Yes, most (if not all) of us are going to be impacted one way or another by the Equifax breach. And class action lawsuits, credit monitoring tools and individual credit freezes will escalate. But there is another important dimension to this calamity, one that might yield some positive upside if approached properly. What am I talking about? I am talking about the chasm between Infrastructure Ops, Security Ops, and Compliance and Audit that exists in every enterprise today (and which I wrote about here), and how that might have contributed to this fiasco.

But this is not just an Equifax issue, I would hazard. Why can I state this confidently? Because I heard this loud and clear at #BlackHat and more recently at the #StructureSecurity conference in San Francisco. In fact, a comment by John ‘Four’ Flynn – CISO at Uber – really drove this home: ‘The #1 risk most organizations face today is the Windows 2000 server sitting under Bob’s desk that needs to stay up and therefore is not patched, rebooted or changed in any manner as no one wants to assume the risk of it going down’. And this trumps any security hygiene or compliance dictate.

If you are in IT Operations, this presents an opportunity that does not come by very often. Most well-run IT Ops teams may think they have a handle on security and may even be aware of ‘Bob’s server’ and other vulnerable systems in their environment (cloud adds another degree of complexity, but let’s tackle that in the next article). But the fear remains: what if there are more such systems than anticipated? Would they maybe even try a tool that exposes the risk they have? Actually not. They don’t want to hear it, because if they do and then don’t act and there is an incident, heads will roll. So they would rather play dumb and NOT EVEN entertain the dialog with a vendor or two.
But that does not reduce the risk, and they do end up spending sleepless nights!

But with Equifax – and the unpatched Apache servers – the quantifiable cyber security risk that an organization faces is becoming a board-level conversation. And I would argue that this is the time that IT Ops can actually go up to the CIO (or CISO) and make a case for ‘risk assessment’ tools that would materially expose, quantify and reduce the cyber risk any organization faces. For instance, in a recent GAO report the five identified areas of weakness were ‘limited access controls, limited configuration management controls, limited to no segregation of duties, lack of contingency planning, siloed security management’. I would argue that, on any given day, no IT organization would be magically accorded budget to identify tools that would help expose the risks in these five areas and then take corrective action. But we are not talking about any given day. This is the day (or the week) that the largest and most impactful breach in US history has happened, and it has been attributed to poor patch management governance.

That is the opportunity. Don’t let this crisis go to waste, my fellow IT brethren. With the CEO having to step down as a result of this, the budget will appear magically in most regulated industry verticals. One needs to know what to ask for and why.

So let’s take advantage of what happened at Equifax and go and secure budget for the tasks that you always knew you had to do (update Bob’s Win 2K server). Given the heightened awareness, there would also be more latitude toward any issues post-upgrade, since the primary driver is to patch the systems.

On the contrary, if we pretend that this is just yet another breach and sink into hubris, and, God forbid, another attack were to happen, the tolerance for any kind of IT snafu would be very low.
So let’s ride this horse to the finish line, seek budget, and deploy tools that:

- Identify and expose risk
- Highlight the risk in a language upper management understands
- Apply the solutions that reduce the risk to bring it to an acceptable level
- Constantly monitor the environment for any change
- Rinse and repeat.

As someone once said – "Never let a crisis go to waste."