Thought for the day: Are you guilty of corporate stupidity?

Return on investment is a very sensible business idea, yet many companies are practising what could be called negative return on investment by choosing IT products that cost them more money the longer they have them. In the current business environment, this could be described as corporate stupidity.

Using software that requires frequent patching because of security problems is like pouring money down the drain. What’s more, it is a situation that is totally unnecessary because there are solutions to the problem.

When a security patch alert is issued, you can stop whatever it is that you are doing, no matter how important or crucial, and spend the day (or next several days) applying patches to servers. Or you can carry on with what you were doing and hope that nothing will happen.

Installing patches is a boringly repetitive and uninspiring chore, which usually requires expensive, skilled technical staff (who are probably in short supply) to carry it out. Servers often have to be brought down, so the natural tendency is to postpone patching. When you postpone, you are accepting insecurity as a way of life.

On the other hand, if you take the route of applying patches immediately, skilled staff become engaged in firefighting. Commitments to deliver in other areas go out of the window, leaving the IT department’s reputation in tatters.

The financial implications of patching are considerable. Employing skilled IT staff to firefight is a waste of money, and it has the knock-on effect of business plans being held up by delays from the IT department. There is also the disruption of having systems out of action while servers are being fixed.

One solution to the problem of patching is to choose software that is more secure and has less need for patches.

Figures recently released by software supplier Zeus show a huge difference in the annual cost of applying security patches to the three leading web servers.

In 2002 it cost Microsoft Internet Information Services users about £30,000 to apply security patches to 10 servers. In contrast, it cost Apache users £7,000 and Zeus users £120.

Another solution is to use security appliances where possible. These use hardened operating systems and eliminate many of the shortcomings of server-based security. The success of appliances over the past couple of years can be seen, in part, as a direct response to the issues of negative return on investment through server patching.

Given the availability of other options and the increasing costs and risks involved with the deployment of software security patches, it is hard to understand why some people will continue to waste time, effort and money on patching.

As time goes on, we will see the majority of IT managers starting to use secure web servers or security appliances rather than simply patching their applications.

Not only will this provide them with increased security, it will also enable them to grasp the holy grail of IT: positive return on investment.

What do you think?

Is there a better way to maintain security that doesn't entail constant patching? Tell us in an e-mail. The publisher reserves the right to edit and publish answers on the website. Please state if your answer is not for publication.

Ian Kilpatrick is chairman of e-business security supplier Wick Hill Group