Thursday, May 22, 2025

The futility of security patches

OK, the post title is intentionally inflammatory, but here's a pointer to a very heterodox view on the subject:

Patch Tuesday has rolled around again, but if you don't rush to implement the feast of fixes it delivered, your security won't be any worse off in the short term – and may improve in the future.

That's the opinion of Craig Lawson, a Research Vice President at analyst Gartner, who on Wednesday told the firm's Infrastructure, Operations & Cloud Strategies Conference: "Nobody has ever out-patched threat actors at scale."

Now for some important background.  Gartner Group is probably the premier IT market research organization.  All the big companies subscribe to their work.  Gartner prides itself on bucking the tide of conventional wisdom (not too often, of course), and this is a great example of that.  They also pride themselves on having quotable quotes that will get picked up in the media; this is also a great, classic Gartner quotable quote.

Nobody has ever out-patched threat actors at scale.

Well, yeah.  The point of joining vulnerability data with threat exposure data is one we talked about 25 years ago.  The concept is a good one, but the devil is (as always) in the details.  Quite frankly, a CISO (Chief Information Security Officer) who tells his security team to back off patching - and whose company then gets hacked - won't likely be CISO after the next Board meeting.  Just sayin'.
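For readers who have not seen the idea in practice, here is a toy illustration of what "joining vulnerability data with threat exposure data" actually means. This is an added example written for this page, not code from the post, from Gartner, or from any vendor; the scanner output, asset inventory, "exploited in the wild" feed and the scoring weights are all constructed and assumed, and the vulnerability labels are placeholders rather than real identifiers.

```python
"""Toy patch-prioritisation join (added example, constructed data).

The same scan findings are ranked two ways: by scanner severity alone, and
by severity folded together with threat intel (is it being exploited?) and
exposure (is the host internet-facing, and how much do we care about it?).
Feed formats and weights are assumptions for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln: str      # placeholder label, not a real CVE identifier
    cvss: float    # base severity as a scanner would report it


@dataclass(frozen=True)
class Asset:
    internet_facing: bool
    criticality: int   # assumed scale: 1 (lab box) .. 3 (revenue-critical)


# Constructed sample data standing in for a scanner export, an asset
# inventory and a "known exploited" threat feed. Every value is made up.
SCAN = [
    Finding("web-01", "vuln-A", 7.5),
    Finding("web-01", "vuln-B", 9.8),
    Finding("db-01", "vuln-B", 9.8),
    Finding("db-01", "vuln-C", 5.3),
    Finding("dev-07", "vuln-B", 9.8),
    Finding("dev-07", "vuln-D", 10.0),
]
ASSETS = {
    "web-01": Asset(internet_facing=True, criticality=3),
    "db-01": Asset(internet_facing=False, criticality=3),
    "dev-07": Asset(internet_facing=False, criticality=1),
}
EXPLOITED_IN_THE_WILD = {"vuln-A"}   # threat intel: actively exploited

# Assumed weights. A host missing from the inventory is scored as exposed
# and important, so an inventory gap never silently demotes a finding.
UNKNOWN_ASSET = Asset(internet_facing=True, criticality=3)
EXPLOITED_MULT = 3.0
EXPOSED_MULT = 2.0


def priority(f: Finding, assets: dict, exploited: set) -> float:
    """Severity multiplied by threat and exposure factors (assumed rule)."""
    asset = assets.get(f.host, UNKNOWN_ASSET)
    score = f.cvss
    if f.vuln in exploited:
        score *= EXPLOITED_MULT
    if asset.internet_facing:
        score *= EXPOSED_MULT
    score *= asset.criticality
    return round(score, 1)


def rank_patches(scan, assets, exploited):
    """[(host, vuln, score)] with threat and exposure data joined in."""
    scored = [(f.host, f.vuln, priority(f, assets, exploited)) for f in scan]
    return sorted(scored, key=lambda t: t[2], reverse=True)


def rank_by_cvss(scan):
    """The order a severity-only patch queue would use, for comparison."""
    scored = [(f.host, f.vuln, f.cvss) for f in scan]
    return sorted(scored, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    print("severity only:")
    for host, vuln, s in rank_by_cvss(SCAN):
        print(f"  {host:7} {vuln:7} {s}")
    print("severity x threat x exposure:")
    for host, vuln, s in rank_patches(SCAN, ASSETS, EXPLOITED_IN_THE_WILD):
        print(f"  {host:7} {vuln:7} {s}")
```

The two orderings disagree at the top: severity alone puts the 10.0 on the unexposed dev box first, while the joined view puts a 7.5 that is being exploited on the internet-facing web host first and pushes the dev box to the bottom. That gap is the whole argument, and also the whole difficulty, since the result is only as good as the asset inventory and the threat feed behind it.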

But this is pure Gartner Group. Interesting idea, well stated, enticingly attractive for those who see themselves as Six Sigma.  I encourage you all to click through and read it.  Just keep in mind that this idea has been a non-starter for a quarter century.  Nothing has changed here.

But Gartner Security conferences are a lot of fun, and many fine lunches and dinners are enjoyed.


2 comments:

Old NFO said...

Read, but with multiple grains of salt...

Rick T said...

The problem is the majority of systems we see as a reseller aren't patched at ALL. IT schedules an outage and the business owners immediately whine about the planned down time, they seem to always claim their workflow *requires!!!11ty* 100% uptime so someone on the other side of the world can do business at 0-dark-00 local time on a weekend.