their vulnerability count precisely. Most of them have more open vulnerabilities than they will remediate in the coming year. Many have more open vulnerabilities than they will remediate in the next three years at their current remediation pace.
AI in Enterprise IT: Where It Is Actually Saving Time
Enterprise IT has adopted AI-assisted tools at an uneven pace across the four functional areas. The adoption unevenness reflects a genuine difference in the maturity of AI applications across contexts — some IT functions have clear, measurable AI use cases with documented productivity gains, while others have AI vendor claims that have not translated to operational reality at the scale most enterprises require.
The honest assessment of where AI is saving time in enterprise IT is narrow but real: specific use cases within IT support, security operations, and software development assistance have demonstrated consistent productivity gains. The broader claims — AI transformation of IT operations across all functions — remain future-oriented rather than present-tense.
The IT Budget Allocation Problem That Keeps CIOs Up at Night
The IT budget allocation problem is structural, not mathematical. Organizations that spend the right total amount on IT frequently allocate it incorrectly across the four functional areas — run the business, grow the business, transform the business, and maintain the infrastructure that enables all three — producing technology environments that are simultaneously overspent in some areas and critically underfunded in others.
The allocation pattern that is most common and most damaging is heavy spending on new software and technology initiatives with insufficient investment in the support, security, and infrastructure maintenance that determines whether those investments function reliably. An organization that spends aggressively on digital transformation while deferring network infrastructure refresh, understaffing the helpdesk, and running security with inadequate tooling has not made a strategic trade-off. It has made an accounting error that looks like a strategic choice.
BYOD Policy Has Produced Security Problems Nobody Wants to Own
Bring Your Own Device policies were adopted by enterprise IT organizations under pressure from employees and leadership who wanted to use their personal devices for work and did not want to carry two phones. The policies were designed hastily, implemented with tools that were not ready for the management requirements they needed to meet, and left in place with minimal review as the security landscape changed around them. The result is a policy category that most IT security professionals acknowledge as a significant exposure and most organizations decline to address because addressing it requires telling employees they cannot use their personal devices for work.
Ransomware Recovery Is Where Security Programs Actually Get Tested
Ransomware preparation is the security investment whose quality organizations discover at the worst possible moment. The backup strategy that was designed but not tested reveals its gaps when the organization needs to restore from it. The incident response plan that was written but not rehearsed reveals its gaps when the team is trying to execute it under pressure. The cyber insurance policy that was procured but not fully read reveals its requirements when the claim is filed.
Endpoint Detection and Response Has Not Solved the Endpoint Security Problem
Endpoint Detection and Response platforms replaced antivirus as the dominant endpoint security technology on the basis that signature-based detection could not keep pace with the volume and variety of modern malware. The replacement was justified. EDR’s behavioral detection, continuous telemetry, and forensic capability represent a genuine improvement over signature-based antivirus in detecting and investigating endpoint threats.
The marketing that followed — the promise of comprehensive endpoint security that would significantly reduce breach frequency and impact — overstated what the technology can deliver. EDR is better than what it replaced. It is not the endpoint security solution. Endpoints continue to be compromised at scale in organizations running mature EDR deployments because the threats that matter most have adapted to operate within the behavioral envelope that EDR considers legitimate.
Phishing Remains the Most Effective Attack Vector and Training Is Not Fixing It
Phishing has been the leading initial access vector for enterprise breaches for over a decade. Security awareness training — the annual compliance exercise that organizations deploy to satisfy auditors and reduce cyber insurance premiums — has been the dominant organizational response for the same period. The training has not significantly reduced phishing click rates in most organizations. The reasons are structural, not motivational, and the solutions require technical controls rather than behavioral ones.
Zero Trust Architecture Is Not a Product You Buy
The security vendor community has done something impressive with the Zero Trust concept: it has taken a principled architectural framework that requires organizational discipline, policy definition, and sustained implementation effort, and repackaged it as a product category that can be purchased and deployed. The repackaging is commercially effective. It is also misleading in a way that causes organizations to believe they have implemented Zero Trust when they have purchased a tool.