You cannot protect what you have until you know what you have. An asset inventory should be as automated as possible to avoid human error and blind spots. It should also include an application inventory broken out into applications that can be scanned for missing updates and patched automatically or remotely, and those that cannot; the second group is where manual remediation effort will go, so it should be kept as small as possible.
Create groups (patch rings) in order to roll out patches in a well-tested and timely manner. Have key individuals in IT and Security test the updates first. Next, push to a second group comprising about 10% of the organization and spanning all teams, so that team-specific software and configurations are exercised before the general rollout. Finally, push patches to the remaining population of users and servers in as automated a manner as possible. Do not promote a patch to the next ring until the previous ring has reported back and its failure rate is within an agreed threshold, and have a rollback plan before the first ring goes out.
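As an added example (not code from the original page), the following script assigns hosts to the three rings described above and gates promotion between rings. The inventory, team names and hostnames are constructed sample data; the 10% canary share and the 2% failure threshold are assumptions you would tune for your environment. Ring membership is derived from a hash of the hostname rather than picked by hand, so the canary set is stable across runs and every team is guaranteed at least one canary.

```python
"""Deterministic patch-ring assignment with a promotion gate.

Ring 0: named IT/Security pilots.
Ring 1: roughly `percent` of each team, chosen by a stable hash of the hostname.
Ring 2: everyone else.
"""
import hashlib
import math
from collections import defaultdict

# Constructed sample inventory: hostname -> team. These are not real hosts.
INVENTORY = {f"eng-wks-{i:02d}": "eng" for i in range(1, 13)}        # 12 hosts
INVENTORY.update({f"sales-wks-{i:02d}": "sales" for i in range(1, 6)})  # 5 hosts
INVENTORY.update({f"fin-wks-{i:02d}": "finance" for i in range(1, 4)})  # 3 hosts
INVENTORY.update({f"it-wks-{i:02d}": "it" for i in range(1, 5)})        # 4 hosts
INVENTORY.update({f"sec-wks-{i:02d}": "security" for i in range(1, 3)}) # 2 hosts

# Assumed ring-0 pilots (one IT and one Security workstation).
PILOTS = {"it-wks-01", "sec-wks-01"}


def stable_rank(hostname: str) -> str:
    """Order hosts by a hash so canary selection is deterministic and not
    biased by naming (e.g. always picking the -01 machines)."""
    return hashlib.sha256(hostname.encode("utf-8")).hexdigest()


def assign_rings(inventory: dict, pilots: set, percent: int = 10) -> dict:
    """Return {0: set, 1: set, 2: set}. Every team contributes at least one
    host to ring 1, and the split is identical on every run."""
    rings = {0: set(), 1: set(), 2: set()}
    by_team = defaultdict(list)
    for host, team in inventory.items():
        if host in pilots:
            rings[0].add(host)
        else:
            by_team[team].append(host)
    for hosts in by_team.values():
        ordered = sorted(hosts, key=stable_rank)
        n_canary = max(1, math.ceil(len(ordered) * percent / 100))
        rings[1].update(ordered[:n_canary])
        rings[2].update(ordered[n_canary:])
    return rings


def can_promote(ring_hosts: set, results: dict,
                max_failure_rate: float = 0.02) -> tuple:
    """Gate for moving to the next ring.

    `results` maps hostname -> "ok" | "failed"; a host missing from `results`
    has not reported yet and blocks promotion, so a silent ring is never
    mistaken for a healthy one.
    """
    pending = [h for h in ring_hosts if h not in results]
    if pending:
        return False, f"{len(pending)} host(s) have not reported: {sorted(pending)}"
    failed = [h for h in ring_hosts if results[h] == "failed"]
    rate = len(failed) / len(ring_hosts) if ring_hosts else 0.0
    if rate > max_failure_rate:
        return False, f"failure rate {rate:.1%} exceeds {max_failure_rate:.1%}"
    return True, "ok"


if __name__ == "__main__":
    rings = assign_rings(INVENTORY, PILOTS)
    for ring, hosts in rings.items():
        print(f"ring {ring}: {len(hosts)} hosts -> {sorted(hosts)}")
    print(can_promote(rings[0], {"it-wks-01": "ok", "sec-wks-01": "ok"}))
    print(can_promote(rings[0], {"it-wks-01": "ok"}))
```

Feed `results` from whatever your patch tool reports (install status per host), and only call the next ring's deployment when `can_promote` returns `True`.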
New vulnerabilities appear every day, so scanning should be continuous rather than periodic. Automate it with built-in agents or the cloud provider's native scanning services. Verify that automated patching is actually closing findings within its expected window, then focus attention on the vulnerabilities that require manual remediation. Prioritize those using a risk-based approach rather than the CVSS score alone: the base score describes intrinsic severity and says nothing about whether the flaw is being exploited in the wild, whether the affected asset is internet-facing, or how critical that asset is to the business.
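The following is an added example, not code from the original page, showing the two checks described above over a constructed set of scanner findings: first, flag findings that the automated pipeline should have fixed but has not, and second, order the manual-remediation queue by risk rather than by CVSS. The finding identifiers, the field names and the weighting multipliers (exploited-in-the-wild x2, internet-facing x1.5, asset tier x2/x1/x0.5) are assumptions chosen to illustrate the idea, not a published scoring scheme.

```python
"""Risk-based vulnerability prioritization versus plain CVSS ordering."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    vuln_id: str          # scanner's finding id (constructed placeholders below)
    host: str
    cvss: float           # CVSS base score, 0.0 - 10.0
    known_exploited: bool # e.g. listed in an exploited-in-the-wild catalogue
    internet_facing: bool
    criticality: int      # asset tier: 1 = crown jewel, 2 = standard, 3 = low value
    auto_patch: bool      # covered by the automated patch pipeline
    age_days: int         # days since the finding was first seen


# Assumed multipliers; tune to your own risk appetite.
EXPLOITED_MULT = 2.0
INTERNET_MULT = 1.5
TIER_MULT = {1: 2.0, 2: 1.0, 3: 0.5}

# Constructed sample findings (no real CVEs or hosts).
FINDINGS = [
    Finding("vuln-A", "dev-box-7", 9.8, False, False, 3, False, 3),
    Finding("vuln-B", "vpn-gw-1", 7.5, True, True, 1, False, 1),
    Finding("vuln-C", "hr-app-2", 8.1, True, False, 2, False, 5),
    Finding("vuln-D", "web-fe-3", 9.0, False, True, 1, True, 20),
    Finding("vuln-E", "wiki-1", 6.5, False, True, 2, False, 2),
]


def risk_score(f: Finding) -> float:
    """CVSS adjusted for exploitation, exposure and asset value."""
    score = f.cvss
    if f.known_exploited:
        score *= EXPLOITED_MULT
    if f.internet_facing:
        score *= INTERNET_MULT
    return score * TIER_MULT[f.criticality]


def auto_patch_gaps(findings: List[Finding], max_age_days: int = 14) -> List[str]:
    """Findings the pipeline should have fixed but that are still open past
    the expected window: evidence that automated patching is not working."""
    return sorted(f.vuln_id for f in findings
                  if f.auto_patch and f.age_days > max_age_days)


def cvss_only_order(findings: List[Finding]) -> List[str]:
    """Naive ordering by base score, for comparison."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: (-f.cvss, f.vuln_id))]


def prioritize_manual(findings: List[Finding]) -> List[str]:
    """Manual-remediation queue: only findings outside the automated pipeline,
    highest risk first."""
    manual = [f for f in findings if not f.auto_patch]
    return [f.vuln_id for f in sorted(manual, key=lambda f: (-risk_score(f), f.vuln_id))]


if __name__ == "__main__":
    print("auto-patch gaps:", auto_patch_gaps(FINDINGS))
    print("by CVSS:        ", cvss_only_order(FINDINGS))
    print("by risk (manual):", prioritize_manual(FINDINGS))
    for f in FINDINGS:
        print(f"{f.vuln_id}: cvss={f.cvss} risk={risk_score(f):.2f}")
```

On this sample the CVSS 9.8 finding on an isolated low-value dev box drops to the bottom of the manual queue, while the CVSS 7.5 finding that is being exploited on an internet-facing tier-1 gateway goes to the top; the tier-1 web front end's finding is excluded from the manual queue but surfaces as an automated-patching gap because it has been open for 20 days.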
Regularly check your asset and application inventory to make sure it is up to date; reconcile it against sources that are hard to get wrong, such as cloud provider APIs, DHCP leases and the identity provider's device list, and treat anything present there but missing from the inventory as a finding. Be sure that security tools are installed and configured properly on endpoints, and alert on hosts where the endpoint agent is missing or has stopped reporting.
Create a list of applications by department that are vetted by security and made available to end users without IT involvement. Make it easy for users to use the applications you want them to use. Publish the criteria for what gets whitelisted so employees know why those applications are preferred over the niche open-source tool they are used to, and provide a straightforward request path for adding new applications so the list does not drive people to work around it.