WannaCry was a wake-up call to everyone. The person serving you your lunch has heard about it (no disrespect intended). It's reasonable to believe that, following this massive issue that played out on a global stage, patch management would be front and centre in every executive's operational focus. In fact, there are only so many variations you can use on the same theme; we covered it here: Server and workstation patching for nuclear-utilities.
But following another (yes, another) massive data breach, Equifax, being attributed to a recent Apache vulnerability, I'm beginning to wonder if patch management is just as cumbersome as email management has been since its inception. In fact, I haven't seen many sourcing RFPs that discuss patch management requirements in any significant manner. Certainly, the Y2K issue drove significant patching of platforms, not to mention the replacement and upgrading of many other platforms. In the early 2000s, when I was involved in IT outsourcing, patch management was an important core support principle.
Has an organisation's focus on moving resources from BAU outcomes, in other words keeping the lights on, to supporting the organisation to "sell more" been a key contributor to this current malaise? Or has the move to cloud created a soft vendor management approach that uses the 'commercial SLA' stick rather than a 'show me and prove it to me' stance from a quality assurance perspective? Whether it is outsourced or internally supported, an expedited approach to reviewing and updating platforms to plug vulnerability holes is exceptionally important, specifically for internet-facing platforms.
by Con Lokos