

How should CISOs handle security patching with IT administrators?

What role does the CISO play when it comes to security patching? Expert Mike O. Villegas discusses the best way to share patch management responsibilities.

Symantec's annual "Internet Security Threat Report" highlighted some major enterprise concerns, with one of the biggest being a lack of proper vulnerability patching. Specifically, the report stated that over the last three years, more than 75% of websites scanned by Symantec contained unpatched vulnerabilities. What should CISOs do to make security patch management a bigger priority for enterprises? Can CISOs work with IT administrators and website managers to tackle the problem, and if so, how?

Patching is a prevention measure that protects systems from unauthorized users, malware or errors that adversely affect normal processes. Products such as Microsoft Office, antivirus, network devices, Linux and Windows servers, midrange computing and large mainframes all need security patches, program temporary fixes or updates. Updates are different from patches, but it's helpful to discuss them together, since some updates not only provide enhancements to products but may also eliminate errors and possible vulnerabilities. Security patching can be automated, but many organizations choose to patch selectively because of limited time or system availability constraints. Selective security patching is typically done manually during scheduled system outages.

Some organizations are diligent about security patching on Patch Tuesdays, while others may still have patches to implement that are over three months old. Most organizations make every effort to apply patches within 30 days of the patch notice. However, a significant number of companies do not consider patching a priority until the vulnerability has been exploited and results in an outage or breach, or until it's required to attain compliance with standards such as PCI DSS. Vulnerability scanners are helpful tools that can identify missing critical patches and give enterprises a clearer view of their patch status.

Security patching can and should be done by system administrators, but security teams may be in charge of monitoring critical security patches. Security teams may also request the testing and application of patches within the standard 30-day period. Where automatic patch updates are not used, patch implementation should be subject to the installation's change control procedures.

In addition to maintaining current patch levels, enterprise CISOs should take certain steps to strengthen the patching process, including:

  • Outline a vulnerabilities and patching policy that the enterprise uses to handle the identification of vulnerabilities, roles and responsibilities related to patching activities, sources for identifying vulnerabilities and the sources for identifying required patches;
  • Establish a patching committee of technical management and staff who are responsible for identifying vulnerabilities and ensuring that the requisite patches or mitigating actions are prioritized and applied;
  • Maintain the patch management software that automatically keeps desktops, laptops and remote users up to date with the latest security patches and software updates;
  • Subscribe to an alerting service -- typically from vendors for software requiring patches -- that will supply information of new vulnerabilities and associated patches; and
  • If the enterprise is subject to PCI DSS compliance, make sure it meets PCI DSS requirement 6.2, which requires that all system components and software have applicable vendor-supplied security patches installed within one month of release.
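The 30-day window mentioned above, and the PCI DSS 6.2 one-month requirement in the last item, are easiest to enforce when missing-patch findings are measured against a fixed report date and handed to the responsible team. The following script is an added example and is not from the original article; it assumes a vulnerability scanner export of missing patches per host (here a constructed sample with placeholder patch ids, not real vendor bulletins) and buckets each finding as within the window, overdue, or stale (the "over three months old" case), then counts overdue items per owning team for the patching committee.

```python
"""Patch-window report: flag missing patches older than the 30-day window.

Added example, not part of the original article. The findings below are
constructed sample data; real input would come from a vulnerability
scanner export (CSV/JSON) of missing patches per host.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

SLA_DAYS = 30      # "within 30 days of patch notices" / PCI DSS 6.2 one month
STALE_DAYS = 90    # patches "over three months old"
REPORT_DATE = date(2016, 11, 15)   # constructed report date for the sample


@dataclass(frozen=True)
class MissingPatch:
    host: str
    patch_id: str     # advisory id as reported by the scanner (placeholder here)
    severity: str     # scanner severity: critical / high / medium / low
    released: date    # vendor release date of the patch
    owner: str        # team responsible for applying it (from the asset inventory)


# Constructed sample findings; patch ids are placeholders, not real bulletins.
SAMPLE_FINDINGS: List[MissingPatch] = [
    MissingPatch("web-01", "VENDOR-PATCH-0001", "critical", date(2016, 8, 9), "web-ops"),
    MissingPatch("web-01", "VENDOR-PATCH-0002", "high", date(2016, 10, 11), "web-ops"),
    MissingPatch("db-01", "VENDOR-PATCH-0003", "critical", date(2016, 10, 25), "dba"),
    MissingPatch("hr-laptop-07", "VENDOR-PATCH-0004", "medium", date(2016, 7, 12), "desktop"),
    MissingPatch("mainframe-01", "VENDOR-PATCH-0005", "high", date(2016, 11, 1), "mainframe"),
]


def patch_age_days(finding: MissingPatch, as_of: date) -> int:
    """Days elapsed since the vendor released the patch."""
    return (as_of - finding.released).days


def classify(findings: List[MissingPatch], as_of: date,
             sla_days: int = SLA_DAYS,
             stale_days: int = STALE_DAYS) -> Dict[str, List[MissingPatch]]:
    """Bucket missing patches by how far past the patch window they are.

    within_sla : still inside the sla_days window
    overdue    : past sla_days but not yet stale_days
    stale      : past stale_days (the "over three months old" case)
    """
    buckets: Dict[str, List[MissingPatch]] = {"within_sla": [], "overdue": [], "stale": []}
    for f in findings:
        age = patch_age_days(f, as_of)
        if age > stale_days:
            buckets["stale"].append(f)
        elif age > sla_days:
            buckets["overdue"].append(f)
        else:
            buckets["within_sla"].append(f)
    return buckets


def overdue_by_owner(findings: List[MissingPatch], as_of: date,
                     sla_days: int = SLA_DAYS) -> Dict[str, int]:
    """Count of patches past the window per responsible team (includes stale ones)."""
    counts: Dict[str, int] = {}
    for f in findings:
        if patch_age_days(f, as_of) > sla_days:
            counts[f.owner] = counts.get(f.owner, 0) + 1
    return dict(sorted(counts.items()))


def window_compliant(findings: List[MissingPatch], as_of: date,
                     sla_days: int = SLA_DAYS) -> bool:
    """True when no missing patch is older than the window (the PCI DSS 6.2 check)."""
    return all(patch_age_days(f, as_of) <= sla_days for f in findings)


def print_report(findings: List[MissingPatch], as_of: date) -> None:
    """Human-readable summary for the patching committee."""
    buckets = classify(findings, as_of)
    for bucket, items in buckets.items():
        print(f"{bucket}: {len(items)}")
        for f in sorted(items, key=lambda x: -patch_age_days(x, as_of)):
            print(f"  {f.host:<14} {f.patch_id:<18} {f.severity:<9} "
                  f"{patch_age_days(f, as_of):>4} days  owner={f.owner}")
    print("overdue per owner:", overdue_by_owner(findings, as_of))
    print("within window:", window_compliant(findings, as_of))


if __name__ == "__main__":
    print_report(SAMPLE_FINDINGS, REPORT_DATE)
```

The thresholds are parameters so the same report can be run with a tighter window for internet-facing hosts, and the per-owner count maps directly onto the roles-and-responsibilities section of the patching policy: each team sees its own overdue queue rather than one undifferentiated scanner dump.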

Security patching can be tedious and seemingly unrewarding work, but when they're kept current, patches effectively -- and without fanfare -- prevent major vulnerabilities from being exploited. However, if security patching is neglected, eventually it will result in expensive interruptions that will require remediation resources after a breach or outage.



This was last published in November 2016
