Why do so many companies fail at basic patch management?


It’s hard to know what to make of the initial findings of Rich Mogull’s ‘Project Quant’ survey of patch management practices.

To boil down over 60 pages of industry research to its essence, Project Quant reports that almost 50 percent of enterprises do not have a formal patch management process, 54 percent say they do not measure compliance with patch management policies, and 68 percent do not track patch time-to-deployment.

Most amazingly, of those companies that do measure patch compliance, 40 percent of them use end-user complaints to validate patch coverage.

What blows my mind is that at a time when industry and government are spending billions to combat threats to the integrity of their information, productivity, and reputation, nearly half of Project Quant respondents appear to be neglecting one of the most basic fundamentals of information security.

So, why, then? A number of plausible reasons present themselves.

The patch process is too confusing and disruptive for anyone to be really good at it. I sympathise with organisations endeavouring to maintain a modicum of patch currency on their assets. The dimensions of complexity stack up quickly—multiple operating systems and hardware platforms, innumerable applications, globally distributed infrastructures, murky visibility into the real configuration status of managed assets. And then there’s the gnawing worry that a poorly packaged patch, or the right patch winding up on the wrong assets, can trigger a career-shortening service outage.

Going naked may be a rational economic choice. The cost of developing and practising an excellent patch management programme may not be worth it to many organisations. Intriguingly, Project Quant indicates that compliance requirements, not a pure economic cost/benefit analysis, are the main factor driving organisations to pay attention to patch and configuration management.

One can argue that compliance is good for business, and therefore constitutes a sound economic rationale, but for most organisations, the relationship of compliance to economic benefit is hit and miss.

It is also true that a decision to underplay patch management may be a penny-wise-pound-foolish proposition, but here managers are comparing the hypothetical harms of lax configuration management with the certainty of higher costs.

Patch management—good, bad, or indifferent—is invisible. Before we make fun of the 40 percent of organisations that use end-user complaints to measure patch compliance, let’s think for a minute. Could it be that incumbent patch and system management tools provide such poor visibility that end-user complaints and other indirect metrics are the best that many organisations have?

Unfortunately, after speaking with many IT managers over many years, I can say that visibility remains a big problem. Worse, many treat invisibility as an immutable feature of the natural order of things or downplay its importance in security and system management. Either way, many IT security managers simply don’t know what they’re missing.
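The two figures the survey singles out, time-to-deployment and patch coverage, are cheap to compute once an organisation has an inventory it trusts. The script below is an added example, not code from the article or from Project Quant: it takes a constructed inventory of (host, patch, date applied) rows, computes coverage per patch, the distribution of days from release to deployment, and a list of hosts that are late, overdue, or simply unaccounted for. The patch identifiers, hosts, dates and 14-day SLA are all assumptions made up for the illustration; a real deployment would read the rows from a CMDB or endpoint-management API. Note that a host with no record at all is reported as "unknown" rather than silently folded into either side of the coverage ratio, which is exactly the visibility gap that end-user complaints end up papering over.

```python
"""Patch coverage and time-to-deployment metrics from an asset inventory.

Added example, not from the original article or Project Quant. All
patches, hosts, dates and SLA values below are constructed for
illustration; a real implementation would load them from a CMDB.
"""
import math
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Patch:
    patch_id: str
    released: date
    sla_days: int  # assumed internal policy: deploy within this many days


@dataclass(frozen=True)
class AssetRecord:
    host: str
    patch_id: str
    applied: Optional[date]  # None means the patch is known to be missing


# Constructed fleet and patch catalogue (not real identifiers).
FLEET: Tuple[str, ...] = ("h1", "h2", "h3", "h4", "h5")
PATCHES: Dict[str, Patch] = {
    "KB-A": Patch("KB-A", date(2009, 3, 10), sla_days=14),
    "KB-B": Patch("KB-B", date(2009, 3, 24), sla_days=14),
}

# Constructed inventory rows. h5 has no row at all for KB-A, which is a
# visibility gap and is reported separately from "missing".
INVENTORY: List[AssetRecord] = [
    AssetRecord("h1", "KB-A", date(2009, 3, 12)),
    AssetRecord("h2", "KB-A", date(2009, 3, 17)),
    AssetRecord("h3", "KB-A", date(2009, 4, 1)),
    AssetRecord("h4", "KB-A", None),
    AssetRecord("h1", "KB-B", date(2009, 3, 26)),
    AssetRecord("h2", "KB-B", date(2009, 3, 30)),
    AssetRecord("h3", "KB-B", None),
    AssetRecord("h4", "KB-B", None),
    AssetRecord("h5", "KB-B", date(2009, 4, 8)),
]


def coverage(records: Sequence[AssetRecord], patch_id: str,
             fleet: Sequence[str]) -> Dict[str, float]:
    """Deployed / missing / unknown counts for one patch across the fleet.

    Coverage is deployed divided by fleet size, so hosts with no record
    count against coverage instead of being quietly ignored.
    """
    seen = {r.host: r for r in records if r.patch_id == patch_id}
    deployed = sum(1 for h in fleet if h in seen and seen[h].applied is not None)
    missing = sum(1 for h in fleet if h in seen and seen[h].applied is None)
    unknown = len(fleet) - deployed - missing
    return {"deployed": deployed, "missing": missing, "unknown": unknown,
            "coverage": deployed / len(fleet)}


def time_to_deploy(records: Sequence[AssetRecord],
                   patches: Dict[str, Patch]) -> Dict[str, List[int]]:
    """Days from vendor release to deployment, per patch, deployed hosts only."""
    days: Dict[str, List[int]] = {pid: [] for pid in patches}
    for r in records:
        if r.applied is not None and r.patch_id in patches:
            days[r.patch_id].append((r.applied - patches[r.patch_id].released).days)
    return {pid: sorted(v) for pid, v in days.items()}


def percentile(values: Sequence[int], pct: float) -> int:
    """Nearest-rank percentile over a non-empty, sorted sequence."""
    rank = math.ceil(pct / 100 * len(values))
    return values[max(rank, 1) - 1]


def sla_status(records: Sequence[AssetRecord], patches: Dict[str, Patch],
               fleet: Sequence[str], as_of: date) -> List[Tuple[str, str, str]]:
    """Hosts that are late (deployed after the SLA deadline), overdue (still
    missing after the deadline), or unknown (no inventory row at all)."""
    seen = {(r.host, r.patch_id): r for r in records}
    findings = []
    for pid, patch in patches.items():
        deadline = patch.released + timedelta(days=patch.sla_days)
        for host in fleet:
            rec = seen.get((host, pid))
            if rec is None:
                findings.append((host, pid, "unknown"))
            elif rec.applied is None:
                if as_of > deadline:
                    findings.append((host, pid, "overdue"))
            elif rec.applied > deadline:
                findings.append((host, pid, "late"))
    return findings


if __name__ == "__main__":
    ttd = time_to_deploy(INVENTORY, PATCHES)
    for pid in PATCHES:
        cov = coverage(INVENTORY, pid, FLEET)
        print(f"{pid}: coverage {cov['coverage']:.0%} "
              f"(deployed {cov['deployed']}, missing {cov['missing']}, "
              f"unknown {cov['unknown']}); median {median(ttd[pid])}d, "
              f"p90 {percentile(ttd[pid], 90)}d")
    for host, pid, state in sla_status(INVENTORY, PATCHES, FLEET, date(2009, 4, 10)):
        print(f"  {host} {pid}: {state}")
```

The distinction between "missing" and "unknown" is the point of the exercise: a coverage figure that only counts hosts the tooling happens to report on will flatter the programme exactly where it is weakest.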

Security fatigue leads many organisations to say, “Ah, to hell with it.” The volume and stridency of security marketing messaging continues to ratchet upwards. And if marketers believe their messages aren’t getting through, they’ll repeat them louder and more shrilly.

The real danger is not that IT and security managers will tune out the messaging, but that they will shift their focus away from prudent, meat-and-potatoes measures (such as patch and configuration management) and devote inordinate resources to pre-empting exotic, black swan threats. Basic patch and configuration management will not make an enterprise invulnerable, but it will often make it resistant enough to convince an attacker to seek easier pickings somewhere else.

That, strictly speaking, may not sound neighbourly, but community security is often the sum of individual securities.

Because Project Quant is a user survey, it is too easy to read its findings as an exposé of benighted end users. But the real blame for the ragged state of configuration management may lie more with vendors than with their customers.

Enterprise infrastructures, from their architecture down to the configuration details of individual computers, can be too complex to manage with complete precision. Patch and configuration management “solutions” themselves can not only magnify this complexity, but sometimes seem to have been created with obscurity, coverage gaps, and ambiguity as design goals.

While I commend those IT organisations that field effective, efficient patch and configuration management programs, I can certainly understand why nearly half of the IT world remains in a condition of fear, uncertainty, and doubt. It doesn’t have to be that way.
