Friday, October 6, 2023

Enhance Your Patching Process With These Top 4 Metrics

 


One of the key components of any kind of security policy for a business is to have a regular schedule of performing software patches and upgrades.  But what the timing should be, is really entirely up to the CISO, or even the vCISO.  In my opinion, given the dynamics of the Cyber Threat Landscape, it should be done once a week.  In fact, when I started my first IT job over 20 years ago, this was the norm, even all the way back then.

But it takes resources to monitor all of this stuff, as you will most likely need to have a dedicated person on hand to do all of this.  Not many people think about this, but it matters a lot to the other members of the C-Suite, and even to the Board of Directors.  But the good news here is that there are metrics and Key Performance Indicators (KPIs) that you can use to help put a quantitative assessment to this.

So, here is a review of some of the major ones that you can make use of:

1)     The Mean Time To Remediate:

The acronym for this is the “MTTR”.  It simply measures how long it takes to get your dedicated resources to put the software patches and upgrades into your production environment after they have been first announced.  The one primary disadvantage with this kind of metric is that it treats all patches and upgrades in the same manner.  So for example, a low priority one will receive the same kind of weighting as a high priority one.  However, some CISOs have been known to use the MTTR solely just for tracking the latter.

2)     The Mean Time To Detect:

The acronym for this is the “MTTD”.  Essentially, this metric shows how long it takes for your IT Security Team to detect an actual threat variant that exists in your IT /Network Infrastructure, and also how long it takes for them to apply the relevant patch to remediate it.  In a way, this can be viewed as an enhancement to the MTTR.  For more information on this, click on the link below:

http://cyberresources.solutions/blogs/Threat_Report.pdf

3)     The Mean Time To Prioritize:

The acronym for this is the “MTTP”.  This metric reflects the degree of vulnerability of all of the digital and physical assets that you have at your business.  Typically, all of the details for this will come into play when you first conduct a comprehensive Risk Assessment Analysis.  This can then be fed into the MTTP, and it will show how quickly you need to respond to a security breach that has impacted your most vulnerable assets.  One of the responses is mitigation of course through your Incident Response (IR) Plan, but the other key component is applying the relevant software patches and upgrades in a timely manner.

4)     The Mean Time To Communicate

The acronym for this is the “MTTC”.  This is actually a new metric, and this is the first that I have even heard of such a thing.  This metric shows how well your IT Security team can interact with the other members of the IT Department.  If your business is large enough, these two departments will have independent tasks and duties to protect it.  For example, the IT Security team would be responsible for the checking and downloading of the software patches and upgrades, but then, it would be up to the IT Department to actually roll them out into the production environment.  But this metric can also be used to gauge how effectively your IT Security team can also communicate with the other relevant members of the other departments in your business. 

My Thoughts On This:

Honestly, nobody really likes to be gauged by a set of metrics and KPIs, but this is the only way that value can be shown to the higher ups, as previously mentioned.  But a key factor here is to have the buy in form all of the members of the IT Security team, and determine which ones are the most relevant to your security requirements.

A good way to help speed things up in the deployment process is to make use of automated tools, such as those making use of AI and ML.  There are plenty of tools out there, the hard part will be in figuring out which ones will be the most relevant for helping to secure your business.

I am also going to be writing a special whitepaper on the software upgrade and patching process (softwareupdate.art), so stay tuned for it!!!

No comments:

Post a Comment

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

  In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written man blog...