Many organizations believe they are focused on serving the needs of their customers. They evaluate customer wants and desires and identify the functionality needed to meet those needs. Software developers identify updates and new releases, while network administrators plan system upgrades and migrations. This approach of rolling out phases, issuing new releases, and upgrading networks used to work when customers were focused on features and functionality. As more and more customers become concerned about security, a new approach is needed.
A Lesson From Microsoft
When Microsoft issues a new product, the software is often identified by its year of release: for example, Windows 95, Windows 98, Exchange Server 2013, and Microsoft Office 2013. Like most software, vulnerabilities are discovered over time. Many years ago Microsoft included security fixes with new functionality updates (Service Packs). By applying a Service Pack, a customer would address all known vulnerabilities up to the date of that Service Pack. Microsoft's customers soon found that vulnerabilities needed to be addressed more quickly and couldn't wait for the next Service Pack. Microsoft reviewed the needs of its customers and developed the concept of "Patch Tuesday".
On the second Tuesday of each month, Microsoft released software patches to address vulnerabilities. This too worked for a while, until Microsoft discovered that customers didn't want to wait a full month to have software patched. More recently, Microsoft has moved to a rolling model of releasing patches on a weekly basis. Patches for critical vulnerabilities are now released immediately, and customers do not have to wait for the weekly updates.
Network Platforms
Application software does not exist in an isolated environment. It resides on hardware and relies on the underlying operating system and other related applications (e.g. databases). These too can have vulnerabilities and must be patched and updated in a timely manner.
Migrating to a Customer Centric Approach
Migrating to a customer centric (i.e. customer focused) approach requires that application developers, system and network administrators, Chief Security Officers (CSOs), and organization management prioritize security efforts rather than wait for the next rollout of software and hardware releases. This change in mindset from functionality and features to security may not happen overnight, but it needs to happen for the many of your customers (internal and external) that must meet compliance requirements and industry standards.
The following steps help migrate to a customer focused organization:
- Top-down management support and recognition that customers need timely security updates
- Identify changes in business processes to allow timely updates
- Document and distribute written policies and procedures
- Implement and enforce procedures, and monitor to ensure procedures are being followed
- Perform annual (or more frequently if major changes occur) audits of web applications, networks, and organization compliance
Summary
Migrate to a customer centric approach and ensure that high and medium priority issues are addressed within 30 days of notice of the vulnerabilities. As Bill Gates once said, "Security is, I would say, our top priority because for all the exciting things you will be able to do with computers - organizing your lives, staying in touch with people, being creative - if we don't solve these security problems, then people will hold back."
Network security audits and web application security audits help identify unpatched systems.
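One way to monitor the 30-day rule above, as an added example that is not part of the original post: a small Python check over a constructed patch inventory that flags notices whose fix landed late or is still outstanding. The host names, the ADV-… identifiers and the dates are invented for the example; only high and medium carry a window, since those are the only severities the post gives one for.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Remediation window stated in the post: high and medium priority issues
# must be addressed within 30 days of notice. Other severities have no
# stated window here and are reported as untracked rather than assumed.
SLA_DAYS = {"high": 30, "medium": 30}

@dataclass
class Notice:
    system: str            # host the advisory applies to (constructed)
    vuln_id: str           # internal tracking id (constructed)
    severity: str
    notified: date         # date the organization was notified
    patched: Optional[date] = None   # None means still unpatched

def sla_status(n: Notice, today: date) -> Tuple[str, int]:
    """Return (status, days_over) as of `today`.
    status is 'patched', 'open', 'breached' or 'no-sla'; days_over is how
    many days past the deadline the fix landed or remains outstanding."""
    window = SLA_DAYS.get(n.severity.lower())
    if window is None:
        return ("no-sla", 0)
    deadline = n.notified + timedelta(days=window)
    closed = n.patched if n.patched is not None else today
    days_over = (closed - deadline).days
    if n.patched is not None:
        return ("patched" if days_over <= 0 else "breached", max(days_over, 0))
    return ("breached" if days_over > 0 else "open", max(days_over, 0))

def audit(notices: List[Notice], today: date) -> Dict[str, List[Tuple[str, str, int]]]:
    """Group breaches by system so an audit report shows which hosts are
    out of policy and by how many days."""
    report: Dict[str, List[Tuple[str, str, int]]] = {}
    for n in notices:
        status, over = sla_status(n, today)
        if status == "breached":
            report.setdefault(n.system, []).append((n.vuln_id, n.severity, over))
    return report

# Constructed sample inventory; none of these are real systems or advisories.
SAMPLE = [
    Notice("web-01", "ADV-0001", "high", date(2015, 3, 1), date(2015, 3, 20)),
    Notice("web-01", "ADV-0002", "medium", date(2015, 3, 1), date(2015, 4, 15)),
    Notice("db-01", "ADV-0003", "high", date(2015, 3, 10)),
    Notice("db-01", "ADV-0004", "low", date(2015, 1, 1)),
    Notice("web-02", "ADV-0005", "high", date(2015, 4, 15)),
]

if __name__ == "__main__":
    for system, items in audit(SAMPLE, date(2015, 4, 20)).items():
        for vid, sev, over in items:
            print(f"{system}: {vid} ({sev}) is {over} day(s) past its window")
```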