Martin McGregor

Fostering a culture of empathy and pragmatism for effective patch management

Patch management is a tough nut to crack. 

Even with all the information available out there, patching remains a notoriously challenging IT task that companies of all sizes struggle with.  

So what is the problem here? Why do companies from all industries and of all sizes struggle with patching? 

As someone who has spent a considerable part of my career helping businesses with patch management, I've discovered it's not just a lack of resources and time-consuming processes that make patching difficult. Communication breakdowns and departmental silos are often the underlying issues that get in the way of patching. 

These issues are rarely the first thing stakeholders think of, but they can be the catalyst for problems with patching.

Effective patch management starts with communication 

The companies I've seen struggle the most with patching are the ones with poor communication between departments. 

The reason? 

When departments work in silos, their goals and priorities become misaligned, which hampers patching initiatives. This lack of communication can also lead to establishing policies and processes that fail to consider the available resources. 

So, before organisations can develop a patching policy, they need to establish robust communication channels between all stakeholders. This is the foundation upon which a successful patching policy is built. 

A healthy relationship between the security and tech teams, with open dialogue and collaboration, is especially pivotal for efficient decision-making and timely patch implementation. 

Foster a culture of empathy 

A lack of empathy can create friction between teams, hindering their understanding of each other's goals and available resources. 

Regular meetings, cross-team collaboration and open communication can foster understanding and empathy, enabling teams to appreciate the challenges and contributions of their colleagues. 

Understand the security team's perspective  

A business running as normal is a success for the security team, but their contributions are often underestimated, leading to a lack of support from other departments. Similarly, without effective communication and collaboration, the security team may fail to understand the capacity of other teams and develop policies that are impractical with the available resources. This disconnect can impede progress in patch management. 

Creating a sustainable patching policy  

A sustainable patching policy is one that balances the need for security with operational realities. It considers factors such as system criticality, risk assessment, available resources and business impact. 

Set realistic expectations about how much effort and time it will take to complete a patch cycle. Consider what resources are needed and the availability of those resources on a consistent basis. 

Continuous improvement is key to maintaining an effective and sustainable patching process. Regularly review and update the patching policy to reflect changes in the IT landscape, emerging threats, and industry best practices. 

Start with visibility  

If IT teams do not know what systems exist, where those systems are located, or how significant the data they contain is, they will not be able to patch effectively.

Think about it this way: you can't fix what you don't know exists.  

Visibility minimises the chances of vulnerabilities going unnoticed. This is why establishing visibility is the first step towards creating a sustainable and effective patching policy. 

Prioritise patching the critical assets 

I think it can be overambitious to want to patch all systems and tackle all vulnerabilities en masse. 

Instead, start with the critical assets and gradually work on patching other systems and applications over time. 

By focusing on patching critical assets first, you can secure the systems, applications and infrastructure most essential for business continuity.  

To successfully implement this risk-based approach, conduct a thorough assessment of your assets. Identify critical systems and prioritise them based on their importance to the business and the sensitivity of the data they contain.  

Develop a policy based on incremental goals 

A patching policy based on incremental goals facilitates steady progress toward compliance. This is what organisations should aim for instead of expecting immediate compliance.  

By breaking the patching process into manageable chunks, teams can make steady progress towards compliance. Meeting these smaller goals demonstrates a commitment to fulfilling objectives and builds credibility with auditors and regulators. 
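As an added illustration (not part of the original article) of the risk-based ordering described under "Prioritise patching the critical assets" and the incremental goals above, the following Python sketch scores each pending patch by asset criticality, data sensitivity and patch severity, and reports progress against a per-tier milestone. The inventory, the scoring weights and the patch identifiers are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed sample data: hostnames and "KB-" patch ids are placeholders.
# criticality and sensitivity run 1 (low) to 3 (high); severity follows the
# low/medium/high/critical ordering most scanners report.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Asset:
    name: str
    criticality: int            # importance to business continuity
    sensitivity: int            # sensitivity of the data it holds
    pending: dict = field(default_factory=dict)   # patch id -> severity


INVENTORY = [
    Asset("payments-db", 3, 3, {"KB-001": "critical", "KB-002": "low"}),
    Asset("hr-portal", 2, 3, {"KB-003": "high"}),
    Asset("marketing-site", 1, 1, {"KB-001": "critical", "KB-004": "medium"}),
    Asset("build-agent", 2, 1, {}),
]


def risk_score(asset, severity):
    """Rank one (asset, patch) pair: a higher score means patch sooner."""
    return asset.criticality * asset.sensitivity * SEVERITY[severity]


def patch_queue(inventory):
    """Return (score, asset name, patch id) triples, most urgent first.
    The same patch can land at very different positions on different assets."""
    work = [(risk_score(a, sev), a.name, pid)
            for a in inventory for pid, sev in a.pending.items()]
    return sorted(work, key=lambda w: (-w[0], w[1], w[2]))


def milestone_progress(inventory, min_criticality):
    """Share of assets at or above a criticality tier with no pending patches,
    i.e. progress on an incremental goal such as 'all tier-3 assets patched'."""
    tier = [a for a in inventory if a.criticality >= min_criticality]
    if not tier:
        return 1.0
    return sum(1 for a in tier if not a.pending) / len(tier)


def apply_patch(inventory, asset_name, patch_id):
    """Record a deployed patch by removing it from that asset's backlog."""
    for a in inventory:
        if a.name == asset_name:
            a.pending.pop(patch_id, None)


if __name__ == "__main__":
    for score, name, pid in patch_queue(INVENTORY):
        print(f"{score:3d}  {name:15s} {pid}")
    print("tier-3 milestone:", milestone_progress(INVENTORY, 3))
```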

The role of a security professional is that of a negotiator between the business, IT, external auditors and regulators. They must actively engage in dialogue, understand stakeholder concerns and bridge gaps to facilitate productive collaboration, ensuring compliance requirements are met. 

Leverage automation 

Modern solutions and automation are a game-changer for patch management. 

From scanning systems for vulnerabilities to deploying and testing patches, automation can streamline the entire patch management lifecycle.  

Modern solutions enable IT teams to centrally control and monitor the patching process, ensuring updates are applied uniformly across the network. They can also provide real-time visibility into the patch status of each system. 

By reducing the time spent on manual updates, organisations can allocate resources more efficiently and minimise the burden on IT teams over time.  

Think about patching business systems like any business initiative. How can you invest in this capability effectively, and return value to the business long term? The answer is often by investing in automation. 

A foundation for change 

Without effective communication and a good dynamic between all stakeholders, patching will continue to be an arduous task for companies to manage. 

With the right foundation, organisations can prioritise patch management and overcome the challenges—both the ones regularly considered and the ones less thought of. 

These foundational steps lay the groundwork for companies to implement an efficient patching policy and achieve success in their patch management efforts. For tips on developing an effective patching policy, take a look at our article on best practices for patch management. 
