6 Questions CIOs Should Ask About Patching

From WannaCry to the Equifax breach, it’s no wonder that fixing software vulnerabilities in a timely manner is a current theme within cybersecurity. While this task falls with the IT team, CIOs that oversee IT need to be aware of the organization’s patching processes and ensure that it’s being properly implemented. Patching known vulnerabilities is one of the “lowest hanging fruit” activities a company can take on its path to cybersecurity.

Regularly asking these six questions – and digging further into any unsatisfying answers – will help ensure your organization is prepared to quickly patch areas of exposure and minimize risk.

1. Do we have an updated inventory of devices and the software versions running on each?

If you don’t have a reliable log of where the software that needs to be patched is deployed, you run the major risk of missing an instance, leaving the vulnerability open. Maintaining inventory documentation may be a tedious task, but it’s absolutely necessary to have an inventory so you can quickly and completely address issues.

2. Does that inventory documentation take into account any BYOD or remote employee programs?

As more employees work remotely, use their own devices or as your company engages more contractors outside of your immediate ecosystem you need to ensure this shift in work habits doesn’t leave your network vulnerable. If you cannot control the security and updates of an employee’s personal device used for work purposes, strongly consider implementing virtual desktops to help isolate your environment and gain better control no matter the endpoint device and its upkeep.

3. What is the documented procedure for rolling out updates and patches?

Without a written, documented procedure for rolling out updates or patches the process is left to the discretion of individual team members. In the best case scenario, patches are implemented in an inconsistent manner; in the worst case scenario they don’t get implemented at all.

4. What is the timeline for those updates and how long does the process take?

With the state of cybersecurity today, hackers are increasingly taking advantage of known vulnerabilities and poor patching practices. With both WannaCry and the Equifax breach, the vulnerability was known and unaddressed by many for months, allowing malicious parties plenty of time to take advantage of the hole.

There should be a documented timeline for patching and updating software and an understanding (even if it’s simply a reasonable estimate) of how long it takes to complete the task.

“Patch updates are becoming extremely important, because hackers are responding to critical bugs immediately.” – Healthcare Dive

5. Does this protocol and timeline take risk level into account and adjust accordingly?

Some vulnerabilities present a bigger risk than others. Companies should have a way to assess risk impact and a plan to adjust the patching protocol accordingly. As CIO, it’s important you understand this process so you can have reasonable expectations and make adjustments to resources if needed.

6. Is there anything we can do to make this process easier and faster?

Patches and updates take time away from more business driving tasks – particularly if the IT staff has to touch every individual device. The longer devices go unpatched, the greater potential for a breach. Ask your team if there are solutions that would make this process easier and faster. (Virtual desktops offer centralized control for easier, faster patching and some fully managed desktop as a service providers perform catching for the client based on the client’s schedule.)  Not only do you minimize risk by more quickly implementing patches, but it also allows IT teams to get back to more innovative or business critical tasks.

You may also like:

• Top 5 Reasons to Evolve Your Desktops 
• Are You the Reason Employees Aren’t Productive?
• 4 Things Fully Managed DaaS Makes Easier for IT