Craig Lawson of Gartner suggests that rushing to implement patches isn't always beneficial for organizations. Despite the pressure to stay current with security updates, he notes that most cannot keep up. Patching, he asserts, is often counterproductive, and many vulnerabilities are never exploited by attackers at all. Fewer than 10% of known vulnerabilities are actively exploited, so trying to patch everything at once misdirects organizations' effort and can cause more problems than it solves. Lawson argues for a more strategic approach to managing security risk rather than a panic response to every patch.
That's the opinion of Craig Lawson, a Research Vice President at analyst Gartner, who on Wednesday told the firm's Infrastructure, Operations & Cloud Strategies Conference: "Nobody has ever out-patched threat actors at scale."
Lawson thinks trying to do so is folly, because developers issue more patches than users can implement safely. "Patches break things," he said, or are so complex to implement that the work may not be worth it.
The effort required to determine if a patch will have unintended consequences may also be ineffectual, because his research suggests criminals exploit just 8-9 percent of vulnerabilities and most of the flaws they target aren't rated critical.
Lawson thinks organizations try to implement all patches anyway, sometimes to meet internal metrics for speedy patching, or to ensure they meet regulatory compliance.