The Art of Patch Management

The Art of Patch Management

Malware exists to exploit vulnerabilities discovered in software. Patches exist to fix those vulnerabilities. So why do so many vulnerabilities remain unpatched? Why is patch management so complicated?

Sadly, security and IT professionals don’t live in a patch-everything-right-away fantasy land. Trade-offs and compromises are dictated by the conflicting priorities and interests within large organizations.

And people are people. Humans have cognitive biases that cause them to behave irrationally. The most dangerous of these biases is called hyperbolic discounting. People tend to choose smaller rewards now over larger rewards later. When offered a choice between avoiding patch-related headaches now and avoiding cyberattack-related headaches later, most people are drawn to the former. Bolstering this irrational choice is the false idea that “maybe we’ll get lucky and nobody will attack us.”

Not all patches are created equal. Some are urgent, others are not. Some require rebooting, others do not. Some can jam third-party applications, others cannot. The vagaries of complex systems and organizations, compounded by the irrationality of the human mind and variations in patches themselves, means that patch management is not an exact science — it’s an art.

Why Patch Management Is Indispensable

Patch management is an umbrella term for the process of knowing about, acquiring, testing, installing and following up on patches.

According to Accenture, cybercrime could cost businesses $5.2 trillion over the next five years. How much of that cost could be prevented by the massively lower cost of good patch management? Expert estimates on the number of new vulnerabilities revealed in 2018 ranged from patch management