Security Think Tank: Tackle vital patching challenge with risk-based approach

What strategies can companies adopt to help keep up with and deal with the huge volume of software updates they are facing?

Patching is one of the areas where organisational security is frequently under strain and struggling to attain good quality processes in the face of increased threats and the resulting high volume of patches.

According to the Centre for the Protection of National Infrastructure (CPNI), disregard for patching represents a significant and growing problem for all businesses.

Patch management is part of an overarching configuration management regime, and should be harmonised with it and with the risk management regime. However, we know from experience that this is seen as too difficult and left in the capable – but laden – hands of the IT team.

In effect, many businesses are in a totally reactive, “patch everything as it comes” mode. This is stressful and inefficient and is no guarantee of a quality patch management system.

Businesses use a vast array of systems and applications, and starting from a risk perspective will help triage how we build our patch management regime.

In risk assessing each server and application, find out what information it uses or holds and how critical this information is: how important is the CIA (confidentiality, integrity and availability) of the information, and what would be the impact of its compromise?

Some areas will be more critical than others, and their patches should therefore be placed higher in the patching regime.

The same risk-based approach should be applied to the patches themselves. With the understanding of each application and its CIA in mind, the next stage is to understand how critical (or not) the patches are so that their application can be prioritised. For instance, a critical security patch on a payroll application should take priority over a new feature for a marketing email system.

Without this system of risk assessing the effect of not patching (or of delaying and scheduling all non-critical updates and fixes), and of understanding the criticality of the system or application being patched, the continuation of patch pandemonium is assured.
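The two-stage triage described above (rate each system by its CIA impact, then rate each patch by its own criticality, and prioritise on the combination) can be written down as a small scoring model. The following is an added illustration, not code from the article or from any vendor's patch tooling; the 1-5 CIA scale, the 1-4 patch weights, the "deploy now" threshold and the sample assets and patch records are all constructed assumptions.

```python
"""Risk-based patch prioritisation: rank pending patches by the criticality of
the system they touch (its CIA impact) and the criticality of the patch itself.
Added illustration of the approach described in the article; the scoring
scales, asset names and patch records below are constructed, not taken from
any real inventory or vendor advisory feed."""
from dataclasses import dataclass
from typing import List, Tuple

# Patch criticality on an assumed 1-4 scale (not a vendor severity rating).
PATCH_WEIGHT = {
    "critical-security": 4,
    "important-security": 3,
    "bugfix": 2,
    "feature": 1,
}


@dataclass(frozen=True)
class Asset:
    """A server or application with its CIA impact ratings (1 = low, 5 = high)."""
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def criticality(self) -> int:
        # The asset is as critical as its worst-case CIA impact.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Patch:
    asset: Asset
    patch_id: str  # constructed identifier, not a real advisory number
    kind: str      # one of the PATCH_WEIGHT keys


def priority_score(patch: Patch) -> int:
    """Higher score = patch sooner. Asset criticality (1-5) x patch weight (1-4)."""
    return patch.asset.criticality() * PATCH_WEIGHT[patch.kind]


def schedule(patches: List[Patch]) -> List[Patch]:
    """Order patches from highest to lowest priority.
    Ties are broken by asset criticality so the more important system goes first."""
    return sorted(
        patches,
        key=lambda p: (priority_score(p), p.asset.criticality()),
        reverse=True,
    )


def triage(patches: List[Patch], deploy_now_threshold: int = 12) -> Tuple[List[Patch], List[Patch]]:
    """Split the ordered list into 'deploy now' and 'schedule for the next
    maintenance window'. The threshold is an assumed policy value."""
    ordered = schedule(patches)
    now = [p for p in ordered if priority_score(p) >= deploy_now_threshold]
    later = [p for p in ordered if priority_score(p) < deploy_now_threshold]
    return now, later


# Constructed sample inventory, mirroring the article's payroll vs marketing example.
PAYROLL = Asset("payroll", confidentiality=5, integrity=5, availability=4)
MARKETING_MAIL = Asset("marketing-email", confidentiality=2, integrity=2, availability=2)
INTRANET_WIKI = Asset("intranet-wiki", confidentiality=3, integrity=3, availability=2)

SAMPLE_PATCHES = [
    Patch(MARKETING_MAIL, "MKT-FEAT-01", "feature"),
    Patch(PAYROLL, "PAY-SEC-01", "critical-security"),
    Patch(INTRANET_WIKI, "WIKI-SEC-01", "important-security"),
    Patch(MARKETING_MAIL, "MKT-SEC-01", "critical-security"),
]

if __name__ == "__main__":
    now, later = triage(SAMPLE_PATCHES)
    print("Deploy now:")
    for p in now:
        print(f"  {p.patch_id:12} on {p.asset.name:16} score={priority_score(p)}")
    print("Schedule for next window:")
    for p in later:
        print(f"  {p.patch_id:12} on {p.asset.name:16} score={priority_score(p)}")
```

Note that the same critical security patch scores 20 on the payroll system but only 8 on the marketing email system, so it lands in different queues; this is exactly the point of rating the asset before rating the patch, and the threshold becomes a policy knob the risk owner sets rather than something the IT team improvises under pressure.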

We cannot escape patching, nor should we want to. If anything, the proliferation of patches serves to highlight how greatly the threat to our systems and information has increased.

It may take a time investment to get the configuration, risk and patch management harmonised, but given that the threat is never going to go away – if anything it will increase – making a priority of getting this right should be a business imperative.

Mike Gillespie is director of cyber research and security at The Security Institute.