Patching is a critical method to isolate risks and to ensure workflows are not interrupted due to allowing software to fall out of supportable versions.
The security risk resulting from unpatched vulnerabilities is substantial — Verizon’s 2022 Data Breach Investigations report found around 70% of successful cyberattacks exploited known vulnerabilities with available patches.
Too often, however, IT teams must choose which urgent items get their attention, which creates a scenario where the urgent tasks get in the way of important tasks. By outsourcing patch management, also known as patching-as-a-service, organizations can shift the burden of ensuring that the patch process completes consistently to a third party.
Control, Transparency Must Be Maintained
Outsourcing patching can save an organization time and money. It can also lead to improved security. The outsource model provides security leaders with a verifiable service level agreement (SLA) to guarantee that the investment protects the organization.
“There are some challenges that come with outsourcing patching,” cautions Darryl MacLeod, vCISO at Lares Consulting, an information security firm. “For example, an organization may lose some control over patch management, and the patch management process may not be as transparent as it would be if patch management was done in-house.”
He adds that patching-as-a-service is probably most effective for small and midsized organizations that do not have the resources to patch in-house, but it can also be beneficial for organizations with complex patch management needs.
Data management and analytics company Aunalytics recently added a co-managed patching-as-a-service platform to its security solution suite. The company’s vice president, Steven Burdick, points out the security challenges for every organization are evolving every day.
“Bad actors are knocking on any door they can find hopeful that you have not patched a workstation or key third-party application such as Acrobat Reader,” he says. “Yet, despite your efforts to secure your environment by battening down the hatches, new, not yet discovered exploits continue to show up.”
He argues that outsourcing security patching and antivirus/malware protection platforms allow organizations to invest the time of their team members in the areas where the business can get the best value.
“Assigning an FTE or part of an FTE to someone to manage patching and security platforms requires additional investments in time, travel, and training that do little more than prepare your IT staff for their next role in another company,” he says.
Paying a Third Party to Take Responsibility
Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, explains that outsourcing patching to a patching-as-a-service vendor is a subset of outsourcing IT operations, in that an organization is shifting responsibility to a third party.
“There are a lot of reasons organizations outsource these tasks, though cost savings and not having to manage an internal IT department are two common reasons,” he says.
Like MacLeod, he points out there are also challenges. For one, the organization has to rely on the efficiency and integrity of the vendor to take on mission-critical issues without the oversight that comes with in-house assets.
Parkin says a successful program will require accurate and robust asset management tools, so the vendor knows what’s live in the client’s environment.
“They’ll need an included, or compatible, patch management function,” he adds. “Ideally, they will have inputs from vulnerability scanners and a risk management platform to help them prioritize the most important patches.”
Patching Services Rely on Automation
MacLeod predicts that as patch management becomes more complex, patching-as-a-service providers will likely offer more comprehensive solutions that include patch management software, patch repositories, patch deployment tools, and other services.
Patch management software automates the patching process; a patch repository stores and manages patches; and patch deployment tools are used to deploy patches to systems.
“Service providers will likely continue to expand their customer base by offering patching services to more types of organizations,” he adds.
He points out that the patching-as-a-service market has been growing in recent years as more organizations outsource patch management.
“This growth is expected to continue as patching becomes an increasingly complex and time-consuming task,” MacLeod says.
Outsourcing Makes up for Scarce Human Resources
Burdick says Aunalytics is seeing a lot of interest in the healthcare industry, professional services firms, and government, where IT talent is hard to attract and retain.
He adds that manufacturers are often early adopters of this type of solution because they recognize that they must constantly evolve to compete.
Paying for these services in an “as-a-service” model precludes organizations from having to pay for the training and travel costs of IT security team members, Burdick says, as well as the cost to replace and retrain staff when the company’s internal resource leave.
“Businesses today do not struggle buying technology; it’s the people to use the technology and to keep it running efficiently who are very hard to source in this economy,” Burdick says.
