Patching Program Still Under Fire

Having allies on the business side helps, but the sysadmins who will do the work remain unconvinced.

My situation rapidly went downhill after I started talking about the need to proactively manage the vulnerabilities on our systems. My peers -- other leaders in IT at this company -- are threatened by my open approach to change and by being put in the spotlight by the new guy in charge of security. As a first step toward resolving this conflict, I'm trying to build alliances.

IT works for the business, and the people in the field running corporate operations are IT's customers. I assumed that the business owners have some influence over the services IT provides them, and that gave me an opening. I figured that if I could convince the business managers that vulnerability management is important to their operations, then perhaps I could add their voices to mine and thus gain credibility and influence.

So far, I've had success with this approach. Once I talk to business managers about what it is I'm trying to do, they become supportive of the idea of stabilizing and improving the security of their systems through patching.

The IT systems administrators and their managers are the people most resistant to applying patches -- and it's the sysadmins who would have to actually do the work. Predictably, they are falling back on the old argument that patching destabilizes systems and causes more problems than it solves. I'm trying to make them see it from the viewpoint of a security manager: Unpatched operating systems are a huge security risk in any environment.

But the sysadmins don't see why it's important to do the updates when everything already seems to be working. Their attitude is that we haven't had any problems yet, so why should they incur extra work and operational risk just to make the security team happy?

I'm trying to bridge the differences in our perspectives, but I'm not having much luck. Looking only at return on investment, the sysadmins have a pretty solid argument. There's no question that a comprehensive patching program is expensive. You have to test the patches, and it seems as if there's always another one being released. Then you have to track down every machine that needs the patch and make sure it's fully up to date. But as the security manager, I have to look beyond immediate ROI. A security incident could be more costly than an ongoing patching program.

Patch Catch-up

I feel that if we leave our infrastructure unpatched, our servers could be vulnerable to a breach, which could result in devastating losses. It's a core belief of mine that a mature IT infrastructure should include a repeatable, ongoing program of vulnerability remediation. But explaining that to sysadmins who don't want to do it is a tall order.

Right now, I'm focusing on getting all our systems up to date. But a successful vulnerability management program depends on having a repeatable process that results in a collection of "snapshots" of the overall security posture at various points in time. These snapshots tell us the threat model at that moment, the protection requirements, the environment being protected and the state of the defensive technology.

A successful catch-up effort will give us our first snapshot, the baseline. But as technology and the business environment evolve, the technical controls that are part of this snapshot will become less effective. That's why I'm already thinking ahead to establishing a patch cycle.

Gaining allies is bringing us closer to this goal. I'll keep you posted on how my campaign fares with the systems administrators.

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at jf.rice@engineer.com.

To join in the discussions about security, go to computerworld.com/blogs/security.

Copyright © 2008 IDG Communications, Inc.