Cutting the Cost of Patch Management

Cutting the Cost of Patch Management

In my previous post on Cyber Threat Intelligence (CTI) I discussed at least one immediate benefit of CTI as a means of cutting the cost of vulnerability and patch management by potentially obviating the need to trigger a patch management exercise.

By taking into consideration the actionable intelligence provided by CTI in the assessment of risks posed by vulnerabilities CISOs may reduce the internal CVSS score of a vulnerability and hence eliminate the need to instigate patching of affected applications and systems.

In this post I will assert that vulnerability and patch management is a costly administrative process. By ‘administrative‘ I mean that it is a cost to the business, it is a process that does not generate any value for the business as opposed to a process that does generate value which I define as a service (as per the NoIT principle ofKnowIT).

Patch Management- an administrative task
Patch Management- an administrative task


The cost of any administrative process to a business consists of the following components:

  • The human resource cost (unit time cost of employees committed to the process multiplied by their number) – H
  • The frequency of the process (how often it is executed) – f
  • The time required to execute the process (how long does it take to fully complete all tasks associated with the process, including dealing with failures and retries) – T
  • The scope of the process (how many people/applications/systems are impacted by the process) – S
  • The lost opportunity cost (a reflection of the value generated if the resources consumed and impacted by this administrative process was reallocated to a service) – O

Reducing any of these components will result in a reduction of the total cost of the process and our simplistic model can be expressed mathematically as:

Total Cost = (f x H x T x S) + O

Our model is far from precise however it is a suitable starting place for identifying and quantifying ways of reducing the costs of administrative processes. For example let’s look at how CTI impacts the cost of vulnerability and patch management, as we have noted it can reduce the frequency, time and scope of the process (we’ll tackle lost opportunity later), however it could potentially increase the human resource costs, at least in the short term, as we’ll need to hire and assemble a CTI team. Overall we can clearly see the benefits CTI based on this simple analysis alone.

As IT decision makers working for profit seeking organisations that are owned by shareholders it is incumbent on us to identify technology, processes and people that can help to bring the costs of administrative processes to as near to zero as possible or ideally to eliminate them entirely. For a great example of what happens when the business is held to ransom by ‘excessively complex IT’ arising from the implementation of one successive administrative process over another for decades, look no further than here.

Using the same reasoning any activity that increases one or more of the component costs of an administrative process should be avoided. A good example here, is what happens when a business decides to remediate all the vulnerabilities identified by, say, SAST. While this is a contrived example (no business will be able to survive the cost of attempting to remediate all the vulnerabilities that have been identified in code without technology that currently does not exist) the extreme case is instructive. Remediating the vulnerabilities identified by SAST may increase human resources, and certainly will increase the time and scope required by vulnerability and  patch management. As we will see later the lost opportunity costs may, however, be substantial.

So beyond Cyber Threat Intelligence what other technologies should we use to reduce the costs of vulnerability and patch management? Runtime Application Self Protection (RASP) is an obvious candidate. Where we have implemented RASP we have reduced all the component costs of vulnerability and patch management.

Investment in RASP has reduced the human resources allocated to vulnerability and patch management by reducing the internal CVSS score of vulnerabilities of code that we own and control. This means that we don’t need to assign a developer to patch the code. The vulnerability no longer poses a risk high enough to warrant allocating the resource to patch it. With our current implementation of RASP (Waratek AppSecurity for Java) this is especially true of any Java vulnerability that exploits:

As I have previously described, reducing the CVSS score also reduces the frequency of patch management.

Some RASP implementations can reduce the time required to patch a vulnerability and also minimize disruption of running applications. The white paper “Zero Downtime for Zero Day Vulnerabilities” describes how Virtual Patching and Taint Detection effectively minimise disruption to running applications while maximising security.


Finally let’s touch upon the lost opportunity costs. These are the most difficult to calculate and there is no single correct way of measuring the lost opportunity. At a minimum we could consider the lost opportunity cost as the amount that would have been gained by the business from putting the capital allocated to the administrative process into a savings account. Under free market conditions this would normally result in a gain in line with rate of interest but for the sake of argument lets call it 5%. So we can say the absolute minimum cost of an administrative process will be:

Total Cost = (f x H x T x S) * 1.05

However this is, in my opinion, a highly conservative estimate of the lost opportunity cost. Perhaps a better way of calculating the opportunity cost is to use the rate of profit of the most profitable service within the business, making the assumption that if the capital allocated to the administrative process had instead been directed to this value generating service, the revenue would rise commensurately and in all likelihood considerably.

I hope this post has elaborated the argument for greater automation and innovation within the domain of Cyber Security and I invite readers to share their thoughts and suggestions for reducing costs.

This is a guest post by Hussein Badakhchani

Tags: , , , ,