Survey: Security Patches Put IT Leaders Between Rock and Hard Place

A global survey of more than 504 CIOs and CISOs finds 81% of respondents admit they have refrained from implementing an important security update or patch because of concerns about the impact those updates or patches might have on business operations. More than half of the respondents (52%) said they have made this decision on more than one occasion.

Potentially even more disturbing, 80% of CIOs and CISOs have discovered that a critical update or patch they thought had been deployed had in fact not actually updated all devices affected by a potential vulnerability.

The survey, which was conducted by Tanium, a provider of endpoint management tools, illustrates the nature of the Hobbesian Choice dilemma IT leaders face every day: The rate at which patches that address critical vulnerabilities are being issued continues to exponentially increase. But any one of those patches could greatly impact the availability of applications that depend on a service being available within the application that needs to be patched. In an ideal world, IT organizations would have plenty of time to test the downstream impact of any given patch. Unfortunately, however, the time between when a vulnerability is disclosed and when cybercriminals start exploiting that vulnerability becomes narrower with each passing day.

A full 94% of survey respondents said that they regularly need to make compromises when trying to protect their organizations from disruptions. Reasons for making those compromises span everything from pressure to keep the lights on (33%) and the need to implement new systems (31%) to being hamstrung by legacy systems (26%) and internal politics (21%). Nearly half (47%) of the CIOs and CISOs surveyed (47%) said they face challenges because other business units do not grasp how important technology resilience is to the company, while 40% said issues arise as other business units prioritize their customer work over security protocols.

Chris Hallenbeck, CISO for the Americas at Tanium, said the survey highlight how critical it has become for IT leaders to regain control over the software development life cycle. In most cases, that will require transitioning to more modern application architectures based on microservices constructed using containers. While that may require new security tools, containerized applications are much easier to update when compared to patching a monolithic legacy application, he noted, adding those applications also tend to be more resilient because it becomes easier to isolate malware infestations. At the same time, Hallenbeck said most organizations would be well-advised to rationalize the number of cybersecurity tools they have in place to increase overall visibility.

Being an IT leader in this era is a significant challenge. Most IT leaders are not really in a position to slow or even halt the rate at which new applications are being developed. In most cases, their role has become to minimize the level of risk associated with deploying those applications in a production environment. But as more applications get deployed, the size of the attack surface that needs to be defended increases steadily. That expansion inevitably lowers the odds IT leaders will be able to successfully defend organizations from cybercriminals who only need to find one weakness to exploit. Of course, while it’s still important to protect those assets as much as possible, the real test of leadership these days comes down to how well any IT team can limit the impact of a breach once it occurs.

Michael Vizard

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

Recent Posts

Who Owns Open Source Security?

According to a recent report by the Internet Security Forum, open source software (OSS) is quickly becoming a pillar within…

3 hours ago

The High Cost of Reporting a Non-Reportable Data Breach

Can a company be sued for reporting a data breach in which the data was never used and destroyed? In…

4 hours ago

Apps on Google Play Tainted with Cerberus Banker Malware

The official Android app market has traditionally been regarded as a safe place to install applications from. Every once in…

12 hours ago

New on Sonatype Learn: Outcome-based Training, New Courses, and a New Look!

The goal within the Customer Success organization here at Sonatype is simple: To maximize the value our customers receive from…

14 hours ago

IPv4 and IPv6 Overview

IP stands for internet protocol. The internet protocol is the protocol which allows internetworking at the internet layer of the…

15 hours ago

NIST SP 800-53 Revision 5 Released – Next Generation Security and Privacy Controls

Draft 5 of SP 800-53 closed its comment period back in May, and was just released as SP 800-53 Revision…

15 hours ago