Security vs. Stability: The Patch Management Conundrum

An age-old problem…

An article review.

In a perfect world, security patches would be rolled out as soon as they are made available to the public, and those patches would never disrupt an organization’s operations. Unfortunately, the latter has been known to happen, and because of that many IT departments are hesitant to apply updates quickly…perhaps too hesitant, as a survey from Orange Cyberdefense puts the average time to apply patches at over 200 days.


The struggle between securing systems and keeping them available is highlighted in a recent article from CPO Magazine, which notes that in March of 2023 ransomware attacks were reportedly up 91% over the prior month, and had risen 62% from the same period in 2022. Yet despite the surge in attacks, many organizations lag behind in applying patches. Why? The article points out the difficulty of gaining insight into every device within an organization, including all the software components that may be installed on each one, along with the conflicting pressures of applying patches quickly and keeping things running. While a missed patch may not be immediately obvious, if a critical network component goes down everyone is aware, and the IT department often takes the blame.

According to the article, however, the hesitancy to implement patches may be unfounded, as it asserts that only 2% of patches wind up needing to be rolled back. The problem lies in the fact that one doesn’t know in advance which patches will make up that small percentage, and no one wishes to find that out at 6pm on a Friday…or 8am on a Monday, for that matter.

Unfortunately, beyond the routine methods of avoiding patching hassles, such as rolling updates out in phases and instituting a “burn-in” period for testing before wider deployment, there doesn’t seem to be a good solution for balancing uptime and security…and until vulnerability management organizations focus more on smoothly implementing fixes, it seems the struggle will continue.

Original article by Mike Star writing for Federal News Network

This Article Review was written by Vigilize.

Matt Jolley is the current Vigilize; he is also the recipient of the 2023 Cyb3rP0e+ designation!


