
Manage Security

by jack — last modified 2008-09-15 12:53

I say we take off and nuke the entire site from orbit. It's the only way to be sure.

LANDesk Security Suite is a great tool for managing site security, but there is no tool for solving people problems. Well, nothing legal and ethical, anyway. That said, here are some guidelines for the organization that has to start from scratch.

  1. POLICY. Is there a computer usage policy? Do you state what your users can and can't do with your computers? If so, review it. If not, let the business owner know that you need one, and start the process of getting stakeholders together for building that policy. Whether you're building from scratch or reviewing an old document, this will take a long time, so start it first. You can do other things in parallel.
  2. UPDATES. Go into Security & Patch Manager and click "Download Updates". Select the applicable channels. That's at least Windows Vulnerabilities, Windows Spyware, Security Threats, and LANDesk Updates. Configure the Alert Settings to alert you to any service packs or critical definitions. If you're not on 8.8 yet, check the box to put new definitions into Unassigned. Schedule a daily update.
  3. HAVE YOU STOPPED READING? If you're so swamped that you're not going to review the patch content, please do not put new vulnerabilities into Unassigned, even though I normally would recommend that. First, it won't let your automated patch process work when you upgrade to 8.8, and second, I've seen too many shops that forget they did it. If you really can't be bothered to review and test patches, you need to decide whether you're going to skip patching or just use the Definition Group Settings button to autofix everything. Not making a decision about Unassigned is the same as deciding not to patch.
  4. WEEKLY MEETING. Go to your calendar and book a recurring weekly meeting with your team, one to two hours long. The purpose of this meeting is:
    1. Review the patches in Unassigned, and move them into Scan or Do Not Scan.
    2. Review the contents of the Detected folder and decide what you are going to do. Categorize by Critical, High, and Other (Service Packs are handled differently).
      1. Critical threats: schedule a repair task and set a reminder in your calendar; tomorrow you'll set these to autofix.
      2. High threats: Copy these into a custom group, then schedule a Repair & Stage task. Start the stage task now and set two reminders in your calendar; tomorrow, you'll turn on the repair task, and the day after tomorrow you'll set these to autofix.
      3. Other threats: Treat these like High threats, but let them pile up in the custom group for a month, and fix them all together.
    3. Service Packs need to be tested, even if you don't test anything else. Go ahead and start the Stage task, but don't do the Repair task until you know that Service Pack works in your environment.
  5. MONTHLY MEETING. Go to your calendar and book a recurring monthly meeting with your team, two to three hours long. In this meeting, you're going to review the policy or progress towards a policy.
    1. Blocked apps: Are you blocking what the policy says you should block?
    2. Compliance: Check the available security threats and keep the ones that are in line with your policy in Scan. Move the ones that aren't into Do Not Scan. If you don't need to know that your systems aren't in compliance with the NSA's recommendation (trust me, they aren't), then don't scan for it. If it's in your Scan folder, you should be willing to use autofix to enforce it. If you're not willing to enforce it, move it into Do Not Scan.
    3. Review the reports and dashboard to make sure that you understand what's in there. It's better to know what they say and why they say it before your CxO comes by to ask.
Last but not least, when you're in those meetings, you need to focus, and that means no helpdesk. Explain to your management what you're doing, and provide a contingency plan that allows you to do preventive work instead of reactive work.
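The weekly triage in step 4 has a fixed cadence (Critical: repair now, autofix tomorrow; High: stage now, repair tomorrow, autofix the day after; Other: same cadence but batched monthly; Service Packs: stage only until tested). The following Python script is an added example, not from the original page or from LANDesk, that turns a review date and a list of detections into a date-sorted list of calendar reminders. The `Detection` and `Plan` classes, the severity labels, the sample definition IDs and the 28-day stand-in for "a month" are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Hypothetical severity labels mirroring the Critical/High/Other split above,
# plus Service Packs, which the page says are handled differently.
CRITICAL, HIGH, OTHER, SERVICE_PACK = "Critical", "High", "Other", "ServicePack"

# Assumption: "let them pile up for a month" is modelled as four weekly
# review meetings, i.e. 28 days after the review in which they were found.
OTHER_BATCH_DELAY = timedelta(days=28)

# Constructed review date used by the sample run below.
REVIEW_DATE = date(2008, 9, 15)


@dataclass
class Detection:
    """One entry from the Detected folder (constructed, not LANDesk's own schema)."""
    definition_id: str
    title: str
    severity: str


@dataclass
class Plan:
    """Dates for the three task types the page talks about.
    None means 'do not schedule this automatically'."""
    stage: Optional[date]
    repair: Optional[date]
    autofix: Optional[date]
    group: str


def plan_for(det: Detection, review: date) -> Plan:
    """Apply the weekly-meeting rules to one detection."""
    one, two = timedelta(days=1), timedelta(days=2)
    if det.severity == CRITICAL:
        # Schedule the repair task today; reminder for tomorrow to flip to autofix.
        return Plan(stage=None, repair=review, autofix=review + one, group="Critical")
    if det.severity == HIGH:
        # Stage now, turn on repair tomorrow, autofix the day after.
        return Plan(stage=review, repair=review + one, autofix=review + two, group="High")
    if det.severity == OTHER:
        # Same cadence as High, but deferred to the monthly batch.
        batch = review + OTHER_BATCH_DELAY
        return Plan(stage=batch, repair=batch + one, autofix=batch + two,
                    group="Other (monthly batch)")
    if det.severity == SERVICE_PACK:
        # Stage immediately; repair and autofix stay manual until the SP is tested.
        return Plan(stage=review, repair=None, autofix=None,
                    group="Service Packs (test first)")
    raise ValueError(f"unknown severity {det.severity!r} for {det.definition_id}")


def build_reminders(detections: List[Detection], review: date) -> List[Tuple[date, str, str]]:
    """Flatten all plans into (date, action, definition_id) tuples, sorted by date."""
    reminders = []
    for det in detections:
        p = plan_for(det, review)
        for action, when in (("stage", p.stage), ("repair", p.repair), ("autofix", p.autofix)):
            if when is not None:
                reminders.append((when, action, det.definition_id))
    return sorted(reminders)


# Constructed sample of what a Detected folder might hold after a weekly scan.
SAMPLE = [
    Detection("MS08-EXAMPLE-1", "Example critical remote code execution (constructed)", CRITICAL),
    Detection("MS08-EXAMPLE-2", "Example high-severity browser fix (constructed)", HIGH),
    Detection("MS08-EXAMPLE-3", "Example low-impact update (constructed)", OTHER),
    Detection("SP-EXAMPLE-1", "Example service pack (constructed)", SERVICE_PACK),
]

if __name__ == "__main__":
    for when, action, ident in build_reminders(SAMPLE, REVIEW_DATE):
        print(f"{when}  {action:8}  {ident}")
```

Running it prints one line per reminder; the point of the exercise is that every item in Detected ends up with an explicit decision and a date, which is what the page's "not deciding is deciding not to patch" warning is about.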

What if you've got Process Manager or Security Suite 8.8? Then there's an automatic patch process, and you can use some different steps... but honestly, I really think you should follow the process above and just use Process Manager to take care of grunt work like creating groups and tasks or checking their status.
  1. You still need a policy. You can't do things unless you've got authority to back you up, and it's a good idea to get that authority in writing.
  2. INFRASTRUCTURE. Make sure you've got the built-in Process Manager configured properly. You'll need a SQL system instead of Oracle, you'll need the SA password, and you'll need Active Directory (and credentials that can read from it). There's good documentation on the community site to help you.
  3. TARGETS. Get three queries set up, indicating your Test, Pilot, and All Workstations groups. Test should be indicative of the average workstation's default build. Pilot should be the IT group and some representative regular users. These systems will be automatically patched with new content, so make sure the users are aware of that. If you've got Macs, make sure you're testing them too.
  4. CONTENT. Do you want to test blocked apps? Every AV DAT File? What about Service Packs? All this is configured in the Process Designer.


Good luck!