TL;DR: Access control. Not just key cards and PINs.
Also get automated log analysis tools and learn how to use them.
Other useful stuff.
Set up one or more test PCs with the standard network build and test each new patch on them before roll-out. Get it in writing from a PHB if they don't want one or more (tested-to-work) patches installed, if they are security-related. IOW, it's on them if there's a breach.
The eternal questions. What ports are open on this PC? Why exactly are they open? Can this PC be seen from the internet?
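A script for the first two of those questions on a Linux box, added here as an example and not part of the comment above: it parses `ss -tulnp` output (iproute2), tells you which listening sockets are bound to loopback only versus all interfaces, and which process owns each one. The SAMPLE text is constructed for the example, not captured from any real host; the third question (is it visible from the internet) can only be answered by scanning from outside, which this script does not do.

```python
"""Listening-socket review: what is open, which process owns it, and whether
it is reachable from beyond the loopback interface.

Parses `ss -tulnp` (iproute2) output. SAMPLE below is constructed for this
example; run the script on a real host to get live data.
"""
import re
import shutil
import subprocess

# Constructed sample of `ss -tulnp` output (not captured from a real host).
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*    users:(("cupsd",pid=604,fd=7))
tcp   LISTEN 0      4096            [::]:3306          [::]:*     users:(("mysqld",pid=1203,fd=22))
tcp   LISTEN 0      128            [::1]:5432          [::]:*     users:(("postgres",pid=990,fd=5))
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*    users:(("avahi-daemon",pid=560,fd=12))
"""

WILDCARD = {"0.0.0.0", "*", "[::]", "::"}      # bound to every interface
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}       # local-only, not remotely reachable
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Return one dict per socket line: proto, addr, port, scope, process, pid."""
    sockets = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)       # "[::]:3306" -> "[::]", "3306"
        if addr in WILDCARD:
            scope = "all-interfaces"
        elif addr in LOOPBACK or addr.startswith("127."):
            scope = "loopback"
        else:
            scope = "specific"                  # bound to one interface address
        m = PROC_RE.search(fields[6]) if len(fields) > 6 else None
        sockets.append({
            "proto": proto,
            "addr": addr,
            "port": int(port) if port.isdigit() else port,
            "scope": scope,
            "process": m.group(1) if m else None,
            "pid": int(m.group(2)) if m else None,
        })
    return sockets


def exposed(sockets):
    """Sockets a remote host could reach: anything not bound to loopback."""
    return [s for s in sockets if s["scope"] != "loopback"]


def unowned(sockets):
    """Sockets with no process shown. ss only shows other users' PIDs when run
    as root, so an empty Process column means 'rerun as root', not a ghost."""
    return [s for s in sockets if s["process"] is None]


def live_listeners():
    """Run ss on this host; returns [] if iproute2 is not installed."""
    if shutil.which("ss") is None:
        return []
    out = subprocess.run(["ss", "-tulnp"], capture_output=True, text=True, check=False)
    return parse_ss(out.stdout)


def report(sockets):
    """One line per socket: proto, port, scope, owning process."""
    lines = []
    for s in sorted(sockets, key=lambda s: (s["proto"], str(s["port"]))):
        who = f'{s["process"]}[{s["pid"]}]' if s["process"] else "(unknown: run as root)"
        lines.append(f'{s["proto"]:4} {str(s["port"]):>5} {s["scope"]:15} {who}')
    return "\n".join(lines)


if __name__ == "__main__":
    print("sample (remotely reachable only):")
    print(report(exposed(parse_ss(SAMPLE))))
    live = live_listeners()
    if live:
        print("\nthis host (remotely reachable only):")
        print(report(exposed(live)))
```

Run it as root so the Process column is populated for every socket; for each port in the "all-interfaces" list the follow-up question is the one in the comment, namely why exactly it is open, and whether it should be bound to 127.0.0.1 or firewalled instead.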