Enterprise Patch Management is Critical to Your Business


According to NIST, Enterprise Patch Management is a critical and necessary cost of doing business…but what is it exactly?

NIST (National Institute of Standards and Technology) published a report this week titled Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology. This document had not been updated in nearly 10 years, but this recent version provides high-level guidance and recommendations when it comes to the process of patch management. We have provided snippets directly from the document’s summary below, highlighting the more salient points in bold and expanding on these points with additional insight.

Software used for computing technologies must be maintained because there are many in the world who continuously search for and exploit flaws in software. Software maintenance includes patching, which is the act of applying a change to installed software – such as firmware, operating systems, or applications – that corrects security or functionality problems or adds new capabilities. Enterprise patch management is the process of identifying, prioritizing, acquiring, installing, and verifying the installation of patches, updates, and upgrades throughout an organization. In past perimeter-based security architectures, most software was operated on internal networks protected by several layers of network security controls. While patching was generally considered important for reducing the likelihood of compromise and was a common compliance requirement, patching was not always considered a priority. In today’s environments, patching has become more important, often rising to the level of mission criticality. As part of a zero-trust approach to security, it is now recognized that the perimeter largely does not exist anymore, and most technologies are directly exposed to the internet, putting systems at significantly greater risk of compromise. This dynamic applies across all computing technologies, whether they are information technology (IT), operational technology (OT), Internet of Things (IoT), mobile, cloud, virtual machine, container, or other types of assets.

The evolution of technology has made security patch updates more crucial than ever. No single technique or tool will be the silver bullet for your management of IT security; it must be practiced in layers. We have seen many companies that are continually looking for that silver bullet when it comes to securing their systems, in hopes of avoiding all the other arduous activities. It simply does not exist in today's computing environment, and the effort is better spent executing a well-rounded set of techniques and solutions.

Zero trust architectures emphasize business asset-specific security over just protecting a network with assets on it, so patching is vital for reducing risk to those individual assets and determining the assets’ trust status. There is often a divide between business/mission owners and security/technology management. Business/mission owners may believe that patching negatively affects productivity, since it requires scheduled downtime for maintenance and introduces the risk of additional downtime if something goes wrong and disrupts operations. Leadership and business/mission owners should reconsider the priority of enterprise patch management in light of today’s risks. Patching should be considered a standard cost of doing business and should be rigorously followed and tracked. Just as preventive maintenance on corporate fleet vehicles can help avoid costly breakdowns, patching should be viewed as a normal and necessary part of reliably achieving the organization’s missions.
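The NIST summary above describes patch management as identifying, prioritizing, installing and verifying patches, and says the process should be rigorously followed and tracked. The script below is an added illustration of the identify, prioritize and track steps over a small constructed inventory; it is not code from the NIST guide or from this blog's authors. The asset names, software versions, advisories, and the remediation deadlines in SLA_DAYS are all assumed sample values, and the numeric-only version comparison is a deliberate simplification (real version schemes such as "1.1.1k" need a vendor-aware comparison).

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str              # IT, OT, IoT, cloud, ...
    internet_facing: bool  # directly reachable from the internet (no perimeter to rely on)
    installed: dict        # software name -> installed version string


@dataclass(frozen=True)
class Patch:
    software: str
    fixed_version: str     # first version that contains the fix
    severity: str          # critical | high | medium | low
    released: date


# Assumed remediation deadlines, in days after release; set these from your own policy.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def version_key(version: str) -> tuple:
    """Numeric-only comparison key: '1.20.1' -> (1, 20, 1). Letter suffixes are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def missing_patches(asset: Asset, patches: list) -> list:
    """Identify step: advisories for software the asset runs at a version older than the fix."""
    return [
        p for p in patches
        if p.software in asset.installed
        and version_key(asset.installed[p.software]) < version_key(p.fixed_version)
    ]


def patch_report(assets: list, patches: list, today: date) -> list:
    """Prioritize step: one row per (asset, missing patch), most urgent first.

    Internet-facing assets come first, then higher severity, then most overdue.
    """
    rows = []
    for asset in assets:
        for patch in missing_patches(asset, patches):
            deadline = patch.released + timedelta(days=SLA_DAYS[patch.severity])
            rows.append({
                "asset": asset.name,
                "kind": asset.kind,
                "internet_facing": asset.internet_facing,
                "software": patch.software,
                "installed": asset.installed[patch.software],
                "fixed_version": patch.fixed_version,
                "severity": patch.severity,
                "deadline": deadline,
                "days_overdue": (today - deadline).days,  # negative means still within SLA
            })
    rows.sort(key=lambda r: (not r["internet_facing"],
                             SEVERITY_RANK[r["severity"]],
                             -r["days_overdue"]))
    return rows


def compliance_rate(assets: list, patches: list, today: date) -> float:
    """Track step: fraction of assets with no patch past its deadline."""
    if not assets:
        return 1.0
    overdue = {r["asset"] for r in patch_report(assets, patches, today) if r["days_overdue"] > 0}
    return 1 - len(overdue) / len(assets)


# Constructed sample data: hypothetical hosts, versions and advisories, not real systems.
SAMPLE_ASSETS = [
    Asset("web-01", "IT", True, {"nginx": "1.20.1", "openssl": "3.0.7"}),
    Asset("plc-07", "OT", False, {"firmware": "2.3.0"}),
    Asset("lap-113", "IT", False, {"nginx": "1.22.0", "openssl": "3.0.7"}),
]
SAMPLE_PATCHES = [
    Patch("nginx", "1.21.0", "high", date(2024, 1, 2)),
    Patch("openssl", "3.0.8", "critical", date(2024, 1, 15)),
    Patch("firmware", "2.4.0", "medium", date(2023, 12, 1)),
]
SAMPLE_TODAY = date(2024, 1, 20)

if __name__ == "__main__":
    for row in patch_report(SAMPLE_ASSETS, SAMPLE_PATCHES, SAMPLE_TODAY):
        exposure = "internet-facing" if row["internet_facing"] else "internal"
        print(f"{row['asset']:8} {row['software']:9} {row['installed']} -> {row['fixed_version']} "
              f"{row['severity']:8} due {row['deadline']} overdue {row['days_overdue']:>3}d ({exposure})")
    print(f"assets within SLA: {compliance_rate(SAMPLE_ASSETS, SAMPLE_PATCHES, SAMPLE_TODAY):.0%}")
```

Run as a script, it prints the prioritized worklist and the share of assets within SLA. The ordering reflects the zero-trust point in the passage: an internet-facing host with a critical patch outstanding sits at the top regardless of how long an internal asset has been overdue, and the compliance figure is what a leadership team would track week to week rather than the raw patch count.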

Managing the patching process the same way a company would manage fleet vehicle maintenance is an apt comparison. Ransomware threat actors and other cyber criminals frequently exploit software vulnerabilities that could have been closed by a regular patching schedule, which is why applying security patch updates is so vital to any IT security strategy. As a company that provides patch management services, we don't see the main resistance to patching being downtime or cost (although these are factors). The key reason patching doesn't get done properly is a lack of operational maturity within IT security management: not having the right technical (and after-hours) staff available, lacking the knowledge of how best to perform patching, and not having the discipline to follow a regular patching schedule, especially when IT resources are being pulled in many other directions.

If an organization needs a particular technology to support its mission, it also needs to maintain that technology throughout its life cycle – and that includes patching. Leadership at all levels of the organization, business/mission owners, and security/technology management teams should jointly create an enterprise patch management strategy that simplifies and operationalizes patching while also improving its reduction of risk. This will strengthen organizational resiliency to active threats and minimize business and mission impacts. This publication provides recommendations for enterprise patch management planning.

From the executive boardroom to IT leadership, all levels of management within a company need to be aligned on managing IT security. If this alignment does not exist when it comes to applying software security updates and managing vulnerabilities, a cybersecurity event becomes likely. Managing IT security is time consuming, expensive, and extremely complex. The truth is that it will not be perfect and mistakes will be made, but constantly working to improve operational maturity is essential.

You can read the entire NIST report HERE.
