In reality, despite all the attention software flaws have gotten the last few years, programs designed to keep up with security patches – even the most critical patches – are not yet well-oiled machines in most organizations.
Microsoft's April security bulletin included eight patches: five labeled critical, and another three important. How many organizations can handle that many patches in a timely manner? How many can handle that number of Microsoft patches in addition to the plethora of patches from other software vendors, ranging from Symantec to SAP? Not many, according to a recent INS survey of 120 IT professionals.
The survey, conducted in January, found that while 20 percent of respondents are very confident that their patch management program keeps their networks and systems safe from exploits aimed at known software vulnerabilities, half of the remaining respondents don't have enough resources to apply patches in a timely manner, and 31 percent don't bother to test patches prior to implementation. Compounding the problem, 39 percent only apply patches at fixed intervals instead of when required based on severity and risk. And even that only works if you have a complete software inventory to ensure that all vulnerable systems and devices are actually getting patched; more than one-third of respondents can't even make this claim.
Patch management for too many organizations has fallen into the netherworld of "nice to have, but not a priority." The reasons for this state of affairs are multifaceted, but leading the list has to be that showing a return on investment (ROI) in a patch management program is difficult and won't ever compare to the ROI for a hot new application that's tied to revenue.
In fact, patch management is not about new revenue; it's about revenue loss prevention. And the potential for revenue loss is not always compelling to CIOs under constant pressure to show how IT supports business initiatives aimed at revenue growth. Perhaps this explains why more than two-thirds of survey respondents have not even tried to measure the ROI prior to implementing a patch management process along with the tools to support it.
But the real problem may be that thinking only in terms of revenue loss is too narrow, for patch management can also lead to tangible cost savings. For instance, part of a comprehensive patch management process should be assessing current systems and applications. For most organizations, this process is likely to uncover applications that are either underutilized or no longer supported, providing little functionality. Frequently, maintenance is still being paid on them, not to mention the hidden cost of the server capacity they consume. Eliminating these old and underutilized applications can significantly reduce costs, and often enables server consolidation, which will further lower costs.
So what are IT organizations doing about patch management? Well, according to the INS survey, 72 percent are in the process of formalizing their patch management program, but 41 percent also say that lack of in-house resources to manage the program is a significant problem. Clearly, a program – formal or informal – won't work without the resources to manage it.
The obvious, but difficult, solution is to bite the bullet and conduct an ROI analysis to determine not only the potential revenue loss from not patching critical systems (such as stolen customer data that results in lower sales of that hot new app) and the potential cost savings from retiring or consolidating older systems, but also the cost of dedicating sufficient resources to maintain the program. In my experience, when everything is accurately accounted for, the results will show a positive return on a patch management program investment. And though it may not be as eye-popping as the ROI projections for a new online service, at least it will get you on the next project planning agenda.
The author is a Senior Manager, Strategic Marketing, INS.