Patching remains a challenge for many organisations, despite the abundance of automated patch management tools. It is not uncommon for organisations to be uncomfortably behind their patching schedule, sometimes hindered by the lack of appropriate skills, or the challenge of diverting otherwise deployed resources. Unpatched systems remain one of the major sources of cyber risk, exposing known vulnerabilities that can be exploited with increasing ease. So, as NCSC points out, “It is better to start small and make progress than feel overwhelmed by the task and do nothing”[i].
For many organisations, improving patching effectiveness is a key driver for cloud transformation programmes. Aligning cloud migration with patching priorities can:
- support investment decisions;
- chip away at the backlog of legacy patching; and,
- reduce corporate risk.
Appropriately adopting cloud technologies presents clear opportunities to reduce the patch management burden of server environments, whether consuming PaaS, SaaS, or even serverless computing. However, one often overlooked opportunity is to simplify workstation or endpoint patching. Where organisations can identify user communities that are using or moving to online services, be that public or private cloud, the opportunity exists to accelerate patch management improvement.
Patching environments that have multiple interdependencies between software and hardware platforms risks breaking something and impacting business-critical processes in a way that cannot be easily anticipated. However, appropriately managing these risks through integration testing away from production environments can take time, incur costs and require skilled resources.
While patch management may be essential to stay on top of the latest features and functionality of software applications, cyber-related risk remains the key driver for effective patch management. The software we all regularly use inevitably contains vulnerabilities, and exploitation of known vulnerabilities remains the greatest cause of security incidents, particularly on endpoint devices, which are often the front line of cyber defence.
Vulnerability and patch management helps protect sensitive information and avoid business disruption, whether required for regulation or protecting corporate reputation. For this reason, patch management should effectively support an organisation’s vulnerability management processes, allowing executive staff to be as aware of the major risks associated with their IT environment as they are of their broader corporate and financial risks.