Inundated with monthly, weekly, and even daily software patches, IT teams need a strategic approach to security patch management—one that lets them put risks into context, prioritize effectively, and manage their overall attack surface risk.
Enterprises today have a massive amount of software to manage and keep up to date—1,061 applications on average, according to the MuleSoft Research 2023 Connectivity Benchmark Report. At that scale, with many software vendors issuing security patches monthly, weekly, and sometimes even daily, IT teams need a strategic way to prioritize what to patch and when.
The first step is to establish a proper cybersecurity audit routine that provides a complete picture of the enterprise IT ecosystem—all devices and the software they run. With that in place, the next must-have is a contextualized, risk-based approach to assess which patches are needed most urgently and which can wait, in line with the organization’s overall attack surface risk management framework.
A constant flood of patches
Apart from the sheer volume of potential patches to apply, IT teams need to factor in the time and effort each security patch requires. Many involve machine downtime, which affects the availability of IT assets and can hamper employee productivity. Knowing which patches are essential and which can wait is a practical necessity.
Traditionally, deciding which patches to apply has been based on the severity of the associated vulnerability, with each vulnerability assigned a ‘criticality value’ from zero to 10. It’s