Survey: Patch Management Still Big Stumbling Block in Risk Management

Ellen Messmer, May 29, 2012
McAfee report shows how companies spend to meet compliance rules

Everyone talks about "risk and compliance" in security, but what do companies have to do to make it through audits and meet regulations related to information security? And what are the costs?

McAfee asks those questions in its "Risk and Compliance Outlook - 2012" survey of 438 IT professionals in the U.S., Europe, Brazil, Australia and Singapore, finding that the main challenge is getting visibility into IT operations. Four out of five of those surveyed believe "visibility into the risk posture of their IT environment" is important, and one-quarter estimated they shaved off six to 10 hours per week in IT staff time with good visibility.

But the patching of software remains a chief stumbling block to good risk management, according to the findings.

"Before the advent of numerous regulations and the rise of malicious code targeting known vulnerabilities, patch management was not a top issue for many organizations," states the McAfee report. "Today, patch management must be a top priority to mitigate the continuous threat of malicious code and compliance failure. These concerns have pushed organizations to gain better control and oversight of their information assets. This is seen with nearly half of the surveyed organizations applying patches monthly and near one-third doing so on a weekly basis."

But as they patch away, there's the sense that this is a time-intensive and costly process. The IT professionals surveyed indicated they are tempted to do routine vulnerability patching less often in order to save money.

About half of the companies say they are able to pinpoint risks associated with vulnerabilities and threats well, "and 43% indicate they over-protect and patch everything they can." That workload might be substantial indeed, given that the National Vulnerability Database reported 3,532 vulnerabilities last year.

But the most disruptive aspect of patching is said to be "out-of-cycle patches" that defy the monotonous, scheduled "Patch Tuesday" led by Microsoft on the second Tuesday of every month, when other vendors now also release patch announcements.