Over the years I have been asked a curious question numerous times. "If we use product x or solution y we wouldn't have to patch anymore, right?" At this point in the conversation I would often sit back in my seat and try to look like I was giving their question a lot of thought. The reality was more pragmatic. I was trying very hard to stifle my screams while appearing considerate of their query.
Let's be honest with ourselves. No one likes to apply patches. If the opposite were true, I have little doubt that we would have far fewer data breaches than we read about in the news these days. I'm sure that there is a mythical unicorn out there that simply lives for this sort of activity. I will be entirely honest when I say that I have never met this person.
Applying patches is a very necessary activity. So, why is it that we continually have to return to this discussion point? Time and again we read in the press about companies that were compromised because of a missed patch or configuration error. One of the things that I do a fair bit is to read the data breach notices that companies issue. There are some trends that are inescapable. A piece of software wasn’t patched to current. There was a configuration error or a laptop was stolen but, have no fear, there was a password.
Two of the aforementioned were easily preventable situations and the third…well, I’ll just leave that one alone for this post.
Let’s just dispense with the nonsense. There is no product on this little blue marble that we call home that will ever give you 100% security. It just isn’t going to happen. Full stop. There are so many moving parts in the modern IT ecosystem that we have to take this into account. There is a real problem that we seem to drift farther and farther from each and every day. We are failing to tackle the fundamentals well and as a result the security of our digital supply chain is suffering.
I often get teased by some friends for using the phrase “defined repeatable process”. This idea is absolutely nothing new. This is a term that has been floating around for a long while now, but we seem incapable of implementing it. Why is that? When we drift away from doing things well, such as patching, we are inadvertently increasing our technical security debt. As this chasm continues to widen there will come a point after which most organizations would not be able to pivot to the safety of higher ground.
So as I knock this idea around in my head I continue to wonder what it is that we can do to improve things from a repeatable process standpoint.
Go ahead and put up your feet on your desk basking in the glow of knowledge that some vendor is going to solve all of your security issues. Never patch another system again and we shall gleefully dance around the smoldering crater that was once your enterprise network after the hordes of attackers are done savaging it.
An apple a day keeps the doctor away and all that sort of rot.