Security Think Tank: Software patching needs executive sponsorship

What strategies can companies adopt to keep up with, and deal with, the huge volume of software updates they face?

Organisations have continued to face the same issues around patch management for over a decade now. Leading issues include patch volumes, resources to do patching and line-of-business reluctance to have “their” systems unavailable for any time at all.

Until recently, at least one leading UK-based organisation had not deployed any patches to a system for an astonishing five years because it was deemed “too vital”.

First and foremost, organisations must be dedicated to patching vulnerabilities, and this requires executive sponsorship. Patch volumes are unlikely to reduce, so without a dedicated approach, an organisation will not be able to keep pace with the patches it must deploy.

To be dedicated to patching vulnerabilities, an organisation needs a formal patching policy, which must:

  • Identify the rationale (to business leaders) for rapid patching;
  • Explain who owns the patch management policy and process;
  • Describe where the funding comes from to support patching;
  • Give guidance on the patch management process itself (for example, permitted exceptions from patch management).

Also, an organisation should have a framework for patch management that covers all the prerequisites to successfully manage system and software vulnerabilities. This includes:

  • Identifying roles and responsibilities for patch management;
  • Identifying and classifying devices;
  • Aligning patch management with other operational processes (where possible);
  • Maintaining up-to-date knowledge of the vulnerabilities that could affect the organisation.

Good practice used by ISF members includes:

  • Assessing the business impact of implementing patches (or not implementing a particular patch);
  • Having a method of deploying patches in a timely manner, including a process for dealing with the failed deployment of a patch.

Daily patch management is strongly recommended, but this is unlikely to be feasible for organisations that are not dedicated to patching vulnerabilities.

Where appropriate – and without scaremongering – executives should be alerted to the possibility of their organisation becoming the next high-profile news story because of poor patch management practices.

Maxine Holt is principal analyst at the Information Security Forum (ISF).