
Robust patch management

Risk-based patch management needs unified teams, says Mike Riemer at Ivanti. This is how

 

Five years ago, fragmented data was frustrating for security teams but was almost manageable. Today, it’s quickly becoming a critical liability. Security teams bump up against the same problem repeatedly: despite massive workloads, they’re falling short — and much of it comes down to visibility. You can’t fight what you can’t see. 

 

Recent research reveals just how deep this problem runs. Over half of organisations still struggle with data silos between IT and security teams. These aren’t minor inconveniences: they’re actively undermining security efforts. When Ivanti surveyed security professionals, 62% reported that silos slow their incident response times. Another 53% said silos directly weaken their security posture. 

 

87% of cyber-professionals lack access to critical data that can help them make informed security decisions. The most common data gaps that prevent companies from making more informed decisions are in the software that employees use, such as shadow IT (45%) and contextual data about which vulnerabilities are exposing their systems to threats (41%). 

 

What makes this (even more!) concerning is the growing sophistication of threats. Take ransomware: 38% of security professionals expect AI to make these attacks more dangerous. The upshot is that traditional defences won’t cut it anymore. We need a comprehensive exposure management strategy, including visibility into our attack surface, but that’s impossible when critical security data is scattered across disconnected systems and teams. 

 

Can you afford to learn the hard way? 

Here’s an example of what this disconnect might look like in the real world: Picture a security team working hard and accurately flagging suspicious activity in their cloud environment. That’s great, right? However, this victory obscured a major issue. Because they lacked visibility into their on-premises systems, they missed the connection to a broader attack pattern.  

 

The resulting incident took twice as long to contain as it should have, leaving them dangerously exposed and seriously dampening the celebratory effect of the initial catch. In this scenario, the security team learned about visibility gaps the hard way. Can you afford double containment time? Probably not. 

 

Breaking the cycle 

46% of cyber-professionals believe IT teams lack urgency when responding to cyber-security problems. Security teams are under pressure to move fast, deploying patches quickly to limit exposure to threats. IT teams, on the other hand, must consider operational realities like uptime, resource constraints and business continuity. A lack of shared context exacerbates this tension. Security may not fully grasp how patching impacts operations, while IT teams may not appreciate the urgency of emerging threats. Miscommunication and siloed tools only widen the gap, leading to friction, delays and unpatched vulnerabilities. 

 

The challenges run deeper than just technical barriers. In many cases, we’re dealing with ingrained cultural habits. Security teams use one set of tools while IT uses another. Different departments maintain their own risk assessments. Nearly half of organisations report that their IT and security relationship actively hinders risk management. 

 

Look at how business leaders and security teams view risk. Business executives tend to focus on financial metrics and revenue impact, while security teams track technical measures like system downtime. Both matter, but without shared data and context, we end up with misaligned priorities and incomplete protection. 

 

44% note difficulty managing security risks as a key challenge in the relationship between security and IT. 40% report using different tools. Breaking this cycle requires rethinking how we handle security data and team collaboration. Some organisations are making progress. Among companies with the most mature security practices, 71% review all software vendors for security risks, more than double the rate of less mature organisations. They’ve learned that effective security requires breaking down walls between teams.

 

Pivoting to exposure management 

This chronic problem does have a solution. That brings us to exposure management — a more sophisticated approach to understanding and prioritising security risks that considers business context, risk tolerance and the true risk to the specific organisation, rather than focusing primarily on a threat’s chances of exploitation.

 

Exposure management has tremendous upside, but I’ve already witnessed too many scenarios when security teams intend to pivot to exposure management but don’t fully embrace the shift. Case in point: 83% of organisations say they have frameworks for identifying risk tolerance, yet only half follow them consistently. Why? Often, because different parts of the organisation can’t see the same picture. Again, we’re bumping up against visibility problems. 
 

Learning the easier way 

What’s working for companies that are getting this right? 

  • Breaking down communication barriers. First, they’re creating direct channels between technical teams and executive leadership. This helps translate security metrics into business impact – something only 48% of organisations do effectively today. 
  • Reassessing how different business units view risk. A development team pushing for rapid deployment has different priorities than a compliance team, but both perspectives must inform the overall security strategy. When teams share data and context, they make better decisions about acceptable risk levels. 
  • Implementing risk-based patch management. Rather than treating all vulnerabilities equally, organisations focus their patching efforts on those that pose the greatest actual threat to their specific environment. This strategic approach ensures teams address the most critical security gaps first, making better use of limited resources while strengthening overall security posture. 
  • Reimagining security. Most importantly, these organisations are changing how they think about security’s role. Instead of treating it as a cost centre or compliance checkbox, they position security as a business enabler. Strong security practices help companies enter new markets, support remote work and drive innovation. But you only get these benefits when security teams have the full picture. 

The stakes keep rising. That phrase is overused, to be sure, but it’s appropriate here. As AI capabilities expand, both for defence and attacks, we can’t afford to let data silos limit our visibility and response capabilities. 

 

Companies estimate it will take six years on average to fully integrate their siloed systems and teams. That’s too long. Moving faster to break down these barriers means being better equipped to handle emerging threats. Yes, it’s both a cognitive and practical shift. Yes, it means a bit more work up front. But the alternative means finding out exactly how expensive fragmented security can be. 

 


 

Mike Riemer is SVP Network Security Group and Field CISO at Ivanti 

 

Main image courtesy of iStockPhoto.com and StudioGraphic



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543