Patch management is one of the key security controls or processes that can help you keep the systems connected to the network secure and an unattractive target for malware attacks.
Depending on your organization's culture and size, the patch management process typically involves the IT operations or infrastructure team taking care of upkeep. Some organizations may opt to have their security teams be the primary owners of patching -- but this is generally not a best practice.
The word upkeep does make it sound like a daunting task, especially if the team is burned out or stretched too thin from their day-to-day job responsibilities. The upkeep tasks typically involve obtaining the patches, testing them, documenting the testing for approval and installing them. The prerequisites for patch management are having systems in place responsible for discovering assets on the network and having a public or private repository set up to enable systems to fetch updates.
Now that we have the definition of patch management out of the way, let's discuss why most CISOs continue to struggle with their IT infrastructure teams to keep system patches up to date. There are two sides to this coin.
Let's start from the CISO perspective. A CISO is probably asking, how do I work with the patch management team effectively to get all the systems up to date with patches without missing a beat? What is the right patch management process for this organization? Who should the stakeholders be, and does everyone have a clear understanding of their systems and all the data elements in play? How should I prioritize the application of patches based on risk?
From the patch management team's perspective, however, there are challenges and hurdles on multiple fronts. The team is dodging the CISO as much as possible, not because they do not want to patch, but because they either don't know where to start or don't have any updates to provide or enough information to formulate a sustainable working patch management process.
Perfecting the patch management process
To have a sustainable, working patch management program, you need to first open up the two-way communication street. Identify and understand the systems under the hood inside out, as well as the business processes and data elements that are in play.
Then, customize and integrate patch standards into the current IT infrastructure and business processes -- and do not ask the patch management team to figure out how to retrofit their process into the standards that you have proudly developed. After all, patch management is not a one-size-fits-all solution.
Without first understanding how business systems interconnect, the back-end processes, the data elements moving from point A to point B, how to normalize the information gathered, how to map it back to your risk-based algorithm, how to inject the data gathered, and how to automate the patch management process, your patch management team will continue to treat all the systems with the same risk level, and they will apply every single approved patch manually.
And, before you know it, the team will drown silently in the testing cycle, push a bad patch to production, causing massive disruption to the business, and CISOs will find themselves sitting in the corner of the room along with others trying to explain the root cause to the business executives. Meanwhile, in their minds, CISOs are asking themselves if the patch management team knows what they are doing, and if they should put a stop to patching altogether -- which, of course, is not the best option.
Patch management is vital to properly protect your organization from unwanted visitors and threats while keeping your systems stable and in a working functional state. It is inevitable that issues will crop up, and working together with the IT and business team is one of the key ingredients to success.
Collect as much relevant information as possible when developing your patch management program and execute it by partnering with the business and the IT department. Without their support, the patch management program will never be successful.