To Patch, or Not to Patch? (Not If, But How)

Building on the findings and analysis published in Managing Vulnerabilities and Threats: No, Anti-Virus is Not Enough (December 2010) and Is Your Vulnerability Management Program Leaving You at Risk? Most Likely, Yes (June 2011), Aberdeen focuses specifically on patch management, based on trends in its adoption as identified in seven independent benchmark studies over a period of four years. The analysis confirms the general correlation: higher adoption of patch management corresponds to a lower percentage of accepted risks. This makes sense: if you don't patch at all, you effectively accept all the risk; but even if patching is 100%, some residual risk remains. On the critical question of how to patch, which is the better strategy: to prioritize patching for the most critical systems and/or for the patches that would provide the greatest good for the greatest number of systems, or alternatively, to adopt the simpler policy of patching everything?
Analyst Insight, October 2011
Aberdeen's Analyst Insights provide the analyst perspective of the research as drawn from an aggregated view of surveys, interviews, analysis and experience.
Business Context: Focusing in on Patch Management
This Analyst Insight is the third in a series focusing on how a global sample of more than 160 organizations manages the never-ending vulnerabilities and threats that assault their enterprise endpoints:
- In Managing Vulnerabilities and Threats: No, Anti-Virus is Not Enough (December 2010), Aberdeen noted that the top performers excel at managing vulnerabilities and threats across their entire lifecycle, from assessment to prioritization to successful remediation. Their focus on maximizing efficiency and minimizing total cost also acknowledges the unfortunate but critical necessity of adopting a continuous approach to vulnerability management, and highlights the value of solutions that increase visibility and provide actionable intelligence for remediation.
- In Is Your Vulnerability Management Program Leaving You at Risk? Most Likely, Yes (June 2011), Aberdeen noted that executive management generally understands the importance of vulnerability management initiatives as part of their overall risk management strategies, but further analysis showed that in spite of their expenditures they may actually be ignoring (and therefore accepting) as much as 80-90% of their endpoint security-related risk, e.g., in the case of adopting a Microsoft-only approach. Given that companies are compelled to invest in managing these unrewarded risks anyway, their best interests are clearly to do it as efficiently and as effectively as possible, which highlights the importance of taking a multi-platform, multi-application approach.
Definitions
For the purposes of this report:
- Unrewarded risk refers to threats, vulnerabilities and regulatory compliance, and the corresponding investments that companies are compelled to make to deal with them. Characteristics include protecting value, defense, and minimizing downside.
- Rewarded risk refers to projects and initiatives which are undertaken with an objective of innovation and growth. Characteristics include creating value, enablement, and maximizing upside.
This document is the result of primary research performed by Aberdeen Group. Aberdeen Group's methodologies provide for objective fact-based research and
represent the best analysis available at the time of publication. Unless otherwise noted, the entire contents of this publication are copyrighted by Aberdeen Group, Inc.
and may not be reproduced, distributed, archived, or transmitted in any form or by any means without prior written consent by Aberdeen Group, Inc.
In this report, Aberdeen focuses specifically on patch management, including historical trends in its adoption as identified over four years and seven independent benchmark studies, and differences in adoption by the leading performers in comparison to the lagging performers across the same span of research. But most importantly, Aberdeen explores the correlation between current use of patch management and the level of endpoint-related risk that companies are effectively accepting. This leads directly to the strategic question behind the title of this Analyst Insight: to patch, or not to patch? Aberdeen's research confirms that the right question is not if, but how.
Aberdeen's Research Findings on Patch Management
In the execution of its unique benchmarking style of market research,
Aberdeen routinely asks a global demographic of enterprises about selected
IT Security-related technologies: their current use, their planned use in the
next 12 months, and their current evaluations. Of course, the foundation of
Aberdeen's research methodology is that the adoption of enabling
technologies for security and compliance is necessary for top performance,
but not sufficient – that is, it also requires essential policy, planning, process
and organizational elements of implementation, which are critical success
factors in an enterprise's ability to maximize business value. For now,
however, we focus on trends in adoption for patch management solutions.
Definition
For the purposes of this report, patch management refers to the technologies and processes used to identify, prioritize and remediate the vulnerabilities that put an organization's IT infrastructure at risk:
- Identification of the vulnerabilities and threats that are relevant to the organization's IT assets
- Determination of which vulnerabilities and threats should be addressed first, based on the level of risk and the business value of the IT assets in question
- Remediation of the vulnerabilities through deployment of software patches (or configuration changes, or other compensating controls)
Historical Trends in Patch Management (2007-2011)
Over four years and seven independent benchmark studies in which
Aberdeen asked questions about the adoption of patch management, the
research shows very little variation in terms of its current use. On average,
about three-fourths (75%) of all respondents consistently indicate that patch
management is currently deployed within their organizations (Figure 1).
Figure 1: Current Use of Patch Management (All Respondents)
[Bar chart: x-axis "Date of Aberdeen Study" (Sep-07, Jul-08, Mar-09, Nov-09, Feb-10, Nov-10, May-11, Average); y-axis "Percentage of Respondents" (0% to 100%). Current use in each of the seven studies sits within a few points of the 75% average.]
Source: Aberdeen Group, October 2011
But one-dimensional survey results such as these are widely available. A
unique aspect of Aberdeen's methodology is that it defines a maturity class
framework which sorts all respondents into a sort of normal distribution, i.e.,
all enterprises within each study fall into one of the following three levels of practices and performance:
- Best-in-Class (top 20%): practices that are the best currently being employed and result in the top industry performance,
- Industry Average (middle 50%): practices that represent the average or norm for the study, and result in average industry performance, and
- Laggards (bottom 30%): practices that are significantly behind the rest of the industry, and result in below average performance.
The historical trends in patch management across multiple benchmark studies are fairly consistent in terms of current adoption by maturity class as well. On average, patch management is currently deployed by about 70% of Laggards, by about 75% of the Industry Average and by about 90% of the Best-in-Class (Figure 2).
Figure 2: Current Use of Patch Management (by Maturity Class)
[Bar chart: x-axis "Date of Aberdeen Study" (Sep-07, Jul-08, Mar-09, Nov-09, Feb-10, Nov-10, Average); y-axis "Percentage of Respondents" (0% to 100%); one bar per study for Laggards, Industry Average and Best-in-Class. Averaged across the studies: Laggards about 70%, Industry Average about 75%, Best-in-Class about 90%.]
Source: Aberdeen Group, October 2011

Determining the Best-in-Class
To distinguish Best-in-Class companies (top 20%) from Industry Average (middle 50%) and Laggard organizations (bottom 30%) in aspects of IT Security and IT GRC, Aberdeen generally uses aspects of the following:
- Actual security-related incidents experienced (e.g., number, year-over-year change)
- Audit deficiencies related to security or compliance experienced (e.g., number, year-over-year change)
- Annual costs related to the initiative under study
Companies with top performance based on the selected criteria earn "Best-in-Class" status. Full details of the criteria used are provided in each respective benchmark study.
To be sure, this analysis shows that the leading performers are consistently
more likely than the lagging performers to have current deployments of
patch management – but the question is, how strong is the correlation
between current adoption and the achievement of top results?
One way that Aberdeen sometimes uses to tease out this information is to compare the following:
- The absolute adoption by the top performers (i.e., the percentage of the Best-in-Class indicating current use, which is represented by the height of the dark blue bars in Figure 2), with
- The relative adoption by the leaders in comparison to the laggards (i.e., current use by the Best-in-Class divided by current use by Laggards, or the ratio of the blue bars to the red bars in Figure 2).
The result shows that for the past four years, patch management has been
squarely in the baseline quadrant – i.e., high adoption by the leading
performers, as well as relatively high adoption by everyone else (Figure 3).
Baseline technologies are widely viewed as foundational for success,
although taken by themselves they do not differentiate top performance.
Figure 3: Current Use of Patch Management by Top Performers (Absolute Adoption vs. Adoption Relative to Lagging Performers)
[Scatter plot: x-axis "Absolute Adoption (% of leading performers indicating current use)" from 0% to 100%; y-axis "Relative Adoption (ratio of adoption by the leaders compared to that of laggards)" from 1.0 to 2.0; quadrants labelled New / Emerging, Early Adoption, Differentiators and Baseline; one point per study (Sep 2007, Mar 2008, Mar 2009, Nov 2009, Feb 2010, Oct 2010) plus the Average, all falling in the Baseline quadrant.]
Source: Aberdeen Group, October 2011

Definitions
For this Analyst Insight:
- Baseline refers to high adoption by the leading performers, as well as relatively high adoption by all others. Baseline technologies are widely viewed as foundational for success, although taken by themselves they do not differentiate top performance.
- Emerging refers to modest adoption by the leading performers, and relatively low adoption by all others.
- Early Adoption refers to modest adoption by the leading performers, but high adoption by the leaders relative to that of all others.
- Differentiators refers to high adoption by the leading performers, and high adoption by the leaders relative to that of all others.
Latest Snapshot in Patch Management (May 2011)
Aberdeen's most recent study that included questions about patch
management – the Q1 2011 Aberdeen Business Review (May 2011) – provides
the basis to explore differences in current use, planned use in the next 12
months, and current evaluations by company size and geographic region.
As shown in Figure 4, current use of patch management is strongly
correlated with company size. Nearly 100% of Large enterprises have
already deployed patch management, or plan to do so within the next year.
For Small businesses, however, just 3 out of 5 (59%) indicate current use.
But planned use and current evaluations among Small businesses are both
relatively high, which can reasonably be taken as a proxy for market interest
and near-term growth. This is not terribly surprising, given the steady
drumbeat of headlines about publicly disclosed breaches – even smaller
businesses are becoming more aware of the compelling need to address the
vulnerabilities and threats to their endpoints.
Figure 4: Latest Snapshot in Patch Management (May 2011) – Current Use, Planned Use, Evaluations (by Company Revenue)
[Stacked bar chart, Percentage of Respondents (N=139), y-axis 0% to 100%; one bar each for All Respondents, Small (<$50M), Mid-Size and Large (>$1B), with segments for Current, Planned < 12 Months and Evaluating. Current use: All Respondents 72%, Small 59%, Mid-Size 76%, Large 92%; the planned and evaluating segments each range from 2% to 14%.]
Source: Aberdeen Group, October 2011

Definitions
The following terms are defined by an organization's revenue in the most recent 12-month reporting period:
- Large: $1B or higher
- Mid-Size: less than $1B and more than $50M
- Small: $50M or lower
A similar analysis, based on the geographic region of the respondents'
headquarters, is presented in Figure 5. Current use of patch management is
strongest in the Asia/Pacific region, while planned use and evaluations
indicate a sharply increasing focus on endpoint-related vulnerabilities and
threats in the Americas and EMEA.
Figure 5: Latest Snapshot in Patch Management (May 2011) – Current Use, Planned Use, Evaluations (by Geographic Region)
[Stacked bar chart, Percentage of Respondents (N=139), y-axis 0% to 100%; one bar each for Worldwide, Americas, EMEA and Asia/Pacific, with segments for Current, Planned < 12 Months and Evaluating. Current use: Worldwide 72%, Americas 69%, EMEA 71%, Asia/Pacific 86%; the planned and evaluating segments each range from 3% to 13%.]
Source: Aberdeen Group, October 2011

Definitions
The following terms are defined by the geographic location of the firm's headquarters:
- Americas: North, South and Central America
- EMEA: Europe, the Middle East, and Africa
- Asia / Pacific: all others
Insight: Correlating Patching (If, and How) with Risk
Let's review what has been established about patch management so far, based on a focused review of Aberdeen's benchmark research over the last four years:
- On average, about three-fourths (75%) of all companies have current deployments of patch management
- This overall percentage shows very little variation over seven studies over the last four years
- The leading performers are consistently more likely than the lagging performers to have current deployments of patch management
- But analysis shows that while current use of patch management is foundational for success, taken by itself this does not differentiate top performance
- Current use of patch management is strongly correlated with company size: nearly all Large enterprises, in comparison to just 3 out of 5 Small businesses
- But planned use and current evaluations among Small businesses are both relatively high, indicating solid market interest and near-term growth
- By geographic region, current use of patch management is strongest in the Asia/Pacific region
- Meanwhile planned use and current evaluations indicate a sharply increasing focus on endpoint-related vulnerabilities and threats in the Americas and EMEA
If You Patch, You Are Accepting Less Endpoint Risk
In Is Your Vulnerability Management Program Leaving You at Risk? Most Likely, Yes (June 2011), Aberdeen noted that because there is no such thing as "perfect" security (one could invest an infinite amount on prevention, and yet an incident may still occur), one should think about whether the ratio of "total annual cost of my IT Security initiatives" versus "total annual cost of IT Security-related incidents that were not avoided, in spite of my investments" reflects an acceptable balance.
Each organization's decisions about optimizing the tradeoffs between higher or lower annual investments in patch management initiatives, versus the additional costs of endpoint-related incidents avoided or not avoided, are the very essence of a risk-based approach. As summarized in Table 1, the percentage of risk which the companies in Aberdeen's study are effectively ignoring or accepting, above and beyond their current investments, is on average about 60%, but ranges as high as 78%.
Definitions
For the purposes of evaluating the business value of enterprise investments in patch management initiatives, Aberdeen uses the following simple equation:
  (Total annual cost of incidents that were successfully avoided by patching)
  divided by
  (Total annual cost of patching, plus the total annual cost of incidents that were not avoided)
The denominator includes the total annual cost for the organization's patch management initiatives; also in the denominator, however, are the total costs from incidents that were not avoided in the last 12 months, in spite of the investments in patching that have been made.
In the numerator are the best estimates for the total costs of incidents that were avoided in the last 12 months as a result of the organization's investments in patching. These may be difficult to come by, however, and imprecise at best.
For this reason, the most general way to think about this simple framework is that any investments in technologies and services that lower the total annual cost of the initiative (efficiency) and cause a greater shift from the denominator to the numerator in terms of incidents avoided (effectiveness) will have a strongly positive impact on the overall return on annual investment.
Table 1: IT Security Investments Overall Accept About 60% of Risks; Variations by Size, Region

Annual Averages                                        All     Large   Mid-Size  Small    Americas  EMEA    Asia/Pac
Total annual cost of initiatives + total costs
  not avoided (as a % of annual revenue)               0.2%    0.1%    0.6%      3.8%     0.2%      0.2%    0.2%
Total annual cost of initiatives + total costs
  not avoided (as $ per employee per year)             $220    $140    $590      $1,200   $230      $170    $250
Ratio of total costs not avoided to total annual
  cost of initiatives                                  1.47    0.64    2.00      3.57     1.35      1.59    2.74
Percentage* of risk which companies effectively
  ignore or accept, above and beyond their
  current investments                                  60%     39%     67%       78%      57%       61%     73%

* Calculated as (Total Cost of Incidents Not Avoided) / ((Total Annual Cost of Initiatives) + (Total Cost of Incidents Not Avoided))
Source: Aberdeen Group, June 2011
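The arithmetic behind Table 1 and the sidebar's simple equation, carried through in Python. This is an added example, not code from the Aberdeen report: it takes the ratio row of Table 1 as input and shows that the accepted-risk row follows from it as R / (1 + R), then models the sidebar's two levers (efficiency and effectiveness) on the "All respondents" figures. The $/employee split and the 25% effectiveness-gain scenario in demo() are constructed for illustration.

```python
"""Aberdeen's accepted-risk and return-on-patching arithmetic, carried through.

Added example (not from the Aberdeen report). Table 1's "ratio of total costs not
avoided to total annual cost of initiatives" row is the input; the scenario in
demo() is constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Dict


@dataclass(frozen=True)
class PatchingCosts:
    """Annual cost components of one organization's patch management initiative."""
    initiatives: float        # total annual cost of the patching initiative
    not_avoided: float        # total annual cost of incidents NOT avoided despite patching
    avoided: float = 0.0      # best estimate of incident cost avoided (often unknown)

    @property
    def denominator(self) -> float:
        return self.initiatives + self.not_avoided

    def accepted_risk(self) -> float:
        """Share of risk effectively ignored or accepted, above and beyond current
        investment: not_avoided / (initiatives + not_avoided)  (Table 1 footnote)."""
        return self.not_avoided / self.denominator

    def return_on_investment(self) -> float:
        """The sidebar's simple equation: avoided / (initiatives + not_avoided)."""
        return self.avoided / self.denominator


def accepted_risk_from_ratio(ratio: float) -> float:
    """Table 1 reports R = not_avoided / initiatives. Dividing the footnote formula's
    numerator and denominator by `initiatives` gives R / (1 + R)."""
    return ratio / (1.0 + ratio)


def split_total(total_per_employee: float, ratio: float) -> PatchingCosts:
    """Recover the two cost components from Table 1's combined $/employee figure and R."""
    initiatives = total_per_employee / (1.0 + ratio)
    return PatchingCosts(initiatives=initiatives, not_avoided=total_per_employee - initiatives)


def improve_effectiveness(costs: PatchingCosts, fraction: float) -> PatchingCosts:
    """Effectiveness lever: `fraction` of not-avoided incident cost moves from the
    denominator to the numerator (those incidents are now avoided)."""
    moved = costs.not_avoided * fraction
    return replace(costs, not_avoided=costs.not_avoided - moved, avoided=costs.avoided + moved)


def improve_efficiency(costs: PatchingCosts, fraction: float) -> PatchingCosts:
    """Efficiency lever: the initiative's own annual cost falls by `fraction`."""
    return replace(costs, initiatives=costs.initiatives * (1.0 - fraction))


# Ratio row of Table 1 (Aberdeen Group, June 2011).
TABLE1_RATIOS: Dict[str, float] = {
    "All": 1.47, "Large": 0.64, "Mid-Size": 2.00, "Small": 3.57,
    "Americas": 1.35, "EMEA": 1.59, "Asia/Pac": 2.74,
}


def reproduce_table1() -> Dict[str, int]:
    """Recompute Table 1's accepted-risk row (whole percentages) from the ratio row."""
    return {seg: round(100 * accepted_risk_from_ratio(r)) for seg, r in TABLE1_RATIOS.items()}


def demo() -> None:
    # "All respondents": $220 per employee per year, R = 1.47 (Table 1).
    base = split_total(220.0, 1.47)
    print(f"baseline: initiatives=${base.initiatives:.0f}/employee, "
          f"not avoided=${base.not_avoided:.0f}/employee, accepted risk={base.accepted_risk():.0%}")
    # Constructed scenario: better prioritization avoids a quarter of the remaining incident cost.
    better = improve_effectiveness(base, 0.25)
    print(f"after a 25% effectiveness gain: accepted risk={better.accepted_risk():.0%}, "
          f"ROI={better.return_on_investment():.2f}")
    for seg, pct in reproduce_table1().items():
        print(f"{seg:9s} {pct}%")


if __name__ == "__main__":
    demo()
```

Note that the efficiency lever alone (cutting the cost of the initiative) raises the accepted-risk percentage in this framework, because it shrinks the denominator without touching the incident costs that remain; only the effectiveness lever shifts cost out of "not avoided". That is the point of the sidebar's closing sentence, and it is why "cheaper patching" and "better patching" have to be judged together.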
To see if there is a correlation between the research findings on the latest
trends in deployment of patch management, and the analysis showing the
level of risk which companies effectively ignore or accept, Aberdeen created
a simple x-y graph (Figure 6). By inspection, we can see the general
correlation: higher adoption of patch management corresponds to a lower
percentage of accepted risks. This makes sense: if you don't patch at all, you
effectively accept all the risk. If patching is 100%, some residual risks remain.
Figure 6: Adoption of Patch Management Generally Correlates with Lower Percentage of Risks Effectively Accepted or Ignored
[Scatter plot: x-axis "Current Use of Patch Management" (50% to 100%); y-axis "Percentage of Risks Effectively Accepted or Ignored, Above and Beyond Current Investments" (0% to 100%); one point for the Average, plus points for each Company Size segment and each Region segment.]
Source: Aberdeen Group, October 2011

Case in Point: RSA Breach
"In our case the attacker sent two different phishing emails over a two-day period. The email subject line read 2011 Recruitment Plan. This was intriguing enough for one of the employees to actually pull the email out of their Junk Box and double-click on the email attachment. The spreadsheet contained a zero-day exploit that installs a backdoor through Adobe Flash vulnerability (CVE-2011-0609)."
~ Uri Rivner, Head of New Technologies, Consumer Identity Protection for RSA, The Security Division of EMC
How You Patch Also Affects How You Accept Endpoint Risk
This brings us at last to the critical question of how to patch:
- On one hand, a classic risk-based approach would be to prioritize patching for the most critical systems, and / or for the patches that would provide the greatest good for the greatest number of systems. Some companies describe a methodical cycle of scanning, prioritizing, pre-testing, patching, testing and confirming that patches are successful.
- Others argue strenuously that it is more cost-effective to simply patch everything: "It would take more of my resources to compute the vulnerability management priority index," thundered the Chief Information Security Officer of a well-known global brewer, "than it would to simply adopt the policy of patching everything."

"Our most critical systems are those I am not allowed to patch. They are the manufacturing systems, and I am not allowed to touch them."
~ CISO, EMEA
Aberdeen has written about these two distinct strategies before, for example in Full-Disk Encryption On the Rise (2009). Given the choice between the precision of encrypting only specific files or folders based on content and pre-existing policies, and the simplicity of encrypting everything on the endpoint, Aberdeen's research shows a clear trend towards the simplicity of full-disk encryption.
In another example, given the choice between the simplicity of providing stronger (non-password) authentication technologies such as one-time passwords or smart cards for all users, and the precision of using passwords for everyone combined with context-specific challenges based on transparent risk-based scoring and heuristics, more companies go with the more precise (and lower cost) approach.
A recent white paper by technical leaders at the Denmark-based solution provider Secunia (see How to Secure a Moving Target with Limited Resources, www.secunia.com) provides an excellent comparison of distinct patching strategies, with the realistic assumption of limited resources, and analyzes the tradeoffs between the risks of patching and the risks of testing. Some of their high-level conclusions:
- Patching is a foundational security control, as it eliminates the root cause of compromise.
- Analysis of two patching strategies shows that knowing what to patch pays off: they calculate that an 80% reduction in risk can be achieved by identifying and patching either the most risky applications or the most prevalent applications.
- An intelligent patching strategy demands a dynamic approach, given the fast-changing vulnerability and threat landscape.
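The two strategies just described ("most risky applications first" versus "most prevalent applications first") and the limited-resources constraint, worked through in Python. This is an added example, not code from the Aberdeen report or from the Secunia white paper it cites. The application inventory, its prevalence figures, vulnerability counts, severity scores and pre-test effort are all constructed for illustration, so the percentages it produces describe this toy data only, not Secunia's 80% figure; the risk proxy (prevalence x vulnerability count x worst severity) is an assumption of the example.

```python
"""Which applications to patch first when testing and deployment effort is limited.

Added example; not from the Aberdeen report or the Secunia white paper it cites.
The inventory below is constructed for illustration (prevalence, vulnerability
counts, severities and test effort are invented).
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class App:
    name: str
    prevalence: float    # fraction of endpoints with the program installed (0..1)
    vulns: int           # known, unpatched vulnerabilities in the installed version
    max_severity: float  # worst of them on an assumed 0..10 scale
    test_hours: float    # effort to pre-test and stage the patch before deployment

    def risk(self) -> float:
        """Exposure proxy (assumed): endpoints reachable, scaled by count and worst severity."""
        return self.prevalence * self.vulns * self.max_severity


# Constructed inventory. A ubiquitous-but-benign entry (7-Zip) and a rare-but-nasty one
# (legacy CAD viewer) are included on purpose: that is where the two strategies disagree.
INVENTORY: List[App] = [
    App("Adobe Flash Player", 0.95, 6, 9.3, 2),
    App("Adobe Reader",       0.90, 8, 9.3, 4),
    App("7-Zip",              0.85, 1, 4.3, 1),
    App("Java Runtime",       0.80, 10, 7.5, 16),
    App("Firefox",            0.60, 12, 6.8, 3),
    App("VLC",                0.30, 3, 6.8, 1),
    App("FileZilla",          0.10, 2, 5.0, 1),
    App("Legacy CAD viewer",  0.05, 9, 9.3, 20),
]

Ranker = Callable[[App], float]
by_risk: Ranker = lambda a: a.risk()                          # "most risky applications"
by_prevalence: Ranker = lambda a: a.prevalence                # "most prevalent applications"
by_risk_per_hour: Ranker = lambda a: a.risk() / a.test_hours  # risk retired per hour of testing


def rank(inventory: List[App], key: Ranker) -> List[App]:
    """Highest-scoring application first."""
    return sorted(inventory, key=key, reverse=True)


def risk_reduction(inventory: List[App], patched: List[App]) -> float:
    """Fraction of the inventory's total risk removed by patching `patched`."""
    total = sum(a.risk() for a in inventory)
    return sum(a.risk() for a in patched) / total


def top_n(inventory: List[App], key: Ranker, n: int) -> float:
    """Risk reduction from patching the first n apps of a ranking (budget counted in apps)."""
    return risk_reduction(inventory, rank(inventory, key)[:n])


def plan_within_hours(inventory: List[App], hours: float, key: Ranker) -> List[App]:
    """Walk the ranking and take each app whose pre-test effort still fits the budget.
    Greedy, so not optimal in general, but it mirrors how a team actually fills a cycle."""
    chosen: List[App] = []
    used = 0.0
    for app in rank(inventory, key):
        if used + app.test_hours <= hours:
            chosen.append(app)
            used += app.test_hours
    return chosen


def coverage_curve(inventory: List[App], key: Ranker) -> List[float]:
    """Cumulative risk reduction after patching 1, 2, ..., N apps in ranked order.
    The knee of this curve is the gap between "patch the top few" and "patch everything"."""
    order = rank(inventory, key)
    return [risk_reduction(inventory, order[:k]) for k in range(1, len(order) + 1)]


if __name__ == "__main__":
    for label, key in (("by risk", by_risk), ("by prevalence", by_prevalence)):
        curve = coverage_curve(INVENTORY, key)
        print(f"{label:14s}", " ".join(f"{c:.0%}" for c in curve))
    plan = plan_within_hours(INVENTORY, 10, by_risk_per_hour)
    print("10 test-hours, by risk/hour:", [a.name for a in plan],
          f"-> {risk_reduction(INVENTORY, plan):.0%} of risk retired")
```

On this data, patching the top three by risk retires about 74% of the modelled risk, while the top three by prevalence retire only about 51%, because prevalence alone pulls in 7-Zip ahead of Java. The "dynamic approach" in the third bullet is simply re-running rank() whenever the inventory or the vulnerability data changes, which is cheap; what is not cheap is the test effort, and the hours-budgeted plan is where the patching-versus-testing tradeoff the white paper discusses actually shows up.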
Simplicity, or Precision?
Aberdeen has previously shared an analogy which illustrates the difference between the strategy of simplicity and the strategy of precision. The story is apocryphal as it is commonly told, but no less instructive:
- In the Space Race between the Soviet Union and the United States in the 1960s, cosmonauts and astronauts needed a writing instrument that would work in a vacuum, in zero gravity, and in the temperature extremes of hot sunlight and cold shadow. At great expense, the Americans developed a high-tech, pressurized ball point pen, the Fisher "Space Pen", that met these requirements. The Soviet solution: a standard graphite pencil.
Case in Point: Telecommunications Provider, EMEA
A leading telecommunications provider in northern Europe supports its customers with a wide range of services, from fixed lines to mobile and data networks, Internet and security services, voice over IP, and cable services for digital television. The company was especially challenged to maintain a complete and accurate picture of its many endpoints, in particular third-party programs and multiple versions. Additional challenges included a lack of patching capabilities and tools to produce reports for use by senior management. After evaluating patch management solutions from Microsoft, Shavlik and others, based on factors of pricing, reputation and ease of use, the company selected a solution from Secunia.
"Our results have been good, but our patching process still needs to evolve,
and resources for patching still need to be better aligned," noted a company
Information Security Specialist. "The reporting capabilities have also been
extremely useful."
Their experiences to date also confirm the intimate relationship and
tradeoffs between patching and testing. "We have learned a lot about the
importance of testing patches before deploying them to the production
environment," says the specialist. "For example, some of our older
employees really don't like it when their Firefox browser or Adobe Acrobat
Reader changes language from Finnish to English without notice."
Solutions Landscape (illustrative)
The solutions in Table 2, highlighted based on their capabilities for integration of intelligence for prioritization and automated remediation, are illustrative of those that address patch management in the context of the end-to-end vulnerability management lifecycle.
Table 2: Solutions Landscape for the Vulnerability Management Lifecycle (illustrative)

Company                Web Site            Solution(s)
eEye Digital Security  www.eeye.com        Retina Unified Vulnerability Management, Blink Endpoint Protection, Iris Network Traffic Analyzer
IBM (BigFix)           www.bigfix.com      BigFix Asset Discovery, Patch Management, Security Configuration Management, Vulnerability Management, Anti-Virus / Anti-Malware
Lumension              www.lumension.com   Lumension Application Control, AntiVirus, Device Control, Patch and Remediation, Scan, Security Configuration Management, Risk Manager, Enterprise Reporting
Novell                 www.novell.com      ZENworks Configuration Management, Asset Management, Endpoint Security Management, Patch Management
Secunia                www.secunia.com     Secunia Corporate Software Inspector, Vulnerability Intelligence Manager
Shavlik                www.shavlik.com     Shavlik NetChk Protect, NetChk Configure, Security Intelligence

Source: Aberdeen Group, October 2011
Key Takeaways and Recommendations
To patch, or not to patch? Aberdeen's research and analysis shows that:
- On average, about three-fourths (75%) of all companies have current deployments of patch management, a percentage that shows very little variation over seven studies over the last four years
- The leading performers are consistently more likely than the lagging performers to have current deployments of patch management
- Current use of patch management is strongly correlated with company size: nearly all Large enterprises, in comparison to just 3 out of 5 Small businesses
- By geographic region, current use of patch management is strongest in the Asia/Pacific region, followed by EMEA and the Americas
- But analysis shows that while current use of patch management is foundational for success, taken by itself it does not differentiate top performance; in other words, success is not only a question of if, but also a question of how
The general correlation is clear: higher adoption of patch management corresponds to a lower percentage of accepted risks. This is common sense: if you don't patch at all, you effectively accept all the risk; but even if your patching is 100%, some residual risks will remain.
On the critical question of how to patch, which is the better strategy:
- To prioritize patching for the most critical systems, or for the patches that would provide the greatest good for the greatest number of systems?
- Or alternatively, to adopt the simpler policy of patching everything?
Aberdeen's direct interviews with organizations find strong proponents in both camps. Assuming resources are limited, recent analysis by industry leader Secunia demonstrates that a significant reduction in risk can be achieved by identifying and patching either the most risky or the most prevalent applications.
Why Companies Don't Patch
- When asked about the inhibitors for current investments in patch management, "lack of a compliance driver" was the leading response. The corollary to compliance requirements as a leading driver is that lack of compliance requirements (or compliance requirements without meaningful "teeth") often translates to "defer making investments."
- Surprisingly, "no valuable services are exposed" and "no valuable data is exposed" were also identified as leading inhibitors to current investments. Given the increasing volume, variety, and sophistication of new threats and vulnerabilities, however, this finding indicates a high need for additional awareness and education about the risks and costs of ignoring, deferring, or underfunding patch management.
Aberdeen's research shows that characteristics of organizations with top performance in managing vulnerabilities and threats include:
- A comprehensive approach: the top performers excel across the entire vulnerability management lifecycle, from assessment to prioritization to remediation. Their focus on maximizing efficiency and minimizing total cost also acknowledges the necessity of a continuous approach to vulnerability management. A multi-application approach is critical, especially since on the typical Windows-based PC there are more than three times as many vulnerabilities in third-party applications as in all installed Microsoft programs combined. For most organizations a multi-platform approach is also important. Speed and accuracy are key solution selection criteria.
- A risk-based approach: the top performers quickly determine which vulnerabilities and threats should be addressed first, based on the level of risk and the business value of the IT assets in question. Solution selection criteria should include the visibility and intelligence that can be gleaned to provide insights, rankings, and recommended priorities for remediation.
- An optimized approach: the top performers tend to focus on being secure, compliant and well-managed, in that order. Well-managed includes both greater efficiency (i.e., lower total cost) and greater effectiveness (e.g., automation to reduce cost and reduce windows of vulnerability); this has the additional benefit of freeing up resources to focus on projects aimed at innovation and growth.
For more information on this or other research topics, please visit
www.aberdeen.com.
Related Research
- Is Your Vulnerability Management Program Leaving You at Risk? (Most Likely, Yes); June 2011
- Q1 2011 Aberdeen Business Review; May 2011
- Managing Vulnerabilities and Threats (No, Anti-Virus is Not Enough); December 2010
- The State of IT (In)Security, and How to Avoid Costs by Investing More; November 2010
- National Cybersecurity Awareness Month: Anti-Virus and Personal Firewalls; October 2010
- National Cybersecurity Awareness Month: Patches, Configurations and Changes; October 2010
- Five Key Capabilities for Gaining Visibility and Control over Your Network Devices, Endpoints and End-Users; September 2010
- Securing Your Applications: Three Ways to Play; August 2010
- Web Security in the Cloud; May 2010
- Email Security in the Cloud; April 2010
- IT Security: Balancing Enterprise Risk and Reward; January 2010
- When Less is More: Why Small Companies Should Think Outside the (Red / Yellow) Box for Protecting Their Endpoints; March 2009
- Secure, Compliant, and Well-Managed: The IT Security Approach to GRC; February 2009
- Vulnerability Management: Assess, Prioritize, Remediate, Repeat; July 2008
Author: Derek E. Brink, Vice President and Research Fellow, IT Security
(Derek.Brink@aberdeen.com)
For more than two decades, Aberdeen's research has been helping corporations worldwide become Best-in-Class.
Having benchmarked the performance of more than 644,000 companies, Aberdeen is uniquely positioned to provide
organizations with the facts that matter — the facts that enable companies to get ahead and drive results. That's why
our research is relied on by more than 2.5 million readers in over 40 countries, 90% of the Fortune 1,000, and 93% of
the Technology 500.
As a Harte-Hanks Company, Aberdeen’s research provides insight and analysis to the Harte-Hanks community of
local, regional, national and international marketing executives. Combined, we help our customers leverage the power
of insight to deliver innovative multichannel marketing programs that drive business-changing results. For additional
information, visit Aberdeen http://www.aberdeen.com or call (617) 854-5200, or to learn more about Harte-Hanks, call
(800) 456-9748 or go to http://www.harte-hanks.com.