IT Resource Constraints And Their Impact On Security Patching

For the past two years, IT departments have seen their budgets and staff cut, forcing them to focus on the bare essentials. This trend is most visible in the server environment, where patching has come to be treated as a non-essential task. As an enterprise architect and security consultant, I’m seeing more and more environments that have not been patched for the past 10 to 14 months.
In these situations, the primary action taken by IT departments is to push the issue to the back burner, because patching is not visible to the customer or to the business. The problem with this practice is that a lack of patching widens the attack surface and sharply increases exposure to two very common threats: (1) multiple business-critical servers remain exposed to a single attack that can disrupt the business, since one public exploit for an old vulnerability applies to every unpatched host at once, and (2) a breach can escalate from an unpatched server to a patched one, because the patched server inherently trusts its unpatched neighbour (shared credentials and service accounts, domain membership, permissive firewall rules), so the attacker needs no vulnerability on the patched host to reach it.
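The two threats above can be measured rather than argued about. The following script is an added example, not part of the original article: it takes a server inventory with each host's last successful patch date and a list of trust relationships, flags hosts past a patch-age threshold, and then walks the trust graph to find patched hosts an attacker could reach from the unpatched ones (the "escalation of breach" case). Hostnames, dates, the 90-day threshold and the trust edges are all constructed for illustration; in practice the inventory would come from your patch-management or CMDB data.

```python
from collections import deque
from datetime import date

# Constructed sample inventory (hostnames and dates are made up):
# last successful patch date per server.
INVENTORY = {
    "web01": date(2010, 1, 15),
    "web02": date(2010, 1, 15),
    "app01": date(2009, 2, 3),
    "db01": date(2008, 12, 20),
    "backup": date(2009, 10, 1),
    "mon01": date(2010, 2, 20),
}

# Constructed trust relationships: (A, B) means A accepts connections or
# credentials from B, so compromising B gives a path onto A without
# exploiting A itself.
TRUSTS = [
    ("web01", "app01"),
    ("web02", "app01"),
    ("app01", "db01"),
    ("db01", "backup"),
]

TODAY = date(2010, 3, 1)   # fixed reference date so results are reproducible
STALE_AFTER_DAYS = 90      # assumed policy threshold for "unpatched"


def patch_age_days(host, today=TODAY, inventory=INVENTORY):
    """Days since the host was last patched."""
    return (today - inventory[host]).days


def stale_hosts(threshold=STALE_AFTER_DAYS, today=TODAY, inventory=INVENTORY):
    """Threat (1): every host whose patch age exceeds the threshold is exposed
    to the same old, publicly known vulnerabilities."""
    return sorted(h for h in inventory
                  if patch_age_days(h, today, inventory) > threshold)


def trust_graph(trusts=TRUSTS):
    """Adjacency in the direction an attacker moves: trusted host -> hosts that trust it."""
    graph = {}
    for trusting, trusted in trusts:
        graph.setdefault(trusted, []).append(trusting)
    return graph


def blast_radius(compromised, trusts=TRUSTS):
    """All hosts reachable from an initially compromised set by following trust
    edges (breadth-first search), including the compromised hosts themselves."""
    graph = trust_graph(trusts)
    seen = set(compromised)
    queue = deque(compromised)
    while queue:
        current = queue.popleft()
        for nxt in graph.get(current, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen)


def escalation_risks(threshold=STALE_AFTER_DAYS, today=TODAY,
                     inventory=INVENTORY, trusts=TRUSTS):
    """Threat (2): patched hosts that an attacker can reach from the unpatched
    ones purely through trust relationships."""
    stale = set(stale_hosts(threshold, today, inventory))
    return [h for h in blast_radius(stale, trusts) if h not in stale]


if __name__ == "__main__":
    for host in INVENTORY:
        print(f"{host}: {patch_age_days(host)} days since last patch")
    print("stale hosts:", stale_hosts())
    print("patched hosts reachable via trust from stale hosts:", escalation_risks())
```

Note that mon01 is current and trusts nothing, so it never appears in the escalation list, while web01 and web02 are fully patched yet still reachable because they trust app01. That is the argument to take to the business: the risk of an unpatched server is not confined to that server.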
The response I receive from IT departments is that it takes many resources to test the patches and, with limited resources available, testing the patches becomes unreasonable. Part of the problem stems from the fact that IT departments usually focus on quickly resolvable issues that can be crossed off their task list, rather than on creating long-term, methodical solutions. The widely held belief among businesses that the solutions to IT problems are an ‘easy’ click away also contributes to the problem. So, what should IT departments do? They should use this situation as an opening to improve communication with the business and to set realistic expectations. On the IT side, the business needs to be made aware of the problem, since the risk involved extends well beyond the IT department. On the business side, a change is necessary in which the business becomes mutually vested in moving from short-term, ‘easy’ click-away solutions to a more methodical approach to IT projects.