Effective Patch Management Using Agile

In the past couple of weeks, I have shared a couple of articles related to cyber security. The first article, "Is it time to drop 'cyber' in security", argues that cyber issues are not just "techie" problems limited to the IT department: cyber security risks impact the entire organization and need to be part of an organization's overall risk and security programs. The second, "How can we make the cybersecurity profession agile", discusses integrating Agile management practices into cyber security. The proliferation of ransomware targeting deprecated and unpatched software makes this a timely moment to discuss both points.


The crippling effects of Petya and WannaCry on people and businesses worldwide have continued to make the mainstream news. I am certain that this has also been a hot topic in many boardrooms and C-level executive suites.


Patches for the vulnerabilities these attacks exploit were released by Microsoft and others long before the recent attacks, which demonstrates that many organizations lack effective patch management programs. I personally feel that the leading reason organizations struggle to address these vulnerabilities is the expectation that software management products will provide them with policies and procedures. To be effective, your organization must have clearly defined policies that address your risks and concerns. Products are simply the tools used to implement your organization's policies. No tool is perfect, and all products have their own vulnerabilities and shortfalls, but with clearly defined policies your organization can set reasonable and effective goals, develop contingency plans, and define metrics that demonstrate the program's progress and value to your organization.


This is where I feel that Agile's iterative approach, delivering results that can be demonstrated and improved upon with each successive sprint, is ideal. Start by targeting the vulnerabilities that present the greatest risk to your systems and organization. When you have those under control, grow your program to address vulnerabilities representing lower risk to the organization, or to add efficiency. Minimizing the number of software products permitted in your environment reduces the cost and effort required to patch and maintain your systems. The Agile concept of limiting "Work in Progress" helps your team keep the amount of work they need to get done each month to an achievable amount that delivers value.


Develop a monthly cycle of sprints to evaluate, test, deploy, and remediate, targeted at the risks your organization has identified. The results of each month's patch cycle are evaluated, and activities that resulted in waste are fixed or eliminated. Process improvements are fed into the next month to facilitate continuous, measured improvement, so your program can adapt to meet your needs as they evolve and address risks to your organization as they emerge.
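As an added illustration (not part of the original article), here is a small Python sprint planner that applies the ideas above: rank open findings by risk, cap the month's work in progress, separate out findings with no vendor patch so they get a compensating control instead, and report how much of the outstanding risk the sprint retires. The risk weights, sample assets and placeholder vulnerability ids are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One unpatched vulnerability on one asset (constructed sample data)."""
    asset: str
    vuln_id: str          # placeholder ids, not real CVE numbers
    severity: float       # e.g. a CVSS base score in the range 0-10
    exposed: bool         # reachable from untrusted networks?
    patch_available: bool


def risk_score(f: Finding) -> float:
    """Risk used for backlog ordering: severity, doubled for assets that are
    exposed to untrusted networks. The 2x weight is an assumption here."""
    return f.severity * (2.0 if f.exposed else 1.0)


def plan_sprint(backlog, wip_limit):
    """Return (this_sprint, deferred, blocked): the highest-risk patchable
    findings up to the WIP limit, the remaining patchable findings carried
    to a later sprint, and findings with no patch yet (need a workaround)."""
    blocked = [f for f in backlog if not f.patch_available]
    patchable = sorted((f for f in backlog if f.patch_available),
                       key=risk_score, reverse=True)
    return patchable[:wip_limit], patchable[wip_limit:], blocked


def sprint_metrics(this_sprint, deferred, blocked):
    """Metrics to show the program's progress month over month."""
    total = sum(risk_score(f) for f in this_sprint + deferred + blocked)
    addressed = sum(risk_score(f) for f in this_sprint)
    return {
        "items_in_sprint": len(this_sprint),
        "risk_addressed_pct": round(100 * addressed / total, 1) if total else 0.0,
        "blocked_items": len(blocked),
    }


# Constructed backlog: asset, placeholder id, severity, exposed, patch available
SAMPLE_BACKLOG = [
    Finding("web-01", "VULN-PLACEHOLDER-1", 9.8, True, True),
    Finding("file-srv", "VULN-PLACEHOLDER-2", 8.1, False, True),
    Finding("hr-db", "VULN-PLACEHOLDER-3", 7.5, False, False),
    Finding("vpn-gw", "VULN-PLACEHOLDER-4", 8.8, True, True),
    Finding("kiosk-03", "VULN-PLACEHOLDER-5", 5.3, False, True),
    Finding("mail-01", "VULN-PLACEHOLDER-6", 6.5, True, True),
]

if __name__ == "__main__":
    sprint, later, blocked = plan_sprint(SAMPLE_BACKLOG, wip_limit=3)
    print([f.asset for f in sprint], sprint_metrics(sprint, later, blocked))
```

With a WIP limit of three, the sprint takes the two internet-exposed hosts with the highest severities plus the exposed mail server, and the metrics show that those three items retire roughly 70% of the backlog's weighted risk.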

More articles by Steven Jester
