Patching-as-a-Service Offers Benefits, Challenges

Patching is a critical method to isolate risks and ensure workflows are not interrupted due to allowing software to fall out of supportable versions.

The security risk resulting from unpatched vulnerabilities is substantial: Verizon's 2022 Data Breach Investigations report found around 70% of successful cyberattacks exploited known vulnerabilities with available patches.

But too often, IT teams must choose which urgent items get their attention, and that creates a scenario where the urgent tasks get in the way of important tasks. By outsourcing patch management, also known as patching-as-a-service, organizations can shift the burden of ensuring that the patch process completes consistently to a third party.

Control, Transparency Must Be Maintained

Outsourcing patching can save an organization time and money. It can also lead to improved security. The outsource model provides security leaders with a verifiable service-level agreement (SLA) to guarantee that the investment protects the organization.

"There are some challenges that come with outsourcing patching," cautions Darryl MacLeod, vCISO at Lares Consulting, an information security firm. "For example, an organization may lose some control over patch management, and the patch management process may not be as transparent as it would be if patch management was done in-house."

Patching-as-a-service is probably most effective for small and midsize organizations that do not have the resources to patch in-house, he adds, but it can also be beneficial for organizations with complex patch management needs.

Data management and analytics company Aunalytics recently added a co-managed patching-as-a-service platform to its security solution suite. The company's vice president, Steven Burdick, points out that security challenges for every organization are evolving every day.

"Bad actors are knocking on any door they can find, hopeful that you have not patched a workstation or key third-party application such as Acrobat Reader," he says. "Yet despite your efforts to secure your environment by battening down the hatches, new, not yet discovered exploits continue to show up."

Burdick argues that outsourcing security patching and antivirus/malware protection platforms allow organizations to invest their team members' time in areas where the business can get the best value.

"Assigning an FTE or part of an FTE to someone to manage patching and security platforms requires additional investments in time, travel, and training that do little more than prepare your IT staff for their next role in another company," he says.

Paying a Third Party to Take Responsibility

Outsourcing patching to a patching-as-a-service vendor is a subset of outsourcing IT operations, in that an organization is shifting responsibility to a third party, says Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber-risk remediation.

"There are a lot of reasons organizations outsource these tasks, though cost savings and not having to manage an internal IT department are two common reasons," he says.

Like Lares Consulting's MacLeod, he also points out challenges. For one, the organization has to rely on the efficiency and integrity of the vendor to take on mission-critical issues without the oversight that comes with in-house assets.

A successful program will require accurate and robust asset management tools so the vendor knows what's live in the client's environment, Parkin says.

"They'll need an included, or compatible, patch management function," he adds. "Ideally, they will have inputs from vulnerability scanners and a risk management platform to help them prioritize the most important patches."

Patching Services Rely on Automation

MacLeod predicts that as patch management becomes more complex, patching-as-a-service providers will likely offer more comprehensive solutions that include patch management software, patch repositories, and patch deployment tools. Patch management software automates the patching process, a patch repository stores and manages patches, and patch deployment tools are used to deploy patches to systems.

"Service providers will likely continue to expand their customer base by offering patching services to more types of organizations," he adds, also pointing out that patching-as-a-service market has been growing in recent years as more organizations outsource patch management. "This growth is expected to continue as patching becomes an increasingly complex and time-consuming task."  

Outsourcing Makes up for Scarce Human Resources

Aunalytics' Burdick says Aunalytics is seeing a lot of interest in the healthcare industry, professional services firms, and government, where IT talent is hard to attract and retain. Manufacturers are often early adopters of this type of solution because they recognize that they must constantly evolve to compete, he adds.

Paying for these services in an "as-a-service" model precludes organizations from having to pay for the training and travel costs of IT security team members, Burdick says, as well as the cost to replace and retrain staff when the company's internal resources leave.

"Businesses today do not struggle buying technology; it's the people who use the technology and keep it running efficiently who are very hard to source in this economy," he says.