To Patch or Not to Patch


Nowadays, unpatched software represents a massive cybersecurity challenge for IT enterprises. Vulnerabilities in this environment are common, and in most cases a patch that closes the resulting cyber threat is already available.

On the surface, the patching gap, which is the time between the availability of a patch for a software vulnerability and the application of that patch, should not be long. What’s so hard about applying a patch?

In large organizations, patching may take time. There are many open vulnerabilities, and teams struggle to stay ahead of even the most urgent ones. IT enterprises normally run many different types of software, ranging from mobile apps on phones to legacy systems of record in on-premises data centers, and everything in between.

Additionally, such software is a mix of commercial off-the-shelf (COTS) packages, custom-built applications and open-source software. Vulnerabilities crop up in all of these on a regular basis. 

Given this never-ending stream of available patches combined with limited security staff, prioritization is very important. To accurately prioritize vulnerabilities, you need to know both the severity (as measured by the Common Vulnerability Scoring System (CVSS), for instance) and the types of business systems affected.

Even with the right prioritization, speed is also of the essence, and manual patching processes slow everything down. Throwing more people at the problem is not the right answer, assuming the organization can even find them. A shortage of people does not translate into a smaller budget for people; it translates into more junior staff and burnout.

Impact on Business Operations

Not patching can lead to breaches, but patching also has negative impacts. It can be hard to get the business to accept the need for patching because it has business costs. You have logistical issues to deal with and people issues – users may delay the patch because they want to get on with their work.

In order to prevent data breaches, security teams need to patch more quickly. However, many IT security experts are held back by manual processes and disconnected systems that compromise their ability to patch in a timely manner.

Effective and timely patching is the best thing you can do to avoid being hacked. To balance the conflicting priorities of rapid patching against the negative business impacts of patching, many organizations have implemented patch management processes and policies that address both the prioritization of different patches and the ability of business stakeholders to make exceptions to various patching regimens for business purposes.

For instance, the United States Postal Service (USPS) has published both its patch management policy and patch management process online. According to the policy, patches are implemented based on criticality ranking of the vulnerability that is being patched. The process then differentiates between patches to critical vulnerabilities, patches to non-critical vulnerabilities and excluded patches.

The decision to make such exclusions falls to specific stakeholders, either business owners or functional support, depending on when in the process the exception occurs. Functional support is the group responsible for identifying and evaluating patches and performing functionality testing.

On the other hand, the business owner is defined as the business relationship management program manager or an equivalent stakeholder. Either of the two may cause IT to hold off on a patch for business reasons.

Also, for each system, the IT organization must evaluate, test and then implement vendor-released patches according to policy and then validate such implementations.

The end result of these processes can be a 30-day implementation for critical patches and a 90-day deadline for non-critical patches – more than enough time for cybercriminals to exploit vulnerabilities.
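As an added illustration (this is not code from the original article, from USPS or from Vicarius), the following Python script models the kind of policy described above: each finding is classed as critical or non-critical by its CVSS score, gets a 30-day or 90-day deadline counted from the patch release date, and may carry a business-owner exception that pushes that deadline out. The open backlog is then ordered by severity weighted by business impact, with a bump for every day a finding is past its deadline, so the patching gap and the "excepted" items are visible side by side. The CVSS threshold, the business-impact weights, the scoring formula, the host names and the sample findings are all assumptions constructed for this example, and the CVE identifiers are placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed SLA windows, modelled on the 30-day / 90-day figures in the article.
SLA_DAYS = {"critical": 30, "non-critical": 90}
# Assumption: a CVSS base score of 9.0 or higher is treated as critical.
CRITICAL_CVSS_THRESHOLD = 9.0
# Assumed weighting of the business systems affected (from an asset inventory tag).
BUSINESS_WEIGHT = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Finding:
    host: str
    cve: str                        # placeholder identifiers below, not real CVEs
    cvss: float
    business_impact: str            # "high" | "medium" | "low"
    patch_released: date
    patch_applied: Optional[date] = None
    exception_until: Optional[date] = None   # business-owner exception, if granted
    exception_owner: Optional[str] = None


def criticality(f: Finding) -> str:
    return "critical" if f.cvss >= CRITICAL_CVSS_THRESHOLD else "non-critical"


def patching_gap_days(f: Finding, today: date) -> int:
    """Days between patch availability and application (or today if still open)."""
    end = f.patch_applied or today
    return (end - f.patch_released).days


def deadline(f: Finding) -> date:
    """Policy deadline, extended by an approved business exception if it is later."""
    base = f.patch_released + timedelta(days=SLA_DAYS[criticality(f)])
    if f.exception_until and f.exception_until > base:
        return f.exception_until
    return base


def status(f: Finding, today: date) -> str:
    if f.patch_applied:
        return "patched-in-sla" if f.patch_applied <= deadline(f) else "patched-late"
    if f.exception_until and today <= f.exception_until:
        return "excepted"
    return "overdue" if today > deadline(f) else "open"


def priority_score(f: Finding, today: date) -> float:
    """Severity times business weight, plus one point per day past the deadline."""
    overdue_days = 0 if f.patch_applied else max(0, (today - deadline(f)).days)
    return f.cvss * BUSINESS_WEIGHT[f.business_impact] + overdue_days


def prioritized_backlog(findings, today: date):
    """Open and overdue findings, highest priority first; excepted items are held back."""
    work = [f for f in findings if status(f, today) in ("open", "overdue")]
    return sorted(work, key=lambda f: priority_score(f, today), reverse=True)


# Constructed sample data for the example.
TODAY = date(2023, 6, 1)
FINDINGS = [
    Finding("db-prod-01", "CVE-EXAMPLE-0001", 9.8, "high", date(2023, 4, 1)),
    Finding("web-02", "CVE-EXAMPLE-0002", 7.5, "medium", date(2023, 5, 20)),
    Finding("legacy-erp", "CVE-EXAMPLE-0003", 9.1, "high", date(2023, 3, 1),
            exception_until=date(2023, 7, 1), exception_owner="BRM program manager"),
    Finding("laptop-17", "CVE-EXAMPLE-0004", 5.3, "low", date(2023, 1, 10),
            patch_applied=date(2023, 3, 1)),
]


def report(findings, today: date):
    """One row per finding: host, criticality, status, deadline, gap in days, score."""
    return [
        (f.host, criticality(f), status(f, today), deadline(f).isoformat(),
         patching_gap_days(f, today), round(priority_score(f, today), 1))
        for f in findings
    ]


if __name__ == "__main__":
    for row in report(FINDINGS, TODAY):
        print("%-12s %-12s %-15s due %s  gap %3d d  score %5.1f" % row)
    print("Work queue:", [f.host for f in prioritized_backlog(FINDINGS, TODAY)])
```

In the sample, the production database host is 31 days past its 30-day critical deadline and therefore tops the queue, the legacy ERP system is critical but sits outside the queue until its business-owner exception expires, and the laptop shows a 50-day patching gap that still fell inside its 90-day window.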

Where to Start

Patching schedules may struggle under layers of complexity. However, the starting point is straightforward. Start with basic hygiene items that can be addressed immediately. For instance, if security teams don’t scan for vulnerabilities, they need to make it a priority to acquire and deploy a vulnerability scanner.

It’s also essential to know that critical vulnerabilities might appear at any time and certain patches may suddenly become crucial. When you have emergency patches, you need to rally the IT experts in your organization. If you’re running a standard working week, you will need resources that are prepared to work outside of normal hours. That is an additional cost, so you need to have that budgeted beforehand.

Automation is also vital to reducing the time as well as the headcount necessary. Automation offers a path forward for software patching. By automating routine vulnerability response processes and elevating staff to focus on more critical work, security teams can reduce breach rates while focusing on other aspects of their work.

The business must place patch management into the context of financial risk to the organization. As with other cybersecurity efforts, the question of "to patch or not to patch?" boils down to risk versus the cost of addressing that risk. Every organization must find the balance between these two priorities that meets its business objectives.


A well-patched system is a more secure system. In an ideal world, we would just patch everything and do so in a quick way. Unfortunately, we live in the real world rather than a perfect world. Even in the IT industry, we have learned the real-world restrictions of patching and we certainly face even more limitations with OT systems. 

As a larger industry, we will never be able to patch fast enough and completely enough to reach a sufficiently secure state. There will never be zero risk, and we will never have sufficient resources. Therefore, we need to focus our efforts on the areas of highest risk, where patching provides the most benefit.

If you need help with patch management, software patching and you want to create a strong cybersecurity system for your organization, choose Vicarius. Vicarius is a vulnerability management software that targets cybersecurity officers and operators, as well as IT managers and operators from the U.S. market. 


Photo by Angel Origgi on Unsplash

Written by Kent Weigle
