According to NIST, Enterprise Patch Management is a critical and necessary cost of doing business…but what is it exactly?
NIST (the National Institute of Standards and Technology) published a report this week titled Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology (NIST SP 800-40 Rev. 4). The previous revision had stood for nearly 10 years; this new version provides high-level guidance and recommendations on the patch management process. Below we pull the more salient points from the document's summary and expand on each with our own commentary.
The evolution of technology has made security patch updates more crucial than ever. No single technique or tool will be the silver bullet for managing IT security; it must be practiced in layers. We have seen many companies continually searching for that silver bullet in the hope of avoiding all the other arduous work. No such thing exists in today's computing environment, and the effort is better spent executing a well-rounded set of techniques and solutions, with patching as one layer among several.
NIST's comparison of patch management to fleet vehicle maintenance is apt: both are routine, scheduled, preventive work that is cheap relative to the failures it prevents. Ransomware operators and other cyber criminals frequently exploit software vulnerabilities for which a patch was already available, which is why applying security patches on a schedule is so vital to any IT security strategy. As a company that provides patch management services, we do not see downtime or cost as the main resistance to patching (although both are factors). The key reason patching does not get done properly is a lack of operational maturity in IT security management: not having the right technical (and after-hours) staff available, not knowing how best to perform patching, and not having the discipline to follow a regular patching schedule, especially when IT resources are being pulled in many other directions.
From the boardroom to IT leadership, every level of management within a company needs to be aligned on managing IT security. Where that alignment is missing for applying software security updates and managing vulnerabilities, a cybersecurity incident becomes far more likely. Managing IT security is time-consuming, expensive, and extremely complex. The truth is that it will never be perfect and mistakes will be made, but constantly working to improve operational maturity is essential.
You can read the entire NIST report HERE.