Security Manager's Journal: Progress at last on the patching front, and a new priority

Computerworld - This week, I got an indication that my fledgling security organization will be able to finally lay its first big initiative to rest and move on to other things. For me, that will be the budget, but before I tell you about that, I should report on the latest developments in the patching saga.

As we've sought support for building a vulnerability remediation program that has the patching of critical systems at its core, my team and I have been attacking on two fronts. I've handled the frontal assault, meeting with systems administrators and business leaders to raise awareness of the need to regularly update our systems. On the flanks, my team has been working to produce policy statements that, when signed by our senior executives, will demonstrate that we have support from the highest levels.

Progress on both fronts has been slower than I would have hoped for, but we are gaining ground. The week's best news was the approval of a patching policy by our legal department. This means that senior management is now cleared to sign the policy and thus relieve me of the ultimate responsibility for instituting patching. Our CIO has assured me he's prepared to sign off on this policy. His explicit backing should put this matter in a new light for those in the IT department who are still balking.

I honestly don't know how any experienced systems administrator in this day and age can put up resistance to a comprehensive patching program. The dangers of leaving systems unpatched overwhelm me, but they don't seem to bother a lot of our sysadmins very much.

Nonetheless, between my nearly constant jawboning on the subject and the imminent approval of the patching policy, I think we could be on the verge of winning this fight -- even though at this point, the systems administrators are clearly trying to avoid me. I expect our adversaries to give in resignedly rather than come over to my point of view enthusiastically, but that's OK. Either way, we can begin the serious work of getting our systems in order.

Just Logistics

There will be plenty of work to do. We are going to have to define a process for testing patches. How and when will we deploy them? How are we going to go about catching up with several years' worth of missed patches? But although working out those details will take some skill, those are really just questions of logistics, and I'm confident we'll knock it all into shape.

So, at long last, I think I can say that kick-starting a regular patching program is no longer my top priority. Like everyone else, as the end of the year approaches, I've made budget planning my new top priority.

As I contemplate how to budget for 2009, I have to consider what's going to be best for a security organization that's still in its first year and serves an enterprise with limited maturity. I need to choose the security initiatives that will be the foundation of our risk management efforts, keeping in mind, of course, that we are in an economic climate that makes it impossible to spend freely on tools and staff.

Open-source tools are appealing, given the budgetary circumstances, but my company is too big for open source to be widely used. I'm not ruling it out, and I'll probably employ it where it makes sense, but it will have to be considered judiciously.

I figure that I will identify three to five significant components of a foundational security infrastructure, with a mix of defensive and detective controls, and focus my efforts on those. But which should I choose, and how many will ultimately be approved? I'll keep you informed as I come up with answers.