Patch Management: Why It Matters, Why It’s Likely Broken at Your Business, and What to Do Now

Please, please read this before you hire any more cybersecurity people. And share it with anyone you know who is planning or considering hiring any more cybersecurity people.

Why? Because simply hiring more people won’t make your IT any more secure. That is assuming you can even find, recruit, afford, and retain the people you think you want to hire. ISACA, the non-profit IT advocacy group, predicts the shortfall in available cybersecurity professionals will reach 2 million by 2019.

ServiceNow, pioneers in IT service management from the cloud, recently announced the results of a survey it commissioned. The survey, conducted by the respected Ponemon Institute, collected responses from “nearly 3,000 security professionals in nine countries.” They were asked about “the effectiveness of their vulnerability response tools and processes” – the ways they “prioritize and remediate flaws in software that could serve as attack vectors.” Herewith, some of the results and some accompanying observations.

Cybersecurity Threats: Bad, and Getting Worse

  • “Cyberattack volume increased by 15% last year, and severity increased by 23%.”
  • “48% of organizations have experienced a data breach in the last two years.”
  • “A majority of breach victims (57%) said that they were breached because of a vulnerability for which a patch was already available.”
  • “34% were actually aware that they were vulnerable before they were breached.”
  • “54% say that hackers are outpacing organizations with technologies such as machine learning and artificial intelligence.”

Patch Management: Why It Matters

  • “Organizations that avoided breaches rated themselves 41% higher on the ability to patch quickly than organizations that had been breached.”

Patch Management: How Broken Is it?

  • “Organizations spend 321 hours a week on average – the equivalent of about eight full-time employees – managing the vulnerability response process.” Yet “37% of breach victims said they don’t scan for vulnerabilities.”
  • “Security teams lost an average of 12 days manually coordinating patching activities across teams.”
  • “65% say they find it difficult to prioritize what needs to be patched first.”
  • “61% say that manual processes put them at a disadvantage when patching vulnerabilities.”
  • “55% say that they spend more time navigating manual processes than responding to vulnerabilities.”

So how will respondents respond? Not by automating and consolidating their patch management processes, apparently.

  • “64% of respondents say they plan to hire more dedicated resources for patching over the next 12 months.”
  • “On average, the respondents surveyed plan to hire about four people dedicated to vulnerability response – an increase of 50% over today’s staffing levels.”

Patch Management: What to Do Now

The survey results announcement includes what ServiceNow says are “five key recommendations that provide organizations with a pragmatic roadmap to improve security posture.” I have reproduced and annotated those recommendations below.

“Take an unbiased inventory of vulnerability response capabilities.”

  • If you have IT asset management (ITAM) and/or cybersecurity management solutions in place, make sure to take maximum advantage of any discovery and inventory features they have. But if you have to assess your vulnerability response capabilities manually, swallow hard and do it.

“Accelerate time-to-benefit by tackling low-hanging fruit first.”

  • Lists of available operating system and application patches are always available online, from vendors and other reputable sources. Determine where your needs are most pressing, with a focus on patches that have been available the longest without being implemented at your business. (These are the ones likely to have been tested and tweaked the most to avoid breaking anything or creating new vulnerabilities when implemented. They are also the ones attackers have had the longest to reverse-engineer, so they are the most likely to have working exploit code in circulation.)

“Regain time lost coordinating by breaking down data barriers between security and IT.”

  • Focus equally on breaking down any and all political and cultural barriers between security and IT, and between IT and business decision makers. Cybersecurity and patch management affect entire organizations and are affected by all users. Eliminating data barriers without identifying and eliminating any “soft” barriers separating those who must collaborate will not improve your cybersecurity much, if at all.

“Define and optimize end-to-end vulnerability response processes, and then automate as much as you can.”

  • Where pursuit of effective end-to-end vulnerability responses is not yet possible, start by automating those successful “low-hanging fruit” pursuits as much as possible. Then replicate and scale these when and wherever possible. Document everything, to make it as easy and consistent as possible to replicate successes and avoid repeating mistakes.
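The “low-hanging fruit” and “automate as much as you can” recommendations above boil down to one repeatable step: turn a scanner’s list of findings into a ranked work queue, oldest-and-worst first, and let the script rather than a spreadsheet decide the order. The following is an added example written for this post; it is not code from ServiceNow, Ponemon, or the author. The export format, field names, the severity weights, the remediation deadlines (SLA_DAYS), the finding identifiers (F-101 and so on) and the sample rows are all constructed for the illustration.

```python
"""Rank outstanding patches from a vulnerability-scan export.

Added example, not part of the original post. Orders unpatched findings
so that patches available the longest, weighted by severity, come first,
flags findings past an assumed remediation deadline, and groups the
result by patch so one rollout covers every affected host.
"""
import csv
import io
from datetime import date

# Assumed remediation deadlines in days from patch availability (illustrative).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Assumed severity weights used to scale age into a priority score.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Fixed "today" so the example is reproducible.
AS_OF = date(2018, 5, 1)

# Constructed scan export; real scanners emit something similar (host,
# finding id, severity, date the vendor patch shipped, patched yes/no).
SAMPLE_EXPORT = """host,finding,severity,patch_available,patched
web-01,F-101,high,2018-01-15,no
web-01,F-102,critical,2018-03-20,no
web-02,F-101,high,2018-01-15,yes
db-01,F-103,medium,2017-11-02,no
db-01,F-102,critical,2018-03-20,no
app-03,F-104,low,2018-04-01,no
"""


def parse_export(text):
    """Parse the CSV export into dicts, rejecting severities we cannot rank."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        sev = row["severity"].strip().lower()
        if sev not in SEVERITY_WEIGHT:
            raise ValueError(f"unknown severity {row['severity']!r}")
        rows.append({
            "host": row["host"].strip(),
            "finding": row["finding"].strip(),
            "severity": sev,
            "patch_available": date.fromisoformat(row["patch_available"].strip()),
            "patched": row["patched"].strip().lower() == "yes",
        })
    return rows


def prioritize(rows, today=AS_OF):
    """Return unpatched findings, highest (age x severity) score first."""
    pending = [r for r in rows if not r["patched"]]
    for r in pending:
        r["days_outstanding"] = (today - r["patch_available"]).days
        r["score"] = r["days_outstanding"] * SEVERITY_WEIGHT[r["severity"]]
        r["sla_breached"] = r["days_outstanding"] > SLA_DAYS[r["severity"]]
    # Ties broken by host name so the order is deterministic.
    return sorted(pending, key=lambda r: (-r["score"], r["host"]))


def work_queue(rows, today=AS_OF):
    """Group the ranked findings by patch: one rollout per patch, all hosts."""
    queue = {}
    for r in prioritize(rows, today):
        entry = queue.setdefault(
            r["finding"], {"hosts": [], "max_score": r["score"], "breached": False}
        )
        entry["hosts"].append(r["host"])
        entry["breached"] = entry["breached"] or r["sla_breached"]
    return sorted(queue.items(), key=lambda kv: -kv[1]["max_score"])


if __name__ == "__main__":
    for finding, entry in work_queue(parse_export(SAMPLE_EXPORT)):
        flag = "SLA BREACHED" if entry["breached"] else "within SLA"
        print(f"{finding}: score {entry['max_score']}, {flag}, hosts {entry['hosts']}")
```

Run stand-alone, the script puts F-103 first (a medium-severity patch that has sat unapplied for 180 days outranks a 42-day-old critical one under these weights), and shows F-102 as a single rollout covering both db-01 and web-01. The weights and deadlines are the part to argue about with your own teams; the point is that once they are written down, ordering the queue is no longer a manual coordination exercise.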

“Retain talent by focusing on culture and environment.”

  • Make sure your people have personal professional growth paths. Reward and acknowledge them for work well done.

Get hold of the complete report of the survey results, and share them with your colleagues and managers. Then, get to work improving patching of operating systems and applications at your business. Those two steps may be the biggest you can take most quickly toward better cybersecurity. (See my post, “4 Things You Can Do to Deal with GDPR, the IoT, and Social Engineering More Effectively,” for the other two steps you should take. Now.)

Michael Dortch

As an IT industry analyst, consultant, journalist, and marketer, Michael Dortch has been creating content that translates “bits and bytes” into “dollars and sense” for more than four decades. Michael has been a senior analyst at Aberdeen Group, Robert Frances Group, Constellation Research, and Yankee Group. He has also served in senior content development, marketing, and public relations roles at Huawei Technologies USA, Ivanti, LANDESK, and ServiceNow. Michael currently develops content for several startups and established companies, directly and through select agencies. More information is available at